tl;dr: a scriptlet has been added to the fedora-release package that
performs a _one time_ "dnf module reset eclipse" operation when
fedora-release is upgraded. The update that does this is now in bodhi [1].
This was decided in a FESCo ticket [2] to solve bugzilla #1780827 [3]
and has a "F31 Common bugs" entry [4].
[1] https://bodhi.fedoraproject.org/updates/FEDORA-2020-af8b8d4da8
[2] https://pagure.io/fesco/issue/2356
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1780827
[4] https://fedoraproject.org/wiki/Common_F31_bugs#eclipse-module-reset
Longer explanation, quoting [4] in full:
> For a brief period, the eclipse module was a "default" module in
> Fedora 31 (meaning that a 'dnf install <package>' command would enable
> the module and install the modular version of <package> if <package>
> is part of the module). Such "shadowing" of non-modular packages is
> expected with modules, but the eclipse module was shadowing more
> packages than it should, so the module was made "non-default"
> again. Nevertheless, users who installed or upgraded affected packages
> in this window have the module persistently enabled and are not
> getting the non-modular versions of those rpms, even if those now have
> a higher version.
>
> To resolve this issue, a scriptlet was added to the fedora-release
> package that performs a one time 'dnf module reset eclipse'
> operation. This solves the issue of unexpected shadowing of packages,
> but at the same time creates a problem for users who have the eclipse
> module enabled on purpose. They need to once re-enable the module if
> desired.
>
> Summary: fedora-release performs a one-time disablement of eclipse
> module. Users who wish to have the module enabled should execute
> 'dnf module enable eclipse:latest' once more.
Zbyszek
(on behalf of FESCo)
Fedora 32 Beta Released
----------------------------------
The Fedora Project is pleased to announce the immediate availability
of Fedora 32 Beta, the next step towards our planned Fedora 32 release
at the end of April.
Download the prerelease from our Get Fedora site:
* Get Fedora 32 Beta Workstation: https://getfedora.org/workstation/download/
* Get Fedora 32 Beta Server: https://getfedora.org/server/download/
Or, check out one of our popular variants, including KDE Plasma, Xfce,
and other desktop environments, as well as images for ARM devices like
the Raspberry Pi 2 and 3:
* Get Fedora 32 Beta Spins: https://spins.fedoraproject.org/prerelease
* Get Fedora 32 Beta Labs: https://labs.fedoraproject.org/prerelease
* Get Fedora 32 Beta ARM: https://arm.fedoraproject.org/prerelease
## Beta Release Highlights
* New in Fedora 32 Workstation Beta is EarlyOOM enabled by default.
* Fedora 32 Workstation Beta also enables the fs.trim timer by default.
* Fedora 32 Workstation Beta includes GNOME 3.3.6.
* And more ...
For more details about the release, read the full announcement at
* https://fedoramagazine.org/announcing-the-release-of-fedora-32-beta/
or look for the prerelease pages in the download sections at
* https://getfedora.org/
Since this is a Beta release, we expect that you may encounter bugs or
missing features. To report issues encountered during testing, contact
the Fedora QA team via the mailing list or in #fedora-qa on Freenode.
Regards,
Mohan Boddu
Fedora Release Engineering.
For information, we will be enabling the cf_type field in Bugzilla for
Fedora products. This allows bugs to be set as bugs, feature requests,
etc. Whether you choose to do anything with it on your components is
up to you.
This is being done at the request to improve process for mirroring
certain Fedora bugs into internal Red Hat tooling. General use of this
field is entirely optional. You're welcome to make use of it in the
components you maintain if you find it helpful, but you're welcome to
ignore it if not. There is no Fedora-wide mandate to use the field in
any particular way. I'm sending this message so that you're not
confused when you see it appear later today.
