The release status of Fedora 32 Final is no-go..
Due to open blocker bugs, Fedora 32 Final was declared "no-go". We
will reconvene at 1700 UTC on Thursday, 23 April[1] to re-evaluate.
If we determine at that time that Fedora 32 is go, it will release on
the "target release date #1" of 28 April.
For more information, please see the minutes[2] from the Fedora 32
Final Go/No-Go meeting.
[1] https://apps.fedoraproject.org/calendar/meeting/9738/
[2] https://meetbot.fedoraproject.org/fedora-meeting-1/2020-04-16/f32-final-go_…
--
Ben Cotton
He / Him / His
Senior Program Manager, Fedora & CentOS Stream
Red Hat
TZ=America/Indiana/Indianapolis
https://fedoraproject.org/wiki/Changes/systemd-resolved
== Summary ==
Enable systemd-resolved by default. glibc will perform name resolution
using nss-resolve rather than nss-dns.
== Owner ==
* Name: [[User:catanzaro| Michael Catanzaro]]
* Email: <mcatanzaro(a)redhat.com>
== Detailed Description ==
We will enable systemd-resolved by default.
# We will change the
[https://src.fedoraproject.org/rpms/fedora-release/blob/f4cc5b6ce095bb4233e5…
fedora-release presets] to enable systemd-resolved instead of disable
it.
# systemd-libs currently has
[https://src.fedoraproject.org/rpms/systemd/blob/bb79fb73875f8e71841a1ee8ede…
a %post scriplet] to enable nss-myhostname and nss-systemd by either
(a) modifying authselect's user-nsswitch.conf template, if authselect
is in use, or (b) directly modifying /etc/nsswitch.conf otherwise. We
will work with the systemd maintainers to enable nss-resolve here as
well.
# We will work with the authselect maintainers to update authselect's
minimal and nis profiles to enforce nss-resolve. These profiles modify
the hosts line of /etc/resolv.conf. (By default, Fedora uses
authselect's sssd profile, which does not modify the hosts line and
therefore does not have this problem.)
# We will remove our downstream patch to systemd that prevents systemd
from symlinking /etc/resolv.conf to
/run/systemd/resolve/stub-resolv.conf on new installs. For system
upgrades, a systemd-libs %post scriptlet will be used to reassign the
symlink during upgrade. Upon detecting this symlink, NetworkManager
will automatically enable its systemd-resolved support and configure
split DNS as appropriate.
systemd-resolved has been enabled by default in Ubuntu since Ubuntu
16.10, but please note we are doing this differently than Ubuntu has.
Ubuntu does not use nss-resolve. Instead, Ubuntu uses the traditional
nss-dns provided by glibc upstream, so glibc on Ubuntu continues to
read /etc/resolv.conf, as is traditional. This extra step is not
useful and not recommended by upstream. We want to follow upstream
recommendations in using nss-resolve instead.
If you do not wish to use systemd-resolved, then manual intervention
will be required to disable it:
* Modify /etc/authselect/user-nsswitch.conf and remove `resolve
[!UNAVAIL=return]` from the hosts line. Run `authselect
apply-changes`. (If you have disabled authselect, then edit
/etc/nsswitch.conf directly.)
* Disable and stop systemd-resolved.service.
* Restart the NetworkManager service. NetworkManager will then create
a traditional /etc/resolv.conf. (If you are not using NetworkManager,
you may create your own /etc/resolv.conf.)
== Benefit to Fedora ==
=== Standardization ===
Fedora will continue its history of enabling new systemd-provided
services whenever it makes sense to do so. Standardizing on upstream
systemd services is beneficial to the broader Linux ecosystem in
addition to Fedora, since standardizing reduces behavior differences
between different Linux distributions. Sadly, Fedora is no longer
leading in this area. Ubuntu has enabled systemd-resolved by default
since Ubuntu 16.10, so by the time Fedora 33 is released, we will be
three years behind Ubuntu here.
=== resolvectl ===
`resolvectl` has several useful functions (e.g. `resolvectl status` or
`resolvectl query`) that will be enabled out-of-the-box.
=== Caching ===
systemd-resolved caches DNS queries for a short while. This can
[https://gitlab.gnome.org/GNOME/glib/-/merge_requests/682#note_441846
dramatically] improve performance for applications that do not already
manually cache their own DNS results. (Generally, only web browsers
bother with manually caching DNS results.)
