RFC: static builds for user emulators in Fedora QEMU RPMs
by Daniel P. Berrange
For those who aren't familiar, QEMU actually provides two completely
different sets of emulators
- system emulators - they emulate a full virtual machine and thus run
a full guest OS.
- user emulators - they emulate the Linux userspace ABI letting you
run non-native arch executables directly.
The user emulators are what I'm concerned with in this mail, so ignore
the system emulators.
Currently all the user emulators are provided in the "qemu-user" RPM
which also includes files in /usr/lib/binfmt.d to register each emulator
binary as a binary format handler for its respective architecture.
This is ok if you have a non-native arch binary that's statically linked
and you just want to run it from context of your main OS root filesystem.
Running dynamic linked binaries won't fly because if say running an arm
binary on x86_64 host, it'll look for /lib/libc.so and find the i386 one,
instead of the arm one. You can't set LD_LIBRARY_PATH to override this
as the env var will apply to both qemu-arm (an x86_64 binary) and the
binary it is trying to run (an arm binary).
More typical though is that you have a directory containing a fullish
install tree of a non-native architecture and you just want to chroot
into that. When doing such a chroot, the qemu-$ARCH emulator must be
present inside the chroot too. ie the x86_64 build of /usr/bin/qemu-arm
must be present inside at /my/chroot/for/fedora-arm/usr/bin/qemu-arm.
So again you have the potential problem of clashing libc.so in /usr/lib.
It is a shame Fedora doesn't have full multi-arch support, instead of
merely multi-lib to avoid these clashing lib dirs across architecture
RPMs.
The recommended way to deal with this is for the qemu user emulator binaries
to be statically linked, so when copied inside the non-native arch chroot,
they never need to resolve any native arch libraries. Fedora's qemu user
binaries are all dynamic linked right now.
Debian handles this by having several packages [1]
- qemu-user - the dynamic linked qemu user binaries
- qemu-binfmt - binfmt rules registering the dynamic linked binaries
- qemu-user-static - the static linked qemu user binaries *and* binfmt
rules to register them. The static binaries all
have -static suffix on their name
NB, this means qemu-binfmt and qemu-user-static are mutually exclusive
since they both provide the same binfmt files. You can however have both
qemu-user and qemu-user-static installed as their binary names won't
clash, and in this case the static ones will be registered as binfmts
The nice thing about this multiple package approach is that when you
copied the x86_64 build of the "qemu-arm-static" binary into your arm
chroot, you still then have the possibility of installing the arm build
of the "qemu-arm" binary inside that chroot without filename clash.
An alternative simpler approach would be to just have one package,
qemu-user, which contains the static binaries and never ship any
dynamic linked qemu user binaries. This is slightly more restrictive
though, as explained in the previous paragraph, so I'd like to avoid
doing that.
I'd like to make using non-native arch chroots simple with Fedora without
people needing to manually build their own static QEMU binaries, or download
static binaries provided by another distro[2]. So I'm suggesting to make a
change to Fedora qemu packages to essentially copy the way Debian has done
things. Specifically I will
- Pull the binfmt registration files out of qemu-user and into a
new qemu-binfmt package which depends on qemu-user.
- Add static builds of qemu user emulators to a new qemu-user-static
package, along with binfmt registration files
The static build of QEMU user emulators is moderately light on
dependencies, only requiring glib2-static, pcre-static, zlib-static
and glibc-static packages.
The change to introduce a qemu-binfmt package has small upgrade
implications since anyone with qemu-user installed today, will lose
the binary format rules unless they manually install qemu-binfmt. I
think the number of people affected is probably quite small, and some
of them may well wish to use qemu-user-static instead anyway.
Obviously this would only be done in rawhide, not any existing stable
releases of Fedora.
Nothing will change about the rest of QEMU packaging - ie all system
emulators will continue to use dynamic linking
Regards,
Daniel
[1] https://wiki.debian.org/QemuUserEmulation
[2] https://rwmj.wordpress.com/2013/12/22/how-to-run-aarch64-binaries-on-an-x...
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
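Added example, not part of the original message and not Fedora or QEMU code: a check of whether an emulator binary can be copied into a foreign-arch chroot, by looking for a PT_INTERP program header (a request for a native dynamic loader) and confirming the binary is built for the host. The function names and the sample ELF images are constructed for illustration.

```python
import struct

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
MACHINES = {3: "i386", 40: "arm", 62: "x86_64", 183: "aarch64"}


def inspect_elf(data):
    """Return machine, PT_INTERP path (or None) and PT_DYNAMIC presence."""
    if (len(data) < 52 or data[:4] != b"\x7fELF"
            or data[4] not in (1, 2) or data[5] not in (1, 2)):
        raise ValueError("not a recognisable ELF image")
    is64 = data[4] == 2                   # EI_CLASS: 1 = ELF32, 2 = ELF64
    e = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little, 2 = big endian
    try:
        machine, = struct.unpack_from(e + "H", data, 18)
        if is64:
            phoff, = struct.unpack_from(e + "Q", data, 32)
            phentsize, phnum = struct.unpack_from(e + "HH", data, 54)
        else:
            phoff, = struct.unpack_from(e + "I", data, 28)
            phentsize, phnum = struct.unpack_from(e + "HH", data, 42)
        interp, dynamic = None, False
        for i in range(phnum):
            base = phoff + i * phentsize
            p_type, = struct.unpack_from(e + "I", data, base)
            if p_type == PT_DYNAMIC:
                dynamic = True
            elif p_type == PT_INTERP:
                fmt, o_off, o_size = ("Q", 8, 32) if is64 else ("I", 4, 16)
                off, = struct.unpack_from(e + fmt, data, base + o_off)
                size, = struct.unpack_from(e + fmt, data, base + o_size)
                raw = data[off:off + size].rstrip(b"\0")
                interp = raw.decode("ascii", "replace")
    except struct.error as exc:
        raise ValueError("truncated ELF image") from exc
    return {"machine": MACHINES.get(machine, "unknown(%d)" % machine),
            "interp": interp, "dynamic": dynamic}


def check_chroot_emulator(data, host_machine="x86_64"):
    """List the reasons this emulator would fail inside a foreign-arch chroot."""
    info = inspect_elf(data)
    problems = []
    if info["machine"] != host_machine:
        problems.append("built for %s, host kernel runs %s"
                        % (info["machine"], host_machine))
    # A static-PIE binary has PT_DYNAMIC but no PT_INTERP, so only the
    # loader request decides whether native libraries must be resolvable.
    if info["interp"] is not None:
        problems.append("dynamically linked, needs %s and native libs in chroot"
                        % info["interp"])
    return problems


def build_sample_elf64(machine, interp=None, static_pie=False):
    """Constructed input: minimal little-endian ELF64 header + program headers."""
    types = [PT_LOAD]
    types += [PT_INTERP] if interp else []
    types += [PT_DYNAMIC] if (interp or static_pie) else []
    path = interp.encode() + b"\0" if interp else b""
    str_off = 64 + 56 * len(types)        # string sits after the phdr table
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, machine, 1, 0, 64, 0, 0,
                              64, 56, len(types), 0, 0, 0)
    phdrs = b""
    for t in types:
        off, size = (str_off, len(path)) if t == PT_INTERP else (0, 0)
        phdrs += struct.pack("<IIQQQQQQ", t, 4, off, 0, 0, size, size, 1)
    return hdr + phdrs + path


# Constructed samples standing in for the builds discussed in the mail.
DYNAMIC_X86_64 = build_sample_elf64(62, "/lib64/ld-linux-x86-64.so.2")
STATIC_X86_64 = build_sample_elf64(62)
STATIC_PIE_X86_64 = build_sample_elf64(62, static_pie=True)
STATIC_ARM = build_sample_elf64(40)       # arm build, not usable as host handler

if __name__ == "__main__":
    for name in ("DYNAMIC_X86_64", "STATIC_X86_64",
                 "STATIC_PIE_X86_64", "STATIC_ARM"):
        print(name, check_chroot_emulator(globals()[name]) or "ok")
```

On a real system, pass the bytes of the emulator file (read in binary mode) to check_chroot_emulator before copying it into the chroot.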
Proposal: remove insecure WebKitGTK+ packages for F27
by Michael Catanzaro
Hi,
I propose we retire the webkitgtk and webkitgtk3 packages when
branching rawhide for F26 (expected to occur roughly February 2017),
and forbid unretiring them. All their dependencies would then be
removed from Fedora according to the normal process shortly before
the release of F27 (expected to occur May 2017). If nobody objects,
we'll carry out this plan shortly after the F26 branch point.
Question: Why retire these packages?
Answer: Affected applications that process untrusted input are
vulnerable to roughly 150 unfixed security vulnerabilities, the
overwhelming majority of which are remote code execution
vulnerabilities. The severity of this situation arguably outweighs the
benefit of keeping affected applications around.
Question: This sounds horrible, we should act soon. Why wait until F26?
Answer: Porting to the new WebKitGTK+ API is easy for many
applications, but for applications that use the DOM API it can be
expected to take some time, as this API has moved to the web process
and accessing it requires writing a web process extension. If we were
to use F25 as the deadline, there would not be sufficient time for
applications to be ported. Porting efforts should begin as soon as
possible.
Question: What if my application doesn't process untrusted input?
Answer: If you're sure your application never processes untrusted
input, it is a special flower. You should request a bundling exception
from FESCo if you do not intend to upgrade.
Question: You're horrible for proposing to remove my packages.
Answer: WebKit1 was deprecated in March 2013. Packages have had three
years to upgrade. It's clear at this point that this problem won't ever
be fixed without a hard deadline that is enforced. But this is a fair
point; it sucks a lot that compatibility is not offered here. Such is
the cost of free software....
Question: We usually allow compatibility libraries to exist
indefinitely. Why so strict with WebKit?
Answer: Our compatibility libraries do not usually have upwards of 150
unfixed remote code execution vulnerabilities. Backporting fixes is not
practical in this situation.
Question: But these packages are still included in RHEL. Isn't Red Hat
providing security updates?
Answer: No.
Question: Will you help port my packages to newer WebKit?
Answer: We'll answer questions, but unfortunately we can only provide
serious assistance to priority GNOME packages. evolution-data-server
threatens to take out gnome-shell if removed, for instance, which is
why we waited until the Evolution port is nearing completion to propose
this.
Question: What if my application depends on GTK+ 2?
Answer: You must first port to GTK+ 3, then port to WebKit2. You may
find it more practical to stop using WebKitGTK+.
Question: What if my application needs to work on Windows?
Answer: WebKit2 is not supported on Windows. You will need to either
commit to developing Windows support, or stop using WebKitGTK+.
Question: I hear QtWebKit is insecure too, why punish only GTK+ apps?
Answer: QtWebKit has not had security updates since ~2012 and so has
even more unfixed vulnerabilities. However, an unofficial effort is
underway to rebase QtWebKit on the upstream WebKit project. The plan is
to make regular QtWebKit releases based on the latest WebKitGTK+ stable
branch, meaning there should be regular security updates. This is still
a work in progress, but once completed, Fedora will be able to switch
upstreams and solve this issue without the need to port applications to
QtWebEngine. No such compatibility effort is planned for WebKitGTK+.
Question: Where can I view WebKitGTK+ security advisories?
Answer: http://webkitgtk.org/security.html
Question: Where can I learn more?
Answer: https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/
Question: What would be removed if this were to occur today?
Answer: If you read this far, please seriously look over these lists.
Some big name applications are included.
$ repoquery --whatrequires --recursive webkitgtk
Yum-utils package has been deprecated, use dnf instead.
See 'man yum2dnf' for more information.
GREYCstoration-gimp-0:2.8-22.fc24.x86_64
atril-0:1.14.1-1.fc24.x86_64
atril-caja-0:1.14.1-1.fc24.x86_64
atril-devel-0:1.14.1-1.fc24.i686
atril-devel-0:1.14.1-1.fc24.x86_64
atril-libs-0:1.14.1-1.fc24.i686
atril-libs-0:1.14.1-1.fc24.x86_64
atril-thumbnailer-0:1.14.1-1.fc24.x86_64
banshee-0:2.6.2-15.fc24.x86_64
banshee-community-extensions-0:2.4.0-14.fc24.x86_64
banshee-devel-0:2.6.2-15.fc24.i686
banshee-devel-0:2.6.2-15.fc24.x86_64
billiards-0:0.4.1-10.fc24.x86_64
claws-mail-plugins-0:3.13.2-2.fc24.x86_64
claws-mail-plugins-fancy-0:3.13.2-2.fc24.x86_64
compat-wxGTK3-gtk2-0:3.0.2-7.fc24.i686
compat-wxGTK3-gtk2-0:3.0.2-7.fc24.x86_64
compat-wxGTK3-gtk2-devel-0:3.0.2-7.fc24.i686
compat-wxGTK3-gtk2-devel-0:3.0.2-7.fc24.x86_64
compat-wxGTK3-gtk2-docs-0:3.0.2-7.fc24.noarch
compat-wxGTK3-gtk2-gl-0:3.0.2-7.fc24.i686
compat-wxGTK3-gtk2-gl-0:3.0.2-7.fc24.x86_64
compat-wxGTK3-gtk2-media-0:3.0.2-7.fc24.i686
compat-wxGTK3-gtk2-media-0:3.0.2-7.fc24.x86_64
conduit-0:0.3.17-12.fc24.noarch
dissy-0:10-5.fc24.noarch
fityk-0:1.3.0-8.fc24.i686
fityk-0:1.3.0-8.fc24.x86_64
fityk-devel-0:1.3.0-8.fc24.i686
fityk-devel-0:1.3.0-8.fc24.x86_64
gap-pkg-alnuth-0:3.0.0-6.fc24.noarch
gap-pkg-cryst-0:4.1.12-4.fc24.noarch
gap-pkg-crystcat-0:1.1.6-4.fc24.noarch
gap-pkg-nq-0:2.5.3-1.fc24.x86_64
gap-pkg-polenta-0:1.3.6-1.fc24.noarch
gap-pkg-polycyclic-0:2.11-6.fc24.noarch
gap-pkg-radiroot-0:2.7-5.fc24.noarch
geany-plugins-devhelp-0:1.27-1.fc24.x86_64
geany-plugins-geanypy-0:1.27-1.fc24.x86_64
geany-plugins-markdown-0:1.27-1.fc24.x86_64
geany-plugins-webhelper-0:1.27-1.fc24.x86_64
ghc-webkit-0:0.14.1.1-1.fc24.x86_64
ghc-webkit-devel-0:0.14.1.1-1.fc24.x86_64
gimp-2:2.8.16-1.fc24.1.x86_64
gimp-data-extras-0:2.0.2-13.fc24.noarch
gimp-dbp-0:1.1.9-9.fc24.x86_64
gimp-dds-plugin-0:3.0.1-5.fc24.x86_64
gimp-elsamuko-0:26-2.fc24.noarch
gimp-fourier-plugin-0:0.4.1-12.fc24.x86_64
gimp-gap-0:2.7.0-14.GITe75bd46.fc24.x86_64
gimp-help-0:2.8.2-5.fc24.noarch
gimp-help-browser-2:2.8.16-1.fc24.1.x86_64
gimp-help-ca-0:2.8.2-5.fc24.noarch
gimp-help-da-0:2.8.2-5.fc24.noarch
gimp-help-de-0:2.8.2-5.fc24.noarch
gimp-help-el-0:2.8.2-5.fc24.noarch
gimp-help-en_GB-0:2.8.2-5.fc24.noarch
gimp-help-es-0:2.8.2-5.fc24.noarch
gimp-help-fr-0:2.8.2-5.fc24.noarch
gimp-help-it-0:2.8.2-5.fc24.noarch
gimp-help-ja-0:2.8.2-5.fc24.noarch
gimp-help-ko-0:2.8.2-5.fc24.noarch
gimp-help-nl-0:2.8.2-5.fc24.noarch
gimp-help-nn-0:2.8.2-5.fc24.noarch
gimp-help-pt_BR-0:2.8.2-5.fc24.noarch
gimp-help-ru-0:2.8.2-5.fc24.noarch
gimp-help-sl-0:2.8.2-5.fc24.noarch
gimp-help-sv-0:2.8.2-5.fc24.noarch
gimp-help-zh_CN-0:2.8.2-5.fc24.noarch
gimp-high-pass-filter-0:1.2-6.fc24.noarch
gimp-lqr-plugin-0:0.7.2-4.fc24.x86_64
gimp-normalmap-0:1.2.3-12.fc24.x86_64
gimp-paint-studio-0:2.0-11.fc24.noarch
gimp-resynthesizer-0:0.16-14.fc24.x86_64
gimp-save-for-web-0:0.29.3-1.fc24.x86_64
gimp-separate+-0:0.5.8-16.fc24.x86_64
gimp-wavelet-denoise-plugin-0:0.3.1-9.fc24.x86_64
gimpfx-foundry-0:2.6.1-5.fc24.noarch
gmpc-0:11.8.16-11.fc24.x86_64
gmpc-devel-0:11.8.16-11.fc24.i686
gmpc-devel-0:11.8.16-11.fc24.x86_64
gmusicbrowser-0:1.1.15-2.fc24.noarch
gnucash-0:2.6.12-1.fc24.i686
gnucash-0:2.6.12-1.fc24.x86_64
gphpedit-0:0.9.98-0.11.RC1.fc24.x86_64
gpodder-0:3.9.0-1.fc24.noarch
gscribble-0:0.1.2-10.fc24.noarch
gtk-sharp-beans-0:2.14.0-17.fc24.x86_64
gtk-sharp-beans-devel-0:2.14.0-17.fc24.i686
gtk-sharp-beans-devel-0:2.14.0-17.fc24.x86_64
guitarix-0:0.35.0-2.fc24.x86_64
gutenprint-plugin-0:5.2.11-2.fc24.x86_64
gyachi-0:1.2.11-14.fc24.x86_64
gyachi-YMlike-theme-0:1.2.11-14.fc24.x86_64
gyachi-pidgy-theme-0:1.2.11-14.fc24.x86_64
gyachi-plugin-alsa-0:1.2.11-14.fc24.x86_64
gyachi-plugin-blowfish-0:1.2.11-14.fc24.x86_64
gyachi-plugin-gtkspell-0:1.2.11-14.fc24.x86_64
gyachi-plugin-libnotify-0:1.2.11-14.fc24.x86_64
gyachi-plugin-mcrypt-0:1.2.11-14.fc24.x86_64
gyachi-plugin-pulseaudio-0:1.2.11-14.fc24.x86_64
gyachi-recre8-theme-0:1.2.11-14.fc24.x86_64
icaro-0:1.0.4-3.fc24.noarch
kazehakase-0:0.5.8-20.svn3873_trunk.fc24.1.x86_64
kazehakase-webkit-0:0.5.8-20.svn3873_trunk.fc24.1.x86_64
kicad-1:4.0.2-2.fc24.x86_64
lekhonee-gnome-0:0.12-9.fc24.x86_64
lv2-guitarix-plugins-0:0.35.0-2.fc24.x86_64
midori-0:0.5.11-2.fc24.i686
midori-0:0.5.11-2.fc24.x86_64
mono-tools-0:4.2-2.fc24.x86_64
mono-tools-devel-0:4.2-2.fc24.i686
mono-tools-devel-0:4.2-2.fc24.x86_64
mono-tools-gendarme-0:4.2-2.fc24.x86_64
mono-tools-ilcontrast-0:4.2-2.fc24.x86_64
mono-tools-monodoc-0:4.2-2.fc24.x86_64
nested-0:1.2.2-17.fc24.noarch
osmo-0:0.2.12-0.8.svn924.fc24.3.x86_64
pari-gp-0:2.7.5-2.fc24.x86_64
perl-Gtk2-WebKit-0:0.09-14.fc24.x86_64
pywebkitgtk-0:1.1.8-11.fc24.x86_64
rednotebook-0:1.12-1.fc24.noarch
sagemath-0:6.8-10.fc24.i686
sagemath-0:6.8-10.fc24.x86_64
sagemath-core-0:6.8-10.fc24.x86_64
sagemath-data-0:6.8-10.fc24.noarch
sagemath-data-conway_polynomials-0:6.8-10.fc24.noarch
sagemath-data-elliptic_curves-0:6.8-10.fc24.noarch
sagemath-data-etc-0:6.8-10.fc24.noarch
sagemath-data-graphs-0:6.8-10.fc24.noarch
sagemath-data-polytopes_db-0:6.8-10.fc24.noarch
sagemath-notebook-0:6.8-10.fc24.x86_64
sagemath-rubiks-0:6.8-10.fc24.x86_64
sagemath-sagetex-0:6.8-10.fc24.x86_64
sparkleshare-0:1.2.0-4.fc23.x86_64
techne-0:0.2.3-18.fc24.x86_64
techtalk-pse-0:1.1.0-10.fc24.noarch
turpial-0:3.0-7.fc24.noarch
ufraw-gimp-0:0.22-1.fc24.x86_64
webkit-sharp-0:0.3-17.fc24.x86_64
webkit-sharp-devel-0:0.3-17.fc24.i686
webkit-sharp-devel-0:0.3-17.fc24.x86_64
webkitgtk-devel-0:2.4.11-1.fc24.i686
webkitgtk-devel-0:2.4.11-1.fc24.x86_64
webkitgtk-doc-0:2.4.11-1.fc24.noarch
wordgroupz-0:0.3.1-11.fc24.noarch
xiphos-gtk2-0:4.0.4-3.fc24.x86_64
xsane-gimp-0:0.999-20.fc24.x86_64
$ repoquery --whatrequires --recursive webkitgtk3
Yum-utils package has been deprecated, use dnf instead.
See 'man yum2dnf' for more information.
3Depict-0:0.0.18-6.fc24.x86_64
4Pane-0:4.0-1.fc24.x86_64
Mayavi-0:4.4.3-4.fc24.x86_64
PyPE-0:2.9.4-5.fc24.noarch
PythonCard-0:0.8.2-16.fc24.noarch
RunSnakeRun-0:2.0.4-4.fc24.noarch
ailurus-0:10.10.3-9.fc24.noarch
almanah-0:0.11.1-8.fc24.x86_64
audacity-0:2.1.2-4.fc24.x86_64
audacity-manual-0:2.1.2-4.fc24.noarch
audio-convert-mod-0:3.46.0b-10.fc24.noarch
autokey-gtk-0:0.90.4-8.fc24.noarch
autokey-qt-0:0.90.4-8.fc24.noarch
balsa-0:2.5.2-3.fc24.x86_64
batti-0:0.3.8-9.fc24.noarch
bibus-0:1.5.1-15.fc24.x86_64
bijiben-0:3.20.2-1.fc24.x86_64
bitlyclip-0:0.2.2-7.fc24.noarch
boinc-manager-0:7.6.22-4.fc24.x86_64
cairo-dock-plug-ins-webkit-0:3.4.1-7.fc24.x86_64
california-0:0.4.0-7.fc24.x86_64
congruity-0:18-10.fc24.noarch
coq-emacs-0:8.5pl1-1.fc24.noarch
couchdb-0:1.6.1-14.fc24.x86_64
cura-0:15.04.4-3.fc24.noarch
cura-lulzbot-0:19.12-1.fc24.noarch
cycle-0:0.3.1-21.fc24.noarch
decibel-audio-player-0:1.08-12.fc24.noarch
deluge-0:1.3.12-3.fc24.noarch
deluge-gtk-0:1.3.12-3.fc24.noarch
deluge-web-0:1.3.12-3.fc24.noarch
dwb-0:2015.10.09-2.20151009git.fc24.x86_64
earcandy-0:0.9-4.fc24.noarch
ejabberd-0:16.01-5.fc24.x86_64
ekiga-0:4.0.1-29.fc24.x86_64
emacs-1:25.0.94-1.fc24.x86_64
emacs-apel-0:10.8-10.fc24.noarch
emacs-auctex-0:11.89-3.fc24.noarch
emacs-auto-complete-0:1.3.1-9.fc24.noarch
emacs-auto-complete-el-0:1.3.1-9.fc24.noarch
emacs-bbdb-1:3.1.2-5.fc24.noarch
emacs-color-theme-0:6.6.0-11.fc24.noarch
emacs-color-theme-el-0:6.6.0-11.fc24.noarch
emacs-common-tuareg-0:2.0.10-0.2.1c837e26.fc24.noarch
emacs-ddskk-0:15.2-4.fc24.noarch
emacs-ebib-0:1.8.0-9.fc24.noarch
emacs-ebib-el-0:1.8.0-9.fc24.noarch
emacs-epix-0:1.2.16-1.fc24.noarch
emacs-erlang-0:18.3.3-1.fc24.noarch
emacs-erlang-el-0:18.3.3-1.fc24.noarch
emacs-erlang-lfe-0:1.0.2-1.fc24.noarch
emacs-erlang-lfe-el-0:1.0.2-1.fc24.noarch
emacs-ess-0:16.04-1.fc24.noarch
emacs-evil-0:1.2.9-1.fc24.noarch
emacs-gettext-0:0.19.7-4.fc24.noarch
emacs-gnu-smalltalk-0:3.2.5-10.fc24.noarch
emacs-gnu-smalltalk-el-0:3.2.5-10.fc24.noarch
emacs-goodies-0:35.8-5.fc24.noarch
emacs-goodies-el-0:35.8-5.fc24.noarch
emacs-goto-chg-0:1.6-2.fc24.noarch
emacs-gtypist-0:2.9.4-5.fc24.x86_64
emacs-haskell-mode-0:13.18-1.fc24.noarch
emacs-htmlize-0:1.34-12.fc24.noarch
emacs-htmlize-el-0:1.34-12.fc24.noarch
emacs-irsim-mode-0:0.1-14.fc24.noarch
emacs-irsim-mode-el-0:0.1-14.fc24.noarch
emacs-ledger-0:3.1.1-1.fc24.x86_64
emacs-ledger-el-0:3.1.1-1.fc24.noarch
emacs-lookup-0:1.4.1-13.fc24.noarch
emacs-lua-0:20151025-2.fc24.noarch
emacs-magit-0:1.2.2-3.fc24.noarch
emacs-magit-el-0:1.2.2-3.fc24.noarch
emacs-mew-0:6.7-2.fc24.x86_64
emacs-mmm-0:0.4.8-9.fc23.noarch
emacs-mmm-el-0:0.4.8-9.fc23.noarch
emacs-nesc-0:1.3.5-2.fc22.noarch
emacs-nesc-el-0:1.3.5-2.fc22.noarch
emacs-notmuch-0:0.21-3.fc24.noarch
emacs-php-mode-0:1.17.0-6.fc24.noarch
emacs-proofgeneral-0:4.2-5.fc24.noarch
emacs-proofgeneral-el-0:4.2-5.fc24.noarch
emacs-pydb-0:1.26-14.fc24.noarch
emacs-pymacs-0:0.25-7.fc24.noarch
emacs-pymacs-el-0:0.25-7.fc24.noarch
emacs-pyrex-0:0.9.9-10.fc24.noarch
emacs-riece-0:8.0.0-9.fc24.noarch
emacs-rinari-0:2.1-12.20100815git.fc24.noarch
emacs-rinari-el-0:2.1-12.20100815git.fc24.noarch
emacs-rpm-spec-mode-0:0.15-4.fc24.noarch
emacs-sdcc-0:3.5.0-6.fc24.x86_64
emacs-slime-1:2.12-4.fc24.noarch
emacs-slime-el-1:2.12-4.fc24.noarch
emacs-spice-mode-0:1.2.25-16.fc24.noarch
emacs-spice-mode-el-0:1.2.25-16.fc24.noarch
emacs-terminal-1:25.0.94-1.fc24.noarch
emacs-tuareg-0:2.0.10-0.2.1c837e26.fc24.noarch
emacs-undo-tree-0:0.6.4-2.fc24.noarch
emacs-verilog-mode-0:531-9.fc24.noarch
emacs-vm-0:8.1.2-12.fc24.x86_64
emacs-vregs-mode-0:1.470-10.fc24.noarch
emacs-w3m-0:1.4.531-0.5.20140421cvs.fc24.noarch
emacs-yaml-mode-0:0.0.12-3.fc24.noarch
emacspeak-0:40.0-5.fc24.x86_64
empathy-0:3.12.12-1.fc24.x86_64
erlang-0:18.3.3-1.fc24.x86_64
erlang-clique-0:0.3.5-2.fc24.x86_64
erlang-cluster_info-0:2.0.5-1.fc24.x86_64
erlang-common_test-0:18.3.3-1.fc24.x86_64
erlang-cuttlefish-0:2.0.6-1.fc24.x86_64
erlang-debugger-0:18.3.3-1.fc24.x86_64
erlang-dialyzer-0:18.3.3-1.fc24.x86_64
erlang-epgsql-0:3.1.0-2.fc24.x86_64
erlang-esdl-0:1.3.1-12.fc24.x86_64
erlang-et-0:18.3.3-1.fc24.x86_64
erlang-exometer_core-0:1.4-2.fc24.x86_64
erlang-ibrowse-0:4.2.4-2.fc24.x86_64
erlang-lager-0:3.2.0-1.fc24.x86_64
erlang-megaco-0:18.3.3-1.fc24.x86_64
erlang-merge_index-0:2.1-1.fc24.x86_64
erlang-observer-0:18.3.3-1.fc24.x86_64
erlang-rebar-0:2.6.1-10.fc24.x86_64
erlang-reltool-0:18.3.3-1.fc24.x86_64
erlang-riak_api-0:2.1.2-1.fc24.x86_64
erlang-riak_control-0:2.1.2-1.fc24.x86_64
erlang-riak_core-0:2.1.5-1.fc24.x86_64
erlang-riak_ensemble-0:2.1.2-1.fc24.x86_64
erlang-riak_kv-0:2.1.2-2.fc24.x86_64
erlang-riak_pipe-0:2.1.1-1.fc24.x86_64
erlang-riak_search-0:1.3.2-2.fc21.x86_64
erlang-riaknostic-0:2.1.3-5.fc24.x86_64
erlang-test_server-0:18.3.3-1.fc24.x86_64
erlang-typer-0:18.3.3-1.fc24.x86_64
erlang-webtool-0:18.3.3-1.fc24.x86_64
erlang-wx-0:18.3.3-1.fc24.x86_64
evolution-0:3.20.2-1.fc24.i686
evolution-0:3.20.2-1.fc24.x86_64
evolution-bogofilter-0:3.20.2-1.fc24.x86_64
evolution-data-server-0:3.20.2-1.fc24.i686
evolution-data-server-0:3.20.2-1.fc24.x86_64
evolution-data-server-devel-0:3.20.2-1.fc24.i686
evolution-data-server-devel-0:3.20.2-1.fc24.x86_64
evolution-data-server-tests-0:3.20.2-1.fc24.i686
evolution-data-server-tests-0:3.20.2-1.fc24.x86_64
evolution-devel-0:3.20.2-1.fc24.i686
evolution-devel-0:3.20.2-1.fc24.x86_64
evolution-devel-docs-0:3.20.2-1.fc24.noarch
evolution-ews-0:3.20.2-1.fc24.i686
evolution-ews-0:3.20.2-1.fc24.x86_64
evolution-help-0:3.20.2-1.fc24.noarch
evolution-mapi-0:3.20.1-1.fc24.i686
evolution-mapi-0:3.20.1-1.fc24.x86_64
evolution-mapi-devel-0:3.20.1-1.fc24.i686
evolution-mapi-devel-0:3.20.1-1.fc24.x86_64
evolution-perl-0:3.20.2-1.fc24.x86_64
evolution-pst-0:3.20.2-1.fc24.x86_64
evolution-rspam-0:0.6.0-13.fc24.x86_64
evolution-rss-1:0.3.95-7.fc24.x86_64
evolution-spamassassin-0:3.20.2-1.fc24.x86_64
evolution-tests-0:3.20.2-1.fc24.x86_64
fawkes-devenv-0:0.5.0-29.fc24.noarch
ffgtk-plugin-evolution-0:0.8.6-18.fc24.x86_64
filezilla-0:3.17.0.1-1.fc24.x86_64
fityk-0:1.3.0-8.fc24.i686
fityk-0:1.3.0-8.fc24.x86_64
fityk-devel-0:1.3.0-8.fc24.i686
fityk-devel-0:1.3.0-8.fc24.x86_64
flim-0:1.14.9-10.fc24.noarch
fmtools-tkradio-0:2.0.7-6.fc24.noarch
folks-1:0.11.2-5.fc24.i686
folks-1:0.11.2-5.fc24.x86_64
folks-devel-1:0.11.2-5.fc24.i686
folks-devel-1:0.11.2-5.fc24.x86_64
folks-tools-1:0.11.2-5.fc24.i686
folks-tools-1:0.11.2-5.fc24.x86_64
frama-c-emacs-0:1.12-4.fc24.noarch
freedink-0:108.4-3.fc24.x86_64
freedink-dfarc-0:3.12-4.fc24.x86_64
freedv-0:1.1-6.fc24.x86_64
fwbackups-0:1.43.5-2.fc24.noarch
gadget-0:0.0.3-16.fc24.noarch
gcl-emacs-0:2.6.12-5.fc24.noarch
gcl-emacs-el-0:2.6.12-5.fc24.noarch
gdm-1:3.20.1-1.fc24.i686
gdm-1:3.20.1-1.fc24.x86_64
gdm-devel-1:3.20.1-1.fc24.i686
gdm-devel-1:3.20.1-1.fc24.x86_64
geary-0:0.11.0-1.fc24.x86_64
giggle-0:0.7-22.fc24.i686
giggle-0:0.7-22.fc24.x86_64
giggle-devel-0:0.7-22.fc24.i686
giggle-devel-0:0.7-22.fc24.x86_64
gitso-0:0.6-13.fc24.noarch
glabels-0:3.2.1-8.fc24.x86_64
gnome-calendar-0:3.20.2-1.fc24.x86_64
gnome-classic-session-0:3.20.1-1.fc24.noarch
gnome-contacts-0:3.20.0-1.fc24.x86_64
gnome-initial-setup-0:3.20.1-1.fc24.x86_64
gnome-maps-0:3.20.1-1.fc24.i686
gnome-maps-0:3.20.1-1.fc24.x86_64
gnome-phone-manager-0:0.69-16.fc24.x86_64
gnome-phone-manager-telepathy-0:0.69-16.fc24.x86_64
gnome-shell-0:3.20.2-1.fc24.x86_64
gnome-shell-extension-alternate-tab-0:3.20.1-1.fc24.noarch
gnome-shell-extension-apps-menu-0:3.20.1-1.fc24.noarch
gnome-shell-extension-auto-move-windows-0:3.20.1-1.fc24.noarch
gnome-shell-extension-background-logo-0:3.20.0-1.fc24.noarch
gnome-shell-extension-calc-0:0-0.10.gite4f4ac5.fc24.noarch
gnome-shell-extension-common-0:3.20.1-1.fc24.noarch
gnome-shell-extension-drive-menu-0:3.20.1-1.fc24.noarch
gnome-shell-extension-fedmsg-0:0.1.9-15.fc24.noarch
gnome-shell-extension-gpaste-0:3.18.3-2.fc24.noarch
gnome-shell-extension-iok-0:0.20160405-1.fc24.noarch
gnome-shell-extension-launch-new-instance-0:3.20.1-1.fc24.noarch
gnome-shell-extension-native-window-placement-0:3.20.1-1.fc24.noarch
gnome-shell-extension-openweather-0:1-0.18.20160325git8dd1696.fc24.noarch
gnome-shell-extension-panel-osd-0:1-0.13.20160325gite052ded.fc24.noarch
gnome-shell-extension-pidgin-0:0-0.20.gitfb9dbfd.fc24.x86_64
gnome-shell-extension-places-menu-0:3.20.1-1.fc24.noarch
gnome-shell-extension-pomodoro-0:0.11.3-1.fc24.x86_64
gnome-shell-extension-remove-bluetooth-icon-0:0.5.1-5.fc24.noarch
gnome-shell-extension-remove-volume-icon-0:0.5.1-5.fc24.noarch
gnome-shell-extension-screenshot-window-sizer-0:3.20.1-1.fc24.noarch
gnome-shell-extension-simple-dock-0:0.1-0.20150505git25c94bc.fc24.2.noarch
gnome-shell-extension-user-theme-0:3.20.1-1.fc24.noarch
gnome-shell-extension-window-list-0:3.20.1-1.fc24.noarch
gnome-shell-extension-windowsNavigator-0:3.20.1-1.fc24.noarch
gnome-shell-extension-workspace-indicator-0:3.20.1-1.fc24.noarch
gnome-shell-theme-selene-0:3.4.0-11.fc24.noarch
gnome-todo-0:3.20.2-1.fc24.x86_64
gnome-tweak-tool-0:3.20.1-1.fc24.noarch
gnome-web-photo-0:0.10.5-9.fc24.x86_64
gnumed-0:1.4.8-6.fc24.noarch
gnumed-doc-0:1.4.8-6.fc24.noarch
gnumed-server-0:19.8-4.fc24.noarch
gnuradio-0:3.7.9.1-3.fc24.i686
gnuradio-0:3.7.9.1-3.fc24.x86_64
gnuradio-devel-0:3.7.9.1-3.fc24.i686
gnuradio-devel-0:3.7.9.1-3.fc24.x86_64
gnuradio-doc-0:3.7.9.1-3.fc24.noarch
gnuradio-examples-0:3.7.9.1-3.fc24.x86_64
gphotoframe-0:2.0.2-2.hg2084299dffb6.fc24.1.noarch
gphotoframe-gss-0:2.0.2-2.hg2084299dffb6.fc24.1.noarch
gqrx-0:2.5.3-3.fc24.x86_64
gr-air-modes-0:0-0.46.20160106git514414f6.fc24.i686
gr-air-modes-0:0-0.46.20160106git514414f6.fc24.x86_64
gr-air-modes-devel-0:0-0.46.20160106git514414f6.fc24.i686
gr-air-modes-devel-0:0-0.46.20160106git514414f6.fc24.x86_64
gr-air-modes-doc-0:0-0.46.20160106git514414f6.fc24.noarch
gr-fcdproplus-0:0-0.22.20140920git1edbe523.fc24.i686
gr-fcdproplus-0:0-0.22.20140920git1edbe523.fc24.x86_64
gr-fcdproplus-devel-0:0-0.22.20140920git1edbe523.fc24.i686
gr-fcdproplus-devel-0:0-0.22.20140920git1edbe523.fc24.x86_64
gr-fcdproplus-doc-0:0-0.22.20140920git1edbe523.fc24.noarch
gr-iqbal-0:0.37.2-19.fc24.i686
gr-iqbal-0:0.37.2-19.fc24.x86_64
gr-iqbal-devel-0:0.37.2-19.fc24.i686
gr-iqbal-devel-0:0.37.2-19.fc24.x86_64
gr-iqbal-doc-0:0.37.2-19.fc24.noarch
gr-osmosdr-0:0.1.3-18.20141023git42c66fdd.fc24.i686
gr-osmosdr-0:0.1.3-18.20141023git42c66fdd.fc24.x86_64
gr-osmosdr-devel-0:0.1.3-18.20141023git42c66fdd.fc24.i686
gr-osmosdr-devel-0:0.1.3-18.20141023git42c66fdd.fc24.x86_64
gr-osmosdr-doc-0:0.1.3-18.20141023git42c66fdd.fc24.noarch
gr-rds-0:0-0.21.20150513git201f32b.fc24.i686
gr-rds-0:0-0.21.20150513git201f32b.fc24.x86_64
gr-rds-devel-0:0-0.21.20150513git201f32b.fc24.i686
gr-rds-devel-0:0-0.21.20150513git201f32b.fc24.x86_64
gr-rds-doc-0:0-0.21.20150513git201f32b.fc24.noarch
grass-0:7.0.3-1.fc24.x86_64
gtg-0:0.3.1-10.fc24.noarch
gtkwhiteboard-0:1.3-11.fc24.noarch
guake-0:0.8.4-1.fc24.noarch
hugin-0:2016.0.0-1.fc24.i686
hugin-0:2016.0.0-1.fc24.x86_64
libopensync-plugin-evolution2-1:0.22-53.fc24.i686
libopensync-plugin-evolution2-1:0.22-53.fc24.x86_64
liferea-1:1.10.19-1.fc24.x86_64
londonlaw-0:0.3.0-0.3.pre2.fc24.noarch
mMass-0:5.5.0-17.fc24.x86_64
mailnag-0:1.2.0-1.fc24.noarch
memaker-0:20100110-10.fc24.noarch
metamorphose2-0:0.8.2-8.fc24.noarch
migemo-emacs-0:0.40-24.fc24.noarch
migemo-xemacs-0:0.40-24.fc24.noarch
mona-emacs-0:1.4r17-1.fc24.noarch
nautilus-phatch-0:0.2.7-24.fc24.noarch
nicotine+-0:1.2.16-12.fc24.noarch
notify-python-0:0.1.1-30.fc24.x86_64
ocaml-emacs-0:4.02.3-3.fc24.x86_64
openstv-0:1.7-6.fc24.noarch
ovirt-guest-agent-gdm-plugin-0:1.0.11-2.fc24.3.noarch
peppy-0:0.16.0-8.fc24.noarch
phatch-0:0.2.7-24.fc24.noarch
plater-0:2015.03.10-4.fc24.noarch
playonlinux-0:4.2.10-7.fc24.x86_64
poedit-0:1.8.7.1-1.fc24.x86_64
printrun-0:2015.03.10-4.fc24.x86_64
pronterface-0:2015.03.10-4.fc24.noarch
protobuf-emacs-0:2.6.1-4.fc24.x86_64
protobuf-emacs-el-0:2.6.1-4.fc24.x86_64
psgml-0:1.2.5-20.fc24.noarch
pulseaudio-gdm-hooks-0:8.0-6.fc24.x86_64
pyhoca-gui-0:0.5.0.5-2.fc24.noarch
pymol-wxpython-0:1.8-3.20151208svn4142.fc24.x86_64
pyobd-0:0.9.3-1.fc24.noarch
python-couchdbkit-0:0.6.5-5.fc24.noarch
python-envisage-0:4.4.0-3.fc24.noarch
python-ropemacs-0:0.7-6.fc24.noarch
python-squaremap-0:1.0.3-5.fc24.noarch
python2-apptools-0:4.4.0-3.fc24.noarch
python2-matplotlib-wx-0:1.5.1-3.fc24.x86_64
python2-pyface-0:5.0.0-9.fc24.noarch
python2-pyface-qt-0:5.0.0-9.fc24.noarch
python2-pyface-wx-0:5.0.0-9.fc24.noarch
python2-pyudev-wx-0:0.20.0-2.fc24.noarch
python2-traitsui-0:5.0.0-4.fc24.noarch
qgis-devel-0:2.14.0-2.fc24.i686
qgis-devel-0:2.14.0-2.fc24.x86_64
qgis-grass-0:2.14.0-2.fc24.i686
qgis-grass-0:2.14.0-2.fc24.x86_64
qgnomeplatform-0:0.1-5.fc24.i686
qgnomeplatform-0:0.1-5.fc24.x86_64
radiotray-0:0.7.3-6.fc24.noarch
rapid-photo-downloader-0:0.4.11-3.fc24.noarch
recutils-0:1.7-6.fc24.i686
recutils-0:1.7-6.fc24.x86_64
recutils-devel-0:1.7-6.fc24.i686
recutils-devel-0:1.7-6.fc24.x86_64
rubygem-webkit-gtk-0:3.0.8-1.fc24.noarch
rubygem-webkit-gtk-doc-0:3.0.8-1.fc24.noarch
rurple-0:1.0-0.13.rc3.fc24.noarch
saga-0:2.2.4-1.fc24.i686
saga-0:2.2.4-1.fc24.x86_64
saga-devel-0:2.2.4-1.fc24.i686
saga-devel-0:2.2.4-1.fc24.x86_64
saga-python-0:2.2.4-1.fc24.x86_64
seed-0:3.8.1-7.fc24.i686
seed-0:3.8.1-7.fc24.x86_64
seed-devel-0:3.8.1-7.fc24.i686
seed-devel-0:3.8.1-7.fc24.x86_64
seed-doc-0:3.8.1-7.fc24.noarch
sflphone-gnome-plugins-0:1.4.1-18.fc24.x86_64
shutter-0:0.93.1-2.fc24.noarch
sidc-gui-0:0.4-6.fc24.noarch
sk2py-0:0.1-14.fc24.noarch
soundconverter-0:2.1.6-2.fc24.noarch
spe-0:0.8.4.h-16.fc24.noarch
specto-0:0.4.1-9.fc24.noarch
sugar-browse-0:157.3-1.fc24.noarch
surf-0:0.7-1.fc24.x86_64
synce-gnome-0:0.11-12.fc24.noarch
syncevolution-1:1.5.1-9.fc24.x86_64
syncevolution-devel-1:1.5.1-9.fc24.i686
syncevolution-devel-1:1.5.1-9.fc24.x86_64
syncevolution-gtk-1:1.5.1-9.fc24.x86_64
syncevolution-libs-1:1.5.1-9.fc24.i686
syncevolution-libs-1:1.5.1-9.fc24.x86_64
syncevolution-libs-akonadi-1:1.5.1-9.fc24.x86_64
syncevolution-perl-1:1.5.1-9.fc24.x86_64
system-config-printer-0:1.5.7-8.fc24.x86_64
taskcoach-0:1.4.3-2.fc24.noarch
timeline-0:1.10.0-1.fc24.noarch
tmda-emacs-0:1.1.12-13.fc24.noarch
tsung-0:1.6.0-1.fc24.x86_64
turpial-0:3.0-7.fc24.noarch
uzbl-0:0-0.39.20120514git228bc38cbd.fc24.x86_64
uzbl-browser-0:0-0.39.20120514git228bc38cbd.fc24.x86_64
uzbl-core-0:0-0.39.20120514git228bc38cbd.fc24.x86_64
uzbl-defaults-0:0-0.39.20120514git228bc38cbd.fc24.x86_64
uzbl-tabbed-0:0-0.39.20120514git228bc38cbd.fc24.x86_64
vfrnav-0:20160212-3.fc24.i686
vfrnav-0:20160212-3.fc24.x86_64
vfrnav-utils-0:20160212-3.fc24.x86_64
vfrnav-validatorservice-0:20160212-3.fc24.x86_64
vfrnav-webservice-0:20160212-3.fc24.x86_64
vfrnav-wetterdl-0:20160212-3.fc24.x86_64
wammu-0:0.40-3.fc24.noarch
webkitgtk3-devel-0:2.4.11-1.fc24.i686
webkitgtk3-devel-0:2.4.11-1.fc24.x86_64
webkitgtk3-doc-0:2.4.11-1.fc24.noarch
why3-emacs-0:0.87.0-3.fc24.noarch
wicd-curses-0:1.7.3-2.fc23.noarch
wicd-gtk-0:1.7.3-2.fc23.noarch
wings-0:2.0.4-1.fc24.x86_64
winpdb-0:1.4.8-11.fc24.noarch
wuja-0:0.0.8-16.fc24.noarch
wxGTK3-0:3.0.2-19.fc24.i686
wxGTK3-0:3.0.2-19.fc24.x86_64
wxGTK3-devel-0:3.0.2-19.fc24.i686
wxGTK3-devel-0:3.0.2-19.fc24.x86_64
wxGTK3-docs-0:3.0.2-19.fc24.noarch
wxGTK3-gl-0:3.0.2-19.fc24.i686
wxGTK3-gl-0:3.0.2-19.fc24.x86_64
wxGTK3-media-0:3.0.2-19.fc24.i686
wxGTK3-media-0:3.0.2-19.fc24.x86_64
wxGTK3-xmldocs-0:3.0.2-19.fc24.noarch
wxGlade-0:0.7.2-1.fc24.noarch
wxMaxima-0:15.08.2-2.fc24.x86_64
wxPython-0:3.0.2.0-10.fc24.x86_64
wxPython-devel-0:3.0.2.0-10.fc24.i686
wxPython-devel-0:3.0.2.0-10.fc24.x86_64
wxPython-docs-0:3.0.2.0-10.fc24.noarch
wxsqlite3-0:3.3.2-0.1gitb05867d.fc24.i686
wxsqlite3-0:3.3.2-0.1gitb05867d.fc24.x86_64
wxsqlite3-devel-0:3.3.2-0.1gitb05867d.fc24.i686
wxsqlite3-devel-0:3.3.2-0.1gitb05867d.fc24.x86_64
xemacs-tuareg-0:2.0.10-0.2.1c837e26.fc24.noarch
xiphos-gtk3-0:4.0.4-3.fc24.x86_64
xylib-0:1.4-8.fc24.i686
xylib-0:1.4-8.fc24.x86_64
xylib-devel-0:1.4-8.fc24.i686
xylib-devel-0:1.4-8.fc24.x86_64
yaws-0:2.0-2.fc24.x86_64
yaws-devel-0:2.0-2.fc24.i686
yaws-devel-0:2.0-2.fc24.x86_64
Note that work is already in progress for some of the above. Active
porting efforts are underway for Evolution (which will take care of the
mass of evolution-data-server dependencies like gnome-shell and gdm),
Geary, and Liferea. There are also stalled porting efforts for inactive
projects like Empathy, Bijiben, and Midori; these efforts have
significant progress and could easily be resurrected.
Question: What if we're not willing to remove packages?
Answer: Well, then we'll just have to watch the count of unfixed remote
code execution vulnerabilities increase forever, because there's no
chance all of the above packages will be ported; we could set the
deadline 10 years in the future and it still wouldn't happen. If we
decide we're not willing to remove packages, I would suggest renaming
the WebKit packages to webkitgtk-insecure and webkitgtk3-insecure to
clarify the situation.
Question: :(
Answer: ¯\_(ツ)_/¯
Michael
Notice on WebKitGTK+ API/ABI compatibility
by Michael Catanzaro
Hi,
We have recently started updating all Fedoras to the latest stable
release of WebKitGTK+ in order to provide effective security support.
I'm pleased that so far we have had no bug reports related to these
updates.
Recently, FESCo wisely adopted a policy to ban stable release updates
that break API or ABI, and while I believe we currently comply, we
might be skirting the line a bit. We intend to offer API and ABI
compatibility indefinitely, most likely until GTK+ 4 is released,
whenever that may be, but with two caveats.
First, the stable DOM bindings API/ABI will not change, but may cease
to function properly if something is removed from the DOM spec. In the
worst case, application crashes are possible, e.g. if an application is
not expecting a function to return NULL. To avoid friction with other
WebKit contributors, we cannot provide compatibility here. To my
knowledge, no real world application has ever been affected by such an
issue, and the odds of real world breakage here are much lower than
with a typical bugfix update, so I don't see the need to worry about
this -- it's just something to be aware of. If your open source
application is ever unlucky enough to be affected by such an issue, we
will help fix it.
WebKitGTK+ also offers a larger, unstable DOM API accessible if
WEBKIT_DOM_USE_UNSTABLE_API is defined. Here API/ABI compatibility is
restricted to micro 2.x.y version updates; the API/ABI *will* break in
a minor version update (2.x), and these updates will occur within the
lifetime of a particular stable Fedora release. The only practical way
to avoid API changes here is to not update WebKit and live with unfixed
remote code execution vulnerabilities. Backports are not practical.
Currently known users of this API are Epiphany and Yelp; since only two
applications are affected, I don't consider this a practical problem.
If your Fedora package needs to use this API, contact me privately so
that we can know to take responsibility for rebuilding your application
when needed and avoid broken updates. Third-party applications are
strongly encouraged to avoid using this API.
Michael
7 years, 7 months
F25 System Wide Change: Automatic Provides for Python RPM Packages
by Jaroslav Reznik
= Proposed System Wide Change: Automatic Provides for Python RPM Packages =
https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
Change owner(s):
* Tomas Orsava <https://fedoraproject.org/wiki/User:Torsava>
* Miro Hroncok <https://fedoraproject.org/wiki/User:Churchyard>
* Email: python-maint(a)redhat.com
Upon building Python packages containing packaging metadata, RPM will
automatically detect the standardized name of the software (i.e. dist name,
name on PyPI) in the canonical format [1] and create a virtual Provides tag
with the value pythonX.Ydist(CANONICAL_NAME), where X.Y is the used Python
version. RPM may also detect dependencies of the software from the metadata
and automatically require them using the same syntax.
== Detailed Description ==
If during the building of a Python package RPM encounters .egg-info, .egg-link
or .dist-info files (provided in Python Wheels and Eggs), it will read the
standardized name of the software (i.e. dist name, name on PyPI) in the
canonical format and create a virtual Provides tag with the value
pythonX.Ydist(CANONICAL_NAME), where X.Y is the used Python version. Note that
the canonical format can differ slightly from the name displayed, for example,
on PyPI.[1]
RPM will also detect dependencies of the software from the aforementioned
metadata files and automatically require them using the format
pythonX.Ydist(). However, because these files don't always contain the full
list of requirements (which are either in setup.py or requirements.txt), the
dependency generator will not be conclusive.
All Python packages will need to be rebuilt so that the virtual Provides tags
are generated and can be used by users, scripts and the requires generator.
== Scope ==
* Proposal owners: Prepare a draft for the Fedora Packaging Guidelines for
Python
* Maintainers of the RPM package: Backport the functionality from upstream to
Fedora. — Already done thanks to Florian Festi [2]
* Release engineering: Targeted rebuild of Python packages. Ticket [3].
* List of deliverables: All Fedora deliverables will be affected, but only in
a very minor way that in no way jeopardizes their delivery.
* Policies and guidelines: Fedora Packaging Guidelines for Python need to be
updated after the implementation so users know how to take advantage of the
change.
* Trademark approval: Not needed for this Change
[1] https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages#cite_note-canonical-0
7 years, 8 months
First stage of glibc recvmsg/sendmsg ABI revert landed in rawhide
by Florian Weimer
glibc upstream, during development of the 2.24 release, introduced new
symbol versions recvmsg@GLIBC_2.24, sendmsg@GLIBC_2.24 (and
recvmmsg@GLIBC_2.24, sendmmsg@GLIBC_2.24 on 64-bit architectures), in
order to fix some minor POSIX compliance issue. (POSIX and the Linux
kernel disagree about the width of some fields in struct msghdr.) These
changes landed in rawhide as part of glibc-2.23.90-19.fc25.
This change caused quite a few issues (chrony stopped building, Address
Sanitizer interception of these functions was affected, probably more).
Considering that the deviation from POSIX was really minor, this was
considered a poor trade-off, and the patch and ABI change was eventually
reverted upstream.
We cannot implement the ABI reversal immediately in rawhide because that
would break existing binaries, and we don't want to do a bootstrap or
mass rebuild for this. Therefore, glibc-2.23.90-21.fc25 turns the new
symbols into compatibility symbols. As a result, new binaries will be
linked against the old symbol versions, as before, and old binaries
continue to work.
(glibc-2.23.90-22.fc25 adds some polishing, but this version is
functionally equivalent to the previous one.)
Based on Sunday's compose, the list of packages which need to rebuild is
fairly small:
source
----------------------------------------
NetworkManager-1.2.2-2.fc25
OpenIPMI-2.0.22-1.fc25
OpenImageIO-1.6.14-1.fc25
boost-1.60.0-7.fc25
chrony-2.4-1.fc25
collectd-5.5.1-12.fc25
cryptsetup-1.7.2-1.fc25
firefox-47.0-4.fc25
freerdp-2.0.0-9.git.aa15327.fc25
gdb-7.11.1-75.fc25
glib2-2.49.1-2.fc25
glibc-2.23.90-20.fc25
gnutls-3.4.13-1.fc25
haproxy-1.6.5-2.fc25
hostapd-2.5-4.fc25
java-1.8.0-openjdk-1.8.0.92-1.b14.fc25
libguestfs-1.33.35-1.fc25
libnice-0.1.13-6.fc25
libvirt-1.3.5-1.fc25
lxc-2.0.1-1.fc25
mono-4.4.0-5.fc25
nftables-0.6-1.fc25
ntp-4.2.6p5-41.fc25
openssh-7.2p2-7.fc25
php-5.6.23-0.1.RC1.fc25
python-twisted-16.1.1-3.fc25
qt5-qtbase-5.6.1-2.fc25
qt5-qtwebengine-5.6.1-1.fc25
qt5-qtwebkit-5.6.1-1.b889f46git.fc25
root-6.06.04-2.fc25
samba-4.4.4-1.fc25
thunderbird-45.1.1-2.fc25
tigervnc-1.6.0-6.fc25
weechat-1.5-1.fc25
wine-1.9.11-1.fc25
(35 rows)
I'll wait some time to see how many of those pick up the old ABI due to
regular development. Probably around mid-July, I will start pinging
developers if rebuilds are missing. We must remove the compatibility
symbol before the release, so I'll have to enlist the help of provenpackagers
eventually to trigger missing rebuilds.
Thanks,
Florian
7 years, 9 months
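The rebuild check implied by the post above, as an added example that is not part of Florian Weimer's message or of glibc: it scans `readelf --dyn-syms -W` output for undefined references still bound to the GLIBC_2.24 versions of the four functions named in the post. The function names and the sample symbol table are constructed for illustration.

```python
import re

# Functions whose GLIBC_2.24 versions became compatibility symbols (per the post).
REVERTED = {"recvmsg", "sendmsg", "recvmmsg", "sendmmsg"}
REVERTED_VERSION = "GLIBC_2.24"

# One row of `readelf --dyn-syms -W`: Num: Value Size Type Bind Vis Ndx Name
ROW = re.compile(
    r"^\s*\d+:\s+[0-9a-fA-F]+\s+\S+\s+(?P<type>\S+)\s+(?P<bind>\S+)\s+"
    r"(?P<vis>\S+)\s+(?P<ndx>\S+)\s+(?P<name>[^\s@]+)(?:@{1,2}(?P<ver>\S+))?"
)

def stale_references(readelf_output):
    """Return the sorted imports still bound to the reverted symbol versions."""
    hits = set()
    for line in readelf_output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # table header, blank line, or the nameless entry 0
        if m["ndx"] != "UND":
            continue  # only imports matter; definitions live in glibc itself
        if m["name"] in REVERTED and m["ver"] == REVERTED_VERSION:
            hits.add(f'{m["name"]}@{m["ver"]}')
    return sorted(hits)

def needs_rebuild(readelf_output):
    """True if the binary must be rebuilt before the compat symbols are removed."""
    return bool(stale_references(readelf_output))

# Constructed sample output, not taken from a real package.
BUILT_AGAINST_NEW_ABI = """\
Symbol table '.dynsym' contains 6 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND recvmsg@GLIBC_2.24 (3)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND socket@GLIBC_2.2.5 (2)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND sendmmsg@GLIBC_2.24 (3)
     4: 0000000000000000     0 FUNC    WEAK   DEFAULT  UND __gmon_start__
     5: 0000000000001139    42 FUNC    GLOBAL DEFAULT   14 main
"""
# The same binary after a rebuild links against the old symbol version again.
REBUILT = BUILT_AGAINST_NEW_ABI.replace("GLIBC_2.24 (3)", "GLIBC_2.2.5 (2)")

if __name__ == "__main__":
    print(stale_references(BUILT_AGAINST_NEW_ABI), needs_rebuild(REBUILT))
```

To check a real file, pass the captured text of `readelf --dyn-syms -W` for that binary or shared object to `stale_references`.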
Firefox not working anymore over ssh?
by Juan Quintela
Hi
Since last Monday or so, I haven't been able to run firefox over ssh
anymore. I thought it was my setup, but further investigation showed
that it is something specific to firefox.
My setup is a bit more convoluted than this, but I am able to do:
$ ssh -X localhost gnome-terminal
And it shows a terminal as expected
$ ssh -X localhost firefox
Without a firefox running, it will hang there forever, with no output at all. I
tried doing an strace of it, and see that it is waiting for futexes. But I
haven't been able to see what is happening.
Until last Tuesday or so (I am on F23) firefox worked over ssh without
any problems. I have been running it like that for something like a
year.
Does anyone have any suggestions? I also tried
$ ssh -Y localhost firefox
And it didn't help at all (not that I am sure of the difference either).
Later, Juan.
PS. Really, what I normally do is run ssh to a virtual machine on the
same host.
7 years, 9 months
GPG2 as default /usr/bin/gpg
by Christopher
I just ran into this: https://bugzilla.redhat.com/show_bug.cgi?id=1309175
It's not a huge deal (and there are several workarounds, for git and for
other tools which default to using 'gpg'), but it highlights the mismatch
between the default /usr/bin/gpg running gpg1, when other tools, like
gpg-agent, are tailored for gpg2.
RHEL/CentOS has shipped /usr/bin/gpg with gnupg2 since at least sometime in
RHEL6.
I'm not saying we shouldn't continue to ship gnupg1, but can we at least
rename it, so gnupg package is version 2, and gnupg1 provides /usr/bin/gpg1
instead? This seems overdue. Is there any reason not to do this?
7 years, 9 months
Support for PCLMUL, AVX, FMA, etc.
by Jerry James
I am one of the maintainers of the ntl package, which is used by some
numeric applications (e.g., Macaulay2 and sagemath). Upstream
supports use of the PCLMUL instruction, the AVX instructions, and the
FMA instructions to speed up various computations. We can't use any
of those in Fedora, since we have to support a baseline x86_64.
Well, that's kind of a downer. I could advertise that people with
newer CPUs ought to rebuild the ntl package for their own CPUs, but
what's a distribution for if people have to rebuild packages? I've
been looking for a way to automatically support more recent CPUs.
Yesterday I sent a patch upstream that uses gcc's indirect function
support together with __attribute__((target ...)) to build vanilla
x86_64, PCLMUL-enabled, AVX-enabled, and FMA-enabled varieties of
several functions. Upstream was initially excited about this but
then, on further reflection, offered the opinion that this approach is
dangerous. The problem is that some of the types involved may change
ABI depending on the instruction set in use, and therefore it would be
necessary to build larger portions of the library for each supported
CPU variant. At that point, as upstream said, we might as well just
build the entire library for each variant. The problem then is how to
choose which version of the library to use at load time.
On some platforms, ld.so offers "hardware capabilities", such as sse2
on i386. By dropping a vanilla library into /usr/lib and an
SSE2-enabled build into /usr/lib/sse2, applications can get the
version of the library appropriate for the CPU in use. But there
don't seem to be any defined hardware capabilities for x86_64.
Has anybody already thought this through? What's the best approach to
take? For this package, the speedups are substantial, so this is
worth doing, if it can be done well.
Thank you,
--
Jerry James
http://www.jamezone.org/
7 years, 9 months
Fixing /.autorelabel
by Richard W.M. Jones
It should be possible to touch /.autorelabel and have the SELinux
labels on the filesystem fixed at next boot.
Fedora 24 shipped with a couple of nasty bugs in /.autorelabel
functionality:
https://bugzilla.redhat.com/show_bug.cgi?id=1351352
https://bugzilla.redhat.com/show_bug.cgi?id=1349586
This is not particularly a new thing. This bug against systemd was
filed a couple of years ago, and still not fixed although the problem
is understood and there is a fix:
https://bugzilla.redhat.com/show_bug.cgi?id=1049656
The general issues are:
(1) Autorelabelling requires that the system is booted up "enough" to
run the fedora-autorelabel.service.
(2) If SELinux is enabled during the boot, then services may fail to
start up correctly because of mislabelled files.
(3) fedora-autorelabel.service requires local-fs.target. This is a
correct dependency, but it also happens quite late -- if you look at
the attached chart you can see that dozens of services need to be
started successfully before we even get to local-fs.target.
(4) If we don't reach the fedora-autorelabel.service then we can be
dumped into a rescue shell, or worse still go into a boot loop.
(5) The fedora-autorelabel.service itself can fail to be run because
SELinux stops systemd from working properly (the cause of
RHBZ#1049656).
(6) A related problem is that the autorelabel doesn't stop other
services from attempting to start while the relabel is happening.
I'm not sure what's a good way to fix it. Some ways I can think of:
(a) Configure /etc/selinux/config to set SELinux permissive, and
modify the fedora-autorelabel.service so it edits /etc/selinux/config
to re-enable SELinux next time. This editing would have to be
conditional, and the details are up in the air. Maybe there could be
a "/.autorelabel-enforce-after-boot" file to do this?
[Note these are for VM images, so we cannot have "special" boot flags
that the user must set and modify, it must all happen automatically]
(b) Introduce some shortcut, low level, very minimal default target
which systemd uses when it sees the /.autorelabel file. This was
basically what sysvinit used to do - the /.autorelabel file was
processed specially very early in the boot scripts.
(c) Instead of touching the file, set the default.target to some
special target. The problem with this is we want to replace
default.target with the normal one after the autorelabel completes
successfully, and I've no idea how to do that.
(d) Combine setting SELinux to enforcing with checking for
/.autorelabel. If whatever it is that reads /etc/selinux/config
notices that the /.autorelabel file exists, it should do the
autorelabel before setting SELinux to enforcing.
(e) Insert your idea here ...
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html
7 years, 9 months
Fedora retirement guidelines
by James Hogarth
Right now the retirement guidelines state that you should only retire in
branched (prior to freeze) and up to master...
But I just had a user bitten by a change in behaviour between dnf and yum
that was discovered here:
https://bugzilla.redhat.com/show_bug.cgi?id=1096506
This is the bug raised with my package:
https://bugzilla.redhat.com/show_bug.cgi?id=1342249
It seems very unintuitive to the user, and wasn't initially apparent to me
until I looked at all open dnf bugs and did a "find on page" for "obsolete".
For now I've opened a rel-eng ticket to get the letsencrypt packages
properly removed from the F23 repos so that a dnf install letsencrypt, like
F24 behaviour, will install certbot.
I guess the real question is - is the dnf behaviour correct, and if the dnf
behaviour isn't going to change should we allow packagers to retire from a
released branch?
7 years, 9 months