As always, you can contact me directly with questions, or come to the
weekly Fedora Program Manager office hours on Wednesdays at 09:00
(America/Indiana/Indianapolis):
https://apps.fedoraproject.org/calendar/council/#m9570
--
Ben Cotton
He / Him / His
Senior Program Manager, Fedora & CentOS Stream
Red Hat
TZ=America/Indiana/Indianapolis
https://fedoraproject.org/wiki/Changes/F33MingwEnvToolchainUpdate
== Summary ==
Update the MinGW base environment and toolchain to the latest upstream
stable releases.
== Owner ==
* Name: [[User:smani|Sandro Mani]]
* Email: manisandro(a)gmail.com
== Detailed Description ==
The following packages will be updated
* mingw-gcc to version 10.0.0
* mingw-w64-tools to version 7.0.0
* mingw-winpthreads to version 7.0.0
* mingw-crt to version 7.0.0
* mingw-headers to version 7.0.0
* mingw-binutils to version 2.34
* mingw-gdb to version 9.1
== Benefit to Fedora ==
Ship the latest available MinGW environment and GNU toolchain.
== Scope ==
* Proposal owners:
The above mentioned packages will be updated. Build failures following
the mass rebuild will be inspected.
* Other developers:
Help with build failures may be requested.
* Release engineering: Impact check [https://pagure.io/releng/issue/9253]
* Release engineering: Mass rebuild requested
* Policies and guidelines: No policies need to be changed
== Upgrade/compatibility impact ==
No impact
== How To Test ==
Update the system once the updated packages land, look out for new
build failures etc.
== User Experience ==
The features of the newest MinGW environment and GNU Toolchain will be
available to the users.
== Dependencies ==
None
== Contingency Plan ==
* Contingency mechanism: Revert to older versions of environment /
toolchain, mass rebuild mingw packages again
* Contingency deadline: Before release
* Blocks release? Yes
* Blocks product? No
== Release Notes ==
Fedora 33 comes with the mingw-w64-7.0.0 environment, mingw-gcc-10,
mingw-gdb-9.1 and mingw-binutils 2.34.
--
Ben Cotton
He / Him / His
Senior Program Manager, Fedora & CentOS Stream
Red Hat
TZ=America/Indiana/Indianapolis
https://fedoraproject.org/wiki/Changes/MAKE43
== Summary ==
Rebase GNU make in Fedora 33 from make version 4.2 to make version 4.3.
== Owner ==
* Name: [[User:djdelorie| DJ Delorie]]
* Email: dj(a)redhat.com
== Detailed Description ==
Make 4.3 was released on January 19th 2020. It includes many bug
fixes and new features. Fedora has been carrying many patches to the
4.2 release which are included in 4.3, reducing the workload for
Fedora builders.
Note that Fedora is also carrying some patches to retain compatibility
with make version 3.8, as an aid to packages which needed time to
adapt to make version 4. These compatibility patches will be removed
in this rebase, making Fedora's make the same as other distros. Some
packages may FTBFS and need help tweaking their Makefiles.
== Benefit to Fedora ==
Stay up to date with upstream GNU make, make sure we have the latest
bug fixes et al, be compatible with stock GNU make.
== Scope ==
* Proposal owners: Update to GNU make 4.3
* Other developers: Package owners relying on makefile features
specific to older versions of GNU make (including compatibility
patches for 3.8 we're dropping) may FTBFS and need to tweak their
Makefiles.
* Release engineering: (a check of an impact with Release Engineering
is pending)
* Policies and guidelines: The policies and guidelines do not need to
be updated.
* Trademark approval: N/A (not needed for this Change)
== Upgrade/compatibility impact ==
Users who have local projects using GNU make, which rely on features
only available in older versions of GNU make, may need to tweak their
Makefiles before rebuilding. Packages which were built previous to
this upgrade will not be affected.
Specific backwards incompatibilities as called out in the NEWS file
for make 4.3:
<pre>
* WARNING: Backward-incompatibility!
