Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package crypto-policies for openSUSE:Factory
checked in at 2021-10-01 22:28:56
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/crypto-policies (Old)
and /work/SRC/openSUSE:Factory/.crypto-policies.new.2443 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "crypto-policies"
Fri Oct 1 22:28:56 2021 rev:2 rq:921687 version:20210917.c9d86d1
Changes:
--------
--- /work/SRC/openSUSE:Factory/crypto-policies/crypto-policies.changes
2021-03-03 18:33:55.555336339 +0100
+++
/work/SRC/openSUSE:Factory/.crypto-policies.new.2443/crypto-policies.changes
2021-10-01 22:29:00.233368559 +0200
@@ -1,0 +2,53 @@
+Fri Sep 24 11:30:21 UTC 2021 - Pedro Monreal <[email protected]>
+
+- Remove the scripts and documentation regarding
+ fips-finish-install and test-fips-setup
+ * Add crypto-policies-FIPS.patch
+
+-------------------------------------------------------------------
+Fri Sep 24 09:34:03 UTC 2021 - Pedro Monreal <[email protected]>
+
+- Update to version 20210917.c9d86d1:
+ * openssl: fix disabling ChaCha20
+ * pacify pylint 2.11: use format strings
+ * pacify pylint 2.11: specify explicit encoding
+ * fix minor things found by new pylint
+ * update-crypto-policies: --check against regenerated
+ * update-crypto-policies: fix --check's walking order
+ * policygenerators/gnutls: revert disabling DTLS0.9...
+ * policygenerators/java: add javasystem backend
+ * LEGACY: bump 1023 key size to 1024
+ * cryptopolicies: fix 'and' in deprecation warnings
+ * *ssh: condition ecdh-sha2-nistp384 on SECP384R1
+ * nss: hopefully the last fix for nss sigalgs check
+ * cryptopolicies: Python 3.10 compatibility
+ * nss: postponing check + testing at least something
+ * Rename 'policy modules' to 'subpolicies'
+ * validation.rules: fix a missing word in error
+ * cryptopolicies: raise errors right after warnings
+ * update-crypto-policies: capitalize warnings
+ * cryptopolicies: syntax-precheck scope errors
+ * .gitlab-ci.yml, Makefile: enable codespell
+ * all: fix several typos
+ * docs: don't leave zero TLS/DTLS protocols on
+ * openssl: separate TLS/DTLS MinProtocol/MaxProtocol
+ * alg_lists: order protocols new-to-old for consistency
+ * alg_lists: max_{d,}tls_version
+ * update-crypto-policies: fix pregenerated + local.d
+ * openssh: allow validation with pre-8.5
+ * .gitlab-ci.yml: run commit-range against upstream
+ * openssh: Use the new name for PubkeyAcceptedKeyTypes
+ * sha1_in_dnssec: deprecate
+ * .gitlab-ci.yml: test commit ranges
+ * FIPS:OSPP: sign = -*-SHA2-224
+ * scoped policies: documentation update
+ * scoped policies: use new features to the fullest...
+ * scoped policies: rewrite + minimal policy changes
+ * scoped policies: rewrite preparations
+ * nss: postponing the version check again, to 3.64
+- Remove patches fixed upstream: crypto-policies-typos.patch
+- Rebase: crypto-policies-test_supported_modules_only.patch
+- Merge crypto-policies-asciidoc.patch into
+ crypto-policies-no-build-manpages.patch
+
+-------------------------------------------------------------------
Old:
----
crypto-policies-asciidoc.patch
crypto-policies-typos.patch
fedora-crypto-policies-20210225.05203d2.tar.gz
New:
----
crypto-policies-FIPS.patch
fedora-crypto-policies-20210917.c9d86d1.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ crypto-policies.spec ++++++
--- /var/tmp/diff_new_pack.iS424I/_old 2021-10-01 22:29:00.825369652 +0200
+++ /var/tmp/diff_new_pack.iS424I/_new 2021-10-01 22:29:00.825369652 +0200
@@ -1,7 +1,7 @@
#
# spec file for package crypto-policies
#
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@
%global _python_bytecompile_extra 0
Name: crypto-policies
-Version: 20210225.05203d2
+Version: 20210917.c9d86d1
Release: 0
Summary: System-wide crypto policies
License: LGPL-2.1-or-later
@@ -28,18 +28,23 @@
Source1: README.SUSE
Source2: crypto-policies.7.gz
Source3: update-crypto-policies.8.gz
-Patch0: crypto-policies-asciidoc.patch
-Patch1: crypto-policies-typos.patch
-Patch2: crypto-policies-test_supported_modules_only.patch
-Patch3: crypto-policies-no-build-manpages.patch
+Patch0: crypto-policies-test_supported_modules_only.patch
+Patch1: crypto-policies-no-build-manpages.patch
+Patch2: crypto-policies-FIPS.patch
BuildRequires: python3-base
+# For testing, the following buildrequires need to be uncommented.
