Hi,
On a fresh MicroOS install with podman, when I want to set a memory limit
for a container (using the -m flag) I get the following error:
Error: container_linux.go:367: starting container process caused:
process_linux.go:459: container init caused: process_linux.go:422:
setting cgroup config for procHooks process caused: cannot set memory
limit: container could not join or create cgroup: OCI runtime error
I am not able to understand the nature of the error. Searching around,
I found a similar issue where adding the cgroup_enable=memory parameter to
boot settings in Grub might solve the issue.
Is that correct? If so, what is the proper way to update the Grub config
on a RO filesystem?
podman version 2.0.4
podman info (ociRuntime part):
ociRuntime:
  name: runc
  package: runc-1.0.0~rc91-1.2.x86_64
  path: /usr/bin/runc
  version: |-
    runc version 1.0.0-rc91
    spec: 1.0.2-dev
Regards,
--
Sébastien 'sogal' Poher
> When there's no more room at school, the dumb will walk the Earth!
Hello,
I've finally had the chance to put in a VM an instance of MicroOS
Desktop with the new partition layout and, IMO, the fact that it has
/var in a (nocow) subvolume is really a big improvement, so thanks
Richard for that!
We have /home in a subvolume too, which is also great, and it as well
has the nocow flag set. I know this mostly comes from a conversation we
had on #microos-desktop on IRC but thinking more about that, and
discussing this with some users, I wonder whether it is really the best
choice.
I mean, it sure is ok for /var, but for /home, using nocow means that
we give up on some of the nicer BTRFS features, especially for home
folders, wouldn't it?
That might be especially true for MicroOS Desktop. E.g., think of being
able to compress (if not the entire home directories or the entire
subvolume) the user installed flatpaks (and using that as an argument
"against" those that are still complaining that <<Ah, but flatpaks take
a lot of space on disk!>> :-D).
So, are there reasons why it's really preferable to keep the /home
subvolume as nocow and I'm missing them? Or shall we switch it to cow?
Also, while there, shall we evaluate adding other flags by default
(i.e., things like autodefrag, or even compression itself)?
E.g., AFAIUI, on Fedora, while not doing that right now, they're
considering doing something like that, e.g.:
https://pagure.io/fedora-btrfs/project/issue/5
Regards
--
Dario Faggioli, Ph.D
http://about.me/dario.faggioli
Virtualization Software Engineer
SUSE Labs, SUSE https://www.suse.com/
-------------------------------------------------------------------
<<This happens because _I_ choose it to happen!>> (Raistlin Majere)
Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.
Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=microos&groupid=1&version…
https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Tumbleweed&com…
Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org.
For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports
Packages changed:
libva (2.9.1 -> 2.10.0)
=== Details ===
==== libva ====
Version update (2.9.1 -> 2.10.0)
Subpackages: libva-drm2 libva2
- update to 2.10.0:
* add: Pass offset and size of pred_weight_table
* add: add vaCopy interface to copy surface and buffer
* add: add definition for different execution
* add: New parameters for transport controlled BRC were added
* add: add FreeBSD support
* add: add a buffer type to adjust context priority dynamically
* fix: correct the api version in meson.build
* fix: remove deprecated variable from va_trace.c
* fix: Use va_deprecated for the deprecate variable
* fix: Mark chroma_sample_position as deprecated
* doc: va_dec_av1: clarifies CDEF syntax element packing
* doc: [AV1] Update documented ranges for loop filter and quantization params.
* doc: Update va.h for multi-threaded usages
* trace: va/va_trace: ignore system gettid() on Linux
Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=microos&groupid=1&version…
https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Tumbleweed&com…
Packages changed:
cantarell-fonts (0.201 -> 0.301)
cyrus-sasl
ell (0.33 -> 0.35)
kio
libhandy (1.0.2 -> 1.0.3)
mpg123 (1.26.3 -> 1.26.4)
=== Details ===
==== cantarell-fonts ====
Version update (0.201 -> 0.301)
- Update to version 0.301:
+ Oopsie-release: The last one was missing PostScript names for
the new glyphs. Only relevant for when extracting text from
PDFs where the generator omitted the text stream.
