Re: compat-openssl11 vs openssl1.1

2020-09-16 Thread Tomas Mraz
On Tue, 2020-09-15 at 19:33 +0200, Miro Hrončok wrote: > On 15. 09. 20 19:26, Tomas Mraz wrote: > > What is more important? Consistency between those two compat > > packages > > or strictly following the naming rules for the new package? > > Why not both? I.e

compat-openssl11 vs openssl1.1

2020-09-15 Thread Tomas Mraz
Hi Fedora developers, we need to introduce temporarily a compat package for OpenSSL as it is going to be rebased to the 3.0 version in Rawhide once the 3.0 release is stable. The 3.0 version should not break API from the 1.1.1, it just breaks the ABI, so rebuilds should be quite easy. Of course

Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-04-16 Thread Tomas Mraz
On Wed, 2020-04-15 at 10:02 -0500, Michael Catanzaro wrote: > On Wed, Apr 15, 2020 at 1:38 pm, Florian Weimer > wrote: > > Not sure if that's compatible with the new split DNS model because > > VPN1 > > could simply start pushing longer names in the scope of VPN2, thus > > hijacking internal

Re: Fedora 33 System-Wide Change proposal: OpenSSL 3.0

2020-04-08 Thread Tomas Mraz
On Wed, 2020-04-08 at 10:38 +0200, Miro Hrončok wrote: > On 07. 04. 20 23:31, Ben Cotton wrote: > > * Proposal owners: Provide a compat-openssl11 package, identify > > dependent packages, provide the rebased openssl package, work with > > dependent package owners on rebuilds. > > Thanks for doing

Re: Heads up: OpenSSL-1.1.1e coming to Rawhide

2020-03-26 Thread Tomas Mraz
On Thu, 2020-03-26 at 17:11 +0100, Miro Hrončok wrote: > On 26. 03. 20 17:07, Tomas Mraz wrote: > > On Wed, 2020-03-25 at 09:34 +0100, Miro Hrončok wrote: > > > On 24. 03. 20 13:22, Tomas Mraz wrote: > > > > Most probably we will revert this > > >

Re: Heads up: OpenSSL-1.1.1e coming to Rawhide

2020-03-26 Thread Tomas Mraz
On Wed, 2020-03-25 at 09:34 +0100, Miro Hrončok wrote: > On 24. 03. 20 13:22, Tomas Mraz wrote: > > Most probably we will revert this > > change in upstream 1.1.1 branch and I will update the rawhide build > > with the revert patch as well. > > Can this please happ

Re: Heads up: OpenSSL-1.1.1e coming to Rawhide

2020-03-24 Thread Tomas Mraz
On Tue, 2020-03-24 at 09:52 -0400, Charalampos Stratakis wrote: > > - Original Message - > > From: "Tomas Mraz" > > To: "Miro Hrončok" , "Development discussions > > related to Fedora" > > Cc: "python-maint"

Re: Heads up: OpenSSL-1.1.1e coming to Rawhide

2020-03-24 Thread Tomas Mraz
On Sun, 2020-03-22 at 17:29 +0100, Miro Hrončok wrote: > On 19. 03. 20 17:31, Tomas Mraz wrote: > > The new openssl-1.1.1e is coming to Rawhide. > > > > It reports premature EOF/improper shutdown on TLS connections more > > properly. However this might make some d

Heads up: OpenSSL-1.1.1e coming to Rawhide

2020-03-19 Thread Tomas Mraz
The new openssl-1.1.1e is coming to Rawhide. It reports premature EOF/improper shutdown on TLS connections more properly. However this might make some dependencies broken in build tests (such as Ruby). As I would like to eventually update the openssl also on stable branches because it brings

Re: Python 2 exodus is happening now

2019-11-19 Thread Tomas Mraz
On Fri, 2019-11-15 at 02:02 +0100, Miro Hrončok wrote: > system-config-rootpassword Fixed to use python3 in system-config-rootpassword-1.99.6-21.fc32, please do not retire. -- Tomáš Mráz No matter how far down the wrong road you've gone, turn back.

compat-openssl10 is now orphaned

2019-08-05 Thread Tomas Mraz
This is just an announcement that the compat-openssl10 package is now orphaned. -- Tomáš Mráz No matter how far down the wrong road you've gone, turn back. Turkish proverb [You'll know whether the road is wrong if you carefully listen to your

Re: Fedora 31 Self-Contained Change proposal: Limit Scriptlet Usage of core packages

2019-07-04 Thread Tomas Mraz
On Thu, 2019-07-04 at 09:03 -0700, Adam Williamson wrote: > On Thu, 2019-07-04 at 11:38 +0200, Tomas Mraz wrote: > > OK, let's talk about concrete package: crypto-policies needs to run > > update-crypto-policies --no-check >/dev/null > > > > It currently does it

