Re: OpenSSL 1.1.0 in Rawhide very soon

2016-10-11 Thread Tomas Mraz
On Út, 2016-10-11 at 09:25 -0600, Orion Poplawski wrote: > On 10/07/2016 06:49 AM, Tomas Mraz wrote: > > > > Hi all, > > > > the openssl will be rebased in Rawhide to 1.1.0 on Monday. There > > will > > be also 1.0.2 compat package (compat-openssl10) so

Re: OpenSSL 1.1.0 in Rawhide very soon

2016-10-11 Thread Tomas Mraz
2830 > > > > Not sure if you'll have also some Fedora specific tracker > Would be nice to get tracking bug created on RHBZ, so we can track > all > the packages. Created: https://bugzilla.redhat.com/show_bug.cgi?id=1383740 --  Tom

Re: OpenSSL 1.1.0 in Rawhide very soon

2016-10-11 Thread Tomas Mraz
encies. In my testing of application that pulled both old (indirectly) and new OpenSSL (directly), it did not crash and I did not see anything wrong with it. So it seems not all cases are broken however apparently the above is reason for moving dependencies to 1.1.0 as

Re: OpenSSL 1.1.0 in Rawhide very soon

2016-10-12 Thread Tomas Mraz
On St, 2016-10-12 at 01:23 +0100, David Woodhouse wrote: > On Mon, 2016-10-10 at 16:29 +0200, Tomas Mraz wrote: > > > > > > We will work on porting the dependent packages to the new API. If > > by > > some reasonable deadline there are still some packages that

Re: OpenSSL 1.1.0 in Rawhide very soon

2016-10-12 Thread Tomas Mraz
't work. On the other hand the scenario where one library linked by an application uses OpenSSL 1.1 for TLS and another library uses OpenSSL 1.0 for SHA256 hashing, should work - at least it worked for me when I tested it. -- Tomas Mraz No matter

Re: OpenSSL 1.1.0 in Rawhide very soon

2016-10-12 Thread Tomas Mraz
On St, 2016-10-12 at 08:21 +, Petr Pisar wrote: > On 2016-10-12, Tomas Mraz wrote: > > > > On St, 2016-10-12 at 08:22 +0200, Nikos Mavrogiannopoulos wrote: > > > > > > Was the load using dlopen() or simply an indirect link? > Both Perl modules were dl

Re: OpenSSL 1.1.0 in Rawhide very soon

2016-10-12 Thread Tomas Mraz
On St, 2016-10-12 at 10:28 +0200, Vít Ondruch wrote: > > Dne 10.10.2016 v 16:29 Tomas Mraz napsal(a): > > > > On So, 2016-10-08 at 13:37 +0200, Kevin Kofler wrote: > > > > > > Tomas Mraz wrote: > > > > > > > > At worst if the

Re: OpenSSL 1.1.0 in Rawhide very soon

2016-10-12 Thread Tomas Mraz
On St, 2016-10-12 at 14:39 +0200, Kamil Dudka wrote: > On Friday, October 07, 2016 14:49:49 Tomas Mraz wrote: > > > > Hi all, > > > > the openssl will be rebased in Rawhide to 1.1.0 on Monday. There > > will > > be also 1.0.2 compat package (compat-openssl

Re: OpenSSL 1.1.0 in Rawhide very soon

2016-10-12 Thread Tomas Mraz
On St, 2016-10-12 at 15:33 +0200, Tomas Mraz wrote: > On St, 2016-10-12 at 14:39 +0200, Kamil Dudka wrote: > > > > On Friday, October 07, 2016 14:49:49 Tomas Mraz wrote: > > > > > > > > > Hi all, > > > > > > the openssl will be reba

Re: libbson soname alias removal

2016-10-13 Thread Tomas Mraz
nd it's only a release candidate. > But be prepared they are quite obstinate about this packaging stuff. I do not think it is worth it. Effectively rpm dependencies detect this breakage anyway so there is no need to change the soname. -- Tomas M

Re: OpenSSL 1.1.0 in Rawhide very soon

2016-10-14 Thread Tomas Mraz
On St, 2016-10-12 at 12:40 +0200, Tomas Mraz wrote: > On St, 2016-10-12 at 10:28 +0200, Vít Ondruch wrote: > >  > > But what about stable versions of libraries applications? For > > example, > > in current Rawhide, you won't be able to build any stable Ruby >

Schedule for Wednesday's FESCo Meeting (2012-12-19)

2012-12-19 Thread Tomas Mraz
at https://fedorahosted.org/fesco, e-mail me directly, or bring it up at the end of the meeting, during the open floor topic. Note that added topics may be deferred until the following meeting. -- Tomas Mraz No matter how far down the wrong road you've gone, turn

Summary/Minutes for today's FESCo meeting (2012-12-19)