+ Rounded coordinates of macronbelowcomb.narrow and
macroncomb.narrow.case. Leftovers from when they were scaled
components.
+ Internal: Removed stale layers and data, added normalization
script to prune unnecessary data. import-glyphs.py also imports
PostScript names now.
- Update to version 0.300:
+ Import Greek glyph set designed by Florian Fecher for GSoC
2018. No kerning, might need a slight respacing. Imported
anyway because something is better than nothing.
+ Correct positioning of dotaccentcomb.case.
+ Correct mark positioning in caroncomb.case.
+ Correct appearance of ustraightstroke in variable font, the
overlap became visible at smaller, autohinted sizes.
+ Correct bar positioning in Ustraightstroke and
ustraightstroke.
+ Correct anchor positioning in Y.
+ Internal: Consolidate various anchors in composites into the
base outline glyphs, to reduce the chance they get out of sync.
+ Updated translations.
==== cyrus-sasl ====
Subpackages: cyrus-sasl-gssapi libsasl2-3
- Remove Berkeley DB dependency (JIRA#SLE-12190)
The packages cyrus-sasl and cyrus-sasl-saslauthd are built
without Berkeley DB support. gdbm will be used instead of BDB.
The packages cyrus-sasl-bdb and cyrus-sasl-saslauthd-bdb are built
with Berkeley DB support.
- Update to 2.1.27
* Added support for OpenSSL 1.1
* Added support for lmdb
* Lots of build fixes
* Treat SCRAM and DIGEST-MD5 as more secure than PLAIN when selecting client mech
* DIGEST-MD5 plugin:
Fixed memory leaks
Fixed a segfault when looking for non-existent reauth cache
Prevent client from going from step 3 back to step 2
Allow cmusaslsecretDIGEST-MD5 property to be disabled
* GSSAPI plugin:
Added support for retrieving negotiated SSF
Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF
Properly compute maxbufsize AFTER security layers have been set
* SCRAM plugin:
Added support for SCRAM-SHA-256
* LOGIN plugin:
Don't prompt client for password until requested by server
* NTLM plugin:
Fixed crash due to uninitialized HMAC context
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (boo#1069468)
- bsc#983938 `After=syslog.target` left-overs in several unit files
- added patches:
fix_libpq-fe_include.diff for fixing including libpq-fe.h
- removed patches obsoleted by upstream changes:
* shared_link_on_ppc.patch
* cyrus-sasl-2.1.27-openssl-1.1.0.patch
* 0002-Drop-unused-parameter-from-gssapi_spnego_ssf.patch
* 0003-Check-return-error-from-gss_wrap_size_limit.patch
* 0004-Add-support-for-retrieving-the-mech_ssf.patch
* 0001-Fix-GSS-SPNEGO-mechanism-s-incompatible-behavior.patch
* cyrus-sasl-fix-logging-in-gssapi.patch
- Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518)
* Add 0002-Drop-unused-parameter-from-gssapi_spnego_ssf.patch
* Add 0003-Check-return-error-from-gss_wrap_size_limit.patch
* Add 0004-Add-support-for-retrieving-the-mech_ssf.patch
- Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518)
* Add 0001-Fix-GSS-SPNEGO-mechanism-s-incompatible-behavior.patch
==== ell ====
Version update (0.33 -> 0.35)
- Update to release 0.35
* Add support for DHCP v6 Rapid Commit.
* Add support for ICMP v6 implementation.
* Add support for PKCS#1 formatted private keys.
==== kio ====
Subpackages: kio-core
- Add upstream patch to prevent crashing when using "apply to all"
in the move/copy/overwrite dialog (kde#430374):
* 0001-RenameDialog-Add-missing-nullptr-initialization.patch
==== libhandy ====
Version update (1.0.2 -> 1.0.3)
Subpackages: libhandy-1-0 typelib-1_0-Handy-1_0
- Update to version 1.0.3:
+ Fix build warnings with newer GCC.
+ HdyActionRow: Clarify hdy_action_row_get_icon_name()
documentation.
+ HdyCarousel: Fix drawing cache invalidation on resize.
+ HdyComboRow: Use the right checkmark icon.
+ HdyLeaflet and HdyDeck: Increase the edge swipe area size.