# BuildRequires: asciidoc
+# BuildRequires: bind
# BuildRequires: gnutls >= 3.6.0
# BuildRequires: java-devel
# BuildRequires: libxslt
# BuildRequires: openssl
# BuildRequires: perl
+# BuildRequires: python3-coverage
# BuildRequires: python3-devel >= 3.6
+# BuildRequires: python3-flake8
+# BuildRequires: python3-pylint
+# BuildRequires: python3-pytest
# BuildRequires: perl(File::Copy)
# BuildRequires: perl(File::Temp)
# BuildRequires: perl(File::Which)
@@ -102,6 +107,11 @@
# Drop pre-generated GOST-ONLY policy, we do not need to ship the files
rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY
+# Remove fips-finish-install and test-fips-setup scripts and man
+find -type f -name fips-finish-install -delete
+find -type f -name fips-finish-install.8.txt -delete
+find -type f -name test-fips-setup.sh -delete
+
# Create back-end configs for mounting with read-only /etc/
for d in LEGACY DEFAULT FUTURE FIPS ; do
mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d
@@ -119,7 +129,7 @@
cp %{SOURCE1} %{buildroot}%{_sysconfdir}/crypto-policies
%check
-%make_build check || :
+%make_build test || :
%post -p <lua>
if not posix.access("%{_sysconfdir}/crypto-policies/config") then
@@ -175,6 +185,7 @@
%ghost %config(missingok,noreplace)
%{_sysconfdir}/crypto-policies/back-ends/nss.config
%ghost %config(missingok,noreplace)
%{_sysconfdir}/crypto-policies/back-ends/bind.config
%ghost %config(missingok,noreplace)
%{_sysconfdir}/crypto-policies/back-ends/java.config
+%ghost %config(missingok,noreplace)
%{_sysconfdir}/crypto-policies/back-ends/javasystem.config
%ghost %config(missingok,noreplace)
%{_sysconfdir}/crypto-policies/back-ends/krb5.config
%ghost %config(missingok,noreplace)
%{_sysconfdir}/crypto-policies/back-ends/libreswan.config
%ghost %config(missingok,noreplace)
%{_sysconfdir}/crypto-policies/back-ends/libssh.config
++++++ README.SUSE ++++++
--- /var/tmp/diff_new_pack.iS424I/_old 2021-10-01 22:29:00.857369711 +0200
+++ /var/tmp/diff_new_pack.iS424I/_new 2021-10-01 22:29:00.857369711 +0200
@@ -1,2 +1,2 @@
-Currently only OpenSSL, GnuTLS, and NSS policies are supported.
+Currently only OpenSSL and GnuTLS policies are supported.
The rest of the modules ignore the policy settings for the time being.