2012-12-19 Thread Tomas Mraz
=== #fedora-meeting: FESCO (2012-12-19) === Meeting started by t8m at 18:00:39 UTC. The full logs are available at http://meetbot.fedoraproject.org/fedora-meeting/2012-12-19/fedora-meeting.2012-12-19-18.00.log.html . Meeting summary

Re: Proposed F19 Feature: Package Signature Checking During Installation

2013-01-09 Thread Tomas Mraz
t > verify signatures. But then what's the difference from distrusting the contents of an installation image booted without SecureBoot in play? -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb --

Re: Proposed F19 Feature: Package Signature Checking During Installation

2013-01-11 Thread Tomas Mraz
r > installation process more laughably insecure is lapping an 'own me' label > on one of anaconda's install screens. > > Sure checking signature would not be perfect security, but your argument > is akin to removing airbags from cars that do not have an abs to 'avo

Re: Proposed F19 Feature: GCC48 - switch GCC in Fedora 19 to 4.8.x, rebuild all packages with it

2013-01-16 Thread Tomas Mraz
ident that this won't cause problems. I'd say that if FESCo accepts this feature for F19, it implicates making the F19 schedule long enough to accommodate the rebuild before branching. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back.

Re: Start of systemd timers after install/update of a package

2013-01-24 Thread Tomas Mraz
f services from cron to systemd timers is very premature and should be actively at least discouraged by packaging directives. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb -- devel maili

Re: Proposed F19 Feature: GLIBC 2.17

2013-01-29 Thread Tomas Mraz
secure_getenv renaming need to be reflected in a > few packages (as of Fedora 18): > openssl-1.0.1c-7.fc18.src.rpm Fixed already in rawhide. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turk

Re: Proposed F19 Feature: systemd features

2013-01-30 Thread Tomas Mraz
d to shipping the data separate - it's > cleaner, allows for just updating the data when necessary, and it forces > people to keep their API & ABI for accessing it stable. :) +1 million - another data point - ca-certificates package - it was much cleaner to split it out of

libtasn1 soname bump in rawhide

2013-02-05 Thread Tomas Mraz
I'm rebasing libtasn1 in rawhide to libtasn1-3.2. As there is some obsolete API dropped it is accompanied with SONAME bump from libtasn1.so.3 to libtasn1.so.6. I will try to rebuild the dependencies. Regards, -- Tomas Mraz No matter how far down the wrong road you've gone,

Re: Proposed F19 Feature: Virtio RNG

2013-02-05 Thread Tomas Mraz
ranoid it should definitely be controllable by sysctl (even maybe off by default although in initial seeding of the kernel entropy pool it would be very nice to have it on). -- Tomas Mraz No matter how far down the wrong road you've gone, turn back.

GnuTLS soname bump in rawhide

2013-02-06 Thread Tomas Mraz
epend on it are libguestfs and python-gnutls. I will look at them why do they need it. Dependencies will be rebuilt during the mass rebuild as I do not expect much breakage from the change. Regards, -- Tomas Mraz No matter how far down the wrong road you've gone,

Re: Package shipping their own CA and security

2013-02-08 Thread Tomas Mraz
te them out of the file and I suppose the bundle should be directly usable instead of the /etc/pki/tls/certs/ca-bundle.crt. I did not inspect what individual CA certificates it contains but I am almost 100% sure that this should not be shipped and the package patched so the default system CA certi

Re: Maintainers wanted for packages from 2013-02-27 FESCo Meeting

2013-02-27 Thread Tomas Mraz
On Wed, 2013-02-27 at 14:05 -0800, Toshio Kuratomi wrote: > Greetings, > > At today's FESCo meeting there were two tickets which had the end result > of needing to have new maintainers and comaintainers for some packages: > * libtasn1 Taken. -- Tomas Mraz No matter how far

Re: fedora release name problem

2013-03-19 Thread Tomas Mraz
> > >> It's not the name that was originally voted for. > > Schrodinger is not the man's name, and is the wrong solution. Schroedinger > > is as acceptable as Schrödinger. > > Yes, definitely Schroedinger if Schrödinger does not work. Cou

Schedule for Wednesday's FESCo Meeting (2014-11-19)

2014-11-18 Thread Tomas Mraz
t at https://fedorahosted.org/fesco, e-mail me directly, or bring it up at the end of the meeting, during the open floor topic. Note that added topics may be deferred until the following meeting. -- Tomas Mraz No matter how far down the wrong road you've

Summary/Minutes from today's FESCo Meeting (2014-11-19)

2014-11-19 Thread Tomas Mraz
=== #fedora-meeting: FESCO (2014-11-19) === Meeting started by t8m at 18:08:14 UTC. The full logs are available at http://meetbot.fedoraproject.org/fedora-meeting/2014-11-19/fesco.2014-11-19-18.08.log.html . Meeting summary -

