June 2016 - devel - Fedora Mailing-Lists

RFC: static builds for user emulators in Fedora QEMU RPMs

by Daniel P. Berrange

For those who aren't familiar, QEMU actually provides two completely different sets of emulators - system emulators - they emulate a full virtual machine and thus run a full guest OS. - user emulators - they emulate the Linux userspace ABI letting you run non-native arch executables directly. The user emulators are what I'm concerned with in this mail, so ignore the system emulators. Currently all the user emulators are provided in the "qemu-user" RPM which also includes files in /usr/lib/binfmt.d to register each emulator binary as a binary format handler for its respective architecture. This is ok if you have a non-native arch binary that's statically linked and you just want to run it from context of your main OS root filesystem. Running dynamic linked binaries won't fly because if say running an arm binary on x86_64 host, it'll look for /lib/libc.so and find the i386 one, instead of the arm one. You can't set LD_LIBRARY_PATH to override this as the env var will apply to both qemu-arm (an x86_64 binary) and the binary it is trying to run (an arm binary). More typical though is that you have a directory containing an fullish install tree of a non-native architecture and you just want to chroot into that. When doing such a chroot, the qemu-$ARCH emulator must be present inside the chroot too. ie the x86_64 build of /usr/bin/qemu-arm must be present inside at /my/chroot/for/fedora-arm/usr/bin/qemu-arm. So again you have the potential problem of clashing libc.so in /usr/lib It is a shame Fedora doesn't have full multi-arch support, instead of merely multi-lib to avoid these clashing lib dirs across architecture RPMs. The recommended way to deal with this for the qemu user emulator binaries to be statically linked, so when copied inside the non-native arch chroot, they never need to resolve any native arch libraries. Fedora's qemu user binaries are all dynamic linked right now. Debian handles this by having several packages [1] - qemu-user - the dynamic linked qemu user binaries - qemu-binfmt - binfmt rules registering the dynamic linked binaries - qemu-user-static - the static linked qemu user binaries *and* binfmt rules to register them. The static binaries all have -static suffix on their name NB, this means qemu-binfmt and qemu-user-static are mutually exclusive since they both provide the same binfmt files. You can however have both qemu-user and qemu-user-static installed as their binary names won't clash, and in this case the static ones will be registered as binfmts This nice thing about this multiple package approach is that when you copied the x86_64 build of the "qemu-arm-static" binary into your arm chroot, you still then have the possibility of installing the arm build of the "qemu-arm" binary inside that chroot without filename clash. An alternative simpler approach would be to just have one package, qemu-user, which contains the static binaries and never ship any dynamic linked qemu user binaries. This is slightly more restrictive though, as explained in the previous paragraph, so I'd like to avoid doing that. I'd like to make using non-native arch chroots simple with Fedora without people needing to manually build their own static QEMU binaries, or download static binaries provided by another distro[2]. So I'm suggesting to make a change to Fedora qemu packages to essentially copy the way Debian has done things. Specifically I will - Pull the binfmt registration files out of qemu-user and into a new qemu-binfmt package which depends on qemu-user. - Add static builds of qemu user emulators to a new qemu-user-static package, along with binfmt registration files The static build of QEMU user emulators is moderately light on dependancies, only requiring glib2-static, pcre-static, zlib-static and glibc-static packages. The change to introduce a qemu-binfmt package has small upgrade implications since anyone with qemu-user installed today, will loose the binary format rules unless they manually install qemu-binfmt. I think the number of people affected is probably quite small, and some of them may well wish to use qemu-user-static instead anyway. Obviously this would only be done in rawhide, not any existing stable releases of Fedora. Nothing will change about the rest of QEMU packaging - ie all system emulators will continue to use dynamic linking Regards, Daniel [1] https://wiki.debian.org/QemuUserEmulation [2] https://rwmj.wordpress.com/2013/12/22/how-to-run-aarch64-binaries-on-an-x... -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

