[opensuse-factory] New Tumbleweed snapshot 20180116 released!
Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.
Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version=Tumbleweed&build=20180116
When you reply to report some issues, make sure to change the subject.
It is not helpful to keep the release announcement subject in a thread
while discussing a specific problem.
Packages changed:
ImageMagick (7.0.7.15 -> 7.0.7.21)
Mesa (17.2.6 -> 17.3.2)
Mesa-drivers (17.2.6 -> 17.3.2)
ModemManager (1.6.8 -> 1.6.12)
MozillaFirefox
NetworkManager-applet
acpica
antlr
bluez (5.47 -> 5.48)
brltty
btrfsprogs (4.13.3 -> 4.14.1)
cairo (1.15.8 -> 1.15.10)
corosync
deltarpm
device-mapper
evince (3.26.0 -> 3.26.0+20171120.3955d480)
evolution (3.26.3 -> 3.26.4)
evolution-data-server (3.26.3 -> 3.26.4)
evolution-ews (3.26.3 -> 3.26.4)
fftw3
fluidsynth (1.1.8 -> 1.1.9)
freerdp
gdk-pixbuf
gdm
gimp
gnome-font-viewer
gnome-shell (3.26.2 -> 3.26.2+20171218.15b1810a6)
gnome-software (3.26.3 -> 3.26.4)
gpgme
gstreamer-plugins-base
gtk2 (2.24.31+20171209.61d5c82f5c -> 2.24.32)
gutenprint (5.2.13 -> 5.2.13pre14.2)
harfbuzz
hdf5
hwinfo (21.50 -> 21.51)
hyper-v
iputils
ispell
k3b (17.12.0 -> 17.12.1)
kdump
kernel-source (4.14.12 -> 4.14.13)
kio
krita (3.3.2.1 -> 3.3.3)
krusader
ldns
libdrm (2.4.88 -> 2.4.89)
libe-book (0.1.2 -> 0.1.3)
libepoxy
libglvnd
libmediaart
libpagemaker (0.0.3 -> 0.0.4)
libpeas
libpwquality (1.3.0 -> 1.4.0)
libqt5-qtwebengine
libqt5-qtwebsockets
librsvg (2.40.20 -> 2.42.0)
libsamplerate
libteam
libvirt
libxcb
libzio (1.05 -> 1.06)
llvm
logrotate (3.12.3 -> 3.13.0)
lvm2
makedumpfile
mdadm
mjpegtools
mutter (3.26.2 -> 3.26.2+20171231.0bd1d7cf0)
nbd (3.16.1 -> 3.16.2)
newt
nghttp2 (1.28.0 -> 1.29.0)
ntp
numactl
openblas_pthreads
opencv
openssh (7.2p2 -> 7.6p1)
patterns-kde
php7 (7.2.0 -> 7.2.1)
plasma5-desktop
plasma5-pk-updates
publicsuffix (20171028 -> 20171228)
python-attrs (17.3.0 -> 17.4.0)
python-cssselect (1.0.1 -> 1.0.3)
python-dbus-python
python-gpgme
python-httplib2
python-kiwi (9.11.24 -> 9.11.30)
python-numpy (1.13.3 -> 1.14.0)
python-pywbem
qemu
qemu-linux-user
rsync
ruby2.4
serd
speech-dispatcher
swig
tbb
texinfo (6.4 -> 6.5)
totem
tracker
tracker-miners
vim (8.0.1417 -> 8.0.1428)
virtualbox
webkit2gtk3 (2.18.4 -> 2.18.5)
wireless-regdb (2017.03.07 -> 2017.12.23)
wireshark (2.4.3 -> 2.4.4)
xen (4.10.0_08 -> 4.10.0_10)
xorg-x11-server (1.19.5 -> 1.19.6)
yast2-ruby-bindings (4.0.3 -> 4.0.4)
=== Details ===
==== ImageMagick ====
Version update (7.0.7.15 -> 7.0.7.21)
Subpackages: ImageMagick-devel ImageMagick-extra libMagick++-7_Q16HDRI4 libMagickCore-7_Q16HDRI5 libMagickWand-7_Q16HDRI5 perl-PerlMagick
- update to 7.0.7.21
* Fix some enum values in the OpenCL code.
* Fixed numerous memory leaks.
* Check for webpmux library version 0.4.4.
* Fix heap use after free error.
* Fix error reading multi-layer XCF image file.
* Fix possible stack overflow in WEBP reader.
==== Mesa ====
Version update (17.2.6 -> 17.3.2)
Subpackages: Mesa-dri-devel Mesa-libEGL-devel Mesa-libEGL1 Mesa-libGL-devel Mesa-libGL1 Mesa-libglapi0 libgbm1 libwayland-egl1
- U_intel-Add-more-Coffee-Lake-PCI-IDs.patch
* Add more Coffeelake PCI IDs (request by Intel)
- Update to 17.3.2
* Multiple fixes in the RADV Vulkan driver, workaround when using
slibtool and a GLSL workaround for various titles using Unreal
Engine 4.
- Drop upstreamed u_r600-Add-support-for-B5G5R5A1.patch
- Modify u_mesa-python3-only.patch to not break python 2.
- Update to 17.3.1
* Multiple fixes and improvements of the GLSL shader cache. The
RADV driver no longer advertises VK_EXT_debug_report - there is
no support for it.
* The i965, radeonsi, nvc0 and freedreno drivers have received a
few small fixes each.
* A number of big endian fixes have been merged.
- Switch to python3 during build instead of python2
* Add patch u_mesa-python3-only.patch
- Add Mesa-dri and Mesa-gallium to baselibs.conf.
- Require llvm >= 3.9.0
* The build fails otherwise because it is required for multiple
Mesa components.
- Drop some redundant wording from descriptions.
Drop redundant %if guard around a %post section.
- Use different form of split for faster build (bnc#1071297)
* Mesa.spec does not use llvm and builds most of the *-devel
subpackages.
* Mesa-drivers.spec uses llvm and builds extra things installable
in addition to packages from Mesa.spec. These packages are
required for actual rendering.
- update to 17.3.0
- drop U_configure.ac-rework-llvm-libs-handling-for-3.9.patch
* new major release coming with changes in RADV, intel ANV,
S3TC support, RadeonSI driver with RX Vega. On-disk shader cache
- Split Mesa into Mesa and Mesa-mini. Mesa-mini does not depend on
llvm and its purpose is to build fast and allow other packages
that BuildRequire Mesa to be built independently of llvm.
Packages built against Mesa-mini should work correctly when
installed with full Mesa package. (bsc#1071297)
==== Mesa-drivers ====
Version update (17.2.6 -> 17.3.2)
Subpackages: Mesa-libva libvdpau_r300 libvdpau_r600 libvdpau_radeonsi libvulkan_radeon libxatracker2
- U_intel-Add-more-Coffee-Lake-PCI-IDs.patch
* Add more Coffeelake PCI IDs (request by Intel)
- Update to 17.3.2
* Multiple fixes in the RADV Vulkan driver, workaround when using
slibtool and a GLSL workaround for various titles using Unreal
Engine 4.
- Drop upstreamed u_r600-Add-support-for-B5G5R5A1.patch
- Modify u_mesa-python3-only.patch to not break python 2.
- Update to 17.3.1
* Multiple fixes and improvements of the GLSL shader cache. The
RADV driver no longer advertises VK_EXT_debug_report - there is
no support for it.
* The i965, radeonsi, nvc0 and freedreno drivers have received a
few small fixes each.
* A number of big endian fixes have been merged.
- Switch to python3 during build instead of python2
* Add patch u_mesa-python3-only.patch
- Add Mesa-dri and Mesa-gallium to baselibs.conf.
- Require llvm >= 3.9.0
* The build fails otherwise because it is required for multiple
Mesa components.
- Drop some redundant wording from descriptions.
Drop redundant %if guard around a %post section.
- Use different form of split for faster build (bnc#1071297)
* Mesa.spec does not use llvm and builds most of the *-devel
subpackages.
* Mesa-drivers.spec uses llvm and builds extra things installable
in addition to packages from Mesa.spec. These packages are
required for actual rendering.
- update to 17.3.0
- drop U_configure.ac-rework-llvm-libs-handling-for-3.9.patch
* new major release coming with changes in RADV, intel ANV,
S3TC support, RadeonSI driver with RX Vega. On-disk shader cache
- Split Mesa into Mesa and Mesa-mini. Mesa-mini does not depend on
llvm and its purpose is to build fast and allow other packages
that BuildRequire Mesa to be built independently of llvm.
Packages built against Mesa-mini should work correctly when
installed with full Mesa package. (bsc#1071297)
==== ModemManager ====
Version update (1.6.8 -> 1.6.12)
Subpackages: ModemManager-bash-completion ModemManager-devel ModemManager-lang libmm-glib0 typelib-1_0-ModemManager-1_0
- Update to version 1.6.12:
+ Blacklist:
- Ignored Pycom devices.
- Added Microchip's VID to the greylist.
+ QMI:
- Fixed connection state machine when built against libqmi <
1.18.
- Fixed connection state machine when an error is reported
setting up WDS indications.
- Changes from version 1.6.10:
+ Blacklist:
- Ignored Silicon Labs USB Zigbee dongles.
- Ignored Garmin ANT+ sticks.
- Ignored Intel coredump downloader device.
+ QMI:
- Fixed potential use-after-free issues.
- Fixed missing handler cleanups on network-initiated
disconnects.
+ MBIM:
- Fix invalid session_id and nw_error reads.
- Avoid calling mbim_message_unref() on NULL message.
- Fixed invalid object access due to handlers not being removed
correctly.
- Ensure session is disconnected before trying to connect.
- Fixed crash when modem doesn't send gateways.
+ udev:
- Removed default ID_MM_PLATFORM_DRIVER_PROBE whitelist.
Devices exposed via the 'atmel_usart' driver aren't probed
automatically any more.
+ Core:
- Fixed running init sequence after port flashing in
disconnection.
- Fixed "forbidden product strings" check in plugins.
- Fixed multiple memory leaks and invalid memory read/writes.
- Fixed multiple async operation completions in event handlers.
- Fixed multiple potential NULL dereferences.
- Fixed deadlock when trying to disconnect cancellable.
- Fixed reporting TX/RX stats (numbers were swapped).
- Ignored USB interface removal events.
+ libmm-glib: Fix NULL dereference on firmware unique_id checks.
+ polkit: Added missing Location interface method rules.
+ Plugins:
- MBM: set data port for Dell DW5560.
- Simtech: fix error reporting in 3gpp unsolicited events
enabling.
- Fixed multiple memory leaks.
+ systemd: Drop After=syslog.target rule.
- Drop post(un) handling of icon_theme_cache_post(un), no longer
needed, file-triggers takes care of this now.
- Drop ModemManager-1.0.0-systemd-activation.patch: No longer
needed.
==== MozillaFirefox ====
Subpackages: MozillaFirefox-translations-common
- fixed build with latest rust (mozilla-rust-1.23.patch)
==== NetworkManager-applet ====
Subpackages: NetworkManager-applet-lang NetworkManager-connection-editor libnm-gtk0 libnma0 nma-data typelib-1_0-NMGtk-1_0
- Add
0001-shared-compat-fix-memory-handling-of-nm_setting_vpn_.patch
and
0002-shared-compat-fix-memory-handling-of-nm_setting_vpn_.patch:
fix crashes due to double frees.
==== acpica ====
- Changed shebang path in wmidump_add_she_bang.patch
to /usr/bin/python3
[bsc#1075687,wmidump_add_she_bang.patch]
==== antlr ====
Subpackages: antlr-devel antlr-java
- Add condition about python2 module, the rewrite happened in antlr4
for python3 support and it is completely different than the antlr2
* The python module is not used by any package in TW bsc#1068226
==== bluez ====
Version update (5.47 -> 5.48)
Subpackages: bluez-cups bluez-devel libbluetooth3
- update to version 5.48:
This release brings many fixes and feature enhancements.
Some notable enhancements include support for devices with the
BLE battery service, as well as improved Mesh support in the
meshctl tool. Several previously experimental D-Bus APIs have now
been marked as stable, notably the Advertising Manager API as
well as the AquireWrite & AquireNotify GATT APIs.
As far as fixes go, these can be found in many areas of the stack,
including A2DP, AVCTP, device discovery, Mesh, and GATT.
==== brltty ====
Subpackages: brltty-driver-at-spi2 brltty-driver-brlapi brltty-driver-espeak brltty-driver-speech-dispatcher brltty-driver-xwindow brltty-lang libbrlapi0_6 python3-brlapi xbrlapi
- Fix %pre, %post, and %postun: brltty.service is now
brltty@.service (boo#1074096).
==== btrfsprogs ====
Version update (4.13.3 -> 4.14.1)
Subpackages: btrfsprogs-udev-rules libbtrfs0
- spec: fix distro version condition
- update to version 4.14.1
* dump-tree: print times of root items
* check: fix several lowmem mode bugs
* convert: fix rollback after balance
* other
* new and updated tests, enabled lowmem mode in CI
* docs updates
* fix travis CI build
* build fixes
* cleanups
- update to version 4.14
* build: libzstd now required by default
* check: more lowmem mode repair enhancements
* subvol set-default: also accept path
* prop set: compression accepts no/none, same as ""
* filesystem usage: enable for filesystem on top of a seed device
* rescue: new command fix-device-size
* other
* new tests
* cleanups and refactoring
* doc updates
- Removed patches:
- rollback-regression-fix.patch - upstreamed
- spec: disable static build, missing libzstd-devel-static
- spec: disable zstd support for non-Tumbleweed distros
==== cairo ====
Version update (1.15.8 -> 1.15.10)
Subpackages: cairo-devel libcairo-gobject2 libcairo-script-interpreter2 libcairo2 libcairo2-32bit
- Update to version 1.15.10:
+ Features and Enhancements:
- Add support for OpenGL ES 3.0 to the gl backend.
- Use Reusable streams for forms in Level 3 Postscript.
- Add CAIRO_MIME_TYPE_EPS mime type for embedding EPS files.
- Add CCITT_FAX mime type for PDF and PS surfaces.
- svg: add a new function to specify the SVG document unit
(fdo#90166).
- Use UTF-8 filenames on Windows.
+ API Changes: cairo_svg_surface_set_document_unit() and
cairo_svg_surface_get_document_unit().
+ Bugs fixed:
- Fix regression in gles version detection.
- Fix undefined-behavior with integer math.
- Handle SOURCE and CLEAR operators when painting color glyphs
(fdo#102661).
- Convert images to rgba or a8 formats when uploading with
GLESv2.
- Use _WIN32 instead of windows.h to check for windows build.
- Fix sigabrt printing documents with fonts lacking the
mandatory .nodef glyph (fdo#102922).
- Prevent curved strokes in small ctms from being culled from
vector surfaces (fdo#103071).
- Fix painting an unbounded recording surface with the SVG
backend.
- Fix falling back to system font with PDFs using certain
embedded fonts, due to truncated font names (fdo#103249).
- Fix handling of truetype fonts with excessively long font
names (fdo#103249).
- Fix race conditions with cairo_mask_compositor_t
(fdo#103037).
- Fix build error with util/font-view.
- Fix assertion hit with PDFs using Type 4 fonts rendered with
user fonts, due to error when destroying glyph page
(fdo#103335).
- Set default creation date for PDFs.
- Prevent invalid ptr access for > 4GB images (fdo#98165).
- Prevent self-copy infinite loop in Postscript surface.
- Fix padded image crash in Postscript surface.
- Fix annotation bugs in PDFs and related memory leaks.
- Fix test failures and other assorted issues in ps and pdf
code.
- Fix code generation when using GCC legacy atomic operations
(fdo#103559).
- Fix various compilation warnings and errors.
- Fix various distcheck errors with private symbols, doxygen
formatting etc.
- Drop cairo-image-prevent-invalid-ptr-access.patch
==== corosync ====
Subpackages: libcmap4 libcorosync_common4
- totemudp[u]: Drop truncated packets on receive (bsc#1075300)
Added: 0012-totemudp-u-Drop-truncated-packets-on-receive.patch
- issue with partial packets assembly when multiple nodes are sending big packets (bsc#1074929)
Added: 0011-libcpg-Fix-issue-with-partial-big-packet-assembly.patch
==== deltarpm ====
Subpackages: python2-deltarpm
- Make python2 and python3 conditional to ensure we can build with
python3 only
==== device-mapper ====
Subpackages: libdevmapper-event1_03 libdevmapper1_03 libdevmapper1_03-32bit
- lvmlockd: add lockopt values for skipping selected locks (fate#323203)
+ fate-323203_lvmlockd-add-lockopt-values-for-skipping-selected-lo.patch
==== evince ====
Version update (3.26.0 -> 3.26.0+20171120.3955d480)
Subpackages: evince-lang evince-plugin-comicsdocument evince-plugin-djvudocument evince-plugin-dvidocument evince-plugin-pdfdocument evince-plugin-psdocument evince-plugin-tiffdocument evince-plugin-xpsdocument libevdocument3-4 libevview3-3 nautilus-evince typelib-1_0-EvinceDocument-3_0 typelib-1_0-EvinceView-3_0
- Update to version 3.26.0+20171120.3955d480:
+ Updated translations.
- Switch to git-checkout via source service.
- Following the above, add gnome-common BuildRequires, pass
autogen.sh and pass enable-gtk doc to configure, as we need to
bootstrap the tarball.
- Clean up spec, use modern macros.
- Drop update-desktop-files BuildRequires and stop using
suse_update_desktop macro, no longer needed.
- Drop obsolete conditionals for no longer supported versions of
openSUSE.
- Avoid running fdupes across hardlink boundaries.
==== evolution ====
Version update (3.26.3 -> 3.26.4)
Subpackages: evolution-lang evolution-plugin-bogofilter evolution-plugin-pst-import evolution-plugin-spamassassin
- Update to version 3.26.4:
+ Bugs fixed: bgo#791291, bgo#791341, bgo#791346, bgo#791793.
+ Updated translations.
==== evolution-data-server ====
Version update (3.26.3 -> 3.26.4)
Subpackages: evolution-data-server-lang libcamel-1_2-60 libebackend-1_2-10 libebook-1_2-19 libebook-contacts-1_2-2 libecal-1_2-19 libedata-book-1_2-25 libedata-cal-1_2-28 libedataserver-1_2-22 libedataserverui-1_2-1
- Update to version 3.26.4:
+ Prevent passing NULL ldap handle into LDAP functions.
+ [Maildir]: Correct double free when the source message file
doesn't exist.
+ Bugs fixed: bgo#791475, bgo#791282.
==== evolution-ews ====
Version update (3.26.3 -> 3.26.4)
Subpackages: evolution-ews-lang
- Update to version 3.26.4:
+ Bugs fixed: bgo#792190.
==== fftw3 ====
Subpackages: fftw3-devel libfftw3-3 libfftw3_threads3
- Disable the openmpi3 flavor in some products.
- Add gcc7 as additional compiler flavor for HPC on SLES.
- Fix library package requires - use HPC macro (boo#1074890).
- Add support for mpich and openmpi3 for HPC.
==== fluidsynth ====
Version update (1.1.8 -> 1.1.9)
- Update to version 1.1.9:
* fix building the portaudio driver on Windows
* fix build if no MIDI drivers are available
* fix return value of fluid_file_set_encoding_quality()
* fix use-after-free in fluid_timer
* fix memory leak in pulseaudio driver
* fix memory leak in rvoice_mixer
* fix dumptuning shell command displaying uninitialized values
* fix a resource leak in source shell command
* harmonize fluidsynth's output library naming with autotools on Windows
* don't set LIB_SUFFIX when building with MinGW
* avoid a possible deadlock when initializing fluidsynth's DLL on Windows
* avoid a buffer overrun when mixing effects channels in fluid_synth_nwrite_float()
* correctly clean up fluid_server on Windows
* implement handling of FLUID_SEQ_ALLSOUNDSOFF events in fluid_seq_fluidsynth_callback()
* support for registering audio drivers based on actual needs
==== freerdp ====
Subpackages: libfreerdp2 libwinpr2
- Users can connect only once to Windows sessions due to
[#]gh/FreeRDP/FreeRDP/4348
Therefore WITH_GSSAPI has been disabled until that issue has been
solved
==== gdk-pixbuf ====
Subpackages: gdk-pixbuf-devel gdk-pixbuf-lang gdk-pixbuf-query-loaders gdk-pixbuf-query-loaders-32bit gdk-pixbuf-thumbnailer libgdk_pixbuf-2_0-0 libgdk_pixbuf-2_0-0-32bit typelib-1_0-GdkPixbuf-2_0
- Add gdk-pixbuf-bgo779012-ico-overflow.patch: fix a potential
integer overflow (boo#1027026 CVE-2017-6312).
- Add gdk-pixbuf-gif-negative-array-indexes.patch and
gdk-pixbuf-gif-uninitialized-variable.patch: protect against
access to negative array indexes (BGO#778584).
- Add gdk-pixbuf-tiff-overflow.patch: avoid overflow during size
computation (bgo#779020).
- Add gdk-pixbuf-icns-handle-short-blocklen.patch: protect against
short block length when reading icns (boo#1027024
CVE-2017-6313).
==== gdm ====
Subpackages: gdm-lang gdmflexiserver libgdm1 typelib-1_0-Gdm-1_0
- Add gdm-nb-translations.patch: Update Norwegian Bokmål
translations.
- Drop gdmflexiserver Obsoletes from main package, we ship
gdmflexiserver again, so this is not needed nor wanted.
- Do minor spec-cleanup, silence a couple of rpmlint warnings.
- Add gdm-not-run-with-bogus-DISPLAY-XAUTHORITY.patch: When running
the PreSession script, don't set the DISPLAY and XAUTHORITY
environment variables, avoiding environment variables equal to (null)
(bsc#1068016 bgo#792150).
- Remove gdm-ignore-SLE-CLASSIC-MODE.patch: SLE-Classic doesn't use
environment variable SLE_CLASSIC_MODE anymore.
==== gimp ====
Subpackages: gimp-lang gimp-plugin-aa gimp-plugins-python libgimp-2_0-0 libgimpui-2_0-0
- Run spec-cleaner, modernize spec, drop Obsoletes for versions
no longer supported.
- Don't build with webkit1, as it is no longer maintained and has
plenty of security bugs. This disables the GIMP's built-in help
browser; it will use an external browser when configured this way.
This works around a number of security vulnerabilities in Webkit1:
https://bugzilla.suse.com/show_bug.cgi?id=923223
https://bugzilla.suse.com/show_bug.cgi?id=906375
https://bugzilla.suse.com/show_bug.cgi?id=906374
https://bugzilla.suse.com/show_bug.cgi?id=906373
https://bugzilla.suse.com/show_bug.cgi?id=1034856
https://bugzilla.suse.com/show_bug.cgi?id=871792
https://bugzilla.suse.com/show_bug.cgi?id=879607
https://bugzilla.suse.com/show_bug.cgi?id=892084
==== gnome-font-viewer ====
Subpackages: gnome-font-viewer-lang
- Add gfv-handle-ttf-otf-mime-types.patch: Handle new font/ttf and
font/otf mime types (bgo#788383).
- Add gfv-update-nb-translations.patch: Update Norwegian Bokmål
translations.
==== gnome-shell ====
Version update (3.26.2 -> 3.26.2+20171218.15b1810a6)
Subpackages: gnome-shell-browser-plugin gnome-shell-calendar gnome-shell-lang
- Add gnome-shell-network-fix-visibility-VPN.patch: network: Fix
visibility of VPN section (bgo#787845).
- Own directories
{_datadir}/gnome-shell/extensions|search-providers|modes again,
seems a lot of packages depended on this being true.
- Update to version 3.26.2+20171218.15b1810a6:
+ background: don't leak wall clock when background changes.
+ dateMenu:
- Fix possible crash with unknown locations.
- Ignore malformed world-clocks settings.
+ dash:
- Do not shadow ClutterActor's destroy().
- Make sure item labels are only destroyed once.
+ status/keyboard: Reset menuItems and Label objects on change.
+ overview: Protect ::drag-end handlers.
+ Updated translations.
- Switch to git-checkout via source services.
- Pass enable-browser-plugin=true, enable-documentation=true,
enable-man=true, enable-networkmanager=yes and
enable-systemd=yes to meson, ensure we build the features we
want.
- Following the above, add gtk-doc BuildRequires and build
documentation again.
- Run spec-cleaner, modernize spec.
- Drop update-desktop-files BuildRequires and stop using the
suse_update_desktop_file macro.
- Drop conditional libaccountsservice0, libcaribou0 and
libgdmgreeter1 Requires needed for no longer supported versions
of openSUSE.
- Add fdupes BuildRequires and pass fdupes macro, remove duplicate
files.
- Drop gnome-shell-wayland Obsoletes: No currently supported
version of openSUSE has ever had this binary, so this is no
longer needed.
- Stop exporting BROWSER_PLUGIN_DIR=%%{_libdir}/browser-plugins,
does not work as we are using meson buildsystem.
==== gnome-software ====
Version update (3.26.3 -> 3.26.4)
Subpackages: gnome-software-lang
- Update to version 3.26.4:
+ Fix crashes in the repos plugin due to missing locking.
+ Work around Firefox deleting rpm/deb files downloaded to /tmp
when closing.
+ Do not require the user to keep clicking 'More reviews' after
each click.
+ Fix a critical when updating (flatpak) packages live.
+ fwupd: Prepend the vendor name to the device name if not
included.
+ Improve SPDX ID parsing when working out if it is 'free'.
+ packagekit: Do not crash when getting an invalid ID from
PackageKit.
+ Do not crash when closing the source dialog while it is
loading.
+ Updated translations.
- Drop gs-add-locking-to-the-repos-plugin.patch: Fixed upstream.
==== gpgme ====
Subpackages: libgpgme-devel libgpgme11 libgpgmepp6 libqgpgme7
- Tweak up the python conditional to allow us finegraining and
selecting only py2 or py3 if needed
==== gstreamer-plugins-base ====
Subpackages: gstreamer-plugins-base-lang libgstallocators-1_0-0 libgstapp-1_0-0 libgstaudio-1_0-0 libgstfft-1_0-0 libgstpbutils-1_0-0 libgstriff-1_0-0 libgstrtp-1_0-0 libgstrtsp-1_0-0 libgstsdp-1_0-0 libgsttag-1_0-0 libgstvideo-1_0-0 typelib-1_0-GstAudio-1_0 typelib-1_0-GstPbutils-1_0 typelib-1_0-GstTag-1_0 typelib-1_0-GstVideo-1_0
- Add gst-pb-playbin3-fix-accessing-invalid-index.patch: playbin3:
Fix accessing invalid index in GstStream when received
select-stream event (bgo#791638).
- Clean up spec with spec-cleaner.
==== gtk2 ====
Version update (2.24.31+20171209.61d5c82f5c -> 2.24.32)
Subpackages: gtk2-data gtk2-devel gtk2-immodule-amharic gtk2-immodule-inuktitut gtk2-immodule-thai gtk2-immodule-vietnamese gtk2-immodule-xim gtk2-lang gtk2-tools gtk2-tools-32bit libgtk-2_0-0 libgtk-2_0-0-32bit typelib-1_0-Gtk-2_0
- Update to version 2.24.32:
+ Fix abicheck.
- Use the release version as revision and set versionformat to
PARENT_TAG, ensure we build the upstream released tag.
==== gutenprint ====
Version update (5.2.13 -> 5.2.13pre14.2)
- Version upgrade to 5.2.13pre14.2 which is the
second pre-release of Gutenprint 5.2.14.
Major changes in this release (compared to 5.2.12):
* The PCL driver now supports color laser printers
that use PCL 5c natively (as opposed to emulation).
The support is considered to be preliminary at this time.
Tons of PCL printers have been added with color support.
Please report success or failure with PCL color laser printers
using the Generic PCL Color drivers.
Based on feedback from this pre-release, some or all of these
printers may be removed from the list prior to 5.2.14 release.
* Support for the Brother HL-2030 and HL-2035 has been removed
because these printers do not support standard PCL.
* A crash that affected certain dyesub printers when used with
simplified PPD files has been fixed.
* Enhanced support for some dye-sublimation printers.
For details see the NEWS file.
==== harfbuzz ====
Subpackages: harfbuzz-devel libharfbuzz-icu0 libharfbuzz0 libharfbuzz0-32bit
- harfbuzz-devel hb-ft.h requires pkgconfig(freetype2) but it is
not automatically added by the dependency generator.
==== hdf5 ====
Subpackages: libhdf5-101 libhdf5_hl100
- Disable the openmpi3 flavor in some products.
- Switch from gcc6 to gcc7 as additional compiler flavor for HPC on SLES.
- Add support for mpich and openmpi3 for HPC.
==== hwinfo ====
Version update (21.50 -> 21.51)
Subpackages: hwinfo-devel
- merge gh#openSUSE/hwinfo#55
- Please make CDBISDN_DATE ignore timezone.
- 21.51
==== hyper-v ====
- update buffer handling in hv_fcopy_daemon
- remove unnecessary header files and netlink related code
- Avoid reading past allocated blocks from KVP file
- fix snprintf warning in kvp_daemon
- properly handle long paths
- kvp: configurable external scripts path
- vss: Thaw the filesystem and continue if freeze call has timed out
- vss: Skip freezing filesystems backed by loop
==== iputils ====
Subpackages: rarpd
- Backport iputils-ping-fix-pmtu-for-ipv6.patch from upstream
to fix PMTU discovery in ping6. (bsc#1072460)
==== ispell ====
Subpackages: ispell-american ispell-british
- Avoid `set -e' in munchlist (boo#1075882)
==== k3b ====
Version update (17.12.0 -> 17.12.1)
Subpackages: k3b-lang
- Update to 17.12.1
* New bugfix release
* For more details please see:
* https://www.kde.org/announcements/announce-applications-17.12.1.php
- Changes since 17.12.0:
* Revert "Fix Settings dialog resizes itself issue"
- Add fix-build-with-older-kio.patch to make it build again on
standard Leap 42.x.
==== kdump ====
- Add kdump-fillupdir-fixes.patch and correct specfile to build
with new fillupdir location
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (boo#1069468)
==== kernel-source ====
Version update (4.14.12 -> 4.14.13)
Subpackages: kernel-default kernel-default-devel kernel-devel kernel-docs kernel-macros kernel-syms
- Linux 4.14.13 (bnc#1012628).
- x86/mm: Set MODULES_END to 0xffffffffff000000 (bnc#1012628).
- x86/mm: Map cpu_entry_area at the same place on 4/5 level
(bnc#1012628).
- x86/kaslr: Fix the vaddr_end mess (bnc#1012628).
- x86/events/intel/ds: Use the proper cache flush method for
mapping ds buffers (bnc#1012628).
- x86/tlb: Drop the _GPL from the cpu_tlbstate export
(bnc#1012628).
- x86/alternatives: Add missing '\n' at end of ALTERNATIVE inline
asm (bnc#1012628).
- x86/pti: Rename BUG_CPU_INSECURE to BUG_CPU_MELTDOWN
(bnc#1012628).
- kernel/acct.c: fix the acct->needcheck check in
check_free_space() (bnc#1012628).
- mm/mprotect: add a cond_resched() inside change_pmd_range()
(bnc#1012628).
- mm/sparse.c: wrong allocation for mem_section (bnc#1012628).
- userfaultfd: clear the vma->vm_userfaultfd_ctx if
UFFD_EVENT_FORK fails (bnc#1012628).
- btrfs: fix refcount_t usage when deleting btrfs_delayed_nodes
(bnc#1012628).
- efi/capsule-loader: Reinstate virtual capsule mapping
(bnc#1012628).
- crypto: n2 - cure use after free (bnc#1012628).
- crypto: chacha20poly1305 - validate the digest size
(bnc#1012628).
- crypto: pcrypt - fix freeing pcrypt instances (bnc#1012628).
- crypto: chelsio - select CRYPTO_GF128MUL (bnc#1012628).
- drm/i915: Disable DC states around GMBUS on GLK (bnc#1012628).
- drm/i915: Apply Display WA #1183 on skl, kbl, and cfl
(bnc#1012628).
- sunxi-rsb: Include OF based modalias in device uevent
(bnc#1012628).
- fscache: Fix the default for fscache_maybe_release_page()
(bnc#1012628).
- x86 / CPU: Avoid unnecessary IPIs in arch_freq_get_on_cpu()
(bnc#1012628).
- x86 / CPU: Always show current CPU frequency in /proc/cpuinfo
(bnc#1012628).
- kernel/signal.c: protect the traced SIGNAL_UNKILLABLE tasks
from SIGKILL (bnc#1012628).
- kernel/signal.c: protect the SIGNAL_UNKILLABLE tasks from
!sig_kernel_only() signals (bnc#1012628).
- kernel/signal.c: remove the no longer needed SIGNAL_UNKILLABLE
check in complete_signal() (bnc#1012628).
- iommu/arm-smmu-v3: Don't free page table ops twice
(bnc#1012628).
- iommu/arm-smmu-v3: Cope with duplicated Stream IDs
(bnc#1012628).
- ARC: uaccess: dont use "l" gcc inline asm constraint modifier
(bnc#1012628).
- powerpc/mm: Fix SEGV on mapped region to return SEGV_ACCERR
(bnc#1012628).
- Input: elantech - add new icbody type 15 (bnc#1012628).
- apparmor: fix regression in mount mediation when feature set
is pinned (bnc#1012628).
- parisc: Fix alignment of pa_tlb_lock in assembly on 32-bit
SMP kernel (bnc#1012628).
- parisc: qemu idle sleep support (bnc#1012628).
- mtd: nand: pxa3xx: Fix READOOB implementation (bnc#1012628).
- KVM: s390: fix cmma migration for multiple memory slots
(bnc#1012628).
- KVM: s390: prevent buffer overrun on memory hotplug during
migration (bnc#1012628).
- commit bd444a0
- Refresh
patches.suse/0007-x86-enter-Use-IBRS-on-syscall-and-interrupts.patch.
- Refresh
patches.suse/0013-x86-entry-Stuff-RSB-for-entry-to-kernel-for-non-SMEP.patch.
- Refresh
patches.suse/0015-x86-syscall-Clear-unused-extra-registers-on-32-bit-c.patch.
Fix double fault in 32bit binaries (bnc#1074869, bnc#1074918,
bnc#1074920, bnc#1074921, bnc#1075018, bnc#1075034)
- commit f4b3cf0
- rpm/constraints.in: lower kernel-syzkaller's mem requirements
OBS now reports that it needs only around 2G, so lower the limit to
8G, so that more compliant workers can be used.
- commit 7637ae2
==== kio ====
Subpackages: kio-core kio-devel kio-lang
- Add patch to fix layout of icons in the file dialog (kde#352776):
* 0001-Fix-KFilePreviewGenerator-LayoutBlocker.patch
==== krita ====
Version update (3.3.2.1 -> 3.3.3)
Subpackages: krita-lang
- Update to 3.3.3:
* See https://krita.org/en/item/krita-3-3-3/
* Fix an issue where it would not be possible to select certain
blending modes when the current layer is grayscale but the
image is rgb.
* Set the OS and platform when reporting a bug from within Krita
on Windows.
* Make it possible to enter color values as percentage in the
specific color selector
* Add OpenGL warnings and make ANGLE default on Intel GPUs
* Add an Invert button to the levels filter
* Implement loading and saving of styles for group layers to and
from PSD
* Fix the erase mode not showing correctly when returning to the
brush tool
* Save the visibility of individual assistants in .kra files
* Add an option to draw ruler tips as a power of 2
* Disable autoscroll on move and transform tools
* Improve handling of native mouse events when using a pen and
the Windows Ink API
* Fix the focal point for the pinch zoom gesture
* Fix loading netpbm files with comment
==== krusader ====
Subpackages: kio_iso
- Add Panel-fixed-actions-in-PanelContextMenu-ignored.patch to fix
the "Create New" context menu not working when the '..' entry is
selected (boo#1075690, kde#383544)
==== ldns ====
Subpackages: libldns2
- Switch directly to python3 in order for us to proceed with py2
obsoletion for future releases
* Upstream sadly can build only against one of the two
==== libdrm ====
Version update (2.4.88 -> 2.4.89)
Subpackages: libdrm-devel libdrm2 libdrm_amdgpu1 libdrm_intel1 libdrm_nouveau2 libdrm_radeon1
- U_intel-Add-more-Coffeelake-PCI-IDs.patch
* Add more Coffeelake PCI IDs (request by Intel)
- Update to version 2.4.89:
libdrm release with leasing and syncobj api updates, updated amdgpu marketing
ids, amdgpu tests, updated uapi headers & etnaviv updates.
==== libe-book ====
Version update (0.1.2 -> 0.1.3)
- Cure linguistic problem in descriptions.
- Update to 0.1.3:
* Fix various problems when reading broken files, found with the help of
american-fuzzy-lop and oss-fuzz.
* Fix build with boost >= 1.59.
* Set default page margins. (tdf#94162)
* Make output of ebook2* --help more compatible with help2man.
* Check for librevenge-stream if tests are enabled. (gentoo#603098)
* Require C++11 for build.
* Drop outdated MSVC project files.
* Fix several issues found by Coverity.
* FictionBook v.2:
* Use document language as default language for text.
* Use note title as footnote mark.
* Handle subscript and superscript.
* Output content of <code> in monospace font.
==== libepoxy ====
- -devel package requires pkgconfig(x11), pkgconfig(egl)
but those deps are not generated automatically.
==== libglvnd ====
Subpackages: libglvnd-32bit libglvnd-devel
- Make sure to use only python3 for the build and do not rely
on env calls for python
==== libmediaart ====
Subpackages: libmediaart-2_0-0 typelib-1_0-MediaArt-2_0
- Add meson-Introspection-fix.patch: The meson build did not add
the extractdummy.c to the sources, which contains introspection
annotations (bgo#792272, bgo#791586).
==== libpagemaker ====
Version update (0.0.3 -> 0.0.4)
- Cure linguistic problem in descriptions.
- Update to 0.0.4:
* Add a command line tool for conversion to plain text, called pmd2text.
* Require C++11 for build.
* Drop outdated MSVC project files.
* Fix parsing of page dimensions and shape coordinates in Mac documents.
That makes the output at least somewhat useful, but more work is needed
to handle big endian files properly.
* Fix parsing of color tint in Mac documents. (tdf#109126)
* Fix parsing of text formatting attributes in Mac documents.
* Properly handle all caps and small caps.
* Parse more text formatting attributes.
* Parse more paragraph attributes.
==== libpeas ====
Subpackages: libpeas-1_0-0 libpeas-gtk-1_0-0 libpeas-lang libpeas-loader-python libpeas-loader-python3 typelib-1_0-Peas-1_0 typelib-1_0-PeasGtk-1_0
- Use make_build macro.
- Avoid running fdupes across hardlink boundaries.
- Update URL to reflect current web, old was 404.
- Run spec-cleaner.
- Fix typo on parallel build command call.
- Conditionalize py2 and py3 build to allow us building of the
one we desire based on codestream.
==== libpwquality ====
Version update (1.3.0 -> 1.4.0)
Subpackages: libpwquality-lang libpwquality1
- Update RPM groups and summaries.
- Switch url to https://github.com/libpwquality/libpwquality/
- Update to release 1.4.0:
* Fix possible buffer overflow with data from /dev/urandom
in pwquality_generate().
* Do not try to check presence of too short username in password.
(thanks to Nikos Mavrogiannopoulos)
* Make the user name check optional (via usercheck option).
* Add an 'enforcing' option to make the checks to be warning-only
in PAM.
* The difok = 0 setting will disable all old password similarity
checks except new and old passwords being identical.
* Updated translations from Zanata.
- Add patch libpwquality-pythons.patch to avoid duping pythondir
- Make python3 default and enable py2 only when needed
==== libqt5-qtwebengine ====
- Also work around crashes on wayland by disabling the GPU by default (boo#1060990):
* disable-gpu-when-using-nouveau-boo-1005323.diff
==== libqt5-qtwebsockets ====
Subpackages: libQt5WebSockets5 libQt5WebSockets5-imports libqt5-qtwebsockets-devel
- fix Typo
==== librsvg ====
Version update (2.40.20 -> 2.42.0)
Subpackages: gdk-pixbuf-loader-rsvg librsvg-2-2 rsvg-thumbnailer typelib-1_0-Rsvg-2_0
- Update to version 2.42.0:
+ Fix a memory leak in rsvg_handle_new_from_file().
+ Optimize the xml:space normalization function.
+ Fix a runtime warning in the feMergeNode code
(glgo#GNOME/librsvg#179).
+ Clarify documentation about the rsvg_*_sub() APIs
(glgo#GNOME/librsvg#175).
+ Stylistic fixes from cargo-clippy.
+ Port the Pango glue code to Rust.
+ New ARCHITECTURE.md with a description of librsvg's internals.
- Clean up spec, use autosetup macro.
==== libsamplerate ====
Subpackages: libsamplerate-devel libsamplerate0
- Add libsamplerate-0.1.9-reproducible.patch to disable throughput
test to make builds reproducible in spite of Profile Guided Optimizations
==== libteam ====
- Drop /pkg/ subpart from includedir
- Remove defattr that is not really needed
- Add condition around python bindings, they are really based on
swig code that would need to be rewritten to support python3
==== libvirt ====
Subpackages: libvirt-client libvirt-daemon libvirt-daemon-config-network libvirt-daemon-config-nwfilter libvirt-daemon-driver-interface libvirt-daemon-driver-libxl libvirt-daemon-driver-lxc libvirt-daemon-driver-network libvirt-daemon-driver-nodedev libvirt-daemon-driver-nwfilter libvirt-daemon-driver-qemu libvirt-daemon-driver-secret libvirt-daemon-driver-storage libvirt-daemon-driver-storage-core libvirt-daemon-driver-storage-disk libvirt-daemon-driver-storage-iscsi libvirt-daemon-driver-storage-logical libvirt-daemon-driver-storage-mpath libvirt-daemon-driver-storage-rbd libvirt-daemon-driver-storage-scsi libvirt-daemon-driver-uml libvirt-daemon-driver-vbox libvirt-daemon-lxc libvirt-daemon-qemu libvirt-daemon-xen libvirt-libs
- Add a qemu hook script providing functionality similar to Xen's
block-dmmd script
suse-qemu-domain-hook.py
FATE#324177
==== libxcb ====
Subpackages: libxcb-render0-32bit libxcb-shm0-32bit libxcb1-32bit
- Enable xinput extension. (bnc#1074249)
- U_add-support-for-eventstruct.patch
* Update xinput to the state when it was enabled by default
upstream.
- n_If-auth-with-credentials-for-hostname-fails-retry-with-XAUTHLOCALHOSTNAME.patch
* Prevent infinite loop also in case DISPLAY is non-local.
- Use spaces instead of tabs in the patches (as does the original
source code) to avoid confusion.
- n_If-auth-with-credentials-for-hostname-fails-retry-with-XAUTHLOCALHOSTNAME.patch
* If authentication (with *stage == 0) failed and the variable
XAUTHLOCALHOSTNAME wasn't set, we were never getting to stage 2
in the original patch, causing calls to xcb_connect_to_display
to be stuck in an infinite loop.
Now we also go to stage 2 if the variable isn't set.
==== libzio ====
Version update (1.05 -> 1.06)
- Add changes from Jerrell Watts which has kindly provided
his changes for lzma/xz support with large I/O buffers
==== llvm ====
- Add missing %files for lld.
==== logrotate ====
Version update (3.12.3 -> 3.13.0)
- Version update to 3.13.0:
* make distribution tarballs report logrotate version properly
* make (un)compress work even if stdin and/or stdout are closed (#154)
* remove -s from DEFAULT_MAIL_COMMAND and improve its documentation (#152)
* uncompress logs before mailing them even if delaycompress is enabled (#151)
* handle unlink of a non-existing log file as a warning only (#144)
* include compile-time options in the output of logrotate --version (#145)
* make logrotate --version print to stdout instead of stderr (#145)
* flush write buffers before syncing state file (#148)
* specify (un)compress utility explicitly in tests (#137)
* enable running tests in parallel (#132)
* explicitly map root UID/GID to 0 on Cygwin (#133)
* add .dpkg-bak and .dpkg-del to default tabooext list (#134)
==== lvm2 ====
Subpackages: liblvm2app2_2 liblvm2cmd2_02
- lvmlockd: add lockopt values for skipping selected locks (fate#323203)
+ fate-323203_lvmlockd-add-lockopt-values-for-skipping-selected-lo.patch
==== makedumpfile ====
- makedumpfile-__cpu_online_mask-symbol.patch: Support symbol
__cpu_online_mask (FATE#323473, bsc#1070291).
- makedumpfile-vtop4_x86_64_pagetable.patch: Introduce
vtop4_x86_64_pagetable (FATE#323473, bsc#1070291).
- makedumpfile-fix-KASLR-for-sadump.patch: Fix a KASLR problem of
sadump (FATE#323473, bsc#1070291).
- makedumpfile-fix-KASLR-for-sadump-while-kdump.patch: sadump: Fix
a KASLR problem of sadump while kdump is working (FATE#323473,
bsc#1070291).
==== mdadm ====
- 0208-mdadm-grow-correct-the-s-size-1-to-make-max-work.patch
(bsc#1074949)
==== mjpegtools ====
Subpackages: libmjpegutils-2_0-0
- Add conditional post(un) handling for libmpeg2encpp-2_0-0.
==== mutter ====
Version update (3.26.2 -> 3.26.2+20171231.0bd1d7cf0)
Subpackages: libmutter-1-0 mutter-data mutter-lang
- Update to version 3.26.2+20171231.0bd1d7cf0:
+ Revert "window: Raise and lower tile match in tandem".
+ wayland: Only send full sequences of touch events to clients.
+ stage: Push framebuffer before setting up viewport.
+ keybindings: Only add multiple keycodes from the same level.
+ wayland-outputs: Delay wl_output destruction.
+ monitor-manager-kms:
- Fix recently introduced build issue.
- poll() on KMS fd on EAGAIN.
+ compositor: reset top_window_actor and remove it from windows
when destroyed.
+ monitor-manager: Compare keys when checking whether a config is
complete.
+ Updated translations.
- Switch to git-checkout via source services.
- Following the above, add intltool and libtool BuildRequires and
pass autogen.sh to bootstrap the generated tarball.
- Pkgconfigy the BuildRequires, replace:
gobject-introspection-devel, libSM-devel, libX11-devel and
libXinerama-devel with pkgconfig(gobject-introspection-1.0),
pkgconfig(sm), pkgconfig(x11) and pkgconfig(xinerama).
- Drop update-desktop-files BuildRequires and stop using
suse_update_desktop_file macro, no longer needed.
- Drop pkgconfig(gbm) BuildRequires listed twice.
- Run spec-cleaner, modernize spec, use make_build macro.
==== nbd ====
Version update (3.16.1 -> 3.16.2)
- Update to version 1.16.2:
* Make the test suite less chatty
* Various build system improvements
* Fixes to the systemd unit to make it work again with recent
systemd
* Point to the nbd mailinglist, rather than to the maintainer's
personal email address, for bug reports.
==== newt ====
- Build without py2 if needed
- Fix upstream url
==== nghttp2 ====
Version update (1.28.0 -> 1.29.0)
- Update to version 1.29.0:
* lib: Use NGHTTP2_REFUSED_STREAM for streams which are closed by
GOAWAY
* build: Remove SPDY
* build: Fix CMAKE_MODULE_PATH
* nghttpx: Revert "nghttpx: Use an existing h2 backend connection
as much as possible"
* nghttpx: Write API request body in temporary file
* nghttpx: Increase api-max-request-body
* nghttpx: Faster configuration loading with lots of backends
* nghttpx: Fix crash with --backend-http-proxy-uri option
==== ntp ====
Subpackages: ntp-doc
- Add ntp-reproducible.patch to make build reproducible (boo#1047218)
- Restart ntpd if failed or aborted (FATE#315133).
- Do not try to set the HW clock when adding a server at runtime
to avoid blocking systemd.
==== numactl ====
Subpackages: libnuma1
- Disable building at 32-bit ARM.
NUMA is not supported by 32-bit ARM Linux Kernel, so build failed
with
[#]error "Add syscalls for your architecture or update kernel headers"
==== openblas_pthreads ====
- Switch from gcc6 to gcc7 as additional compiler flavor for HPC on SLES.
- Fix library package requires - use HPC macro (boo#1074890).
- Fix unexpanded rpm macro in environment module file for HPC (boo#1074897).
==== opencv ====
Subpackages: libopencv3_3 opencv-devel
- Add conditionals for python2 and python3 to allow us enabling
only desired python variants when needed
- Do not depend on sphinx as py2 and py3 seem to collide there
==== openssh ====
Version update (7.2p2 -> 7.6p1)
Subpackages: openssh-helpers
- Replace forgotten references to /var/adm/fillup-templates
with new %_fillupdir macro (boo#1069468)
- tighten configuration access rights
- Update to vanilla 7.6p1
Most important changes (more details below):
* complete removal of the ancient SSHv1 protocol
* sshd(8) cannot run without privilege separation
* removal of support for arcfour, blowfish and CAST ciphers
and RIPE-MD160 HMAC
* refuse RSA keys shorter than 1024 bits
Distilled upstream log:
- OpenSSH 7.3
- --- Security
* sshd(8): Mitigate a potential denial-of-service attack
against the system's crypt(3) function via sshd(8). An
attacker could send very long passwords that would cause
excessive CPU use in crypt(3). sshd(8) now refuses to accept
password authentication requests of length greater than 1024
characters. Independently reported by Tomas Kuthan (Oracle),
Andres Rojas and Javier Nieto.
* sshd(8): Mitigate timing differences in password
authentication that could be used to discern valid from
invalid account names when long passwords were sent and
particular password hashing algorithms are in use on the
server. CVE-2016-6210, reported by EddieEzra.Harari at
verint.com
* ssh(1), sshd(8): Fix observable timing weakness in the CBC
padding oracle countermeasures. Reported by Jean Paul
Degabriele, Kenny Paterson, Torben Hansen and Martin
Albrecht. Note that CBC ciphers are disabled by default and
only included for legacy compatibility.
* ssh(1), sshd(8): Improve operation ordering of MAC
verification for Encrypt-then-MAC (EtM) mode transport MAC
algorithms to verify the MAC before decrypting any
ciphertext. This removes the possibility of timing
differences leaking facts about the plaintext, though no such
leakage has been observed. Reported by Jean Paul Degabriele,
Kenny Paterson, Torben Hansen and Martin Albrecht.
* sshd(8): (portable only) Ignore PAM environment vars when
UseLogin=yes. If PAM is configured to read user-specified
environment variables and UseLogin=yes in sshd_config, then a
hostile local user may attack /bin/login via LD_PRELOAD or
similar environment variables set via PAM. CVE-2015-8325,
found by Shayan Sadigh.
- --- New Features
* ssh(1): Add a ProxyJump option and corresponding -J
command-line flag to allow simplified indirection through
one or more SSH bastions or "jump hosts".
* ssh(1): Add an IdentityAgent option to allow specifying
specific agent sockets instead of accepting one from the
environment.
* ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to
be optionally overridden when using ssh -W. bz#2577
* ssh(1), sshd(8): Implement support for the IUTF8 terminal
mode as per draft-sgtatham-secsh-iutf8-00.
* ssh(1), sshd(8): Add support for additional fixed
Diffie-Hellman 2K, 4K and 8K groups from
draft-ietf-curdle-ssh-kex-sha2-03.
* ssh-keygen(1), ssh(1), sshd(8): support SHA256 and SHA512 RSA
signatures in certificates;
* ssh(1): Add an Include directive for ssh_config(5) files.
* ssh(1): Permit UTF-8 characters in pre-authentication banners
sent from the server. bz#2058
- --- Bugfixes
* ssh(1), sshd(8): Reduce the syslog level of some relatively
common protocol events from LOG_CRIT. bz#2585
* sshd(8): Refuse AuthenticationMethods="" in configurations
and accept AuthenticationMethods=any for the default
behaviour of not requiring multiple authentication. bz#2398
* sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN
ATTEMPT!" message when forward and reverse DNS don't match.
bz#2585
* ssh(1): Close ControlPersist background process stderr except
in debug mode or when logging to syslog. bz#1988
* misc: Make PROTOCOL description for
direct-streamlocal@openssh.com channel open messages match
deployed code. bz#2529
* ssh(1): Deduplicate LocalForward and RemoteForward entries to
fix failures when both ExitOnForwardFailure and hostname
canonicalisation are enabled. bz#2562
* sshd(8): Remove fallback from moduli to obsolete "primes"
file that was deprecated in 2001. bz#2559.
* sshd_config(5): Correct description of UseDNS: it affects ssh
hostname processing for authorized_keys, not known_hosts;
bz#2554
* ssh(1): Fix authentication using lone certificate keys in an
agent without corresponding private keys on the filesystem.
bz#2550
* sshd(8): Send ClientAliveInterval pings when a time-based
RekeyLimit is set; previously keepalive packets were not
being sent. bz#2252
- --- Portability
* ssh(1), sshd(8): Fix compilation by automatically disabling
ciphers not supported by OpenSSL. bz#2466
* misc: Fix compilation failures on some versions of AIX's
compiler related to the definition of the VA_COPY macro.
bz#2589
* sshd(8): Whitelist more architectures to enable the
seccomp-bpf sandbox. bz#2590
* ssh-agent(1), sftp-server(8): Disable process tracing on
Solaris using setpflags(__PROC_PROTECT, ...). bz#2584
* sshd(8): On Solaris, don't call Solaris setproject() with
UsePAM=yes; it's PAM's responsibility. bz#2425
- OpenSSH 7.4
- --- Potentially-incompatible changes
* ssh(1): Remove 3des-cbc from the client's default proposal.
64-bit block ciphers are not safe in 2016 and we don't want
to wait until attacks like SWEET32 are extended to SSH. As
3des-cbc was the only mandatory cipher in the SSH RFCs, this
may cause problems connecting to older devices using the
default configuration, but it's highly likely that such
devices already need explicit configuration for key exchange
and hostkey algorithms already anyway.
* sshd(8): Remove support for pre-authentication compression.
Doing compression early in the protocol probably seemed
reasonable in the 1990s, but today it's clearly a bad idea in
terms of both cryptography (cf. multiple compression oracle
attacks in TLS) and attack surface. Pre-auth compression
support has been disabled by default for >10 years. Support
remains in the client.
* ssh-agent will refuse to load PKCS#11 modules outside a
whitelist of trusted paths by default. The path whitelist may
be specified at run-time.
* sshd(8): When a forced-command appears in both a certificate
and an authorized keys/principals command= restriction, sshd
will now refuse to accept the certificate unless they are
identical. The previous (documented) behaviour of having the
certificate forced-command override the other could be a bit
confusing and error-prone.
* sshd(8): Remove the UseLogin configuration directive and
support for having /bin/login manage login sessions.
- --- Security
* ssh-agent(1): Will now refuse to load PKCS#11 modules from
paths outside a trusted whitelist (run-time configurable).
Requests to load modules could be passed via agent forwarding
and an attacker could attempt to load a hostile PKCS#11
module across the forwarded agent channel: PKCS#11 modules
are shared libraries, so this would result in code execution
on the system running the ssh-agent if the attacker has
control of the forwarded agent-socket (on the host running
the sshd server) and the ability to write to the filesystem
of the host running ssh-agent (usually the host running the
ssh client). Reported by Jann Horn of Project Zero.
* sshd(8): When privilege separation is disabled, forwarded
Unix-domain sockets would be created by sshd(8) with the
privileges of 'root' instead of the authenticated user. This
release refuses Unix-domain socket forwarding when privilege
separation is disabled (Privilege separation has been enabled
by default for 14 years). Reported by Jann Horn of Project
Zero.
* sshd(8): Avoid theoretical leak of host private key material
to privilege-separated child processes via realloc() when
reading keys. No such leak was observed in practice for
normal-sized keys, nor does a leak to the child processes
directly expose key material to unprivileged users. Reported
by Jann Horn of Project Zero.
* sshd(8): The shared memory manager used by pre-authentication
compression support had a bounds check that could be elided
by some optimising compilers. Additionally, this memory
manager was incorrectly accessible when pre-authentication
compression was disabled. This could potentially allow
attacks against the privileged monitor process from the
sandboxed privilege-separation process (a compromise of the
latter would be required first). This release removes
support for pre-authentication compression from sshd(8).
Reported by Guido Vranken using the Stack unstable
optimisation identification tool
(http://css.csail.mit.edu/stack/)
* sshd(8): Fix denial-of-service condition where an attacker
who sends multiple KEXINIT messages may consume up to 128MB
per connection. Reported by Shi Lei of Gear Team, Qihoo 360.
* sshd(8): Validate address ranges for AllowUsers and DenyUsers
directives at configuration load time and refuse to accept
invalid ones. It was previously possible to specify invalid
CIDR address ranges (e.g. user@127.1.2.3/55) and these would
always match, possibly resulting in granting access where it
was not intended. Reported by Laurence Parry.
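A pre-upgrade check for the AllowUsers/DenyUsers change described above, as an added example that is not part of the changelog or of OpenSSH: it flags USER@HOST patterns whose CIDR mask length is invalid, the kind of entry that previously always matched and is now refused at configuration load. The sample configuration and the function names are constructed for illustration, and only whitespace-separated USER@ADDR/MASKLEN patterns are handled.

```python
import ipaddress

# Directives whose USER@HOST patterns may carry a CIDR address/masklen.
USER_LIST_DIRECTIVES = {"allowusers": "AllowUsers", "denyusers": "DenyUsers"}


def cidr_is_valid(host):
    """True if host is ADDR/MASKLEN with a mask length valid for its family."""
    addr, _, masklen = host.partition("/")
    if not masklen.isdigit():
        return False
    try:
        # strict=False: host bits may be set (10.0.0.1/8); only the range matters.
        ipaddress.ip_network(f"{addr}/{masklen}", strict=False)
    except ValueError:
        return False
    return True


def bad_cidr_patterns(config_text):
    """Return (line number, directive, pattern) for each invalid CIDR pattern."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd_config accepts "Keyword value" and "Keyword=value".
        fields = line.replace("=", " ", 1).split()
        if not fields:
            continue
        directive = USER_LIST_DIRECTIVES.get(fields[0].lower())
        if directive is None:
            continue
        for pattern in fields[1:]:
            # Assumption: the host part is everything after the last "@".
            _, at, host = pattern.rpartition("@")
            if at and "/" in host and not cidr_is_valid(host):
                findings.append((lineno, directive, pattern))
    return findings


# Constructed sample configuration (not taken from any real system).
SAMPLE_CONFIG = "\n".join([
    "# constructed sshd_config fragment",
    "Port 22",
    "AllowUsers alice@192.0.2.0/24 bob@127.1.2.3/55 carol",
    "DenyUsers=mallory@2001:db8::/32 eve@10.0.0.0/33",
    "AllowUsers dave@*.example.com",
])

if __name__ == "__main__":
    for lineno, directive, pattern in bad_cidr_patterns(SAMPLE_CONFIG):
        print(f"line {lineno}: {directive} {pattern}: invalid CIDR mask length")
```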
- --- New Features
* ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by
the version in PuTTY by Simon Tatham. This allows a
multiplexing client to communicate with the master process
using a subset of the SSH packet and channels protocol over a
Unix-domain socket, with the main process acting as a proxy
that translates channel IDs, etc. This allows multiplexing
mode to run on systems that lack file-descriptor passing
(used by current multiplexing code) and potentially, in
conjunction with Unix-domain socket forwarding, with the
client and multiplexing master process on different machines.
Multiplexing proxy mode may be invoked using "ssh -O proxy
..."
* sshd(8): Add a sshd_config DisableForwarding option that
disables X11, agent, TCP, tunnel and Unix domain socket
forwarding, as well as anything else we might implement in
the future. Like the 'restrict' authorized_keys flag, this is
intended to be a simple and future-proof way of restricting
an account.
* sshd(8), ssh(1): Support the "curve25519-sha256" key exchange
method. This is identical to the currently-supported method
named "curve25519-sha256@libssh.org".
* sshd(8): Improve handling of SIGHUP by checking to see if
sshd is already daemonised at startup and skipping the call
to daemon(3) if it is. This ensures that a SIGHUP restart of
sshd(8) will retain the same process-ID as the initial
execution. sshd(8) will also now unlink the PidFile prior to
SIGHUP restart and re-create it after a successful restart,
rather than leaving a stale file in the case of a
configuration error. bz#2641
* sshd(8): Allow ClientAliveInterval and ClientAliveCountMax
directives to appear in sshd_config Match blocks.
* sshd(8): Add %-escapes to AuthorizedPrincipalsCommand to
match those supported by AuthorizedKeysCommand (key, key
type, fingerprint, etc.) and a few more to provide access to
the contents of the certificate being offered.
* Added regression tests for string matching, address matching
and string sanitisation functions.
* Improved the key exchange fuzzer harness.
- --- Bugfixes
* ssh(1): Allow IdentityFile to successfully load and use
certificates that have no corresponding bare public key.
bz#2617 certificate id_rsa-cert.pub (and no id_rsa.pub).
* ssh(1): Fix public key authentication when multiple
authentication is in use and publickey is not just the first
method attempted. bz#2642
* regress: Allow the PuTTY interop tests to run unattended.
bz#2639
* ssh-agent(1), ssh(1): improve reporting when attempting to
load keys from PKCS#11 tokens with fewer useless log messages
and more detail in debug messages. bz#2610
* ssh(1): When tearing down ControlMaster connections, don't
pollute stderr when LogLevel=quiet.
* sftp(1): On ^Z wait for underlying ssh(1) to suspend before
suspending sftp(1) to ensure that ssh(1) restores the
terminal mode correctly if suspended during a password
prompt.
* ssh(1): Avoid busy-wait when ssh(1) is suspended during a
password prompt.
* ssh(1), sshd(8): Correctly report errors during sending of
ext-info messages.
* sshd(8): fix NULL-deref crash if sshd(8) received an out-of-
sequence NEWKEYS message.
* sshd(8): Correct list of supported signature algorithms sent
in the server-sig-algs extension. bz#2547
* sshd(8): Fix sending ext_info message if privsep is disabled.
* sshd(8): more strictly enforce the expected ordering of
privilege separation monitor calls used for authentication
and allow them only when their respective authentication
methods are enabled in the configuration
* sshd(8): Fix uninitialised optlen in getsockopt() call;
harmless on Unix/BSD but potentially crashy on Cygwin.
* Fix false positive reports caused by explicit_bzero(3) not
being recognised as a memory initialiser when compiled with
-fsanitize-memory.
* sshd_config(5): Use 2001:db8::/32, the official IPv6 subnet
for configuration examples.
- --- Portability
* On environments configured with Turkish locales, fall back to
the C/POSIX locale to avoid errors in configuration parsing
caused by that locale's unique handling of the letters 'i'
and 'I'. bz#2643
* sftp-server(8), ssh-agent(1): Deny ptrace on OS X using
ptrace(PT_DENY_ATTACH, ..)
* ssh(1), sshd(8): Unbreak AES-CTR ciphers on old (~0.9.8)
OpenSSL.
* Fix compilation for libcrypto compiled without RIPEMD160
support.
* contrib: Add a gnome-ssh-askpass3 with GTK+3 support. bz#2640
* sshd(8): Improve PRNG reseeding across privilege separation
and force libcrypto to obtain a high-quality seed before
chroot or sandboxing.
* All: Explicitly test for broken strnvis. NetBSD added an
strnvis and unfortunately made it incompatible with the
existing one in OpenBSD and Linux's libbsd (the former having
existed for over ten years). Try to detect this mess, and
assume the only safe option if we're cross compiling.
- OpenSSH 7.5
- --- Potentially-incompatible changes
* This release deprecates the sshd_config
UsePrivilegeSeparation option, thereby making privilege
separation mandatory. Privilege separation has been on by
default for almost 15 years and sandboxing has been on by
default for almost the last five.
* The format of several log messages emitted by the packet code
has changed to include additional information about the user
and their authentication state. Software that monitors
ssh/sshd logs may need to account for these changes. For
example:
Connection closed by user x 1.1.1.1 port 1234 [preauth]
Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]
Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]
Affected messages include connection closure, timeout, remote
disconnection, negotiation failure and some other fatal
messages generated by the packet code.
* [Portable OpenSSH only] This version removes support for
building against OpenSSL versions prior to 1.0.1. OpenSSL
stopped supporting versions prior to 1.0.1 over 12 months ago
(i.e. they no longer receive fixes for security bugs).
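For the log-format change in the 7.5 notes above, a parser that log-monitoring rules could use for the "Connection closed by" message, as an added example that is not part of the changelog or of OpenSSH. It accepts the three new shapes quoted above and also a shape without a user field; that older shape, the syslog prefixes, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# "Connection closed by ..." in either shape:
#   no user field: Connection closed by ADDR [port N] [preauth]
#   user field:    Connection closed by [authenticating |invalid ]user NAME ADDR port N [preauth]
CLOSED_RE = re.compile(
    r"Connection closed by "
    r"(?:(?:(?P<qualifier>authenticating|invalid) )?user (?P<user>\S+) )?"
    r"(?P<addr>[0-9A-Fa-f:.]+)"
    r"(?: port (?P<port>\d+))?"
    r"(?P<preauth> \[preauth\])?\s*$"
)

# A rule written only for the shape without a user field (assumed older form).
NAIVE_RE = re.compile(r"Connection closed by (?P<addr>\S+)")


def naive_addr(line):
    """What the older-style rule extracts as the peer address."""
    m = NAIVE_RE.search(line)
    return m.group("addr") if m else None


def parse_closed(line):
    """Parse one log line; return a dict, or None if it is another message."""
    m = CLOSED_RE.search(line)
    if m is None:
        return None
    user = m.group("user")
    if user is None:
        state = "no-user-field"
    else:
        # "user" means the message carried a user name with no qualifier.
        state = m.group("qualifier") or "user"
    return {
        "state": state,
        "user": user,
        "addr": m.group("addr"),
        "port": int(m.group("port")) if m.group("port") else None,
        "preauth": m.group("preauth") is not None,
    }


def invalid_user_sources(lines, threshold=2):
    """Addresses with at least `threshold` closes logged for invalid users."""
    hits = Counter()
    for line in lines:
        event = parse_closed(line)
        if event and event["state"] == "invalid":
            hits[event["addr"]] += 1
    return {addr: n for addr, n in hits.items() if n >= threshold}


# Constructed sample log: the first three messages are the ones quoted in the
# release notes; the prefixes and the remaining lines are made up.
SAMPLE_LOG = [
    "Jan 16 09:00:01 host sshd[2101]: Connection closed by user x 1.1.1.1 port 1234 [preauth]",
    "Jan 16 09:00:02 host sshd[2102]: Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]",
    "Jan 16 09:00:03 host sshd[2103]: Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]",
    "Jan 16 09:00:04 host sshd[2104]: Connection closed by invalid user admin 192.0.2.50 port 40122 [preauth]",
    "Jan 16 09:00:05 host sshd[2105]: Connection closed by invalid user test 192.0.2.50 port 40124 [preauth]",
    "Jan 16 09:00:06 host sshd[2106]: Connection closed by 192.0.2.7 [preauth]",
    "Jan 16 09:00:07 host sshd[2107]: Connection closed by 2001:db8::7 port 50522 [preauth]",
    "Jan 16 09:00:08 host sshd[2108]: Accepted publickey for x from 192.0.2.9 port 50000 ssh2",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(naive_addr(entry), parse_closed(entry))
    print(invalid_user_sources(SAMPLE_LOG))
```

A rule that takes the first token after "Connection closed by" as the address extracts "user", "authenticating" or "invalid" from the new messages, which is the breakage the note warns about.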
- --- Security
* ssh(1), sshd(8): Fix weakness in CBC padding oracle
countermeasures that allowed a variant of the attack fixed in
OpenSSH 7.3 to proceed. Note that the OpenSSH client
disables CBC ciphers by default, sshd offers them as
lowest-preference options and will remove them by default
entirely in the next release. Reported by Jean Paul
Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen
of Royal Holloway, University of London.
* sftp-client(1): [portable OpenSSH only] On Cygwin, a client
making a recursive file transfer could be manipulated by a
hostile server to perform a path-traversal attack, creating
or modifying files outside of the intended target directory.
Reported by Jann Horn of Google Project Zero.
- --- New Features
* ssh(1), sshd(8): Support "=-" syntax to easily remove methods
from algorithm lists, e.g. Ciphers=-*cbc. bz#2671
- --- Bugfixes
* sshd(1): Fix NULL dereference crash when key exchange start
messages are sent out of sequence.
* ssh(1), sshd(8): Allow form-feed characters to appear in
configuration files.
* sshd(8): Fix regression in OpenSSH 7.4 support for the
server-sig-algs extension, where SHA2 RSA signature methods
were not being correctly advertised. bz#2680
* ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs
in known_hosts processing. bz#2591 bz#2685
* ssh(1): Allow ssh to use certificates accompanied by a
private key file but no corresponding plain *.pub public key.
bz#2617
* ssh(1): When updating hostkeys using the UpdateHostKeys
option, accept RSA keys if HostkeyAlgorithms contains any RSA
keytype. Previously, ssh could ignore RSA keys when only the
ssh-rsa-sha2-* methods were enabled in HostkeyAlgorithms and
not the old ssh-rsa method. bz#2650
* ssh(1): Detect and report excessively long configuration file
lines. bz#2651
* Merge a number of fixes found by Coverity and reported via
Redhat and FreeBSD. Includes fixes for some memory and file
descriptor leaks in error paths. bz#2687
* ssh-keyscan(1): Correctly hash hosts with a port number.
bz#2692
* ssh(1), sshd(8): When logging long messages to stderr, don't
truncate "\r\n" if the length of the message exceeds the
buffer. bz#2688
* ssh(1): Fully quote [host]:port in generated ProxyJump/-J
command-line; avoid confusion over IPv6 addresses and shells
that treat square bracket characters specially.
* ssh-keygen(1): Fix corruption of known_hosts when running
"ssh-keygen -H" on a known_hosts containing already-hashed
entries.
* Fix various fallout and sharp edges caused by removing SSH
protocol 1 support from the server, including the server
banner string being incorrectly terminated with only \n
(instead of \r\n), confusing error messages from ssh-keyscan
bz#2583 and a segfault in sshd if protocol v.1 was enabled
for the client and sshd_config contained references to legacy
keys bz#2686.
* ssh(1), sshd(8): Free fd_set on connection timeout. bz#2683
* sshd(8): Fix Unix domain socket forwarding for root
(regression in OpenSSH 7.4).
* sftp(1): Fix division by zero crash in "df" output when
server returns zero total filesystem blocks/inodes.
* ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL
errors encountered during key loading to more meaningful
error codes. bz#2522 bz#2523
* ssh-keygen(1): Sanitise escape sequences in key comments sent
to printf but preserve valid UTF-8 when the locale supports
it; bz#2520
* ssh(1), sshd(8): Return reason for port forwarding failures
where feasible rather than always "administratively
prohibited". bz#2674
* sshd(8): Fix deadlock when AuthorizedKeysCommand or
AuthorizedPrincipalsCommand produces a lot of output and a
key is matched early. bz#2655
* Regression tests: several reliability fixes. bz#2654 bz#2658
bz#2659
* ssh(1): Fix typo in ~C error message for bad port forward
cancellation. bz#2672
* ssh(1): Show a useful error message when included config
files can't be opened; bz#2653
* sshd(8): Make sshd set GSSAPIStrictAcceptorCheck=yes as the
manual page (previously incorrectly) advertised. bz#2637
* sshd_config(5): Repair accidentally-deleted mention of %k
token in AuthorizedKeysCommand; bz#2656
* sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM;
bz#2665
* ssh-agent(1): Relax PKCS#11 whitelist to include libexec and
common 32-bit compatibility library directories.
* sftp-client(1): Fix non-exploitable integer overflow in
SSH2_FXP_NAME response handling.
* ssh-agent(1): Fix regression in 7.4 of deleting
PKCS#11-hosted keys. It was not possible to delete them
except by specifying their full physical path. bz#2682
- --- Portability
* sshd(8): Avoid sandbox errors for Linux S390 systems using an
ICA crypto coprocessor.
* sshd(8): Fix non-exploitable weakness in seccomp-bpf sandbox
arg inspection.
* ssh(1): Fix X11 forwarding on OSX where X11 was being started
by launchd. bz#2341
* ssh-keygen(1), ssh(1), sftp(1): Fix output truncation for
various that contain non-printable characters where the
codeset in use is ASCII.
* build: Fix builds that attempt to link a kerberised libldns.
bz#2603
* build: Fix compilation problems caused by unconditionally
defining _XOPEN_SOURCE in wide character detection.
* sshd(8): Fix sandbox violations for clock_gettime vDSO
syscall fallback on some Linux/X32 kernels. bz#2142
- OpenSSH 7.6
- --- Potentially-incompatible changes
This release includes a number of changes that may affect
existing configurations:
* ssh(1): delete SSH protocol version 1 support, associated
configuration options and documentation.
* ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC.
* ssh(1)/sshd(8): remove support for the arcfour, blowfish and
CAST ciphers.
* Refuse RSA keys <1024 bits in length and improve reporting
for keys that do not meet this requirement.
* ssh(1): do not offer CBC ciphers by default.
- --- Security
* sftp-server(8): in read-only mode, sftp-server was
incorrectly permitting creation of zero-length files.
Reported by Michal Zalewski.
- --- New Features
* ssh(1): add RemoteCommand option to specify a command in the
ssh config file instead of giving it on the client's command
line. This allows the configuration file to specify the
command that will be executed on the remote host.
* sshd(8): add ExposeAuthInfo option that enables writing
details of the authentication methods used (including public
keys where applicable) to a file that is exposed via a
$SSH_USER_AUTH environment variable in the subsequent
session.
* ssh(1): add support for reverse dynamic forwarding. In this
mode, ssh will act as a SOCKS4/5 proxy and forward
connections to destinations requested by the remote SOCKS
client. This mode is requested using extended syntax for the -R
and RemoteForward options and, because it is implemented
solely at the client, does not require the server be updated
to be supported.
* sshd(8): allow LogLevel directive in sshd_config Match
blocks; bz#2717
* ssh-keygen(1): allow inclusion of arbitrary string or flag
certificate extensions and critical options.
* ssh-keygen(1): allow ssh-keygen to use a key held in
ssh-agent as a CA when signing certificates. bz#2377
* ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an
explicit ToS/DSCP value and just use the operating system
default.
* ssh-add(1): added -q option to make ssh-add quiet on success.
* ssh(1): expand the StrictHostKeyChecking option with two new
settings. The first "accept-new" will automatically accept
hitherto-unseen keys but will refuse connections for changed
or invalid hostkeys. This is a safer subset of the current
behaviour of StrictHostKeyChecking=no. The second setting
"off", is a synonym for the current behaviour of
StrictHostKeyChecking=no: accept new host keys, and continue
connection for hosts with incorrect hostkeys. A future
release will change the meaning of StrictHostKeyChecking=no
to the behaviour of "accept-new". bz#2400
* ssh(1): add SyslogFacility option to ssh(1) matching the
equivalent option in sshd(8). bz#2705
- --- Bugfixes
* ssh(1): use HostKeyAlias if specified instead of hostname for
matching host certificate principal names; bz#2728
* sftp(1): implement sorting for globbed ls; bz#2649
* ssh(1): add a user@host prefix to client's "Permission
denied" messages, useful in particular when using "stacked"
connections (e.g. ssh -J) where it's not clear which host is
denying. bz#2720
* ssh(1): accept unknown EXT_INFO extension values that contain
\0 characters. These are legal, but would previously cause
fatal connection errors if received.
* ssh(1)/sshd(8): repair compression statistics printed at
connection exit
* sftp(1): print '?' instead of incorrect link count (that the
protocol doesn't provide) for remote listings. bz#2710
* ssh(1): return failure rather than fatal() for more cases
during session multiplexing negotiations. Causes the session
to fall back to a non-mux connection if they occur. bz#2707
* ssh(1): mention that the server may send debug messages to
explain public key authentication problems under some
circumstances; bz#2709
* Translate OpenSSL error codes to better report incorrect
passphrase errors when loading private keys; bz#2699
* sshd(8): adjust compatibility patterns for WinSCP to
correctly identify versions that implement only the legacy DH
group exchange scheme. bz#2748
* ssh(1): print the "Killed by signal 1" message only at
LogLevel verbose so that it is not shown at the default
level; prevents it from appearing during ssh -J and
equivalent ProxyCommand configs. bz#1906, bz#2744
* ssh-keygen(1): when generating all hostkeys (ssh-keygen -A),
clobber existing keys if they exist but are zero length.
zero-length keys could previously be made if ssh-keygen
failed or was interrupted part way through generating them.
bz#2561
* ssh(1): fix pledge(2) violation in the escape sequence "~&"
used to place the current session in the background.
* ssh-keyscan(1): avoid double-close() on file descriptors;
bz#2734
* sshd(8): avoid reliance on shared use of pointers shared
between monitor and child sshd processes. bz#2704
* sshd_config(8): document available AuthenticationMethods;
bz#2453
* ssh(1): avoid truncation in some login prompts; bz#2768
* sshd(8): Fix various compilations failures, inc bz#2767
* ssh(1): make "--" before the hostname terminate argument
processing after the hostname too.
* ssh-keygen(1): switch from aes256-cbc to aes256-ctr for
encrypting new-style private keys. Fixes problems related to
private key handling for no-OpenSSL builds. bz#2754
* ssh(1): warn and do not attempt to use keys when the public
and private halves do not match. bz#2737
* sftp(1): don't print verbose error message when ssh
disconnects from under sftp. bz#2750
* sshd(8): fix keepalive scheduling problem: activity on a
forwarded port from preventing the keepalive from being sent;
bz#2756
* sshd(8): when started without root privileges, don't require
the privilege separation user or path to exist. Makes running
the regression tests easier without touching the filesystem.
* Make integrity.sh regression tests more robust against
timeouts. bz#2658
* ssh(1)/sshd(8): correctness fix for channels implementation:
accept channel IDs greater than 0x7FFFFFFF.
- --- Portability
* sshd(9): drop two more privileges in the Solaris sandbox:
PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723
* sshd(8): expose list of completed authentication methods to
PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408
* ssh(1)/sshd(8): fix several problems in the tun/tap
forwarding code, mostly to do with host/network byte order
confusion. bz#2735
* Add --with-cflags-after and --with-ldflags-after configure
flags to allow setting CFLAGS/LDFLAGS after configure has
completed. These are useful for setting sanitiser/fuzzing
options that may interfere with configure's operation.
* sshd(8): avoid Linux seccomp violations on ppc64le over the
socketcall syscall.
* Fix use of ldns when using ldns-config; bz#2697
* configure: set cache variables when cross-compiling. The
cross-compiling fallback message was saying it assumed the
test passed, but it wasn't actually setting the cache variables
and this would cause later tests to fail.
* Add clang libFuzzer harnesses for public key parsing and
signature verification.
- packaging:
* moving patches into a separate archive
* first round of rebased patches:
[-X11_trusted_forwarding]
[-allow_root_password_login]
[-blocksigalrm]
[-cavstest-ctr]
[-cavstest-kdf]
[-disable_short_DH_parameters]
[-eal3]
[-enable_PAM_by_default]
[-fips]
[-fips_checks]
[-gssapi_key_exchange]
[-hostname_changes_when_forwarding_X]
[-lastlog]
[-missing_headers]
[-pam_check_locks]
[-pts_names_formatting]
[-remove_xauth_cookies_on_exit]
[-seccomp_geteuid]
[-seccomp_getuid]
[-seccomp_stat]
[-seed-prng]
[-send_locale]
[-systemd-notify]
* not rebased (obsoleted) patches (so far):
[-additional_seccomp_archs]
[-allow_DSS_by_default]
[-default_protocol]
[-dont_use_pthreads_in_PAM]
[-eal3_obsolete]
[-gssapimitm]
[-saveargv-fix]
* obviously removing all standalone patch files:
[openssh-7.2p2-allow_root_password_login.patch]
[openssh-7.2p2-allow_DSS_by_default.patch]
[openssh-7.2p2-X11_trusted_forwarding.patch]
[openssh-7.2p2-lastlog.patch]
[openssh-7.2p2-enable_PAM_by_default.patch]
[openssh-7.2p2-dont_use_pthreads_in_PAM.patch]
[openssh-7.2p2-eal3.patch]
[openssh-7.2p2-blocksigalrm.patch]
[openssh-7.2p2-send_locale.patch]
[openssh-7.2p2-hostname_changes_when_forwarding_X.patch]
[openssh-7.2p2-remove_xauth_cookies_on_exit.patch]
[openssh-7.2p2-pts_names_formatting.patch]
[openssh-7.2p2-pam_check_locks.patch]
[openssh-7.2p2-disable_short_DH_parameters.patch]
[openssh-7.2p2-seccomp_getuid.patch]
[openssh-7.2p2-seccomp_geteuid.patch]
[openssh-7.2p2-seccomp_stat.patch]
[openssh-7.2p2-additional_seccomp_archs.patch]
[openssh-7.2p2-fips.patch]
[openssh-7.2p2-cavstest-ctr.patch]
[openssh-7.2p2-cavstest-kdf.patch]
[openssh-7.2p2-seed-prng.patch]
[openssh-7.2p2-gssapi_key_exchange.patch]
[openssh-7.2p2-audit.patch]
[openssh-7.2p2-audit_fixes.patch]
[openssh-7.2p2-audit_seed_prng.patch]
[openssh-7.2p2-login_options.patch]
[openssh-7.2p2-disable_openssl_abi_check.patch]
[openssh-7.2p2-no_fork-no_pid_file.patch]
[openssh-7.2p2-host_ident.patch]
[openssh-7.2p2-sftp_homechroot.patch]
[openssh-7.2p2-sftp_force_permissions.patch]
[openssh-7.2p2-X_forward_with_disabled_ipv6.patch]
[openssh-7.2p2-ldap.patch]
[openssh-7.2p2-IPv6_X_forwarding.patch]
[openssh-7.2p2-ignore_PAM_with_UseLogin.patch]
[openssh-7.2p2-prevent_timing_user_enumeration.patch]
[openssh-7.2p2-limit_password_length.patch]
[openssh-7.2p2-keep_slogin.patch]
[openssh-7.2p2-kex_resource_depletion.patch]
[openssh-7.2p2-verify_CIDR_address_ranges.patch]
[openssh-7.2p2-restrict_pkcs11-modules.patch]
[openssh-7.2p2-prevent_private_key_leakage.patch]
[openssh-7.2p2-secure_unix_sockets_forwarding.patch]
[openssh-7.2p2-ssh_case_insensitive_host_matching.patch]
[openssh-7.2p2-disable_preauth_compression.patch]
[openssh-7.2p2-s390_hw_crypto_syscalls.patch]
[openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch]
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (boo#1069468)
==== patterns-kde ====
Subpackages: patterns-kde-devel_kde patterns-kde-devel_kde_frameworks patterns-kde-devel_qt5 patterns-kde-kde patterns-kde-kde_edutainment patterns-kde-kde_games patterns-kde-kde_ide patterns-kde-kde_imaging patterns-kde-kde_internet patterns-kde-kde_multimedia patterns-kde-kde_office patterns-kde-kde_plasma patterns-kde-kde_utilities patterns-kde-kde_utilities_opt patterns-kde-kde_yast
- Recommend discover in the kde_plasma pattern
==== php7 ====
Version update (7.2.0 -> 7.2.1)
Subpackages: apache2-mod_php7 php7-bcmath php7-bz2 php7-calendar php7-ctype php7-curl php7-dba php7-devel php7-dom php7-exif php7-fastcgi php7-ftp php7-gd php7-gettext php7-gmp php7-iconv php7-imap php7-json php7-ldap php7-mbstring php7-mysql php7-odbc php7-openssl php7-pdo php7-pear php7-pear-Archive_Tar php7-pgsql php7-shmop php7-snmp php7-sockets php7-sqlite php7-sysvsem php7-sysvshm php7-tidy php7-tokenizer php7-wddx php7-xmlreader php7-xmlwriter php7-xsl php7-zlib
- updated to 7.2.1: Several security bugs were fixed in this release.
http://php.net/ChangeLog-7.php#7.2.1
- build against newer webp [bsc#1074121]
==== plasma5-desktop ====
Subpackages: plasma5-desktop-lang
- Add patch to fix generation of font previews:
* 0001-Support-font-ttf-and-font-otf-mimetypes-in-kfontinst.patch
==== plasma5-pk-updates ====
Subpackages: plasma5-pk-updates-lang
- Fix refresh logic on startup:
* 0001-Only-save-the-last-update-timestep-on-success.patch
* 0002-Show-that-the-last-check-failed-if-no-updates-availa.patch
* 0003-List-known-updates-on-startup.patch
==== publicsuffix ====
Version update (20171028 -> 20171228)
- Update to version 20171228:
* Add Paris region (#579)
* Fixed alwaysdata.net. (#555)
* Add Combell domains (#565)
* Adding scrysec.com (#528)
* Add Fedora Openshift app domains (#533)
* Add resin.io device domains to list (#499)
* Add nh-serv.co.uk to list file (#491)
* Add 1Password domains (#562)
* Add s5y.io (#572)
* Add social domains - NIC.bo (#467)
==== python-attrs ====
Version update (17.3.0 -> 17.4.0)
- specfile:
* update copyright year
- update to version 17.4.0:
* Backward-incompatible Changes
+ The traversal of MROs when using multiple inheritance was
backward:
If you defined a class "C" that subclasses "A" and "B" like
"C(A, B)", "attrs" would have collected the attributes from "B"
*before* those of "A".
This is now fixed and means that in classes that employ multiple
inheritance, the output of "__repr__" and the order of
positional arguments in "__init__" changes.
Due to the nature of this bug, a proper deprecation cycle was
unfortunately impossible.
Generally speaking, it's advisable to prefer "kwargs"-based
initialization anyways - *especially* if you employ multiple
inheritance and diamond-shaped hierarchies.
+ The "__repr__" set by "attrs" no longer produces an
"AttributeError" when the instance is missing some of the
specified attributes (either through deleting or after using
"init=False" on some attributes).
This can break code that relied on "repr(attr_cls_instance)"
raising "AttributeError" to check if any attr-specified members
were unset.
If you were using this, you can implement a custom method for
checking this::
    def has_unset_members(self):
        for field in attr.fields(type(self)):
            try:
                getattr(self, field.name)
            except AttributeError:
                return True
        return False
* Deprecations
+ The "attr.ib(convert=callable)" option is now deprecated in
favor of "attr.ib(converter=callable)".
This is done to achieve consistency with other noun-based
arguments like *validator*. *convert* will keep working until
at least January 2019 while raising a "DeprecationWarning".
* Changes
+ Generated "__hash__" methods now hash the class type along with
the attribute values. Until now the hashes of two classes with
the same values were identical which was a bug.
The generated method is also *much* faster now.
+ "attr.ib"'s "metadata" argument now defaults to a unique empty
"dict" instance instead of sharing a common empty "dict" for
all. The singleton empty "dict" is still enforced.
+ "ctypes" is optional now however if it's missing, a bare
"super()" will not work in slots classes. This should only
happen in special environments like Google App Engine.
+ The attribute redefinition feature introduced in 17.3.0 now
takes into account if an attribute is redefined via multiple
inheritance. In that case, the definition that is closer to the
base of the class hierarchy wins.
+ Subclasses of "auto_attribs=True" can be empty now.
+ Equality tests are *much* faster now.
+ All generated methods now have correct "__module__", "__name__",
and (on Python 3) "__qualname__" attributes.
==== python-cssselect ====
Version update (1.0.1 -> 1.0.3)
Subpackages: python2-cssselect python3-cssselect
- specfile:
* update copyright year
- update to version 1.0.3:
* Fix artifact uploads to pypi
- changes from version 1.0.2:
* Drop support for Python 2.6 and Python 3.3.
* Fix deprecation warning in Python 3.6.
* Minor cleanups.
==== python-dbus-python ====
Subpackages: python2-dbus-python python3-dbus-python
- drop unneeded epydoc requirement properly
==== python-gpgme ====
- Use python macros to not directly pull both develpackages
==== python-httplib2 ====
- update httplib2-use-system-certs.patch: handle
the case with ssl_version being None correctly
- update httplib2-use-system-certs.patch: Also use
ssl.create_default_context in the python2 case so that
the system wide certificates are loaded as trusted again.
==== python-kiwi ====
Version update (9.11.24 -> 9.11.30)
- Bump version: 9.11.29 → 9.11.30
- Deleted syslinux from ppc/oemboot/suse-SLES15
syslinux is not provided for ppc. This Fixes bsc#1073310
[boot] fix double quote in grub menu which makes kernel updates for CentOS / RHEL / Fedora break grub.cfg
- Omit kiwi-repart dracut module in oemboot initrd
KIWI's oemboot initrd with initrd_system="dracut" together with
installiso="true" requires to have dracut-kiwi-oem-repart package
installed in the system, thus it ends up also being included in the
recreated dracut initrd after booting the oemboot initrd from the
installation iso. This kiwi-repart module causes a boot failure in that
case since no .profile file is present, moreover, it has no sense to
run it at that stage, since the disk is already reparted by the
oemboot code.
This commit allows installiso="true" and initrd_system="dracut" to
play well together.
- Improve locale pattern in schema
Now the locale pattern in the schema also supports POSIX. Note
that POSIX will be only accepted if listed in the first place of the comma
separated list.
This commit fixes #570
- Bump version: 9.11.28 → 9.11.29
- Allow to choose dracut live module
There is the standard dracut dmsquash-live module based on
the device mapper technology and the kiwi-live module based
on the overlayfs technology. The setup of the live iso structure
in kiwi is compatible to both modules. Thus it makes sense
to allow to choose the technology via the flags attribute
As a heads-up: if you're using xtables-addons, be aware that the version shipped with snapshot 20180116 is broken for at least the xt_geoip module (due to symbols that can't be resolved).
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
==== Mesa ==== Version update (17.2.6 -> 17.3.2) Subpackages: Mesa-dri-devel Mesa-libEGL-devel Mesa-libEGL1 Mesa-libGL-devel Mesa-libGL1 Mesa-libglapi0 libgbm1 libwayland-egl1
==== Mesa-drivers ==== Version update (17.2.6 -> 17.3.2) Subpackages: Mesa-libva libvdpau_r300 libvdpau_r600 libvdpau_radeonsi libvulkan_radeon libxatracker2
[...] - Add Mesa-dri and Mesa-gallium to baselibs.conf.
This or something connected to this has caused an issue with the Plasma 5 splash screen not going away and therefore the Plasma desktop not becoming usable (on both my Tumbleweed machines, with SandyBridge/IvyBridge graphics). In looking at logs, I saw something about DRI drivers not being able to load and I remembered the Mesa update, so I looked at packages that may have issues or may be missing and saw that "Mesa-dri" was not installed. After installing that one manually, the issue was fixed. I suspect that there is an issue of some missing dependency that should pull Mesa-dri in. Cheers, Robert Kaiser
On Thu, 2018-01-18 at 12:03 +0100, Robert Kaiser wrote:
==== Mesa ==== Version update (17.2.6 -> 17.3.2) Subpackages: Mesa-dri-devel Mesa-libEGL-devel Mesa-libEGL1 Mesa-libGL-devel Mesa-libGL1 Mesa-libglapi0 libgbm1 libwayland-egl1
==== Mesa-drivers ==== Version update (17.2.6 -> 17.3.2) Subpackages: Mesa-libva libvdpau_r300 libvdpau_r600 libvdpau_radeonsi libvulkan_radeon libxatracker2
[...] - Add Mesa-dri and Mesa-gallium to baselibs.conf.
This or something connected to this has caused an issue with the Plasma 5 splash screen not going away and therefore the Plasma desktop not becoming usable (on both my Tumbleweed machines, with SandyBridge/IvyBridge graphics). In looking at logs, I saw something about DRI drivers not being able to load and I remembered the Mesa update, so I looked at packages that may have issues or may be missing and saw that "Mesa-dri" was not installed. After installing that one manually, the issue was fixed.
I suspect that there is an issue of some missing dependency that should pull Mesa-dri in.
Are you installing/maintaining your machine with --no-recommends?
On Thursday, 18 January 2018 12:03:56 CET, Robert Kaiser wrote:
==== Mesa ==== Version update (17.2.6 -> 17.3.2) Subpackages: Mesa-dri-devel Mesa-libEGL-devel Mesa-libEGL1 Mesa-libGL-devel Mesa-libGL1 Mesa-libglapi0 libgbm1 libwayland-egl1
==== Mesa-drivers ==== Version update (17.2.6 -> 17.3.2) Subpackages: Mesa-libva libvdpau_r300 libvdpau_r600 libvdpau_radeonsi libvulkan_radeon libxatracker2
[...] - Add Mesa-dri and Mesa-gallium to baselibs.conf.
This or something connected to this has caused an issue with the Plasma 5 splash screen not going away and therefore the Plasma desktop not becoming usable (on both my Tumbleweed machines, with SandyBridge/IvyBridge graphics). In looking at logs, I saw something about DRI drivers not being able to load and I remembered the Mesa update, so I looked at packages that may have issues or may be missing and saw that "Mesa-dri" was not installed. After installing that one manually, the issue was fixed.
I suspect that there is an issue of some missing dependency that should pull Mesa-dri in.
After today TW update, Plasma started and showed message
Plasma Failed to Start - Plasma Plasma is unable to start as ic could not correctly use OpenGL 2. Please check that you graphic drivers are set up correctly.
If I click to OK, plasma closes. Starting it manually leads to same result. Plasma is started, but nothing is clickable and there is no window decoration. I do not use OpenGL driver for Plasma composition (XRander instead). I have Intel i7-7820HQ CPU and 00:02.0 VGA compatible controller: Intel Corporation Device 591b (rev 04).
xsession-errors log says intel libEGL warning: DRI2: failed to open i965 (search paths /usr/lib64/dri)
Installation of Mesa-dri (and reboot) fixes it. Thank You!
--
Vojtěch Zeisek
https://trapa.cz/
The new openssh version 7.6p1-1.1 in 20180116 seems to break X forwarding with ssh -X. Reverting to 7.2p2-6.2 fixed the problem. I haven't really investigated - I just reverted quickly because I use this constantly. Is there something new about the configuration in 7.6p1-1.1 ? -- ============================ Roger Whittaker roger@disruptive.org.uk ============================
On Thursday, 18 January 2018 12:11:36 CET, Dominique Leuenberger / DimStar wrote:
On Thu, 2018-01-18 at 12:03 +0100, Robert Kaiser wrote:
==== Mesa ==== Version update (17.2.6 -> 17.3.2) Subpackages: Mesa-dri-devel Mesa-libEGL-devel Mesa-libEGL1 Mesa-libGL-devel Mesa-libGL1 Mesa-libglapi0 libgbm1 libwayland-egl1
==== Mesa-drivers ==== Version update (17.2.6 -> 17.3.2) Subpackages: Mesa-libva libvdpau_r300 libvdpau_r600 libvdpau_radeonsi libvulkan_radeon libxatracker2
[...] - Add Mesa-dri and Mesa-gallium to baselibs.conf.
This or something connected to this has caused an issue with the Plasma 5 splash screen not going away and therefore the Plasma desktop not becoming usable (on both my Tumbleweed machines, with SandyBridge/IvyBridge graphics). In looking at logs, I saw something about DRI drivers not being able to load and I remembered the Mesa update, so I looked at packages that may have issues or may be missing and saw that "Mesa-dri" was not installed. After installing that one manually, the issue was fixed.
I suspect that there is an issue of some missing dependency that should pull Mesa-dri in.
Are you installing/maintaining your machine with --no-recommends?
I am, indeed. But in this case, IMHO, it should be required and no "just" recommended...? -- Vojtěch Zeisek https://trapa.cz/
On Thu, 2018-01-18 at 11:46 +0000, Roger Whittaker wrote:
The new openssh version 7.6p1-1.1 in 20180116 seems to break X forwarding with ssh -X.
Reverting to 7.2p2-6.2 fixed the problem.
I haven't really investigated - I just reverted quickly because I use this constantly.
Is there something new about the configuration in 7.6p1-1.1 ?
I know this won't really help you to solve the problem, but this is apparently nothing generic, since we have an openQA test to run xterm over ssh -X, which passed: https://openqa.opensuse.org/tests/584669#step/sshxterm/5
Do you have any .rpmsave/.rpmnew files in /etc that you did not merge changes yet?
Cheers
Dominique
On Thu, 18 Jan 2018 11:46:07 +0000, Roger Whittaker
The new openssh version 7.6p1-1.1 in 20180116 seems to break X forwarding with ssh -X.
No problem here, works like a charm
Linux 4.14.13-1-default [openSUSE Tumbleweed 20180116]
$ rpm -q openssh
openssh-7.6p1-1.1.x86_64
$ ssh -V
OpenSSH_7.6p1, OpenSSL 1.0.2n-fips 7 Dec 2017
Out of interest: what is the version of sshd on the host you are connecting to?
$ ssh -v -X remotehost pwd 2>&1 | grep -i version
debug1: Local version string SSH-2.0-OpenSSH_7.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6
Reverting to 7.2p2-6.2 fixed the problem.
I haven't really investigated - I just reverted quickly because I use this constantly.
Is there something new about the configuration in 7.6p1-1.1 ?
-- H.Merijn Brand http://tux.nl Perl Monger http://amsterdam.pm.org/ using perl5.00307 .. 5.27 porting perl5 on HP-UX, AIX, and openSUSE http://mirrors.develooper.com/hpux/ http://www.test-smoke.org/ http://qa.perl.org http://www.goldmark.org/jeff/stupid-disclaimers/
On Thu, 2018-01-18 at 12:49 +0100, Vojtěch Zeisek wrote:
I suspect that there is an issue of some missing dependency that should
pull Mesa-dri in.
Are you installing/maintaining your machine with --no-recommends?
I am, indeed. But in this case, IMHO, it should be required and no "just" recommended...?
Difficult to say - since there are multiple Mesa-dri-* packages (that supplement Mesa and other X-related graphics drivers). Simply requiring 'any dri driver' might get you the wrong one installed on your system.
If we have Mesa require Mesa-dri, we are back to the problem that anything pulling in Mesa-headers must wait for llvm to build, even though nothing uses any dri driver in a build environment (and believe me, waiting for llvm is nothing you want to do)
The only option I'd see with a requires is to break it up in OBS (which is possible, but something I really try to avoid, as it's often causing interesting bug reports as it's easy to confuse packagers)
Cheers
Dominique
On Thursday, 18 January 2018 12:46:07 CET, Roger Whittaker wrote:
The new openssh version 7.6p1-1.1 in 20180116 seems to break X forwarding with ssh -X.
Reverting to 7.2p2-6.2 fixed the problem.
I haven't really investigated - I just reverted quickly because I use this constantly.
Is there something new about the configuration in 7.6p1-1.1 ?
Works fine here. Using ssh -X all day, to various machines. -- Gertjan Lettink, a.k.a. Knurpht openSUSE Board Member openSUSE Forums Team
Dominique Leuenberger / DimStar wrote:
On Thu, 2018-01-18 at 12:03 +0100, Robert Kaiser wrote:
==== Mesa ==== Version update (17.2.6 -> 17.3.2) Subpackages: Mesa-dri-devel Mesa-libEGL-devel Mesa-libEGL1 Mesa-libGL-devel Mesa-libGL1 Mesa-libglapi0 libgbm1 libwayland-egl1
==== Mesa-drivers ==== Version update (17.2.6 -> 17.3.2) Subpackages: Mesa-libva libvdpau_r300 libvdpau_r600 libvdpau_radeonsi libvulkan_radeon libxatracker2
[...] - Add Mesa-dri and Mesa-gallium to baselibs.conf.
This or something connected to this has caused an issue with the Plasma 5 splash screen not going away and therefore the Plasma desktop not becoming usable (on both my Tumbleweed machines, with SandyBridge/IvyBridge graphics). In looking at logs, I saw something about DRI drivers not being able to load and I remembered the Mesa update, so I looked at packages that may have issues or may be missing and saw that "Mesa-dri" was not installed. After installing that one manually, the issue was fixed.
I suspect that there is an issue of some missing dependency that should pull Mesa-dri in.
Are you installing/maintaining your machine with --no-recommends?
Yes, indeed: zypper dup --no-allow-vendor-change --no-recommends That said, this sounds like it should be an actual "Requires" somewhere and not just a "Recommends", or am I mistaken? Cheers, Robert
On Thu, Jan 18, 2018 at 12:56:46PM +0100, H.Merijn Brand wrote:
Out of interest: what is the version of sshd on the host you are connecting to?
Both ends were updated to 7.6p1-1.1 - that's when I saw the failure. I'm slightly puzzled because I can't see what in the configuration was blocking this. -- ============================ Roger Whittaker roger@disruptive.org.uk https://notes.smuvelious.org ============================
Hi,
well I have the same Problem, having a R7-290 OpenGL-card from AMD. The Error in former Mails are quite correct. Fortunately, thunderbird and firefox started before Plasma quits. Because all programs quit, except those 2, I am unable to open a terminal. So I can't look, except starting Tumbleweed in text mode. Well, Alt F2 works but entering konsole& doesn't start.
cheers
Hartmut
Delmenhorst
-----------
On 18.01.2018 at 12:58, Dominique Leuenberger / DimStar wrote:
On Thu, 2018-01-18 at 12:49 +0100, Vojtěch Zeisek wrote:
I suspect that there is an issue of some missing dependency that should
pull Mesa-dri in. Are you installing/maintaining your machine with --no-recommends? I am, indeed. But in this case, IMHO, it should be required and no "just" recommended...? Difficult to say - since there are multiple Mesa-dri-* packages (that supplement Mesa and other X-related graphics drivers). Simply requiring 'any dri driver' might get you the wrong one installed on your system.
If we have Mesa require Mesa-dri, we are back to the problem that anything pulling in Mesa-headers must wait for llvm to build, even though nothing uses any dri driver in a build environment (and believe me, waiting for llvm is nothing you want to do)
The only option I'd see with a requires is to break it up in OBS (which is possible, but something I really try to avoid, as it's often causing interesting bug reports as it's easy to confuse packagers)
Cheers Dominique
On Thursday, 18 January 2018 13:19:48 CET, Hartmut Rosch wrote:
well I have the same Problem, having a R7-290 OpenGL-card from AMD. The Error in former Mails are quite correct. Fortunately, thunderbird and firefox started before Plasma quits. Because all programs quit, except those 2, I am unable to open a terminal. So I can't look, except starting Tumbleweed in text mode.
What about pressing Ctrl+Alt+F1? Return then to GUI by Alt+F7. -- Vojtěch Zeisek https://trapa.cz/
Dominique Leuenberger / DimStar wrote:
On Thu, 2018-01-18 at 12:49 +0100, Vojtěch Zeisek wrote:
I suspect that there is an issue of some missing dependency that should
pull Mesa-dri in.
Are you installing/maintaining your machine with --no-recommends?
I am, indeed. But in this case, IMHO, it should be required and no "just" recommended...?
Difficult to say - since there are multiple Mesa-dri-* packages (that supplement Mesa and other X-related graphics drivers). Simply requiring 'any dri driver' might get you the wrong one installed on your system.
That sounds like fun, esp. as most of the drivers (including the fallback swrast) are in that "Mesa-dri" package from what I can see. Cheers, Robert
Reading some contributions on this mailing list about Mesa and that like, so I looked in my installed packages and discovered that the Mesa-dri package was not installed. So I installed that package and everything went okay. Thanks for the help
Hartmut
Delmenhorst
-----------
On 18.01.2018 at 13:24, Robert Kaiser wrote:
Dominique Leuenberger / DimStar wrote:
On Thu, 2018-01-18 at 12:49 +0100, Vojtěch Zeisek wrote:
I suspect that there is an issue of some missing dependency that should
pull Mesa-dri in.
Are you installing/maintaining your machine with --no-recommends?
I am, indeed. But in this case, IMHO, it should be required and no "just" recommended...?
Difficult to say - since there are multiple Mesa-dri-* packages (that supplement Mesa and other X-related graphics drivers). Simply requiring 'any dri driver' might get you the wrong one installed on your system.
That sounds like fun, esp. as most of the drivers (including the fallback swrast) are in that "Mesa-dri" package from what I can see.
Cheers, Robert
* Dominique Leuenberger / DimStar
On Thu, 2018-01-18 at 12:49 +0100, Vojtěch Zeisek wrote:
I suspect that there is an issue of some missing dependency that should
pull Mesa-dri in.
Are you installing/maintaining your machine with --no-recommends?
I am, indeed. But in this case, IMHO, it should be required and not "just" recommended...?
Difficult to say - since there are multiple Mesa-dri-* packages (that supplement Mesa and other X-related graphics drivers). Simply requiring 'any dri driver' might get you the wrong one installed on your system.
If we have Mesa require Mesa-dri, we are back to the problem that anything pulling in Mesa-headers must wait for llvm to build, even though nothing uses any dri driver in a build environment (and believe me, waiting for llvm is nothing you want to do)
The only option I'd see with a requires is to break it up in OBS (which is possible, but something I really try to avoid, as it's often causing interesting bug reports as it's easy to confuse packagers)
same problem on toshiba laptop with intel graphics. installing Mesa-dri solved. odd that Mesa-dri was not previously installed, ever to my knowledge. did not have problem on an intel box with nvidia drivers.
-- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri Registered Linux User #207535 @ http://linuxcounter.net Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet freenode
Patrick Shanahan wrote:
* Dominique Leuenberger / DimStar
[01-18-18 07:02]:
If we have Mesa require Mesa-dri, we are back to the problem that anything pulling in Mesa-headers must wait for llvm to build, even though nothing uses any dri driver in a build environment (and believe me, waiting for llvm is nothing you want to do)
But why were they moved from Mesa to Mesa-dri? Is it an option to just move them back?
same problem on toshiba laptop with intel graphics. installing Mesa-dri solved. odd that Mesa-dri was not previously installed, ever to my knowledge.
For me it had been on once, but I had removed it at some point. The needed libs were in the main Mesa package until yesterday....
did not have problem on an intel box with nvidia drivers.
Will see tonight - my Intel-Nvidia box is at home....
On Thu, Jan 18, 2018 at 11:46:07AM +0000, Roger Whittaker wrote:
The new openssh version 7.6p1-1.1 in 20180116 seems to break X forwarding with ssh -X.
Reverting to 7.2p2-6.2 fixed the problem.
I haven't really investigated - I just reverted quickly because I use this constantly.
Is there something new about the configuration in 7.6p1-1.1 ?
In case this is of use to anyone else: the system I was connecting to had ipv6 disabled, and in /etc/ssh/sshd_config had the default setting
AddressFamily any
With 7.2p2-6.2 I could ssh -X to it without problems. After the update to 7.6p1-1.1 I needed to set
AddressFamily inet
and the problem was then solved.
--
============================
Roger Whittaker
roger@disruptive.org.uk
============================
On Thu, 2018-01-18 at 13:51 +0000, Peter Suetterlin wrote:
Patrick Shanahan wrote:
* Dominique Leuenberger / DimStar
[01-18-18 07:02]: If we have Mesa require Mesa-dri, we are back to the problem that anything pulling in Mesa-headers must wait for llvm to build, even though nothing uses any dri driver in a build environment (and believe me, waiting for llvm is nothing you want to do)
But why were they moved from Mesa to Mesa-dri? Is it an option to just move them back?
Moving them back is a no-go: The Mesa package needed to be split to stop a build-dependency on LLVM; this is too expensive and continuously blocked the entire distro from building. With this split of Mesa/Mesa-drivers, we can much better parallelize the build of the distro (and react sooner to issues) Cheers Dominique
On Thursday 2018-01-18 15:01, Roger Whittaker wrote:
On Thu, Jan 18, 2018 at 11:46:07AM +0000, Roger Whittaker wrote:
The new openssh version 7.6p1-1.1 in 20180116 seems to break X forwarding with ssh -X.
Reverting to 7.2p2-6.2 fixed the problem.
I haven't really investigated - I just reverted quickly because I use this constantly.
Is there something new about the configuration in 7.6p1-1.1 ?
In case this is of use to anyone else: the system I was connecting to had ipv6 disabled, and in /etc/ssh/sshd_config had the default setting After the update to 7.6p1-1.1 I needed to set
AddressFamily inet
and the problem was then solved.
Sounds more like a bandaid than a solution (like disabling IPv6 is).
Jan Engelhardt wrote:
On Thursday 2018-01-18 15:01, Roger Whittaker wrote:
On Thu, Jan 18, 2018 at 11:46:07AM +0000, Roger Whittaker wrote:
The new openssh version 7.6p1-1.1 in 20180116 seems to break X forwarding with ssh -X.
Reverting to 7.2p2-6.2 fixed the problem.
I haven't really investigated - I just reverted quickly because I use this constantly.
Is there something new about the configuration in 7.6p1-1.1 ?
In case this is of use to anyone else: the system I was connecting to had ipv6 disabled, and in /etc/ssh/sshd_config had the default setting After the update to 7.6p1-1.1 I needed to set
AddressFamily inet
and the problem was then solved.
Sounds more like a bandaid than a solution (like disabling IPv6 is).
Let me rephrase it: I haven't yet rebased the bandaid we had in previous
packages - what you see is upstream behaviour. It will be fixed with
next update (about by the end of the next week).
That said, please do not use X forwarding unless you really must even
after ten people told you this sentence. Every time someone uses X
forwarding,
Dominique Leuenberger / DimStar wrote:
On Thu, 2018-01-18 at 13:51 +0000, Peter Suetterlin wrote:
Patrick Shanahan wrote:
* Dominique Leuenberger / DimStar
[01-18-18 07:02]: If we have Mesa require Mesa-dri, we are back to the problem that anything pulling in Mesa-headers must wait for llvm to build, even though nothing uses any dri driver in a build environment (and believe me, waiting for llvm is nothing you want to do)
But why were they moved from Mesa to Mesa-dri? Is it an option to just move them back?
Moving them back is a no-go: The Mesa package needed to be split to stop a build-dependency on LLVM; this is too expensive and continuously blocked the entire distro from building. With this split of Mesa/Mesa-drivers, we can much better parallelize the build of the distro (and react sooner to issues)
OK, I can understand this. But do you really gain something if now Mesa-dri has to wait for llvm, and Mesa-dri is needed for probably a huge part of the TW users? Or can those be updated out-of-sync?
On Thu, 18 Jan 2018 15:20:20 +0100, Petr Cerny
That said, please do not use X forwarding unless you really must even after ten people told you this sentence. Every time someone uses X forwarding,
.
Doesn't sound convincing. What is the most current definitive guide for not using X11 forwarding? What should I tell a newby when he/she asks *WHY* it should not be used? -- H.Merijn Brand http://tux.nl Perl Monger http://amsterdam.pm.org/ using perl5.00307 .. 5.27 porting perl5 on HP-UX, AIX, and openSUSE http://mirrors.develooper.com/hpux/ http://www.test-smoke.org/ http://qa.perl.org http://www.goldmark.org/jeff/stupid-disclaimers/
Roger Whittaker wrote:
In case this is of use to anyone else: the system I was connecting to had ipv6 disabled, and in /etc/ssh/sshd_config had the default setting
AddressFamily any
With 7.2p2-6.2 I could ssh -X to it without problems.
After the update to 7.6p1-1.1 I needed to set
AddressFamily inet
and the problem was then solved.
Interesting that this shows up only now for you. In my Tips_and_Tricks file I have an entry
X forwarding in openSUSE 12.3: If IPv6 is disabled, sshd_config needs AddressFamily INET
So it somehow seems to be a long-standing thing...
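Added example, not part of any message in the thread and not openSUSE or OpenSSH project code: a POSIX shell check for the combination Roger Whittaker and Peter Suetterlin describe above, a server with IPv6 disabled whose sshd_config leaves AddressFamily at any while X11 forwarding is on. The function names, the proc-root test parameter and the sample file are constructed for illustration; the fallback values (X11Forwarding no, AddressFamily any) are the upstream OpenSSH defaults, and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example, not from the thread. Sample file contents are constructed.

# Print the effective global value of an sshd_config keyword.
# $1 = config file, $2 = keyword, $3 = value to assume when it is not set.
sshd_keyword() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key); val = def }
        /^[ \t]*#/ { next }                      # comment line
        /^[ \t]*$/ { next }                      # blank line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)            # "Keyword value" or "Keyword=value"
            k = tolower(f[1])                    # keywords are case-insensitive
            if (k == "match") exit               # conditional blocks are not evaluated
            if (k == key) { val = tolower(f[2]); exit }   # first occurrence wins
        }
        END { print val }
    ' "$1"
}

# Print "disabled" when IPv6 is off system-wide, otherwise "enabled".
# $1 = proc root (default /proc); it is a parameter only so the check is testable.
# A missing sysctl file means the IPv6 stack is not loaded at all.
ipv6_state() {
    f="${1:-/proc}/sys/net/ipv6/conf/all/disable_ipv6"
    if [ ! -r "$f" ] || [ "$(cat "$f")" = "1" ]; then
        echo disabled
    else
        echo enabled
    fi
}

# Report whether the configuration matches the case from the thread.
# $1 = sshd_config path, $2 = "enabled" or "disabled" (from ipv6_state).
x11_forwarding_verdict() {
    x11=$(sshd_keyword "$1" X11Forwarding no)    # upstream default: no
    af=$(sshd_keyword "$1" AddressFamily any)    # upstream default: any
    if [ "$x11" != "yes" ]; then
        echo "n/a: X11Forwarding=$x11"
    elif [ "$2" = "disabled" ] && [ "$af" = "any" ]; then
        echo "mismatch: IPv6 disabled but AddressFamily=any; the thread's fix is AddressFamily inet"
    else
        echo "ok: AddressFamily=$af, IPv6 $2"
    fi
}

# Demonstration on a constructed config resembling a default install.
demo() {
    tmp=$(mktemp)
    printf '%s\n' '# constructed sample' 'X11Forwarding yes' '#AddressFamily any' > "$tmp"
    x11_forwarding_verdict "$tmp" disabled
    rm -f "$tmp"
}
demo
```

On a live server, `sshd -T` prints the effective configuration and is the authoritative source; this parser reads a single file only.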
On Thu, 2018-01-18 at 14:22 +0000, Peter Suetterlin wrote:
Dominique Leuenberger / DimStar wrote:
On Thu, 2018-01-18 at 13:51 +0000, Peter Suetterlin wrote:
Patrick Shanahan wrote:
* Dominique Leuenberger / DimStar
[01-18-18 07:02]: If we have Mesa require Mesa-dri, we are back to the problem that anything pulling in Mesa-headers must wait for llvm to build, even though nothing uses any dri driver in a build environment (and believe me, waiting for llvm is nothing you want to do)
But why were they moved from Mesa to Mesa-dri? Is it an option to just move them back?
Moving them back is a no-go: The Mesa package needed to be split to stop a build-dependency on LLVM; this is too expensive and continuously blocked the entire distro from building. With this split of Mesa/Mesa-drivers, we can much better parallelize the build of the distro (and react sooner to issues)
OK, I can understand this.
But do you really gain something if now Mesa-dri has to wait for llvm, and Mesa-dri is needed for probably a huge part of the TW users? Or can those be updated out-of-sync?
We gain a lot even! Basically nothing depends on Mesa-dri to build; of course we will still only be able to release a snapshot once everything is built, but the build time graph is definitively much improved

dependson Mesa | wc -l
2323
-> that many packages need Mesa to be built

dependson Mesa-drivers | wc -l
3
-> Those need to wait for Mesa-drivers

Having > 2k packages waiting for llvm/Mesa-drivers or only 3 makes a huge difference.

And for completeness:
dependson llvm5 | wc -l
31
-> Things that have to wait for llvm5 now

Especially being able to build other large things like LibreOffice in parallel makes a lot of difference.
Cheers
Dominique
Petr Cerny wrote:
That said, please do not use X forwarding unless you really must even after ten people told you this sentence. Every time someone uses X forwarding,
. I strongly advocate using VNC (tunnelled through an ssh connection, if you like) - quick guide: 1) start `Xvnc` (preferably through the `vncserver`) - you'll need the xorg-x11-Xvnc package (on openSUSE); 2) connect to it with a VNC client (e.g. tigervnc, but there are more). It is also possible to attach to a running desktop session with x11vnc.
Are you trying to indoctrinate people for Wayland? Some background for this 'warning' definitely is needed. I'll definitely not start a whole X session just for a single console application that might (or not) open some graphics window.
Dominique Leuenberger / DimStar wrote: [ long explanation snipped ]
Especially being able to build other large things like LibreOffice in parallel makes a lot of difference.
Thanks a lot. I really appreciate such detailed information and (hope to) learn from them every time :D
H.Merijn Brand wrote:
On Thu, 18 Jan 2018 15:20:20 +0100, Petr Cerny
wrote: That said, please do not use X forwarding unless you really must even after ten people told you this sentence. Every time someone uses X forwarding,
. Doesn't sound convincing. What is the most current definitive guide for not using X11 forwarding? What should I tell a newby when he/she asks *WHY* it should not be used?
1) security - application can only grab inputs it gets from its X server. If you run it in a Xvnc, it only gets input that it is sent by the VNC client.
2) speed - the X protocol is usually much more verbose when compared to VNC, since it carries requests to draw things, while VNC only transports bitmaps (compressed). Try running Firefox via ssh -X and through VNC. I've also seen things that just didn't work via SSH-forwarded X11.
3) network outages - X forwarded apps will break on connection interrupt, VNC lives fully on the server and one can reconnect to it.
Downside of VNC is, that you may be putting more strain on the server (the system that is running the application), but I would argue that if that becomes the problem, the question actually is, whether running that application remotely is the optimal solution (likely it isn't).
Thanks
Cheers
Petr
-- Petr Cerny Mozilla/OpenSSH maintainer for SUSE Linux
Peter Suetterlin wrote:
Petr Cerny wrote:
That said, please do not use X forwarding unless you really must even after ten people told you this sentence. Every time someone uses X forwarding,
. I strongly advocate using VNC (tunnelled through an ssh connection, if you like) - quick guide: 1) start `Xvnc` (preferably through the `vncserver`) - you'll need the xorg-x11-Xvnc package (on openSUSE); 2) connect to it with a VNC client (e.g. tigervnc, but there are more). It is also possible to attach to a running desktop session with x11vnc.
Are you trying to indoctrinate people for Wayland? Some background for this 'warning' definitely is needed.
I haven't mentioned Wayland anywhere, my statement was: "I strongly advocate using VNC". If you would like my opinion on Wayland, please move it off this thread.
I'll definitely not start a whole X session just for a single console application that might (or not) open some graphics window.
I haven't mentioned starting a whole X session (I suppose you understand it as fully fledged GNOME/KDE environment). What Xvnc/vncserver does is a matter of configuration. Speaking of console application that may open a X window, that is actually easily done with VNC as well. Just ssh to the remote side, export the DISPLAY environment variable pointing to a Xvnc server running on that machine and you are all set up (you may need to export XAUTHORITY as well).
Thanks
Cheers
Petr
-- Petr Cerny Mozilla/OpenSSH maintainer for SUSE Linux
On Thu, 18 Jan 2018 15:40:00 +0100, Petr Cerny
H.Merijn Brand wrote:
On Thu, 18 Jan 2018 15:20:20 +0100, Petr Cerny
wrote: That said, please do not use X forwarding unless you really must even after ten people told you this sentence. Every time someone uses X forwarding,
. Doesn't sound convincing. What is the most current definitive guide for not using X11 forwarding? What should I tell a newby when he/she asks *WHY* it should not be used?
I'll bite, not for wars, but to get as much info as possible on why I should or should not use X11 versus VNC. I'll stop if the list finds this inappropriate here.
1) security - application can only grab inputs it gets from its X server. If you run it in a Xvnc, it only gets input that it is sent by the VNC client.
A legit reason, but somewhat void if on an internal network behind big firewalls
2) speed - the X protocol is usually much more verbose when compared to VNC, since it carries requests to draw things, while VNC only transports bitmaps (compressed). Try running Firefox via ssh -X and through VNC. I've also seen things that just didn't work via SSH-forwarded X11.
With 100+ synchronous networks on both end, who will notice?
3) network outages - X forwarded apps will break on connection interrupt, VNC lives fully on the server and one can reconnect to it.
I've seen outages of close to 2 minutes and the client still managed to "revive" the application/window. If I need the output, it is likely I have a long running process, and then I'll start screen.
Downside of VNC is, that you may be putting more strain on the server (the system that is running the application), but I would argue that if that becomes the problem, the question actually is, whether running that application remotely is the optimal solution (likely it isn't).
Another downside is that the server needs to be set up. When using X11 forwarding, both sides are likely to support the protocol by default.
For me, the fact that the server gets a higher load, alone is good enough a reason not to use VNC but stick to ssh -Y. My server(s) are usually under a higher strain than my desktop is. That's why it is a server, right?
Now if all distributions had tools like YaST2 that work fine in non-X11 environments (ASCII only), I would not need X11 that much, but the competing distros like CentOS- and Ubuntu-like still require an awful lot of tools to show in GUIs (X11). Try finding how to install a printer in Ubuntu: 90% of the pages you find start with "Click on ..." like they expect you to have a desktop. For me that usually is
$ ssh -Y admin_user@server
server$ sudo bash
$ system-config-printer
openSUSE++
$ sudo yast2 printer
Cheers Petr
-- H.Merijn Brand http://tux.nl Perl Monger http://amsterdam.pm.org/ using perl5.00307 .. 5.27 porting perl5 on HP-UX, AIX, and openSUSE http://mirrors.develooper.com/hpux/ http://www.test-smoke.org/ http://qa.perl.org http://www.goldmark.org/jeff/stupid-disclaimers/
H.Merijn Brand wrote:
On Thu, 18 Jan 2018 15:40:00 +0100, Petr Cerny
wrote: not using X11 forwarding? What should I tell a newby when he/she asks *WHY* it should not be used?
I'll bite, not for wars, but to get as much info as possible on why I should or should not use X11 versus VNC
1) security - application can only grab inputs it gets from its X server. If you run it in a Xvnc, it only gets input that it is sent by the VNC client.
A legit reason, but somewhat void if on an internal network behind big firewalls
The key word is "somewhat". The question is not whether there are attackers on your network, but how many.
2) speed - the X protocol is usually much more verbose when compared to VNC, since it carries requests to draw things, while VNC only transports bitmaps (compressed). Try running Firefox via ssh -X and through VNC. I've also seen things that just didn't work via SSH-forwarded X11.
With 100+ synchronous networks on both end, who will notice?
Out of curiosity: have you actually tried?
3) network outages - X forwarded apps will break on connection interrupt, VNC lives fully on the server and one can reconnect to it.
I've seen outages of close to 2 minutes and the client still managed to "revive" the application/window. If I need the output, it is likely I have a long running process, and then I'll start screen.
VNC *is* screen/tmux for X11 applications
Downside of VNC is, that you may be putting more strain on the server (the system that is running the application), but I would argue that if that becomes the problem, the question actually is, whether running that application remotely is the optimal solution (likely it isn't).
Another downside is that the server needs to be set up. When using X11 forwarding, both sides are likely to support the protocol by default.
Installing 1 package on the server and one on the client (plus optional dependencies shouldn't be that much of an effort). Configuration is a matter of 5 minutes (20 if you include reading man pages).
For me, the fact that the server gets a higher load, alone is good enough a reason not to use VNC but stick to ssh -Y. My server(s) are usually under a higher strain than my desktop is. That's why it is a server, right?
Try checking the load a heavy graphic app puts on your system when running as X11@SSH and VNC (I haven't benchmarked it). Or just check whatever you are usually running.
Now if all distributions had tools like YaST2 that work fine in non-X11 environments (ASCII only), I would not need X11 that much, but the competing distros like CentOS- and Ubuntu-like still require an awful lot of tools to show in GUIs (X11). Try finding how to install a printer in Ubuntu: 90% of the pages you find start with "Click on ..." like they expect you to have a desktop. For me that usually is
$ ssh -Y admin_user@server
server$ sudo bash
$ system-config-printer
I feel your pain, yet this argument is almost irrelevant to what we're discussing now (almost since it is a bit easier to run `ssh -Y` than invoking the ssh+vncserver+vncviewer combo indeed - but then we have scripting languages...).
openSUSE++
$ sudo yast2 printer
Thanks
Cheers
Petr
-- Petr Cerny Mozilla/OpenSSH maintainer for SUSE Linux
Petr Cerny wrote:
Peter Suetterlin wrote:
Are you trying to indoctrinate people for Wayland? Some background for this 'warning' definitely is needed.
I haven't mentioned Wayland anywhere, my statement was: "I strongly advocate using VNC". If you would like my opinion on Wayland, please move it off this thread.
No, just curious. Most people I met so far trying to push VNC for everything were (also) wayland wanters. Doesn't really matter....
I'll definitely not start a whole X session just for a single console application that might (or not) open some graphics window.
I haven't mentioned starting a whole X session (I suppose you understand it as fully fledged GNOME/KDE environment). What Xvnc/vncserver does is a matter of configuration.
Sure, it's still the X server plus some window manager. With 20 users doing that on our server that might consume quite a part of its memory that is much better used for data processing...
Speaking of console application that may open a X window, that is actually easily done with VNC as well. Just ssh to the remote side, export the DISPLAY environment variable pointing to a Xvnc server running on that machine and you are all set up (you may need to export XAUTHORITY as well).
Yes. It's possible. But needs (quite some) configuration, opposite to the X forwarding.
I guess my main issue is your general condemnation of forwarding. For me, this largely depends on context. Our main use of forwarding is an ssh -X login to a server, run computational-heavy stuff in languages like IDL or Python from the command line, and display results. This in the local network.
Your assumed application(?) rather is running something like a browser or IDE via forwarding. I completely agree with you that for that purpose VNC is superior. But X forwarding in ssh *does* have many reasonable applications. And I strongly believe that no cat is harmed by doing it :D
(The only thing I personally use VNC for regularly is x11vnc_ssh, to connect to running sessions of remote users for support)
On Thursday 2018-01-18 16:16, Petr Cerny wrote:
H.Merijn Brand wrote:
On Thu, 18 Jan 2018 15:40:00 +0100, Petr Cerny
wrote: not using X11 forwarding? What should I tell a newby when he/she asks *WHY* it should not be used?
I'll bite, not for wars, but to get as much info as possible on why I should or should not use X11 versus VNC
1) security - application can only grab inputs it gets from its X server. If you run it in a Xvnc, it only gets input that it is sent by the VNC client.
A legit reason, but somewhat void if on an internal network behind big firewalls
The key word is "somewhat". The question is not whether there are attackers on your network, but how many.
But SSH's security mechanisms win over VNC. And running VNC through ssh -L gets into the realm of "more security means less usability". Hrrm - probably pick RDP over VNC?
2) speed - the X protocol is usually much more verbose when compared to VNC, since it carries requests to draw things, while VNC only transports bitmaps (compressed). Try running Firefox via ssh -X and through VNC. I've also seen things that just didn't work via SSH-forwarded X11.
With 100+ synchronous networks on both end, who will notice?
Out of curiosity: have you actually tried?
I had the fun of experiencing SunRays 15 years ago. Worked like X11 - which means it only worked well so long as the line was neither congested nor latent.
On Thursday, 18 January 2018 15:20:20 CET Petr Cerny wrote:
That said, please do not use X forwarding unless you really must even after ten people told you this sentence. Every time someone uses X forwarding,
. I strongly advocate using VNC (tunnelled through an ssh connection, if you like) - quick guide: 1) start `Xvnc` (preferably through the `vncserver`) - you'll need the xorg-x11-Xvnc package (on openSUSE); 2) connect to it with a VNC client (e.g. tigervnc, but there are more). It is also possible to attach to a running desktop session with x11vnc.
I second that. Note: There’s xrdp, too, which is compatible with Windows’ built-in RDP client and also supports forwarding audio, clipboard and other things, and it can forward single application windows (rather than a full session). However, setup is unfortunately more complicated than sshd.
On Thu, Jan 18, 2018 at 03:20:20PM +0100, Petr Cerny wrote: [...]
I strongly advocate using VNC (tunnelled through an ssh connection, if you like) - quick guide: 1) start `Xvnc` (preferably through the `vncserver`) - you'll need the xorg-x11-Xvnc package (on openSUSE); 2) connect to it with a VNC client (e.g. tigervnc, but there are more). It is also possible to attach to a running desktop session with x11vnc.
On current tumbleweed doing this fails with errors of the following type from vncviewer.

Thu Jan 18 17:34:58 2018
 DecodeManager: Detected 4 CPU core(s)
 DecodeManager: Creating 4 decoder thread(s)
 CConn: connected to host teapot port 5902
 CConnection: Server supports RFB protocol version 3.8
 CConnection: Using RFB protocol version 3.8
 CConnection: Choosing security type VeNCrypt(19)
 CVeNCrypt: Choosing security type [unknown secType] (0)
 CConn: No valid VeNCrypt sub-type

--
============================
Roger Whittaker
roger@disruptive.org.uk
============================
On Thu, 18 Jan 2018 17:57:34 +0100, Martin Herkt
On Thursday, 18 January 2018 15:20:20 CET Petr Cerny wrote:
That said, please do not use X forwarding unless you really must even after ten people told you this sentence. Every time someone uses X forwarding,
. I strongly advocate using VNC (tunnelled through an ssh connection, if you like) - quick guide: 1) start `Xvnc` (preferably through the `vncserver`) - you'll need the xorg-x11-Xvnc package (on openSUSE); 2) connect to it with a VNC client (e.g. tigervnc, but there are more). It is also possible to attach to a running desktop session with x11vnc.
I second that. Note: There’s xrdp, too, which is compatible with Windows’ built-in RDP client and also supports forwarding audio, clipboard and other things, and it can forward single application windows (rather than a full session). However, setup is unfortunately more complicated than sshd.
These are to take over a desktop, something IMHO seldom needed on servers. Additionally, xrdp needs to run as a service, which will - again - use server resources where I most of the time would need them for server processing tasks.
FWIW the old rdesktop tool will not connect to recentish Windows systems. You'll need xfreerdp for that, which - hate hate hate hate - changed the option syntax to something very NOT unix/linux like ☠☠☠☠☠
Old (rdesktop):
rdesktop \
    -T windows \
    -u username -p - \
    -g 1600x1024 -a 24 -C -x l \
    -r clipboard:CLIPBOARD \
    -K -N -P \
    windows
New (xfreerdp):
xfreerdp \
    /t:windows \
    /u:username /from-stdin \
    /size:1600x1024 /bpp:32 \
    +clipboard \
    /cert-ignore \
    /nsc \
    /v:windows
And the worst thing there is that xfreerdp used to support the old-style options and they removed that in favor of this windows-like unrememberable bullshit
-- H.Merijn Brand http://tux.nl Perl Monger http://amsterdam.pm.org/ using perl5.00307 .. 5.27 porting perl5 on HP-UX, AIX, and openSUSE http://mirrors.develooper.com/hpux/ http://www.test-smoke.org/ http://qa.perl.org http://www.goldmark.org/jeff/stupid-disclaimers/
On 01/18/2018 09:43 AM, H.Merijn Brand wrote:
On Thu, 18 Jan 2018 17:57:34 +0100, Martin Herkt
wrote: That said, please do not use X forwarding unless you really must even after ten people told you this sentence. Every time someone uses X forwarding,
. I strongly advocate using VNC (tunnelled through an ssh connection, if you like) - quick guide: 1) start `Xvnc` (preferably through the `vncserver`) - you'll need the xorg-x11-Xvnc package (on openSUSE); 2) connect to it with a VNC client (e.g. tigervnc, but there are more). It is also possible to attach to a running desktop session with x11vnc. I second that. Note: There’s xrdp, too, which is compatible with Windows’ built-in RDP client and also supports forwarding audio, clipboard and other
On Thursday, 18 January 2018 15:20:20 CET Petr Cerny wrote: things, and it can forward single application windows (rather than a full session). However, setup is unfortunately more complicated than sshd. These are to take over a desktop, something IMHO seldom needed on servers. Additionally, xrdp needs to run as a service, which will - again - use server resources where I most of the time would need them for server processing tasks.
FWIW the old rdesktop tool will not connect to recentish Windows systems. You'll need xfreerdp for that, which - hate hate hate hate - changed the option syntax to something very NOT unix/linux like ☠☠☠☠☠
Old (rdesktop):
rdesktop \
    -T windows \
    -u username -p - \
    -g 1600x1024 -a 24 -C -x l \
    -r clipboard:CLIPBOARD \
    -K -N -P \
    windows
New (xfreerdp):
xfreerdp \
    /t:windows \
    /u:username /from-stdin \
    /size:1600x1024 /bpp:32 \
    +clipboard \
    /cert-ignore \
    /nsc \
    /v:windows
And the worst thing there is that xfreerdp used to support the old-style options and they removed that in favor of this windows-like unrememberable bullshit
Actually, if you're talking about RDP type protocols, you're talking about MS Windows. Saying "seldom needed on servers" is less than accurate. To pay my bills, I support many enterprises that use MS Windows, including Fortune 500 level enterprises. It's not just common, but the only thing they know how to and/or allowed to do... "Desktop" takeover of the server via the windows native methods.
"Strongly" advocating VNC with or without tunnels, in all of its fragmented forms, is simply not realistic either. Apple has its flavor, then there are Tiger, Tight and Real. Sometimes they interoperate. More and more often, they don't.
Sigh
On Thu, 18 Jan 2018 10:04:21 -0800, Bruce Ferrell
On 01/18/2018 09:43 AM, H.Merijn Brand wrote:
On Thu, 18 Jan 2018 17:57:34 +0100, Martin Herkt
wrote: That said, please do not use X forwarding unless you really must even after ten people told you this sentence. Every time someone uses X forwarding,
. I strongly advocate using VNC (tunnelled through an ssh connection, if you like) - quick guide: 1) start `Xnvc` (preferably through the `vncserver`) - you'll need the xorg-x11-Xvnc package (on openSUSE); 2) connect to it with a VNC client (e.g. tigervnc, but there are more). It is also possible to attach to a running desktop session with x11vnc. I second that. Note: There’s xrdp, too, which is compatible with Windows’ built-in RDP client and also supports forwarding audio, clipboard and other
On Thursday, 18 January 2018 15:20:20 CET Petr Cerny wrote: things, and it can forward single application windows (rather than a full session). However, setup is unfortunately more complicated than sshd. These are to take over a desktop, something IMHO seldom needed on servers. Additionally, xrdp needs to run as a service, which will - again - use server resources where I most of the time would need them for server processing tasks.
FWIW the old rdesktop tool will not connect to recentish Windows systems. You'll need xfreerdp for that, which - hate hate hate hate - changed the option syntax to something very NOT unix/linux like ☠☠☠☠☠
Old (rdesktop):
    rdesktop \
        -T windows \
        -u username -p - \
        -g 1600x1024 -a 24 -C -x l \
        -r clipboard:CLIPBOARD \
        -K -N -P \
        windows
New (xfreerdp):
    xfreerdp \
        /t:windows \
        /u:username /from-stdin \
        /size:1600x1024 /bpp:32 \
        +clipboard \
        /cert-ignore \
        /nsc \
        /v:windows
And the worst thing there is that xfreerdp used to support the old-style options and they removed that in favor of this windows-like unrememberable bullshit
Actually, if you're talking about RDP type protocols, you're talking about MS Windows.
Unless one promotes xrdp, which is the server-side of this on Linux
Saying "seldom needed on servers" is less than accurate.
Oh yes. I am sorry. I should have been accurate: Seldom needed on Linux servers (or any Unix like HP-UX, AIX, Solaris, ...)
To pay my bills, I support many enterprises that use MS Windows, including Fortune 500 level enterprises. It's not just common, but the only thing they know how to and/or allowed to do... "Desktop" takeover of the server via the windows native methods.
I feel your pain. Same here.
"Strongly" advocating VNC with or without tunnels, in all of its fragmented forms, is simply not realistic either. Apple has its flavor, then there are Tiger, Tight and Real. Sometimes they interoperate. More and more often, they don't.
Sigh
/o\ -- H.Merijn Brand http://tux.nl Perl Monger http://amsterdam.pm.org/ using perl5.00307 .. 5.27 porting perl5 on HP-UX, AIX, and openSUSE http://mirrors.develooper.com/hpux/ http://www.test-smoke.org/ http://qa.perl.org http://www.goldmark.org/jeff/stupid-disclaimers/
Quoting Arjen de Korte
As a heads-up: if you're using xtables-addons, be aware that the version shipped with snapshot 20180116 is broken for at least the xt_geoip module (due to symbols that can't be resolved).
https://bugzilla.opensuse.org/show_bug.cgi?id=1076650
18.01.2018 17:01, Roger Whittaker wrote:
On Thu, Jan 18, 2018 at 11:46:07AM +0000, Roger Whittaker wrote:
The new openssh version 7.6p1-1.1 in 20180116 seems to break X forwarding with ssh -X.
Reverting to 7.2p2-6.2 fixed the problem.
I haven't really investigated - I just reverted quickly because I use this constantly.
Is there something new about the configuration in 7.6p1-1.1 ?
In case this is of use to anyone else: the system I was connecting to had ipv6 disabled, and in /etc/ssh/sshd_config had the default setting
AddressFamily any
With 7.2p2-6.2 I could ssh -X to it without problems.
After the update to 7.6p1-1.1 I needed to set
AddressFamily inet
and the problem was then solved.
https://bugzilla.novell.com/show_bug.cgi?id=618068
https://bugzilla.mindrot.org/show_bug.cgi?id=1356
https://bugzilla.mindrot.org/show_bug.cgi?id=2143

The problem happens when IPv6 is disabled on host.
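A check for the combination reported in the messages above (IPv6 disabled on the host while sshd_config leaves `AddressFamily` at `any`), as an added example that is not part of the original thread. The function names and sample configs are constructed for illustration, and the check assumes IPv6 counts as disabled when the `all/disable_ipv6` sysctl is 1 or the IPv6 sysctl tree is absent.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are made up for this sketch.

# Print the effective AddressFamily of an sshd_config-style file.
# Keywords are case-insensitive, the first occurrence wins, default is "any".
effective_address_family() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "addressfamily" { print tolower($2); found = 1; exit }
        END { if (!found) print "any" }
    ' "$1"
}

# Succeed when IPv6 is off. $1 overrides the sysctl directory (for testing).
# A missing file means the IPv6 stack is not loaded at all (e.g. ipv6.disable=1).
ipv6_disabled() {
    f="${1:-/proc/sys/net/ipv6}/conf/all/disable_ipv6"
    [ ! -r "$f" ] || [ "$(cat "$f")" = "1" ]
}

# Report whether config $1, on a host whose IPv6 sysctl dir is $2, matches the
# combination from the thread: IPv6 disabled and AddressFamily any.
x11_forwarding_verdict() {
    fam=$(effective_address_family "$1")
    if ipv6_disabled "$2" && [ "$fam" = "any" ]; then
        echo "AT-RISK: IPv6 disabled and AddressFamily any; set AddressFamily inet"
    else
        echo "OK: AddressFamily $fam"
    fi
}

# Constructed demo: a fake sysctl tree with IPv6 disabled and two configs.
demo=$(mktemp -d)
mkdir -p "$demo/ipv6/conf/all"
echo 1 > "$demo/ipv6/conf/all/disable_ipv6"
printf '%s\n' '#AddressFamily inet' 'X11Forwarding yes' > "$demo/before"
printf '%s\n' 'AddressFamily inet' 'X11Forwarding yes' > "$demo/after"
x11_forwarding_verdict "$demo/before" "$demo/ipv6"   # AT-RISK (default "any")
x11_forwarding_verdict "$demo/after"  "$demo/ipv6"   # OK: AddressFamily inet
rm -rf "$demo"
# On a live host: x11_forwarding_verdict /etc/ssh/sshd_config
```

After changing `AddressFamily`, sshd has to be restarted for the setting to take effect.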
Peter Suetterlin wrote:
Petr Cerny wrote:
I haven't mentioned starting a whole X session (I suppose you understand it as fully fledged GNOME/KDE environment). What Xvnc/vncserver does is a matter of configuration.
Sure, it's still the X server plus some window manager. With 20 users doing that on our server that might consume quite a part of its memory that is much better used for data processing...
My guess(!) is, that 20 users running X-forwarded terminals are going to consume more resources than 20 users having regular ssh sessions with occasional display to a Xvnc server. Interactions of the remote application window with others (read expose events triggered when part of a window is uncovered) can easily waste resources. Window managers like open/fluxbox, icewm have low overhead. Actually, if you only need to display one window (say matplotlib output spawned from IPython), you might be better off without any window managers at all.
Speaking of console application that may open a X window, that is actually easily done with VNC as well. Just ssh to the remote side, export the DISPLAY environment variable pointing to a Xvnc server running on that machine and you are all set up (you may need to export XAUTHORITY as well).
Yes. It's possible. But needs (quite some) configuration, opposite to the X forwarding.
Um, short script that gets executed by vncserver at startup that runs whatever you want to get the X environment ready. For me it looks something like (~/.vnc/xstartup):

    #!/bin/sh
    xrdb $HOME/.Xresources
    xsetroot -solid grey
    xterm -geometry 96x40+10+10 -ls &

None of those are actually needed to be able to display something on the server.
I guess my main issue is your general condemnation of forwarding. For me, this largely depends on context. Our main use of forwarding is an ssh -X login to a server, run computational-heavy stuff in languages like IDL or Python from the command line, and display results. This in the local network.
Your assumed application(?)
True, yet...
rather is running something like a browser or IDE via forwarding. I completely agree with you that for that purpose VNC is superior. But X forwarding in ssh *does* have many reasonable applications.
... no. I'd put it this way: in some cases, the overhead of writing a script that would make VNC as simple to use as ssh X11 forwarding (or issuing 3 commands instead of just one) might seem unjustifiable.
And I strongly believe that no cat is harmed by doing it :D Well, you never know, which way the superposition is going to collapse until you open the box... :)
Thanks Cheers Petr -- Petr Cerny Mozilla/OpenSSH maintainer for SUSE Linux
Jan Engelhardt wrote:
On Thursday 2018-01-18 16:16, Petr Cerny wrote:
1) security - application can only grab inputs it gets from its X server. If you run it in a Xvnc, it only gets input that it is sent by the VNC client.
A legit reason, but somewhat void if on an internal network behind big firewalls
The key word is "somewhat". The question is not whether there are attackers on your network, but how many.
But SSH's security mechanisms win over VNC.
It's not SSH's security mechanism, rather X11's - and that's exactly where it starts to break apart. :(
And running VNC through ssh -L gets into the realm of "more security means less usability". Hrrm - probably pick RDP over VNC?
Some VNCs can do encryption natively, and port forwarding isn't really that big of an issue (with several users each running their own Xvnc it might get a bit trickier). Thanks Cheers Petr
Hi Petr! Petr Cerny wrote
Doesn't sound convincing. What is the most current definitive guide for not using X11 forwarding? What should I tell a newby when he/she asks *WHY* it should not be used? (...)
(...) 2) speed - the X protocol is usually much more verbose when compared to VNC, since it carries requests to draw things, while VNC only transports bitmaps (compressed). Try running Firefox via ssh -X and through VNC. I've also seen things that just didn't work via SSH-forwarded X11. (...)
I've been following this discussion with a lot of interest, and I've been learning a lot from it. BTW, just out of curiosity: are you really saying that it is more "compact" to send bitmaps through the network rather than sending plain text commands? Because I have always thought to the contrary, and that that was one of the great advantages of X forwarding.

Actually, I've always been experiencing bad results (talking about visual quality here) with VNC unless on very fast and not-congested networks, while X forwarding is just like running a local application. I know that bitmaps can be compressed, but bitmaps are not very compressible unless you want to lose on the quality of the image (i.e. lossy compression). And as the network speed/congestion gets bad, so is the quality of the image to the point where, sometimes, you cannot even clearly read text. On the other hand, even a very verbose *text* protocol can be very easily compressed down to nearly nothing, and you always get perfect graphics because they are rendered locally.

Also, there should be no overhead on the server, because the X11 protocol works the same way when used locally or remotely. That's exactly why it can be forwarded. At least that's what I learned back when I was in school, I don't know what's the situation right now with compositors and all that stuff.

That said, I use X forwarding only when I have to use the occasional GUI application window; when I have to grab a whole remote desktop I usually use current NoMachine's NX, which is a lot more reliable than VNC in my experience (despite not being open source). But that is usually because I have to grab the desktop of another user, not because of efficiency considerations (with respect to X11 forwarding, I mean). I've been trying to use xrdp *server* too, but I find it too unstable in my experience. OTOH I use xfreerdp client all the time when I have to connect to Windows server (due to my work) and I find it quite fast and stable.
Just my 2c. Cris
participants (17)
- Andrei Borzenkov
- Arjen de Korte
- Bruce Ferrell
- Cris70
- Dominique Leuenberger
- Dominique Leuenberger / DimStar
- H.Merijn Brand
- Hartmut Rosch
- Jan Engelhardt
- Knurpht - Gertjan Lettink
- Martin Herkt
- Patrick Shanahan
- Peter Suetterlin
- Petr Cerny
- Robert Kaiser
- Roger Whittaker
- Vojtěch Zeisek