Re: Schedule for Wednesday's FESCo meeting (2014-11-26 at 18UTC)

2014-11-26 Thread Tomas Mraz
> > > > Unfortunately, I won't be available today for FESCo meeting. Let me know > > in the ticket. > > I am also unable to attend. And me too. Regards, Tomas Mraz -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: About setting 'PermitRootLogin=no' in sshd_config

2014-11-27 Thread Tomas Mraz
e the more I am having an opinion that we should reject it altogether. In fact this change does not really bring any real security improvement because for the Workstation the sshd is already disabled completely by default and for the other products the people who are installing them can be expected to know what they are doing. Also disabling root access does not improve security against targeted attacks because in such cases the user name can be quite easily inferred. So basically this feature is just a 'marketing' improvement and not worth the hassle. Tomas Mraz

Re: echoping - Re: Hundreds of bugzilla mails on one day

2015-01-15 Thread Tomas Mraz
dated since F14. I would just open a FESCo ticket to get the package removed from Fedora. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb (You'll never know whether the road is wrong though

Re: DNF as default package manager

2015-01-21 Thread Tomas Mraz
re forced into Fedora even though they weren't by any means finished. I can name UsrMove, TMPonTMPFS, etc. Even the systemd replacement of sysvinit change but that was not that bad. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back.

Re: Headsup: Xorg is broken in F-22 when used with fips or /etc/system-fips

2015-02-24 Thread Tomas Mraz
d side-effect of running the FIPS selftest in the libgcrypt constructor, we need to fix that. Please open a new bug against libgcrypt so the bug fix is tracked. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb (

Re: switching libcurl back to OpenSSL and providing the libcurl-minimal subpackage

2017-04-18 Thread Tomas Mraz
ompatible licence. Grr :) GPLv2-only incompatible licence. It is compatible with GPLv3 or GPLv2+. So the situation is better and given the objectives for the licence change they had I am afraid there was no better choice. -- Tomas Mraz No matter how far down the wrong road you've gone,

Wild changes in nsswitch.conf

2017-05-15 Thread Tomas Mraz
modifications of fairly critical systemwide configuration file? * From which time systemd started to manage user accounts of the machine, again where is the Fedora Change page for such change? Regards, -- Tomas Mraz No matter how far down the wrong road you've gone, turn

Re: Wild changes in nsswitch.conf

2017-05-15 Thread Tomas Mraz
On Mon, 2017-05-15 at 17:15 +0200, Jakub Hrozek wrote: > On Mon, May 15, 2017 at 04:35:56PM +0200, Tomas Mraz wrote: > > My current Fedora 26 default nsswitch.conf contains these lines: > > > > passwd:  sss files systemd > > shadow: files sss > >

Re: Locale setup for non-shells

2017-05-22 Thread Tomas Mraz
use pam_env to read /etc/default/locale. Similar thing is possible > > to do in > > Fedora too. E.g. just put this into /etc/pam.d/system-auth: > > > > session required  pam_env.so envfile=/etc/locale.conf > >

Re: [systemd-devel] Locale setup for non-shells

2017-05-22 Thread Tomas Mraz
1]. > > A better question is what exactly pam_env.so expects... Last time I > couldn't quite figure out when it wants a key=value file and when it > wants > its own special "foo DEFAULT=bar" format, and in fact the manual > doesn't > seem to match the actual b

How to make a package multilib

2017-06-21 Thread Tomas Mraz
Hi all, the package p11-kit-trust needs to be multilib because it contains PKCS#11 .so object used for access to trusted CA certificate store. However because this package is a PKCS#11 module and not a regular shared library there is no p11-kit-trust-devel package which would mark it automatically

Re: Can we have better ssh fingerprint collision messages?

2013-11-12 Thread Tomas Mraz
st entry which made the line invalid and the message was the same as for first contact with the server. So I wonder if Harald did the same mistake. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb (You

Orphaning ipsec-tools and workrave

2013-11-13 Thread Tomas Mraz
I've orphaned workrave and ipsec-tools in all active branches of Fedora as I do not use them any more. Feel free to take them. Both upstreams are still active although with very low activity. -- Tomas Mraz No matter how far down the wrong road you've gone,

Re: F21 System Wide Change: Headless Java

2013-11-18 Thread Tomas Mraz
only headless Java. I much more believe the maintainers will ignore the bug even if the package requires full Java which will mean that the package gets broken after the mass change. But that's a maintainer ignorance problem then and not just mass breaking packages by a script. -- Tomas Mraz N

Re: Bundled md5 in OCaml

2013-11-21 Thread Tomas Mraz
y, I am not sure it is worth it to replace the bundled copy with a library call. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb (You'll never know whether the road is wrong though.) -- devel mail