7 years, 3 months

9
17
1 / 0

Proposal: remove insecure WebKitGTK+ packages for F27

by Michael Catanzaro

Hi, I propose we retire the webkitgtk and webkitgtk3 packages when branching rawhide for F26 (expected to occur roughly February 2017), and forbid unretiring them. All their dependencies would then be removed from from Fedora according to the normal process shortly before the release of F27 (excepted to occur May 2017). If nobody objects, we'll carry out this plan shortly after the F26 branch point. Question: Why retire these packages? Answer: Affected applications that process untrusted input are vulnerable to roughly 150 unfixed security vulnerabilities, the overwhelming majority of which are remote code execution vulnerabilities. The severity of this situation arguably outweighs the benefit of keeping affected applications around. Question: This sounds horrible, we should act soon. Why wait until F26? Answer: Porting to the new WebKitGTK+ API is easy for many applications, but for applications that use the DOM API it can be expected to take some time, as this API has moved to the web process and accessing it requires writing a web process extension. If we were to use F25 as the deadline, there would not be sufficient time for applications to be ported. Porting efforts should begin as soon as possible. Question: What if my application doesn't process untrusted input? Answer: If you're sure your application never processes untrusted input, it is a special flower. You should request a bundling exception from FESCo if you do not intend to upgrade. Question: You're horrible for proposing to remove my packages. Answer: WebKit1 was deprecated in March 2013. Packages have had three years to upgrade. It's clear at this point that this problem won't ever be fixed without a hard deadline that is enforced. But this is a fair point; it sucks a lot that compatibility is not offered here. Such is the cost of free software.... Question: We usually allow compatibility libraries to exist indefinitely. Why so strict with WebKit? Answer: Our compatibility libraries do not usually have upwards of 150 unfixed remote code execution vulnerabilities. Backporting fixes is not practical in this situation. Question: But these packages are still included in RHEL. Isn't Red Hat providing security updates? Answer: No. Question: Will you help port my packages to newer WebKit? Answer: We'll answer questions, but unfortunately we can only provide serious assistance to priority GNOME packages. evolution-data-server threatens to take out gnome-shell if removed, for instance, which is why we waited until the Evolution port is nearing completion to propose this. Question: What if my application depends on GTK+ 2? Answer: You must first port to GTK+ 3, then port to WebKit2. You may find it more practical to stop using WebKitGTK+. Question: What if my application needs to work on Windows? Answer: WebKit2 is not supported on Windows. You will need to either commit to developing Windows support, or stop using WebKitGTK+. Question: I hear QtWebKit is insecure too, why punish only GTK+ apps? Answer: QtWebKit has not had security updates since ~2012 and so has even more unfixed vulnerabilities. However, an unofficial effort is underway to rebase QtWebKit on the upstream WebKit project. The plan is to make regular QtWebKit releases based on the latest WebKitGTK+ stable branch, meaning there should be regular security updates. This is still a work in progress, but once completed, Fedora will be able to switch upstreams and solve this issue without the need to port applications to QtWebEngine. No such compatibility effort is planned for WebKitGTK+. Question: Where can I view WebKitGTK+ security advisories? Answer: http://webkitgtk.org/security.html Question: Where can I learn more? Answer: https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/ Question: What would be removed if this were to occur today? Answer: If you read this far, please seriously look over these lists. Some big name applications are included. $ repoquery --whatrequires --recursive webkitgtk Yum-utils package has been deprecated, use dnf instead. See 'man yum2dnf' for more information. GREYCstoration-gimp-0:2.8-22.fc24.x86_64 atril-0:1.14.1-1.fc24.x86_64 atril-caja-0:1.14.1-1.fc24.x86_64 atril-devel-0:1.14.1-1.fc24.i686 atril-devel-0:1.14.1-1.fc24.x86_64 atril-libs-0:1.14.1-1.fc24.i686 atril-libs-0:1.14.1-1.fc24.x86_64 atril-thumbnailer-0:1.14.1-1.fc24.x86_64 banshee-0:2.6.2-15.fc24.x86_64 banshee-community-extensions-0:2.4.0-14.fc24.x86_64 banshee-devel-0:2.6.2-15.fc24.i686 banshee-devel-0:2.6.2-15.fc24.x86_64 billiards-0:0.4.1-10.fc24.x86_64 claws-mail-plugins-0:3.13.2-2.fc24.x86_64 claws-mail-plugins-fancy-0:3.13.2-2.fc24.x86_64 compat-wxGTK3-gtk2-0:3.0.2-7.fc24.i686 compat-wxGTK3-gtk2-0:3.0.2-7.fc24.x86_64 compat-wxGTK3-gtk2-devel-0:3.0.2-7.fc24.i686 compat-wxGTK3-gtk2-devel-0:3.0.2-7.fc24.x86_64 compat-wxGTK3-gtk2-docs-0:3.0.2-7.fc24.noarch compat-wxGTK3-gtk2-gl-0:3.0.2-7.fc24.i686 compat-wxGTK3-gtk2-gl-0:3.0.2-7.fc24.x86_64 compat-wxGTK3-gtk2-media-0:3.0.2-7.fc24.i686 compat-wxGTK3-gtk2-media-0:3.0.2-7.fc24.x86_64 conduit-0:0.3.17-12.fc24.noarch dissy-0:10-5.fc24.noarch fityk-0:1.3.0-8.fc24.i686 fityk-0:1.3.0-8.fc24.x86_64 fityk-devel-0:1.3.0-8.fc24.i686 fityk-devel-0:1.3.0-8.fc24.x86_64 gap-pkg-alnuth-0:3.0.0-6.fc24.noarch