In our most recent Cockpit CI F40 image refresh [1] there were a few relevant package updates, see [2] for the whole list:

  gnutls (3.8.4-1.fc40 -> 3.8.3-2.fc40)
  kernel-core (6.8.2-300.fc40 -> 6.8.4-300.fc40)

Note how gnutls *downgraded*. Not sure why, maybe bad interaction with the freeze, or some revert. But this now broke FIPS mode.

[1] https://github.com/cockpit-project/bots/pull/6199
[2] https://cockpit-logs.us-east-1.linodeobjects.com/image-refresh-fedora-40-a36e735a-20240410-223741/log.html

Reproducible: Always

Steps to Reproduce:
fips-mode-setup --enable
reboot
gnutls-cli localhost

Actual Results:
Error in GnuTLS initialization: Error while performing self checks.
global_init: Error while performing self checks.

Expected Results:
well, passing self checks :-)
Running gnutls in FIPS mode against nettle/hogweed/gmp other than the ones it was compiled against is expected to fail. You might want to downgrade these as well. There is no hard rpm-level dependency because it only matters in FIPS mode.
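The failure mode described in the comment above, as an added example that is not gnutls code and not part of this bug report: in FIPS mode gnutls' integrity self-check recomputes an HMAC-SHA256 over libgnutls and over the nettle/hogweed/gmp libraries it was linked against and compares them with the values recorded at build time (on Fedora the manifest lives at /usr/lib64/.gnutls.hmac), so any nettle/gmp build other than the one present in the build root fails the check even though rpm is perfectly happy. The library bytes, the manifest layout and the HMAC key below are constructed stand-ins, not gnutls' real format or key.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for the shared objects gnutls links against; the real
# check runs the HMAC over the ELF files on disk.
BUILD_TIME_LIBS = {
    "gnutls": b"libgnutls.so.30 as built for gnutls-3.8.3-2.fc40 (constructed)",
    "nettle": b"libnettle.so.8 from the nettle in the gnutls build root (constructed)",
    "hogweed": b"libhogweed.so.6 from the nettle in the gnutls build root (constructed)",
    "gmp": b"libgmp.so.10 from the gmp in the gnutls build root (constructed)",
}

# What the host looks like after the refresh in this report: the same gnutls
# bytes, but a nettle/hogweed pair from a different nettle build (constructed).
INSTALLED_AFTER_UPDATE = dict(
    BUILD_TIME_LIBS,
    nettle=b"libnettle.so.8 from nettle-3.9.1-6.fc40 (constructed)",
    hogweed=b"libhogweed.so.6 from nettle-3.9.1-6.fc40 (constructed)",
)

# Assumption: placeholder key. The real key is fixed and public; the HMAC is an
# integrity tag for FIPS 140 purposes, not a secret-keyed authenticator.
HMAC_KEY = b"example-fipshmac-key"


def lib_hmac(data: bytes) -> str:
    """HMAC-SHA256 of one library image, hex encoded as the manifest stores it."""
    return hmac.new(HMAC_KEY, data, hashlib.sha256).hexdigest()


def write_manifest(libs: dict) -> str:
    """Build-time step (the job of gnutls' fipshmac tool): one HMAC per library."""
    return json.dumps({name: {"hmac": lib_hmac(data)} for name, data in libs.items()}, indent=2)


def self_check(manifest_json: str, installed: dict) -> list:
    """Run-time step (FIPS-mode global_init): recompute every recorded HMAC.
    Returns the names that fail; an empty list means the self-check passes."""
    manifest = json.loads(manifest_json)
    failed = []
    for name, entry in manifest.items():
        data = installed.get(name)
        if data is None or not hmac.compare_digest(entry["hmac"], lib_hmac(data)):
            failed.append(name)
    return failed


def reproduce() -> dict:
    """One manifest, two installed sets: the build-time set passes, the
    post-update set fails on exactly the libraries that changed."""
    manifest = write_manifest(BUILD_TIME_LIBS)
    return {
        "build_time": self_check(manifest, BUILD_TIME_LIBS),
        "after_update": self_check(manifest, INSTALLED_AFTER_UPDATE),
    }


if __name__ == "__main__":
    for scenario, failed in reproduce().items():
        status = "passing self checks" if not failed else "Error while performing self checks: " + ", ".join(failed)
        print(f"{scenario}: {status}")
```

The point for anyone operating FIPS hosts: the dependency rpm sees (libnettle.so.8, libhogweed.so.6, libgmp.so.10 sonames) is weaker than the dependency the self-check enforces (these exact bytes), so a version mix that dnf accepts can still leave every GnuTLS client on the box unable to initialize.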
Same bug as in bug 2235589 or bug 2265507. Couldn't you add a gating test that covers this somehow? I didn't *explicitly* downgrade gnutls. I'm saying that this happened in the distro. Last week a cloud install + dnf update got 3.8.4-1.fc40, this week it gets 3.8.3-2.fc40. I.e. this is as much "dnf update" as it gets.
This is with nettle-3.9.1-6.fc40.x86_64 and gmp-6.2.1-8.fc40.x86_64 (latest available).
> Last week a cloud install + dnf update got 3.8.4-1.fc40, this week it gets 3.8.3-2.fc40. I.e. this is as much "dnf update" as it gets. Hard to tell what's at play here, but if getting older versions is what you're observing, it's beyond the control of gnutls packagers, whose only mechanism of influencing the situation is releasing more updates. If you, say, don't pin a specific Fedora mirror and your latter reprovision attempt got georedirected to a slightly more stale mirror, that's something new gnutls updates can only exacerbate. I have to admit, I don't see a way to address your problem.
I suppose the proper way to address this would be to set rpm dependencies correctly? Anyway, I don't know the technical details enough, I'm just reporting observations.
If only there was a way to impose a strict dependency for those who run their system in FIPS mode, without compromising on the flexibility for the majority who doesn't.
> without compromising on the flexibility for the majority who doesn't. I really don't want to troll, but I'm curious: Is that really a thing? I found that basically no one cares about correct dependencies in Fedora, so that partial upgrades are very often broken anyway. It's usually "always the latest or you get to keep both halves". Not having them also caused the wrong versions to enter RHEL/CentOS 10, so I just reported https://issues.redhat.com/browse/RHEL-32945. Is that "flexibility" worth the pain? (It's an honest question, I'm interested in the use cases of untested version mixes) Thanks!
Since this is a recurring problem, I have revamped my previous attempt to generate Requires: for nettle/gmp on the fly: https://src.fedoraproject.org/rpms/gnutls/pull-request/46 This allows FIPS consumers to always have the same version of nettle/gmp used at build time, as long as they install the `gnutls-fips` virtual package.
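The mechanism sketched in the comment above, as an added example that is not the gnutls.spec change from the pull request: at build time, query the exact nettle/gmp present in the build root and turn the result into `=` dependencies for a gnutls-fips subpackage, so that anyone who installs gnutls-fips can only ever have those releases; the same parse, run on a host, tells a FIPS deployment before it reboots whether the installed nettle/gmp still match. The query output below is constructed (the `rpm --qf` line is the real syntax; the "7.fc40" release is a hypothetical later nettle rebuild, not a real package).

```python
# Shape of the output of
#   rpm -q --qf '%{NAME} %{EPOCHNUM} %{VERSION} %{RELEASE}\n' nettle gmp
# run inside the gnutls build root. Constructed; EPOCHNUM prints 0 when the
# package has no epoch.
BUILD_ROOT_QUERY = """\
nettle 0 3.9.1 6.fc40
gmp 0 6.2.1 8.fc40
"""

# The same query on a host after a hypothetical later nettle rebuild
# (constructed; "7.fc40" is invented for the example).
INSTALLED_QUERY = """\
nettle 0 3.9.1 7.fc40
gmp 0 6.2.1 8.fc40
"""


def parse_rpm_query(text: str) -> dict:
    """Turn the query output into {name: "epoch:version-release"}."""
    pkgs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, epoch, version, release = line.split()
        pkgs[name] = f"{epoch}:{version}-{release}"
    return pkgs


def requires_lines(build_pkgs: dict) -> list:
    """Spec-file lines for the gnutls-fips subpackage. An '=' dependency on the
    full EVR forces dnf to keep exactly that nettle/gmp installed, and to refuse
    a gnutls update whose generated Requires the repo cannot satisfy. rpm treats
    epoch 0 and no epoch alike, so a 0 epoch is left out for readability."""
    lines = []
    for name, evr in build_pkgs.items():
        epoch, vr = evr.split(":", 1)
        lines.append(f"Requires: {name} = {vr if epoch == '0' else evr}")
    return lines


def fips_mismatches(build_pkgs: dict, installed_pkgs: dict) -> dict:
    """Packages whose installed EVR differs from the build-time EVR, mapped to
    (build_time, installed); these are the ones the FIPS self-check will reject.
    Pass the gnutls build-root versions as build_pkgs; the FIPS consumer gets
    them from the generated Requires of the installed gnutls-fips package."""
    return {
        name: (evr, installed_pkgs.get(name))
        for name, evr in build_pkgs.items()
        if installed_pkgs.get(name) != evr
    }


if __name__ == "__main__":
    build = parse_rpm_query(BUILD_ROOT_QUERY)
    print("\n".join(requires_lines(build)))
    for name, (wanted, got) in fips_mismatches(build, parse_rpm_query(INSTALLED_QUERY)).items():
        print(f"{name}: built against {wanted}, installed {got}: FIPS self-check will fail")
```

Keeping the pin in a separate virtual package is what preserves the comment's "flexibility for the majority": a non-FIPS host still gets the soname-level dependency only, while a host that installs gnutls-fips cannot end up in the state this bug describes without dnf reporting a dependency conflict first.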
FEDORA-2024-01f234e965 (gnutls-3.8.6-1.fc39) has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2024-01f234e965
FEDORA-2024-7ab1b36aa0 (gnutls-3.8.6-1.fc40) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2024-7ab1b36aa0
FEDORA-2024-7ab1b36aa0 has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-7ab1b36aa0` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-7ab1b36aa0 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-01f234e965 has been pushed to the Fedora 39 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-01f234e965` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-01f234e965 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-7ab1b36aa0 (gnutls-3.8.6-1.fc40) has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2024-01f234e965 (gnutls-3.8.6-1.fc39) has been pushed to the Fedora 39 stable repository. If problem still persists, please make note of it in this bug report.