=== Split DNS ===
When systemd-resolved is enabled, users who use multiple VPNs at the
same time will notice that DNS requests are now sent to the correct
DNS server by default. Previously, this scenario would result in
embarrassing "DNS leaks" and, depending on the order that the VPN
connections were established, possible failure to resolve private
resources. These scenarios will now work properly. For example,
consider the scenario of Distrustful Denise, who (quite reasonably)
does not trust her ISP. Denise uses a public VPN service,
public-vpn.example.com, to hide her internet activity from her ISP,
but she also needs to use her employer's corporate VPN,
corporation.example.com, in order to access internal company resources
while working from home. Using the Network panel in System Settings,
Denise has configured her employer's VPN to "use this connection only
for resources on its network." Distrustful Denise expects that her
employer's VPN will receive all traffic for corporation.example.com,
and no other traffic. And while this mostly works in Fedora 32, she
discovers that it does not work properly for DNS:
* If Denise connects to public-vpn.example.com first and
corporation.example.com second, she is unable to access internal
company resources. All DNS requests are sent to
public-vpn.example.com's DNS server, so she is unable to resolve names
for internal company websites.
* If Denise connects to corporation.example.com first and
public-vpn.example.com second, then she is able to access internal
company resources. However, it only works because ''all'' her DNS
requests are sent to corporation.example.com's DNS server. Sadly for
Distrustful Denise, her employer discovers that she has been making
some embarrassing DNS requests that she had expected to go through
public-vpn.example.com instead.
Whichever VPN Denise connects to first receives all DNS requests
because glibc's nss-dns module is not smart enough to split the
requests. /etc/resolv.conf is just a list of DNS servers to try in
order, and NetworkManager has no plausible way to decide which to list
first, because both ways are broken, so it just prefers whichever was
connected first. And if one server fails to respond, then the next
server in the list will be tried, likely resulting in a DNS leak. In
contrast, when systemd-resolved is enabled, it will send each DNS
request only to the correct DNS server. The DNS server that will be
used for each tun interface can be inspected using the resolvectl
tool.
Migrating away from /etc/resolv.conf will also avoid an annoying
footgun with this legacy file: only the first three listed nameservers
are respected. All further nameservers are silently ignored.
NetworkManager adds a warning comment when writing more than three
nameservers to this file, but it cannot do any better than that.
=== DNS over TLS ===
systemd-resolved supports DNS over TLS (different from DNS over
HTTPS). Although this feature will not initially be enabled by
default, using systemd-resolved will enable us to turn on DNS over TLS
in a future Fedora release, providing improved security if the user's
DNS server supports DNS over TLS.
== Scope ==
* Proposal owners: We will update Fedora presets to enable
systemd-resolved by default.
* Other developers: This change requires coordination with the systemd
and authselect maintainers.
* Release engineering: [https://pagure.io/releng/issue/9367 #9367]
* Policies and guidelines: none required
* Trademark approval: N/A (not needed for this Change)
== Upgrade/compatibility impact ==
systemd-resolved will be enabled automatically when upgrading to
Fedora 33. After upgrade, /etc/resolv.conf will be managed by systemd
and symlinked to /run/systemd/resolve/stub-resolv.conf. '''glibc will
no longer look at /etc/resolv.conf when performing name resolution.'''
Instead, glibc will communicate directly with systemd-resolved via
nss-resolve. systemd adds a large warning comment to the top of
/etc/resolv.conf to warn system administrators that changes to this
file will be ignored; however, scripts that edit this file manually
will break. Because this file is usually managed by NetworkManager,
impact to Fedora users will be limited to users who have manually
disabled NetworkManager; such users are expected to be experienced
system administrators who should be comfortable adapting to the change
(or disabling systemd-resolved).
Any applications that bypass glibc and read /etc/resolv.conf directly
will still work because /etc/resolv.conf will point to
systemd-resolved's stub resolver running on 127.0.0.53. Nevertheless,
/etc/resolv.conf is provided only for compatibility purposes, and
applications should prefer to use either glibc or the systemd-resolved
D-Bus API instead; see systemd-resolved(8) for details.
In short, '''applications that read /etc/resolv.conf will continue to
work as before.''' Applications that write to it will no longer work
as expected, but this only previously worked if NetworkManager is
disabled, a non-default configuration. It remains possible to disable
systemd-resolved if desired. Otherwise, any custom system
administration scripts that manage /etc/resolv.conf will need to be
updated.
=== DNSSEC ===
systemd-resolved's DNSSEC support is known to cause compatibility
problems with certain network access points. Per recommendation from
the systemd developers, we will change the default value of this
setting in Fedora from the upstream default `DNSSEC=allow-downgrade`
to `DNSSEC=no` by building systemd with the build option
`-Ddefault-dnssec=no`. The upstream default attempts to use DNSSEC if
it is working, but automatically disable it otherwise, allowing
man-in-the-middle attackers to disable DNSSEC. Sadly, even the
allow-downgrade setting suffers known compatibility problems. Because
Fedora is not prepared to handle an influx of DNSSEC-related bug
reports, we will disable this feature altogether. We anticipate that
enabling DNSSEC by default will not be possible in the foreseeable
future, or perhaps ever. Instead, enabling DNS over TLS (when
supported by the DNS server) seems likely in the near future.