Number signs (#) appearing inside a macro reference or function invocation
no longer introduce comments and should not be escaped with backslashes:
thus a call such as:
foo := $(shell echo '#')
is legal. Previously the number sign needed to be escaped, for example:
foo := $(shell echo '\#')
Now this latter will resolve to "\#". If you want to write makefiles
portable to both versions, assign the number sign to a variable:
H := \#
foo := $(shell echo '$H')
This was claimed to be fixed in 3.81, but wasn't, for some reason.
To detect this change search for 'nocomment' in the .FEATURES variable.
* WARNING: Backward-incompatibility!
Previously appending using '+=' to an empty variable would result in a value
starting with a space. Now the initial space is only added if the variable
already contains some value. Similarly, appending an empty string does not
add a trailing space.
</pre>
== How To Test ==
GNU make has its own testsuite and does not require specific hardware
or testing outside of building the RPM.
== User Experience ==
Users will get all bugfixes included in make 4.3 as well as any new
features therein. The make 4.3 NEWS update will include more details.
== Dependencies ==
No dependencies.
== Contingency Plan ==
* Contingency mechanism: Revert to make 4.2.1
* Contingency deadline: Beta freeze. If there is a mass rebuild,
preferably before then.
* Blocks release? No
== Documentation ==
GNU Make includes its own documentation. No additional documentation
work is required.
== Release Notes ==
Full release notes can be found in make's NEWS file:
http://git.savannah.gnu.org/cgit/make.git/tree/NEWS
--
Ben Cotton
He / Him / His
Senior Program Manager, Fedora & CentOS Stream
Red Hat
TZ=America/Indiana/Indianapolis
https://fedoraproject.org/wiki/Changes/RPM-4.16
== Summary ==
Update RPM to the 4.16.0 release.
== Owner ==
* Name: User:pmatilai, User:ffesti
* Email: pmatilai@redhat.com,ffesti@redhat.com
== Detailed Description ==
RPM 4.16 contains numerous improvements over previous versions
* New database backends and related developments to enable moving away
from Berkeley DB
** experimental sqlite backend
** experimental readonly-bdb backend to support conversion from BDB
without the library
** ndb backend promoted out of experimental
* Much improved expression parser (specs and macros)
* Powerful new macro features (expressions, ternary operator, literal
macros, access to macro body, eliminate unexpected double-expansion
etc)
* Support for macro-only dependency generators (very fast as fork+exec
is entirely avoided)
* Support for meta dependencies (which do not affect ordering)
* Transparent verification support for alternative (ie uncompressed)
payload digest (so deltarpm doesn't need to recompress)
* Automatic SSD detection and optimization
Rawhide rpm will be updated to 4.16 alpha once feature is approved and
updated through
beta and rc cycles, 4.16.0 final release is expected before to F33 beta freeze.
== Benefit to Fedora ==
See above for overall benefits, but most importantly this is the first
major step towards moving away from Berkeley DB based rpmdb. The
database format will not change in this release, but this release
enables wider testing of the new backend(s) and related features such
as switching from one backend to another. In particular it enables
testing of *other software* for compatibility and interoperability
with non-BDB databases. The change of database format is not a part of
this change.
== Scope ==
* Proposal owners:
** Rebase RPM
* Other developers:
** Test new release, report issues and bugs
** Test compatibility of other software with different rpmdb format
(containers, build-systems and such in particular)
* Release engineering: [https://pagure.io/releng/issue/9286 #9286]
* Policies and guidelines: As always, utilizing new rpm features is
subject to packaging guidelines, but the time for this is after the
new version has properly landed. Guideline updates should not be
necessary.
* Trademark approval: N/A (not needed for this Change)
== Upgrade/compatibility impact ==
* Similar to compiler updates, some previously working specs might
fail to build due to stricter error checking and the like. In
particular, barewords (ie non-quoted strings) in expressions are no
longer supported.
== How To Test ==
Rpm receives a thorough and constant testing via every single package
build, system installs and updates. New features can be tested
specifically as per their documentation.
The prime testing target should revolve around database functionality,
robustness and compatibility with other software. There's a
[https://bugzilla.redhat.com/show_bug.cgi?id=1766120 tracking bug] for
Berkeley DB format dependencies.
