June 2024 - devel - Fedora Mailing-Lists

F41 Change Proposal: Make OpenSSL distrust SHA-1 signatures by default (system-wide)

by Aoife Moloney

Wiki - https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer Discussion Topic - https://discussion.fedoraproject.org/t/f41-change-proposal-make-openssl-d... This is a proposed Change for Fedora Linux. This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee. == Summary == OpenSSL will no longer trust cryptographic signatures using SHA-1 by default, starting from Fedora 41. == Owner == * Name: [[User:Asosedkin| Alexander Sosedkin]] * Email: asosedki(a)redhat.com == Detailed Description == We would like to deprecate SHA-1 in signatures, because chosen-prefix collision attacks on SHA-1 are becoming increasingly feasible. Specifically, https://sha-mbles.github.io claims a complexity of 2^63.4, and a cost of 45k US dollars, with an estimated cost of 10k US dollars by 2025 to find a chosen-prefix collision for a SHA-1 signature. With this change accepted and implemented, OpenSSL will start blocking SHA-1 signature creation and verification by default. The rejected [[ Changes/StrongCryptoSettings3 | Changes/StrongCryptoSettings3 ]] has previously included this change among several others. This is a second attempt to propose it, two years later, with a narrower scope. == Feedback == This change, when discussed as part of the rejected [[ Changes/StrongCryptoSettings3 | Changes/StrongCryptoSettings3 ]], has proved itself controversial. There seems to be a consensus that the change has to be done sooner or later, but Fedora is a remarkably conservative distribution when it comes to deprecating legacy cryptography, even if by-default-only. The decision to discover code reliant on SHA-1 signatures by blocking creation/verification has not gathered many fans, but it's not like many viable alternative proposals have been raised in return either. In particular, there is no suitable facility to perform opt-out logging of the deprecated operation. Opt-in logging through USDT probes has been implemented the last time and has been reinstated again to aid testing this change. The precursor change has received limited testing during Fedora 37 Test Days, with only a handful of bugs discovered. The ones that were, though, wouldn't be something realistically discoverable by other means. The change has received significant testing in RHEL, which distrusts SHA-1 signatures by default starting from RHEL-9. Having this switch flipped in RHEL for ~2 years further enforces our confidence in the change. == Benefit to Fedora == Fedora's security defaults will inch closer to what is considered secure in the modern-day cryptographic landscape. == Scope == * Proposal owners: flip that switch in the DEFAULT policy, provide transitional policies for testing the change. * Other developers: Test your applications under TEST-FEDORA41 policy. If the security of your application depends on trusting SHA-1 signatures, fix this, or it will stop working unless users explicitly opt into lower security guarantees. See [[SHA1SignaturesGuidance | SHA1SignaturesGuidance]]. * Release engineering: [https://pagure.io/releng/issue/12096 #12096] A change is a runtime change, so the mass rebuild considerations boil down to %check-time testsuite failures expecting different defaults. Specifically, reverting the change can be safely done without a mass-rebuild. * Policies and guidelines: CryptoPolicies section of the packaging guidelines will have to be updated to reflect that SHA-1 signatures must not be trusted by default. * Trademark approval: N/A (not needed for this Change) * Alignment with Community Initiatives: == Upgrade/compatibility impact == The change is not expected to break upgrades themselves. The ways people use Fedora are a multitude, and the rare scenarios relying on trusting SHA-1 signatures will break. Administrators willing to retain previous behavior and sacrifice security will be able to apply a compatibility policy or subpolicy before or after the upgrade. == How To Test == Preview the new defaults with `update-crypto-policies --set TEST-FEDORA41`. Proceed to use the system as usual, identify the workflows which are broken by blocking SHA-1 signature creation/verification, ideally also verify that `update-crypto-policies --set DEFAULT` fixes them, file bug reports against the affected components if not filed already. Please start your ticket title with `OpenSSLDistrustSHA1SigVer: `, mention this change page, the version of crypto-policies package and the policies under which your workflow does and does not work. Alternatively, a tool to identify the affected operation without blocking them will likely be provided, installable from https://copr.fedorainfracloud.org/coprs/asosedkin/sha1sig-tracer. One would need openssl-3.2.1-9.fc41 or newer for the tool to work. == User Experience == Some less-than-common use-cases will break. (One example from Fedora 37 test days was interoperability with old Apple devices). The affected users will need to either explicitly opt into the previous, less secure system configuration, or wait until the affected packages are updated to move away from SHA-1. Users that need the previous behaviour and don't mind the security implications will be able to revert to the old behavior system-wide (`update-crypto-policies --set FEDORA40`) or per-process (`runcp FEDORA40 command args`, requires a [https://copr.fedorainfracloud.org/coprs/asosedkin/crypto-policies-extras copr-packaged] tool). FEDORA40 policy will be maintained for several more Fedora releases. == Dependencies == All reverse dependencies of openssl are potentially affected. == Contingency Plan == * Contingency mechanism: the change is reverted * Contingency deadline: Fedora 41 Beta Freeze * Blocks release? Yes Note: with the change being a flip of a switch at heart, there's not much room for creativity in not completing it. Reverting is would be a straightforward ordeal, and would not require a mass rebuild. == Documentation == [[SHA1SignaturesGuidance | SHA1SignaturesGuidance]] contains relevant notes. Fedora packaging guidelines should be modified accordingly. == Release Notes == We'll need something to the tune of: OpenSSL no longer trusts SHA-1 signatures are no longer trusted by default. Affected users can opt out of the change at the expense of lowering the system's security. -- Aoife Moloney Fedora Operations Architect Fedora Project Matrix: @amoloney:fedora.im IRC: amoloney -- _______________________________________________ devel-announce mailing list -- devel-announce(a)lists.fedoraproject.org To unsubscribe send an email to devel-announce-leave(a)lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedora... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