Re: Fedora 31 Self-Contained Change proposal: Limit Scriptlet Usage of core packages

2019-07-04 Thread Tomas Mraz
On Mon, 2019-07-01 at 17:18 -0400, James Antill wrote: > On Mon, 2019-07-01 at 17:03 -0400, Robbie Harwood wrote: > > Ben Cotton writes: > > > > > == Detailed Description == > > > > > > Currently we know how to make an installable OS with packages > > > that > > > doesn't require the use of

Re: Fedora 31 System-Wide Change proposal: Switch RPMs to zstd compression

2019-06-25 Thread Tomas Mraz
On Tue, 2019-06-25 at 07:16 -0400, Nico Kadel-Garcia wrote: > On Wed, Jun 19, 2019 at 9:31 AM Panu Matilainen > wrote: > > On 6/19/19 1:51 PM, Aleš Matěj wrote: > > > > At this point, the drpm library is the only blocker for zstd > > > > payloads, > > > > since createrepo_c needs to be able to

Re: F31 Self-Contained Change proposal: Custom Crypto Policies

2019-06-19 Thread Tomas Mraz
On Wed, 2019-06-19 at 12:38 +0200, Vít Ondruch wrote: > Dne 18. 06. 19 v 21:50 Ben Cotton napsal(a): > > == How To Test == > > > > This will be tested as part of the upstream crypto-policies > > testsuite. > > I think this section should describe, how I, as a Fedora user, am > supposed to test

Re: F31 Self-Contained Change proposal: Custom Crypto Policies

2019-06-19 Thread Tomas Mraz
On Wed, 2019-06-19 at 12:49 +0200, Vít Ondruch wrote: > Dne 19. 06. 19 v 12:00 Tomas Mraz napsal(a): > > On Wed, 2019-06-19 at 10:19 +0200, Vít Ondruch wrote: > > > Dne 18. 06. 19 v 21:50 Ben Cotton napsal(a): > > > > https://fedoraproject.org/wik

Re: F31 Self-Contained Change proposal: Custom Crypto Policies

2019-06-19 Thread Tomas Mraz
On Wed, 2019-06-19 at 10:19 +0200, Vít Ondruch wrote: > Dne 18. 06. 19 v 21:50 Ben Cotton napsal(a): > > https://fedoraproject.org/wiki/Changes/CustomCryptoPolicies > > > > == Summary == > > This new feature of crypto-policies allows system administrators > > and > > third party providers to

Re: wpa supplicant using /dev/random

2019-06-06 Thread Tomas Mraz
On Wed, 2019-06-05 at 16:38 -0600, Chris Murphy wrote: > Jun 05 15:53:25 fmac.local kernel: random: crng init done > Jun 05 15:53:25 fmac.local kernel: random: 7 urandom warning(s) > missed > due to ratelimiting > Jun 05 15:53:25 fmac.local wpa_supplicant[1000]: random: Cannot read > from

Re: Fedora 31 System-Wide Change proposal: Switch RPMs to zstd compression

2019-05-31 Thread Tomas Mraz
On Thu, 2019-05-30 at 16:18 -0400, Neal Gompa wrote: > > That said, I'm less happy about the thought that inspecting Fedora > RPMs on RHEL 8 or openSUSE is going to be a royal pain. > Ecosystem-wise, no one really prepared for a distribution to switch > to > zstd so quickly. Thankfully, it's

Re: rpmlint warning: crypto-policy-non-compliance-gnutls-1

2019-05-27 Thread Tomas Mraz
Anderson, FYI. Could you please answer the question below? On Fri, 2019-05-24 at 17:58 +0100, Richard W.M. Jones wrote: > > libnbd.x86_64: W: crypto-policy-non-compliance-gnutls-1 > > /usr/lib64/libnbd.so.0.0.0 gnutls_priority_set_direct > > This application package calls a function to explicitly

Re: Removal of krb5-devel from "stable" F29 buidroot broke my package

2019-05-17 Thread Tomas Mraz
On Thu, 2019-05-16 at 07:50 +0200, Vít Ondruch wrote: > Dne 15. 05. 19 v 17:29 Dominique Martinet napsal(a): > > Michal Schorm wrote on Wed, May 15, 2019 at 05:14:23PM +0200: > > > Another possible cause came up my mind. > > > > > > Another package in the buildroot could have brought it as a > >

Re: Can we maybe reduce the set of packages we install by default a bit?