Details on database testing to be supplied later.
== User Experience ==
There are no significant user experience changes by default, but a
significant increase in overall robustness is expected with non-BDB
databases.
== Dependencies ==
* A soname bump is involved so all API-dependent packages will need a rebuild
* Rpm will grow an additional dependency on sqlite
== Contingency Plan ==
* Contingency mechanism: Roll back to rpm 4.15, but the chance of
having to do should be negligible
* Contingency deadline: Beta freeze.
* Blocks release? No
== Documentation ==
Draft release notes are available at https://rpm.org/wiki/Releases/4.16.0
--
Ben Cotton
He / Him / His
Senior Program Manager, Fedora & CentOS Stream
Red Hat
TZ=America/Indiana/Indianapolis
https://fedoraproject.org/wiki/Changes/Sqlite_Rpmdb
== Summary ==
Change format of the RPM database from Berkeley DB to a new Sqlite format.
== Owner ==
* Name: [[User:pmatilai| Panu Matilainen]] [[User:ffesti|Florian Festi]]
* Email: pmatilai(a)redhat.com ffesti(a)redhat.com
== Detailed Description ==
The current rpm database implementation is based on Berkeley DB 5.x, a
version which is unmaintained upstream for several years now. Berkeley
DB 6.x is license incompatible so moving to that is not an option. In
addition, the existing rpmdb implementation is notoriously unreliable
as it's not transactional and has no other means to detect
inconsistencies either.
Changing to a more sustainable database implementation is long
overdue. We propose to change the default rpmdb format to the new
sqlite based implementation. Support for current BDB format will be
retained in Fedora 33, and phased out to read-only support in Fedora
34.
== Benefit to Fedora ==
* A far more robust rpm database implementation
* Getting rid of Berkeley DB dependency in one of the core components
== Scope ==
* Proposal owners:
** Once [[Changes/RPM-4.16|RPM 4.16]] lands and passes initial
shakedown, change the default rpmdb configuration to sqlite
** Address any bugs and issues in the database backend found by wider
testing base
** Help other developers to address Berkeley DB dependencies
* Other developers:
** Test for hidden Berkeley DB dependencies in other software, address
them as found and needed
* Release engineering: [https://pagure.io/releng/issue/9308 #9308]
* Policies and guidelines: Policies and guidelines are not affected
* Trademark approval: N/A (not needed for this Change)
== Upgrade/compatibility impact ==
=== Upgrading ===
* Ability to upgrade is not affected
* After upgrade completes, manual action (rpmdb --rebuilddb) will
probably be needed to convert to sqlite. Alternatively user can change
configuration to stay on BDB.
=== Compatibility ===
* Container/chroot use-cases will be affected: older rpm versions will
be unable to query/manipulate the rpmdb from outside the chroot
* Koji/COPR may need to override the database format (back to) BDB for
the time being
== How To Test ==
* Rpmdb gets thoroughly exercised as a matter of normal system
operation, performing installs, updates, package builds etc
* Of specific interest here is torture testing: forcibly killing rpm
in various stages of execution - database should stay consistent and
operational (other system state is out of scope)
* Test database conversions from one backend to another (rpmdb
--rebuilddb --define "_db_backend <backend>")
== User Experience ==
* In normal operation, users should see little or no change
* Behavior in error situations is much more robust: forcibly killed
transaction no longer causes database inconsistency or corruption
== Dependencies ==
* This change depends on [[Changes/RPM-4.16|RPM 4.16]], support for
sqlite rpmdb is not present in older versions
* RPM will grow a new dependency on sqlite-libs
* Technically the rpmdb format is an internal implementation detail of
RPM and the data is only accessible through the librpm API, but some
software is making assumptions both about the format and/or in
particular, file naming. These are being tracked at
https://bugzilla.redhat.com/show_bug.cgi?id=1766120
* Upgrade tooling could/should perform rpmdb rebuild at end, this
would be a good thing to do regardless of this change
== Contingency Plan ==
* Contingency mechanism:
** Revert the default database back to Berkeley DB backend in the
package. Running 'rpmdb --rebuilddb' on hosts is currently required to
actually convert the database, but means to automate conversion in
specific conditions is being discussed upstream.