gap-pkg-cryst-0:4.1.12-4.fc24.noarch gap-pkg-crystcat-0:1.1.6-4.fc24.noarch gap-pkg-nq-0:2.5.3-1.fc24.x86_64 gap-pkg-polenta-0:1.3.6-1.fc24.noarch gap-pkg-polycyclic-0:2.11-6.fc24.noarch gap-pkg-radiroot-0:2.7-5.fc24.noarch geany-plugins-devhelp-0:1.27-1.fc24.x86_64 geany-plugins-geanypy-0:1.27-1.fc24.x86_64 geany-plugins-markdown-0:1.27-1.fc24.x86_64 geany-plugins-webhelper-0:1.27-1.fc24.x86_64 ghc-webkit-0:0.14.1.1-1.fc24.x86_64 ghc-webkit-devel-0:0.14.1.1-1.fc24.x86_64 gimp-2:2.8.16-1.fc24.1.x86_64 gimp-data-extras-0:2.0.2-13.fc24.noarch gimp-dbp-0:1.1.9-9.fc24.x86_64 gimp-dds-plugin-0:3.0.1-5.fc24.x86_64 gimp-elsamuko-0:26-2.fc24.noarch gimp-fourier-plugin-0:0.4.1-12.fc24.x86_64 gimp-gap-0:2.7.0-14.GITe75bd46.fc24.x86_64 gimp-help-0:2.8.2-5.fc24.noarch gimp-help-browser-2:2.8.16-1.fc24.1.x86_64 gimp-help-ca-0:2.8.2-5.fc24.noarch gimp-help-da-0:2.8.2-5.fc24.noarch gimp-help-de-0:2.8.2-5.fc24.noarch gimp-help-el-0:2.8.2-5.fc24.noarch gimp-help-en_GB-0:2.8.2-5.fc24.noarch gimp-help-es-0:2.8.2-5.fc24.noarch gimp-help-fr-0:2.8.2-5.fc24.noarch gimp-help-it-0:2.8.2-5.fc24.noarch gimp-help-ja-0:2.8.2-5.fc24.noarch gimp-help-ko-0:2.8.2-5.fc24.noarch gimp-help-nl-0:2.8.2-5.fc24.noarch gimp-help-nn-0:2.8.2-5.fc24.noarch gimp-help-pt_BR-0:2.8.2-5.fc24.noarch gimp-help-ru-0:2.8.2-5.fc24.noarch gimp-help-sl-0:2.8.2-5.fc24.noarch gimp-help-sv-0:2.8.2-5.fc24.noarch gimp-help-zh_CN-0:2.8.2-5.fc24.noarch gimp-high-pass-filter-0:1.2-6.fc24.noarch gimp-lqr-plugin-0:0.7.2-4.fc24.x86_64 gimp-normalmap-0:1.2.3-12.fc24.x86_64 gimp-paint-studio-0:2.0-11.fc24.noarch gimp-resynthesizer-0:0.16-14.fc24.x86_64 gimp-save-for-web-0:0.29.3-1.fc24.x86_64 gimp-separate+-0:0.5.8-16.fc24.x86_64 gimp-wavelet-denoise-plugin-0:0.3.1-9.fc24.x86_64 gimpfx-foundry-0:2.6.1-5.fc24.noarch gmpc-0:11.8.16-11.fc24.x86_64 gmpc-devel-0:11.8.16-11.fc24.i686 gmpc-devel-0:11.8.16-11.fc24.x86_64 gmusicbrowser-0:1.1.15-2.fc24.noarch gnucash-0:2.6.12-1.fc24.i686 gnucash-0:2.6.12-1.fc24.x86_64 gphpedit-0:0.9.98-0.11.RC1.fc24.x86_64 gpodder-0:3.9.0-1.fc24.noarch gscribble-0:0.1.2-10.fc24.noarch gtk-sharp-beans-0:2.14.0-17.fc24.x86_64 gtk-sharp-beans-devel-0:2.14.0-17.fc24.i686 gtk-sharp-beans-devel-0:2.14.0-17.fc24.x86_64 guitarix-0:0.35.0-2.fc24.x86_64 gutenprint-plugin-0:5.2.11-2.fc24.x86_64 gyachi-0:1.2.11-14.fc24.x86_64 gyachi-YMlike-theme-0:1.2.11-14.fc24.x86_64 gyachi-pidgy-theme-0:1.2.11-14.fc24.x86_64 gyachi-plugin-alsa-0:1.2.11-14.fc24.x86_64 gyachi-plugin-blowfish-0:1.2.11-14.fc24.x86_64 gyachi-plugin-gtkspell-0:1.2.11-14.fc24.x86_64 gyachi-plugin-libnotify-0:1.2.11-14.fc24.x86_64 gyachi-plugin-mcrypt-0:1.2.11-14.fc24.x86_64 gyachi-plugin-pulseaudio-0:1.2.11-14.fc24.x86_64 gyachi-recre8-theme-0:1.2.11-14.fc24.x86_64 icaro-0:1.0.4-3.fc24.noarch kazehakase-0:0.5.8-20.svn3873_trunk.fc24.1.x86_64 kazehakase-webkit-0:0.5.8-20.svn3873_trunk.fc24.1.x86_64 kicad-1:4.0.2-2.fc24.x86_64 lekhonee-gnome-0:0.12-9.fc24.x86_64 lv2-guitarix-plugins-0:0.35.0-2.fc24.x86_64 midori-0:0.5.11-2.fc24.i686 midori-0:0.5.11-2.fc24.x86_64 mono-tools-0:4.2-2.fc24.x86_64 mono-tools-devel-0:4.2-2.fc24.i686 mono-tools-devel-0:4.2-2.fc24.x86_64 mono-tools-gendarme-0:4.2-2.fc24.x86_64 mono-tools-ilcontrast-0:4.2-2.fc24.x86_64 mono-tools-monodoc-0:4.2-2.fc24.x86_64 nested-0:1.2.2-17.fc24.noarch osmo-0:0.2.12-0.8.svn924.fc24.3.x86_64 pari-gp-0:2.7.5-2.fc24.x86_64 perl-Gtk2-WebKit-0:0.09-14.fc24.x86_64 pywebkitgtk-0:1.1.8-11.fc24.x86_64 rednotebook-0:1.12-1.fc24.noarch sagemath-0:6.8-10.fc24.i686 sagemath-0:6.8-10.fc24.x86_64 sagemath-core-0:6.8-10.fc24.x86_64 sagemath-data-0:6.8-10.fc24.noarch sagemath-data-conway_polynomials-0:6.8-10.fc24.noarch sagemath-data-elliptic_curves-0:6.8-10.fc24.noarch sagemath-data-etc-0:6.8-10.fc24.noarch sagemath-data-graphs-0:6.8-10.fc24.noarch sagemath-data-polytopes_db-0:6.8-10.fc24.noarch sagemath-notebook-0:6.8-10.fc24.x86_64 sagemath-rubiks-0:6.8-10.fc24.x86_64 sagemath-sagetex-0:6.8-10.fc24.x86_64 sparkleshare-0:1.2.0-4.fc23.x86_64 techne-0:0.2.3-18.fc24.x86_64 techtalk-pse-0:1.1.0-10.fc24.noarch turpial-0:3.0-7.fc24.noarch ufraw-gimp-0:0.22-1.fc24.x86_64 webkit-sharp-0:0.3-17.fc24.x86_64 webkit-sharp-devel-0:0.3-17.fc24.i686 webkit-sharp-devel-0:0.3-17.fc24.x86_64 webkitgtk-devel-0:2.4.11-1.fc24.i686 webkitgtk-devel-0:2.4.11-1.fc24.x86_64 webkitgtk-doc-0:2.4.11-1.fc24.noarch wordgroupz-0:0.3.1-11.fc24.noarch xiphos-gtk2-0:4.0.4-3.fc24.x86_64 xsane-gimp-0:0.999-20.fc24.x86_64 $ repoquery --whatrequires --recursive webkitgtk3 Yum-utils package has been deprecated, use dnf instead. See 'man yum2dnf' for more information. 3Depict-0:0.0.18-6.fc24.x86_64 4Pane-0:4.0-1.fc24.x86_64 Mayavi-0:4.4.3-4.fc24.x86_64 PyPE-0:2.9.4-5.fc24.noarch PythonCard-0:0.8.2-16.fc24.noarch RunSnakeRun-0:2.0.4-4.fc24.noarch ailurus-0:10.10.3-9.fc24.noarch almanah-0:0.11.1-8.fc24.x86_64 audacity-0:2.1.2-4.fc24.x86_64 audacity-manual-0:2.1.2-4.fc24.noarch audio-convert-mod-0:3.46.0b-10.fc24.noarch autokey-gtk-0:0.90.4-8.fc24.noarch autokey-qt-0:0.90.4-8.fc24.noarch balsa-0:2.5.2-3.fc24.x86_64 batti-0:0.3.8-9.fc24.noarch bibus-0:1.5.1-15.fc24.x86_64 bijiben-0:3.20.2-1.fc24.x86_64 bitlyclip-0:0.2.2-7.fc24.noarch boinc-manager-0:7.6.22-4.fc24.x86_64 cairo-dock-plug-ins-webkit-0:3.4.1-7.fc24.x86_64 california-0:0.4.0-7.fc24.x86_64 congruity-0:18-10.fc24.noarch coq-emacs-0:8.5pl1-1.fc24.noarch couchdb-0:1.6.1-14.fc24.x86_64 cura-0:15.04.4-3.fc24.noarch