2 weeks, 1 day

15
21
0 / 0

Macros stored in a separate file

by Miroslav Suchý

Lately, I noticed that several SPEC files in Fedora use this syntax: Source: macros.vlc And this file defines macros that are loaded by rpmbuild during buildtime and are used in the SPEC file. This makes parsing of the SPEC file harder, because any parser have to have this maro file in current directory - just reading SPEC file is not enough. I mentioned vlc, but it is used in many other packages: valkey, zig, typelib-srpm-macros, ansible-packaging, rakudo, sip and many many other. Why are packagers doing this? I am not saying this is bad, it just surprised me. I am used to put all macros at the top of the SPEC file and this is new to me. What is the benefit? -- Miroslav Suchy, RHCA Red Hat, Manager, Packit and CPT, #brno, #fedora-buildsys

2 weeks, 1 day

7
10
0 / 0

Mass Package Change: Turn deprecated %patchN syntax into %patch -PN

by Florian Festi

Hi everyone, RPM has deprecated the %patchN syntax in favor of %patch -PN where N is the patch number for a year now. See the RPM documentation for more information [1]. In current RPM versions, this syntax only emits a deprecation warning, but support for this syntax has been removed completely in the upcoming RPM 4.20 release. As it will be added in Fedora soon [2] it is time to switch over to the new syntax now. There are around 1800 packages that still use the old syntax. Later this week/next week, we will run this script [3] over the affected packages [4][5] to update them to the modern patch syntax. For example, the script will change: %patch0 -p1 → %patch -P0 -p1 %patch0005 -p2 → %patch -P0005 -p2 If anyone has any objections or would like to exclude a package, please let me know. As this change does not affect the resulting binary packages an immediate rebuild is not needed. The change will "only" ensure the packages still build with the new version of RPM. This is the change with the highest compatibility (back to RPM 3.x). There are more modern options (like %autosetup) that packagers are encouraged to use but are out of scope here. Florian [1] https://rpm-software-management.github.io/rpm/manual/spec.html#patch-1 [2] https://fedoraproject.org/wiki/Changes/RPM-4.20 [3] https://fedoraproject.org/wiki/File:User-Ffesti-new_patch_syntax.sh [4] https://fedoraproject.org/wiki/File:User-Ffesti-patchNN-packages.txt [5] https://fedoraproject.org/wiki/File:User-Ffesti-patchNN-package-owners.txt