++++++ _service ++++++
--- /var/tmp/diff_new_pack.iS424I/_old 2021-10-01 22:29:00.877369749 +0200
+++ /var/tmp/diff_new_pack.iS424I/_new 2021-10-01 22:29:00.877369749 +0200
@@ -4,7 +4,7 @@
<param name="scm">git</param>
<param name="versionformat">%cd.%h</param>
<param name="changesgenerate">enable</param>
- <param name="revision">05203d21f6d0ea9bbdb351e4600f1e273720bb8e</param>
+ <param name="revision">c9d86d1154c4b286c9be3d5e9e32451df6f64e19</param>
</service>
<service name="recompress" mode="disabled">
<param name="file">*.tar</param>
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.iS424I/_old 2021-10-01 22:29:00.893369778 +0200
+++ /var/tmp/diff_new_pack.iS424I/_new 2021-10-01 22:29:00.897369785 +0200
@@ -1,4 +1,4 @@
<servicedata>
<service name="tar_scm">
<param
name="url">https://gitlab.com/redhat-crypto/fedora-crypto-policies.git</param>
- <param
name="changesrevision">05203d21f6d0ea9bbdb351e4600f1e273720bb8e</param></service></servicedata>
\ No newline at end of file
+ <param
name="changesrevision">c9d86d1154c4b286c9be3d5e9e32451df6f64e19</param></service></servicedata>
\ No newline at end of file
++++++ crypto-policies-FIPS.patch ++++++
Index: fedora-crypto-policies/Makefile
===================================================================
--- fedora-crypto-policies.orig/Makefile
+++ fedora-crypto-policies/Makefile
@@ -5,8 +5,8 @@ MANDIR?=/usr/share/man
CONFDIR?=/etc/crypto-policies
DESTDIR?=
MAN7PAGES=crypto-policies.7
-MAN8PAGES=update-crypto-policies.8 fips-finish-install.8 fips-mode-setup.8
-SCRIPTS=update-crypto-policies fips-finish-install fips-mode-setup
+MAN8PAGES=update-crypto-policies.8 fips-finish-install.8
+SCRIPTS=update-crypto-policies fips-finish-install
NUM_PROCS = $$(getconf _NPROCESSORS_ONLN)
PYVERSION = -3
DIFFTOOL?=meld
Index: fedora-crypto-policies/crypto-policies.7.txt
===================================================================
--- fedora-crypto-policies.orig/crypto-policies.7.txt
+++ fedora-crypto-policies/crypto-policies.7.txt
@@ -144,9 +144,6 @@ PROVIDED POLICIES
*FIPS*::
A policy to aid conformance to the *FIPS 140-2* requirements.
- This policy is used internally by the *fips-mode-setup(8)* tool
- which can switch the system into the *FIPS 140-2* mode.
- This policy provides at least 112-bit security.
* MACs: all *HMAC* with *SHA1* or better
* Curves: all prime >= 256 bits
@@ -255,12 +252,6 @@ COMMANDS
back ends and allows the system administrator to change the active
cryptographic policy.
-*fips-mode-setup(8)*::
- This command allows the system administrator to enable, or disable the
- system FIPS mode and also apply the *FIPS* cryptographic policy
- which limits the allowed algorithms and protocols to these allowed by
- the FIPS 140-2 requirements.
-
NOTES
-----
@@ -427,7 +418,7 @@ FILES
SEE ALSO
--------
-update-crypto-policies(8), fips-mode-setup(8)
+update-crypto-policies(8)
AUTHOR
Index: fedora-crypto-policies/python/update-crypto-policies.py
===================================================================
--- fedora-crypto-policies.orig/python/update-crypto-policies.py
+++ fedora-crypto-policies/python/update-crypto-policies.py
@@ -344,16 +344,12 @@ def apply_policy(pconfig, profile=None,
eprint("Warning: Using 'update-crypto-policies --set FIPS' "
"is not sufficient for")
eprint(" FIPS compliance.")
- eprint(" Use 'fips-mode-setup --enable' "
- "command instead.")
elif fips_mode():
eprint("Warning: Using 'update-crypto-policies --set' "
"in FIPS mode will make the system")
eprint(" non-compliant with FIPS.")
eprint(" It can also break "
"the ssh access to the system.")