** The rpm-team does not expect problems with the database backend
itself, but we are aware that postponing may be needed due to
infrastructure or other tooling not being ready, primarily due to
inability to access the database from older releases.
* Contingency deadline: Beta freeze
* Blocks release? Yes
== Documentation ==
* [https://rpm.org/wiki/Releases/4.16.0 | RPM 4.16 release notes]
== Release Notes ==
* After upgrading from an older release, rpm operations will issue
warnings about database backend configuration not matching what's on
disk. Users should run 'rpmdb --rebuilddb' at earliest opportunity, or
change configuration to stay on Berkeley DB backend (eg 'echo
%_db_backend bdb > /etc/rpm/macros.db')
* The details are subject to change, the database rebuild may be done
by upgrade tooling
--
Ben Cotton
He / Him / His
Senior Program Manager, Fedora & CentOS Stream
Red Hat
TZ=America/Indiana/Indianapolis
https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2
== Summary ==
We update the current system-wide crypto policy to further disable
legacy cryptographic protocols (TLS 1.0 and TLS 1.1), weak
Diffie-Hellman key exchange sizes (1024 bit), and use of the SHA-1
hash in signatures.
== Owner ==
* Name: [[User:tmraz|Tomáš Mráz]]
* Email: <tmraz(a)redhat.com>
== Detailed Description ==
Fedora includes several cryptographic components who's security
doesn't remain constant over time. Algorithms such as (cryptographic)
hashing and encryption typically have a lifetime after which they are
considered either too risky to use or plain insecure. That would mean
we need to phase out such algorithms from the default settings, or
completely disable if they could cause irreparable issue.
While in the past we did not disable algorithms in a consistent way
(different applications utilized different policies), today we have a
system-wide policy followed by a large part of Fedora components. That
allows us to move consistently and deprecate algorithms system-wide.
For rationale see RFC 7457 for a more complete list of attacks taking
advantage of legacy crypto algorithms.
The changes for default policy are:
* Keep only TLS 1.2 (and TLS 1.3 when available) as enabled protocols
and move the TLS 1.x, x<=1 to legacy level.
* Require finite field parameters (RSA, Diffie-Hellman) of 2048 and
more in the default settings
* Disable SHA1 support for use in signatures (X.509 certificates,
TLS, IPSEC handshakes)
That is a policy of:
LEGACY
MACs: All HMAC with SHA1 or better + all modern MACs (poly1305 etc)
Curves: all prime >= 255 bits (including bernstein curves)
Signature algorithms: SHA-1 hash or better (not RIPEMD)
Ciphers: all available > 112-bit key, >= 128-bit block (no rc4, but with 3DES)
key exchange: ECDHE, RSA, DHE
DH params size: >=1023
RSA params size: >=1023
TLS protocols: TLS >= 1.0
DEFAULT
MACs: All HMAC with SHA1 or better + all modern MACs (poly1305 etc)
Curves: all prime >= 255 bits (including bernstein curves)
Signature algorithms: with SHA-256 hash or better (not DSA)
Ciphers: >= 128-bit key, >= 128-bit block (aes, chacha20, including aes-cbc)
key exchange: ECDHE, RSA, DHE
DH params size: >= 2048
RSA params size: >= 2048
TLS protocols: TLS >= 1.2
FUTURE
MACs: All HMAC with SHA256 or better + all modern MACs (poly1305 etc)
Curves: all prime >= 255 bits (including bernstein curves)
Signature algorithms: SHA-256 hash or better (not DSA)
Ciphers: >= 256-bit key, >= 128-bit block, only Authenticated
Encryption (AE) ciphers
key exchange: ECDHE, DHE
DH params size: >= 3072
RSA params size: >= 3072
TLS protocols: TLS >= 1.2
== Benefit to Fedora ==
With this change we protect users from relying on enabled-by-default
weak cryptography, as well as reduce our maintenance cost for future
attacks that rely on weak crypto for exploitation.