2019-04-24 Thread Tomas Mraz
On Wed, 2019-04-24 at 14:16 +0200, Lennart Poettering wrote: > On Mi, 24.04.19 12:37, Nikos Mavrogiannopoulos (n...@redhat.com) > wrote: > > > > As mentioned before: systemd itself already needs entropy itself > > > (it > > > assigns a random 128bit id to each service invocation, dubbed the > > >

Re: How to submit Root CA to ship with Fedora

2019-04-24 Thread Tomas Mraz
On Wed, 2019-04-24 at 09:15 +0200, Dominik 'Rathann' Mierzejewski wrote: > Hi, > > On Wednesday, 24 April 2019 at 08:05, Danishka Navin wrote: > > Sri Lanka Cert is gonna implement local Root CA. > > How we can submit this Root CA with Fedora? > > > > I could not find enough information on this.

Re: Fedora 30 System-Wide Change Proposal: GnuPG2 as default GPG implementation

2018-11-26 Thread Tomas Mraz
On Mon, 2018-11-26 at 09:59 -0500, Ben Cotton wrote: > https://fedoraproject.org/wiki/Changes/GnuPG2_as_default_GPG_implemen > tation > > == Summary == > The /usr/bin/gpg path representing the main GPG implementation will > now use GnuPG 2 instead of GnuPG 1. I, as the primary maintainer of the

Re: Koji: builds fails with "error retrieving sources"

2018-09-21 Thread Tomas Mraz
On Fri, 2018-09-21 at 10:33 -0400, Scott Talbert wrote: > On Fri, 21 Sep 2018, Scott Talbert wrote: > > > > https://koji.fedoraproject.org/koji/taskinfo?taskID=29796611 > > > > > > It's not very clear what the actual error is, but I am fairly > > > sure > > > that I have uploaded the correct

You can now test/use the crypto policy of future Fedora releases

2018-08-13 Thread Tomas Mraz
The current [0] crypto-policies in Rawhide contain additional policy named as NEXT. You can switch the system to it as root via command: update-crypto-policies --set NEXT The difference to the current DEFAULT policy is that TLS versions 1.0 and 1.1 are disabled and the minimum key length of RSA

Re: F29 System Wide Change: Strong crypto settings: phase 2

2018-06-14 Thread Tomas Mraz
On Wed, 2018-06-13 at 00:45 -0400, Paul Wouters wrote: > On Wed, 6 Jun 2018, Nikos Mavrogiannopoulos wrote: > > > I think the debate here is whether fedora (and in general operating > > systems) can afford to be stricter than the browsers. As an OS our > > attack surface is much larger than the

Re: F29 System Wide Change: Strong crypto settings: phase 2

2018-06-12 Thread Tomas Mraz
On Tue, 2018-06-12 at 16:01 +0200, Kai Engert wrote: > On 06/11/18 15:14, Tomas Mraz wrote: > > > Okay, so IIUC now, this is an all-or-nothing kind of change. If > > > I > > > elect/need to use LEGACY to administer some old hardware that I > > >

Re: F29 System Wide Change: Strong crypto settings: phase 2

2018-06-11 Thread Tomas Mraz
On Sat, 2018-06-09 at 20:49 -0400, John Florian wrote: > On 06/08/2018 04:07 AM, Tomas Mraz wrote: > > On Thu, 2018-06-07 at 16:13 -0400, John Florian wrote: > > > On 06/07/2018 08:44 AM, Tomas Mraz wrote: > > > > On Tue, 2018-06-05 at 16:34 -0400, John Florian wrote:

Re: F29 System Wide Change: Strong crypto settings: phase 2

2018-06-08 Thread Tomas Mraz
On Thu, 2018-06-07 at 16:13 -0400, John Florian wrote: > On 06/07/2018 08:44 AM, Tomas Mraz wrote: > > On Tue, 2018-06-05 at 16:34 -0400, John Florian wrote: > > > On 06/05/2018 12:25 PM, Tomas Mraz wrote: > > > > On Tue, 2018-06-05 at 16:11 +, Christian Stadelm

Re: F29 System Wide Change: Strong crypto settings: phase 2

2018-06-07 Thread Tomas Mraz
On Tue, 2018-06-05 at 16:34 -0400, John Florian wrote: > On 06/05/2018 12:25 PM, Tomas Mraz wrote: > > On Tue, 2018-06-05 at 16:11 +, Christian Stadelmann wrote: > > > "Fallback option" always smells like "protocol downgrade attack". > > > T

Re: F29 System Wide Change: Strong crypto settings: phase 2

2018-06-07 Thread Tomas Mraz
On Wed, 2018-06-06 at 12:05 +, Petr Pisar wrote: > On 2018-06-05, John Florian wrote: > > Makes sense, but what is the best way to deal with such old HW if > > you're > > stuck with it? I don't want to compromise my workstation for all > > my > > normal needs just to deal with some ancient