Re: Bundled md5 in OCaml

2013-11-21 Thread Tomas Mraz
On Čt, 2013-11-21 at 11:26 +, Richard W.M. Jones wrote: > On Thu, Nov 21, 2013 at 10:29:39AM +0100, Tomas Mraz wrote: > > On St, 2013-11-20 at 20:33 +, Richard W.M. Jones wrote: > > > See: > > > https://github.com/ocaml/ocaml/blob/trunk/byterun/md5.c#L78 >

Re: crypto consolidation status

2013-12-03 Thread Tomas Mraz
e). 1. NSS 2. GNUTLS (with nettle as crypto backend, but nettle never used directly by applications) 3. OpenSSL 4. libgcrypt -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish prove

Re: crypto consolidation status

2013-12-04 Thread Tomas Mraz
On Út, 2013-12-03 at 22:28 +0100, Florian Weimer wrote: > On 12/03/2013 07:58 PM, Tomas Mraz wrote: > > > I'd suggest to follow the "Medium term goals" from the page. That means > > to choose the backend from one of the following libraries (in the order >

Schedule for Wednesday's FESCo Meeting (2014-01-08)

2014-01-08 Thread Tomas Mraz
rectly, or bring it up at the end of the meeting, during the open floor topic. Note that added topics may be deferred until the following meeting. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb (You'l

Summary/Minutes for today's FESCo Meeting (2014-01-08)

2014-01-08 Thread Tomas Mraz
=== #fedora-meeting: FESCO (2014-01-08) === Meeting started by t8m at 18:01:33 UTC. The full logs are available at http://meetbot.fedoraproject.org/fedora-meeting/2014-01-08/fesco.2014-01-08-18.01.log.html . Meeting summary -

Re: Why authconfig create -ac files

2014-01-13 Thread Tomas Mraz
separate file for > the primary config file, thus guaranteeing that authconfig would not > overwrite it. Yes, I want to confirm that as I added this mechanism in place before RHEL-5. It is also described in the manual page system-auth-ac(5). -- Tomas Mraz No matter how far down the wrong

Re: GIT development branches for packagers?

2014-01-15 Thread Tomas Mraz
e/builder/NEVR line, *without* adding a new > > line identifying the new build, date and builder. That way when someone > > comes along and does a new build, they ought to see what should happen - > > they should roll your partial entry into the entry they add for the > >

Re: Summary/Minutes from today's FESCo Meeting (2014-01-15)

2014-01-20 Thread Tomas Mraz
ever I would prefer "fc20-copr". > > I.e. not to use dot as separator. > > That would require changes to RPM -- the "-" has special meaning. We could use underscore "_" instead. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back

Re: System CA certificate trust store management meeting

2016-02-16 Thread Tomas Mraz
On Po, 2016-02-15 at 13:05 +, David Woodhouse wrote: > On Tue, 2016-02-02 at 17:13 +0100, Tomas Mraz wrote: > > Hello, > > for anyone interested in the subject and visiting DevConf in Brno > > on  > > this Friday - we will be holding an informal meeting to gather use

Re: GPG2 as default /usr/bin/gpg

2016-02-17 Thread Tomas Mraz
'd say this should be a Fedora Change and we are past the deadline for Changes proposals. So this will have to be postponed to Fedora 25. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish prove

Re: GPG2 as default /usr/bin/gpg

2016-02-17 Thread Tomas Mraz
e renaming it. What would be your opinion for using alternatives for the /usr/bin/gpg? The problem is that now the keystores are incompatible and it creates big confusion to the users when they see some key in gnupg-1 and do not see it in gnupg-2 and the other way around. -- Tomas Mraz No matter how

Re: GPG2 as default /usr/bin/gpg

2016-02-17 Thread Tomas Mraz
On St, 2016-02-17 at 08:10 -0800, Brian C. Lane wrote: > On Wed, Feb 17, 2016 at 04:51:48PM +0100, Tomas Mraz wrote: > > On St, 2016-02-17 at 07:29 -0800, Brian C. Lane wrote: > > > On Wed, Feb 17, 2016 at 05:52:45AM +, Christopher wrote: > > > >

Re: Storage size unknown on rawhide

2016-10-25 Thread Tomas Mraz
ted in the sources: https://github.com/patch-exchange/openssl-1.1-transition Basically you have to use EVP_CIPHER_CTX_new() and ..._free() to allocate and deallocate the structure and use only pointer. For all the structure members that should be used pub

Re: RFC (round 2): Change the default hostname for Fedora 26+

2016-11-15 Thread Tomas Mraz
ust pull from /dev/random. Please, please, do not mention use of /dev/random at all. Use /dev/urandom. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb

Re: upcoming build and release developer flag day December 12 2016

2016-11-21 Thread Tomas Mraz
t typos. I could probably type them if I typed them slowly but that isn't something I am willing to do. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb (You

Re: Heads up: OpenSSL-1.1.1e coming to Rawhide

2020-03-24 Thread Tomas Mraz
On Sun, 2020-03-22 at 17:29 +0100, Miro Hrončok wrote: > On 19. 03. 20 17:31, Tomas Mraz wrote: > > The new openssl-1.1.1e is coming to Rawhide. > > > > It reports premature EOF/improper shutdown on TLS connections more > > properly. However this might make some d

Re: Heads up: OpenSSL-1.1.1e coming to Rawhide

2020-03-24 Thread Tomas Mraz
On Tue, 2020-03-24 at 09:52 -0400, Charalampos Stratakis wrote: > > - Original Message - > > From: "Tomas Mraz" > > To: "Miro Hrončok" , "Development discussions > > related to Fedora" > > Cc: "python-maint"

Re: Heads up: OpenSSL-1.1.1e coming to Rawhide

2020-03-26 Thread Tomas Mraz
On Wed, 2020-03-25 at 09:34 +0100, Miro Hrončok wrote: > On 24. 03. 20 13:22, Tomas Mraz wrote: > > Most probably we will revert this > > change in upstream 1.1.1 branch and I will update the rawhide build > > with the revert patch as well. > > Can this please happ

Re: Heads up: OpenSSL-1.1.1e coming to Rawhide

2020-03-26 Thread Tomas Mraz
On Thu, 2020-03-26 at 17:11 +0100, Miro Hrončok wrote: > On 26. 03. 20 17:07, Tomas Mraz wrote: > > On Wed, 2020-03-25 at 09:34 +0100, Miro Hrončok wrote: > > > On 24. 03. 20 13:22, Tomas Mraz wrote: > > > > Most probably we will revert this > > > >

Re: Fedora 33 System-Wide Change proposal: OpenSSL 3.0

2020-04-08 Thread Tomas Mraz
On Wed, 2020-04-08 at 10:38 +0200, Miro Hrončok wrote: > On 07. 04. 20 23:31, Ben Cotton wrote: > > * Proposal owners: Provide a compat-openssl11 package, identify > > dependent packages, provide the rebased openssl package, work with > > dependent package owners on rebuilds. > > Thanks for doing

Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-04-16 Thread Tomas Mraz
On Wed, 2020-04-15 at 10:02 -0500, Michael Catanzaro wrote: > On Wed, Apr 15, 2020 at 1:38 pm, Florian Weimer > wrote: > > Not sure if that's compatible with the new split DNS model because > > VPN1 > > could simply start pushing longer names in the scope of VPN2, thus > > hijacking internal tra

Re: Python 2 exodus is happening now

2019-11-19 Thread Tomas Mraz
On Fri, 2019-11-15 at 02:02 +0100, Miro Hrončok wrote: > system-config-rootpassword Fixed to use python3 in system-config-rootpassword-1.99.6-21.fc32, please do not retire. -- Tomáš Mráz No matter how far down the wrong road you've gone, turn back. T

compat-openssl10 is now orphaned

2019-08-05 Thread Tomas Mraz
This is just an announcement that the compat-openssl10 package is now orphaned. -- Tomáš Mráz No matter how far down the wrong road you've gone, turn back. Turkish proverb [You'll know whether the road is wrong if you carefully listen to your conscien

Heads up: OpenSSL-1.1.1e coming to Rawhide

2020-03-19 Thread Tomas Mraz
The new openssl-1.1.1e is coming to Rawhide. It reports premature EOF/improper shutdown on TLS connections more properly. However this might make some dependencies broken in build tests (such as Ruby). As I would like to eventually update the openssl also on stable branches because it brings many

Re: How to submit Root CA to ship with Fedora

2019-04-24 Thread Tomas Mraz
On Wed, 2019-04-24 at 09:15 +0200, Dominik 'Rathann' Mierzejewski wrote: > Hi, > > On Wednesday, 24 April 2019 at 08:05, Danishka Navin wrote: > > Sri Lanka Cert is gonna implement local Root CA. > > How we can submit this Root CA with Fedora? > > > > I could not find enough information on this.

Re: Can we maybe reduce the set of packages we install by default a bit?