cura-lulzbot-0:19.12-1.fc24.noarch cycle-0:0.3.1-21.fc24.noarch decibel-audio-player-0:1.08-12.fc24.noarch deluge-0:1.3.12-3.fc24.noarch deluge-gtk-0:1.3.12-3.fc24.noarch deluge-web-0:1.3.12-3.fc24.noarch dwb-0:2015.10.09-2.20151009git.fc24.x86_64 earcandy-0:0.9-4.fc24.noarch ejabberd-0:16.01-5.fc24.x86_64 ekiga-0:4.0.1-29.fc24.x86_64 emacs-1:25.0.94-1.fc24.x86_64 emacs-apel-0:10.8-10.fc24.noarch emacs-auctex-0:11.89-3.fc24.noarch emacs-auto-complete-0:1.3.1-9.fc24.noarch emacs-auto-complete-el-0:1.3.1-9.fc24.noarch emacs-bbdb-1:3.1.2-5.fc24.noarch emacs-color-theme-0:6.6.0-11.fc24.noarch emacs-color-theme-el-0:6.6.0-11.fc24.noarch emacs-common-tuareg-0:2.0.10-0.2.1c837e26.fc24.noarch emacs-ddskk-0:15.2-4.fc24.noarch emacs-ebib-0:1.8.0-9.fc24.noarch emacs-ebib-el-0:1.8.0-9.fc24.noarch emacs-epix-0:1.2.16-1.fc24.noarch emacs-erlang-0:18.3.3-1.fc24.noarch emacs-erlang-el-0:18.3.3-1.fc24.noarch emacs-erlang-lfe-0:1.0.2-1.fc24.noarch emacs-erlang-lfe-el-0:1.0.2-1.fc24.noarch emacs-ess-0:16.04-1.fc24.noarch emacs-evil-0:1.2.9-1.fc24.noarch emacs-gettext-0:0.19.7-4.fc24.noarch emacs-gnu-smalltalk-0:3.2.5-10.fc24.noarch emacs-gnu-smalltalk-el-0:3.2.5-10.fc24.noarch emacs-goodies-0:35.8-5.fc24.noarch emacs-goodies-el-0:35.8-5.fc24.noarch emacs-goto-chg-0:1.6-2.fc24.noarch emacs-gtypist-0:2.9.4-5.fc24.x86_64 emacs-haskell-mode-0:13.18-1.fc24.noarch emacs-htmlize-0:1.34-12.fc24.noarch emacs-htmlize-el-0:1.34-12.fc24.noarch emacs-irsim-mode-0:0.1-14.fc24.noarch emacs-irsim-mode-el-0:0.1-14.fc24.noarch emacs-ledger-0:3.1.1-1.fc24.x86_64 emacs-ledger-el-0:3.1.1-1.fc24.noarch emacs-lookup-0:1.4.1-13.fc24.noarch emacs-lua-0:20151025-2.fc24.noarch emacs-magit-0:1.2.2-3.fc24.noarch emacs-magit-el-0:1.2.2-3.fc24.noarch emacs-mew-0:6.7-2.fc24.x86_64 emacs-mmm-0:0.4.8-9.fc23.noarch emacs-mmm-el-0:0.4.8-9.fc23.noarch emacs-nesc-0:1.3.5-2.fc22.noarch emacs-nesc-el-0:1.3.5-2.fc22.noarch emacs-notmuch-0:0.21-3.fc24.noarch emacs-php-mode-0:1.17.0-6.fc24.noarch emacs-proofgeneral-0:4.2-5.fc24.noarch emacs-proofgeneral-el-0:4.2-5.fc24.noarch emacs-pydb-0:1.26-14.fc24.noarch emacs-pymacs-0:0.25-7.fc24.noarch emacs-pymacs-el-0:0.25-7.fc24.noarch emacs-pyrex-0:0.9.9-10.fc24.noarch emacs-riece-0:8.0.0-9.fc24.noarch emacs-rinari-0:2.1-12.20100815git.fc24.noarch emacs-rinari-el-0:2.1-12.20100815git.fc24.noarch emacs-rpm-spec-mode-0:0.15-4.fc24.noarch emacs-sdcc-0:3.5.0-6.fc24.x86_64 emacs-slime-1:2.12-4.fc24.noarch emacs-slime-el-1:2.12-4.fc24.noarch emacs-spice-mode-0:1.2.25-16.fc24.noarch emacs-spice-mode-el-0:1.2.25-16.fc24.noarch emacs-terminal-1:25.0.94-1.fc24.noarch emacs-tuareg-0:2.0.10-0.2.1c837e26.fc24.noarch emacs-undo-tree-0:0.6.4-2.fc24.noarch emacs-verilog-mode-0:531-9.fc24.noarch emacs-vm-0:8.1.2-12.fc24.x86_64 emacs-vregs-mode-0:1.470-10.fc24.noarch emacs-w3m-0:1.4.531-0.5.20140421cvs.fc24.noarch emacs-yaml-mode-0:0.0.12-3.fc24.noarch emacspeak-0:40.0-5.fc24.x86_64 empathy-0:3.12.12-1.fc24.x86_64 erlang-0:18.3.3-1.fc24.x86_64 erlang-clique-0:0.3.5-2.fc24.x86_64 erlang-cluster_info-0:2.0.5-1.fc24.x86_64 erlang-common_test-0:18.3.3-1.fc24.x86_64 erlang-cuttlefish-0:2.0.6-1.fc24.x86_64 erlang-debugger-0:18.3.3-1.fc24.x86_64 erlang-dialyzer-0:18.3.3-1.fc24.x86_64 erlang-epgsql-0:3.1.0-2.fc24.x86_64 erlang-esdl-0:1.3.1-12.fc24.x86_64 erlang-et-0:18.3.3-1.fc24.x86_64 erlang-exometer_core-0:1.4-2.fc24.x86_64 erlang-ibrowse-0:4.2.4-2.fc24.x86_64 erlang-lager-0:3.2.0-1.fc24.x86_64 erlang-megaco-0:18.3.3-1.fc24.x86_64 erlang-merge_index-0:2.1-1.fc24.x86_64 erlang-observer-0:18.3.3-1.fc24.x86_64 erlang-rebar-0:2.6.1-10.fc24.x86_64 erlang-reltool-0:18.3.3-1.fc24.x86_64 erlang-riak_api-0:2.1.2-1.fc24.x86_64 erlang-riak_control-0:2.1.2-1.fc24.x86_64 erlang-riak_core-0:2.1.5-1.fc24.x86_64 erlang-riak_ensemble-0:2.1.2-1.fc24.x86_64 erlang-riak_kv-0:2.1.2-2.fc24.x86_64 erlang-riak_pipe-0:2.1.1-1.fc24.x86_64 erlang-riak_search-0:1.3.2-2.fc21.x86_64 erlang-riaknostic-0:2.1.3-5.fc24.x86_64 erlang-test_server-0:18.3.3-1.fc24.x86_64 erlang-typer-0:18.3.3-1.fc24.x86_64 erlang-webtool-0:18.3.3-1.fc24.x86_64 erlang-wx-0:18.3.3-1.fc24.x86_64 evolution-0:3.20.2-1.fc24.i686 evolution-0:3.20.2-1.fc24.x86_64 evolution-bogofilter-0:3.20.2-1.fc24.x86_64 evolution-data-server-0:3.20.2-1.fc24.i686 evolution-data-server-0:3.20.2-1.fc24.x86_64 evolution-data-server-devel-0:3.20.2-1.fc24.i686 evolution-data-server-devel-0:3.20.2-1.fc24.x86_64 evolution-data-server-tests-0:3.20.2-1.fc24.i686 evolution-data-server-tests-0:3.20.2-1.fc24.x86_64 evolution-devel-0:3.20.2-1.fc24.i686 evolution-devel-0:3.20.2-1.fc24.x86_64 evolution-devel-docs-0:3.20.2-1.fc24.noarch evolution-ews-0:3.20.2-1.fc24.i686 evolution-ews-0:3.20.2-1.fc24.x86_64 evolution-help-0:3.20.2-1.fc24.noarch evolution-mapi-0:3.20.1-1.fc24.i686 evolution-mapi-0:3.20.1-1.fc24.x86_64 evolution-mapi-devel-0:3.20.1-1.fc24.i686 evolution-mapi-devel-0:3.20.1-1.fc24.x86_64 evolution-perl-0:3.20.2-1.fc24.x86_64 evolution-pst-0:3.20.2-1.fc24.x86_64 evolution-rspam-0:0.6.0-13.fc24.x86_64 evolution-rss-1:0.3.95-7.fc24.x86_64 evolution-spamassassin-0:3.20.2-1.fc24.x86_64 evolution-tests-0:3.20.2-1.fc24.x86_64 fawkes-devenv-0:0.5.0-29.fc24.noarch ffgtk-plugin-evolution-0:0.8.6-18.fc24.x86_64 filezilla-0:3.17.0.1-1.fc24.x86_64 fityk-0:1.3.0-8.fc24.i686 fityk-0:1.3.0-8.fc24.x86_64 fityk-devel-0:1.3.0-8.fc24.i686 fityk-devel-0:1.3.0-8.fc24.x86_64 flim-0:1.14.9-10.fc24.noarch