Hi,
There is the long standing open topic, if AppArmor is the right choice
for a container host OS or if there is not something better.
There are really nice ideas to build a security framework on top of
ePBF, but there is nothing really useable and secure today.
So it's time to teach MicroOS SELinux ;) for a PoC and evaluation.
We have a working policy in security:SELinux/selinux-policy, and this
works fine for me on Tumbleweed, but we have quite some challanges to
get this running on MicroOS:
- read-only root filesystem
- subvolumes (labels on mount points)
- transactional-update who has to label the system
And we don't have SELinux experts (but we have open positions!)
So anybody here willing to spent some time and help with this topic?
Thanks,
Thorsten
--
Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
Managing Director: Felix Imendoerffer (HRB 36809, AG Nürnberg)
--
To unsubscribe, e-mail: opensuse-kubic+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-kubic+owner(a)opensuse.org
Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.
Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=microos&groupid=1&version…https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Tumbleweed&com…
Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org.
For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports
Packages changed:
ca-certificates-mozilla (2.40 -> 2.42)
conmon (2.0.17 -> 2.0.20)
installation-images-MicroOS (16.0 -> 16.2)
libcontainers-common (20200603 -> 20200727)
libfido2
logrotate (3.16.0 -> 3.17.0)
mozilla-nspr (4.25 -> 4.26)
mozilla-nss (3.53.1 -> 3.54)
permissions (1550_20200710 -> 1550_20200727)
snapper (0.8.11 -> 0.8.12)
yast2 (4.3.17 -> 4.3.19)
=== Details ===
==== ca-certificates-mozilla ====
Version update (2.40 -> 2.42)
- update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673)
Removed CAs:
- AddTrust External CA Root
- AddTrust Class 1 CA Root
- LuxTrust Global Root 2
- Staat der Nederlanden Root CA - G2
- Symantec Class 1 Public Primary Certification Authority - G4
- Symantec Class 2 Public Primary Certification Authority - G4
- VeriSign Class 3 Public Primary Certification Authority - G3
Added CAs:
- certSIGN Root CA G2
- e-Szigno Root CA 2017
- Microsoft ECC Root Certificate Authority 2017
- Microsoft RSA Root Certificate Authority 2017
==== conmon ====
Version update (2.0.17 -> 2.0.20)
- Update to v2.0.20
- journald: fix logging container name
- container logging: Implement none driver - "off", "null" or
"none" all work.
- ctrl: warn if we fail to unlink
- Drop fsync calls
- Reap PIDs before running exit command
- Fix log path parsing
- Add --sync option to prevent conmon from double forking
- Add --no-sync-log option to instruct conmon to not sync the
logs of the containers upon shutting down. This feature fixes a
regression where we unconditionally dropped the log sync. It is
possible the container logs could be corrupted on a sudden
power-off. If you need container logs to remain in consistent
state after a sudden shutdown, please update from v2.0.19 to
v2.0.20
==== installation-images-MicroOS ====
Version update (16.0 -> 16.2)
- merge gh#openSUSE/installation-images#399
- Remove pycache to save space (20 MB uncompressed)
- Remove pycache to save space (20:4 MiB pre:post squashfs-ing)
- 16.2
- merge gh#openSUSE/installation-images#400
- check_libs internals: use xargs, enable perl warnings
- check_libs internals: document data structures, use xargs, enable
perl warnings
- 16.1
==== libcontainers-common ====
Version update (20200603 -> 20200727)
- Added containers/common tarball for containers.conf(5) man page
- Install containers.conf default configuration in
/usr/share/containers
- libpod repository on github got renamed to podman
- Update to image 5.5.1
- Add documentation for credHelpera
- Add defaults for using the rootless policy path
- Update libpod/podman to 2.0.3
- docs: user namespace can't be shared in pods
- Switch references from libpod.conf to containers.conf
- Allow empty host port in --publish flag
- update document login see config.json as valid
- Update storage to 1.20.2
- Add back skip_mount_home
==== libfido2 ====
Subpackages: libfido2-1 libfido2-udev
- Cleanup udev rules, trying to use the Debian specific plugdev
group fills up the journal.
- Make the udev rules package noarch, correct Summary
==== logrotate ====
Version update (3.16.0 -> 3.17.0)
- Update to 3.17.0:
* lock state file to prevent parallel execution of logrotate
* add '.bak' extension to default taboo list
* allow to pass a home-relative path to 'include'
* 'switch_user_permanently': skip switchback check if switched to root
* logrotate.service: enable 'ProtectClock' to restrict setting of clock
* delete old logs hit by 'maxage' regardless of 'dateext'
==== mozilla-nspr ====
Version update (4.25 -> 4.26)
- update to version 4.26
* PR_GetSystemInfo supports a new flag PR_SI_RELEASE_BUILD to get
information about the operating system build version.
* Better support parallel building on Windows.
* The internal release automatic script requires python 3.
==== mozilla-nss ====
Version update (3.53.1 -> 3.54)
Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs
- update to NSS 3.54
Notable changes
* Support for TLS 1.3 external pre-shared keys (bmo#1603042).
* Use ARM Cryptography Extension for SHA256, when available
(bmo#1528113)
* The following CA certificates were Added:
bmo#1645186 - certSIGN Root CA G2.
bmo#1645174 - e-Szigno Root CA 2017.
bmo#1641716 - Microsoft ECC Root Certificate Authority 2017.
bmo#1641716 - Microsoft RSA Root Certificate Authority 2017.
* The following CA certificates were Removed:
bmo#1645199 - AddTrust Class 1 CA Root.
bmo#1645199 - AddTrust External CA Root.
bmo#1641718 - LuxTrust Global Root 2.
bmo#1639987 - Staat der Nederlanden Root CA - G2.
bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4.
bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4.
bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3.
* A number of certificates had their Email trust bit disabled.
See bmo#1618402 for a complete list.
Bugs fixed
* bmo#1528113 - Use ARM Cryptography Extension for SHA256.
* bmo#1603042 - Add TLS 1.3 external PSK support.
* bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows.
* bmo#1645186 - Add "certSIGN Root CA G2" root certificate.
* bmo#1645174 - Add Microsec's "e-Szigno Root CA 2017" root certificate.
* bmo#1641716 - Add Microsoft's non-EV root certificates.
* bmo1621151 - Disable email trust bit for "O=Government
Root Certification Authority; C=TW" root.
* bmo#1645199 - Remove AddTrust root certificates.
* bmo#1641718 - Remove "LuxTrust Global Root 2" root certificate.
* bmo#1639987 - Remove "Staat der Nederlanden Root CA - G2" root
certificate.
* bmo#1618402 - Remove Symantec root certificates and disable email trust
bit.
* bmo#1640516 - NSS 3.54 should depend on NSPR 4.26.
* bmo#1642146 - Fix undefined reference to `PORT_ZAlloc_stub' in seed.c.
* bmo#1642153 - Fix infinite recursion building NSS.
* bmo#1642638 - Fix fuzzing assertion crash.
* bmo#1642871 - Enable SSL_SendSessionTicket after resumption.
* bmo#1643123 - Support SSL_ExportEarlyKeyingMaterial with External PSKs.
* bmo#1643557 - Fix numerous compile warnings in NSS.
* bmo#1644774 - SSL gtests to use ClearServerCache when resetting
self-encrypt keys.
* bmo#1645479 - Don't use SECITEM_MakeItem in secutil.c.
* bmo#1646520 - Stricter enforcement of ASN.1 INTEGER encoding.
==== permissions ====
Version update (1550_20200710 -> 1550_20200727)
Subpackages: chkstat permissions-config
- Update to version 20200727:
* etc/permissions: remove static /var/spool/* dirs
* etc/permissions: remove outdated entries
* etc/permissions: remove unnecessary static dirs and devices
* screen: remove now unused /var/run/uscreens
==== snapper ====
Version update (0.8.11 -> 0.8.12)
Subpackages: libsnapper5
- fixed error when using mksubvolume to create /tmp (bsc#1174401)
- version 0.8.12
==== yast2 ====
Version update (4.3.17 -> 4.3.19)
- XML: do not export the system ID if it is not defined
(boo#1174424).
