Hello community,

here is the log from the commit of package yast2-packager for openSUSE:Factory 
checked in at 2018-05-22 16:58:26
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/yast2-packager (Old)
 and      /work/SRC/openSUSE:Factory/.yast2-packager.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "yast2-packager"

Tue May 22 16:58:26 2018 rev:354 rq:610258 version:4.0.63

Changes:
--------
--- /work/SRC/openSUSE:Factory/yast2-packager/yast2-packager.changes    
2018-05-17 19:32:27.913134041 +0200
+++ /work/SRC/openSUSE:Factory/.yast2-packager.new/yast2-packager.changes       
2018-05-22 16:58:27.895860729 +0200
@@ -1,0 +2,8 @@
+Thu May 17 10:51:58 UTC 2018 - lsle...@suse.cz
+
+- Display an error popup when the FIPS compliant mode is active
+  and the "fips" pattern is not available (installing an
+  unregistered system or without the Packages DVD) (bsc#1093060)
+- 4.0.63
+
+-------------------------------------------------------------------

Old:
----
  yast2-packager-4.0.62.tar.bz2

New:
----
  yast2-packager-4.0.63.tar.bz2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ yast2-packager.spec ++++++
--- /var/tmp/diff_new_pack.UykP2i/_old  2018-05-22 16:58:28.435841083 +0200
+++ /var/tmp/diff_new_pack.UykP2i/_new  2018-05-22 16:58:28.439840937 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           yast2-packager
-Version:        4.0.62
+Version:        4.0.63
 Release:        0
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

++++++ yast2-packager-4.0.62.tar.bz2 -> yast2-packager-4.0.63.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/yast2-packager-4.0.62/package/yast2-packager.changes 
new/yast2-packager-4.0.63/package/yast2-packager.changes
--- old/yast2-packager-4.0.62/package/yast2-packager.changes    2018-05-16 
16:38:04.000000000 +0200
+++ new/yast2-packager-4.0.63/package/yast2-packager.changes    2018-05-18 
11:28:37.000000000 +0200
@@ -1,4 +1,12 @@
 -------------------------------------------------------------------
+Thu May 17 10:51:58 UTC 2018 - lsle...@suse.cz
+
+- Display an error popup when the FIPS compliant mode is active
+  and the "fips" pattern is not available (installing an
+  unregistered system or without the Packages DVD) (bsc#1093060)
+- 4.0.63
+
+-------------------------------------------------------------------
 Wed May 16 11:35:45 UTC 2018 - lsle...@suse.cz
 
 - Fixed argument handling in the .desktop file for the
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/yast2-packager-4.0.62/package/yast2-packager.spec 
new/yast2-packager-4.0.63/package/yast2-packager.spec
--- old/yast2-packager-4.0.62/package/yast2-packager.spec       2018-05-16 
16:38:04.000000000 +0200
+++ new/yast2-packager-4.0.63/package/yast2-packager.spec       2018-05-18 
11:28:37.000000000 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           yast2-packager
-Version:        4.0.62
+Version:        4.0.63
 Release:        0
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/yast2-packager-4.0.62/src/modules/Packages.rb 
new/yast2-packager-4.0.63/src/modules/Packages.rb
--- old/yast2-packager-4.0.62/src/modules/Packages.rb   2018-05-16 
16:38:04.000000000 +0200
+++ new/yast2-packager-4.0.63/src/modules/Packages.rb   2018-05-18 
11:28:37.000000000 +0200
@@ -2422,18 +2422,42 @@
         end
       end
 
-      # FIPS pattern
-      if (Linuxrc.InstallInf("Cmdline") || "").split.include?("fips=1")
-        fips_pattern = "fips"
-        if !Pkg.ResolvableProperties(fips_pattern, :pattern, "").empty?
-          log.info "fips=1 boot option detected, adding '#{fips_pattern}' 
pattern"
-          pattern_list << fips_pattern
-        end
+      # is the FIPS compliant mode enabled?
+      return pattern_list unless File.exist?(FIPS_FILE) && 
File.read(FIPS_FILE).chomp == "1"
+
+      # install the FIPS pattern when the FIPS mode is enabled
+      # see https://en.wikipedia.org/wiki/FIPS_140-2 for more details
+      if Pkg.ResolvableProperties(FIPS_PATTERN, :pattern, "").empty?
+        # TRANSLATORS: error popup, use at most 70 characters per line
+        # the %{fips_option} string is replaced by the FIPS boot option 
("fips=1"),
+        # the %{fips_pattern} is replaced by the FIPS pattern name ("fips").
+        Report.Error(_("The FIPS compliant mode has been enabled\n" \
+          "but the '%{fips_pattern}' pattern is not available to install.\n\n" 
\
+          "The installation will very likely fail and the installed system\n" \
+          "might not work properly.\n\n" \
+          "Either add an additional software repository providing\n" \
+          "the '%{fips_pattern}' pattern or reboot the installation\n"\
+          "without the '%{fips_option}' boot option.") %
+            { fips_option: FIPS_BOOT_OPTION, fips_pattern: FIPS_PATTERN })
+      else
+        log.info "#{FIPS_BOOT_OPTION} boot option detected, adding 
'#{FIPS_PATTERN}' pattern"
+        pattern_list << FIPS_PATTERN
       end
 
       pattern_list
     end
 
+    # the name of the FIPS pattern
+    FIPS_PATTERN = "fips".freeze
+    # the kernel boot option which activates the FIPS behavior
+    FIPS_BOOT_OPTION = "fips=1".freeze
+    # the kernel file indicating whether the FIPS mode is supported and active
+    # - if the kernel does not support the FIPS mode the file does not exist 
(openSUSE)
+    # - if the kernel supports the FIPS mode the file exists (SLES)
+    #   - if the FIPS mode is not active "0\n" is read
+    #   - if the FIPS mode is active "1\n" is read
+    FIPS_FILE = "/proc/sys/crypto/fips_enabled".freeze
+
     # Log only resolvables with resolvable["status"] matching these below
     LOG_RESOLVABLE_STATUS = [:selected, :removed].freeze
 
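Review bot: The info log in the `else` branch still says "boot option detected", but the decision is now taken from `FIPS_FILE`, so the message no longer describes what was checked; something like `log.info "FIPS mode is active (#{FIPS_FILE}), adding '#{FIPS_PATTERN}' pattern"` would match. The guard `return pattern_list unless File.exist?(FIPS_FILE) && ...` also returns from the middle of the method, so any pattern handling added below it later would be skipped on systems without FIPS; a small predicate such as `fips_enabled?` used in an `if` would keep the flow linear. In the branch where the pattern is missing, the visible lines only call `Report.Error` and then return the list unchanged. Whether that call also writes to the log is not visible here, so an explicit `log.error` naming the missing pattern would make an installation that proceeded without the FIPS packages traceable afterwards. The method begins above this hunk.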
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/yast2-packager-4.0.62/test/packages_test.rb 
new/yast2-packager-4.0.63/test/packages_test.rb
--- old/yast2-packager-4.0.62/test/packages_test.rb     2018-05-16 
16:38:04.000000000 +0200
+++ new/yast2-packager-4.0.63/test/packages_test.rb     2018-05-18 
11:28:37.000000000 +0200
@@ -478,13 +478,20 @@
           .with("fips", :pattern, "").and_return([{ "name" => "fips" }])
       end
 
-      it "adds 'fips' pattern if fips=1 boot parameter is used" do
-        expect(Yast::Linuxrc).to 
receive(:InstallInf).with("Cmdline").and_return("foo fips=1 bar")
+      it "adds 'fips' pattern if the FIPS mode is active" do
+        expect(File).to 
receive(:exist?).with("/proc/sys/crypto/fips_enabled").and_return(true)
+        expect(File).to 
receive(:read).with("/proc/sys/crypto/fips_enabled").and_return("1\n")
         expect(Yast::Packages.ComputeSystemPatternList).to include("fips")
       end
 
-      it "does not add 'fips' pattern if fips=1 boot parameter is not used" do
-        expect(Yast::Linuxrc).to 
receive(:InstallInf).with("Cmdline").and_return("foo bar")
+      it "does not add 'fips' pattern if the FIPS mode is not active" do
+        expect(File).to 
receive(:exist?).with("/proc/sys/crypto/fips_enabled").and_return(true)
+        expect(File).to 
receive(:read).with("/proc/sys/crypto/fips_enabled").and_return("0\n")
+        expect(Yast::Packages.ComputeSystemPatternList).to_not include("fips")
+      end
+
+      it "does not add 'fips' pattern if the FIPS mode is not supported" do
+        expect(File).to 
receive(:exist?).with("/proc/sys/crypto/fips_enabled").and_return(false)
         expect(Yast::Packages.ComputeSystemPatternList).to_not include("fips")
       end
     end
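Review bot: The `expect(File).to receive(:exist?).with("/proc/sys/crypto/fips_enabled")` lines constrain every `File.exist?` call made while the example runs, so a call with any other path inside `ComputeSystemPatternList` (not visible here) would fail the example for an unrelated reason. Adding `allow(File).to receive(:exist?).and_call_original` before the specific stub avoids that, and the same holds for `File.read`. These stubs are setup rather than assertions, so `allow` reads better than `expect`, particularly in the `before` blocks of the following hunk (`@@ -494,16 +501,41 @@`). The path literal is repeated in every example of both hunks; referring to the new `FIPS_FILE` constant instead would keep the tests in step with the code. The enclosing `describe`/`context` blocks start outside the hunk.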
@@ -494,16 +501,41 @@
         allow_any_instance_of(Yast::ProductPatterns).to 
receive(:names).and_return([])
         allow(Yast::Pkg).to receive(:ResolvableProperties)
           .with("fips", :pattern, "").and_return([])
+        allow(Yast::Report).to receive(:Error)
       end
 
-      it "does not add 'fips' pattern if fips=1 boot parameter is used" do
-        expect(Yast::Linuxrc).to 
receive(:InstallInf).with("Cmdline").and_return("foo fips=1 bar")
-        expect(Yast::Packages.ComputeSystemPatternList).to_not include("fips")
+      context "kernel does not support the FIPS mode" do
+        before do
+          expect(File).to 
receive(:exist?).with("/proc/sys/crypto/fips_enabled").and_return(false)
+        end
+
+        it "does not report an error if the FIPS mode is not supported" do
+          expect(Yast::Report).to_not receive(:Error)
+          Yast::Packages.ComputeSystemPatternList
+        end
       end
 
-      it "does not add 'fips' pattern if fips=1 boot parameter is not used" do
-        expect(Yast::Linuxrc).to 
receive(:InstallInf).with("Cmdline").and_return("foo bar")
-        expect(Yast::Packages.ComputeSystemPatternList).to_not include("fips")
+      context "kernel supports the FIPS mode" do
+        before do
+          expect(File).to 
receive(:exist?).with("/proc/sys/crypto/fips_enabled").and_return(true)
+        end
+
+        it "does not report an error if the FIPS mode is not active" do
+          expect(File).to 
receive(:read).with("/proc/sys/crypto/fips_enabled").and_return("0\n")
+          expect(Yast::Report).to_not receive(:Error)
+          Yast::Packages.ComputeSystemPatternList
+        end
+
+        it "reports an error if the FIPS mode is active" do
+          expect(File).to 
receive(:read).with("/proc/sys/crypto/fips_enabled").and_return("1\n")
+          expect(Yast::Report).to receive(:Error).with(/the 'fips' pattern is 
not available/)
+          Yast::Packages.ComputeSystemPatternList
+        end
+
+        it "does not add 'fips' pattern if the FIPS mode is active" do
+          expect(File).to 
receive(:read).with("/proc/sys/crypto/fips_enabled").and_return("1\n")
+          expect(Yast::Packages.ComputeSystemPatternList).to_not 
include("fips")
+        end
       end
     end
   end

