F27 System Wide Change: NSS Default File Format SQL
by Jaroslav Reznik
= System Wide Change: NSS Default File Format SQL =
https://fedoraproject.org/wiki/Changes/NSSDefaultFileFormatSql
Change owner(s):
* Kai Engert <kaie(a)redhat.com>
Change the NSS library default to use the sqlite based data storage,
when applications don't specify their preferred storage file format.
== Detailed Description ==
Applications that use the NSS library often use a database for storage
of keys, certificates and trust. NSS supports two different file
formats, one called DBM (based on berkeley DB files) and another one
called SQL (based on sqlite DB files).
Today's default file format used by NSS, used when applications omit
the type parameter, is the older DBM file format, which forbids
parallel access to the storage. The suggestion is to change the
default file format to SQL, which allows parallel access to the
storage.
Applications, or users using the NSS command line utilities, often
provide the database storage location using a simple directory path
parameter. Some might not be aware, or forget, that the parameter can
be prefixed with a type modifier, either "dbm:" or "sql:".
As a result, when not providing this parameter, the file format used
will be the fragile DBM file format. This is particularly problematic,
if a user attempts to modify the NSS storage using command line tools,
while another process, such as a daemon, is running concurrently,
which also accesses the same database in the DBM file format. This
often results in corrupted database storage, which cannot be
recovered.
By changing the default, all applications that currently use the DBM
file format, will automatically be migrated to the SQL file format.
NSS has the ability to discover if a storage location (a directory)
contains the DBM file format. If configured to use the modern SQL
format, NSS will automatically perform a one-time conversion from the
DBM to the SQL format.
The same applies to the NSS command line utilities. If the NSS library
default is changed to SQL, the NSS tools will also trigger the
one-time conversion, or access the already converted files.
== Scope ==
* Proposal owners:
A small downstream patch needs to be applied to the NSS library
package, which changes the library default.
* Other developers:
It's up to developers of NSS applications whether they accept the new
default and an automatic conversion, or whether they prefer to continue to
use the classic DBM storage format. Although not recommended,
developers can easily do so, by adding a "dbm:" prefix to the storage
parameter they provide to NSS at NSS library initialization time.
* Release engineering: [1]
No help should be necessary. No mass rebuild necessary.
* Policies and guidelines: N/A
* Trademark approval: N/A
[1] https://pagure.io/releng/issue/6883
Thanks,
Jaroslav
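An added check for the point made above, written for this page and not part of the change proposal or of the NSS tools: it reports which storage format a database directory holds, from the file names each format uses (cert8.db/key3.db/secmod.db for DBM, cert9.db/key4.db/pkcs11.txt for SQL), and builds the explicitly typed `dbm:`/`sql:` path so scripts and unit files never depend on the library default that this change flips. The file names are NSS's own; the function names, the `want` parameter and the sample directories are this example's assumptions, and `certutil -N -d <spec> --empty-password` is only run when certutil is installed.

```python
"""Added example, not code from the NSS project or the Fedora change page."""
import os
import shutil
import subprocess
import tempfile

# File names NSS writes for each storage format.
DBM_FILES = ("cert8.db", "key3.db", "secmod.db")   # "dbm:" prefix
SQL_FILES = ("cert9.db", "key4.db", "pkcs11.txt")  # "sql:" prefix


def nss_db_format(directory):
    """Return "dbm", "sql", "both" or "none" for an NSS database directory.

    Only the cert/key files decide the answer; secmod.db and pkcs11.txt on
    their own are module configuration, not a database.  "both" is what a
    directory looks like after the one-time DBM->SQL conversion if the old
    DBM files were left in place: a process opening "sql:" reads the new
    files, while a tool told "dbm:" would still touch the stale ones.
    """
    try:
        present = set(os.listdir(directory))
    except FileNotFoundError:
        return "none"
    has_dbm = bool(present & {"cert8.db", "key3.db"})
    has_sql = bool(present & {"cert9.db", "key4.db"})
    return {(True, False): "dbm", (False, True): "sql",
            (True, True): "both"}.get((has_dbm, has_sql), "none")


def nss_db_spec(directory, want="auto"):
    """Return the directory with an explicit type prefix for certutil,
    modutil or NSS_Initialize.  want="auto" keeps a DBM-only database as
    DBM; anything else (SQL, both, or a new directory) gets "sql:"."""
    if want in ("dbm", "sql"):
        return f"{want}:{directory}"
    fmt = nss_db_format(directory)
    return f"dbm:{directory}" if fmt == "dbm" else f"sql:{directory}"


def certutil_new_db(directory, fmt="sql"):
    """Create an empty database with certutil, always with an explicit
    prefix.  Returns the spec used, or None if certutil is not installed."""
    if shutil.which("certutil") is None:
        return None
    spec = nss_db_spec(directory, want=fmt)
    os.makedirs(directory, exist_ok=True)
    subprocess.run(["certutil", "-N", "-d", spec, "--empty-password"],
                   check=True)
    return spec


def build_sample_dirs():
    """Constructed sample: one directory per state, holding empty files
    with the right names (no real NSS data)."""
    root = tempfile.mkdtemp(prefix="nssdb-example-")
    layout = {"dbm": DBM_FILES, "sql": SQL_FILES,
              "both": DBM_FILES + SQL_FILES, "none": ()}
    for name, files in layout.items():
        d = os.path.join(root, name)
        os.mkdir(d)
        for f in files:
            open(os.path.join(d, f), "wb").close()
    return root


if __name__ == "__main__":
    root = build_sample_dirs()
    for name in ("dbm", "sql", "both", "none"):
        d = os.path.join(root, name)
        print(f"{d}: format={nss_db_format(d)} use={nss_db_spec(d)}")
    spec = certutil_new_db(os.path.join(root, "fresh"))
    print("certutil created", spec or "nothing (certutil not installed)")
```

Run it against the directory a daemon uses (for example the one named in its unit file) before touching that database with certutil or modutil: a "both" answer means the conversion already happened and the `dbm:` files are the stale copy.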
Removal of code signing trust bits from ca-certificates
by Kai Engert
Until recently, Mozilla maintained three individual trust bits for each root CA
certificate:
- trust for TLS servers
- trust for email security
- trust for code signing
The next CA update from Mozilla will switch the code signing trust bit
OFF for all CAs.
Mozilla will no longer maintain this trust bit.
See
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/004uv...
for background.
I'm not aware of anyone using this trust bit. The removal might have no effect.
This update of the CA list is supposed to get published with Firefox 56 on
September 26.
In order to allow the Fedora community to test potential effects of this change,
I intend to publish an update to the ca-certificates packages early, and keep it
in updates-testing for a few weeks.
Tracking bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1472468
Thanks
Kai
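An added check for the question the mail leaves open (who is relying on the code-signing trust bit), written for this page and not code from Mozilla, NSS or the ca-certificates package: it parses the output of `certutil -L`, whose trust column holds the three bits in the order SSL, S/MIME, JAR/XPI with "C" meaning trusted as a CA for that purpose, and lists the roots that currently carry the code-signing bit. The sample listing is constructed, and the function names are this example's.

```python
"""Added example, not code from Mozilla, NSS or the ca-certificates package."""
import re

# certutil -L prints one line per certificate: the nickname, then the trust
# attributes as three comma-separated groups, in the order
# SSL, S/MIME (email), JAR/XPI (code/object signing).
# "C" in a group means "trusted CA for that purpose".
_TRUST_RE = re.compile(r"^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$")

# Constructed sample output (not a real certificate list).
SAMPLE_CERTUTIL_L = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Root CA                                              C,C,C
Example Email Only CA                                        ,C,
Example Server CA                                            CT,,
Example Peer                                                 P,,
Example Untrusted                                            ,,
Example Signing Only CA                                      ,,C
"""


def parse_certutil_list(text):
    """Return [(nickname, (ssl, email, objsign)), ...] from certutil -L output.

    The nickname may contain spaces, so the line is split on its last run
    of whitespace; header and blank lines fail the trust-column pattern."""
    entries = []
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) != 2 or not _TRUST_RE.match(parts[1]):
            continue
        nickname, trust = parts
        entries.append((nickname, tuple(trust.split(","))))
    return entries


def trusted_for(entries, purpose):
    """Nicknames carrying the CA trust flag for 'ssl', 'email' or 'objsign'."""
    index = {"ssl": 0, "email": 1, "objsign": 2}[purpose]
    return [nick for nick, bits in entries if "C" in bits[index]]


def code_signing_report(text):
    """Roots trusted for code signing, flagging those whose only CA trust is
    that bit (the ones that keep no CA trust once it is switched off)."""
    report = {}
    for nick, (ssl, email, objsign) in parse_certutil_list(text):
        if "C" in objsign:
            report[nick] = {"only_code_signing":
                            "C" not in ssl and "C" not in email}
    return report


if __name__ == "__main__":
    import shutil
    import subprocess
    import sys
    # Usage: python3 this.py sql:/path/to/nssdb   (falls back to the sample)
    if len(sys.argv) > 1 and shutil.which("certutil"):
        listing = subprocess.run(["certutil", "-L", "-d", sys.argv[1]],
                                 capture_output=True, text=True,
                                 check=True).stdout
    else:
        listing = SAMPLE_CERTUTIL_L
    for nick, info in code_signing_report(listing).items():
        print(f"{nick}: code-signing trusted"
              + (" (no other CA trust)" if info["only_code_signing"] else ""))
```

Point it at the database your application actually opens (with `-h <token>` added to the certutil call if its roots come from a PKCS#11 module rather than the database itself); an empty report means the update cannot change what that application trusts.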
PkgDB and the ArbitraryBranching Change
by Ralph Bean
Hello,
As part of the Factory 2.0 and Modularity efforts[1], we’ve been
developing a plan to migrate to an “arbitrary” branching model from
our current model of one branch per release (as had been discussed at
Flock and DevConf[2]).
The main motivation behind this is to enable functionality required by
Modularity[3] and to ultimately reduce some package maintenance
burden. For some packages, it makes sense to have only a single branch
that feeds into multiple releases. For other packages, it makes sense
to have multiple branches which correlate with multiple upstream minor
releases. Today, our source branches are tied to the distro release,
via PkgDB. We want to decouple that and use modules to put it all
back together again.
To make this happen requires significant infrastructure changes. Our
proposed plan[4] is to decommission PkgDB entirely and to replace it
with a combination of PDC[5] and pagure over dist-git. (Tangentially,
getting pagure over dist-git to play nicely with PkgDB was a
challenge. This route gets us to a pull-request interface for spec
files quicker.)
We have brought this Change to FESCo[6][7][8] who expressed general
agreement on the project but also concern that the community may be
caught off guard by the removal of PkgDB. As part of this change,
we have proposed a timeline[9] that outlines the steps we plan to take
to actually proceed with the migration. Please review that if you have
time and provide feedback. We are most concerned with missing
scripts/tools that may rely on PkgDB’s API. If you can think of any
that we may have overlooked, please let us know and we will add it to
the timeline!
We are meeting again with FESCo next Friday, June 2nd, where a
decision will be made on the Change. Any feedback before that would be
greatly appreciated.
Ralph and Matt,
From the so-called Factory 2.0 team
[1] https://fedoraproject.org/wiki/Infrastructure/Factory2
[2] https://youtu.be/5gqccjyjwFk?t=26m27s
[3] https://docs.pagure.org/modularity/
[4] https://fedoraproject.org/wiki/Infrastructure/Factory2/Focus/ArbitraryBra...
[5] https://fedoraproject.org/wiki/Changes/ProductDefinitionCenter
[6] https://fedoraproject.org/wiki/Changes/ArbitraryBranching
[7] https://meetbot.fedoraproject.org/teams/fesco/fesco.2017-05-19-16.00.html
[8] https://meetbot.fedoraproject.org/teams/fesco/fesco.2017-05-26-16.00.html
[9] https://fedoraproject.org/wiki/Changes/ArbitraryBranching#Timeline
_______________________________________________
devel-announce mailing list -- devel-announce(a)lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave(a)lists.fedoraproject.org
debuginfo/source improvements vs mass rebuild
by Mark Wielaard
Hi packagers,
Just before the mass rebuild some debuginfo/source improvements were
enabled by default (%_debugsource_packages and %_debuginfo_subpackages).
See https://pagure.io/releng/issue/6863 and
https://fedoraproject.org/wiki/Changes/SubpackageAndSourceDebuginfo for
some background.
It didn't cause mass breakage, but there were some issues. Sorry about
that. The good news is that we now have fixes (or workarounds) for the
bugs found. So hopefully if your package did fail to rebuild you can
just resubmit it again or add a small tweak to get it building. Here is
an overview of the issues you might have seen and how it was resolved
(and a few questions on what the proper default/workaround/fix should be
in some cases).
= -debugsource generation fails with
error: Could not open %files file
This was caused by the package changing the working directory in
%install. Fixed upstream and backported to rpm-4.13.0.1-38.
Please just rebuild your package.
= -debugsource generation fails with
error: Empty %files file
Caused by rpm/find-debuginfo.sh/debugedit being unable to find any
source files for the generated .debug files. This could be seen as a
packaging bug. Most likely caused by missing -g in the package build
flags.
But the old non-split debuginfo/source generation would silently accept
an empty debug source list. So there is an upstream patch to just create
an empty -debugsource package in that case (and generate a warning):
http://lists.rpm.org/pipermail/rpm-maint/2017-July/006098.html
Upstream indicated they would rather not generate a -debugsource package
at all in that case (which seems hard, but maybe I didn't try hard
enough) or to just treat it as a hard error (also for the non-split
case).
= Using %excludes resulted in error after generating -debuginfo:
error: Installed (but unpackaged) file(s) found:
/usr/lib/debug/bin/hello3-1.0-1.x86_64.debug
Fixed upstream and backported to rpm-4.13.0.1-39
Please just rebuild your package.
= Using RemovePathPostfixes failed after generating -debuginfo:
error: Installed (but unpackaged) file(s) found:
/usr/lib/debug/bin/hello.foobar-1.0-1.x86_64.debug
Fixed upstream and backported to rpm-4.13.0.1-39
Please just rebuild your package.
Note that in both of the above cases in the old situation your
-debuginfo package would contain .debug files for executables not
installed by the main package... With the fix, in case you use
split-debuginfo (the default) these aren't included anymore making the
debuginfo packages smaller.
= No .gdb_index in .debug files.
Caused by missing %_include_gdb_index macro in redhat-rpm-config
https://bugzilla.redhat.com/show_bug.cgi?id=1476722
This used to not be easily configurable. Now it is. But we got the
default wrong. If you like to have .gdb_index sections right now then
add %global _include_gdb_index 1 to your spec file. Or wait till
fedora-rpm-config has been updated.
= Putting extra files under /usr/lib/debug causes:
error: Installed (but unpackaged) file(s) found:
/usr/lib/debug/usr/lib64/__pycache__/libpython3.6dm.so.1.0.debug-gdb.cpython-36.opt-1.pyc
/usr/lib/debug/usr/lib64/__pycache__/libpython3.6dm.so.1.0.debug-gdb.cpython-36.opt-2.pyc
/usr/lib/debug/usr/lib64/__pycache__/libpython3.6dm.so.1.0.debug-gdb.cpython-36.pyc
/usr/lib/debug/usr/lib64/__pycache__/libpython3.6m.so.1.0.debug-gdb.cpython-36.opt-1.pyc
/usr/lib/debug/usr/lib64/__pycache__/libpython3.6m.so.1.0.debug-gdb.cpython-36.opt-2.pyc
/usr/lib/debug/usr/lib64/__pycache__/libpython3.6m.so.1.0.debug-gdb.cpython-36.pyc
/usr/lib/debug/usr/lib64/libpython3.6dm.so.1.0.debug-gdb.py
/usr/lib/debug/usr/lib64/libpython3.6m.so.1.0.debug-gdb.py
https://bugzilla.redhat.com/show_bug.cgi?id=1476593
This is caused by split debuginfo checking which file corresponds to
which main/sub-package. Without split debuginfo anything found
under /usr/lib/debug is just put into the -debuginfo package, no
questions asked.
The immediate workaround is to add the following to your spec file:
%undefine _debuginfo_subpackages
This disables split debuginfo packages and just generates one big
-debuginfo package with everything under /usr/lib/debug/ included.
But this might or might not be a packaging bug. In particular if it
contains generated pyc files those probably really shouldn't be there.
The basic issue is that we have been trying to make the debuginfo
packages self-contained and non-conflicting between versions.
So you can easily install debuginfo for different (bi)arches or
versions. But some packages assume that if they drop anything
under /usr/lib/debug it will just magically appear in the debuginfo
package (which has been historically true). But with the split
debuginfo we have to make a choice which subpackage it belongs
to. Best rpm fix would probably be to add such files to the "main"
debuginfo package.
But it would probably be better to move these files to the
python3-devel package. Maybe we should discuss with the gdb
maintainers how/where they would like to see these gdb python
extensions installed. I doubt the -debuginfo package really is
the place for them anyway.
= Packages that already create sub-debuginfo or split-debugsource
packages by hand probably will fail with an error similar to the
above (Installed (but unpackaged) file(s) found).
Please add either (or both) to your spec file:
%undefine _debugsource_packages
%undefine _debuginfo_subpackages
But we would like to know if that is necessary. Please file a bug report
against rpm in fedora bugzilla and we'll take a look to see if we can
help use the fedora rpm defaults in your .spec file.
Cheers,
Mark