- 4.3.19
- Handle exceptions when parsing xml file (related to bsc#1170886)
- 4.3.18
--
To unsubscribe, e-mail: opensuse-kubic+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-kubic+owner(a)opensuse.org
Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.
Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=kubic&groupid=1&version=T…https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Tumbleweed&com…
Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org.
For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports
Packages changed:
ca-certificates-mozilla (2.40 -> 2.42)
conmon (2.0.17 -> 2.0.20)
installation-images-MicroOS (16.0 -> 16.2)
libcontainers-common (20200603 -> 20200727)
libfido2
logrotate (3.16.0 -> 3.17.0)
mozilla-nss (3.53.1 -> 3.54)
permissions (1550_20200710 -> 1550_20200727)
snapper (0.8.11 -> 0.8.12)
yast2 (4.3.17 -> 4.3.19)
yomi-formula (0.0.1+git.1587986719.9a9097a -> 0.0.1+git.1595952633.b300be2)
=== Details ===
==== ca-certificates-mozilla ====
Version update (2.40 -> 2.42)
- update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673)
Removed CAs:
- AddTrust External CA Root
- AddTrust Class 1 CA Root
- LuxTrust Global Root 2
- Staat der Nederlanden Root CA - G2
- Symantec Class 1 Public Primary Certification Authority - G4
- Symantec Class 2 Public Primary Certification Authority - G4
- VeriSign Class 3 Public Primary Certification Authority - G3
Added CAs:
- certSIGN Root CA G2
- e-Szigno Root CA 2017
- Microsoft ECC Root Certificate Authority 2017
- Microsoft RSA Root Certificate Authority 2017
==== conmon ====
Version update (2.0.17 -> 2.0.20)
- Update to v2.0.20
- journald: fix logging container name
- container logging: Implement none driver - "off", "null" or
"none" all work.
- ctrl: warn if we fail to unlink
- Drop fsync calls
- Reap PIDs before running exit command
- Fix log path parsing
- Add --sync option to prevent conmon from double forking
- Add --no-sync-log option to instruct conmon to not sync the
logs of the containers upon shutting down. This feature fixes a
regression where we unconditionally dropped the log sync. It is
possible the container logs could be corrupted on a sudden
power-off. If you need container logs to remain in consistent
state after a sudden shutdown, please update from v2.0.19 to
v2.0.20
==== installation-images-MicroOS ====
Version update (16.0 -> 16.2)
- merge gh#openSUSE/installation-images#399
- Remove pycache to save space (20 MB uncompressed)
- Remove pycache to save space (20:4 MiB pre:post squashfs-ing)
- 16.2
- merge gh#openSUSE/installation-images#400
- check_libs internals: use xargs, enable perl warnings
- check_libs internals: document data structures, use xargs, enable
perl warnings
- 16.1
==== libcontainers-common ====
Version update (20200603 -> 20200727)
- Added containers/common tarball for containers.conf(5) man page
- Install containers.conf default configuration in
/usr/share/containers
- libpod repository on github got renamed to podman
- Update to image 5.5.1
- Add documentation for credHelpera
- Add defaults for using the rootless policy path
- Update libpod/podman to 2.0.3
- docs: user namespace can't be shared in pods
- Switch references from libpod.conf to containers.conf
- Allow empty host port in --publish flag
- update document login see config.json as valid
- Update storage to 1.20.2
- Add back skip_mount_home
==== libfido2 ====
Subpackages: libfido2-1 libfido2-udev
- Cleanup udev rules, trying to use the Debian specific plugdev
group fills up the journal.
- Make the udev rules package noarch, correct Summary
==== logrotate ====
Version update (3.16.0 -> 3.17.0)
- Update to 3.17.0:
* lock state file to prevent parallel execution of logrotate
* add '.bak' extension to default taboo list
* allow to pass a home-relative path to 'include'
* 'switch_user_permanently': skip switchback check if switched to root
* logrotate.service: enable 'ProtectClock' to restrict setting of clock
* delete old logs hit by 'maxage' regardless of 'dateext'
==== mozilla-nss ====
Version update (3.53.1 -> 3.54)
- update to NSS 3.54
Notable changes
* Support for TLS 1.3 external pre-shared keys (bmo#1603042).
* Use ARM Cryptography Extension for SHA256, when available
(bmo#1528113)
* The following CA certificates were Added:
bmo#1645186 - certSIGN Root CA G2.
bmo#1645174 - e-Szigno Root CA 2017.
bmo#1641716 - Microsoft ECC Root Certificate Authority 2017.
bmo#1641716 - Microsoft RSA Root Certificate Authority 2017.
* The following CA certificates were Removed:
bmo#1645199 - AddTrust Class 1 CA Root.
bmo#1645199 - AddTrust External CA Root.
bmo#1641718 - LuxTrust Global Root 2.
bmo#1639987 - Staat der Nederlanden Root CA - G2.
bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4.
bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4.
bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3.
* A number of certificates had their Email trust bit disabled.
See bmo#1618402 for a complete list.
Bugs fixed
* bmo#1528113 - Use ARM Cryptography Extension for SHA256.
* bmo#1603042 - Add TLS 1.3 external PSK support.
* bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows.
* bmo#1645186 - Add "certSIGN Root CA G2" root certificate.
* bmo#1645174 - Add Microsec's "e-Szigno Root CA 2017" root certificate.
* bmo#1641716 - Add Microsoft's non-EV root certificates.
* bmo1621151 - Disable email trust bit for "O=Government
Root Certification Authority; C=TW" root.
* bmo#1645199 - Remove AddTrust root certificates.
* bmo#1641718 - Remove "LuxTrust Global Root 2" root certificate.
* bmo#1639987 - Remove "Staat der Nederlanden Root CA - G2" root
certificate.
* bmo#1618402 - Remove Symantec root certificates and disable email trust
bit.
* bmo#1640516 - NSS 3.54 should depend on NSPR 4.26.
* bmo#1642146 - Fix undefined reference to `PORT_ZAlloc_stub' in seed.c.
* bmo#1642153 - Fix infinite recursion building NSS.
* bmo#1642638 - Fix fuzzing assertion crash.
* bmo#1642871 - Enable SSL_SendSessionTicket after resumption.
* bmo#1643123 - Support SSL_ExportEarlyKeyingMaterial with External PSKs.
* bmo#1643557 - Fix numerous compile warnings in NSS.
* bmo#1644774 - SSL gtests to use ClearServerCache when resetting
self-encrypt keys.
* bmo#1645479 - Don't use SECITEM_MakeItem in secutil.c.
* bmo#1646520 - Stricter enforcement of ASN.1 INTEGER encoding.
==== permissions ====
Version update (1550_20200710 -> 1550_20200727)
Subpackages: chkstat permissions-config
- Update to version 20200727:
* etc/permissions: remove static /var/spool/* dirs
* etc/permissions: remove outdated entries
* etc/permissions: remove unnecessary static dirs and devices
* screen: remove now unused /var/run/uscreens
==== snapper ====
Version update (0.8.11 -> 0.8.12)
Subpackages: libsnapper5
- fixed error when using mksubvolume to create /tmp (bsc#1174401)
- version 0.8.12
==== yast2 ====
Version update (4.3.17 -> 4.3.19)
- XML: do not export the system ID if it is not defined
(boo#1174424).
