OpenSSL 1.1.0 in Rawhide very soon
by Tomas Mraz
Hi all,
openssl will be rebased in Rawhide to 1.1.0 on Monday. There will
also be a 1.0.2 compat package (compat-openssl10) so the dependencies are
not broken and Rawhide should be installable. Also, things that do not
depend on openssl should be rebuildable without changes.
On the other hand, due to the major API changes in 1.1.0, if your package
uses OpenSSL it will not be possible to rebuild it without patching.
Some upstreams have already updated their code to work with 1.1.0, so if
that is your case, again, there might not be any problems rebuilding it.
I will also be working on patching and rebuilding the dependencies,
starting with minimal install and expanding to broader installs of
Fedora. However, there might be cases where the package is using some
obscure features of the old 1.0.x API and the port might be non-trivial
- I do not expect such packages to be common; however, cooperation with
the respective package upstream might be needed in such cases.
At worst if the patching of a package is highly non-trivial and the
upstream is not responsive we might have to drop the package from
Fedora.
We do not want to keep 1.0.2 devel around, as that could make it look
like 1.0.2 is still fully "supported" in Fedora and there would be
no incentive to switch to 1.1.0. Also, to get any new features from
upstream OpenSSL we have to move to newer versions as they are released,
as the old versions get only bug fixes.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)
7 years, 6 months
Fedora 25 Beta Release Readiness Meeting, Thursday, October 6th @
19:00 UTC
by Jan Kurik
Join us on irc.freenode.net in #fedora-meeting-2 for the Fedora 25
Beta Release Readiness Meeting.
The meeting is going to be held on Thursday, October 6th, 2016 at
19:00 UTC. Please check the [FedoCal] link for your time zone.
We will meet to make sure we are coordinated and ready for the Beta
release of Fedora 25. Please note that this meeting is going to be
held even if the release is delayed at the Go/No-Go meeting on the
same day two hours earlier.
You may receive this message several times, but it is on purpose, to
open this meeting to the teams and to raise awareness, so hopefully
more team representatives will come to this meeting. This meeting
works best when we have representatives from all of the teams.
[FedoCal] https://apps.fedoraproject.org/calendar/meeting/4782/
More information available at:
https://fedoraproject.org/wiki/Release_Readiness_Meetings
Thank you for your support and Regards, Jan
--
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic
7 years, 6 months
F26 Self Contained Change: OpenSSH Crypto Policy (Client)
by Jan Kurik
= Proposed Self Contained Change: OpenSSH Crypto Policy (Client) =
https://fedoraproject.org/wiki/Changes/OpenSSH_Crypto_Policy
Change owner(s):
* Jakub Jelen < jjelen AT redhat DOT com >
The OpenSSH client will follow the system-wide crypto policies already
followed by other cryptographic libraries and tools. It will allow the
use of different security levels defined system-wide.
== Detailed Description ==
Currently, the set of cryptographic algorithms used in OpenSSH is
defined by upstream and Fedora just inherits what upstream considers
secure. If there are special requirements for the security, manual
modification of the configuration files is required, which also
prevents the package manager from updating the configuration file with
future updates and can possibly leave insecure algorithms enabled.
Since Fedora 25 we have the possibility to include configuration files
from the main ssh_config, which allowed us to include crypto policies
in OpenSSH (client).
For more information about Crypto Policy, see the appropriate wiki
page Changes/CryptoPolicy describing the concept as a whole.
== Scope ==
* Proposal owners: Default OpenSSH configuration will include the
generated policy file containing the definition of system-wide enabled
algorithms. The include must be before any other options so user
changes would not unintentionally get used instead of system-wide
policy. The policy preview is already available in the pull request on
github [ https://github.com/nmav/fedora-crypto-policies/pull/8 ].
* Other developers: N/A (not a System Wide Change)
* Release engineering: N/A (not a System Wide Change)
* List of deliverables: N/A (not a System Wide Change)
* Policies and guidelines: N/A (not a System Wide Change)
* Trademark approval: N/A (not needed for this Change)
--
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic
7 years, 6 months
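The ordering requirement in the OpenSSH Crypto Policy proposal above follows from ssh_config keeping the first value obtained for each parameter. The sketch below is an added example, not code from the proposal or from OpenSSH; the policy path, file names and file contents are constructed placeholders, and Host/Match scoping and Include globs are not modelled.

```python
import re

# Constructed placeholder path; the page does not name the generated policy file.
POLICY_PATH = "/etc/example-crypto-policy/openssh.config"

# Constructed sample files, keyed by path, so the example runs offline.
FILES = {
    POLICY_PATH: "Ciphers aes256-gcm@openssh.com,aes128-ctr\n"
                 "MACs hmac-sha2-256,hmac-sha2-512\n",
    "include_first": f"Include {POLICY_PATH}\n"
                     "# local override attempt\n"
                     "Ciphers 3des-cbc\n",
    "include_last": "Ciphers 3des-cbc\n"
                    f"Include {POLICY_PATH}\n",
}

# keyword, then whitespace or "=" as separator, then the value
LINE = re.compile(r"^\s*([A-Za-z]+)(?:\s*=\s*|\s+)(.*?)\s*$")

def directives(path, files=FILES):
    """Yield (keyword, value) in evaluation order, expanding Include in place."""
    for raw in files[path].splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = LINE.match(raw)
        if not m:
            raise ValueError(f"unparsable line in {path}: {raw!r}")
        key, value = m.group(1).lower(), m.group(2)  # keywords are case-insensitive
        if key == "include":
            yield from directives(value, files)
        else:
            yield key, value

def effective(path, files=FILES):
    """Resolve each parameter to the first value obtained for it."""
    result = {}
    for key, value in directives(path, files):
        result.setdefault(key, value)  # later occurrences are ignored
    return result

def include_is_first(path, policy=POLICY_PATH, files=FILES):
    """True if the first non-comment directive includes the policy file."""
    for raw in files[path].splitlines():
        m = LINE.match(raw)
        if raw.lstrip().startswith("#") or not m:
            continue
        return m.group(1).lower() == "include" and m.group(2) == policy
    return False
```

With the Include first, the later local `Ciphers` line is ignored; with the Include last, the local value is the one that takes effect while the policy still supplies `MACs`.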
Fedora 25 Beta Go/No-Go Meeting, Thursday, October 6th @ 17:00 UTC
by Jan Kurik
Join us on irc.freenode.net in #fedora-meeting-2 for this important
meeting, wherein we shall determine the readiness of the Fedora 25
Beta.
The meeting is going to be held on Thursday, October 6th, 2016 at
17:00 UTC. Please check the [FedoCal] link for your time zone.
Before each public release Development, QA and Release Engineering
meet to determine if the release criteria are met for a particular
release. This meeting is called the Go/No-Go Meeting. Verifying that
the Release criteria are met is the responsibility of the QA Team.
Release Candidate (RC) availability and good QA coverage are
prerequisites for the Go/No-Go meeting. If you have any bug on the
list, please help us with the Beta release. If we won't be ready by
Thursday, we will use this meeting to review blockers and decide what
to do.
For more details about this meeting please follow the [GoNoGoMeeting] link.
In the meantime, please also keep an eye on the Fedora 25 Beta Blocker
list [Blockers].
[FedoCal] https://apps.fedoraproject.org/calendar/meeting/4783/
[Blockers] http://qa.fedoraproject.org/blockerbugs/milestone/25/beta/buglist
[GoNoGoMeeting] https://fedoraproject.org/wiki/Go_No_Go_Meeting
Thank you in advance for your support.
Regards, Jan
--
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic
7 years, 6 months
F26 Self Contained Change: BIND version 9.11
by Jan Kurik
= Proposed Self Contained Change: BIND version 9.11 =
https://fedoraproject.org/wiki/Changes/BIND_9.11
Change owner(s):
* Tomas Hozza <thozza AT redhat DOT com>
* Michal Ruprich <mruprich AT redhat DOT com>
BIND (Berkeley Internet Name Domain) version 9.11 is the latest stable
major update of the widely used DNS server. Besides new features, some
settings defaults have changed since the previous major version
(9.10).
== Detailed Description ==
FULL BIND 9.11 RELEASE NOTES:
ftp://ftp.isc.org/isc/bind9/9.11.0b3/RELEASE-NOTES-bind-9.11.0b3.txt
New features
* A new method of provisioning secondary servers called "Catalog
Zones" has been added.
* Added an isc.rndc Python module, which allows rndc commands to be
sent from Python programs.
* Added support for DynDB, a new interface for loading zone data from
an external database, developed by Red Hat for the FreeIPA project.
* New quotas have been added to limit the queries that are sent by
recursive resolvers to authoritative servers experiencing
denial-of-service attacks.
* Added support for dnstap, a fast, flexible method for capturing and
logging DNS traffic.
* A new DNSSEC key management utility, dnssec-keymgr, has been added.
* nslookup will now look up IPv6 as well as IPv4 addresses by default.
* named will now check to see whether other name server processes are
running before starting up.
* Added server-side support for pipelined TCP queries.
* The new mdig command is a version of dig that sends multiple
pipelined queries and then waits for responses, instead of sending one
query and waiting for the response before sending the next.
* A new message-compression option can be used to specify whether or
not to use name compression when answering queries.
* When loading a signed zone, named will now check whether an RRSIG's
inception time is in the future, and if so, it will regenerate the
RRSIG immediately.
Feature changes
* When using native PKCS#11 cryptography (i.e., configure
--enable-native-pkcs11) HSM PINs of up to 256 characters can now be
used.
* Update forwarding performance has been improved by allowing a single
TCP connection to be shared between multiple updates.
* Added support for OPENPGPKEY type.
* Retrieving the local port range from net.ipv4.ip_local_port_range on
Linux is now supported.
* On machines with 2 or more processors (CPU), the default value for
the number of UDP listeners has been changed to the number of detected
processors minus one.
* Zone transfers now use smaller message sizes to improve message
compression. This results in reduced network usage.
* Added support for the AVC resource record type (Application
Visibility and Control).
== Scope ==
Proposal owners:
* Rebase the package to the latest 9.11 minor version and resolve
possible packaging issues. (Also rebuild all currently existing
dependent packages listed below)
Other developers:
* Rebuild dependent packages (dhcp, dnsperf, bind-dyndb-ldap)
Release engineering:
* no work required
Policies and guidelines:
* no change required
--
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic
7 years, 6 months