fmtools-tkradio-0:2.0.7-6.fc24.noarch folks-1:0.11.2-5.fc24.i686 folks-1:0.11.2-5.fc24.x86_64 folks-devel-1:0.11.2-5.fc24.i686 folks-devel-1:0.11.2-5.fc24.x86_64 folks-tools-1:0.11.2-5.fc24.i686 folks-tools-1:0.11.2-5.fc24.x86_64 frama-c-emacs-0:1.12-4.fc24.noarch freedink-0:108.4-3.fc24.x86_64 freedink-dfarc-0:3.12-4.fc24.x86_64 freedv-0:1.1-6.fc24.x86_64 fwbackups-0:1.43.5-2.fc24.noarch gadget-0:0.0.3-16.fc24.noarch gcl-emacs-0:2.6.12-5.fc24.noarch gcl-emacs-el-0:2.6.12-5.fc24.noarch gdm-1:3.20.1-1.fc24.i686 gdm-1:3.20.1-1.fc24.x86_64 gdm-devel-1:3.20.1-1.fc24.i686 gdm-devel-1:3.20.1-1.fc24.x86_64 geary-0:0.11.0-1.fc24.x86_64 giggle-0:0.7-22.fc24.i686 giggle-0:0.7-22.fc24.x86_64 giggle-devel-0:0.7-22.fc24.i686 giggle-devel-0:0.7-22.fc24.x86_64 gitso-0:0.6-13.fc24.noarch glabels-0:3.2.1-8.fc24.x86_64 gnome-calendar-0:3.20.2-1.fc24.x86_64 gnome-classic-session-0:3.20.1-1.fc24.noarch gnome-contacts-0:3.20.0-1.fc24.x86_64 gnome-initial-setup-0:3.20.1-1.fc24.x86_64 gnome-maps-0:3.20.1-1.fc24.i686 gnome-maps-0:3.20.1-1.fc24.x86_64 gnome-phone-manager-0:0.69-16.fc24.x86_64 gnome-phone-manager-telepathy-0:0.69-16.fc24.x86_64 gnome-shell-0:3.20.2-1.fc24.x86_64 gnome-shell-extension-alternate-tab-0:3.20.1-1.fc24.noarch gnome-shell-extension-apps-menu-0:3.20.1-1.fc24.noarch gnome-shell-extension-auto-move-windows-0:3.20.1-1.fc24.noarch gnome-shell-extension-background-logo-0:3.20.0-1.fc24.noarch gnome-shell-extension-calc-0:0-0.10.gite4f4ac5.fc24.noarch gnome-shell-extension-common-0:3.20.1-1.fc24.noarch gnome-shell-extension-drive-menu-0:3.20.1-1.fc24.noarch gnome-shell-extension-fedmsg-0:0.1.9-15.fc24.noarch gnome-shell-extension-gpaste-0:3.18.3-2.fc24.noarch gnome-shell-extension-iok-0:0.20160405-1.fc24.noarch gnome-shell-extension-launch-new-instance-0:3.20.1-1.fc24.noarch gnome-shell-extension-native-window-placement-0:3.20.1-1.fc24.noarch gnome-shell-extension-openweather-0:1- 0.18.20160325git8dd1696.fc24.noarch gnome-shell-extension-panel-osd-0:1-0.13.20160325gite052ded.fc24.noarch gnome-shell-extension-pidgin-0:0-0.20.gitfb9dbfd.fc24.x86_64 gnome-shell-extension-places-menu-0:3.20.1-1.fc24.noarch gnome-shell-extension-pomodoro-0:0.11.3-1.fc24.x86_64 gnome-shell-extension-remove-bluetooth-icon-0:0.5.1-5.fc24.noarch gnome-shell-extension-remove-volume-icon-0:0.5.1-5.fc24.noarch gnome-shell-extension-screenshot-window-sizer-0:3.20.1-1.fc24.noarch gnome-shell-extension-simple-dock-0:0.1- 0.20150505git25c94bc.fc24.2.noarch gnome-shell-extension-user-theme-0:3.20.1-1.fc24.noarch gnome-shell-extension-window-list-0:3.20.1-1.fc24.noarch gnome-shell-extension-windowsNavigator-0:3.20.1-1.fc24.noarch gnome-shell-extension-workspace-indicator-0:3.20.1-1.fc24.noarch gnome-shell-theme-selene-0:3.4.0-11.fc24.noarch gnome-todo-0:3.20.2-1.fc24.x86_64 gnome-tweak-tool-0:3.20.1-1.fc24.noarch gnome-web-photo-0:0.10.5-9.fc24.x86_64 gnumed-0:1.4.8-6.fc24.noarch gnumed-doc-0:1.4.8-6.fc24.noarch gnumed-server-0:19.8-4.fc24.noarch gnuradio-0:3.7.9.1-3.fc24.i686 gnuradio-0:3.7.9.1-3.fc24.x86_64 gnuradio-devel-0:3.7.9.1-3.fc24.i686 gnuradio-devel-0:3.7.9.1-3.fc24.x86_64 gnuradio-doc-0:3.7.9.1-3.fc24.noarch gnuradio-examples-0:3.7.9.1-3.fc24.x86_64 gphotoframe-0:2.0.2-2.hg2084299dffb6.fc24.1.noarch gphotoframe-gss-0:2.0.2-2.hg2084299dffb6.fc24.1.noarch gqrx-0:2.5.3-3.fc24.x86_64 gr-air-modes-0:0-0.46.20160106git514414f6.fc24.i686 gr-air-modes-0:0-0.46.20160106git514414f6.fc24.x86_64 gr-air-modes-devel-0:0-0.46.20160106git514414f6.fc24.i686 gr-air-modes-devel-0:0-0.46.20160106git514414f6.fc24.x86_64 gr-air-modes-doc-0:0-0.46.20160106git514414f6.fc24.noarch gr-fcdproplus-0:0-0.22.20140920git1edbe523.fc24.i686 gr-fcdproplus-0:0-0.22.20140920git1edbe523.fc24.x86_64 gr-fcdproplus-devel-0:0-0.22.20140920git1edbe523.fc24.i686 gr-fcdproplus-devel-0:0-0.22.20140920git1edbe523.fc24.x86_64 gr-fcdproplus-doc-0:0-0.22.20140920git1edbe523.fc24.noarch gr-iqbal-0:0.37.2-19.fc24.i686 gr-iqbal-0:0.37.2-19.fc24.x86_64 gr-iqbal-devel-0:0.37.2-19.fc24.i686 gr-iqbal-devel-0:0.37.2-19.fc24.x86_64 gr-iqbal-doc-0:0.37.2-19.fc24.noarch gr-osmosdr-0:0.1.3-18.20141023git42c66fdd.fc24.i686 gr-osmosdr-0:0.1.3-18.20141023git42c66fdd.fc24.x86_64 gr-osmosdr-devel-0:0.1.3-18.20141023git42c66fdd.fc24.i686 gr-osmosdr-devel-0:0.1.3-18.20141023git42c66fdd.fc24.x86_64 gr-osmosdr-doc-0:0.1.3-18.20141023git42c66fdd.fc24.noarch gr-rds-0:0-0.21.20150513git201f32b.fc24.i686 gr-rds-0:0-0.21.20150513git201f32b.fc24.x86_64 gr-rds-devel-0:0-0.21.20150513git201f32b.fc24.i686 gr-rds-devel-0:0-0.21.20150513git201f32b.fc24.x86_64 gr-rds-doc-0:0-0.21.20150513git201f32b.fc24.noarch grass-0:7.0.3-1.fc24.x86_64 gtg-0:0.3.1-10.fc24.noarch gtkwhiteboard-0:1.3-11.fc24.noarch guake-0:0.8.4-1.fc24.noarch hugin-0:2016.0.0-1.fc24.i686 hugin-0:2016.0.0-1.fc24.x86_64 libopensync-plugin-evolution2-1:0.22-53.fc24.i686 libopensync-plugin-evolution2-1:0.22-53.fc24.x86_64 liferea-1:1.10.19-1.fc24.x86_64 londonlaw-0:0.3.0-0.3.pre2.fc24.noarch mMass-0:5.5.0-17.fc24.x86_64 mailnag-0:1.2.0-1.fc24.noarch memaker-0:20100110-10.fc24.noarch metamorphose2-0:0.8.2-8.fc24.noarch migemo-emacs-0:0.40-24.fc24.noarch migemo-xemacs-0:0.40-24.fc24.noarch mona-emacs-0:1.4r17-1.fc24.noarch nautilus-phatch-0:0.2.7-24.fc24.noarch nicotine+-0:1.2.16-12.fc24.noarch notify-python-0:0.1.1-30.fc24.x86_64 ocaml-emacs-0:4.02.3-3.fc24.x86_64 openstv-0:1.7-6.fc24.noarch ovirt-guest-agent-gdm-plugin-0:1.0.11-2.fc24.3.noarch