- eprint(" Use 'fips-mode-setup --disable' "
- "to disable the system FIPS mode.")
if base_dir == DEFAULT_BASE_DIR:
if not os.geteuid() == 0:
++++++ crypto-policies-no-build-manpages.patch ++++++
--- /var/tmp/diff_new_pack.iS424I/_old 2021-10-01 22:29:00.909369808 +0200
+++ /var/tmp/diff_new_pack.iS424I/_new 2021-10-01 22:29:00.913369815 +0200
@@ -1,23 +1,8 @@
-Index: fedora-crypto-policies-master/Makefile
+Index: fedora-crypto-policies/Makefile
===================================================================
---- fedora-crypto-policies-master.orig/Makefile 2020-09-23
08:49:28.000000000 +0200
-+++ fedora-crypto-policies-master/Makefile 2020-11-12 10:00:52.418204054
+0100
-@@ -60,8 +60,8 @@ clean:
- rm -rf output
-
- %: %.txt
-- asciidoc -v -d manpage -b docbook $<
-- xsltproc --nonet -o $@ /etc/asciidoc/docbook-xsl/manpage.xsl [email protected]
-+ # asciidoc -v -d manpage -b docbook $<
-+ # xsltproc --nonet -o $@ /etc/asciidoc/docbook-xsl/manpage.xsl [email protected]
-
- dist:
- rm -rf crypto-policies && git clone . crypto-policies && rm -rf
crypto-policies/.git/ && tar -czf crypto-policies-git$(VERSION).tar.gz
crypto-policies && rm -rf crypto-policies
-Index: fedora-crypto-policies-master
-===================================================================
---- fedora-crypto-policies-master.orig/Makefile
-+++ fedora-crypto-policies-master/Makefile
-@@ -21,9 +21,9 @@ install: $(MANPAGES)
+--- fedora-crypto-policies.orig/Makefile
++++ fedora-crypto-policies/Makefile
+@@ -22,9 +22,9 @@ install: $(MANPAGES)
mkdir -p $(DESTDIR)$(MANDIR)/man7
mkdir -p $(DESTDIR)$(MANDIR)/man8
mkdir -p $(DESTDIR)$(BINDIR)
@@ -30,3 +15,14 @@
mkdir -p $(DESTDIR)$(DIR)/
install -p -m 644 default-config $(DESTDIR)$(DIR)
install -p -m 644 output/reload-cmds.sh $(DESTDIR)$(DIR)
+@@ -106,8 +106,8 @@ clean:
+ rm -rf output
+
+ %: %.txt
+- asciidoc.py -v -d manpage -b docbook $<
+- xsltproc --nonet -o $@ /usr/share/asciidoc/docbook-xsl/manpage.xsl
[email protected]
++ # asciidoc -v -d manpage -b docbook $<
++ # xsltproc --nonet -o $@ /etc/asciidoc/docbook-xsl/manpage.xsl [email protected]
+
+ dist:
+ rm -rf crypto-policies && git clone . crypto-policies && rm -rf
crypto-policies/.git/ && tar -czf crypto-policies-git$(VERSION).tar.gz
crypto-policies && rm -rf crypto-policies
++++++ crypto-policies-test_supported_modules_only.patch ++++++
--- /var/tmp/diff_new_pack.iS424I/_old 2021-10-01 22:29:00.917369823 +0200
+++ /var/tmp/diff_new_pack.iS424I/_new 2021-10-01 22:29:00.921369830 +0200
@@ -1,8 +1,8 @@
-Index: fedora-crypto-policies-master/Makefile
+Index: fedora-crypto-policies/Makefile
===================================================================
---- fedora-crypto-policies-master.orig/Makefile
-+++ fedora-crypto-policies-master/Makefile
-@@ -45,8 +45,6 @@ check:
+--- fedora-crypto-policies.orig/Makefile
++++ fedora-crypto-policies/Makefile
+@@ -56,8 +56,6 @@ check:
tests/openssl.pl
tests/gnutls.pl
tests/nss.py
@@ -10,4 +10,4 @@
- tests/krb5.py
top_srcdir=. tests/update-crypto-policies.sh
- test: check runpylint
+ # Alternative, equivalent ways to write the same policies
++++++ fedora-crypto-policies-20210225.05203d2.tar.gz ->
fedora-crypto-policies-20210917.c9d86d1.tar.gz ++++++
++++ 5686 lines of diff (skipped)
