Re: RHEL, Centos, Fedora rpm 9.14.6
Hello Jóhann, I am packager of BIND in RHEL and Fedora. I would like everyone would use our BIND packages. But we have some modifications, as was already mentioned. Some of them are important for FreeIPA to work, some provide bind-sdb build to use SDB features. Also some other changes that bound dhcp package to bind libraries. The story short, our package is mostly the same, but with nontrivial differences. On 9/30/19 1:11 PM, Jóhann B. Guðmundsson wrote: https://www.five-ten-sg.com/mapper/bind contains links to the source rpms, and build instructions. Bind is already package and maintained in Fedora [1] and derivatives as well as ISC having it's ownspecific copr repo [2] in addition to that. Copr exist to overcome limitation in RHEL/CentOS as in RHEL/CentOS consumer wanting newer release then what's available in RHEL/CentOS while Fedora packages residing in copr repo would under normal circumstance only be needed to provide early testing of branches not yet suitable for rawhide ( read as 9.15.x branch of Bind would be made available in copr for Fedora while 9.14.x is what should be shipped in $CURRENT Fedora releases ). Copr is used also for Fedora, usually testing rebases or preparing packages that would not be useful for general audience. Or not yet ready in good enough quality. It is used for example for my build of 9.14 [3]. Unfortunately my build fails to run on both normal variant and bind-pkcs11, which FreeIPA requires. Until I fix it, new version would not be in Fedora. And bind-sdb variant is turned off as well. Now the fact that the copr repo contains newer release of Bind compared to what's currently being shipped in Fedora indicates that there is some friction between the Fedora maintainer ( which in this case seems to be a Red Hat employee not an upstream ISC maintainer ) and ISC community about maintaining Bind in the distribution. I hope there is no friction. I admit I had not enough time to finish rebase of 9.14, Fedora still contains last 9.11 release. We decided long ago to use bind dynamic libraries from DHCP. However, support for singlethread libraries was dropped in 9.13. Sharing these libraries was intended to save our maintenance for separate libraries. But now it proved opossite. That was changed in Fedora 30, where dhcp again uses original bind library shipped by ISC with it. Now just PKCS11 and SDB variants are blocking new version. Unfortunately, I am busy with some internal tasks, so I still had not time to switch onto BIND 9.14 in Fedora, not even in Rawhide. Sorry for that. That is all my fault, ISC is not involved anyhow. On the other hand, having vanilla ISC package available is good. I can test issues in vanilla ISC package and compare them to Fedora package. I have plans to reduce differences to necessary minimum. But have more important tasks for RHEL now. Sorry for keeping you waiting. It is on my TODO list. That said removing patches implemented by Red Hat for Fedora or it's derivative ( RHEL/CentOS etc ) is usually not a smart thing to do and or not working with upstream community ( ISC ) to provide and help maintain releases for specific platform or downstream distribution in a package repository maintained by ISC and it's community ( be it a copr repo or repository hosted under the isc domain ) will only cause confusion and frustration of consumers of ISC components at the cost of the upstream/downstream community surrounding the relevant components. That said and given that there is no rocket science involved with removing patches and building packages I ask... Well, this is more on side of Red Hat adding those patches on top of ISC sources. I already mentioned few features that needs them. In general, we at Red Hat try to push as much changes upstream as possible. BIND is not great example, as its customization contains lot of changes. And we support more combinations for each build. That also complicates new builds. What's the purpose with these builds, what problems do they solve which are unsolvable with upstream ( ISC ) or downstream ( Fedora/RHEL/CentOS ) and why announcing you are building it and how long are you intending to supporting those builds ( encase someone decides to use those builds instead of ISC or downstream distribution maintained ones )? I think its purpose is to support just their own bugs, not Red Hat bugs. And to provide ready to use packages soon after release. It is more difficult for me to follow. As soon as normal variant is able to support both SDB and PKCS11 variant by configuration/plugin, it should be easier to maintain and release new version. I think we have an agreement in that with ISC developers. Regards Jóhann B. 1. https://koji.fedoraproject.org/koji/packageinfo?packageID=314 2. https://copr.fedorainfracloud.org/coprs/isc/ Regards, Petr 3. https://copr.fedorainfracloud.org/coprs/pemensik/bind-9.14/ -- Petr Menšík