2019-04-24 Thread Tomas Mraz
On Wed, 2019-04-24 at 14:16 +0200, Lennart Poettering wrote: > On Mi, 24.04.19 12:37, Nikos Mavrogiannopoulos (n...@redhat.com) > wrote: > > > > As mentioned before: systemd itself already needs entropy itself > > > (it > > > assigns a random 128bit id to each service invocation, dubbed the > > >

Re: Removal of krb5-devel from "stable" F29 buidroot broke my package

2019-05-17 Thread Tomas Mraz
On Thu, 2019-05-16 at 07:50 +0200, Vít Ondruch wrote: > Dne 15. 05. 19 v 17:29 Dominique Martinet napsal(a): > > Michal Schorm wrote on Wed, May 15, 2019 at 05:14:23PM +0200: > > > Another possible cause came up my mind. > > > > > > Another package in the buildroot could have brought it as a > > >

Re: rpmlint warning: crypto-policy-non-compliance-gnutls-1

2019-05-27 Thread Tomas Mraz
Anderson, FYI. Could you please answer the question below? On Fri, 2019-05-24 at 17:58 +0100, Richard W.M. Jones wrote: > > libnbd.x86_64: W: crypto-policy-non-compliance-gnutls-1 > > /usr/lib64/libnbd.so.0.0.0 gnutls_priority_set_direct > > This application package calls a function to explicitly

Re: Fedora 31 System-Wide Change proposal: Switch RPMs to zstd compression

2019-05-31 Thread Tomas Mraz
On Thu, 2019-05-30 at 16:18 -0400, Neal Gompa wrote: > > That said, I'm less happy about the thought that inspecting Fedora > RPMs on RHEL 8 or openSUSE is going to be a royal pain. > Ecosystem-wise, no one really prepared for a distribution to switch > to > zstd so quickly. Thankfully, it's easie

Re: wpa supplicant using /dev/random

2019-06-06 Thread Tomas Mraz
On Wed, 2019-06-05 at 16:38 -0600, Chris Murphy wrote: > Jun 05 15:53:25 fmac.local kernel: random: crng init done > Jun 05 15:53:25 fmac.local kernel: random: 7 urandom warning(s) > missed > due to ratelimiting > Jun 05 15:53:25 fmac.local wpa_supplicant[1000]: random: Cannot read > from /dev/rand

Re: F31 Self-Contained Change proposal: Custom Crypto Policies

2019-06-19 Thread Tomas Mraz
On Wed, 2019-06-19 at 10:19 +0200, Vít Ondruch wrote: > Dne 18. 06. 19 v 21:50 Ben Cotton napsal(a): > > https://fedoraproject.org/wiki/Changes/CustomCryptoPolicies > > > > == Summary == > > This new feature of crypto-policies allows system administrators > > and > > third party providers to modif

Re: F31 Self-Contained Change proposal: Custom Crypto Policies

2019-06-19 Thread Tomas Mraz
On Wed, 2019-06-19 at 12:49 +0200, Vít Ondruch wrote: > Dne 19. 06. 19 v 12:00 Tomas Mraz napsal(a): > > On Wed, 2019-06-19 at 10:19 +0200, Vít Ondruch wrote: > > > Dne 18. 06. 19 v 21:50 Ben Cotton napsal(a): > > > > https://fedoraproject.org/wik

Re: F31 Self-Contained Change proposal: Custom Crypto Policies

2019-06-19 Thread Tomas Mraz
On Wed, 2019-06-19 at 12:38 +0200, Vít Ondruch wrote: > Dne 18. 06. 19 v 21:50 Ben Cotton napsal(a): > > == How To Test == > > > > This will be tested as part of the upstream crypto-policies > > testsuite. > > I think this section should describe, how I, as a Fedora user, am > supposed to test th

Re: Fedora 31 System-Wide Change proposal: Switch RPMs to zstd compression

2019-06-25 Thread Tomas Mraz
On Tue, 2019-06-25 at 07:16 -0400, Nico Kadel-Garcia wrote: > On Wed, Jun 19, 2019 at 9:31 AM Panu Matilainen > wrote: > > On 6/19/19 1:51 PM, Aleš Matěj wrote: > > > > At this point, the drpm library is the only blocker for zstd > > > > payloads, > > > > since createrepo_c needs to be able to han

Re: Fedora 31 Self-Contained Change proposal: Limit Scriptlet Usage of core packages

2019-07-04 Thread Tomas Mraz
On Mon, 2019-07-01 at 17:18 -0400, James Antill wrote: > On Mon, 2019-07-01 at 17:03 -0400, Robbie Harwood wrote: > > Ben Cotton writes: > > > > > == Detailed Description == > > > > > > Currently we know how to make an installable OS with packages > > > that > > > doesn't require the use of scri

Re: Fedora 31 Self-Contained Change proposal: Limit Scriptlet Usage of core packages

2019-07-04 Thread Tomas Mraz
On Thu, 2019-07-04 at 09:03 -0700, Adam Williamson wrote: > On Thu, 2019-07-04 at 11:38 +0200, Tomas Mraz wrote: > > OK, let's talk about concrete package: crypto-policies needs to run > > update-crypto-policies --no-check >/dev/null > > > > It currently does i