peppy-0:0.16.0-8.fc24.noarch phatch-0:0.2.7-24.fc24.noarch plater-0:2015.03.10-4.fc24.noarch playonlinux-0:4.2.10-7.fc24.x86_64 poedit-0:1.8.7.1-1.fc24.x86_64 printrun-0:2015.03.10-4.fc24.x86_64 pronterface-0:2015.03.10-4.fc24.noarch protobuf-emacs-0:2.6.1-4.fc24.x86_64 protobuf-emacs-el-0:2.6.1-4.fc24.x86_64 psgml-0:1.2.5-20.fc24.noarch pulseaudio-gdm-hooks-0:8.0-6.fc24.x86_64 pyhoca-gui-0:0.5.0.5-2.fc24.noarch pymol-wxpython-0:1.8-3.20151208svn4142.fc24.x86_64 pyobd-0:0.9.3-1.fc24.noarch python-couchdbkit-0:0.6.5-5.fc24.noarch python-envisage-0:4.4.0-3.fc24.noarch python-ropemacs-0:0.7-6.fc24.noarch python-squaremap-0:1.0.3-5.fc24.noarch python2-apptools-0:4.4.0-3.fc24.noarch python2-matplotlib-wx-0:1.5.1-3.fc24.x86_64 python2-pyface-0:5.0.0-9.fc24.noarch python2-pyface-qt-0:5.0.0-9.fc24.noarch python2-pyface-wx-0:5.0.0-9.fc24.noarch python2-pyudev-wx-0:0.20.0-2.fc24.noarch python2-traitsui-0:5.0.0-4.fc24.noarch qgis-devel-0:2.14.0-2.fc24.i686 qgis-devel-0:2.14.0-2.fc24.x86_64 qgis-grass-0:2.14.0-2.fc24.i686 qgis-grass-0:2.14.0-2.fc24.x86_64 qgnomeplatform-0:0.1-5.fc24.i686 qgnomeplatform-0:0.1-5.fc24.x86_64 radiotray-0:0.7.3-6.fc24.noarch rapid-photo-downloader-0:0.4.11-3.fc24.noarch recutils-0:1.7-6.fc24.i686 recutils-0:1.7-6.fc24.x86_64 recutils-devel-0:1.7-6.fc24.i686 recutils-devel-0:1.7-6.fc24.x86_64 rubygem-webkit-gtk-0:3.0.8-1.fc24.noarch rubygem-webkit-gtk-doc-0:3.0.8-1.fc24.noarch rurple-0:1.0-0.13.rc3.fc24.noarch saga-0:2.2.4-1.fc24.i686 saga-0:2.2.4-1.fc24.x86_64 saga-devel-0:2.2.4-1.fc24.i686 saga-devel-0:2.2.4-1.fc24.x86_64 saga-python-0:2.2.4-1.fc24.x86_64 seed-0:3.8.1-7.fc24.i686 seed-0:3.8.1-7.fc24.x86_64 seed-devel-0:3.8.1-7.fc24.i686 seed-devel-0:3.8.1-7.fc24.x86_64 seed-doc-0:3.8.1-7.fc24.noarch sflphone-gnome-plugins-0:1.4.1-18.fc24.x86_64 shutter-0:0.93.1-2.fc24.noarch sidc-gui-0:0.4-6.fc24.noarch sk2py-0:0.1-14.fc24.noarch soundconverter-0:2.1.6-2.fc24.noarch spe-0:0.8.4.h-16.fc24.noarch specto-0:0.4.1-9.fc24.noarch sugar-browse-0:157.3-1.fc24.noarch surf-0:0.7-1.fc24.x86_64 synce-gnome-0:0.11-12.fc24.noarch syncevolution-1:1.5.1-9.fc24.x86_64 syncevolution-devel-1:1.5.1-9.fc24.i686 syncevolution-devel-1:1.5.1-9.fc24.x86_64 syncevolution-gtk-1:1.5.1-9.fc24.x86_64 syncevolution-libs-1:1.5.1-9.fc24.i686 syncevolution-libs-1:1.5.1-9.fc24.x86_64 syncevolution-libs-akonadi-1:1.5.1-9.fc24.x86_64 syncevolution-perl-1:1.5.1-9.fc24.x86_64 system-config-printer-0:1.5.7-8.fc24.x86_64 taskcoach-0:1.4.3-2.fc24.noarch timeline-0:1.10.0-1.fc24.noarch tmda-emacs-0:1.1.12-13.fc24.noarch tsung-0:1.6.0-1.fc24.x86_64 turpial-0:3.0-7.fc24.noarch uzbl-0:0-0.39.20120514git228bc38cbd.fc24.x86_64 uzbl-browser-0:0-0.39.20120514git228bc38cbd.fc24.x86_64 uzbl-core-0:0-0.39.20120514git228bc38cbd.fc24.x86_64 uzbl-defaults-0:0-0.39.20120514git228bc38cbd.fc24.x86_64 uzbl-tabbed-0:0-0.39.20120514git228bc38cbd.fc24.x86_64 vfrnav-0:20160212-3.fc24.i686 vfrnav-0:20160212-3.fc24.x86_64 vfrnav-utils-0:20160212-3.fc24.x86_64 vfrnav-validatorservice-0:20160212-3.fc24.x86_64 vfrnav-webservice-0:20160212-3.fc24.x86_64 vfrnav-wetterdl-0:20160212-3.fc24.x86_64 wammu-0:0.40-3.fc24.noarch webkitgtk3-devel-0:2.4.11-1.fc24.i686 webkitgtk3-devel-0:2.4.11-1.fc24.x86_64 webkitgtk3-doc-0:2.4.11-1.fc24.noarch why3-emacs-0:0.87.0-3.fc24.noarch wicd-curses-0:1.7.3-2.fc23.noarch wicd-gtk-0:1.7.3-2.fc23.noarch wings-0:2.0.4-1.fc24.x86_64 winpdb-0:1.4.8-11.fc24.noarch wuja-0:0.0.8-16.fc24.noarch wxGTK3-0:3.0.2-19.fc24.i686 wxGTK3-0:3.0.2-19.fc24.x86_64 wxGTK3-devel-0:3.0.2-19.fc24.i686 wxGTK3-devel-0:3.0.2-19.fc24.x86_64 wxGTK3-docs-0:3.0.2-19.fc24.noarch wxGTK3-gl-0:3.0.2-19.fc24.i686 wxGTK3-gl-0:3.0.2-19.fc24.x86_64 wxGTK3-media-0:3.0.2-19.fc24.i686 wxGTK3-media-0:3.0.2-19.fc24.x86_64 wxGTK3-xmldocs-0:3.0.2-19.fc24.noarch wxGlade-0:0.7.2-1.fc24.noarch wxMaxima-0:15.08.2-2.fc24.x86_64 wxPython-0:3.0.2.0-10.fc24.x86_64 wxPython-devel-0:3.0.2.0-10.fc24.i686 wxPython-devel-0:3.0.2.0-10.fc24.x86_64 wxPython-docs-0:3.0.2.0-10.fc24.noarch wxsqlite3-0:3.3.2-0.1gitb05867d.fc24.i686 wxsqlite3-0:3.3.2-0.1gitb05867d.fc24.x86_64 wxsqlite3-devel-0:3.3.2-0.1gitb05867d.fc24.i686 wxsqlite3-devel-0:3.3.2-0.1gitb05867d.fc24.x86_64 xemacs-tuareg-0:2.0.10-0.2.1c837e26.fc24.noarch xiphos-gtk3-0:4.0.4-3.fc24.x86_64 xylib-0:1.4-8.fc24.i686 xylib-0:1.4-8.fc24.x86_64 xylib-devel-0:1.4-8.fc24.i686 xylib-devel-0:1.4-8.fc24.x86_64 yaws-0:2.0-2.fc24.x86_64 yaws-devel-0:2.0-2.fc24.i686 yaws-devel-0:2.0-2.fc24.x86_64 Note that work is already in progress for some of the above. Active porting efforts are underway for Evolution (which will take care of the mass of evolution-data-server dependencies like gnome-shell and gdm), Geary, and Liferea. There are also stalled porting efforts for inactive projects like Empathy, Bijiben, and Midori; these efforts have significant progress and could easily be resurrected. Question: What if we're not willing to remove packages? Answer: Well, then we'll just have to watch the count of unfixed remote code execution vulnerabilities increase forever, because there's no chance all of the above packages will be ported; we could set the deadline 10 years in the future and it still wouldn't happen. If we decide we're not willing to remove packages, I would suggest renaming the WebKit packages to webkitgtk-insecure and webkitgtk3-insecure to clarify the situation. Question: :( Answer: \_(ツ)_/ Michael