=== Multicast DNS ===
systemd-resolved's multicast DNS support conflicts with Avahi. Per
recommendation from the systemd developers, we will change the default
value of this setting in Fedora from the upstream default
`MulticastDNS=yes` to `MulticastDNS=resolve`. Multicast DNS resolving
will be enabled, but responding will be disabled. This will require
adding a new systemd build option to control the default value of the
MulticastDNS setting, similar to the existing `default-dnssec` and
`default-dns-over-tls` build options.
== How To Test ==
Load any website in a web browser. If you succeed, then name
resolution probably works.
Try using `resolvectl status` and, for example, `resolvectl query
fedoraproject.org`, to see how they work and sanity-check their
output.
Users who use multiple VPNs at the same time are encouraged to test
DNS in a multiple VPN scenario, to ensure that DNS requests are sent
to the expected DNS server.
== User Experience ==
See the Benefit to Fedora section, above, for direct benefits to users
who use multiple VPNs at the same time.
Users will be able to use the resolvectl tool and the functionality it provides.
/etc/resolv.conf will now be managed by systemd rather than by
NetworkManager. As before, this file must not be modified directly
when it is managed.
== Dependencies ==
In Fedora, /etc/nsswitch.conf is managed by authselect. By default,
authselect uses the sssd profile to generate configuration compatible
with sssd. In this mode of operation, it does not modify the hosts
line in /etc/nsswitch.conf. This is also true if using the winbind
profile instead of the sssd profile. However, authselect's minimal and
nis profiles do modify the hosts line. These authselect profiles must
be updated to enable nss-resolved. If you are using authselect in one
of these modes, it will not be possible to cleanly disable
systemd-resolved because the hosts line in /etc/nsswitch.conf will be
clobbered whenever 'authselect apply-changes' is run. If you wish to
disable systemd-resolved and you are using authselect in one of these
modes, then you should stop using authselect. This is not expected to
cause many problems because virtually all Fedora users will be using
the default sssd profile.
We do not need to directly make any changes to the /etc/nsswitch.conf
shipped by glibc. Changes will be applied in the systemd-libs %post
scriptlet.
== Contingency Plan ==
The contingency plan, in the unlikely event of unexpected problems, is
simply to revert any changes and not enable systemd-resolved.
* Contingency deadline: beta freeze
* Blocks release? No
* Blocks product? No
== Documentation ==
* systemd-resolved is documented in several manpages: resolvectl(1),
resolved.conf(5), nss-resolve(8), systemd-resolved(8).
* [https://wiki.archlinux.org/index.php/Systemd-resolved Arch Wiki
documentation]
* [https://wiki.gnome.org/Projects/NetworkManager/DNS NetworkManager
DNS documentation]
== Release Notes ==
systemd-resolved is now enabled by default. systemd-resolved provides
a system-level DNS cache that can substantially improve performance
for applications that do not cache their own DNS results, allows
correct handling of split DNS scenarios such as when multiple VPNs are
in use, and will allow Fedora to enable DNS over TLS in the future.
/etc/resolv.conf will now be managed by systemd-resolved rather than
by NetworkManager. /etc/resolv.conf will no longer be read when
performing name resolution using glibc; however, it is still provided
for compatibility with applications that manually read this file to
perform name resolution. Writing to /etc/resolv.conf will no longer
work as expected.
--
Ben Cotton
He / Him / His
Senior Program Manager, Fedora & CentOS Stream
Red Hat
TZ=America/Indiana/Indianapolis
https://fedoraproject.org/wiki/Changes/Erlang_23
== Summary ==
Update Erlang/OTP to version 23.
== Owner ==
* Name: [[User:Peter|Peter Lemenkov]], [[SIGs/Erlang|Fedora Erlang
SIG]], [[User:bowlofeggs|Randy Barlow]], [[User:jcline|Jeremy Cline]]
* Email: lemenkov(a)gmail.com, erlang(a)lists.fedoraproject.org,
bowlofeggs(a)fedoraproject.org, jcline(a)fedoraproject.org
== Detailed Description ==
Upgrade Erlang to version 23 which brings a lot of changes. Just a few
highlights:
* Numerous scalability and performance improvements.
* New modules - pg (pool group) and erpc (enhanced RPC).