Also please note that Firefox is also moving to similar default crypto
settings with the current releases (Firefox 74)
[https://hacks.mozilla.org/2020/02/its-the-boot-for-tls-1-0-and-tls-1-1/]
== Scope ==
* Proposal owners:
The policies include in crypto-policies package need to be updated.
* Other developers:
* Crypto policies are updated to the settings above
* Release engineering: Copied from F28 change - no impact
[https://pagure.io/releng/issue/7235 #7235] (a check of an impact with
Release Engineering is needed)
* Crypto policies are updated to the settings above
* OpenSSL, NSS, GnuTLS and all applications covered under the Fedora
Crypto Policies follow the new crypto settings.
* Policies and guidelines:
No changes to packaging or other guidelines is needed.
* Trademark approval: N/A (not needed for this Change)
== Upgrade/compatibility impact ==
It may be that the new settings break software that connects to
servers which utilize weak algorithms. Compatibility can be obtained
by switching the system to legacy policy level as follows.
update-crypto-policies --set LEGACY
== How To Test ==
Applications which follow the system-wide policy (e.g., curl,wget)
should be tested:
* whether they can connect to legacy (TLS1.0, TLS1.1) servers when
system is in legacy mode
* whether the previous connection breaks when system is in default mode
* whether the system can connect to TLS 1.2 servers when in default,
legacy or future mode.
== User Experience ==
Given the existing deployment of TLS 1.2 on the internet, there should
not be significant user experience degradation, although that's a
speculation.
== Dependencies ==
* nss
* gnutls
* openssl
* crypto-policies
== Contingency Plan ==
* Contingency mechanism: (What to do? Who will do it?)
If we notice significant user experience degradation, e.g., due to
many custom servers utilizing legacy protocols, we should consider
postponing or reducing the number of updates in that change. The
change owner will take care of this.
* Contingency deadline: beta freeze
* Blocks release? No
== Documentation ==
None
--
Ben Cotton
He / Him / His
Senior Program Manager, Fedora & CentOS Stream
Red Hat
TZ=America/Indiana/Indianapolis
Hi,
A fonts packaging policy rewrite proposal has been pushed to FPC today:
https://pagure.io/packaging-committee/pull-request/934
It should be clearer, more opinionated, and take into account:
– updates of The OpenType standard
– variable fonts
– web fonts
– upstream depreciation of non OpenType formats: final stages of the
Harfbuzz consolidation decided at the 2006 Text Layout summit
https://www.freedesktop.org/wiki/TextLayout/
– appstream & fonts
– weak dependencies
– and probably more I forget here
It is based on the new fonts-rpm-macros project for automation:
This project builds on tooling enhancements in redhat-rpm-config and rpm
itself, done during the past two years for the Forge and Go sets of
packaging macros. It started 2 years ago as a fork of fontpackages,
which is the core of our current fonts packaging guidelines.
It will require putting the fonts-srpm-macros package in the default
build root, like is done for other domain-specific packaging macro
sets.
Major additions:
– better documentation (clearer and more complete)
– better automation (less packager hassle for better and more complete
results)
Major removals:
– tools and scripts
– fixing metadata with ttname
Mostly because no one seems willing to maintain those scripts, or port
ttname to python 3.
https://copr.fedorainfracloud.org/coprs/nim/fonts-rpm-macros/builds/
showcases the new policy on 62 real-world source packages, generating
139 installation packages. Some of those are badly delayed updates to
Fedora packages, others are brand-new packages ready for Fedora
inclusion. They include major font packages such as Stix, DejaVu, Droid,
IBM Plex.
Existing Fedora packages will continue to build, the old fontpackages
macros are grandfathered in fonts-rpm-macros for now. They will be
removed in a few years to give packagers time to apply the new
guidelines.
Regards,
--
Nicolas Mailhot