7 years, 6 months

11
24
0 / 0

Notice on WebKitGTK+ API/ABI compatibility

by Michael Catanzaro

Hi, We have recently started updating all Fedoras to the latest stable release of WebKitGTK+ in order to provide effective security support. I'm pleased that so far we have had no bug reports related to these updates. Recently, FESCo wisely adopted a policy to ban stable release updates that break API or ABI, and while I believe we currently comply, we might be skirting the line a bit. We intend to offer a API and ABI compatibility indefinitely, most likely until GTK+ 4 is released, whenever that may be, but with two caveats. First, the stable DOM bindings API/ABI will not change, but may cease to function properly if something is removed from the DOM spec. In the worst case, application crashes are possible, e.g. if an application is not expecting a function to return NULL. To avoid friction with other WebKit contributors, we cannot provide compatibility here. To my knowledge, no real world application has ever been affected by such an issue, and the odds of real world breakage here are much lower than with a typical bugfix update, so I don't see the need to worry about this -- it's just something to be aware of. If your open source application is ever unlucky enough to be affected by such an issue, we will help fix it. WebKitGTK+ also offers a larger, unstable DOM API accessible if WEBKIT_DOM_USE_UNSTABLE_API is defined. Here API/ABI compatibility is restricted to micro 2.x.y version updates; the API/ABI *will* break in a minor version update (2.x), and these updates will occur within the lifetime of a particular stable Fedora release. The only practical way to avoid API changes here is to not update WebKit and live with unfixed remote code execution vulnerabilities. Backports are not practical. Currently known users of this API are Epiphany and Yelp; since only two applications are affected, I don't consider this a practical problem. If your Fedora package needs to use this API, contact me privately so that we can know to take responsibility for rebuilding your application when needed and avoid broken updates. Third-party applications are strongly encouraged to avoid using this API. Michael

7 years, 7 months

2
4
0 / 0

F25 System Wide Change: Automatic Provides for Python RPM Packages

by Jaroslav Reznik

= Proposed System Wide Change: Automatic Provides for Python RPM Packages = https://fedoraproject.org/wiki/Changes/ Automatic_Provides_for_Python_RPM_Packages Change owner(s): * Tomas Orsava <https://fedoraproject.org/wiki/User:Torsava> * Miro Hroncok <https://fedoraproject.org/wiki/User:Churchyard> * Email: python-maint(a)redhat.com Upon building Python packages containing packaging metadata, RPM will automatically detect the standardized name of the software (i.e. dist name, name on PyPI) in the canonical format [1] and create a virtual Provides tag with the value pythonX.Ydist(CANONICAL_NAME), where X.Y is the used Python version. RPM may also detect dependencies of the software from the metadata and automatically require them using the same syntax. == Detailed Description == If during the building of a Python package RPM encounters .egg-info, .egg-link or .dist-info files (provided in Python Wheels and Eggs), it will read the standardized name of the software (i.e. dist name, name on PyPI) in the canonical format and create a virtual Provides tag with the value pythonX.Ydist(CANONICAL_NAME), where X.Y is the used Python version. Note that the canonical format can differ slightly from the name displayed, for example, on PyPI.[1] RPM will also detect dependencies of the software from the aforementioned metadata files and automatically require them using the format pythonX.Ydist(). However, because these files don't always contain the full list of requirements (which are either in setup.py or requirements.txt), the dependency generator will not be conclusive. All Python packages will need to be rebuilt so that the virtual Provides tags are generated and can be used by users, scripts and the requires generator. == Scope == * Proposal owners: Prepare a draft for the Fedora Packaging Guidelines for Python * Maintainers of the RPM package: Backport the functionality from upsteram to Fedora. — Already done thanks to Florian Festi [2] * Release engineering: Targeted rebuild of Python packages. Ticket [3]. * List of deliverables: All Fedora deliverables will be affected, but only in a very minor way that in no way jeopardizes their delivery. * Policies and guidelines: Fedora Packaging Guidelines for Python need to be updated after the implementation so users know how to take advantage of the change. * Trademark approval: Not needed for this Change [1] https://fedoraproject.org/wiki/Changes/ Automatic_Provides_for_Python_RPM_Packages#cite_note-canonical-0

7 years, 8 months

4
16
1 / 0

First stage of glibc recvmsg/sendmsg ABI revert landed in rawhide

by Florian Weimer

glibc upstream, during development of the 2.24 release, introduced new symbol versions recvmsg(a)GLIBC_2.24, sendmsg(a)GLIBC_2.24 (and recvmmsg(a)GLIBC_2.24, sendmmsg(a)GLIBC_2.24 on 64-bit architectures), in order to fix some minor POSIX compliance issue. (POSIX and the Linux kernel disagree about the width of some fields in struct msghdr.) These changes landed in rawhide as part of glibc-2.23.90-19.fc25. This change caused quite a few issues (chrony stopped building, Address Sanitizer interception of these functions was affected, probably more). Considering that the deviation from POSIX was really minor, this was considered a poor trade-off, and the patch and ABI change was eventually reverted upstream. We cannot implement the ABI reversal immediately in rawhide because that would break existing binaries, and we don't want to do a bootstrap or mass rebuild for this. Therefore, glibc-2.23.90-21.fc25 turns the new symbols into compatibility symbols. As a result, new binaries will be linked against the old symbol versions, as before, and old binaries continue to work. (glibc-2.23.90-22.fc25 adds some polishing, but this version is functionally equivalent to the previous one.) Based on Sunday's compose, the list of packages which need to rebuild is fairly small: source ---------------------------------------- NetworkManager-1.2.2-2.fc25 OpenIPMI-2.0.22-1.fc25 OpenImageIO-1.6.14-1.fc25 boost-1.60.0-7.fc25 chrony-2.4-1.fc25 collectd-5.5.1-12.fc25 cryptsetup-1.7.2-1.fc25 firefox-47.0-4.fc25 freerdp-2.0.0-9.git.aa15327.fc25 gdb-7.11.1-75.fc25 glib2-2.49.1-2.fc25 glibc-2.23.90-20.fc25 gnutls-3.4.13-1.fc25 haproxy-1.6.5-2.fc25 hostapd-2.5-4.fc25 java-1.8.0-openjdk-1.8.0.92-1.b14.fc25 libguestfs-1.33.35-1.fc25 libnice-0.1.13-6.fc25 libvirt-1.3.5-1.fc25 lxc-2.0.1-1.fc25 mono-4.4.0-5.fc25 nftables-0.6-1.fc25 ntp-4.2.6p5-41.fc25 openssh-7.2p2-7.fc25 php-5.6.23-0.1.RC1.fc25 python-twisted-16.1.1-3.fc25 qt5-qtbase-5.6.1-2.fc25 qt5-qtwebengine-5.6.1-1.fc25 qt5-qtwebkit-5.6.1-1.b889f46git.fc25 root-6.06.04-2.fc25 samba-4.4.4-1.fc25 thunderbird-45.1.1-2.fc25 tigervnc-1.6.0-6.fc25 weechat-1.5-1.fc25 wine-1.9.11-1.fc25 (35 rows) I'll wait some time to see how many of those pick up the old ABI due to regular development. Probably around mid-July, I will start pinging developers if rebuilds are missing. We must remove the compatibility symbol before the release, so I'll have to enlist help of provenpackages eventually to trigger missing rebuilds. Thanks, Florian

