Hello community, here is the log from the commit of package yast2-packager for openSUSE:Factory checked in at 2018-05-22 16:58:26 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/yast2-packager (Old) and /work/SRC/openSUSE:Factory/.yast2-packager.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yast2-packager" Tue May 22 16:58:26 2018 rev:354 rq:610258 version:4.0.63 Changes: -------- --- /work/SRC/openSUSE:Factory/yast2-packager/yast2-packager.changes 2018-05-17 19:32:27.913134041 +0200 +++ /work/SRC/openSUSE:Factory/.yast2-packager.new/yast2-packager.changes 2018-05-22 16:58:27.895860729 +0200 @@ -1,0 +2,8 @@ +Thu May 17 10:51:58 UTC 2018 - lsle...@suse.cz + +- Display an error popup when the FIPS compliant mode is active + and the "fips" pattern is not available (installing an + unregistered system or without the Packages DVD) (bsc#1093060) +- 4.0.63 + +------------------------------------------------------------------- Old: ---- yast2-packager-4.0.62.tar.bz2 New: ---- yast2-packager-4.0.63.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ yast2-packager.spec ++++++ --- /var/tmp/diff_new_pack.UykP2i/_old 2018-05-22 16:58:28.435841083 +0200 +++ /var/tmp/diff_new_pack.UykP2i/_new 2018-05-22 16:58:28.439840937 +0200 @@ -17,7 +17,7 @@ Name: yast2-packager -Version: 4.0.62 +Version: 4.0.63 Release: 0 BuildRoot: %{_tmppath}/%{name}-%{version}-build ++++++ yast2-packager-4.0.62.tar.bz2 -> yast2-packager-4.0.63.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-packager-4.0.62/package/yast2-packager.changes new/yast2-packager-4.0.63/package/yast2-packager.changes --- old/yast2-packager-4.0.62/package/yast2-packager.changes 2018-05-16 16:38:04.000000000 +0200 +++ new/yast2-packager-4.0.63/package/yast2-packager.changes 2018-05-18 11:28:37.000000000 +0200 
@@ -1,4 +1,12 @@ ------------------------------------------------------------------- +Thu May 17 10:51:58 UTC 2018 - lsle...@suse.cz + +- Display an error popup when the FIPS compliant mode is active + and the "fips" pattern is not available (installing an + unregistered system or without the Packages DVD) (bsc#1093060) +- 4.0.63 + +------------------------------------------------------------------- Wed May 16 11:35:45 UTC 2018 - lsle...@suse.cz - Fixed argument handling in the .desktop file for the diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-packager-4.0.62/package/yast2-packager.spec new/yast2-packager-4.0.63/package/yast2-packager.spec --- old/yast2-packager-4.0.62/package/yast2-packager.spec 2018-05-16 16:38:04.000000000 +0200 +++ new/yast2-packager-4.0.63/package/yast2-packager.spec 2018-05-18 11:28:37.000000000 +0200 @@ -17,7 +17,7 @@ Name: yast2-packager -Version: 4.0.62 +Version: 4.0.63 Release: 0 BuildRoot: %{_tmppath}/%{name}-%{version}-build diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-packager-4.0.62/src/modules/Packages.rb new/yast2-packager-4.0.63/src/modules/Packages.rb --- old/yast2-packager-4.0.62/src/modules/Packages.rb 2018-05-16 16:38:04.000000000 +0200 +++ new/yast2-packager-4.0.63/src/modules/Packages.rb 2018-05-18 11:28:37.000000000 +0200 
@@ -2422,18 +2422,42 @@ end end - # FIPS pattern - if (Linuxrc.InstallInf("Cmdline") || "").split.include?("fips=1") - fips_pattern = "fips" - if !Pkg.ResolvableProperties(fips_pattern, :pattern, "").empty? - log.info "fips=1 boot option detected, adding '#{fips_pattern}' pattern" - pattern_list << fips_pattern - end + # is the FIPS compliant mode enabled? + return pattern_list unless File.exist?(FIPS_FILE) && File.read(FIPS_FILE).chomp == "1" + + # install the FIPS pattern when the FIPS mode is enabled + # see https://en.wikipedia.org/wiki/FIPS_140-2 for more details + if Pkg.ResolvableProperties(FIPS_PATTERN, :pattern, "").empty? + # TRANSLATORS: error popup, use at most 70 characters per line + # the %{fips_option} string is replaced by the FIPS boot option ("fips=1"), + # the %{fips_pattern} is replaced by the FIPS pattern name ("fips"). + Report.Error(_("The FIPS compliant mode has been enabled\n" \ + "but the '%{fips_pattern}' pattern is not available to install.\n\n" \ + "The installation will very likely fail and the installed system\n" \ + "might not work properly.\n\n" \ + "Either add an additional software repository providing\n" \ + "the '%{fips_pattern}' pattern or reboot the installation\n"\ + "without the '%{fips_option}' boot option.") % + { fips_option: FIPS_BOOT_OPTION, fips_pattern: FIPS_PATTERN }) + else + log.info "#{FIPS_BOOT_OPTION} boot option detected, adding '#{FIPS_PATTERN}' pattern" + pattern_list << FIPS_PATTERN end pattern_list end + # the name of the FIPS pattern + FIPS_PATTERN = "fips".freeze + # the kernel boot option which activates the FIPS behavior + FIPS_BOOT_OPTION = "fips=1".freeze + # the kernel file indicating whether the FIPS mode is supported and active + # - if the kernel does not support the FIPS mode the file does not exist (openSUSE) + # - if the kernel supports the FIPS mode the file exists (SLES) + # - if the FIPS mode is not active "0\n" is read + # - if the FIPS mode is active "1\n" is read + FIPS_FILE = 
"/proc/sys/crypto/fips_enabled".freeze + # Log only resolvables with resolvable["status"] matching these below LOG_RESOLVABLE_STATUS = [:selected, :removed].freeze diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-packager-4.0.62/test/packages_test.rb new/yast2-packager-4.0.63/test/packages_test.rb --- old/yast2-packager-4.0.62/test/packages_test.rb 2018-05-16 16:38:04.000000000 +0200 +++ new/yast2-packager-4.0.63/test/packages_test.rb 2018-05-18 11:28:37.000000000 +0200 @@ -478,13 +478,20 @@ .with("fips", :pattern, "").and_return([{ "name" => "fips" }]) end - it "adds 'fips' pattern if fips=1 boot parameter is used" do - expect(Yast::Linuxrc).to receive(:InstallInf).with("Cmdline").and_return("foo fips=1 bar") + it "adds 'fips' pattern if the FIPS mode is active" do + expect(File).to receive(:exist?).with("/proc/sys/crypto/fips_enabled").and_return(true) + expect(File).to receive(:read).with("/proc/sys/crypto/fips_enabled").and_return("1\n") expect(Yast::Packages.ComputeSystemPatternList).to include("fips") end - it "does not add 'fips' pattern if fips=1 boot parameter is not used" do - expect(Yast::Linuxrc).to receive(:InstallInf).with("Cmdline").and_return("foo bar") + it "does not add 'fips' pattern if the FIPS mode is not active" do + expect(File).to receive(:exist?).with("/proc/sys/crypto/fips_enabled").and_return(true) + expect(File).to receive(:read).with("/proc/sys/crypto/fips_enabled").and_return("0\n") + expect(Yast::Packages.ComputeSystemPatternList).to_not include("fips") + end + + it "does not add 'fips' pattern if the FIPS mode is not supported" do + expect(File).to receive(:exist?).with("/proc/sys/crypto/fips_enabled").and_return(false) expect(Yast::Packages.ComputeSystemPatternList).to_not include("fips") end end 
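Review bot: The `log.info` line in the else branch still reports `#{FIPS_BOOT_OPTION} boot option detected`, but the new guard no longer inspects the boot command line; it reads `FIPS_FILE`. For a compliance-relevant decision the log should name what was actually checked, e.g. `log.info "FIPS mode is active (#{FIPS_FILE}), adding '#{FIPS_PATTERN}' pattern"`. In the branch where the pattern is missing, the method still returns `pattern_list` without it after `Report.Error`, so the installation can continue in FIPS mode without the pattern. Whether that popup blocks or times out in an unattended installation is not visible in this hunk and is worth confirming. The enclosing method starts outside the hunk.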
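Review bot: The examples stub the kernel file with strict `expect(File).to receive(:exist?).with("/proc/sys/crypto/fips_enabled")` expectations, and the following test hunk (`@@ -494,16 +501,41 @@`) does the same inside `before` blocks. Any other `File.exist?` or `File.read` call made while `ComputeSystemPatternList` runs would then fail with an unexpected-arguments error, and an `expect` in `before` asserts rather than stubs. Prefer `allow(File).to receive(:exist?).and_call_original` followed by `allow(File).to receive(:exist?).with(fips_file).and_return(true)`, and the same pair for `File.read`. A `let(:fips_file)` would also keep the path literal in one place. The surrounding `describe`/`context` blocks start outside the hunk.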
@@ -494,16 +501,41 @@ allow_any_instance_of(Yast::ProductPatterns).to receive(:names).and_return([]) allow(Yast::Pkg).to receive(:ResolvableProperties) .with("fips", :pattern, "").and_return([]) + allow(Yast::Report).to receive(:Error) end - it "does not add 'fips' pattern if fips=1 boot parameter is used" do - expect(Yast::Linuxrc).to receive(:InstallInf).with("Cmdline").and_return("foo fips=1 bar") - expect(Yast::Packages.ComputeSystemPatternList).to_not include("fips") + context "kernel does not support the FIPS mode" do + before do + expect(File).to receive(:exist?).with("/proc/sys/crypto/fips_enabled").and_return(false) + end + + it "does not report an error if the FIPS mode is not supported" do + expect(Yast::Report).to_not receive(:Error) + Yast::Packages.ComputeSystemPatternList + end end - it "does not add 'fips' pattern if fips=1 boot parameter is not used" do - expect(Yast::Linuxrc).to receive(:InstallInf).with("Cmdline").and_return("foo bar") - expect(Yast::Packages.ComputeSystemPatternList).to_not include("fips") + context "kernel supports the FIPS mode" do + before do + expect(File).to receive(:exist?).with("/proc/sys/crypto/fips_enabled").and_return(true) + end + + it "does not report an error if the FIPS mode is not active" do + expect(File).to receive(:read).with("/proc/sys/crypto/fips_enabled").and_return("0\n") + expect(Yast::Report).to_not receive(:Error) + Yast::Packages.ComputeSystemPatternList + end + + it "reports an error if the FIPS mode is active" do + expect(File).to receive(:read).with("/proc/sys/crypto/fips_enabled").and_return("1\n") + expect(Yast::Report).to receive(:Error).with(/the 'fips' pattern is not available/) + Yast::Packages.ComputeSystemPatternList + end + + it "does not add 'fips' pattern if the FIPS mode is active" do + expect(File).to receive(:read).with("/proc/sys/crypto/fips_enabled").and_return("1\n") + expect(Yast::Packages.ComputeSystemPatternList).to_not include("fips") + end end end end