First, done anyone have a working version of the script? Google returns the
github page which hasn't been updated in 3 years and currently fails trying
to import the 'fedora_cert' module.
Secondly, how is this not in a package yet? It's an extremely useful tool
for determining if initiating the non-responsive maintainer process.
== Summary ==
Remove ''nullok'' parameter from pam_unix module in default PAM
configuration in order to disallow authentication with empty password.
== Owner ==
* Name: [[User:pbrezina| Pavel Březina]]
* Email: <pbrezina(a)redhat.com>
== Detailed Description ==
Current default configuration allows users to login with an empty
password by setting nullok parameter to pam_unix module. This affects
only logins to local machine, it does not affect ssh logins as this
must be explicitly allowed in sshd_config. We want to disallow empty
password by default for local logins as well to improve system
Note: It is possible to disallow empty passwords with authselect call
(authselect enable-feature without-nullok) or by removing nullok
manually, however it creates possible issues in other components that
must be addressed.
=== Affected Components ===
* '''passwd''' - calling passwd -d to remove users password must be
denied if empty passwords are disallowed otherwise the user will be
locked out of the system
* '''AccountService''' - D-Bus methods ''SetPassword'' and
''SetPasswordMode'' on ''org.freedesktop.Accounts.User'' interface can
remove user’s password and lock the user out of the system if empty
password is disallowed. These calls must be denied in this case.
Additionally, these methods can be run by normal users as opposed to
''passwd -d'' and ''chage -d 0'' which can be run only by root.
Therefore only root should be able to call these methods.
* '''Gnome’s Control Center''' - when creating new users, it provides
an option to “require password to be set on first login” which creates
user with expired empty password. This would again lock the user out
of the system.
* '''Other Desktop Environments''' - may have the same issue as Gnome
=== Solution Step by Step ===
==== Step 1) Provide a unified way to read if nullok is enabled or not ====
We will create an authselect library call that would parse existing
PAM configuration (not necessarily generated by authselect) and return
list of enabled/disabled features. We will implement only ''nullok''
feature in the scope of this change but if needed it can be extended
in the future.
==== Step 2) Fix passwd -d ====
Calling ''passwd -d'' to remove user's password will fail if
''nullok'' is disabled.
==== Step 3) Fix AccountService ====
These methods on ''org.freedesktop.Accounts.User'' D-Bus interface
will be callable only by ''root'' and must return an error if
''nullok'' is disabled.
==== Step 4) Fix Desktop Environments ====
“Require password change on next login” must keep working. This
feature currently relies on setting an empty password. A new option
''nullresetok'' will be implemented for ''pam_unix'' module that will
allow user to authenticate with empty password only if a password
change for this user is enforced upon login. Authentication with empty
passwords which are not expired will be prohibited (unless ''nullok''
==== Step 5) Update PAM configuration to disable nullok by default ====
In authselect and pam components for new installations. Upgrading from
older systems will keep nullok present.
== Benefit to Fedora ==
Changes in described components (Step 1 - Step 4) are necessary to
implement in order to make sure that user accounts and tools works
correctly when authentication with empty password is disabled by
system administrator. Changing system default to disallow
authentication with empty passwords (Step 5) improves system
== Scope ==
* Proposal owners: Coordinate the work. Make sure all required changes
* Other developers: All affected component must be fixed. Changes are
described in ''Detailed Description''
* Release engineering: [https://pagure.io/releng/issue/9038 #9038] (a
check of an impact with Release Engineering is needed) <!-- REQUIRED
FOR SYSTEM WIDE CHANGES -->
<!-- Does this feature require coordination with release engineering
(e.g. changes to installer image generation or update package
delivery)? Is a mass rebuild required? include a link to the releng
The issue is required to be filed prior to feature submission, to
ensure that someone is on board to do any process development work and
testing, and that all changes make it into the pipeline; a bullet
point in a change is not sufficient communication -->
* Policies and guidelines: No updates needed.
* Trademark approval: N/A (not needed for this Change)
== Upgrade/compatibility impact ==
This does not affect system upgrades because only new installation
will have changed default.
== How To Test ==
* Calling ''passwd -d user'' as root must fail with default configuration.