2 weeks, 1 day

13
25
0 / 0

Rebuilding openvdb with required tbb2020.3

by Luya Tshimbalanga

Hello everyone, Openvdb got rebuild to use tbb2020.3 as requirement addressing an issue where Blender would fail due to incompatibility with the latest stable tbb 2021. The following packages should remain unaffected by this change: - OpenImageIO - luxcorerender - openvkl - prusa-slicer - usd-24.03-5 In case of broken dependency, use f41-build-side-90865 <https://koji.fedoraproject.org/koji/taginfo?tagID=90865> for Rawhide f40-build-side-90867 <https://koji.fedoraproject.org/koji/taginfo?tagID=90867> for Fedora 40 -- Luya Tshimbalanga Fedora Design Team Fedora Design Suite maintainer

2 weeks, 1 day

1
0
0 / 0

Re: OCaml 5.2 rebuild

by Richard W.M. Jones

The OCaml 5.2 build is ongoing. flocq FTBFS on ppc64le (only) with a stack overflow: https://koji.fedoraproject.org/koji/buildinfo?buildID=2458620 I tried increasing the stack size in case it was just marginal, but to no effect. I have reserved a ppc64le system so I can take a look at this tomorrow. Let's see if I can at least get a stack trace. This unfortunately affects several other packages: - gappalib-coq - why3 - frama-c Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com libguestfs lets you edit virtual machines. Supports shell scripting, bindings from many languages. http://libguestfs.org

2 weeks, 1 day

2
3
0 / 0

No FESCo meeting today

by Zbigniew Jędrzejewski-Szmek

There is nothing on the agenda for the meeting today so the meeting is cancelled. Zbyszek