+ HdyKeypad: Fix typing the '+' symbol.
+ HdyPreferencesGroup:
- Fix a memory leak when destroying the widget.
- Don't show empty title and description when using
gtk_widget_show_all().
+ HdySwipeTracker:
- Correctly transform widget coordinates for touchpad swipes.
- Fix a memory leak.
==== mpg123 ====
Version update (1.26.3 -> 1.26.4)
- Update to version 1.26.4
* Clarify seeking documentation regarding samples and PCM
frames.
* Fix cmake build to install fmt123.h.
* Some cmake build fixes, tinyalsa addition by Maarten.
* libmpg123: explicitly handle some irrelevant corner cases in
tabinit
Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=kubic&groupid=1&version=T…
https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Tumbleweed&com…
Packages changed:
cyrus-sasl
=== Details ===
==== cyrus-sasl ====
Subpackages: cyrus-sasl-gssapi libsasl2-3
- Remove Berkeley DB dependency (JIRA#SLE-12190)
The packages cyrus-sasl and cyrus-sasl-saslauthd are built
without Berkeley DB support. gdbm will be used instead of BDB.
The packages cyrus-sasl-bdb and cyrus-sasl-saslauthd-bdb are built
with Berkeley DB support.
- Update to 2.1.27
* Added support for OpenSSL 1.1
* Added support for lmdb
* Lots of build fixes
* Treat SCRAM and DIGEST-MD5 as more secure than PLAIN when selecting client mech
* DIGEST-MD5 plugin:
Fixed memory leaks
Fixed a segfault when looking for non-existent reauth cache
Prevent client from going from step 3 back to step 2
Allow cmusaslsecretDIGEST-MD5 property to be disabled
* GSSAPI plugin:
Added support for retrieving negotiated SSF
Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF
Properly compute maxbufsize AFTER security layers have been set
* SCRAM plugin:
Added support for SCRAM-SHA-256
* LOGIN plugin:
Don't prompt client for password until requested by server
* NTLM plugin:
Fixed crash due to uninitialized HMAC context
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (boo#1069468)
- bsc#983938 `After=syslog.target` left-overs in several unit files
- added patches:
fix_libpq-fe_include.diff for fixing including libpq-fe.h
- removed patches obsoleted by upstream changes:
* shared_link_on_ppc.patch
* cyrus-sasl-2.1.27-openssl-1.1.0.patch
* 0002-Drop-unused-parameter-from-gssapi_spnego_ssf.patch
* 0003-Check-return-error-from-gss_wrap_size_limit.patch
* 0004-Add-support-for-retrieving-the-mech_ssf.patch
* 0001-Fix-GSS-SPNEGO-mechanism-s-incompatible-behavior.patch
* cyrus-sasl-fix-logging-in-gssapi.patch
- Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518)
* Add 0002-Drop-unused-parameter-from-gssapi_spnego_ssf.patch
* Add 0003-Check-return-error-from-gss_wrap_size_limit.patch
* Add 0004-Add-support-for-retrieving-the-mech_ssf.patch
- Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518)
* Add 0001-Fix-GSS-SPNEGO-mechanism-s-incompatible-behavior.patch
Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=microos&groupid=1&version…
https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Tumbleweed&com…
Packages changed:
libtirpc (1.2.6 -> 1.3.1)
=== Details ===
==== libtirpc ====
Version update (1.2.6 -> 1.3.1)
Subpackages: libtirpc-netconfig libtirpc3
- Fix sed call to fixup libtirpc.pc.in: as we want our tirpc to be
a transparent drop-in-replacement for rpc, we move the files
from /usr/include/tirpc to /usr/include. Due to an upstream
change in libtirpc.pc.in, though, the existing sed call no longer
matched and no longer corrected the information according to our
package.
- Update to libtirpc 1.3.1
- Remove AUTH_DES interfaces from auth_des.h
The unsupported AUTH_DES authentication has been
compiled out since commit d918e41d889 (Wed Oct 9 2019)
replaced by API routines that return errors.