* Removed SSL 3.0 support entirely.
* Removed deprecated part of erl_interface API
* An experimental socket backend for TCP and UDP API.
* Even faster SSL/TLS operations.
* Now it's possible to work w/o external EPMD in production-ready applications
Aside from this, we plan to improve quality of Erlang and related
packages. These are shortcomings we want to address:
Besides that we still have a lengthy list of TODOs:
* Every daemon written in Erlang has its own logging solution which
doesn't use neither syslog nor Journald. We should start switching
them to unified logger..
* We should allow D-Bus API via [https://github.com/lizenn/erlang-dbus
erlang-dbus] library or any other recent implementations..
* Further improve [[User:Peter/Erlang_Packaging_Guidelines|Erlang
Packaging Guidelines]] and promote it as the official guideline.
* Switch to rebar3 as a main build tool.
* SELinux rules for main Erlang applications (Ejabberd, CouchDB,
RabbitMQ) are outdated or missing.
== Benefit to Fedora ==
Fedora users, both developers and end-users, will have visible
benefits from using Fedora-provided packages. Namely:
* Improved scalability and robustness.
== Scope ==
* Proposal owners:
** [https://bugzilla.redhat.com/807897 Upgrade Erlang to the latest
version (23.0)].
** We must rebuild every package which requires NIF version (listed
below in the [[#Dependencies|Dependencies]] section) against Erlang
23.x.y.
** Every Erlang daemon's systemd unit must require epmd.socket.
** We need to fill new review request for
[https://github.com/lizenn/erlang-dbus erlang-dbus]
** Upgrade outdated packages:
*** {{package|riak|Riak}}
**** {{package|riak|Riak}} has has been retired. We have to re-add it back.
*** {{package|ejabberd|Ejabberd}}
*** {{package|rabbitmq-server|RabbitMQ}}.
*** {{package|couchdb|CouchDB}}
** {{package|erlang-rebar3|rebar3}}
*** Provide/adjust RPM macros for rebar3.
** Package GDB macros for easier coredump debugging (see also
[https://bugzilla.redhat.com/show_bug.cgi?id=663253 this ticket]).
* Other developers: N/A
* Release engineering: TBA
* Policies and guidelines:
** We should promote officially
[[User:Peter/Erlang_Packaging_Guidelines|Erlang Packaging
Guidelines]].
* Trademark approval: N/A (not needed for this Change)
== Upgrade/compatibility impact ==
* Every Erlang upgrade requires the rebuilding of modules which
contains [http://www.erlang.org/doc/reference_manual/ports.html ports]
or [http://www.erlang.org/doc/tutorial/nif.html NIFs], and we will
rebuild all such modules in Fedora. However if a user has some
additional modules not available in a Fedora repository, then these
modules must be rebuilt manually.
* So-called [http://erlang.org/doc/man/HiPE_app.html HiPE] continues
to deteriorate. In this version it's barely functional and likely is
going to be removed in the next one.
== How To Test ==
* Ensure that high-grade Erlang applications are still working:
(see wiki)
* Collect feedback from volunteers regarding their experience with
this Erlang/OTP version
== User Experience ==
Users will get more robust, scalable, and fast Erlang applications.
== Dependencies ==
The following packages must be rebuilt:
(see wiki)
== Contingency Plan ==
* Contingency mechanism: None necessary. Instead of falling back to
the previous version we should fix existing packages in order to help
the Community. We should also monitor upstream development process for
potentially discovered issues and proactively apply patches (as we
already did with [[Features/Erlang_R14|Erlang R14]],
[[Features/Erlang_R15|Erlang R15]], [[Features/Erlang_R16|Erlang
R16]], [[Changes/BetterErlangSupport|Erlang 17]],
[[Changes/Erlang_18|Erlang 18]], [[Changes/Erlang_19|Erlang 19]],
[[Changes/Erlang_20|Erlang 20]], [[Changes/Erlang_21|Erlang 21]] and
[[Changes/Erlang_22|Erlang 22]]). It should be noted that this change
consists from an independent or loosely coupled smaller changes. If we
fail to deliver some changes in time, we should reschedule these exact
changes to the future Fedora release while keeping already implemented
ones.
* Contingency deadline: N/A
* Blocks release? N/A
* Blocks product? N/A
== Documentation ==
* [https://www.erlang.org/news/138 Erlang/OTP 23 Release Candidate 2
release notes]
== Release Notes ==
Erlang/OTP 23.0 is available in Fedora 33.