2 weeks, 1 day

1
0
0 / 0

Fedora rawhide compose report: 20240610.n.0 changes

by Fedora Rawhide Report

OLD: Fedora-Rawhide-20240609.n.0 NEW: Fedora-Rawhide-20240610.n.0 ===== SUMMARY ===== Added images: 1 Dropped images: 0 Added packages: 1 Dropped packages: 0 Upgraded packages: 25 Downgraded packages: 0 Size of added packages: 3.66 MiB Size of dropped packages: 0 B Size of upgraded packages: 1.53 GiB Size of downgraded packages: 0 B Size change of upgraded packages: 9.80 MiB Size change of downgraded packages: 0 B ===== ADDED IMAGES ===== Image: i3 live aarch64 Path: Spins/aarch64/iso/Fedora-i3-Live-aarch64-Rawhide-20240610.n.0.iso ===== DROPPED IMAGES ===== ===== ADDED PACKAGES ===== Package: mingw-objfw-1.1.4-1.fc41 Summary: MinGW port of ObjFW RPMs: mingw32-objfw mingw64-objfw ucrt64-objfw Size: 3.66 MiB ===== DROPPED PACKAGES ===== ===== UPGRADED PACKAGES ===== Package: VirtualGL-3.1-1.fc41 Old package: VirtualGL-2.6.5-9.fc40 Summary: A toolkit for displaying OpenGL applications to thin clients RPMs: VirtualGL VirtualGL-devel Size: 4.89 MiB Size change: 954.23 KiB Changelog: * Sun Jun 09 2024 S��rgio Basto <sergio(a)serjux.com> - 3.1-1 - Update VirtualGL to 3.1 - Do not rely on hostname package (#1860323) (Fri Jul 24 2020 Pavel Zhukov <pavel(a)pzhukov-pc.home.redhat.com>) Package: clapper-0.6.0-1.fc41 Old package: clapper-0.5.2-6.fc40 Summary: Modern media player powered by GStreamer and GTK4 RPMs: clapper clapper-devel Size: 1.90 MiB Size change: 638.77 KiB Changelog: * Fri Jun 07 2024 Fabio Valentini <decathorpe(a)gmail.com> - 0.6.0-1 - Update to version 0.6.0; Fixes RHBZ#2283505 Package: deepin-icon-theme-2024.04.16-1.fc41 Old package: deepin-icon-theme-2021.11.24-6.fc40 Summary: Icons for the Deepin Desktop Environment RPMs: deepin-icon-theme Size: 34.74 MiB Size change: 293.71 KiB Changelog: * Sun Jun 09 2024 topazus <topazus(a)outlook.com> - 2024.04.16-1 - Update to 2024.04.16 Package: galera-26.4.18-3.fc41 Old package: galera-26.4.18-1.fc41 Summary: Synchronous multi-master wsrep provider (replication engine) RPMs: galera Size: 4.76 MiB Size change: 6.35 KiB Changelog: * Sun Jun 09 2024 Michal Schorm <mschorm(a)redhat.com> - 26.4.18-2 - Bump release for package rebuild * Sun Jun 09 2024 Michal Schorm <mschorm(a)redhat.com> - 26.4.18-3 - Bump release for package rebuild Package: ghostwriter-24.05.0-2.fc41 Old package: ghostwriter-24.05.0-1.fc41 Summary: Cross-platform, aesthetic, distraction-free Markdown editor RPMs: ghostwriter Size: 5.01 MiB Size change: -2.90 MiB Changelog: * Sun Jun 09 2024 Yaakov Selkowitz <yselkowi(a)redhat.com> - 24.05.0-2 - Use KF5 Package: golang-github-alecthomas-kingpin2-2.4.0-1.fc41 Old package: golang-github-alecthomas-kingpin2-2.3.2-3.fc40 Summary: Go command line and flag parser RPMs: golang-github-alecthomas-kingpin2-devel Size: 56.51 KiB Size change: -318 B Changelog: * Sun Jun 09 2024 Mikel Olasagasti Uranga <mikel(a)olasagasti.info> - 2.4.0-1 - Update to 2.4.0 Package: golang-github-alecthomas-units-0-0.22.20240609git9a357b5.fc41 Old package: golang-github-alecthomas-units-0-0.20.20210108git1786d5e.fc40 Summary: Helpful unit multipliers and functions for Go RPMs: golang-github-alecthomas-units-devel Size: 15.12 KiB Size change: 1.16 KiB Changelog: * Sun Jun 09 2024 Mikel Olasagasti Uranga <mikel(a)olasagasti.info> - 0-0.22 - Update to latest commit Package: greetd-0.10.3-1.fc41 Old package: greetd-0.10.0-1.fc41 Summary: A generic greeter daemon RPMs: greetd greetd-fakegreet greetd-selinux Size: 3.13 MiB Size change: 17.71 KiB Changelog: * Mon Jun 10 2024 Aleksei Bavshin <alebastr(a)fedoraproject.org> - 0.10.3-1 - Update to 0.10.3 (#2290645) Package: js-jsroot-7.7.0-1.fc41 Old package: js-jsroot-7.5.5-1.fc41 Summary: JavaScript ROOT - Interactive numerical data analysis graphics RPMs: js-jsroot Size: 1.12 MiB Size change: 247.24 KiB Changelog: * Sun Jun 09 2024 Mattias Ellert <mattias.ellert(a)physics.uu.se> - 7.7.0-1 - Update to version 7.7.0 Package: kanshi-1.7.0-1.fc41 Old package: kanshi-1.6.0-1.fc41 Summary: Dynamic display configuration for Wayland RPMs: kanshi Size: 142.60 KiB Size change: 4.86 KiB Changelog: * Sun Jun 09 2024 Aleksei Bavshin <alebastr(a)fedoraproject.org> - 1.7.0-1 - Update to 1.7.0 (#2290950) Package: mold-2.32.0-1.fc41 Old package: mold-2.31.0-1.fc41 Summary: A Modern Linker RPMs: mold Size: 10.05 MiB Size change: 56.56 KiB Changelog: * Sun Jun 09 2024 Christoph Erhardt <fedora(a)sicherha.de> - 2.32.0-1 - Update to 2.32.0 Package: mysql8.0-8.0.37-2.fc41 Old package: mysql8.0-8.0.36-3.fc40 Summary: MySQL client programs and shared libraries RPMs: mysql mysql-common mysql-devel mysql-errmsg mysql-libs mysql-server mysql-test Size: 1.45 GiB Size change: 10.82 MiB Changelog: * Mon Feb 19 2024 Honza Horak <hhorak(a)redhat.com> - 8.0.36-4 - Do not provide community-mysql* symbols if alternative * Tue Apr 16 2024 Michal Schorm <mschorm(a)redhat.com> - 8.0.36-5 - Fix my.cnf dependency for Flatpak builds * Thu Apr 18 2024 Lars Tangvald <lars.tangvald(a)oracle.com> - 8.0.37-1 - Update to MySQL 8.0.37 - Remove some legacy cmake options * Sun Jun 09 2024 Michal Schorm <mschorm(a)redhat.com> - 8.0.37-2 - Bump release for package rebuild Package: packit-0.97.2-1.fc41 Old package: packit-0.97.1-1.fc41 Summary: A tool for integrating upstream projects with Fedora operating system RPMs: packit python3-packit Size: 476.99 KiB Size change: -28 B Changelog: * Thu Jun 06 2024 Packit <hello(a)packit.dev> - 0.97.2-1 - We have fixed the syncing of ACLs for `propose-downtream` for CentOS Stream. (#2318) - Resolves: rhbz#2290733 Package: perl-Devel-Cover-1.43-1.fc41 Old package: perl-Devel-Cover-1.42-1.fc41 Summary: Code coverage metrics for Perl RPMs: perl-Devel-Cover Size: 886.30 KiB Size change: 844 B Changelog: * Sun Jun 09 2024 Paul Howarth <paul(a)city-fan.org> - 1.43-1 - 1.43 bump Package: perl-MCE-1.893-1.fc41 Old package: perl-MCE-1.891-1.fc41 Summary: Many-core Engine for Perl providing parallel processing capabilities RPMs: perl-MCE perl-MCE-tools Size: 331.73 KiB Size change: 988 B Changelog: * Sun Jun 09 2024 aul Howarth <paul(a)city-fan.org> - 1.893-1 - Update to 1.893 (rhbz#2291021) - Remove check if spinning threads i.e. use_threads: predictable output matches non-threads for CORE, Math::Prime::Util and Math::Random::MT::Auto (see https://perlmonks.org/?node_id=11159834) Package: python-can-4.4.0-1.fc41 Old package: python-can-4.3.1-3.fc40 Summary: Controller Area Network (CAN) support for Python RPMs: python3-can Size: 533.18 KiB Size change: 2.35 KiB Changelog: * Fri Jun 07 2024 Python Maint <python-maint(a)redhat.com> - 4.3.1-4 - Rebuilt for Python 3.13 * Sun Jun 09 2024 Peter Robinson <pbrobinson(a)fedoraproject.org> - 4.4.0-1 - Update to 4.4.0 Package: python-engineio-4.9.1-3.fc41 Old package: python-engineio-4.9.1-1.fc41 Summary: Python Engine.IO server and client RPMs: python3-engineio python3-engineio+asyncio_client python3-engineio+client Dropped RPMs: python-engineio-doc Size: 172.04 KiB Size change: -292.76 KiB Changelog: * Sun Jun 09 2024 Benjamin A. Beasley <code(a)musicinmybrain.net> - 4.9.1-2 - Stop packaging the examples * Sun Jun 09 2024 Benjamin A. Beasley <code(a)musicinmybrain.net> - 4.9.1-3 - F41+: Stop building PDF documentation; drop -doc subpackage Package: python-ipyparallel-8.8.0-2.fc41 Old package: python-ipyparallel-8.8.0-1.fc41 Summary: Interactive Parallel Computing with IPython RPMs: python3-ipyparallel python3-ipyparallel+test Size: 674.40 KiB Size change: -682 B Changelog: * Sun Jun 09 2024 Mattias Ellert <mattias.ellert(a)physics.uu.se> - 8.8.0-2 - Ignore deprecation warnings from datetime.strptime() Package: python-marshmallow-3.21.3-1.fc41 Old package: python-marshmallow-3.21.2-1.fc41 Summary: Python library for converting complex datatypes to and from primitive types RPMs: python-marshmallow-doc python3-marshmallow Size: 315.57 KiB Size change: 627 B Changelog: * Fri Jun 07 2024 Python Maint <python-maint(a)redhat.com> - 3.21.2-2 - Rebuilt for Python 3.13 * Sun Jun 09 2024 Packit <hello(a)packit.dev> - 3.21.3-1 - Update to 3.21.3 upstream release - Resolves: rhbz#2290872 Package: radicale-3.2.1-3.fc41 Old package: radicale-3.2.1-1.fc41 Summary: A simple CalDAV (calendar) and CardDAV (contact) server RPMs: python3-radicale3 radicale3 radicale3-httpd radicale3-selinux Size: 342.97 KiB Size change: 2.91 KiB Changelog: * Sat Jun 08 2024 Python Maint <python-maint(a)redhat.com> - 3.2.1-1.1 - Rebuilt for Python 3.13 * Sat Jun 08 2024 Peter Bieringer <pb(a)bieringer.de> - 3.2.1-2 - Major review of bundled Apache configuration example * Sat Jun 08 2024 Peter Bieringer <pb(a)bieringer.de> - 3.2.1-3 - Additional review+extension of bundled Apache configuration example - Fix group+permissions of /etc/radicale/rights - Create an empty file /etc/radicale/users with proper permissions Package: rubygem-http-cookie-1.0.7-1.fc41 Old package: rubygem-http-cookie-1.0.5-6.fc40 Summary: Ruby library to handle HTTP Cookies based on RFC 6265 RPMs: rubygem-http-cookie rubygem-http-cookie-doc Size: 388.76 KiB Size change: 3.10 KiB Changelog: * Fri Jun 07 2024 Mamoru TASAKA <mtasaka(a)fedoraproject.org> - 1.0.7-1 - 1.0.7 Package: rust-greetd_ipc-0.10.3-1.fc41 Old package: rust-greetd_ipc-0.10.0-1.fc41 Summary: Implementation of the greetd IPC protocol RPMs: rust-greetd_ipc+async-trait-devel rust-greetd_ipc+codec-devel rust-greetd_ipc+default-devel rust-greetd_ipc+sync-codec-devel rust-greetd_ipc+thiserror-devel rust-greetd_ipc+tokio-codec-devel rust-greetd_ipc+tokio-devel rust-greetd_ipc-devel Size: 79.98 KiB Size change: 819 B Changelog: * Mon Jun 10 2024 Aleksei Bavshin <alebastr(a)fedoraproject.org> - 0.10.3-1 - Update to 0.10.3 (#2290644) Package: shairport-sync-4.3.3-0.fc41 Old package: shairport-sync-4.3.2-0.fc41 Summary: AirTunes emulator. Multi-Room with Audio Synchronisation RPMs: shairport-sync Size: 705.43 KiB Size change: -2.33 KiB Changelog: * Sun Jun 09 2024 Bill Peck <bpeck(a)redhat.com> - 4.3.3-0 - New upstream release Package: siril-1.2.1-4.fc41 Old package: siril-1.2.1-3.fc40 Summary: Astronomical image processing software RPMs: siril Size: 9.88 MiB Size change: -5.07 KiB Changelog: * Sun Jun 09 2024 Mattia Verga <mattia.verga(a)proton.me> - 1.2.1-4 - Add AV1 and JPEGXL support through libheif Package: video-downloader-0.12.14-1.fc41 Old package: video-downloader-0.12.13-1.fc41 Summary: Download videos from websites like YouTube and many others RPMs: video-downloader Size: 165.50 KiB Size change: 909 B Changelog: * Sun Jun 09 2024 Packit <hello(a)packit.dev> - 0.12.14-1 - Update to 0.12.14 upstream release - Resolves: rhbz#2291088 ===== DOWNGRADED PACKAGES =====