* Calling ''org.freedesktop.Accounts.User.SetPassword("", hint)'' and
''org.freedesktop.Accounts.User.SetPasswordMode(x)'' must fail with
* "require password reset on first login" must keep working when
creating users from Desktop Environment's GUI tools
== User Experience ==
Users will no longer be able to use empty passwords by default.
== Dependencies ==
== Contingency Plan ==
* Contingency mechanism: Default behavior will not be changed.
* Contingency deadline: Beta
* Blocks release? No
* Blocks product? No
== Documentation ==
He / Him / His
Fedora Program Manager
## How to determine if you have an issue and how to fix it:
run: ```sudo dnf list --installed *protobuf*```
if you get a result that looks like
you have encountered the problem. so please:
run: ```sudo dnf module disable eclipse```
run: ```sudo dnf downgrade protobuf```
Any updates, as of a few hours ago, should be fine.
## What happened:
First and foremost, this issue appears to be caused by Modularity but, in
fact, is just an example of a policy not being followed. When a module
wishes to declare a "default stream" it *must* not override a
traditional RPM without express permission from FESCo. The policy is
Unfortunately, the recent change to enable an Eclipse Module Stream as a
default stream did not follow this policy and provided a different protobuf
RPM with different functionality.
## What we can do going forward:
* Increase the awareness of the policies for Fedora Modules
* Investigate an "early warning system" that would indicate to packagers
(modular and RPM) when they might be violating this policy
* Request dnf notify the user when they are enabling a superseding rpm from
a default stream module
* Request dnf provide an indication of what module is providing a
particular rpm (e.g. `dnf provides protobuf` not just indicate repo origin
but also module name and stream)
: if you are unfamiliar, this is the functionality that allows a module
stream to be used transparently by end users without them needing to
explicitly install a module.
On 07. 12. 19 11:53, Henrique Castro wrote:
> Pymol is a package that, integrated with python-rdkit and other python packages,
> makes the lives of people working with drug discovery (and chemistry in general
> too) much easier. Unfortunately, the package is broken and not even build into
> F31. The maintainer has not replied to a BZ ticket open months ago.
> At this point, the absence of the package is realy making an impact in science
> made with Fedora.
Unfortunately, pymol needs an active maintainer. Since it is retired, any Fedora
packager can request it to be unretired and become the owner of it.
Builds will start soon into a side tag (f32-build-side-14856), and
then if everything goes OK I will merge it into Rawhide.
This version should have fixed RISC-V support which is broken
currently (and requires some extremely difficult to backport fixes -
we already tried that and gave up, so upgrading to OCaml 4.09 is the
only solution if you want fixed RISC-V support).
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
Pymol is a package that, integrated with python-rdkit and other python packages, makes the lives of people working with drug discovery (and chemistry in general too) much easier. Unfortunately, the package is broken and not even build into F31. The maintainer has not replied to a BZ ticket open months ago.
At this point, the absence of the package is realy making an impact in science made with Fedora.
Henrique C. S. Junior
Today I've attempted to run "dnf upgrade".
It has the following in it:
protobuf x86_64 3.6.1-6.module_f31+6793+1c93c38e updates-modular
Enabling module streams:
I don't consider this behavior adequate for a released Fedora version.
As a maintainer of dependent packages (Cura stack) I have tested and built it
against the nonmodular protobuf. What just happened here and how do I track it down?
dnf doesn't even tell me what module is this in. I suppose eclipse.
However, protobuf was not mentioned in https://pagure.io/fesco/issue/2285
rdma-core 26.1-1.fc32 dropped support for %arm:
# 32-bit arm is missing required arch-specific memory barriers,
This broke dependecies for the arm package of openmpi
This may have affected other users of rdma-core, depending of if they
use rdma on arm. Using my x86_64 machine:
$ dnf repoquery --whatrequires libibverbs.so.1'()(64bit)' --source
Last metadata expiration check: 0:14:21 ago on Fri 06 Dec 2019 10:35:11
This has also broken hwloc-devel on arm:
Is this a definite hard requirement, or can we have at least a minimal
rdma-core for arm to avoid having to propagate a bunch of arm
conditionals down the stack?
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 https://www.nwra.com/