Re: RHEL, Centos, Fedora rpm 9.14.6
> On Sep 30, 2019, at 7:08 AM, Lightner, Jeffrey > wrote: > > I can't speak for him but will say Carl has been providing these packages and > announcing them on this list for quite some time now and it is valuable to > those who would like to use later upstream packages on RHEL/CentOS/Fedora. > I would like to add that ISC very much appreciates Carl’s work over the years packaging BIND for CentOS users. He has been meticulous about updating his packages promptly every time we have a CVE and I expect quite a few users have come to rely on his packages. ISC only recently began providing packages. I reached out to Carl at the time we were planning the ISC packages for advice, because of his experience. > What's the purpose with these builds, what problems do they solve which are > unsolvable with upstream ( ISC ) or downstream ( Fedora/RHEL/CentOS > ) and why announcing you are building it and how long are you intending to > supporting those builds ( encase someone decides to use those builds instead > of ISC or downstream distribution maintained ones )? The ISC packages are different from Carl’s CentOS package and the official RedHat packages in several ways: - the ISC packages start from the ISC tarball, and do not incorporate any additional downstream RedHat bug fixes. (I believe Carl’s packages are also built this way.) ISC can’t support the RedHat packages because they have different code, and different bugs from the official ISC releases. - the ISC packages provide the most up to date BIND versions. The RedHat support policy does not allow them to update applications in a stable OS branch. This is why they cherry-pick things to backport, as Jeffrey explained, but this approach has its limits. (Carl’s packages are up to date, of course.) - the ISC packages specifically incorporate the additional dependencies required to enable dnstap support. (I don’t know whether Carl’s packages incorporate this or not) ISC also has respect for and a good relationship with the RedHat team that maintains BIND in the RedHat distribution. We each have our own user base we are responsible for, and we each have different policies about what sort of changes we allow in a stable branch. It is a good thing there are several distributions to choose from when deciding on a BIND package. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: RHEL, Centos, Fedora rpm 9.14.6
I can't speak for him but will say Carl has been providing these packages and announcing them on this list for quite some time now and it is valuable to those who would like to use later upstream packages on RHEL/CentOS/Fedora. RHEL's model (and therefore CentOS') is to start with a base upstream package of BIND (and most other packages) tied to their major release then modify it to work with the other packages in that release. They then backport bug and security fixes from later upstream into their base and put extended versioning on that package so you'll know both the upstream from which it was initially derived and the specific build they later did. Using the extended versioning one can learn specifically what has changed (e.g. what CVEs are addressed). Despite using RHEL or CentOS some people prefer to roll their own using later (or the latest) upstream versions of BIND. Carl is providing packages to allow for that. CentOS releases are built based on the source code RedHat provides for their releases. CentOS is actually maintained by RedHat as of couple of years back. RedHat offers paid subscriptions/support for RHEL but not for CentOS. There is the Fedora EPEL that offers packages or upstream version higher than those shipped with RHEL/CentOS. The packages in the EPEL are designed to work on RHEL/CentOS but are not supported (directly) by RedHat on RHEL. Fedora is a bleeding edge distro in the RedHat ecosystem. It is used as a test bed for much of what later goes into RHEL. It is also maintained but by RedHat but again there is no paid subscription/support for it. They do 2 major releases per year so would often have the latest upstream package. -Original Message- From: bind-users On Behalf Of Jóhann B. Guðmundsson Sent: Monday, September 30, 2019 7:11 AM To: bind-users@lists.isc.org Subject: Re: RHEL, Centos, Fedora rpm 9.14.6 > https://www.five-ten-sg.com/mapper/bind contains links to the source > rpms, and build instructions. Bind is already package and maintained in Fedora [1] and derivatives as well as ISC having it's