Re: F29 System Wide Change: Strong crypto settings: phase 2

2018-06-07 Thread Tomas Mraz
On Tue, 2018-06-05 at 11:54 -0500, mcatanz...@gnome.org wrote: > On Fri, Jun 1, 2018 at 6:40 AM, Jan Kurik wrote: > > and weak > > Diffie-Hellman key exchange sizes (1024 bit) > > What size is currently required by upstream Firefox and Chrome? > > The most recent reference I could find is >

Re: F29 System Wide Change: Strong crypto settings: phase 2

2018-06-05 Thread Tomas Mraz
On Tue, 2018-06-05 at 08:08 -0700, Adam Williamson wrote: > On Tue, 2018-06-05 at 11:16 +0200, Nikos Mavrogiannopoulos wrote: > > On Mon, 2018-06-04 at 11:46 -0700, Adam Williamson wrote: > > > On Fri, 2018-06-01 at 13:40 +0200, Jan Kurik wrote: > > > > = Proposed System Wide Change: Strong crypto

Re: F29 System Wide Change: Strong crypto settings: phase 2

2018-06-05 Thread Tomas Mraz
On Tue, 2018-06-05 at 16:11 +, Christian Stadelmann wrote: > "Fallback option" always smells like "protocol downgrade attack". > This would undermine the idea of a crypto policy. Anyway, > implementing it seems way out of scope for the crypto policy. Yes, a fallback option is a no-way. You

Re: how to replace ssl with ssh2 in kqoauth

2017-12-01 Thread Tomas Mraz
On Fri, 2017-12-01 at 06:40 -0600, Rex Dieter wrote: > Tomas Mraz wrote: > > > Compat-openssl10-devel will be removed at the latest by Fedora 29 > > and > > anything that requires it will be no longer buildable. > > That's the first I've seen or heard of

Re: how to replace ssl with ssh2 in kqoauth

2017-11-30 Thread Tomas Mraz
On Thu, 2017-11-30 at 13:49 +, Martin Gansser wrote: > Is it possible to compile kQOAuth [1] with ssh2 by using openssl, as > it always comes to conflict between compat-openssl10 and openssl.  > I have already searched in the sources of kqoauth for the places > where ssl is referenced. > > $

Re: Heads Up - openssl makefile and scripts for creating self signed certificates

2017-10-24 Thread Tomas Mraz
On 10/24/2017 04:23 PM, Tomas Mraz wrote: > I was asked here to merge pull request that moves the openssl makefile > and scripts for creating self signed certificates to /usr/share/doc. > > I am not sure this is the right thing to do as these are definitely > still used currently

Heads Up - openssl makefile and scripts for creating self signed certificates

2017-10-24 Thread Tomas Mraz
that depend on openssl whether they currently use the makefile or the scripts to create self signed certificate for the service. Tomas Mraz ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le

Re: How should we handle gnupg v1.4.X as gpg1?

2017-10-11 Thread Tomas Mraz
On Wed, 2017-10-11 at 05:33 +, Christopher wrote: > On Tue, Oct 10, 2017 at 5:44 PM Dominik 'Rathann' Mierzejewski < > domi...@greysector.net> wrote: > > > On Tuesday, 10 October 2017 at 20:57, Christopher wrote: > > > On Tue, Oct 10, 2017 at 1:04 PM Brian C. Lane > > >

Re: GnuPG 2.2.0 and replacement of GnuPG1

2017-09-04 Thread Tomas Mraz
On Sun, 2017-09-03 at 13:45 +0200, Igor Gnatenko wrote: > GnuPG 2.2.0 has --enable-gpg-is-gpg2 which would install compat > symlink >  from /usr/bin/gpg to /usr/bin/gpg2.. > > Is it time to retire gnupg (v1) ? I really do not care. If the gpg v1 is still maintained upstream and there is somebody

Re: tcp_wrappers deprecation

2017-08-16 Thread Tomas Mraz
On 08/16/2017 11:37 AM, Michal Sekletar wrote: > On Tue, Aug 15, 2017 at 1:58 PM, Jakub Jelen wrote: > >> >> So can we discuss it now once more without the affiliation to systemd? >> The fact is that we still do not have any other replacement except >> firewalls. But do we

Re: F27 Self Contained Change: Authselect: new tool to replace authconfig

2017-07-19 Thread Tomas Mraz
On Tue, 2017-07-18 at 20:30 +0100, Tom Hughes wrote: > On 18/07/17 15:26, Stephen Gallagher wrote: > > > On Tue, Jul 18, 2017 at 10:17 AM Tom Hughes > > wrote: > > > > Well none of my newly upgraded F26 machines appear to be > > running it ;-) > >

