python3 getting pulled in by crypto-policies #280

Closed
dustymabe opened this issue Sep 20, 2019 · 7 comments · Fixed by coreos/fedora-coreos-config#266
Labels
-python card related to removing a python dependency fallout/f31


@dustymabe
Member

dustymabe commented Sep 20, 2019

In rawhide right now we grew a dependency on python again:

[root@coreos ~]# rpm -e python3
error: Failed dependencies:
        /usr/bin/python3 is needed by (installed) crypto-policies-20190816-3.gitbb9bf99.fc32.noarch

Looks like we need to dig into why crypto-policies now requires python3.

@dustymabe
Member Author

This is the case in f31 as well.

@lucab
Contributor

lucab commented Sep 21, 2019

The underlying reason is that /usr/bin/update-crypto-policies has been rewritten (from bash/perl to python3) circa one month ago: https://gitlab.com/redhat-crypto/fedora-crypto-policies/commit/1d527f5d8be544ba5b394bd37f66fafcddb6a0c4#c79ed67fb72b2d57acc8874b18106d8891510f68

@dustymabe
Member Author

and crypto-policies is needed by:

[core@coreos ~]$ rpm -e crypto-policies
error: Failed dependencies:
        crypto-policies >= 20180730 is needed by (installed) openssl-libs-1:1.1.1d-1.fc31.x86_64
        crypto-policies is needed by (installed) gnutls-3.6.9-1.fc31.x86_64
        crypto-policies >= 20180306-1 is needed by (installed) openssh-clients-8.0p1-8.fc31.1.x86_64
        crypto-policies >= 20180306-1 is needed by (installed) openssh-server-8.0p1-8.fc31.1.x86_64
        /etc/crypto-policies/back-ends/krb5.config is needed by (installed) krb5-libs-1.17-40.fc31.x86_64

@dustymabe dustymabe added the meeting topics for meetings label Sep 23, 2019
@ajeddeloh
Contributor

I've been doing some digging. It looks like this package is composed of two parts:

  1. a bunch of configuration for various packages to set different options related to which crypto algorithms to use. These are included in the rpm (not generated on the fly)
  2. a script to enable or switch between them (now in python)

I think it's probably worth investigating if we can get the latter split out into a subpackage and not include it, then support what the script is doing in FCCT. Something like:

crypto_policy: fips

Using the script is somewhat of an antipattern for FCOS since all it does is write/link configs.

Thoughts?
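
The "write/link configs" step described in the comment above, done with nothing but sh, as an added example that is not part of the thread or of the crypto-policies package. It runs against a scratch root; only the `/etc/crypto-policies/back-ends/krb5.config` path appears on this page, while the `usr/share/crypto-policies/<POLICY>/<backend>.txt` source layout, the `etc/crypto-policies/config` marker file, the function names and the sample tree are assumptions.

```shell
# apply_policy ROOT POLICY: point every back-end at POLICY's shipped config.
#   ROOT/usr/share/crypto-policies/POLICY/<backend>.txt   shipped files (assumed layout)
#   ROOT/etc/crypto-policies/back-ends/<backend>.config   symlinks managed here
apply_policy() {
    root=$1 policy=$2
    # Reject names that could resolve outside the policy directory.
    case $policy in
        ''|*/*|.*) echo "invalid policy name: $policy" >&2; return 2 ;;
    esac
    src="$root/usr/share/crypto-policies/$policy"
    dst="$root/etc/crypto-policies/back-ends"
    # Refuse unknown policies before touching anything, so a typo cannot
    # leave the host with a half-switched set of back-ends.
    [ -d "$src" ] || { echo "unknown policy: $policy" >&2; return 1; }

    mkdir -p "$dst" || return 1
    for f in "$src"/*.txt; do
        [ -e "$f" ] || continue
        name=$(basename "$f" .txt)
        tmp="$dst/.$name.tmp.$$"
        # Link under a temporary name, then rename over the old link, so a
        # library reading its config never finds the path missing.
        ln -sf "$f" "$tmp" && mv -f "$tmp" "$dst/$name.config" || return 1
    done
    # Record the active policy name (assumed marker file).
    printf '%s\n' "$policy" > "$root/etc/crypto-policies/config"
}

# demo_root: build a constructed scratch tree and print its path.
# File contents are placeholders, not real policy data.
demo_root() {
    r=$(mktemp -d) || return 1
    for p in DEFAULT FUTURE; do
        mkdir -p "$r/usr/share/crypto-policies/$p"
        for b in openssl krb5; do
            echo "# $p settings for $b (placeholder)" \
                > "$r/usr/share/crypto-policies/$p/$b.txt"
        done
    done
    echo "$r"
}
```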

@ajeddeloh
Contributor

Filed a bug upstream about splitting out the package: https://bugzilla.redhat.com/show_bug.cgi?id=1755629

@dustymabe dustymabe removed the meeting topics for meetings label Oct 2, 2019
@jlebon jlebon added the -python card related to removing a python dependency label Oct 2, 2019
jlebon added a commit to jlebon/fedora-coreos-config that referenced this issue Oct 18, 2019
This is known to fail right now due to
coreos/fedora-coreos-tracker#280.
jlebon added a commit to jlebon/fedora-coreos-config that referenced this issue Oct 21, 2019
This is known to fail right now due to
coreos/fedora-coreos-tracker#280.
jlebon added a commit to coreos/fedora-coreos-config that referenced this issue Oct 21, 2019
This is known to fail right now due to
coreos/fedora-coreos-tracker#280.
@dustymabe dustymabe added the meeting topics for meetings label Nov 19, 2019
@dustymabe
Member Author

We had been holding a release trying to get this in (so we didn't ship python3). We decided in the meeting today to go ahead and release while the work on this continues.

@dustymabe dustymabe removed the meeting topics for meetings label Nov 20, 2019
@dustymabe
Member Author

I tested https://src.fedoraproject.org/rpms/crypto-policies/pull-request/6# with a scratch build and python3 is gone!

Upgraded:                                     
  crypto-policies 20191128-2.gitcd267a5.fc31 -> 20191128-3.gitcd267a5.fc32                                            
Removed:                                    
  gdbm-libs-1:1.18.1-1.fc31.x86_64         
  python-pip-wheel-19.1.1-7.fc31.noarch      
  python-setuptools-wheel-41.2.0-1.fc31.noarch                                                                        
  python3-3.7.5-2.fc31.x86_64                   
  python3-libs-3.7.5-2.fc31.x86_64

dustymabe added a commit to dustymabe/fedora-coreos-config that referenced this issue Jan 13, 2020
We're pulling from rawhide here as this is a brand new change
and the maintainer is not comfortable sending it to F31 yet.

See https://src.fedoraproject.org/rpms/crypto-policies/pull-request/6#comment-35958

Fixes: coreos/fedora-coreos-tracker#280
dustymabe added a commit to coreos/fedora-coreos-config that referenced this issue Jan 13, 2020
We're pulling from rawhide here as this is a brand new change
and the maintainer is not comfortable sending it to F31 yet.

See https://src.fedoraproject.org/rpms/crypto-policies/pull-request/6#comment-35958

Fixes: coreos/fedora-coreos-tracker#280
jlebon added a commit to jlebon/fedora-coreos-config that referenced this issue Jan 15, 2020
jlebon added a commit to coreos/fedora-coreos-config that referenced this issue Jan 15, 2020