- 4.3.19
- Handle exceptions when parsing xml file (related to bsc#1170886)
- 4.3.18
==== yomi-formula ====
Version update (0.0.1+git.1587986719.9a9097a -> 0.0.1+git.1595952633.b300be2)
- Update to version 0.0.1+git.1595952633.b300be2:
* pillar: install always kernel-default
* chroot: python3-base is now a capability
* Move systemctl calls inside chroot
* Network: initial work for network declaration
* MicroOS: Remove tmp subvolume
* Update format following the new standard
* Fix __mount_device wrapper
--
To unsubscribe, e-mail: opensuse-kubic+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-kubic+owner(a)opensuse.org
Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.
Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=microos&groupid=1&version…https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Tumbleweed&com…
Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org.
For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports
Packages changed:
bluedevil5 (5.19.3 -> 5.19.4)
breeze (5.19.3 -> 5.19.4)
busybox (1.31.1 -> 1.32.0)
discover (5.19.3 -> 5.19.4)
drkonqi5 (5.19.3 -> 5.19.4)
hyper-v (7 -> 8)
kactivitymanagerd (5.19.3 -> 5.19.4)
kde-cli-tools5 (5.19.3 -> 5.19.4)
kde-user-manager (5.19.3 -> 5.19.4)
kdump
kgamma5 (5.19.3 -> 5.19.4)
khotkeys5 (5.19.3 -> 5.19.4)
kinfocenter5 (5.19.3 -> 5.19.4)
kmenuedit5 (5.19.3 -> 5.19.4)
kmod
kscreen5 (5.19.3 -> 5.19.4)
kscreenlocker (5.19.3 -> 5.19.4)
ksysguard5 (5.19.3 -> 5.19.4)
kwayland-integration (5.19.3 -> 5.19.4)
kwayland-server (5.19.3 -> 5.19.4)
kwin5 (5.19.3 -> 5.19.4)
kwrited5 (5.19.3 -> 5.19.4)
libkdecoration2 (5.19.3 -> 5.19.4)
libkscreen2 (5.19.3 -> 5.19.4)
libksysguard5 (5.19.3 -> 5.19.4)
llvm10 (10.0.0 -> 10.0.1)
milou5 (5.19.3 -> 5.19.4)
plasma-nm5 (5.19.3 -> 5.19.4)
plasma5-addons (5.19.3 -> 5.19.4)
plasma5-desktop (5.19.3 -> 5.19.4)
plasma5-integration (5.19.3 -> 5.19.4)
plasma5-openSUSE
plasma5-pa (5.19.3 -> 5.19.4)
plasma5-workspace (5.19.3 -> 5.19.4)
polkit-kde-agent-5 (5.19.3 -> 5.19.4)
powerdevil5 (5.19.3 -> 5.19.4)
systemsettings5 (5.19.3 -> 5.19.4)
transactional-update
xdg-desktop-portal-kde (5.19.3 -> 5.19.4)
=== Details ===
==== bluedevil5 ====
Version update (5.19.3 -> 5.19.4)
- Update to 5.19.4
* New bugfix release
* For more details please see:
* https://kde.org/announcements/plasma-5.19.4
- No code changes since 5.19.3
==== breeze ====
Version update (5.19.3 -> 5.19.4)
Subpackages: breeze5-cursors breeze5-decoration breeze5-style breeze5-wallpapers libbreezecommon5-5
- Update to 5.19.4
* New bugfix release
* For more details please see:
* https://kde.org/announcements/plasma-5.19.4
- No code changes since 5.19.3
==== busybox ====
Version update (1.31.1 -> 1.32.0)
- Update to busybox 1.32.0
- many bugfixes and new features
- Obsoletes busybox-no-stime.patch
- Disable ftpget/ftpput, non-standard, ftp is outdated
- Disable run-init, we don't use that
- Disable cttyhack, we don't provide the calling tools
- Disable dnsd
==== discover ====
Version update (5.19.3 -> 5.19.4)
Subpackages: discover-backend-flatpak
- Update to 5.19.4
* New bugfix release
* For more details please see:
* https://kde.org/announcements/plasma-5.19.4
- No code changes since 5.19.3
==== drkonqi5 ====
Version update (5.19.3 -> 5.19.4)
- Update to 5.19.4
* New bugfix release
* For more details please see:
* https://kde.org/announcements/plasma-5.19.4
- No code changes since 5.19.3
==== hyper-v ====
Version update (7 -> 8)
- Remove dependency to network-online.target now that gethostname
is used in kvp_daemon (bsc#1174443, bsc#1174444)
- Reopen the devices if read() or write() returns errors (9fc3c01a)
- Use either python2 or python3 for lsvmbus (bsc#1093910)
- Remove sysv init scripts
- Enable build on aarch64
==== kactivitymanagerd ====
Version update (5.19.3 -> 5.19.4)
- Update to 5.19.4
* New bugfix release
* For more details please see:
* https://kde.org/announcements/plasma-5.19.4
- No code changes since 5.19.3
==== kde-cli-tools5 ====
Version update (5.19.3 -> 5.19.4)
- Update to 5.19.4
* New bugfix release
* For more details please see:
* https://kde.org/announcements/plasma-5.19.4
- No code changes since 5.19.3
==== kde-user-manager ====
Version update (5.19.3 -> 5.19.4)
- Update to 5.19.4
* New bugfix release
* For more details please see:
* https://kde.org/announcements/plasma-5.19.4
- No code changes since 5.19.3
==== kdump ====
- Make dracut and sed normal requires as we don't use them in
%pre/%post install. Use file requires for sed.
- Don't PreRequire coreutils but the tools we really need
==== kgamma5 ====
Version update (5.19.3 -> 5.19.4)
- Update to 5.19.4
* New bugfix release
* For more details please see:
* https://kde.org/announcements/plasma-5.19.4
- No code changes since 5.19.3
==== khotkeys5 ====
Version update (5.19.3 -> 5.19.4)
- Update to 5.19.4
* New bugfix release
* For more details please see:
* https://kde.org/announcements/plasma-5.19.4
- No code changes since 5.19.3
==== kinfocenter5 ====
Version update (5.19.3 -> 5.19.4)
- Update to 5.19.4
* New bugfix release
* For more details please see:
* https://kde.org/announcements/plasma-5.19.4
- No code changes since 5.19.3
==== kmenuedit5 ====
Version update (5.19.3 -> 5.19.4)
- Update to 5.19.4
* New bugfix release
* For more details please see:
* https://kde.org/announcements/plasma-5.19.4
- No code changes since 5.19.3
==== kmod ====
Subpackages: libkmod2
- Drop old RPM constructs from the build recipe.
- Drop kmod-compat (boo#1173353):
The symlinks in kmod-compat are not obsolete. They are
desirable for kernel module autoload. The "kernel.modprobe"
sysctl references /sbin/modprobe, and changing it to
"/usr/bin/kmod load" is not possible, because this sysctl
specifies a single executable, not a command (so spaces will be
treated as part of the filename).