How to make a package multilib

2017-06-21 Thread Tomas Mraz
Hi all, the package p11-kit-trust needs to be multilib because it contains PKCS#11 .so object used for access to trusted CA certificate store. However because this package is a PKCS#11 module and not a regular shared library there is no p11-kit-trust-devel package which would mark it

Re: [systemd-devel] Locale setup for non-shells

2017-05-22 Thread Tomas Mraz
> A better question is what exactly pam_env.so expects... Last time I > couldn't quite figure out when it wants a key=value file and when it > wants > its own special "foo DEFAULT=bar" format, and in fact the manual > doesn't > seem to match the actual behavior... Does it autode

Re: Locale setup for non-shells

2017-05-22 Thread Tomas Mraz
read /etc/default/locale. Similar thing is possible > > to do in > > Fedora too. E.g. just put this into /etc/pam.d/system-auth: > > > > session required  pam_env.so envfile=/etc/locale.conf > > > > Nick

Re: Wild changes in nsswitch.conf

2017-05-15 Thread Tomas Mraz
On Mon, 2017-05-15 at 17:15 +0200, Jakub Hrozek wrote: > On Mon, May 15, 2017 at 04:35:56PM +0200, Tomas Mraz wrote: > > My current Fedora 26 default nsswitch.conf contains these lines: > > > > passwd:  sss files systemd > > shadow: files sss > >

Wild changes in nsswitch.conf

2017-05-15 Thread Tomas Mraz
these modifications of fairly critical systemwide configuration file? * From which time systemd started to manage user accounts of the machine, again where is the Fedora Change page for such change? Regards, -- Tomas Mraz No matter how far down the wrong road you've gone, turn back

Re: switching libcurl back to OpenSSL and providing the libcurl-minimal subpackage

2017-04-18 Thread Tomas Mraz
. Grr :) GPLv2-only incompatible licence. It is compatible with GPLv3 or GPLv2+. So the situation is better and given the objectives for the licence change they had I am afraid there was no better choice. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back.

Re: upcoming build and release developer flag day December 12 2016

2016-11-21 Thread Tomas Mraz
os. I could probably type them if I typed them slowly but that isn't something I am willing to do. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb (You'll never know wh

Re: RFC (round 2): Change the default hostname for Fedora 26+

2016-11-15 Thread Tomas Mraz
rom /dev/random. Please, please, do not mention use of /dev/random at all. Use /dev/urandom. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb (You'll never k

Re: Storage size unknown on rawhide

2016-10-25 Thread Tomas Mraz
://github.com/patch-exchange/openssl-1.1-transition Basically you have to use EVP_CIPHER_CTX_new() and ..._free() to allocate and deallocate the structure and use only pointer. For all the structure members that should be used publicly there are accessor

Re: OpenSSL 1.1.0 in Rawhide very soon

2016-10-14 Thread Tomas Mraz
On St, 2016-10-12 at 12:40 +0200, Tomas Mraz wrote: > On St, 2016-10-12 at 10:28 +0200, Vít Ondruch wrote: > >  > > But what about stable versions of libraries applications? For > > example, > > in current Rawhide, you won't be able to build any stable Ruby > >

Re: libbson soname alias removal

2016-10-13 Thread Tomas Mraz
to the upstream. At the end it's only a release candidate. > But be prepared they are quite obstinate about this packaging stuff. I do not think it is worth it. Effectively rpm dependencies detect this breakage anyway so there is no need to change the soname. -- Tomas Mraz

Re: OpenSSL 1.1.0 in Rawhide very soon

2016-10-12 Thread Tomas Mraz
On St, 2016-10-12 at 15:33 +0200, Tomas Mraz wrote: > On St, 2016-10-12 at 14:39 +0200, Kamil Dudka wrote: > > > > On Friday, October 07, 2016 14:49:49 Tomas Mraz wrote: > > > > > > > > > Hi all, > > > > > >

Re: OpenSSL 1.1.0 in Rawhide very soon

2016-10-12 Thread Tomas Mraz
On St, 2016-10-12 at 14:39 +0200, Kamil Dudka wrote: > On Friday, October 07, 2016 14:49:49 Tomas Mraz wrote: > > > > Hi all, > > > > the openssl will be rebased in Rawhide to 1.1.0 on Monday. There > > will > > be also 1.0.2 compat package