ownspecific copr repo [2] in addition to that. Copr exist to overcome limitation in RHEL/CentOS as in RHEL/CentOS consumer wanting newer release then what's available in RHEL/CentOS while Fedora packages residing in copr repo would under normal circumstance only be needed to provide early testing of branches not yet suitable for rawhide ( read as 9.15.x branch of Bind would be made available in copr for Fedora while 9.14.x is what should be shipped in $CURRENT Fedora releases ). Now the fact that the copr repo contains newer release of Bind compared to what's currently being shipped in Fedora indicates that there is some friction between the Fedora maintainer ( which in this case seems to be a Red Hat employee not an upstream ISC maintainer ) and ISC community about maintaining Bind in the distribution. That said removing patches implemented by Red Hat for Fedora or it's derivative ( RHEL/CentOS etc ) is usually not a smart thing to do and or not working with upstream community ( ISC ) to provide and help maintain releases for specific platform or downstream distribution in a package repository maintained by ISC and it's community ( be it a copr repo or repository hosted under the isc domain ) will only cause confusion and frustration of consumers of ISC components at the cost of the upstream/downstream community surrounding the relevant components. That said and given that there is no rocket science involved with removing patches and building packages I ask... What's the purpose with these builds, what problems do they solve which are unsolvable with upstream ( ISC ) or downstream ( Fedora/RHEL/CentOS ) and why announcing you are building it and how long are you intending to supporting those builds ( encase someone decides to use those builds instead of ISC or downstream distribution maintained ones )? Regards Jóhann B. 1. https://koji.fedoraproject.org/koji/packageinfo?packageID=314 2. https://copr.fedorainfracloud.org/coprs/isc/ ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: RHEL, Centos, Fedora rpm 9.14.6
https://www.five-ten-sg.com/mapper/bind contains links to the source rpms, and build instructions. Bind is already package and maintained in Fedora [1] and derivatives as well as ISC having it's ownspecific copr repo [2] in addition to that. Copr exist to overcome limitation in RHEL/CentOS as in RHEL/CentOS consumer wanting newer release then what's available in RHEL/CentOS while Fedora packages residing in copr repo would under normal circumstance only be needed to provide early testing of branches not yet suitable for rawhide ( read as 9.15.x branch of Bind would be made available in copr for Fedora while 9.14.x is what should be shipped in $CURRENT Fedora releases ). Now the fact that the copr repo contains newer release of Bind compared to what's currently being shipped in Fedora indicates that there is some friction between the Fedora maintainer ( which in this case seems to be a Red Hat employee not an upstream ISC maintainer ) and ISC community about maintaining Bind in the distribution. That said removing patches implemented by Red Hat for Fedora or it's derivative ( RHEL/CentOS etc ) is usually not a smart thing to do and or not working with upstream community ( ISC ) to provide and help maintain releases for specific platform or downstream distribution in a package repository maintained by ISC and it's community ( be it a copr repo or repository hosted under the isc domain ) will only cause confusion and frustration of consumers of ISC components at the cost of the upstream/downstream community surrounding the relevant components. That said and given that there is no rocket science involved with removing patches and building packages I ask... What's the purpose with these builds, what problems do they solve which are unsolvable with upstream ( ISC ) or downstream ( Fedora/RHEL/CentOS ) and why announcing you are building it and how long are you intending to supporting those builds ( encase someone decides to use those builds instead of ISC or downstream distribution maintained ones )? Regards Jóhann B. 1. https://koji.fedoraproject.org/koji/packageinfo?packageID=314 2. https://copr.fedorainfracloud.org/coprs/isc/ ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RHEL, Centos, Fedora rpm 9.14.6
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 https://www.five-ten-sg.com/mapper/bind contains links to the source rpms, and build instructions. -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.14 (GNU/Linux) iEYEAREKAAYFAl2Q8rYACgkQL6j7milTFsHbqQCfW4iTTxaJUcvuRphFj5ALnctC fjcAniCHtMwZSrTSbGExD4FklCgV2mG3 =+eHj -END PGP SIGNATURE- ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users