==== kscreen5 ====
Version update (5.19.3 -> 5.19.4)
- Update to 5.19.4
* New bugfix release
* For more details please see:
* https://kde.org/announcements/plasma-5.19.4
- No code changes since 5.19.3
==== kscreenlocker ====
Version update (5.19.3 -> 5.19.4)
Subpackages: libKScreenLocker5
- Update to 5.19.4
* New bugfix release
* For more details please see:
* https://kde.org/announcements/plasma-5.19.4
- No code changes since 5.19.3
==== ksysguard5 ====
Version update (5.19.3 -> 5.19.4)
- Update to 5.19.4
* New bugfix release
* For more details please see:
* https://kde.org/announcements/plasma-5.19.4
- No code changes since 5.19.3
==== kwayland-integration ====
Version update (5.19.3 -> 5.19.4)
- Update to 5.19.4
* New bugfix release
* For more details please see:
* https://kde.org/announcements/plasma-5.19.4
- No code changes since 5.19.3
==== kwayland-server ====
Version update (5.19.3 -> 5.19.4)
- Update to 5.19.4
* New bugfix release
* For more details please see:
* https://kde.org/announcements/plasma-5.19.4
- No code changes since 5.19.3
==== kwin5 ====
Version update (5.19.3 -> 5.19.4)
- Update to 5.19.4
* New bugfix release
* For more details please see:
* https://kde.org/announcements/plasma-5.19.4
- Changes since 5.19.3:
* Check if we successfully restored input focus
* Grab all possible keyboard modifiers for window commands (kde#424272)
* KCM KWin Options setting ActiveMouseScreen set proper default value (kde#424389)
* Resize maximised windows upon workspace change (kde#423596)
* Partially revert a0c4a8e766a2160 (kde#424223)
* Don't perform MouseActivateRaiseAndPassClick for topmost windows
* [virtualkeyboard] Fix the qtvirtualkeyboard with Qt 5.15
* [scripts/videowall] Reenable the config dialog
==== kwrited5 ====
Version update (5.19.3 -> 5.19.4)
- Update to 5.19.4
* New bugfix release
* For more details please see:
* https://kde.org/announcements/plasma-5.19.4
- No code changes since 5.19.3
==== libkdecoration2 ====
Version update (5.19.3 -> 5.19.4)
Subpackages: libkdecorations2-5 libkdecorations2private7
- Update to 5.19.4
* New bugfix release
* For more details please see:
* https://kde.org/announcements/plasma-5.19.4
- No code changes since 5.19.3
==== libkscreen2 ====
Version update (5.19.3 -> 5.19.4)
Subpackages: libKF5Screen7 libkscreen2-plugin
- Update to 5.19.4
* New bugfix release
* For more details please see:
* https://kde.org/announcements/plasma-5.19.4
- No code changes since 5.19.3
==== libksysguard5 ====
Version update (5.19.3 -> 5.19.4)
Subpackages: libksysguard5-helper libksysguard5-imports
- Update to 5.19.4
* New bugfix release
* For more details please see:
* https://kde.org/announcements/plasma-5.19.4
- Changes since 5.19.3:
* correctly replace spaces with nothing
* fix presets loading
* delete the face config ui when face gets switched (kde#423071)
==== llvm10 ====
Version update (10.0.0 -> 10.0.1)
- Update to version 10.0.1.
* This release contains bug-fixes for the LLVM 10.0.0 release.
This release is API and ABI compatible with 10.0.0.
- Rebase llvm-do-not-install-static-libraries.patch.
- Replace ValueLattice-Add-new-state-for-undef-constants.patch,
which landed upstream in a modified version, by
restore-llvm10-abi.patch that resets the ABI to our 10.0.0.
- Rewrite lld-default-sha1.patch to be version-independent.
- Set flags consistently, so that we don't lose -DNDEBUG on 32-bit
architectures. Also we don't need the opt flags twice. This leads
to a significant reduction in binary sizes on 32-bit arches.
- Make it easier to package release candidates.
- Enable most tests on 32-bit ARM, but not for libcxx.
- Add fix-atomics-test.patch for architectures where native atomics
are not available.
- Lower build constraints for riscv64 a bit to allow building on
more workers.
- Allow more compile jobs in stage 2.
==== milou5 ====
Version update (5.19.3 -> 5.19.4)
- Update to 5.19.4
* New bugfix release
* For more details please see:
* https://kde.org/announcements/plasma-5.19.4
- No code changes since 5.19.3
==== plasma-nm5 ====
Version update (5.19.3 -> 5.19.4)
- Update to 5.19.4
* New bugfix release
* For more details please see:
* https://kde.org/announcements/plasma-5.19.4
- Changes since 5.19.3:
* Make hotspot configuration dialog bigger
* Remove (seemingly debug) warning statement from passworddialog
==== plasma5-addons ====
Version update (5.19.3 -> 5.19.4)
- Update to 5.19.4
* New bugfix release
* For more details please see:
* https://kde.org/announcements/plasma-5.19.4
- No code changes since 5.19.3
==== plasma5-desktop ====
Version update (5.19.3 -> 5.19.4)
- Update to 5.19.4
* New bugfix release
* For more details please see:
* https://kde.org/announcements/plasma-5.19.4
- Changes since 5.19.3:
* [kcms/desktoppath] Use folder dialogs instead of file dialogs (kde#424438)
* [kcm cursortheme] Also clear default theme when resetting
* Notify about changes when changing Global Theme (kde#421745)
==== plasma5-integration ====
Version update (5.19.3 -> 5.19.4)
- Update to 5.19.4
* New bugfix release
* For more details please see:
* https://kde.org/announcements/plasma-5.19.4
- No code changes since 5.19.3
==== plasma5-openSUSE ====
Subpackages: plasma5-defaults-openSUSE plasma5-theme-openSUSE sddm-theme-openSUSE
- Update to 5.19.4
==== plasma5-pa ====
Version update (5.19.3 -> 5.19.4)
- Update to 5.19.4
* New bugfix release
* For more details please see:
* https://kde.org/announcements/plasma-5.19.4
- No code changes since 5.19.3
==== plasma5-workspace ====
Version update (5.19.3 -> 5.19.4)
Subpackages: gmenudbusmenuproxy plasma5-session plasma5-session-wayland plasma5-workspace-libs xembedsniproxy
- Update to 5.19.4
* New bugfix release
* For more details please see:
* https://kde.org/announcements/plasma-5.19.4
- Changes since 5.19.3:
* emit countChanged when we get a new source model
* [wallpaper] Avoid using pluginId for indexing package indexes (kde#423987)
* Revert "Fix broken ENV variables for detailed settings" (kde#423995)
* [applet/systemtray] Regression: all applets in config are shown as disabled
* hide face config button if the face can't config
* Only open KCM in systemsettings if it can be displayed (kde#423612)
==== polkit-kde-agent-5 ====
Version update (5.19.3 -> 5.19.4)
- Update to 5.19.4
* New bugfix release
* For more details please see:
* https://kde.org/announcements/plasma-5.19.4
- No code changes since 5.19.3
==== powerdevil5 ====
Version update (5.19.3 -> 5.19.4)
- Update to 5.19.4
* New bugfix release
* For more details please see:
* https://kde.org/announcements/plasma-5.19.4
- Changes since 5.19.3:
* Split args in RunScript again
- Drop patches, now upstream:
* 0001-Split-args-in-RunScript-again.patch
- Add patch to restore behaviour of RunScript (boo#1173763):
* 0001-Split-args-in-RunScript-again.patch
==== systemsettings5 ====
Version update (5.19.3 -> 5.19.4)
- Update to 5.19.4
* New bugfix release
* For more details please see:
* https://kde.org/announcements/plasma-5.19.4
- No code changes since 5.19.3
==== transactional-update ====
Subpackages: transactional-update-zypp-config
- Remove unused attr requires
- Change bc to file requires
==== xdg-desktop-portal-kde ====
Version update (5.19.3 -> 5.19.4)
- Update to 5.19.4
* New bugfix release
* For more details please see:
* https://kde.org/announcements/plasma-5.19.4
- No code changes since 5.19.3
--
To unsubscribe, e-mail: opensuse-kubic+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-kubic+owner(a)opensuse.org
Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.
Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=kubic&groupid=1&version=T…https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Tumbleweed&com…
Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org.
