Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shadow for openSUSE:Factory checked in at 2026-01-20 21:02:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shadow (Old)
 and /work/SRC/openSUSE:Factory/.shadow.new.1928 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shadow" Tue Jan 20 21:02:15 2026 rev:81 rq:1328142 version:4.19.2 Changes: -------- --- /work/SRC/openSUSE:Factory/shadow/shadow.changes 2025-12-16 15:49:32.885764453 +0100 +++ /work/SRC/openSUSE:Factory/.shadow.new.1928/shadow.changes 2026-01-20 21:02:19.518531971 +0100 
@@ -1,0 +2,124 @@ +Mon Jan 19 13:39:42 UTC 2026 - Michael Vetter <[email protected]> + +- Update to 4.19.2: + Regression fixes usermod(8): + * Revert an incorrect commit. See #1509 and #1510. + +------------------------------------------------------------------- +Mon Jan 19 13:38:37 UTC 2026 - Michael Vetter <[email protected]> + +- Update to 4.19.1: + Regression fixes in chpasswd(8): + * Don't reject leading '!' in password hashes or a hash consisting + of "*". These were accidentally rejected in 4.19.0. + See #1483 and #1486. + * Don't reject a passwordless account ("" or "!"). + See #1483 (comment) and #1505. + +------------------------------------------------------------------- +Wed Dec 31 10:50:15 UTC 2025 - Michael Vetter <[email protected]> + +- Update to 4.19.0: + Breaking changes: + * Remove support for escaped newlines in configuration files. + It never worked correctly. + b0a7ce5 (2025-12-05; "lib/, po/: Remove fgetsx() and fputsx()") + * Some user names and group names are too dangerous and are rejected, + even with --badname. + 25aea74 (2025-12-25; "lib/chkname.c, src/: Strictly disallow really bad names") + Future breaking changes: + * SHA512 and SHA256 will be supported unconditionally in the next + release. The build-time flag '--with-sha-crypt' will be removed. + See #1452. + Support: + * Several years ago, there were talks about deprecating su(1) and + login(1), back when this project was maintained as part of Debian. + However, nothing was clearly stated, and there were doubts about the + status of these programs. Let's clarify them now. + * Our implementations of su(1) and login(1) are fully supported, and we + don't have any plans to remove them. They are NOT deprecated. + See #464. + Deprecations: + * groupmems(8) + The program will be removed in a future release. + See #1343. + * logoutd(8) + The program will be removed in the next release. + See #999, + and #1344. 
+ * DES + This hashing algorithm has been deprecated for a long time, + and support for it will be removed in a future release. + See #1456 + * MD5 + This hashing algorithm has been deprecated for a long time, + and support for it will be removed in a future release. + See #1457 + * login.defs(5): MD_CRYPT_ENAB + This feature had been deprecated for decades. It will be + removed in a future release. + The command-line equivalents (-m, --md5) of this feature in + chpasswd(8) and chgpasswd(8) will also be removed in a future + release. + See #1455. + * login.defs(5): PASS_MAX_LEN + This feature is ignored except for DES. Once DES is removed, + it makes no sense keeping it. It may be removed in a future + release. + * Password aging + Scientific research shows that periodic password expiration + leads to predictable password patterns, and that even in a + theoretical scenario where that wouldn't happen the gains in + security are mathematically negligible. + https://people.scs.carleton.ca/~paulv/papers/expiration-authorcopy.pdf + * Modern security standards, such as NIST SP 800-63B-4 in the USA, + prohibit periodic password expiration. + https://pages.nist.gov/800-63-4/sp800-63b.html#passwordver + https://pages.nist.gov/800-63-FAQ/#q-b05 + https://www.ncsc.gov.uk/collection/passwords/updating-your-approach#PasswordGuidance:UpdatingYourApproach-Don'tenforceregularpasswordexpiry + * To align with these, we're deprecating the ability to + periodically expire passwords. The specifics and long-term + roadmap are currently being discussed, and we invite feedback + from users, particularly from those in regulated environments. + See #1432. 
+ * This deprecation includes the following programs and features: + + expiry(1) + + chage(1): + -I,--inactive (also the interactive version) + -m,--mindays (also the interactive version) + -M,--maxdays (also the interactive version) + -W,--warndays (also the interactive version) + + passwd(1): + -k,--keep-tokens + -n,--mindays + -x,--maxdays + -i,--inactive + -w,--warndays + + useradd(8): + -f,--inactive + + usermod(8): + -f,--inactive + + login.defs(5): + PASS_MIN_DAYS + PASS_MAX_DAYS + PASS_WARN_AGE + + /etc/default/useradd: + INACTIVE + + shadow(5): + sp_lstchg: Restrict to just the values 0 and empty. + sp_min + sp_max + sp_warn + sp_inact + * We recognize that many users operate in environments with + regulatory or contractual requirements that still mandate + password aging. To minimize disruption, these features will + remain functional for a significant period. However, we + encourage administrators to review their internal policies, + talk to their regulators if appropriate, and participate in the + roadmap discussion linked above. +- Update patches: + * shadow-login_defs-suse.patch + * shadow-login_defs-unused-by-pam.patch + +------------------------------------------------------------------- Old: ---- shadow-4.18.0.tar.xz shadow-4.18.0.tar.xz.asc New: ---- shadow-4.19.2.tar.xz shadow-4.19.2.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shadow.spec ++++++ --- /var/tmp/diff_new_pack.9rZLm5/_old 2026-01-20 21:02:20.990597878 +0100 +++ /var/tmp/diff_new_pack.9rZLm5/_new 2026-01-20 21:02:20.994598057 +0100 @@ -1,7 +1,7 @@ # # spec file for package shadow # -# Copyright (c) 2025 SUSE LLC and contributors +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -22,7 +22,7 @@ %define no_config 1 %endif Name: shadow -Version: 4.18.0 +Version: 4.19.2 Release: 0 Summary: Utilities to Manage User and Group Accounts License: BSD-3-Clause AND GPL-2.0-or-later @@ -154,6 +154,7 @@ --with-selinux \ --without-libcrack \ --without-libbsd \ + --disable-logind \ %if 0%{?suse_version} >= 1600 --without-sssd \ %endif ++++++ shadow-4.18.0.tar.xz -> shadow-4.19.2.tar.xz ++++++ ++++ 111978 lines of diff (skipped) ++++++ shadow-login_defs-suse.patch ++++++ --- /var/tmp/diff_new_pack.9rZLm5/_old 2026-01-20 21:02:29.890974125 +0100 +++ /var/tmp/diff_new_pack.9rZLm5/_new 2026-01-20 21:02:29.914975118 +0100 @@ -107,7 +107,7 @@ # # Tell login to only re-prompt for the password if authentication -@@ -207,18 +210,9 @@ LOGIN_TIMEOUT 60 +@@ -207,20 +210,6 @@ LOGIN_TIMEOUT 60 CHFN_RESTRICT rwh # @@ -117,19 +117,19 @@ -# Set to "no" if you need to copy encrypted passwords to other systems -# which don't understand the new algorithm. Default is "no". -# --# Note: If you use PAM, it is recommended to use a value consistent with +-# Note: if you use PAM, it is recommended to use a value consistent with -# the PAM modules configuration. -# -# This variable is deprecated. You should use ENCRYPT_METHOD instead. -+# This variable is deprecated. Use ENCRYPT_METHOD instead! - # +-# -#MD5_CRYPT_ENAB no -+#MD5_CRYPT_ENAB DO_NOT_USE - - # +- +-# # If set to MD5, MD5-based algorithm will be used for encrypting password -@@ -233,7 +227,7 @@ CHFN_RESTRICT rwh - # Note: If you use PAM, it is recommended to use a value consistent with + # If set to SHA256, SHA256-based algorithm will be used for encrypting password + # If set to SHA512, SHA512-based algorithm will be used for encrypting password +@@ -233,7 +222,7 @@ CHFN_RESTRICT rwh + # Note: if you use PAM, it is recommended to use a value consistent with # the PAM modules configuration. # -#ENCRYPT_METHOD DES 
@@ -137,7 +137,7 @@ # # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. -@@ -299,7 +293,7 @@ USERGROUPS_ENAB yes +@@ -299,7 +288,7 @@ USERGROUPS_ENAB yes # This option is overridden with the -M or -m flags on the useradd(8) # command-line. # ++++++ shadow-login_defs-unused-by-pam.patch ++++++ --- /var/tmp/diff_new_pack.9rZLm5/_old 2026-01-20 21:02:29.946976443 +0100 +++ /var/tmp/diff_new_pack.9rZLm5/_new 2026-01-20 21:02:29.950976609 +0100 @@ -192,7 +192,7 @@ -# -# Number of significant characters in the password for crypt(). -# Default is 8, don't change unless your crypt() is better. --# Ignored if MD5_CRYPT_ENAB set to "yes". +-# Only used for DES encryption algorithm. -# -#PASS_MAX_LEN 8 -
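Review bot: In the shadow.changes hunk, the 4.19.1 entry carries "See #1483 (comment) and #1505", where "(comment)" is left over from a hyperlink in the upstream release notes and points nowhere in plain text. The bare "#NNNN" references throughout the three new entries are also ambiguous in a .changes file, since nothing marks them as upstream issue numbers rather than distribution bug ids. Either drop "(comment)" or replace it with the full comment URL, and qualify the issue numbers with the upstream tracker so they can be followed from the changelog alone.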
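Review bot: The shadow.spec hunk at "@@ -154,6 +154,7 @@" adds "--disable-logind \" to the configure flags, but none of the three new shadow.changes entries mentions it; they list only the version updates and "Update patches". A build-time switch that changes how the tools interact with session tracking should have its own changelog line stating why it is disabled here, and a short comment next to the flag in the spec would help the next person who touches the configure call.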
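Review bot: In shadow-login_defs-suse.patch, the hunk that used to be "@@ -207,18 +210,9 @@" is now "@@ -207,20 +210,6 @@": the previous revision kept a stub ("This variable is deprecated. Use ENCRYPT_METHOD instead!" and "#MD5_CRYPT_ENAB DO_NOT_USE"), while the refreshed patch removes the MD5_CRYPT_ENAB stanza from the shipped login.defs entirely. The changelog records this only as "Update patches", although the upstream notes quoted in the same entry say MD_CRYPT_ENAB is deprecated and not yet removed. Please state in shadow.changes that the stanza is dropped from the default login.defs, so that administrators who still carry the setting in a modified file know the packaged default no longer documents it and that ENCRYPT_METHOD is the supported knob.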
