F35 Change: Disable SHA1 In OpenDNSSec (Self-Contained Change proposal)
https://fedoraproject.org/wiki/Change/DisableSHA1InOpenDNSSec

== Summary ==
OpenDNSSec's enforcer has a (deprecated) -sha1 CLI option that brings back the old behavior, e.g. include the SHA1 version of the DS. As SHA1 use is deprecated in favour of SHA256, disable the -sha1 CLI knob so that it only displays a warning.

== Owner ==
* Name: [[User:fcami| François Cami]]
* Email: fc...@redhat.com

== Detailed Description ==
OpenDNSSec changed the default behavior to not include SHA1 DS by default, and added the -sha1 knob as an immediately-deprecated compatibility knob in version 2.1.0 (2017-2):

"OPENDNSSEC-552: By default ‘ods-enforcer key export --ds’ included the SHA1 version of the DS. SHA1 use is discouraged in favour of SHA256. To get the SHA1 DS use the --sha1 flag. This flag is immediately deprecated and will be removed from future versions of OpenDNSSEC." (see ChangeLog: https://www.opendnssec.org/archive/releases/ ).

The proposal is to disable the -sha1 knob in Fedora. I will also open an issue upstream to remove all the sha1-related code.

Supporting statement [https://www.icann.org/en/blogs/details/its-time-to-move-away-from-using-sha-1-in-the-dns-24-1-2020-en from ICANN] (2020-1-24): "Now is the time for administrators of zones at all levels of the DNS to stop using SHA-1 and change to algorithms using stronger hashes."

== Benefit to Fedora ==
* This change makes sure OpenDNSSec in Fedora follows ICANN's guidelines and does not propose SHA1 DS. This is needed given the [https://sha-mbles.github.io/ latest attacks against SHA-1]. More in-depth articles are available [https://www.dns.cam.ac.uk/news/2020-01-09-sha-mbles.html there] and [https://mailarchive.ietf.org/arch/msg/dnsop/hA4Ur9qxRJIUo13Pjpmrm_va7cs/ there].
* This change is aligned with previous features:
** [[Features/StrongerHashes]]
** [[Changes/StrongCryptoSettings]]
** [[Changes/StrongCryptoSettings2]]

== Scope ==
* Proposal owners: Patch the enforcer so that bsha1 is not honored anymore:
 ./enforcer/src/keystate/keystate_export_cmd.c-271-break;
 ./enforcer/src/keystate/keystate_export_cmd.c-272-case 's':
 ./enforcer/src/keystate/keystate_export_cmd.c:273:bsha1 = 1;
 ./enforcer/src/keystate/keystate_export_cmd.c-274-break;
 ./enforcer/src/keystate/keystate_export_cmd.c-275-default:
* Other developers:
* Release engineering:
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with Objectives: N/A

== Upgrade/compatibility impact ==
Zones with SHA-1 signatures can be migrated to SHA-256 by re-signing the zone. This change might break (very old) clients that only recognize SHA-1 but these should already be broken (on the Internet at least) because the root zone is signed with SHA-256 only.

== How To Test ==

== User Experience ==
OpenDNSSec in Fedora can currently be used to sign zones with SHA1. With this change, this will no longer be possible. The migration from SHA1 is underway anyway.

== Dependencies ==
FreeIPA (freeipa-server-dns) depends on OpenDNSSec.

== Contingency Plan ==
* Contingency mechanism: Keep the current -sha1 knob's behavior (remove the patch).
* Contingency deadline: Beta freeze
* Blocks release? No, unless the change breaks IPA.
-- Ben Cotton He / Him / His Fedora Program Manager Red Hat TZ=America/Indiana/Indianapolis ___ devel-announce mailing list -- devel-announce@lists.fedoraproject.org To unsubscribe send an email to devel-announce-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
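Added example, not part of the announcement above and not OpenDNSSEC code: the DisableSHA1InOpenDNSSec proposal turns on the DS digest type, so this Python code builds a DS record from a DNSKEY (digest over owner name plus DNSKEY RDATA, as in RFC 4034) and audits a DS RRset for leftover SHA-1 (digest type 1) entries. The zone name `example.test.`, the key bytes and every function name are constructed for illustration.

```python
import hashlib
import struct

# DS digest types (IANA registry): number -> (hashlib name, digest bytes)
DIGESTS = {1: ("sha1", 20), 2: ("sha256", 32), 4: ("sha384", 48)}
SAMPLE_KEY = bytes(range(64))  # constructed 64-byte value, not a real key

def wire_name(name):
    """Canonical (lower-case) DNS wire encoding of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, flags, algorithm, pubkey, digest_type=2):
    """Return a zone-format DS line; digest = H(owner name | DNSKEY RDATA)."""
    rdata = struct.pack("!HBB", flags, 3, algorithm) + pubkey
    digest = hashlib.new(DIGESTS[digest_type][0], wire_name(owner) + rdata)
    return "%s IN DS %d %d %d %s" % (
        owner, key_tag(rdata), algorithm, digest_type, digest.hexdigest().upper())

def audit_ds(lines):
    """Map (owner, key tag, algorithm) to a verdict for zone-format DS lines."""
    seen = {}
    for line in lines:
        fields = line.split(";")[0].split()  # drop zone-file comments
        if "DS" not in fields or len(fields) < fields.index("DS") + 5:
            continue
        at = fields.index("DS")
        tag, alg, dtype = (int(x) for x in fields[at + 1:at + 4])
        digest = "".join(fields[at + 4:])
        known = DIGESTS.get(dtype)
        valid = known is not None and len(digest) == 2 * known[1]
        seen.setdefault((fields[0].lower(), tag, alg), set()).add(dtype if valid else "bad")
    verdicts = {}
    for key, types in seen.items():
        if "bad" in types:
            verdicts[key] = "malformed"
        elif 1 not in types:
            verdicts[key] = "ok"
        elif types == {1}:
            verdicts[key] = "sha1-only: publish a SHA-256 DS before withdrawing it"
        else:
            verdicts[key] = "sha1-redundant: withdraw the SHA-1 DS"
    return verdicts

if __name__ == "__main__":
    rrset = [make_ds("example.test.", 257, 13, SAMPLE_KEY, t) for t in (1, 2)]
    for key, verdict in audit_ds(rrset).items():
        print(key, verdict)
```

A key whose only DS is SHA-1 needs its SHA-256 DS published at the parent first; removing the SHA-1 record before that would leave the delegation without a usable DS.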
F35 Change: Golang 1.17 (System-Wide Change proposal)
https://fedoraproject.org/wiki/Changes/golang1.17

== Summary ==
Rebase of Golang package to upcoming version 1.17 in Fedora 35, including the rebuild of all dependent packages (the pre-release version of Go will be used for the rebuild if the released version is not available at the time of the mass rebuild).

== Owner ==
* Name: [[User:alexsaezm| Alejandro Sáez Morollón]], [[User:Jcajka| Jakub Čajka]]
* Email: a...@redhat.com, jca...@redhat.com

== Detailed Description ==
Rebase of Golang package to upcoming version 1.17 in Fedora 35. Golang 1.17 is scheduled to be released in August 2021. Due to Go packages' current nature and state, the rebuild of dependent packages will be required.

== Benefit to Fedora ==
Stay closely behind upstream by providing the latest release of Go, which includes improved support of the risc-v processor architecture and added support for aarch64 based darwin (macOS) machines, among other bug fixes, enhancements and new features. For a complete list of changes, see upstream change notes at https://tip.golang.org/doc/go1.17 . Therefore Fedora will be providing a reliable development platform for Go language and projects written in it.

== Scope ==
* Proposal owners: Rebase Golang package in Fedora 35, help resolve possible issues found during package rebuilds.
* Other developers: Fix possible issues, with help from Golang maintainers.
* Release engineering: Rebuild of dependent packages as part of planned mass-rebuild.
* Policies and guidelines: N/A
* Trademark approval: N/A

== Upgrade/compatibility impact ==
None

== How To Test ==
;0.
:a) Install golang 1.17 from rawhide and use it to build your application(s)/package(s).
:b) Scratch build against rawhide.
;1.
:Your application/package built using golang 1.17 should work as expected.
== User Experience ==
None

== Dependencies ==
 dnf repoquery -q --releasever=rawhide --disablerepo='*' --qf='%{name}' --enablerepo=fedora-source --enablerepo=updates-source --enablerepo=updates-testing-source --archlist=src --whatrequires 'golang'
 dnf repoquery -q --releasever=rawhide --disablerepo='*' --qf='%{name}' --enablerepo=fedora-source --enablerepo=updates-source --enablerepo=updates-testing-source --archlist=src --whatrequires 'compiler(go-compiler)'
 dnf repoquery -q --releasever=rawhide --disablerepo='*' --qf='%{name}' --enablerepo=fedora-source --enablerepo=updates-source --enablerepo=updates-testing-source --archlist=src --whatrequires 'compiler(golang)'
 dnf repoquery -q --releasever=rawhide --disablerepo='*' --qf='%{name}' --enablerepo=fedora-source --enablerepo=updates-source --enablerepo=updates-testing-source --archlist=src --whatrequires 'go-rpm-macros'

Omitted due to the number of packages listed (~1600). Not all of those listed require a rebuild, as they might not ship binaries and/or do not use the golang compiler during build, but only use Go rpm macros that pull it in to every build root.

== Contingency Plan ==
* Contingency mechanism: Reverting to golang version 1.16.X if significant issues are discovered.
* Contingency deadline: Beta Freeze
* Blocks release? No
* Blocks product? No

== Documentation ==
https://tip.golang.org/doc/go1.17

-- Ben Cotton He / Him / His Fedora Program Manager Red Hat TZ=America/Indiana/Indianapolis
F35 Change: LLVM 13 (Self-Contained Change proposal)
https://fedoraproject.org/wiki/Changes/LLVM-13

== Summary ==
Update all llvm sub-projects in Fedora to version 13.

== Owner ==
* Name: [[User:tstellar| Tom Stellard]]
* Email:

== Detailed Description ==
All llvm sub-projects in Fedora will be updated to version 13, and there will be a soname version change for the llvm libraries. Compatibility packages clang12 and llvm12 will be added to ensure that packages that currently depend on clang and llvm version 12 libraries will continue to work.

== Benefit to Fedora ==
New features and bug fixes provided by the latest version of LLVM.

== Scope ==
* Proposal owners:
** Review existing llvm and clang compatibility packages and orphan any packages that are no longer used.
** Request a side-tag.
** Build llvm12 and clang12 into the side-tag.
** When the upstream LLVM project releases version 12.0.0-rc1 (Late July 2021), package this and build it into the side tag.
** Merge side-tag into rawhide prior to the f35 branch date.
** Continue packaging newer release candidates into rawhide and f35 until the final release is complete (Late September 2021)
* Other developers:
** Maintainers of packages that depend on clang-libs or llvm-libs will need to update their spec files to depend on the clang12 and llvm12 compatibility packages if they want to rebuild their package and it does not work with LLVM 13 yet. The key point here is that spec file changes are only needed if a package is going to be rebuilt after LLVM 13 is added to Fedora. The compatibility packages will ensure that already built packages continue to work.
* Release engineering: [https://pagure.io/releng/issues/10179]
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with Objectives:

== Upgrade/compatibility impact ==
This change should not impact upgradeability.
== How To Test ==
The CI tests for the llvm sub-packages in Fedora will be used to catch regressions that might be potentially introduced by the update to LLVM 13.

== User Experience ==
Users will benefit from new features and bug-fixes in the latest version of LLVM.

== Dependencies ==
This change can be made without updating any other packages. However, as mentioned before, packages that need to use LLVM 12 will need to update their spec file on their first rebuild after this change.

== Contingency Plan ==
* Contingency mechanism: (What to do? Who will do it?): If there are major problems with LLVM 13, the compatibility packages provide a way for other packages to continue using LLVM 12.
* Contingency deadline: Final Freeze
* Blocks release? No

== Documentation ==
Release notes will be added for this change.

== Release Notes ==
LLVM sub-projects in Fedora have been updated to version 13:
* llvm
* clang
* lld
* lldb
* compiler-rt
* libomp
* llvm-test-suite
* libcxx
* libcxxabi
* python-lit
* flang
* mlir
* polly
* libclc

-- Ben Cotton He / Him / His Fedora Program Manager Red Hat TZ=America/Indiana/Indianapolis
F35 Change: Rebase firewalld to upstream v1.0.0 (System-Wide Change proposal)
https://fedoraproject.org/wiki/Changes/firewalld-1.0.0

== Summary ==
Firewalld upstream is about to release v1.0.0. As indicated by the major version bump this includes behavioral changes.

== Owner ==
* Name: [[User:erig0| Eric Garver]]
* Email: egar...@redhat.com

== Detailed Description ==
Firewalld v1.0.0 includes breaking changes meant to improve the overall health of the project. The majority of the changes are centered around improving and strengthening the zone concept. All breaking changes are detailed in depth in the [https://firewalld.org/2021/06/the-upcoming-1-0-0 upstream blog].

Major changes:
* Reduced dependencies
* Intra-zone forwarding by default
* NAT rules moved to inet family (reduced rule set)
* Default target is now similar to reject
* ICMP blocks and block inversion only apply to input, not forward
* tftp-client service has been removed
* iptables backend is deprecated
* Direct interface is deprecated
* CleanupModulesOnExit defaults to no (kernel modules not unloaded)

== Benefit to Fedora ==
The major benefit to Fedora is more predictability in the stock firewall. In particular, "Default target is now similar to reject" addresses many subtle issues encountered by users. "NAT rules moved to inet family" also significantly reduces the rule set size for users of `ipset`s.

== Scope ==
* Proposal owners: Changes are isolated to firewalld, but given firewalld is core, a System Wide Change is being filed.
* Other developers: None. Isolated change.
* Release engineering:
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with Objectives:

== Upgrade/compatibility impact ==
* Most configurations will migrate. No intervention required.
** Exceptions
*** configurations that utilize `tftp-client` service will have firewalld start in `failed` state because the service has been removed. As noted in the upstream blog this service has ''never'' worked properly.
* Zones that users have not modified will now have intra-zone forwarding enabled.
** for this to occur the user must ''not'' have added an interface, service, port, etc. to the zone
** minimal concern because this also means the zone was not in use, the exception being an unmodified default zone, e.g. `FedoraWorkstation`

== How To Test ==
Testing for this rebase should revolve around integrations.
* libvirt
** verify VMs still have network access
* podman
** verify containers still have network access
** verify forwarding ports via podman still works
* NetworkManager
** verify connection sharing still works

== User Experience ==
N/A

== Dependencies ==
firewalld has yet to release v1.0.0. It is expected in early July.

== Contingency Plan ==
* Contingency mechanism: revert package to v0.9.z (what f34 uses)
* Contingency deadline: July 27, 2021
* Blocks release? No

== Documentation ==
https://firewalld.org/2021/06/the-upcoming-1-0-0

== Release Notes ==
firewalld has been rebased to v1.0.0. This includes some breaking changes that may affect users.
Major changes:
* Reduced dependencies
* Intra-zone forwarding by default
* NAT rules moved to inet family (reduced rule set)
* Default target is now similar to reject
* ICMP blocks and block inversion only apply to input, not forward
* tftp-client service has been removed
* iptables backend is deprecated
* Direct interface is deprecated
* CleanupModulesOnExit defaults to no (kernel modules not unloaded)

Full details on the upstream blog: https://firewalld.org/2021/06/the-upcoming-1-0-0

-- Ben Cotton He / Him / His Fedora Program Manager Red Hat TZ=America/Indiana/Indianapolis
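Added example, not part of the announcement above and not firewalld code: a pre-upgrade check in Python for the two compatibility points of the firewalld v1.0.0 rebase, namely configuration files that still reference the removed `tftp-client` service and stock zones that have no user override. Treating "no override file under the configuration directory" as "unmodified" is an assumption of this example, as are the function names; `/etc/firewalld` and `/usr/lib/firewalld` are the usual configuration and default directories.

```python
import os
import xml.etree.ElementTree as ET

REMOVED_SERVICE = "tftp-client"  # removed in firewalld v1.0.0 per the proposal

def xml_names(folder):
    """Sorted base names (without .xml) of the XML files in folder."""
    if not os.path.isdir(folder):
        return []
    return sorted(n[:-4] for n in os.listdir(folder) if n.endswith(".xml"))

def uses_removed_service(etc_dir, service=REMOVED_SERVICE):
    """List (path, reason) for zone/policy files that reference the service."""
    hits = []
    for sub in ("zones", "policies"):
        for name in xml_names(os.path.join(etc_dir, sub)):
            path = os.path.join(etc_dir, sub, name + ".xml")
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                # A file that cannot be parsed needs a manual look as well
                hits.append((path, "unparseable"))
                continue
            if any(e.get("name") == service for e in root.iter("service")):
                hits.append((path, service))
    return hits

def untouched_stock_zones(etc_dir, stock_dir):
    """Stock zones with no override in etc_dir/zones (assumed unmodified)."""
    overridden = set(xml_names(os.path.join(etc_dir, "zones")))
    stock = xml_names(os.path.join(stock_dir, "zones"))
    return [zone for zone in stock if zone not in overridden]

if __name__ == "__main__":
    for path, reason in uses_removed_service("/etc/firewalld"):
        print("fix before upgrading: %s (%s)" % (path, reason))
    for zone in untouched_stock_zones("/etc/firewalld", "/usr/lib/firewalld"):
        print("unmodified stock zone: %s" % zone)
```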
F35 Change: Boost 1.76 upgrade (System-Wide Change proposal)
https://fedoraproject.org/wiki/Changes/F35Boost176

== Summary ==
This change brings Boost 1.76 to Fedora. This will mean Fedora ships with a recent upstream Boost release.

== Owner ==
* Name: [[User:trodgers| Thomas Rodgers]]
* Email: trodg...@redhat.com

== Detailed Description ==
The aim is to synchronize Fedora with the most recent Boost release. Because ABI stability is absent from Boost, this entails rebuilding of all dependent packages. This also entails the change owner assisting maintainers of client packages in decoding cryptic boost-ese seen in output from g++.

The equivalent changes for previous releases were [[Changes/F34Boost175]], [[Changes/F33Boost173]], [[Changes/F30Boost169|Fedora 30 Change]], [[Changes/F29Boost167|Fedora 29 Change]], [[Changes/F28Boost166|Fedora 28 Change]], [[Changes/F27Boost164|Fedora 27 Change]], [[Changes/F26Boost163|Fedora 26 Change]], [[Changes/F25Boost161|Fedora 25 Change]], [[Changes/F24Boost160|Fedora 24 Change]], [[Changes/F23Boost159|Fedora 23 Change]] and [[Changes/F22Boost158|Fedora 22 Change]].

== Benefit to Fedora ==
Fedora 35 includes Boost 1.76. Fedora will stay relevant, as far as Boost clients are concerned. Boost 1.76 does not bring any new components but includes many fixes and enhancements to existing components.

Boost 1.76 also introduces some breaking changes -
* Boost.DLL : boost::dll::import was renamed to boost::dll::import_symbol to avoid collision with C++20 import keyword.
* Boost.Math : Drops C++03 support.
* Boost.Multiprecision : Explicitly requires C++11 or later.
== Scope ==
* Proposal owners:
** Build will be done with Boost.Build v2 (which is the upstream-sanctioned way of building Boost)
** Request a "f35-boost" [https://docs.pagure.org/releng/sop_adding_side_build_targets.html build system tag] ([http://lists.fedoraproject.org/pipermail/devel/2011-November/159908.html discussion]): https://pagure.io/releng/issue/9474
** Build boost into that tag (take a look at the [http://koji.fedoraproject.org/koji/buildinfo?buildID=606493 build #606493] for inspiration)
** Post a request for rebuilds to fedora-devel
** Work on rebuilding dependent packages in the tag.
** When most is done, re-tag all the packages to rawhide
** Watch fedora-devel and assist in rebuilding broken Boost clients (by fixing the client, or Boost).
* Other developers:
** Those who depend on Boost DSOs will have to rebuild their packages. Feature owners will alleviate some of this work as indicated above, and will assist those whose packages fail to build in debugging them.
* Policies and guidelines:
** Apart from scope, this is business as usual, so no new policies, no new guidelines.
* Trademark approval: N/A (not needed for this Change)

== Upgrade/compatibility impact ==
* No manual configuration or data migration needed.
* Some impact on other packages needing code changes to rebuild. Historically this hasn't been too much of a problem and could always be resolved before deadline.

== How To Test ==
* No special hardware is needed.
* Integration testing simply consists of installing Boost packages (`dnf install boost`) on Fedora and checking that it does not break other packages (see below for a way to obtain a list of boost clients).

== User Experience ==
* Expected to remain largely the same.
* Developers building third-party software on Fedora may need to rebuild against the new Boost packages, and may need to adjust their code if the new Boost release is not source-compatible.
* Developers using `bjam` to build their own software will need to switch to using the new name for the tool, `b2`

== Dependencies ==
Packages that must be rebuilt:
 $ dnf repoquery -s --releasever=rawhide --whatrequires libboost\* --disablerepo=* --enablerepo=fedora | sort -u

All clients:
 $ dnf repoquery --releasever=rawhide --archlist=src --whatrequires boost-devel --disablerepo='*' --enablerepo=fedora-source

== Contingency Plan ==
* Contingency mechanism: Worst case scenario is to abandon the update and simply ship F34 with Boost 1.73, which is already in rawhide. It would also be possible to ship the 1.74.0 which would still be newer than in current Fedora releases and contains numerous fixes and improvements to existing Boost components.
* Blocks release? No
* Blocks product? None

== Documentation ==
* https://www.boost.org/users/history/version_1_76_0.html (released on 16 April 2021)
* https://www.boost.org/users/history/version_1_75_0.html (released on 11 December 2020)
* https://www.boost.org/users/history/version_1_74_0.html (released on 14 August 2020)
* https://www.boost.org/users/history/version_1_73_0.html (released on 28 April 2020)
* https://www.boost.org/users/history/version_1_72_0.html (released on 11 December 2019)
* https://www.boost.org/users/history/version_1_71_0.html (released on 19 August 2019)
* https://www.boost.org/users/history/version_1_70_0.html (released on 12 April 2019)
* https://www.boost.org/development/index.html

== Release Notes