You can now test/use the crypto policy of future Fedora releases

2018-08-13 Thread Tomas Mraz
The current [0] crypto-policies in Rawhide contain additional policy named as NEXT. You can switch the system to it as root via command: update-crypto-policies --set NEXT The difference to the current DEFAULT policy is that TLS versions 1.0 and 1.1 are disabled and the minimum key length of RSA k

Re: Koji: builds fails with "error retrieving sources"

2018-09-21 Thread Tomas Mraz
On Fri, 2018-09-21 at 10:33 -0400, Scott Talbert wrote: > On Fri, 21 Sep 2018, Scott Talbert wrote: > > > > https://koji.fedoraproject.org/koji/taskinfo?taskID=29796611 > > > > > > It's not very clear what the actual error is, but I am fairly > > > sure > > > that I have uploaded the correct sour

Re: Fedora 30 System-Wide Change Proposal: GnuPG2 as default GPG implementation

2018-11-26 Thread Tomas Mraz
On Mon, 2018-11-26 at 09:59 -0500, Ben Cotton wrote: > https://fedoraproject.org/wiki/Changes/GnuPG2_as_default_GPG_implemen > tation > > == Summary == > The /usr/bin/gpg path representing the main GPG implementation will > now use GnuPG 2 instead of GnuPG 1. I, as the primary maintainer of the g

compat-openssl11 vs openssl1.1

2020-09-15 Thread Tomas Mraz
Hi Fedora developers, we need to introduce temporarily a compat package for OpenSSL as it is going to be rebased to the 3.0 version in Rawhide once the 3.0 release is stable. The 3.0 version should not break API from the 1.1.1, it just breaks the ABI, so rebuilds should be quite easy. Of course t

Re: compat-openssl11 vs openssl1.1

2020-09-16 Thread Tomas Mraz
On Tue, 2020-09-15 at 19:33 +0200, Miro Hrončok wrote: > On 15. 09. 20 19:26, Tomas Mraz wrote: > > What is more important? Consistency between those two compat > > packages > > or strictly following the naming rules for the new package? > > Why not both? I.e. r

Re: F27 Self Contained Change: Authselect: new tool to replace authconfig

2017-07-19 Thread Tomas Mraz
On Tue, 2017-07-18 at 20:30 +0100, Tom Hughes wrote: > On 18/07/17 15:26, Stephen Gallagher wrote: > > > On Tue, Jul 18, 2017 at 10:17 AM Tom Hughes > > wrote: > > > > Well none of my newly upgraded F26 machines appear to be > > running it ;-) > > > > I said "default

Re: tcp_wrappers deprecation

2017-08-16 Thread Tomas Mraz
On 08/16/2017 11:37 AM, Michal Sekletar wrote: > On Tue, Aug 15, 2017 at 1:58 PM, Jakub Jelen wrote: > >> >> So can we discuss it now once more without the affiliation to systemd? >> The fact is that we still do not have any other replacement except >> firewalls. But do we need one? >> > > IIRC,

Re: GnuPG 2.2.0 and replacement of GnuPG1

2017-09-04 Thread Tomas Mraz
On Sun, 2017-09-03 at 13:45 +0200, Igor Gnatenko wrote: > GnuPG 2.2.0 has --enable-gpg-is-gpg2 which would install compat > symlink >  from /usr/bin/gpg to /usr/bin/gpg2.. > > Is it time to retire gnupg (v1) ? I really do not care. If the gpg v1 is still maintained upstream and there is somebody

Re: How should we handle gnupg v1.4.X as gpg1?

2017-10-11 Thread Tomas Mraz
On Wed, 2017-10-11 at 05:33 +, Christopher wrote: > On Tue, Oct 10, 2017 at 5:44 PM Dominik 'Rathann' Mierzejewski < > domi...@greysector.net> wrote: > > > On Tuesday, 10 October 2017 at 20:57, Christopher wrote: > > > On Tue, Oct 10, 2017 at 1:04 PM Brian C. Lane > > > wrote: > > > > > > >

Heads Up - openssl makefile and scripts for creating self signed certificates

2017-10-24 Thread Tomas Mraz
that depend on openssl whether they currently use the makefile or the scripts to create self signed certificate for the service. Tomas Mraz ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to dev

Re: Heads Up - openssl makefile and scripts for creating self signed certificates

2017-10-24 Thread Tomas Mraz
On 10/24/2017 04:23 PM, Tomas Mraz wrote: > I was asked here to merge pull request that moves the openssl makefile > and scripts for creating self signed certificates to /usr/share/doc. > > I am not sure this is the right thing to do as these are definitely > still used currently