- svc_dg: Free xp_netid during destroy
- Fix memory management issues of fd locks
- libtirpc: replace array with list for per-fd locks
- __svc_vc_dodestroy: fix double free of xp_ltaddr.buf
- __rpc_dtbsize: rlim_cur instead of rlim_max
- pkg-config: use the correct replacements for libdir/includedir
Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=kubic&groupid=1&version=T…
https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Tumbleweed&com…
Packages changed:
libtirpc (1.2.6 -> 1.3.1)
=== Details ===
==== libtirpc ====
Version update (1.2.6 -> 1.3.1)
Subpackages: libtirpc-netconfig libtirpc3
- Fix sed call to fixup libtirpc.pc.in: as we want our tirpc to be
a transparent drop-in-replacement for rpc, we move the files
from /usr/include/tirpc to /usr/include. Due to an upstream
change in libtirpc.pc.in, though, the existing sed call no longer
matched and no longer corrected the information according to our
package.
- Update to libtirpc 1.3.1
- Remove AUTH_DES interfaces from auth_des.h
The unsupported AUTH_DES authentication has been
compiled out since commit d918e41d889 (Wed Oct 9 2019)
replaced by API routines that return errors.
- svc_dg: Free xp_netid during destroy
- Fix memory management issues of fd locks
- libtirpc: replace array with list for per-fd locks
- __svc_vc_dodestroy: fix double free of xp_ltaddr.buf
- __rpc_dtbsize: rlim_cur instead of rlim_max
- pkg-config: use the correct replacements for libdir/includedir
Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=microos&groupid=1&version…
https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Tumbleweed&com…
Packages changed:
boost-base
dolphin
gtk2 (2.24.32+70 -> 2.24.33)
mozilla-nss (3.58 -> 3.59)
plasma5-desktop
python-importlib-metadata (3.1.1 -> 3.3.0)
python-more-itertools (8.5.0 -> 8.6.0)
python-pyOpenSSL
sudo (1.9.4 -> 1.9.4p2)
timezone (2020d -> 2020e)
xmlsec1 (1.2.30 -> 1.2.31)
=== Details ===
==== boost-base ====
Subpackages: boost-license1_75_0 libboost_thread1_75_0
- libboost_nowide now uses same pattern of Provides/Conflicts
and version numbers as other Boost libraries
- Add missing conflicts for Boost 1.66
- Boost.Build (jam) implementation now obsoletes older versions
==== dolphin ====
Subpackages: dolphin-part libdolphinvcs5
- Add upstream patch to fix crash on launch (kde#429628,
kde#430434):
* 0001-Fix-access-url-navigator-while-creating-new-tab-in-f.patch
==== gtk2 ====
Version update (2.24.32+70 -> 2.24.33)
Subpackages: gtk2-tools libgtk-2_0-0
- Update to version 2.24.33:
+ This is the final GTK 2.x release. There will be no more
updates to GTK 2. All users are encouraged to update to GTK 3
or 4.
+ Make the output of gtk-query-immodules deterministic.
+ GtkCalendar: Use %OB if supported.
+ GtkIconTheme: prefer exact matches.
+ build:
- Support automake 1.16.
- Fix compiler warnings with newer gcc.
==== mozilla-nss ====
Version update (3.58 -> 3.59)
Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs
- update to NSS 3.59
Notable changes
* Exported two existing functions from libnss:
CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData
Bugfixes
* bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race
* bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA
* bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent
* bmo#1670835 - Support enabling and disabling signatures via Crypto Policy
* bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed
root certs when SHA1 signatures are disabled.
* bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to
solve some test intermittents
* bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in
our CVE-2020-25648 fix that broke purple-discord
(boo#1179382)
* bmo#1666891 - Support key wrap/unwrap with RSA-OAEP
* bmo#1667989 - Fix gyp linking on Solaris
* bmo#1668123 - Export CERT_AddCertToListHeadWithData and
CERT_AddCertToListTailWithData from libnss
* bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA
* bmo#1663091 - Remove unnecessary assertions in the streaming
ASN.1 decoder that affected decoding certain PKCS8
private keys when using NSS debug builds
* bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS.