--
Ben Cotton
He / Him / His
Senior Program Manager, Fedora & CentOS Stream
Red Hat
TZ=America/Indiana/Indianapolis
Good Morning Everyone,
You may remember that Nils, Adam and pingou have been investigating what
it would take to get rid of maintaining the changelog and release fields
manually in our spec files (but still have them in the produced RPMs).
We have already discussed the idea in a few threads:
- https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org…
announced the original idea
- https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org…
presented some of the possible approaches to do this
The result of these discussions and our investigations is `rpmautospec`
As its documentation says:
`rpmautospec` is a program and library used to automatically generate the
release and changelog fields in RPM spec files opting to use it.
`rpmautospec` is currently a proof of concept, we have deployed it in staging
and with this email we would like to invite you to test it there.
We have written some documentation on how `rpmautospec` works and how you
can opt in at: https://docs.pagure.org/Fedora-Infra.rpmautospec/
To interact with staging you will need:
- to use `stg-koji` instead of `koji`
- to use `fedpkg-stage` instead of `fedpkg` (``dnf install fedpkg-stage``)
- to kinit against `STG.FEDORAPROJECT.ORG`
- to test with rawhide as rpmautospec is only available there in staging at this
point
To remove some of the warnings thrown by `fedpkg` or to simply keep `rpmbuild`
working locally, you will have to install the `rpmautospec-rpm-macros` package
available in your nearest bodhi (it's still hot from the oven at the time of
writing this email so it hasn't made it yet to updates-testing).
Note, this task was very much time-bound for us and we reached this limit, so
this is not something that we will be heavily working on in the coming 3 months.
However, if there are sufficient people testing this in staging, providing
feedback or contributing to it, we may (depending on that feedback) look at
pushing this project forward later in the year.
Finally, while we've tried to be careful, we're sure that we've missed some
use cases and that this software isn't bug free, so please bear with us if
some of its edges are rough and report your issues/RFEs at:
https://pagure.io/Fedora-Infra/rpmautospec/
Thanks in advance for your help and feedback,
Adam, Nils and Pierre
PS:
- F32 update: https://bodhi.fedoraproject.org/updates/FEDORA-2020-7f41380eb9
- F31 update: https://bodhi.fedoraproject.org/updates/FEDORA-2020-3ee46bf2cd
- F30 update: https://bodhi.fedoraproject.org/updates/FEDORA-2020-081a876918
https://fedoraproject.org/wiki/Changes/perl5.32
== Summary ==
A new ''perl 5.32'' version brings a lot of changes done over a year
of development. Perl 5.32 will be released in May 2020. See
[https://metacpan.org/pod/release/XSAWYERX/perl-5.31.10/pod/perldelta.pod
5.31.10 perldelta] for more details about preparing release.
== Owner ==
* Name: [[User:Jplesnik| Jitka Plesníková]]
* Email: <jplesnik(a)redhat.com>
* Name: [[User:Ppisar| Petr Písař]]
* Email: <ppisar(a)redhat.com>
=== Completed Items ===
=== Items in Progress ===
=== Items to Be Done ===
* Upstream to release Perl 5.32
* Get dedicated build-root <!-- [https://pagure.io/releng/issue/8384
build-root from rel-engs (''f31-perl'') ] -->
* Define perl_bootstrap in perl-srpm-macros
* Rebase perl to 5.32.0
<!--* Build new perl 5.32 keeping old COMPAT Provides -->
* Rebuild dual-lived packages (otherwise dnf recommends --skip-broken and fails)
* Rebuild packages needed for minimal build-root
* Rebuild packages needed for building source packages from git repository
* Rebuild other packages: Use Fedora::Rebuild dependency solver
<!--* Remove old perl(:MODULE_COMPAT_5.30.*) from perl -->
* Undefine perl_bootstrap
* Rebuild packages having perl_bootstrap condition in spec file
* Rebuild all updated packages
* [https://jplesnik.fedorapeople.org/5.32/ Final lists of results]
* Merge dedicated build-root to rawhide and remove the dedicated one by rel-engs
* Synchronize packages upgraded in ''f33'' build root
* Rebuilt Perl packages: 0 of 3182 done (0.00%)
* Failed builds (0):
== Detailed Description ==
New perl is released every year and updates containing mainly bug
fixes follow during the year. The 5.32.0 version is stable release
this year.
== Benefit to Fedora ==
Up-to-date and latest perl release will be delivered to Fedora users.
== Scope ==
Every Perl package will be rebuilt in a dedicated ''f33-perl''
build-root against perl 5.32.0 and then if no major problem emerges
the packages will be merged back to ''f33'' build-root.
* Proposal owners:
New perl and all packages requiring perl or a Perl module will be
rebuilt into ''f33-perl'' build-root.