For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports
Packages changed:
busybox (1.31.1 -> 1.32.0)
cri-o
hyper-v (7 -> 8)
kdump
kmod
transactional-update
=== Details ===
==== busybox ====
Version update (1.31.1 -> 1.32.0)
- Update to busybox 1.32.0
- many bugfixes and new features
- Obsoletes busybox-no-stime.patch
- Disable ftpget/ftpput, non-standard, ftp is outdated
- Disable run-init, we don't use that
- Disable cttyhack, we don't provide the calling tools
- Disable dnsd
==== cri-o ====
Subpackages: cri-o-kubeadm-criconfig
- Suggest katacontainers instead of recommending it. It's not
enabled by default, so it's just bloat
==== hyper-v ====
Version update (7 -> 8)
- Remove dependency to network-online.target now that gethostname
is used in kvp_daemon (bsc#1174443, bsc#1174444)
- Reopen the devices if read() or write() returns errors (9fc3c01a)
- Use either python2 or python3 for lsvmbus (bsc#1093910)
- Remove sysv init scripts
- Enable build on aarch64
==== kdump ====
- Make dracut and sed normal requires as we don't use them in
%pre/%post install. Use file requires for sed.
- Don't PreRequire coreutils but the tools we really need
==== kmod ====
Subpackages: libkmod2
- Drop old RPM constructs from the build recipe.
- Drop kmod-compat (boo#1173353):
The symlinks in kmod-compat are not obsolete. They are
desirable for kernel module autoload. The "kernel.modprobe"
sysctl references /sbin/modprobe, and changing it to
"/usr/bin/kmod load" is not possible, because this sysctl
specifies a single executable, not a command (so spaces will be
treated as part of the filename).
==== transactional-update ====
Subpackages: transactional-update-zypp-config
- Remove unused attr requires
- Change bc to file requires
--
To unsubscribe, e-mail: opensuse-kubic+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-kubic+owner(a)opensuse.org
Please note that this mail was generated by a script.
The described changes are computed based on the aarch64 DVD.
The full online repo contains too many changes to be listed here.
Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=microos&groupid=3&version…https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Tumbleweed&com…
Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org.
For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports
Packages changed:
Mesa (20.1.3 -> 20.1.4)
Mesa-drivers (20.1.3 -> 20.1.4)
apparmor
branding-openSUSE
ffmpeg-4
fftw3
gdk-pixbuf
grub2
ima-evm-utils (1.2.1 -> 1.3)
kscreenlocker
libedit
librsvg
noto-coloremoji-fonts (20200408 -> 20200722)
patterns-base
patterns-microos
perl-Bootloader (0.929 -> 0.931)
python-rpm-macros (20200701.9f5a2f6 -> 20200714.252de1f)
python38-core (3.8.3 -> 3.8.4)
raspberrypi-firmware-dt
read-only-root-fs
sudo (1.9.1 -> 1.9.2)
sysconfig (0.85.4 -> 0.85.5)
xkeyboard-config
yast2 (4.3.15 -> 4.3.17)
=== Details ===
==== Mesa ====
Version update (20.1.3 -> 20.1.4)
Subpackages: Mesa-libEGL1 Mesa-libGL1 Mesa-libglapi0 libgbm1
- update to 20.1.4
* fourth bugfix release for the 20.1 branch
* just a few fixes here and there, nothing major
==== Mesa-drivers ====
Version update (20.1.3 -> 20.1.4)
Subpackages: Mesa-dri Mesa-gallium
- update to 20.1.4
* fourth bugfix release for the 20.1 branch
* just a few fixes here and there, nothing major
==== apparmor ====
Subpackages: apparmor-abstractions apparmor-parser apparmor-profiles apparmor-utils perl-apparmor python3-apparmor
- add abstractions-X-xauth-mr582.diff to allow reading the xauth file
from its new sddm location (boo#1174290, boo#1174293)
==== branding-openSUSE ====
Subpackages: grub2-branding-openSUSE wallpaper-branding-openSUSE
- Stop building grub2-branding-openSUSE for Power architectures [boo#1171146]
==== ffmpeg-4 ====
Subpackages: libavcodec58_91 libavformat58_45 libavutil56_51 libswresample3_7
- Apply upstream fix to avoid segfaults in x86/yuv2rgb conversion
ffmpeg.git-ba3e771a42c29ee02c34e7769cfc1b2dbc5c760a.patch
==== fftw3 ====
- Add gnu compiler support up to gcc9.
- Fix typo which caused issus building openmpi HPC flavors
(bsc#1174329).
- Add support for openmpi4 (provided by Alin Marin Elena).
==== gdk-pixbuf ====
Subpackages: gdk-pixbuf-query-loaders libgdk_pixbuf-2_0-0 typelib-1_0-GdkPixbuf-2_0
- Add gdk-pixbuf-boo1174307-io-gif-overflow.patch: Avoid overflows
by checking the memset length argument (boo#1174307).
- Raise dependency glib-2.0 version.
==== grub2 ====
Subpackages: grub2-arm64-efi grub2-snapper-plugin
- No 95_textmode for PowerPC (boo#1174166)
==== ima-evm-utils ====
Version update (1.2.1 -> 1.3)
- Use %autosetup -p1
- Remove suse_version check for tpm2-0-tss-devel as the package is available
for back as far as SLE 12 SP2 and respective openSUSE versions (also check
was wrong, should have been 1500).
- Fixes from previous SR (reported by fvogt):
* Move ibmtss runtime dependency to evmctl package
* Remove dependencies to devel package (should not be needed)
- Update to version 1.3
version 1.3 new features:
* NEW ima-evm-utils regression test infrastructure with two initial
tests:
- ima_hash.test: calculate/verify different crypto hash algorithms
- sign_verify.test: EVM and IMA sign/verify signature tests
* TPM 2.0 support
- Calculate the new per TPM 2.0 bank template data digest
- Support original padding the SHA1 template data digest
- Compare ALL the re-calculated TPM 2.0 bank PCRs against the
TPM 2.0 bank PCR values
- Calculate the per TPM bank "boot_aggregate" values, including
PCRs 8 & 9 in calculation
- Support reading the per TPM 2.0 Bank PCRs using Intel's TSS
- boot_aggregate.test: compare the calculated "boot_aggregate"
values with the "boot_aggregate" value included in the IMA
measurement.
* TPM 1.2 support
- Additionally support reading the TPM 1.2 PCRs from a supplied file
("--pcrs" option)
* Based on original IMA LTP and standalone version support
- Calculate the TPM 1.2 "boot_aggregate" based on the exported
TPM 1.2 BIOS event log.
- In addition to verifying the IMA measurement list against the
the TPM PCRs, verify the IMA template data digest against the
template data. (Based on LTP "--verify" option.)
- Ignore file measurement violations while verifying the IMA
measurment list. (Based on LTP "--validate" option.)
- Verify the file data signature included in the measurement list
based on the file hash also included in the measurement list
(--verify-sig)
- Support original "ima" template (mixed templates not supported)
* Support "sm3" crypto name
Bug fixes and code cleanup:
* Don't exit with -1 on failure, exit with 125
* On signature verification failure, include pathname.
* Provide minimal hash_info.h file in case one doesn't exist, needed
by the ima-evm-utils regression tests.
* On systems with TPM 1.2, skip "boot_aggregate.test" using sample logs
* Fix hash_algo type comparison mismatch
* Simplify/clean up code
* Address compiler complaints and failures
* Fix memory allocations and leaks
* Sanity check provided input files are regular files
* Revert making "tsspcrread" a compile build time decision.
* Limit additional messages based on log level (-v)
- Add patch 0001-pcr_tss-Fix-compilation-for-old-compilers.patch
- Upstream bumped soname to 2.0.0
- Add tpm2-0-tss-devel for Tumbleweed as build dependency, for the rest ibmtss
as runtime dependency (needed for for reading PCR in ima_boot_aggregate cmd;
better to use libtss2-esys and libtss2-rc than require tsspcrread binary in
runtime, but tpm2-0-tss-devel is available only for Tumbleweed) + the same
logic as runtime dependency for devel package
- Mark COPYING as %license
==== kscreenlocker ====
Subpackages: libKScreenLocker5
- Add patch to disable the seccomp sandbox (boo#1174448):
* 0001-Disable-the-seccomp-sandbox.patch
==== libedit ====
- autoreconf already runs libtoolize no need to run twice
==== librsvg ====
Subpackages: gdk-pixbuf-loader-rsvg librsvg-2-2 typelib-1_0-Rsvg-2_0
- Add _constraints for PowerPC avoid "no space left on device" build error
==== noto-coloremoji-fonts ====
Version update (20200408 -> 20200722)
- Update to v2020-07-22-unicode13_0
* Unicode 13.0 update.