2 weeks, 1 day

1
0
0 / 0

[HEADS UP] Fedora 41 Python 3.13 rebuilds to start in a side tag (hopefully) next week

by Karolina Surma

Hello, To deliver Python 3.13 with Fedora Linux 41, we will run a coordinated rebuild in a side tag. https://fedoraproject.org/wiki/Changes/Python3.13 Python 3.13.0b2 is scheduled for Tuesday, Jun 4th 2024. We hope to start the mass rebuild shortly after it's available. TL;DR: If you can, for the period of the mass rebuild just don't build your packages in rawhide. We will let you know when the side tag rebuild actually starts and when it is merged and it's safe to build in rawhide with Python 3.13. Details: If you see a "Rebuilt for Python 3.13" (or similar) commit in your package, please don't rebuild it in regular rawhide or another rawhide side tag. If you need to, please let us know, so we can coordinate. If you'd like to build a package after we already rebuilt it, you should be able to build it in the side tag via: on branch rawhide: $ fedpkg build --target=f41-python $ koji wait-repo f41-python --build <nvr> It takes time to build all the essential packages, so don't expect all your dependencies to be available right away. Any attempts to build your packages in the side tag before we do will likely fail due to missing dependencies. When in trouble, ask here or on Fedora's Matrix - Fedora Python room (https://matrix.to/#/#python:fedoraproject.org) Ping me (ksurma) or Miro (mhroncok) if you need to talk to us. Builds will appear here: https://koji.fedoraproject.org/koji/builds?latest=0&tagID=f41-python&orde... Please avoid any potentially disturbing or major changes in Python packages until the rebuild is over. Thanks! Karolina

2 weeks, 2 days

6
11
0 / 0

uploading big sources to lookaside cache

by Mattia Verga

I was just thinking... for users with a limited upload bandwidth it is a pain to upload big sources to the lookaside cache. What about implementing a way to avoid the chain "user downloads the source -> user upload the source to lookaside cache" by having some service running in the infrastructure which downloads the source file directly in the lookaside cache? My idea is that a user could issue a command like "fedpkg new-sources-download <SOURCE_FILE_URL> <HASH>" which triggers some service running in Fedora infra, near to the system where the lookaside cache is stored, which downloads the source from <SOURCE_FILE_URL>, check the hash of the downloaded file with the hash provided by user command and then store the source in lookaside cache. The user still need to download the source to provide the hash, for enhanced security, but at least avoids the limits of their upload bandwidth. This is just an idea, I don't really know how to implement that, where the backend service could run, etc... just posting to gather some thoughts. Mattia

2 weeks, 2 days

3
2
0 / 0

SPDX Statistics - Rokoku Edition

by Miroslav Suchý

Hot news: SPDX released new license list https://github.com/spdx/license-list-XML/releases/tag/v3.24.0 with 25 new licenses. Lot of them are there because of Fedora maintainers. Thank you. Two weeks ago we had: > * 24034spec files in Fedora > > * 30706license tags in all spec files > > * 10497 tags have not been converted to SPDX yet > > * 4620 tags can be trivially converted using `license-fedora2spdx` > > * Progress: 65,81% ░░░░░░████ 100% > > ELN subset: > > 92 out of 2375 packages are not converted yet (progress 96.07%) > Today we have: * 24102spec files in Fedora * 30778license tags in all spec files * 10461 tags have not been converted to SPDX yet * 4600 tags can be trivially converted using `license-fedora2spdx` * Progress: 66,01% ░░░░░░████ 100% ELN subset: 88 out of 2347 packages are not converted yet (progress 96.25%) Graph of these data with the burndown chart: https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE80... The list of packages needed to be converted is here: https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx... List by package maintainers is here https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx... List of packages from ELN subset that needs to be converted: https://pagure.io/copr/license-validate/blob/main/f/eln-not-migrated.txt New version of fedora-license-data has been released. With: 1 new license . 4 licenses are waiting to be review by SPDX.org (and then to be added to fedora-license-data) https://gitlab.com/fedora/legal/fedora-license-data/-/issues/?label_name%... Legal docs and especially https://docs.fedoraproject.org/en-US/legal/allowed-licenses/ was updated too. License analysis of remaining packages: http://miroslav.suchy.cz/fedora/spdx-reports/ New projection when we will be finished is 2025-06-05 (+25 days from last report). Pure linear approximation. If your package does not have neither git-log entry nor spec-changelog entry mentioning SPDX and you know your license tag matches SPDX formula, you can put your package on ignore list https://pagure.io/copr/license-validate/blob/main/f/ignore-packages.txt Either pull-request or direct email to me is fine. Why Rokoku edition? On today's date at 671 Japanese Emperor Tenji introduced a water clock called Rokoku. https://wadokei.org/rokoku/ https://en.wikipedia.org/wiki/Water_clock https://www.youtube.com/watch?v=UlOKaL7s0VI&t=113s Miroslav

2 weeks, 2 days

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

devel June 2024