* Other developers:
Owners of packages that fail to rebuild, mainly perl-sig users, will
be asked using Bugzilla to fix or remove their packages from the
distribution.
* Release engineering: [https://pagure.io/releng/issue/9387 #9387]
Release engineers will be asked for new ''f33-perl'' build-root
inheriting from ''f33'' build-root. After successful finishing the
rebuild, they will be asked to merge ''f33-perl'' packages back to
''f33'' build-root.
* Policies and guidelines:
No policies have to be modified to complete this change.
== Upgrade/compatibility impact ==
Vast majority of functionality will be preserved. Only the packages
that failed to build against perl 5.30 will be removed from the
distribution. That will require to remove those packages from existing
systems otherwise package manager will encounter unsatisfied
dependencies.
== How To Test ==
Try upgrading from Fedora 32 to 33. Try some Perl application to
verify they work as expected. Try embedded perl in slapd or snmpd.
== User Experience ==
There should not be any remarkable change in user experience. With the
exception that previously locally installed modules with a CPAN
clients will need a reinstalation.
== Dependencies ==
There is more than 3100 packages depending on perl. Most of them are
expected not to break. Finishing this change can be endangered only by
critical changes in a toolchain.
== Contingency Plan ==
If we find perl 5.32 is not suitable for Fedora 33, we will revert
back to perl 5.30 and we drop the temporary build-root with already
rebuilt packages.
* Contingency deadline: branching Fedora 33 from Rawhide.
* Blocks release? No.
== Documentation ==
* perldelta
* An announcement on the perl-devel mailing list
* An announcement on fedora-devel mailing list
== Release Notes ==
* TBD - when release candidate appears
--
Ben Cotton
He / Him / His
Senior Program Manager, Fedora & CentOS Stream
Red Hat
TZ=America/Indiana/Indianapolis
https://fedoraproject.org/wiki/Changes/OpenSSL3.0
== Summary ==
The OpenSSL package is rebased to version 3.0 and the dependent
packages are rebuilt.
== Owner ==
* Name: [[User:Tmraz| Tomáš Mráz]]
* Email: <tmraz(a)redhat.com>
== Detailed Description ==
The OpenSSL 3.0 release is going to be a significantly new release
with changed ABI however with minimal API changes. That means most of
the dependent packages will need just a rebuild to work with the new
OpenSSL package. However (at least temporarily) a compat-openssl11
package will be provided along the base package so the operation of
the Rawhide is not disrupted.
The OpenSSL 3.0 is still in development now but a first beta release
should be done in June. After that time the work on the rebase will
start and it should be possible to finish it still with a beta
releases. Later releases up to the final one should not be disruptive
and they should not break API/ABI.
== Benefit to Fedora ==
This change introduces OpenSSL 3.0 with its significantly reworked
internals which allow for better replacement of the crypto
implementations via the
[https://www.openssl.org/docs/OpenSSL300Design.html Crypto Providers]
concept.
== Scope ==
* Proposal owners: Provide a compat-openssl11 package, identify
dependent packages, provide the rebased openssl package, work with
dependent package owners on rebuilds.
* Other developers: Dependent package owners rebuild their packages.
Most of the dependencies will not require code changes but for some
more fragile dependencies (mostly language bindings) there might be
changes needed especially in the test cases which depend on some
legacy behavior.
* Release engineering: [https://pagure.io/releng/issues #Releng issue
number] If compat package is provided a mass rebuild should not be
necessary.
* Policies and guidelines: No update of packaging guidelines or other
policies should be needed.
* Trademark approval: N/A (not needed for this Change)
== Upgrade/compatibility impact ==
If compat-openssl11 package is provided there should be no issues with upgrades.
== How To Test ==
If your application uses OpenSSL to communicate via TLS or perform
other tasks that use cryptographic algorithms from OpenSSL, please
test whether it continues to work properly. This should be covered by
the comprehensive upstream testsuite of OpenSSL. However many
dependent packages also provide good test coverage of OpenSSL
functionality.
== User Experience ==
There should be no impact on end-user experience.
== Dependencies ==
There are many packages which depend on libssl or libcrypto from
OpenSSL. Most of them should just work after rebuild with the new
openssl package. However it is also not critically needed to rebuild
everything at once if compat library compat-openssl11 package is
provided.
== Contingency Plan ==
If the openssl-3.0 is too unstable before the branching point of
Fedora 33 we will not update the package and delay the change to
Fedora 34.
If the openssl is already updated but it is found out to be too
unstable later we can revert to previous version however a rebuild of
all dependencies that were already rebuilt will be needed.
* Contingency mechanism: Revert package, rebuild updated dependencies.