==== patterns-base ====
Subpackages: patterns-base-base patterns-base-bootloader patterns-base-minimal_base patterns-base-x11
- Move pam_pwquality to Recommends section, as it is not required
and user should be able to de-install the full pwquality stack.
- Stop trying to install grub2-branding on ppc64/ppc64le [boo#1171146]
==== patterns-microos ====
Subpackages: patterns-microos-alt_onlyDVD patterns-microos-apparmor patterns-microos-base patterns-microos-basesystem patterns-microos-cloud patterns-microos-defaults patterns-microos-desktop-gnome patterns-microos-desktop-kde patterns-microos-hardware patterns-microos-ima_evm patterns-microos-onlyDVD patterns-microos-selinux patterns-microos-sssd_ldap
- Re-add kernel-firmware back to the DVDs [bsc#1174521]
==== perl-Bootloader ====
Version update (0.929 -> 0.931)
- merge gh#openSUSE/perl-bootloader#129
- Check tpm.mod in the new grub2 directory (bsc#1174320)
- 0.931
- merge gh#openSUSE/perl-bootloader#130
- Throw less warnings about fstab
- 0.930
==== python-rpm-macros ====
Version update (20200701.9f5a2f6 -> 20200714.252de1f)
- Update to version 20200714.252de1f:
* Add pyunittest and pyunittest_arch macros
==== python38-core ====
Version update (3.8.3 -> 3.8.4)
- Minor spec file fixes
- Fix minor issues found in the staging.
- Update to 3.8.4:
- Assignment expressions (PEP-572)
- Positional-only parameters (PEP-570)
- Parallel filesystem cache for compiled bytecode files
(PYTHONPYCACHEPREFIX variable)
- Debug build uses the same ABI as release build
- f-strings support = for self-documenting expressions
and debugging
- Python Runtime Audit Hooks (PEP-578)
- Python Initialization Configuration (PEP-587)
- Vectorcall: a fast calling protocol for CPython (PEP-590)
- Pickle protocol 5 with out-of-band data buffers (PEP-574)
- Many other smaller bug fixes
- Removed OBS_dev-shm.patch: contained in upstream
- Removed bpo40784-Fix-sqlite3-deterministic-test.patch:
contained in upstream
- Changed bpo-31046_ensurepip_honours_prefix.patch: to be
compatible with new version
- Fix %py3_compile being incorrectly defined
- Update pre_checkin.sh and regenerate
- Convert few dependencies to their pkgconfig counterparts
- Remove release requirement on libpython, it is not really needed
to be equal as the abi changes with versions
- Add provides python3-bla on all the subpkgs in case we are
primary provider of the functionality
- Remove unversioned files from devel subpkg too
- Remove main python3 files from -base based whether we are
primary interpreter or not
- Fix idle to be co-installable
- Add condition to be primary to provide/obsolete python3-*
- Fix doc to build in versioned folder so the pythons can be
installed next to each other
- Revert the full versioning of calls on the macros. These
are generic so they should really just call python3 X
- For the doc package we can build with generic flavor, we don't
need the our-interpreter based one
- Add provides for pytohn3X-typing/etc to allow BR on those still
to work when needed
- Change macros.python3 to use full versioned 3.8 instead of just 3
for python interpreter
==== raspberrypi-firmware-dt ====
- Add vl805-firware-loader-overlay.dts which registers a reset controller
that'll take care of triggering vl805's firmware load.
==== read-only-root-fs ====
- Use file requires, add sed
==== sudo ====
Version update (1.9.1 -> 1.9.2)
- Update to 1.9.2:
* The configure script now uses pkg-config to find the openssl cflags
and libs where possible.
* The contents of the log.json I/O log file is now documented in
the sudoers manual.
* The sudoers plugin now properly exports the sudoers_audit symbol
on systems where the compiler lacks symbol visibility controls.
This caused a regression in 1.9.1 where a successful sudo command
was not logged due to the missing audit plugin. Bug #931.
* Fixed a regression introduced in 1.9.1 that can result in crash
when there is a syntax error in the sudoers file. Bug #934.
- Rebase sudo-sudoers.patch
==== sysconfig ====
Version update (0.85.4 -> 0.85.5)
Subpackages: sysconfig-netconfig
- version 0.85.5
- spec: Fix Requires, use file requires
(https://github.com/openSUSE/sysconfig/pull/25)
- ntp: call chrony helper in background (bsc#1173391)
==== xkeyboard-config ====
- U_Fix-symbols-in-syntax-error-spurious-git-conflict-ma.patch
* Fix symbols/in syntax error: spurious git conflict marker
(boo#1174483)
==== yast2 ====
Version update (4.3.15 -> 4.3.17)
- Provide a way to determine which resources (zones, services...)
have been modified from the default values (bsc#1171356)
- 4.3.17
- update is_wsl function to match wsl1 and wsl2 osrelease spellings
(boo#1174183)
- Add Layout class to configure a Wizard layout.
- Related to jsc#PM-1998.
- 4.3.16
--
To unsubscribe, e-mail: opensuse-kubic+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-kubic+owner(a)opensuse.org
Please note that this mail was generated by a script.
The described changes are computed based on the aarch64 DVD.
The full online repo contains too many changes to be listed here.
Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=kubic&groupid=3&version=T…https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Tumbleweed&com…
Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org.
For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports
Packages changed:
apparmor
branding-openSUSE
cri-o (1.18.2 -> 1.18.3)
grub2
haproxy (2.2.0+git0.3a00c915f -> 2.2.1+git0.0ef71a557)
ima-evm-utils (1.2.1 -> 1.3)
libedit
patterns-base
patterns-microos
perl-Bootloader (0.929 -> 0.931)
python-rpm-macros (20200701.9f5a2f6 -> 20200714.252de1f)
python38-core (3.8.3 -> 3.8.4)
raspberrypi-firmware-dt
read-only-root-fs
sudo (1.9.1 -> 1.9.2)
sysconfig (0.85.4 -> 0.85.5)
yast2 (4.3.15 -> 4.3.17)
=== Details ===
==== apparmor ====
Subpackages: apparmor-abstractions apparmor-parser apparmor-profiles apparmor-utils perl-apparmor python3-apparmor
- add abstractions-X-xauth-mr582.diff to allow reading the xauth file
from its new sddm location (boo#1174290, boo#1174293)
==== branding-openSUSE ====
Subpackages: grub2-branding-openSUSE
- Stop building grub2-branding-openSUSE for Power architectures [boo#1171146]
==== cri-o ====
Version update (1.18.2 -> 1.18.3)
Subpackages: cri-o-kubeadm-criconfig
- Update to version 1.18.3:
- Fix a bug where a sudden reboot causes incomplete image writes.
This could cause image storage to be corrupted, resulting in an
error layer not known.
- Fixed bug where pod names would sometimes leak on creation,
causing the kubelet to fail to recreate
- If conmon is v2.0.19 or greater, ExecSync requests will not
double fork, causing systemd to have fewer conmons re-parented
to it
==== grub2 ====
Subpackages: grub2-arm64-efi grub2-snapper-plugin
- No 95_textmode for PowerPC (boo#1174166)
==== haproxy ====
Version update (2.2.0+git0.3a00c915f -> 2.2.1+git0.0ef71a557)
- Update to version 2.2.1+git0.0ef71a557:
* [RELEASE] Released version 2.2.1
* BUG/MEDIUM: http-ana: Only set CF_EXPECT_MORE flag on data filtering
* BUG/MEDIUM: stream-int: Don't set MSG_MORE flag if no more data are expected
* BUG/MINOR: htx: add two missing HTX_FL_EOI and remove an unexpected one
* MEDIUM: htx: Add a flag on a HTX message when no more data are expected
* BUG/MEDIUM: dns: Release answer items when a DNS resolution is freed
* BUG/MAJOR: dns: Make the do-resolve action thread-safe
* BUG/MAJOR: tasks: don't requeue global tasks into the local queue
* BUG/MEDIUM: resolve: fix init resolving for ring and peers section.