Re: OpenSSL 1.1.0 in Rawhide very soon

2016-10-12 Thread Tomas Mraz
On St, 2016-10-12 at 10:28 +0200, Vít Ondruch wrote: > > Dne 10.10.2016 v 16:29 Tomas Mraz napsal(a): > > > > On So, 2016-10-08 at 13:37 +0200, Kevin Kofler wrote: > > > > > > Tomas Mraz wrote: > > > > > > > >

Re: OpenSSL 1.1.0 in Rawhide very soon

2016-10-12 Thread Tomas Mraz
On St, 2016-10-12 at 08:21 +, Petr Pisar wrote: > On 2016-10-12, Tomas Mraz <tm...@redhat.com> wrote: > > > > On St, 2016-10-12 at 08:22 +0200, Nikos Mavrogiannopoulos wrote: > > > > > > Was the load using dlopen() or simply an indirect link?

Re: OpenSSL 1.1.0 in Rawhide very soon

2016-10-12 Thread Tomas Mraz
ons. That certainly won't work. On the other hand the scenario where one library linked by an application uses OpenSSL 1.1 for TLS and another library uses OpenSSL 1.0 for SHA256 hashing, should work - at least it worked for me when I tested it. -- Tomas Mraz No matter how far d

Re: OpenSSL 1.1.0 in Rawhide very soon

2016-10-12 Thread Tomas Mraz
On St, 2016-10-12 at 01:23 +0100, David Woodhouse wrote: > On Mon, 2016-10-10 at 16:29 +0200, Tomas Mraz wrote: > > > > > > We will work on porting the dependent packages to the new API. If > > by > > some reasonable deadline there are still some packages that

Re: OpenSSL 1.1.0 in Rawhide very soon

2016-10-11 Thread Tomas Mraz
he order of > dependencies. In my testing of application that pulled both old (indirectly) and new OpenSSL (directly), it did not crash and I did not see anything wrong with it. So it seems not all cases are broken however apparently the above is reason for moving dependencies to 1.1.0 as quic

Re: OpenSSL 1.1.0 in Rawhide very soon

2016-10-11 Thread Tomas Mraz
ugs.ruby-lang.org/issues/12830 > > > > Not sure if you'll have also some Fedora specific tracker > Would be nice to get tracking bug created on RHBZ, so we can track > all > the packages. Created: https://bugzilla.redhat.com/show_bug.cgi?id=1383740 --  To

Re: OpenSSL 1.1.0 in Rawhide very soon

2016-10-11 Thread Tomas Mraz
On Út, 2016-10-11 at 09:25 -0600, Orion Poplawski wrote: > On 10/07/2016 06:49 AM, Tomas Mraz wrote: > > > > Hi all, > > > > the openssl will be rebased in Rawhide to 1.1.0 on Monday. There > > will > > be also 1.0.2 compat package (compat-openssl10) so

Re: OpenSSL 1.1.0 in Rawhide very soon

2016-10-10 Thread Tomas Mraz
On So, 2016-10-08 at 13:37 +0200, Kevin Kofler wrote: > Tomas Mraz wrote: > > > > At worst if the patching of a package is highly non-trivial and the > > upstream is not responsive we might have to drop the package from > > Fedora. > > > > We do not want t

Re: Weak password madness is back again

2016-10-10 Thread Tomas Mraz
anel with the admin password before changing his password; not > sure what the UI should be for this). If accountsservice uses usermod it generates audit events too although slightly different ones than passwd. But that should not be a problem for auditability. -- Tomas Mraz No matter how far dow

Re: Weak password madness is back again

2016-10-07 Thread Tomas Mraz
here the password strength check should not be overridable is when a regular user tries to change his own password. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb (You'll neve

OpenSSL 1.1.0 in Rawhide very soon

2016-10-07 Thread Tomas Mraz
is still fully "supported" in Fedora and there would be no incentive to switch to 1.1.0. Also to get any new features from upstream OpenSSL we have to move to newer versions as they are released as the old versions get only bug fixes. -- Tomas Mraz No matter how far down the wrong road y

Re: F26 System Wide Change: OpenSSL 1.1.0

2016-09-29 Thread Tomas Mraz
and avoid any additional ones with exception of libgcrypt for gnupg2. Tomas Mraz

Re: F26 System Wide Change: OpenSSL 1.1.0

2016-09-27 Thread Tomas Mraz
ems with openssl etc I am sorry but I certainly cannot promise to test all dependent packages with the new OpenSSL - that's out of the question. The testing has to be done by the respective package maintainers and the package users as for all other cases of library package updates. -- Tomas Mraz No matter ho