* Contingency deadline: Before release
* Blocks release? No
* Blocks product? No
== Documentation ==
[https://www.openssl.org/docs/OpenSSL300Design.html OpenSSL 3.0
upstream design document]
[https://www.openssl.org/policies/releasestrat.html OpenSSL 3.0
release schedule]
== Release Notes ==
Fedora 33 comes with OpenSSL 3.0 as the primary OpenSSL package. It
brings support for Crypto Providers interface.
--
Ben Cotton
He / Him / His
Senior Program Manager, Fedora & CentOS Stream
Red Hat
TZ=America/Indiana/Indianapolis
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
I've just published a fourth version[1] of the ELN proposal. With a
lot of input from Miro Hrončok, I think I've finally been able to
clarify some of the points that we were getting hung up on.
Changes in this version of the proposal[2]:
* Improve our explanation of why we are doing ELN in the first place
* Clarify the relationship with Rawhide
* Better describe what happens if packages don't build on ELN
* Explain our plan for when to use conditionals (this was getting a
larger share of the conversation than it warranted because we didn't
do a good job of explaining that they should be the exception and not
the rule)
* Clarify that the time limit on PRs is only for determining if the
maintainer is responsive. If they reply, the timer is cleared.
* Fixed the question about upstream features to make it clear that
what we meant is that new features should go upstream first, not be
implemented as a fork in ELN
* Added a section explaining how we will deal with side-tags
* Make it clear that we don't want to diverge wherever possible and
that any planned divergence should be discussed with the ELN SIG ahead
of time
* Cleaned up the contingency plan section.
I hope that these changes will make our position more clear. Thank you
to everyone who has contributed to this discussion. I think the
feedback has been very valuable and I sincerely appreciate it.
[1] https://fedoraproject.org/wiki/Changes/ELN_Buildroot_and_Compose
[2] https://fedoraproject.org/w/index.php?title=Changes%2FELN_Buildroot_and_Com…
-----BEGIN PGP SIGNATURE-----
iQGzBAEBCAAdFiEEhQqd0dvyrMxvxJSRRduFpWgobREFAl6LpNgACgkQRduFpWgo
bRH4MAwAu1INM0mplL1yQiW2DMS148VubU5DkxRbaE3biZTvw5WzzbpxwpXr+nFp
eZf7IUyn5HCdtCAk1TQ4ga/TuV5VsaEEZ+a9p8PZfs4XTEMGpB7olP0Z8Jq1PWwn
EM6+4BAUWJ4JS7Q1+/CnEkUHA+1ZVeAzeb5bfSlcae2Vgx6evQMB4rEqAXdr16Qk
3Hi082+4SutmBv67cRA/JdRZmvUaHYtS4y5DrWAXOS23k8SHUCT/2O2f7NRPAoG/
f+04nG5JyUePY64pnVtDnsVMwETWiNSSs4V1dbKYe9Fj5H/jbvKIsvo8AWxw4BAq
rXCSIB3wMf08eM2KTaLvk0x+cz2BiSEZEDVdceffVXMwnUZulu/oeYDKdQg9OoHW
IQJbMoASgxRUXH1ZiMy8Q3SgQHvcu/YLmjS+djlVakLunhW7NfQjZB7txMyDi0PY
Hwn32C1kXnaoBJds4zB4QpWiJy5wI82CRL92Zvz0kiRPiO9TMCuj+t5kLZVmVTnI
8ShPIeos
=+lwN
-----END PGP SIGNATURE-----
https://fedoraproject.org/wiki/Changes/NetworkTimeSecurity
== Summary ==
Support for the Network Time Security (NTS) authentication mechanism
in the NTP client/server (chrony) and installer (anaconda).
== Owner ==
* Name: [[User:mlichvar| Miroslav Lichvar]], [[User:mkolman| Martin Kolman]]
* Email: mlichvar(a)redhat.com, mkolman(a)redhat.com
== Detailed Description ==
NTP is a widely used protocol for synchronization of clocks over
network. Authentication of NTP packets is important to prevent a
Man-in-the-middle (MITM) attacker from taking full control over the
client's clock (e.g. force it to jump to a distant future or past).
Several different authentication mechanisms have been specified for
NTP. The oldest and simplest one uses secret keys, where each client
has its own key which needs to be securely distributed to the server
and client. This means it is mostly limited to local networks. Autokey
is a newer mechanism based on public-key cryptography, but it was
shown to be insecure and it is rarely supported on public servers.