7 years, 9 months

3
6
0 / 0

Firefox not working anymore over ssh?

by Juan Quintela

Hi since last Monday or so, I have been able to run firefox over ssh anymore. I thought it was my setup, but further investigation showed that it is something specific to firefox. My setup is a bit more convoluted than this, but I am able to do: $ ssh -X localhost gnome-terminal And it shows a terminal as expected $ ssh -X localhost firefox Without a firefox running will hang there forever, no output at all. I tried doing strace of it, and see that is waiting for futexes. But haven't been able to see what is happening. Until last Tuesday or so (I am on F23) firefox worked over ssh without any problems. I have been running it like that for something like a year. Anyone has any suggestion? I tried also $ ssh -Y localhost firefox And it didn't helped at all (not that I am sure of the difference either). Later, Juan. PD. Really, what I normally do is run ssh to a virtual manchine in the same host.

7 years, 9 months

12
27
0 / 0

GPG2 as default /usr/bin/gpg

by Christopher

I just ran into this: https://bugzilla.redhat.com/show_bug.cgi?id=1309175 It's not a huge deal (and there are several workarounds, for git and for other tools which default ot using 'gpg'), but it highlights the mismatch between the default /usr/bin/gpg running gpg1, when other tools, like gpg-agent, are tailored for gpg2. RHEL/CentOS has shipped /usr/bin/gpg with gnupg2 since at least sometime in RHEL6. I'm not saying we shouldn't continue to ship gnupg1, but can we at least rename it, so gnupg package is version 2, and gnupg1 provides /usr/bin/gpg1 instead? This seems overdue. Is there any reason not to do this?

7 years, 9 months

12
21
0 / 0

Support for PCLMUL, AVX, FMA, etc.

by Jerry James

I am one of the maintainers of the ntl package, which is used by some numeric applications (e.g., Macaulay2 and sagemath). Upstream supports use of the PCLMUL instruction, the AVX instructions, and the FMA instructions to speed up various computations. We can't use any of those in Fedora, since we have to support a baseline x86_64. Well, that's kind of a downer. I could advertise that people with newer CPUs ought to rebuild the ntl package for their own CPUs, but what's a distribution for if people have to rebuild packages? I've been looking for a way to automatically support more recent CPUs. Yesterday I sent a patch upstream that uses gcc's indirect function support together with __attribute__((target ...)) to build vanilla x86_64, PCLMUL-enabled, AVX-enabled, and FMA-enabled varieties of several functions. Upstream was initially excited about this but then, on further reflection, offered the opinion that this approach is dangerous. The problem is that some of the types involved may change ABI depending on the instruction set in use, and therefore it would be necessary to build larger portions of the library for each supported CPU variant. At that point, as upstream said, we might as well just build the entire library for each variant. The problem then is how to choose which version of the library to use at load time. On some platforms, ld.so offers "hardware capabilities", such as sse2 on i386. By dropping a vanilla library into /usr/lib and an SSE2-enabled build into /usr/lib/sse2, applications can get the version of the library appropriate for the CPU in use. But there don't seem to be any defined hardware capabilities for x86_64. Has anybody already thought this through? What's the best approach to take? For this package, the speedups are substantial, so this is worth doing, if it can be done well. Thank you, -- Jerry James http://www.jamezone.org/

7 years, 9 months

5
4
0 / 0

Fixing /.autorelabel

by Richard W.M. Jones

It should be possible to touch /.autorelabel and have the SELinux labels on the filesystem fixed at next boot. Fedora 24 shipped with a couple of nasty bugs in /.autorelabel functionality: https://bugzilla.redhat.com/show_bug.cgi?id=1351352 https://bugzilla.redhat.com/show_bug.cgi?id=1349586 This is not particularly a new thing. This bug against systemd was filed a couple of years ago, and still not fixed although the problem is understood and there is a fix: https://bugzilla.redhat.com/show_bug.cgi?id=1049656 The general issues are: (1) Autorelabelling requires that the system is booted up "enough" to run the fedora-autorelabel.service. (2) If SELinux is enabled during the boot, then services may fail to start up correctly because of mislabelled files. (3) fedora-autorelabel.service requires local-fs.target. This is a correct dependency, but it also happens quite late -- if you look at the attached chart you can see that dozens of services need to be started successfully before we even get to local-fs.target. (4) If we don't reach the fedora-autorelabel.service then we can be dumped into a rescue shell, or worse still go into a boot loop. (5) The fedora-autorelabel.service itself can fail to be run because SELinux stops systemd from working properly (the cause of RHBZ#1049656). (6) A related problem is that the autorelabel doesn't stop other services from attempting to start while the relabel is happening. I'm not sure what's a good way to fix it. Some ways I can think of: (a) Configure /etc/selinux/config to set SELinux permissive, and modify the fedora-autorelabel.service so it edits /etc/selinux/config to re-enable SELinux next time. This editing would have to be conditional, and the details are up in the air. Maybe there could be a "/.autorelabel-enforce-after-boot" file to do this? [Note these are for VM images, so we cannot have "special" boot flags that the user must set and modify, it must all happen automatically] (b) Introduce some shortcut, low level, very minimal default target which systemd uses when it sees the /.autorelabel file. This was basically what sysvinit used to do - the /.autorelabel file was processed specially very early in the boot scripts. (c) Instead of touching the file, set the default.target to some special target. The problem with this is we want to replace default.target with the normal one after the autorelabel completes successfully, and I've no idea how to do that. (d) Combine setting SELinux to enforcing with checking for /.autorelabel. If whatever it is that reads /etc/selinux/config notices that the /.autorelabel file exists, it should do the autorelabel before setting SELinux to enforcing. (e) Insert your idea here ... Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com virt-builder quickly builds VMs from scratch http://libguestfs.org/virt-builder.1.html

7 years, 9 months

12
32
0 / 0

Fedora retirement guidelines

by James Hogarth

Right now the retirement guidelines state that you should only retire in branched (prior to freeze) and up to master... But I just had a user bitten by a change in behaviour between dnf and yum that was discovered here: https://bugzilla.redhat.com/show_bug.cgi?id=1096506 This is the bug raised with my package: https://bugzilla.redhat.com/show_bug.cgi?id=1342249 It seems very unintuitive to the user, and wasn't initially apparent to me until I look at all open dnf bugs and did a "find on page" for "obsolete" For now I've opened a rel-eng ticket to get the letsencrypt packages properly removed from the F23 repos so that a dnf install letsencrypt, like F24 behaviour, will install certbot. I guess the real question is - is the dnf behaviour correct, and if the dnf behaviour isn't going to change should we allow packagers to retire from a released branch?

7 years, 9 months

3
4
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

devel June 2016