Re: F26 System Wide Change: OpenSSL 1.1.0

2016-09-26 Thread Tomas Mraz
On Po, 2016-09-26 at 09:35 +0100, David Woodhouse wrote: > On Mon, 2016-09-26 at 10:09 +0200, Tomas Mraz wrote: > > > > My current plan is to not ship such engine-pkcs11 package. We > > should > > try to move everything to OpenSSL 1.1 and ship the 1.0.2 only as a &

Re: F26 System Wide Change: OpenSSL 1.1.0

2016-09-26 Thread Tomas Mraz
On So, 2016-09-24 at 00:52 +0100, David Woodhouse wrote: > On Tue, 2016-09-20 at 11:37 +0200, Tomas Mraz wrote: > > > > Well... we certainly need to port it sooner or later although I > > understand that effort will be quite non-trivial. > You mean port libp11? That's

Re: F26 System Wide Change: OpenSSL 1.1.0

2016-09-20 Thread Tomas Mraz
> it's > actually *present* for the version of OpenSSL that you're building > against... Well... we certainly need to port it sooner or later although I understand that effort will be quite non-trivial. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back.

Re: Suggestion to end support for legacy 1024-bit RSA root CAs in Fedora stable

2016-08-19 Thread Tomas Mraz
a release, and after it's done: > - build this change into f25 updates-testing > - all F25 alpha users doing updates will get this change >   immediately and will participate in testing it. +1 to this plan, except for one thing - you do not have to wait for alpha to be released before y

Re: OpenSSL-1.1.0 COPR for Rawhide

2016-07-22 Thread Tomas Mraz
On Pá, 2016-07-22 at 10:24 -0400, Simo Sorce wrote: > On Fri, 2016-07-22 at 10:21 -0400, Simo Sorce wrote: > > > > On Fri, 2016-07-22 at 17:17 +0300, Antti Järvinen wrote: > > > > > > Tomas Mraz writes: > > >  > for anybody inste

OpenSSL-1.1.0 COPR for Rawhide

2016-07-22 Thread Tomas Mraz
suggestions for improvements, please mail me directly. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb (You'll never know whether the road is wrong though.)

Re: GPG2 as default /usr/bin/gpg

2016-02-17 Thread Tomas Mraz
On St, 2016-02-17 at 08:10 -0800, Brian C. Lane wrote: > On Wed, Feb 17, 2016 at 04:51:48PM +0100, Tomas Mraz wrote: > > On St, 2016-02-17 at 07:29 -0800, Brian C. Lane wrote: > > > On Wed, Feb 17, 2016 at 05:52:45AM +, Christopher wrote: > > > >

Re: GPG2 as default /usr/bin/gpg

2016-02-17 Thread Tomas Mraz
your opinion for using alternatives for the /usr/bin/gpg? The problem is that now the keystores are incompatible and it creates big confusion to the users when they see some key in gnupg-1 and do not see it in gnupg-2 and the other way around. -- Tomas Mraz No matter how far down the wrong road you'v

Re: GPG2 as default /usr/bin/gpg

2016-02-17 Thread Tomas Mraz
ora Change and we are past the deadline for Changes proposals. So this will have to be postponed to Fedora 25. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb (You'll never know whether the r

Re: System CA certificate trust store management meeting

2016-02-16 Thread Tomas Mraz
On Po, 2016-02-15 at 13:05 +, David Woodhouse wrote: > On Tue, 2016-02-02 at 17:13 +0100, Tomas Mraz wrote: > > Hello, > > for anyone interested in the subject and visiting DevConf in Brno > > on  > > this Friday - we will be holding an informal meeting to gather use

System CA certificate trust store management meeting

2016-02-02 Thread Tomas Mraz
will happen on Friday Feb 5th 2016 13:10-14:30 at the DevConf venue in the room C228. See also: https://communityblog.fedoraproject.org/system-ca-certificate-trust-management-review-planning-meeting-devconf/ Regards, Tomas Mraz, Security Technologies Team member at Red Hat

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-01 Thread Tomas Mraz
> - We decided not to query user for security decisions, and for the beginning > if there is no other option just fall back to the current state that that is > in Fedora today Will there be at least some visual indicator that the network you're connected to does not provide secure DNS?

Re: Packaging:NamingGuidelines Re: DNF is completly unable to act with local packages

2015-11-20 Thread Tomas Mraz
> change, so it's hard for me to come up with a reason to change my > > opinion. > > prerelease numbering can't begin with 0 and increased to 0.1 because : > > next version of foo-0.b would be foo-0.1.b and "b">1 Nope, 1>"b" in rpm version compare.

Re: Dealing with the "my packages" problem

2015-11-19 Thread Tomas Mraz
some time (24-48 hours ? could be > configurable). > > I think this workflow would lessen the burden for both parties > involved: > * less work for proven packagers when "doing it right" > (automatic asking, staging & auto apply) > * maintainers get always

Orphaning openct and ctapi-common on Rawhide

2015-10-12 Thread Tomas Mraz
also for the branched releases. Regards, -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb (You'll never know whether the road is wrong though.)