Re: how to replace ssl with ssh2 in kqoauth

2017-11-30 Thread Tomas Mraz
On Thu, 2017-11-30 at 13:49 +, Martin Gansser wrote: > Is it possible to compile kQOAuth [1] with ssh2 by using openssl, as > it always comes to conflict between compat-openssl10 and openssl.  > I have already searched in the sources of kqoauth for the places > where ssl is referenced. > > $ g

Re: how to replace ssl with ssh2 in kqoauth

2017-12-01 Thread Tomas Mraz
On Fri, 2017-12-01 at 06:40 -0600, Rex Dieter wrote: > Tomas Mraz wrote: > > > Compat-openssl10-devel will be removed at the latest by Fedora 29 > > and > > anything that requires it will be no longer buildable. > > That's the first I've seen or heard

Re: F29 System Wide Change: Strong crypto settings: phase 2

2018-06-05 Thread Tomas Mraz
On Tue, 2018-06-05 at 16:11 +, Christian Stadelmann wrote: > "Fallback option" always smells like "protocol downgrade attack". > This would undermine the idea of a crypto policy. Anyway, > implementing it seems way out of scope for the crypto policy. Yes, a fallback option is a no-way. You can

Re: F29 System Wide Change: Strong crypto settings: phase 2

2018-06-05 Thread Tomas Mraz
On Tue, 2018-06-05 at 08:08 -0700, Adam Williamson wrote: > On Tue, 2018-06-05 at 11:16 +0200, Nikos Mavrogiannopoulos wrote: > > On Mon, 2018-06-04 at 11:46 -0700, Adam Williamson wrote: > > > On Fri, 2018-06-01 at 13:40 +0200, Jan Kurik wrote: > > > > = Proposed System Wide Change: Strong crypto

Re: F29 System Wide Change: Strong crypto settings: phase 2

2018-06-07 Thread Tomas Mraz
On Tue, 2018-06-05 at 11:54 -0500, mcatanz...@gnome.org wrote: > On Fri, Jun 1, 2018 at 6:40 AM, Jan Kurik wrote: > > and weak > > Diffie-Hellman key exchange sizes (1024 bit) > > What size is currently required by upstream Firefox and Chrome? > > The most recent reference I could find is > htt

Re: F29 System Wide Change: Strong crypto settings: phase 2

2018-06-07 Thread Tomas Mraz
On Wed, 2018-06-06 at 12:05 +, Petr Pisar wrote: > On 2018-06-05, John Florian wrote: > > Makes sense, but what is the best way to deal with such old HW if > > you're > > stuck with it? I don't want to compromise my workstation for all > > my > > normal needs just to deal with some ancient

Re: F29 System Wide Change: Strong crypto settings: phase 2

2018-06-07 Thread Tomas Mraz
On Tue, 2018-06-05 at 16:34 -0400, John Florian wrote: > On 06/05/2018 12:25 PM, Tomas Mraz wrote: > > On Tue, 2018-06-05 at 16:11 +, Christian Stadelmann wrote: > > > "Fallback option" always smells like "protocol downgrade attack". > > > T

Re: F29 System Wide Change: Strong crypto settings: phase 2

2018-06-08 Thread Tomas Mraz
On Thu, 2018-06-07 at 16:13 -0400, John Florian wrote: > On 06/07/2018 08:44 AM, Tomas Mraz wrote: > > On Tue, 2018-06-05 at 16:34 -0400, John Florian wrote: > > > On 06/05/2018 12:25 PM, Tomas Mraz wrote: > > > > On Tue, 2018-06-05 at 16:11 +, Christian Stadelm

Re: F29 System Wide Change: Strong crypto settings: phase 2

2018-06-11 Thread Tomas Mraz
On Sat, 2018-06-09 at 20:49 -0400, John Florian wrote: > On 06/08/2018 04:07 AM, Tomas Mraz wrote: > > On Thu, 2018-06-07 at 16:13 -0400, John Florian wrote: > > > On 06/07/2018 08:44 AM, Tomas Mraz wrote: > > > > On Tue, 2018-06-05 at 16:34 -0400, John Florian wrote:

Re: F29 System Wide Change: Strong crypto settings: phase 2

2018-06-12 Thread Tomas Mraz
On Tue, 2018-06-12 at 16:01 +0200, Kai Engert wrote: > On 06/11/18 15:14, Tomas Mraz wrote: > > > Okay, so IIUC now, this is an all-or-nothing kind of change. If > > > I > > > elect/need to use LEGACY to administer some old hardware that I > > > cann

Re: F29 System Wide Change: Strong crypto settings: phase 2

2018-06-14 Thread Tomas Mraz
On Wed, 2018-06-13 at 00:45 -0400, Paul Wouters wrote: > On Wed, 6 Jun 2018, Nikos Mavrogiannopoulos wrote: > > > I think the debate here is whether fedora (and in general operating > > systems) can afford to be stricter than the browsers. As an OS our > > attack surface is much larger than the br