==== plasma5-desktop ====
- Add upstream patch to fix keyboard repeat settings not being
applied immediately (boo#1164739, kde#418175):
* Reparse-the-key-repeat-rate-config-when-we-try-to-load-it.patch
==== python-importlib-metadata ====
Version update (3.1.1 -> 3.3.0)
- New version requires typing_extensions for Python < 3.8
(Leap and TW python36 flavor)
- update to 3.3.0:
* #265: ``EntryPoint`` objects now expose a ``.dist`` object
referencing the ``Distribution`` when constructed from a
Distribution.
* The object returned by ``metadata()`` now has a
formally-defined protocol called ``PackageMetadata``
with declared support for the ``.get_all()`` method.
Fixes #126.
- add typing-extensions dependency for older python versions
==== python-more-itertools ====
Version update (8.5.0 -> 8.6.0)
- update to 8.6.0:
* :func:`all_unique` (thanks to brianmaissy)
* :func:`nth_product` and :func:`nth_permutation` (thanks to N8Brooks)
* :func:`chunked` and :func:`sliced` now accept a ``strict`` parameter (thanks to shlomif and jtwool)
* Python 3.5 has reached its end of life and is no longer supported.
* Python 3.9 is officially supported.
==== python-pyOpenSSL ====
- Adjust metadata for skip-networked-test.patch and refer to the proper
upstream ticket gh#pyca/pyopenssl#68.
==== sudo ====
Version update (1.9.4 -> 1.9.4p2)
- Update to 1.9.4p2
* Fixed a bug introduced in sudo 1.9.4p1 which could lead to a crash
if the sudoers file contains a runas user-specific Defaults entry.
Bug #951.
- News in 1.9.4p1
* Fixed a regression introduced in version 1.9.4 where sudo would
not build when configured using the --without-sendmail option.
Bug #947.
* Fixed a problem where if I/O logging was disabled and sudo was
unable to connect to sudo_logsrvd, the command would still be
allowed to run even when the "ignore_logfile_errors" sudoers
option was enabled.
* Fixed a crash introduced in version 1.9.4 when attempting to run
a command as a non-existent user. Bug #948.
* The installed sudo.conf file now has the default sudoers Plugin
lines commented out. This fixes a potential conflict when there
is both a system-installed version of sudo and a user-installed
version. GitHub issue #75.
* Fixed a regression introduced in sudo 1.9.4 where sudo would run
the command as a child process even when a pseudo-terminal was
not in use and the "pam_session" and "pam_setcred" options were
disabled. GitHub issue #76.
* Fixed a regression introduced in sudo 1.8.9 where the "closefrom"
sudoers option could not be set to a value of 3. Bug #950.
==== timezone ====
Version update (2020d -> 2020e)
- timezone update 2020e (bsc#1177460)
* Volgograd switches to Moscow time on 2020-12-27 at 02:00.
==== xmlsec1 ====
Version update (1.2.30 -> 1.2.31)
Subpackages: libxmlsec1-1 libxmlsec1-openssl1
- Update to version 1.2.31:
+ Unload error strings in OpenSSL shutdown.
+ Make userData available when executing preExecCallback
function.
+ Add an option to use secure memset.
- Pass --disable-md5 to configure: The cryptographic strength of
the MD5 algorithm is sufficiently doubtful that its use is
discouraged at this time. It is not listed as an algorithm in
[XMLDSIG-CORE1]
https://www.w3.org/TR/xmlsec-algorithms/#bib-XMLDSIG-CORE1
Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=kubic&groupid=1&version=T…
https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Tumbleweed&com…
Packages changed:
boost-base
mozilla-nss (3.58 -> 3.59)
python-importlib-metadata (3.1.1 -> 3.3.0)
python-more-itertools (8.5.0 -> 8.6.0)
python-pyOpenSSL
sudo (1.9.4 -> 1.9.4p2)
timezone (2020d -> 2020e)
xmlsec1 (1.2.30 -> 1.2.31)
=== Details ===
==== boost-base ====
Subpackages: boost-license1_75_0 libboost_thread1_75_0
- libboost_nowide now uses same pattern of Provides/Conflicts
and version numbers as other Boost libraries
- Add missing conflicts for Boost 1.66
- Boost.Build (jam) implementation now obsoletes older versions
==== mozilla-nss ====
Version update (3.58 -> 3.59)
- update to NSS 3.59
Notable changes
* Exported two existing functions from libnss:
CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData
Bugfixes
* bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race
* bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA
* bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent
* bmo#1670835 - Support enabling and disabling signatures via Crypto Policy
* bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed
root certs when SHA1 signatures are disabled.
* bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to
solve some test intermittents
* bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in
our CVE-2020-25648 fix that broke purple-discord
(boo#1179382)
* bmo#1666891 - Support key wrap/unwrap with RSA-OAEP
* bmo#1667989 - Fix gyp linking on Solaris
* bmo#1668123 - Export CERT_AddCertToListHeadWithData and
CERT_AddCertToListTailWithData from libnss
* bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA
* bmo#1663091 - Remove unnecessary assertions in the streaming
ASN.1 decoder that affected decoding certain PKCS8
private keys when using NSS debug builds
* bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS.
==== python-importlib-metadata ====
Version update (3.1.1 -> 3.3.0)
- New version requires typing_extensions for Python < 3.8
(Leap and TW python36 flavor)
- update to 3.3.0:
* #265: ``EntryPoint`` objects now expose a ``.dist`` object
referencing the ``Distribution`` when constructed from a
Distribution.
* The object returned by ``metadata()`` now has a
formally-defined protocol called ``PackageMetadata``
with declared support for the ``.get_all()`` method.
Fixes #126.
- add typing-extensions dependency for older python versions
==== python-more-itertools ====
Version update (8.5.0 -> 8.6.0)
- update to 8.6.0:
* :func:`all_unique` (thanks to brianmaissy)
* :func:`nth_product` and :func:`nth_permutation` (thanks to N8Brooks)
* :func:`chunked` and :func:`sliced` now accept a ``strict`` parameter (thanks to shlomif and jtwool)
* Python 3.5 has reached its end of life and is no longer supported.
* Python 3.9 is officially supported.
==== python-pyOpenSSL ====
- Adjust metadata for skip-networked-test.patch and refer to the proper
upstream ticket gh#pyca/pyopenssl#68.
==== sudo ====
Version update (1.9.4 -> 1.9.4p2)
- Update to 1.9.4p2
* Fixed a bug introduced in sudo 1.9.4p1 which could lead to a crash
if the sudoers file contains a runas user-specific Defaults entry.
Bug #951.
- News in 1.9.4p1
* Fixed a regression introduced in version 1.9.4 where sudo would
not build when configured using the --without-sendmail option.
Bug #947.
* Fixed a problem where if I/O logging was disabled and sudo was
unable to connect to sudo_logsrvd, the command would still be
allowed to run even when the "ignore_logfile_errors" sudoers
option was enabled.
* Fixed a crash introduced in version 1.9.4 when attempting to run
a command as a non-existent user. Bug #948.
* The installed sudo.conf file now has the default sudoers Plugin
lines commented out. This fixes a potential conflict when there
is both a system-installed version of sudo and a user-installed
version. GitHub issue #75.
* Fixed a regression introduced in sudo 1.9.4 where sudo would run
the command as a child process even when a pseudo-terminal was
not in use and the "pam_session" and "pam_setcred" options were
disabled. GitHub issue #76.
* Fixed a regression introduced in sudo 1.8.9 where the "closefrom"
sudoers option could not be set to a value of 3. Bug #950.
==== timezone ====
Version update (2020d -> 2020e)
- timezone update 2020e (bsc#1177460)
* Volgograd switches to Moscow time on 2020-12-27 at 02:00.
==== xmlsec1 ====
Version update (1.2.30 -> 1.2.31)
Subpackages: libxmlsec1-1 libxmlsec1-openssl1
- Update to version 1.2.31:
+ Unload error strings in OpenSSL shutdown.
+ Make userData available when executing preExecCallback
function.
+ Add an option to use secure memset.
- Pass --disable-md5 to configure: The cryptographic strength of
the MD5 algorithm is sufficiently doubtful that its use is
discouraged at this time. It is not listed as an algorithm in
[XMLDSIG-CORE1]
https://www.w3.org/TR/xmlsec-algorithms/#bib-XMLDSIG-CORE1