Re: Summary/Minutes from today's FESCo Meeting (2015-10-07)

2015-10-08 Thread Tomas Mraz
a worse! Yes, it seems the quantity over quality view won. :( Also the haste with which it was pushed is seriously disappointing. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb (You'll never know whether

Re: Proposal to reduce anti-bundling requirements

2015-10-02 Thread Tomas Mraz
the other hand the evaluation should be quick and the current rules seem to me to be slightly too strict. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb (You'll never know whether the road is wrong though.) -- de

Re: Proposal to reduce anti-bundling requirements

2015-09-30 Thread Tomas Mraz
in "now that i don't need to ask FPC i don't declare it" > > the opposite is more likely: people trying to avoid the FPC burden now > can declare it without fearing somebody takes notice and points out a > violation I think that's exactly what was Orion trying to say above

Re: Proposal to reduce anti-bundling requirements

2015-09-11 Thread Tomas Mraz
to make number of exceptions when necessary, but the fight against entropy should never stop and we should strive to make The Right Things™ against all odds. And I am giving Matěj a big +1 for what he wrote here. I completely agree with that. Regards, Tomas Mraz

Re: Symbol `SSL_ImplementedCiphers' has different size in shared object, consider re-linking

2015-09-04 Thread Tomas Mraz
PI so it is not really an ABI break in practice. However ld.so of course cannot know that. Is there any way to make the message disappear other than rebuild of the dependent package? I am afraid that unfortunately not. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back.

Re: F23 Self Contained Change: Standardized Passphrase Policy

2015-07-07 Thread Tomas Mraz
of the changes needed, it would be really helpful. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb (You'll never know whether the road is wrong though.)

Re: F23 Self Contained Change: Standardized Passphrase Policy

2015-06-30 Thread Tomas Mraz
for various passwords, not only for the system accounts. You can simply create and set different configuration files for different password uses. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb (You'll never

Re: Harden_all_packages_with_position-independent_code + guile modules

2015-03-19 Thread Tomas Mraz
On 19.3.2015 08:16, Nikos Mavrogiannopoulos wrote: On Wed, 2015-03-18 at 11:37 -0700, Moez Roy wrote: FULL RELRO http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html If that's all we got I suggest to remove this flag or (better) provide a way for applications that use

Re: OpenSSL MD5 verification disabled?

2015-03-17 Thread Tomas Mraz
=1202157 I don't like the workaround specified in the BZ but I don't see an alternative so I would like to get some input from others who are better versed in how OpenSSL works. Hi, there is no other workaround. And they should not use MD5 signed certificates - they are insecure. Regards, Tomas

Re: Headsup: Xorg is broken in F-22 when used with fips or /etc/system-fips

2015-02-24 Thread Tomas Mraz
to fix that. Please open a new bug against libgcrypt so the bug fix is tracked. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb (You'll never know whether the road is wrong though.)

Re: DNF as default package manager

2015-01-21 Thread Tomas Mraz
they weren't by any means finished. I can name UsrMove, TMPonTMPFS, etc. Even the systemd replacement of sysvinit change but that was not that bad. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb (You'll never

Re: echoping - Re: Hundreds of bugzilla mails on one day

2015-01-15 Thread Tomas Mraz
removed from Fedora. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb (You'll never know whether the road is wrong though.)

Re: Abotu setting 'PermitRootLogin=no' in sshd_config

2014-11-27 Thread Tomas Mraz
access does not improve security against targeted attacks because in such cases the user name can be quite easily inferred. So basically this feature is just a 'marketing' improvement and not worth the hassle. Tomas Mraz

Re: Schedule for Wednesday's FESCo meeting (2014-11-26 at 18UTC)

2014-11-26 Thread Tomas Mraz
. And me too. Regards, Tomas Mraz

Summary/Minutes from today's FESCo Meeting (2014-11-19)

2014-11-19 Thread Tomas Mraz
=== #fedora-meeting: FESCO (2014-11-19) === Meeting started by t8m at 18:08:14 UTC. The full logs are available at http://meetbot.fedoraproject.org/fedora-meeting/2014-11-19/fesco.2014-11-19-18.08.log.html . Meeting summary

Schedule for Wednesday's FESCo Meeting (2014-11-19)

2014-11-18 Thread Tomas Mraz
://fedorahosted.org/fesco, e-mail me directly, or bring it up at the end of the meeting, during the open floor topic. Note that added topics may be deferred until the following meeting. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back