NTS is a new authentication mechanism
[https://datatracker.ietf.org/doc/draft-ietf-ntp-using-nts-for-ntp
specified by the IETF] for NTP. NTS has an NTS-KE protocol using
Transport Layer Security (TLS) to establish the keys and provide the
client with cookies which allow the NTP server to not keep any
client-specific state. NTP packets are authenticated using
Authenticated Encryption with Associated Data (AEAD). NTS is expected
to scale well to a large numbers of clients. There are already some
public NTP servers with NTS support.
The default NTP client and server on Fedora is `chrony`. Support for
NTS is added in version 4.0. It uses the GnuTLS library for TLS and
the Nettle library for AEAD.
NTS authentication can be enabled on the client by adding the `nts`
option to the `server` or `pool` directive in ''/etc/chrony.conf''.
Until a standard port is assigned for NTS by IANA, the port may need
to be specified with the `ntsport` option. For example
`
server time.example.com iburst nts ntsport 12123
`
When using NTS-enabled NTP sources, any NTP source that is not trusted
and reachable over a trusted network should be disabled. This includes
servers provided by DHCP. They should be disabled by adding
`PEERNTP=no` to ''/etc/sysconfig/network''.
We can consider changing the default ''/etc/chrony.conf'' to use some
trusted public NTP servers with NTS support. There are public servers
provided by [https://www.cloudflare.com/time/ Cloudflare] and
[https://www.netnod.se/time-and-frequency/how-to-use-nts Netnod]. Both
would be ok with Fedora using their servers by default (after some
testing and coordination). There is also a possibility that
pool.ntp.org will support NTS, although it is not very clear how
useful would NTS be in this case as the servers are owned by
individual contributors instead of a single trusted entity and
attackers can easily join the pool (some mitigations have been
proposed on the pool mailing list).
Potential issues with enabling NTS by default:
* Firewalls may block the NTS-KE port.
* ISPs may block or rate limit longer NTP packets as a mitigation for
amplification attacks using NTP mode 6 and 7. NTS-KE supports port
negotiation and an alternative port could be used to avoid this issue.
* Computers with no RTC (e.g. some ARM boards), or RTC that is too far
from the real time, will fail to verify TLS certificates. An option
could be added to disable the time checks before the first update of
the clock. This would have an impact on security.
== Benefit to Fedora ==
This change enables Fedora users to securely synchronize the system
clock to local or public NTP servers.
TBD: This change also makes the default configuration of the NTP client secure.
== Scope ==
* Proposal owners:
# Update `chrony` to 4.0 and enable the NTS support (adding dependency
on GnuTLS)
# TBD: Modify the default ''/etc/chrony.conf'' to use public servers
with NTS support
# Add an NTS option to the NTP settings in anaconda
* Other developers: N/A (not a System Wide Change)
* Release engineering: N/A (not needed for this Change)
* Policies and guidelines: N/A (not a System Wide Change)
* Trademark approval: N/A (not needed for this Change)
== Upgrade/compatibility impact ==
Fedora systems updated from a previous version will use the new
''/etc/chrony.conf'' automatically if the installed file was not
modified. If it was modified, the users will need to update the file
manually or rename ''/etc/chrony.conf.rpmnew'' to
''/etc/chrony.conf'' in order to enable NTS.
== How To Test ==
If the default configuration is modified for this Change, it needs to
be tested that it works correctly on most systems where the previous
default configuration using pool.ntp.org servers worked.
The installer needs to be tested that it enables NTS in
''/etc/chrony.conf'' as expected and that it adds `PEERNTP=no` to
''/etc/sysconfig/network''.
The `chronyc -N sources` command can be used to verify that NTP
sources are responding. The `chronyc ntpdata` command can be used to
verify that the NTP sources are authenticated. For example:
# chronyc -N sources
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* time.cloudflare.com 3 6 377 28 -115us[
-111us] +/- 13ms
^+ nts.ntp.se 2 6 377 27 +212us[
+212us] +/- 22ms
# chronyc ntpdata | grep Auth
Authenticated : Yes
Authenticated : Yes
== User Experience ==
Client NTS can be enabled in the NTP settings in the installer.
Client and server NTS can be enabled by editing ''/etc/chrony.conf''
as documented in the `chrony.conf` man page.
== Dependencies ==
N/A (not a System Wide Change)
== Contingency Plan ==
* Contingency mechanism: N/A (not a System Wide Change)
* Contingency deadline: N/A (not a System Wide Change)
* Blocks release? N/A (not a System Wide Change)
* Blocks product?
== Documentation ==
N/A (not a System Wide Change)
== Release Notes ==
TBD
--
Ben Cotton
He / Him / His
Senior Program Manager, Fedora & CentOS Stream
Red Hat
TZ=America/Indiana/Indianapolis