* BUG/MEDIUM: arg: empty args list must be dropped
* DOC: ssl: req_ssl_sni needs implicit TLS
* BUILD: config: fix again bugs gcc warnings on calloc
* BUG/MAJOR: tasks: make sure to always lock the shared wait queue if needed
* BUILD: config: address build warning on raspbian+rpi4
* BUG/MEDIUM: channel: Be aware of SHUTW_NOW flag when output data are peeked
* BUG/MEDIUM: server: fix possibly uninitialized state file on close
* BUG/MEDIUM: server: resolve state file handle leak on reload
* BUG/MEDIUM: fcgi-app: fix memory leak in fcgi_flt_http_headers
* BUG/MEDIUM: log: issue mixing sampled to not sampled log servers.
* BUG/MINOR: mux-fcgi: Set flags on the right stream field for empty FCGI_STDOUT
* BUG/MINOR: mux-fcgi: Set conn state to RECORD_P when skipping the record padding
* BUG/MINOR: mux-fcgi: Handle empty STDERR record
* BUG/MEDIUM: mux-h1: Continue to process request when switching in tunnel mode
* BUG/MEDIUM: mux-fcgi: Don't add private connections in available connection list
* BUG/MEDIUM: mux-h2: Don't add private connections in available connection list
* CONTRIB: da: fix memory leak in dummy function da_atlas_open()
* BUG/MEDIUM: lists: add missing store barrier in MT_LIST_ADD/MT_LIST_ADDQ
* BUG/MEDIUM: lists: add missing store barrier on MT_LIST_BEHEAD()
* BUG/MINOR: sample: Free str.area in smp_check_const_meth
* BUG/MINOR: sample: Free str.area in smp_check_const_bool
==== ima-evm-utils ====
Version update (1.2.1 -> 1.3)
- Use %autosetup -p1
- Remove suse_version check for tpm2-0-tss-devel as the package is available
for back as far as SLE 12 SP2 and respective openSUSE versions (also check
was wrong, should have been 1500).
- Fixes from previous SR (reported by fvogt):
* Move ibmtss runtime dependency to evmctl package
* Remove dependencies to devel package (should not be needed)
- Update to version 1.3
version 1.3 new features:
* NEW ima-evm-utils regression test infrastructure with two initial
tests:
- ima_hash.test: calculate/verify different crypto hash algorithms
- sign_verify.test: EVM and IMA sign/verify signature tests
* TPM 2.0 support
- Calculate the new per TPM 2.0 bank template data digest
- Support original padding the SHA1 template data digest
- Compare ALL the re-calculated TPM 2.0 bank PCRs against the
TPM 2.0 bank PCR values
- Calculate the per TPM bank "boot_aggregate" values, including
PCRs 8 & 9 in calculation
- Support reading the per TPM 2.0 Bank PCRs using Intel's TSS
- boot_aggregate.test: compare the calculated "boot_aggregate"
values with the "boot_aggregate" value included in the IMA
measurement.
* TPM 1.2 support
- Additionally support reading the TPM 1.2 PCRs from a supplied file
("--pcrs" option)
* Based on original IMA LTP and standalone version support
- Calculate the TPM 1.2 "boot_aggregate" based on the exported
TPM 1.2 BIOS event log.
- In addition to verifying the IMA measurement list against the
the TPM PCRs, verify the IMA template data digest against the
template data. (Based on LTP "--verify" option.)
- Ignore file measurement violations while verifying the IMA
measurment list. (Based on LTP "--validate" option.)
- Verify the file data signature included in the measurement list
based on the file hash also included in the measurement list
(--verify-sig)
- Support original "ima" template (mixed templates not supported)
* Support "sm3" crypto name
Bug fixes and code cleanup:
* Don't exit with -1 on failure, exit with 125
* On signature verification failure, include pathname.
* Provide minimal hash_info.h file in case one doesn't exist, needed
by the ima-evm-utils regression tests.
* On systems with TPM 1.2, skip "boot_aggregate.test" using sample logs
* Fix hash_algo type comparison mismatch
* Simplify/clean up code
* Address compiler complaints and failures
* Fix memory allocations and leaks
* Sanity check provided input files are regular files
* Revert making "tsspcrread" a compile build time decision.
* Limit additional messages based on log level (-v)
- Add patch 0001-pcr_tss-Fix-compilation-for-old-compilers.patch
- Upstream bumped soname to 2.0.0
- Add tpm2-0-tss-devel for Tumbleweed as build dependency, for the rest ibmtss
as runtime dependency (needed for for reading PCR in ima_boot_aggregate cmd;
better to use libtss2-esys and libtss2-rc than require tsspcrread binary in
runtime, but tpm2-0-tss-devel is available only for Tumbleweed) + the same
logic as runtime dependency for devel package
- Mark COPYING as %license
==== libedit ====
- autoreconf already runs libtoolize no need to run twice
==== patterns-base ====
Subpackages: patterns-base-apparmor patterns-base-base patterns-base-bootloader patterns-base-minimal_base
- Move pam_pwquality to Recommends section, as it is not required
and user should be able to de-install the full pwquality stack.
- Stop trying to install grub2-branding on ppc64/ppc64le [boo#1171146]
==== patterns-microos ====
Subpackages: patterns-microos-alt_onlyDVD patterns-microos-apparmor patterns-microos-base patterns-microos-basesystem patterns-microos-cloud patterns-microos-defaults patterns-microos-hardware patterns-microos-ima_evm patterns-microos-onlyDVD patterns-microos-selinux patterns-microos-sssd_ldap
- Re-add kernel-firmware back to the DVDs [bsc#1174521]
==== perl-Bootloader ====
Version update (0.929 -> 0.931)
- merge gh#openSUSE/perl-bootloader#129
- Check tpm.mod in the new grub2 directory (bsc#1174320)
- 0.931
- merge gh#openSUSE/perl-bootloader#130
- Throw less warnings about fstab
- 0.930
==== python-rpm-macros ====
Version update (20200701.9f5a2f6 -> 20200714.252de1f)
- Update to version 20200714.252de1f:
* Add pyunittest and pyunittest_arch macros
==== python38-core ====
Version update (3.8.3 -> 3.8.4)
- Minor spec file fixes
- Fix minor issues found in the staging.
- Update to 3.8.4:
- Assignment expressions (PEP-572)
- Positional-only parameters (PEP-570)
- Parallel filesystem cache for compiled bytecode files
(PYTHONPYCACHEPREFIX variable)
- Debug build uses the same ABI as release build
- f-strings support = for self-documenting expressions
and debugging
- Python Runtime Audit Hooks (PEP-578)
- Python Initialization Configuration (PEP-587)
- Vectorcall: a fast calling protocol for CPython (PEP-590)
- Pickle protocol 5 with out-of-band data buffers (PEP-574)
- Many other smaller bug fixes
- Removed OBS_dev-shm.patch: contained in upstream
- Removed bpo40784-Fix-sqlite3-deterministic-test.patch:
contained in upstream
- Changed bpo-31046_ensurepip_honours_prefix.patch: to be
compatible with new version
- Fix %py3_compile being incorrectly defined
- Update pre_checkin.sh and regenerate
- Convert few dependencies to their pkgconfig counterparts
- Remove release requirement on libpython, it is not really needed
to be equal as the abi changes with versions
- Add provides python3-bla on all the subpkgs in case we are
primary provider of the functionality
- Remove unversioned files from devel subpkg too
- Remove main python3 files from -base based whether we are
primary interpreter or not
- Fix idle to be co-installable
- Add condition to be primary to provide/obsolete python3-*
- Fix doc to build in versioned folder so the pythons can be
installed next to each other
- Revert the full versioning of calls on the macros. These
are generic so they should really just call python3 X
- For the doc package we can build with generic flavor, we don't
need the our-interpreter based one
- Add provides for pytohn3X-typing/etc to allow BR on those still
to work when needed
- Change macros.python3 to use full versioned 3.8 instead of just 3
for python interpreter
==== raspberrypi-firmware-dt ====
- Add vl805-firware-loader-overlay.dts which registers a reset controller
that'll take care of triggering vl805's firmware load.
==== read-only-root-fs ====
- Use file requires, add sed
==== sudo ====
Version update (1.9.1 -> 1.9.2)
- Update to 1.9.2:
* The configure script now uses pkg-config to find the openssl cflags
and libs where possible.
* The contents of the log.json I/O log file is now documented in
the sudoers manual.
* The sudoers plugin now properly exports the sudoers_audit symbol
on systems where the compiler lacks symbol visibility controls.
This caused a regression in 1.9.1 where a successful sudo command
was not logged due to the missing audit plugin. Bug #931.
* Fixed a regression introduced in 1.9.1 that can result in crash
when there is a syntax error in the sudoers file. Bug #934.
- Rebase sudo-sudoers.patch
==== sysconfig ====
Version update (0.85.4 -> 0.85.5)
Subpackages: sysconfig-netconfig
- version 0.85.5
- spec: Fix Requires, use file requires
(https://github.com/openSUSE/sysconfig/pull/25)
- ntp: call chrony helper in background (bsc#1173391)
==== yast2 ====
Version update (4.3.15 -> 4.3.17)
- Provide a way to determine which resources (zones, services...)
have been modified from the default values (bsc#1171356)
- 4.3.17
- update is_wsl function to match wsl1 and wsl2 osrelease spellings
(boo#1174183)
- Add Layout class to configure a Wizard layout.
- Related to jsc#PM-1998.
- 4.3.16
--
To unsubscribe, e-mail: opensuse-kubic+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-kubic+owner(a)opensuse.org
Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.
Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=microos&groupid=1&version…https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Tumbleweed&com…
Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org.
For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports
Packages changed:
ffmpeg-4
gdk-pixbuf
grub2
kscreenlocker
patterns-base
patterns-microos
sudo (1.9.1 -> 1.9.2)
xkeyboard-config
=== Details ===
==== ffmpeg-4 ====
Subpackages: libavcodec58_91 libavformat58_45 libavutil56_51 libswresample3_7
- Apply upstream fix to avoid segfaults in x86/yuv2rgb conversion
ffmpeg.git-ba3e771a42c29ee02c34e7769cfc1b2dbc5c760a.patch
==== gdk-pixbuf ====
Subpackages: gdk-pixbuf-query-loaders libgdk_pixbuf-2_0-0 typelib-1_0-GdkPixbuf-2_0
- Add gdk-pixbuf-boo1174307-io-gif-overflow.patch: Avoid overflows
by checking the memset length argument (boo#1174307).
- Raise dependency glib-2.0 version.
==== grub2 ====
Subpackages: grub2-i386-pc grub2-snapper-plugin grub2-x86_64-efi
- No 95_textmode for PowerPC (boo#1174166)
==== kscreenlocker ====
Subpackages: libKScreenLocker5
- Add patch to disable the seccomp sandbox (boo#1174448):
* 0001-Disable-the-seccomp-sandbox.patch
==== patterns-base ====
Subpackages: patterns-base-base patterns-base-bootloader patterns-base-minimal_base patterns-base-x11
- Move pam_pwquality to Recommends section, as it is not required
and user should be able to de-install the full pwquality stack.
==== patterns-microos ====
Subpackages: patterns-microos-alt_onlyDVD patterns-microos-apparmor patterns-microos-base patterns-microos-basesystem patterns-microos-cloud patterns-microos-defaults patterns-microos-desktop-gnome patterns-microos-desktop-kde patterns-microos-hardware patterns-microos-ima_evm patterns-microos-onlyDVD patterns-microos-selinux patterns-microos-sssd_ldap
- Re-add kernel-firmware back to the DVDs [bsc#1174521]
==== sudo ====
Version update (1.9.1 -> 1.9.2)
- Update to 1.9.2:
* The configure script now uses pkg-config to find the openssl cflags
and libs where possible.
* The contents of the log.json I/O log file is now documented in
the sudoers manual.
* The sudoers plugin now properly exports the sudoers_audit symbol
on systems where the compiler lacks symbol visibility controls.
This caused a regression in 1.9.1 where a successful sudo command
was not logged due to the missing audit plugin. Bug #931.
* Fixed a regression introduced in 1.9.1 that can result in crash
when there is a syntax error in the sudoers file. Bug #934.
- Rebase sudo-sudoers.patch
==== xkeyboard-config ====
- U_Fix-symbols-in-syntax-error-spurious-git-conflict-ma.patch
* Fix symbols/in syntax error: spurious git conflict marker
(boo#1174483)
--
To unsubscribe, e-mail: opensuse-kubic+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-kubic+owner(a)opensuse.org
Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.
Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=kubic&groupid=1&version=T…https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Tumbleweed&com…
Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org.
For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports
Packages changed:
grub2
patterns-base
patterns-microos
sudo (1.9.1 -> 1.9.2)
=== Details ===
==== grub2 ====
Subpackages: grub2-i386-pc grub2-snapper-plugin grub2-x86_64-efi
- No 95_textmode for PowerPC (boo#1174166)
==== patterns-base ====
Subpackages: patterns-base-apparmor patterns-base-base patterns-base-bootloader patterns-base-minimal_base
- Move pam_pwquality to Recommends section, as it is not required
and user should be able to de-install the full pwquality stack.
==== patterns-microos ====
Subpackages: patterns-microos-alt_onlyDVD patterns-microos-apparmor patterns-microos-base patterns-microos-basesystem patterns-microos-cloud patterns-microos-defaults patterns-microos-hardware patterns-microos-ima_evm patterns-microos-onlyDVD patterns-microos-selinux patterns-microos-sssd_ldap
- Re-add kernel-firmware back to the DVDs [bsc#1174521]
==== sudo ====
Version update (1.9.1 -> 1.9.2)
- Update to 1.9.2:
* The configure script now uses pkg-config to find the openssl cflags
and libs where possible.
* The contents of the log.json I/O log file is now documented in
the sudoers manual.
* The sudoers plugin now properly exports the sudoers_audit symbol
on systems where the compiler lacks symbol visibility controls.
This caused a regression in 1.9.1 where a successful sudo command
was not logged due to the missing audit plugin. Bug #931.
* Fixed a regression introduced in 1.9.1 that can result in crash
when there is a syntax error in the sudoers file. Bug #934.
- Rebase sudo-sudoers.patch
--
To unsubscribe, e-mail: opensuse-kubic+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-kubic+owner(a)opensuse.org
Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.
Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=microos&groupid=1&version…https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Tumbleweed&com…
Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org.
For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports
Packages changed:
yast2 (4.3.15 -> 4.3.17)
=== Details ===
==== yast2 ====
Version update (4.3.15 -> 4.3.17)
- Provide a way to determine which resources (zones, services...)
have been modified from the default values (bsc#1171356)
- 4.3.17
- update is_wsl function to match wsl1 and wsl2 osrelease spellings
(boo#1174183)
- Add Layout class to configure a Wizard layout.
- Related to jsc#PM-1998.
- 4.3.16
--
To unsubscribe, e-mail: opensuse-kubic+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-kubic+owner(a)opensuse.org