Bug 2302646 - Review Request: wolfssl - Lightweight SSL/TLS library written in ANSI C
Summary: Review Request: wolfssl - Lightweight SSL/TLS library written in ANSI C
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Felix Wang
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-08-03 18:45 UTC by Andrew Bauer
Modified: 2025-03-11 19:23 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2024-08-19 15:06:28 UTC
Type: ---
Embargoed:
topazus: fedora-review+



Description Andrew Bauer 2024-08-03 18:45:38 UTC
Spec URL:
https://download.copr.fedorainfracloud.org/results/kni/wolfssl/fedora-rawhide-x86_64/07829939-wolfssl/wolfssl.spec

SRPM URL: 
https://download.copr.fedorainfracloud.org/results/kni/wolfssl/fedora-rawhide-x86_64/07829939-wolfssl/wolfssl-5.7.0-1.fc41.src.rpm

Description:
The wolfSSL embedded SSL library (formerly CyaSSL) is a lightweight SSL/TLS
library written in ANSI C and targeted for embedded, RTOS, and
resource-constrained environments - primarily because of its small size,
speed, and feature set. It is commonly used in standard operating environments
as well because of its royalty-free pricing and excellent cross platform
support. wolfSSL supports industry standards up to the current TLS 1.3 and
DTLS 1.3, is up to 20 times smaller than OpenSSL, and offers progressive
ciphers such as ChaCha20, Curve25519, Blake2b and Post-Quantum TLS 1.3 groups.
User benchmarking and feedback reports dramatically better performance when
using wolfSSL over OpenSSL.

wolfSSL is powered by the wolfCrypt cryptography library. Two versions of
wolfCrypt have been FIPS 140-2 validated (Certificate #2425 and certificate
#3389). FIPS 140-3 validation is in progress. For additional information,
visit the wolfCrypt FIPS FAQ or contact fips.

Fedora Account System Username:
kni

BACKGROUND:
The Netatalk project recently started building against wolfssl. Today it is optional, but the long term goals of the project are to make wolfssl a requirement.  As the Netatalk package maintainer, I want to stay ahead of this and get wolfssl added to Fedora repos to avoid any blockages.

RPMLINT:
$ rpmlint /var/lib/mock/fedora-40-x86_64/result/*.rpm
============================ rpmlint session starts ============================
rpmlint: 2.5.0
configuration:
    /usr/lib/python3.12/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora-legacy-licenses.toml
    /etc/xdg/rpmlint/fedora-spdx-licenses.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
checks: 32, packages: 6

wolfssl.src: E: spelling-error ('wolfCrypt', '%description -l en_US wolfCrypt -> wolf Crypt, wolf-crypt, Cryptozoic')
wolfssl.x86_64: E: spelling-error ('wolfCrypt', '%description -l en_US wolfCrypt -> wolf Crypt, wolf-crypt, Cryptozoic')
wolfssl-devel.x86_64: W: no-manual-page-for-binary wolfssl-config
wolfssl.x86_64: W: crypto-policy-non-compliance-openssl /usr/lib64/libwolfssl.so.42.1.0 SSL_CTX_set_cipher_list
 6 packages and 0 specfiles checked; 2 errors, 2 warnings, 40 filtered, 2 badness; has taken 4.1 s 

RPMLINT RESPONSES:
> wolfssl.src: E: spelling-error ('wolfCrypt', '%description -l en_US wolfCrypt -> wolf Crypt, wolf-crypt, Cryptozoic')

This is the proper name of the project, thus this error can be ignored

> wolfssl-devel.x86_64: W: no-manual-page-for-binary wolfssl-config

wolfssl-config is dynamically created during configure. The authors have not provided a man page for this executable. This is by design:
https://github.com/wolfSSL/wolfssl/blob/master/debian/include.am#L60

> wolfssl.x86_64: W: crypto-policy-non-compliance-openssl /usr/lib64/libwolfssl.so.42.1.0 SSL_CTX_set_cipher_list

Fedora Packaging Reference:
https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/

Grepping the source code, one can see that wolfssl calls wolfSSL_CTX_set_cipher_list() rather than SSL_CTX_set_cipher_list(). Thus, this is a false positive and can be ignored.
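
Added here as an illustration, not code from the review request or from the wolfSSL project: a small Python triage script that parses the rpmlint output quoted above, waives only the findings whose justification is given in the responses (keyed on both the check name and the specific detail, so a crypto-policy warning about a different symbol would stay open), and cross-checks rpmlint's own error/warning counts against the lines parsed. The sample text is the output quoted in this report; the waiver table and the CONSTRUCTED_OTHER_SYMBOL value used in the check are constructed for the example.

```python
import re
from dataclasses import dataclass

# Sample input: the rpmlint 2.5.0 findings and summary line quoted in this review request.
SAMPLE_RPMLINT = """\
rpmlint: 2.5.0
checks: 32, packages: 6

wolfssl.src: E: spelling-error ('wolfCrypt', '%description -l en_US wolfCrypt -> wolf Crypt, wolf-crypt, Cryptozoic')
wolfssl.x86_64: E: spelling-error ('wolfCrypt', '%description -l en_US wolfCrypt -> wolf Crypt, wolf-crypt, Cryptozoic')
wolfssl-devel.x86_64: W: no-manual-page-for-binary wolfssl-config
wolfssl.x86_64: W: crypto-policy-non-compliance-openssl /usr/lib64/libwolfssl.so.42.1.0 SSL_CTX_set_cipher_list
 6 packages and 0 specfiles checked; 2 errors, 2 warnings, 40 filtered, 2 badness; has taken 4.1 s
"""

# "<package>: <E|W>: <check> [<detail>]" as rpmlint 2.x prints it.
MSG_RE = re.compile(r"^(?P<pkg>[\w.+-]+): (?P<level>[EW]): (?P<check>[\w-]+)(?: (?P<detail>.*))?$")
# The closing summary line; only the error and warning counts are needed here.
SUMMARY_RE = re.compile(r"^\s*\d+ packages? and \d+ specfiles? checked; (\d+) errors?, (\d+) warnings?")

# Waivers constructed from the justifications given in the review; (check, required detail substring) -> reason.
WAIVERS = {
    ("spelling-error", "wolfCrypt"): "wolfCrypt is the proper name of the crypto library",
    ("no-manual-page-for-binary", "wolfssl-config"): "wolfssl-config is generated by configure; upstream ships no man page",
    ("crypto-policy-non-compliance-openssl", "SSL_CTX_set_cipher_list"):
        "wolfssl calls wolfSSL_CTX_set_cipher_list(), not the OpenSSL API; false positive",
}


@dataclass(frozen=True)
class Finding:
    package: str
    level: str   # "E" or "W"
    check: str
    detail: str


def parse_rpmlint(text):
    """Return (findings, (errors, warnings)) from raw rpmlint output; summary is None if no summary line."""
    findings, summary = [], None
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if m:
            findings.append(Finding(m["pkg"], m["level"], m["check"], m["detail"] or ""))
            continue
        s = SUMMARY_RE.match(line)
        if s:
            summary = (int(s.group(1)), int(s.group(2)))
    return findings, summary


def summary_matches(findings, summary):
    """True when rpmlint's own counts agree with the lines parsed; guards against truncated or edited logs."""
    if summary is None:
        return False
    counted = (sum(f.level == "E" for f in findings), sum(f.level == "W" for f in findings))
    return counted == summary


def triage(findings):
    """Split findings into (waived, open); a waiver applies only when check AND detail substring both match."""
    waived, open_findings = [], []
    for f in findings:
        reason = next((why for (check, needle), why in WAIVERS.items()
                       if f.check == check and needle in f.detail), None)
        if reason:
            waived.append((f, reason))
        else:
            open_findings.append(f)
    return waived, open_findings


if __name__ == "__main__":
    found, totals = parse_rpmlint(SAMPLE_RPMLINT)
    print("summary consistent:", summary_matches(found, totals))
    waived, still_open = triage(found)
    for f, why in waived:
        print(f"WAIVED {f.package} {f.level} {f.check}: {why}")
    for f in still_open:
        print(f"OPEN   {f.package} {f.level} {f.check} {f.detail}")
```

Run it on a full `rpmlint` log to get the same waived/open split the reviewer applies by hand; anything printed as OPEN needs a written justification before the review proceeds.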

Comment 1 Andrew Bauer 2024-08-03 18:51:05 UTC
Note this review request is for wolfssl 2.7.0. The latest version of wolfssl is 2.7.2.

However, there appears to be a regression in version 2.7.2 which I have reported here:
https://github.com/wolfSSL/wolfssl/issues/7827

If this issue is resolved before this review request is approved, I will generate new spec and srpms for the review process.

Comment 2 Felix Wang 2024-08-09 14:20:28 UTC
> License:           GPLv2

Use SPDX license expression format

A side note: have you tried to build wolfssl with the CMake build system, since the upstream repo supports CMake, which is a little better than the configure script?

Comment 3 Andrew Bauer 2024-08-09 15:40:57 UTC
Ah right. Good catch. I'll change that to GPL-2.0-or-later based on the project LICENSING statement:
https://github.com/wolfSSL/wolfssl/blob/master/LICENSING


I very much prefer cmake, but you may have noticed cmake is still under development:
https://github.com/wolfSSL/wolfssl/blob/master/INSTALL#L80

After skimming through past and present github issues, it seems they let it fall behind autotools.

For example:
https://github.com/wolfSSL/wolfssl/issues/6983
https://github.com/wolfSSL/wolfssl/issues/7425

Once the project makes a dedicated move to cmake, I will absolutely consider switching.

Comment 4 Felix Wang 2024-08-09 16:17:40 UTC
> https://github.com/wolfSSL/wolfssl/blob/master/INSTALL#L80

It seems that line was written 4 years ago; it may have improved a lot since then.

The wolfssl package in Arch Linux also uses CMake. https://gitlab.archlinux.org/archlinux/packaging/packages/wolfssl/-/blob/main/PKGBUILD?ref_type=heads

Comment 5 Felix Wang 2024-08-09 16:24:18 UTC
Well, using the configure script will also be fine.

---

Package Review
==============

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated
[ ] = Manual review needed


Issues:
=======
- The License field must be a valid SPDX expression.
  Note: Not a valid SPDX expression 'GPLv2'. It seems that you are using
  the old Fedora license abbreviations. Try `license-fedora2spdx' for
  converting it to SPDX.
  See: https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_1


===== MUST items =====

C/C++:
[ ]: Package does not contain kernel modules.
[x]: If your application is a C or C++ application you must list a
     BuildRequires against gcc, gcc-c++ or clang.
[x]: Header files in -devel subpackage, if present.
[x]: ldconfig not called in %post and %postun for Fedora 28 and later.
[x]: Package does not contain any libtool archives (.la)
[x]: Package contains no static executables.
[x]: Rpath absent or only used for internal libs.
[x]: Development (unversioned) .so files in -devel subpackage, if present.

Generic:
[ ]: Package successfully compiles and builds into binary rpms on at least
     one supported primary architecture.
     Note: Using prebuilt packages
[ ]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[ ]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses
     found: "Unknown or generated", "GNU General Public License, Version
     2", "*No copyright* GNU General Public License v2.0 or later", "Apache
     License 2.0 and/or GNU General Public License, Version 2 and/or GNU
     General Public License, Version 3", "GNU General Public License v2.0
     or later", "FSF All Permissive License", "GNU General Public License
     v3.0 or later", "BSD 3-Clause License", "FSF Unlimited License (with
     License Retention)", "*No copyright* GNU General Public License,
     Version 2", "Apache License 2.0", "GNU General Public License". 1778
     files have unknown license. Detailed output of licensecheck in
     /var/lib/copr-rpmbuild/results/wolfssl/licensecheck.txt
[ ]: License file installed when any subpackage combination is installed.
[ ]: Package requires other packages for directories it uses.
     Note: No known owner of /usr/include/wolfssl/wolfcrypt,
     /usr/include/wolfssl/openssl, /usr/lib, /usr/share/licenses,
     /usr/share/doc, /usr/include/wolfssl, /usr/lib64/pkgconfig,
     /usr/share, /usr/src, /usr/src/debug, /usr/include, /usr, /usr/bin,
     /usr/lib64
[ ]: Package must own all directories that it creates.
     Note: Directories without known owners: /usr/lib64/pkgconfig,
     /usr/src/debug, /usr/include, /usr/include/wolfssl/wolfcrypt, /usr,
     /usr/include/wolfssl/openssl, /usr/share, /usr/lib,
     /usr/share/licenses, /usr/bin, /usr/src, /usr/share/doc, /usr/lib64,
     /usr/include/wolfssl
[ ]: %build honors applicable compiler flags or justifies otherwise.
[ ]: Package contains no bundled libraries without FPC exception.
[ ]: Changelog in prescribed format.
[ ]: Sources contain only permissible code or content.
[ ]: Package contains desktop file if it is a GUI application.
[ ]: Development files must be in a -devel package
[ ]: Package uses nothing in %doc for runtime.
[ ]: Package consistently uses macros (instead of hard-coded directory
     names).
[ ]: Package is named according to the Package Naming Guidelines.
[ ]: Package does not generate any conflict.
[ ]: Package obeys FHS, except libexecdir and /usr/target.
[ ]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[ ]: Requires correct, justified where necessary.
[ ]: Spec file is legible and written in American English.
[ ]: Package contains systemd file(s) if in need.
[ ]: Useful -debuginfo package or justification otherwise.
[ ]: Package is not known to require an ExcludeArch tag.
[ ]: Large documentation must go in a -doc subpackage. Large could be size
     (~1MB) or number of files.
     Note: Documentation size is 726315 bytes in 17 files.
[ ]: Package complies to the Packaging Guidelines
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: If (and only if) the source package includes the text of the
     license(s) in its own file, then that file, containing the text of the
     license(s) for the package is included in %license.
[x]: Package does not own files or directories owned by other packages.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Dist tag is present.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package must not depend on deprecated() packages.
[x]: Package use %makeinstall only when make install DESTDIR=... doesn't
     work.
[x]: Package is named using only allowed ASCII characters.
[x]: Package does not use a name that already exists.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as
     provided in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Packages must not store files under /srv, /opt or /usr/local

===== SHOULD items =====

Generic:
[!]: Reviewer should test that the package builds in mock.
[ ]: If the source package does not include license text(s) as a separate
     file from upstream, the packager SHOULD query upstream to include it.
[ ]: Final provides and requires are sane (see attachments).
[ ]: Fully versioned dependency in subpackages if applicable.
     Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in wolfssl-
     devel
[ ]: Package functions as described.
[ ]: Latest version is packaged.
[ ]: Package does not include license text files separate from upstream.
[ ]: Sources are verified with gpgverify first in %prep if upstream
     publishes signatures.
     Note: gpgverify is not used.
[ ]: Package should compile and build into binary rpms on all supported
     architectures.
[ ]: %check is present and all tests pass.
[ ]: Packages should try to preserve timestamps of original installed
     files.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: The placement of pkgconfig(.pc) files are correct.
[x]: Sources can be downloaded from URI in Source: tag
[x]: SourceX is a working URL.
[x]: Spec use %global instead of %define unless justified.

===== EXTRA items =====

Generic:
[x]: Rpmlint is run on debuginfo package(s).
     Note: No rpmlint messages.
[x]: Rpmlint is run on all installed packages.
     Note: No rpmlint messages.
[x]: Large data in /usr/share should live in a noarch subpackage if package
     is arched.
[x]: Package should not use obsolete m4 macros


Rpmlint
-------
Checking: wolfssl-5.7.0-1.fc41.x86_64.rpm
          wolfssl-devel-5.7.0-1.fc41.x86_64.rpm
          wolfssl-doc-5.7.0-1.fc41.noarch.rpm
          wolfssl-debuginfo-5.7.0-1.fc41.x86_64.rpm
          wolfssl-debugsource-5.7.0-1.fc41.x86_64.rpm
          wolfssl-5.7.0-1.fc41.src.rpm
============================ rpmlint session starts ============================
rpmlint: 2.5.0
configuration:
    /usr/lib/python3.12/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora-legacy-licenses.toml
    /etc/xdg/rpmlint/fedora-spdx-licenses.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
rpmlintrc: [PosixPath('/tmp/tmphs_7l_p6')]
checks: 32, packages: 6

wolfssl.src: E: spelling-error ('wolfCrypt', '%description -l en_US wolfCrypt -> wolf Crypt, wolf-crypt, Cryptozoic')
wolfssl.x86_64: E: spelling-error ('wolfCrypt', '%description -l en_US wolfCrypt -> wolf Crypt, wolf-crypt, Cryptozoic')
wolfssl-devel.x86_64: W: no-manual-page-for-binary wolfssl-config
wolfssl.x86_64: W: crypto-policy-non-compliance-openssl /usr/lib64/libwolfssl.so.42.1.0 SSL_CTX_set_cipher_list
 6 packages and 0 specfiles checked; 2 errors, 2 warnings, 40 filtered, 2 badness; has taken 1.3 s 




Rpmlint (debuginfo)
-------------------
Checking: wolfssl-debuginfo-5.7.0-1.fc41.x86_64.rpm
============================ rpmlint session starts ============================
rpmlint: 2.5.0
configuration:
    /usr/lib/python3.12/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora-legacy-licenses.toml
    /etc/xdg/rpmlint/fedora-spdx-licenses.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
rpmlintrc: [PosixPath('/tmp/tmpvo9vz9ge')]
checks: 32, packages: 1

 1 packages and 0 specfiles checked; 0 errors, 0 warnings, 6 filtered, 0 badness; has taken 0.2 s 





Rpmlint (installed packages)
----------------------------
(none): E: there is no installed rpm "wolfssl-debugsource".
(none): E: there is no installed rpm "wolfssl-doc".
(none): E: there is no installed rpm "wolfssl".
(none): E: there is no installed rpm "wolfssl-debuginfo".
============================ rpmlint session starts ============================
rpmlint: 2.5.0
configuration:
    /usr/lib/python3.13/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora-legacy-licenses.toml
    /etc/xdg/rpmlint/fedora-spdx-licenses.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
checks: 32, packages: 5

 0 packages and 0 specfiles checked; 0 errors, 0 warnings, 0 filtered, 0 badness; has taken 0.0 s 
(none): E: there is no installed rpm "wolfssl-devel".
There are no files to process nor additional arguments.
Nothing to do, aborting.



Source checksums
----------------
https://github.com/wolfSSL/wolfssl/archive/v5.7.0-stable.tar.gz#/wolfssl-5.7.0.tar.gz :
  CHECKSUM(SHA256) this package     : 2de93e8af588ee856fe67a6d7fce23fc1b226b74d710b0e3946bc8061f6aa18f
  CHECKSUM(SHA256) upstream package : 2de93e8af588ee856fe67a6d7fce23fc1b226b74d710b0e3946bc8061f6aa18f


Requires
--------
wolfssl (rpmlib, GLIBC filtered):
    libc.so.6()(64bit)
    libm.so.6()(64bit)
    rtld(GNU_HASH)

wolfssl-devel (rpmlib, GLIBC filtered):
    /usr/bin/pkg-config
    /usr/bin/sh
    libwolfssl.so.42()(64bit)
    wolfssl

wolfssl-doc (rpmlib, GLIBC filtered):

wolfssl-debuginfo (rpmlib, GLIBC filtered):

wolfssl-debugsource (rpmlib, GLIBC filtered):



Provides
--------
wolfssl:
    libwolfssl.so.42()(64bit)
    wolfssl
    wolfssl(x86-64)

wolfssl-devel:
    pkgconfig(wolfssl)
    wolfssl-devel
    wolfssl-devel(x86-64)

wolfssl-doc:
    wolfssl-doc

wolfssl-debuginfo:
    debuginfo(build-id)
    libwolfssl.so.42.1.0-5.7.0-1.fc41.x86_64.debug()(64bit)
    wolfssl-debuginfo
    wolfssl-debuginfo(x86-64)

wolfssl-debugsource:
    wolfssl-debugsource
    wolfssl-debugsource(x86-64)



Generated by fedora-review 0.10.0 (e79b66b) last change: 2023-07-24
Command line :/bin/fedora-review --no-colors --prebuilt --rpm-spec --name wolfssl --mock-config /var/lib/copr-rpmbuild/results/configs/child.cfg
Buildroot used: fedora-rawhide-x86_64
Active plugins: C/C++, Generic, Shell-api
Disabled plugins: PHP, Perl, fonts, Haskell, R, Python, Java, SugarActivity, Ocaml
Disabled flags: EXARCH, EPEL6, EPEL7, DISTTAG, BATCH

Comment 6 Felix Wang 2024-08-09 16:54:36 UTC
Here are some more comments:

1.
> [ ]: Package must own all directories that it creates.
>      Note: Directories without known owners: /usr/lib64/pkgconfig,
>      /usr/src/debug, /usr/include, /usr/include/wolfssl/wolfcrypt, /usr,
>      /usr/include/wolfssl/openssl, /usr/share, /usr/lib,
>      /usr/share/licenses, /usr/bin, /usr/src, /usr/share/doc, /usr/lib64,
>      /usr/include/wolfssl

Own the related directories.

2.
> [ ]: Fully versioned dependency in subpackages if applicable.
>      Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in wolfssl-
>      devel

Change the corresponding line.

3.
> # pickup the documentation placed into pgkdocdir during install
> %doc %{_pkgdocdir}/*
> %exclude %{_pkgdocdir}/example

move these files to the wolfssl-doc subpackage.
And why do you exclude the %{_pkgdocdir}/example directory?

Comment 7 Andrew Bauer 2024-08-09 18:44:03 UTC
Thank you for taking the time to perform this review. Good to know Arch Linux packages wolfssl. I may ping the package maintainer to learn why he chose the build options he did (since there are so many to choose from). Debian has wolfssl as well. They are using autotools, and 

UPDATED Spec URL:
https://download.copr.fedorainfracloud.org/results/kni/wolfssl/fedora-rawhide-x86_64/07896744-wolfssl/wolfssl.spec

UPDATED SRPM URL: 
https://download.copr.fedorainfracloud.org/results/kni/wolfssl/fedora-rawhide-x86_64/07896744-wolfssl/wolfssl-5.7.0-1.fc41.src.rpm

RESPONSES TO COMMENTS:

License updated GPLv2 -> GPL-2.0-or-later

1) Directory ownership has been added:

%dir %{_includedir}/wolfssl
%{_includedir}/wolfssl/*.h
%dir %{_includedir}/wolfssl/wolfcrypt
%{_includedir}/wolfssl/wolfcrypt/*.h
%dir %{_includedir}/wolfssl/openssl
%{_includedir}/wolfssl/openssl/*.h

I hope we can agree that all the other mentioned folders should NOT be owned by the wolfssl package. ;-)

2) %{isa} has been added to devel subpackage requires

3) The way the documentation is organized is by design. 

The example folder contains only .c code samples, and does not belong in the main package. Instead example folder and its contents have been bundled with -devel.

The main package has just these files under doc:

/usr/share/doc/wolfssl/ChangeLog.md
/usr/share/doc/wolfssl/QUIC.md
/usr/share/doc/wolfssl/README
/usr/share/doc/wolfssl/README.md
/usr/share/doc/wolfssl/README.txt
/usr/share/doc/wolfssl/taoCert.txt

Essentially, the changelog, READMEs containing notes about the project and a URL to the online documentation, and instructions on how to make a cert.

The doc subpackage has been defined as an HTML doc subpackage. This is identified as such in the subpackage description.
This is extra documentation, generated by make dox-html. Due to its large size, it made sense to put this into its own subpackage.
However, one could perhaps argue the html documentation isn't really needed at all, since the README points one to the online documentation.

Comment 8 Andrew Bauer 2024-08-16 15:15:06 UTC
> [ ]: Large documentation must go in a -doc subpackage. Large could be size
>      (~1MB) or number of files.
>      Note: Documentation size is 726315 bytes in 17 files.

In order to comply with this, large documentation has previously been moved to the -doc subpackage. In this case, the large documentation is the offline html documentation, which most users won't need. They can instead follow the link to the online documentation shown in README.txt.

In order to make it more clear what doc files go where, I have reorganized relevant lines under %files:

> %files
> %license COPYING LICENSING
> %doc ChangeLog.md README README.md
> # these files are placed into pkgdocdir during make install
> %doc %{_pkgdocdir}/QUIC.md
> %doc %{_pkgdocdir}/README.txt
> %doc %{_pkgdocdir}/taoCert.txt


> %files devel
> %doc %{_pkgdocdir}/example


> %files doc
> # offline html documentation only
> %license COPYING LICENSING
> %doc doc/html


UPDATED Spec URL:
https://download.copr.fedorainfracloud.org/results/kni/wolfssl/fedora-rawhide-x86_64/07913580-wolfssl/wolfssl.spec

UPDATED SRPM URL: 
https://download.copr.fedorainfracloud.org/results/kni/wolfssl/fedora-rawhide-x86_64/07913580-wolfssl/wolfssl-5.7.0-1.fc42.src.rpm

Comment 9 Felix Wang 2024-08-17 15:53:02 UTC
[x] package name is OK
[x] license is acceptable for Fedora: GPL-2.0-or-later
[x] builds and installs OK
[x] BR/P/R look correct
[x] no scriptlets needed or present
[x] rpmlint finds no big issue


wolfssl.x86_64: W: crypto-policy-non-compliance-openssl /usr/lib64/libwolfssl.so.42.1.0 SSL_CTX_set_cipher_list
It is a false positive.

Package is APPROVED.

Comment 10 Felix Wang 2024-08-17 15:54:46 UTC
Would you mind sparing some time on my review request? https://bugzilla.redhat.com/show_bug.cgi?id=2305343

Comment 11 Fabio Valentini 2024-08-17 21:04:16 UTC
Technically, this would require additional review:
https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/#_new_crypto_libraries

Comment 12 Andrew Bauer 2024-08-19 12:48:04 UTC
(In reply to Fabio Valentini from comment #11)
> Technically, this would require additional review:
> https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/
> #_new_crypto_libraries

I'm not sure that is true, but I will give you the benefit of the doubt.

The linked article is titled New Crypto Libraries, but the content describes something different. The content describes how applications that use existing crypto libraries should be configured.

The paragraph just before that suggests all one has to do is follow the advice of rpmlint, which has already been done.

It then goes on to suggest, when in doubt, contacting the Fedora Security Team. However, the provided contact link returns HTTP 404.

After asking around on fedora devel list, I learned the Fedora Security Team no longer exists in the same capacity it did previously (explains the HTTP 404).

It was suggested I ask my question here, which has been done: 
https://matrix.to/#/#security:fedoraproject.org

I will wait until I return from travels later this week to see if a response was given. If not, I am going to push ahead.

Comment 13 Andrew Bauer 2024-08-19 14:13:31 UTC
Fedora Security gave the recommendation to build with AES-NI, which has been done.

UPDATED Spec URL:
https://download.copr.fedorainfracloud.org/results/kni/wolfssl/fedora-rawhide-x86_64/07920611-wolfssl/wolfssl.spec

UPDATED SRPM URL: 
https://download.copr.fedorainfracloud.org/results/kni/wolfssl/fedora-rawhide-x86_64/07920611-wolfssl/wolfssl-5.7.0-1.fc42.src.rpm

Requesting new package repo now...

Comment 14 Fedora Admin user for bugzilla script actions 2024-08-19 14:19:38 UTC
The Pagure repository was created at https://src.fedoraproject.org/rpms/wolfssl

Comment 15 Fedora Update System 2024-08-19 16:05:26 UTC
FEDORA-2024-7212da0e31 (wolfssl-5.7.0-1.fc40) has been submitted as an update to Fedora 40.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-7212da0e31

Comment 16 Fedora Update System 2024-08-19 17:10:45 UTC
FEDORA-2024-783600f7bb (wolfssl-5.7.0-1.fc39) has been submitted as an update to Fedora 39.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-783600f7bb

Comment 17 Fedora Update System 2024-08-19 17:30:38 UTC
FEDORA-EPEL-2024-59f421a1df (wolfssl-5.7.0-1.el9) has been submitted as an update to Fedora EPEL 9.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-59f421a1df

Comment 18 Fedora Update System 2024-08-20 01:04:10 UTC
FEDORA-2024-783600f7bb has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf install --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-783600f7bb \*`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-783600f7bb

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 19 Fedora Update System 2024-08-20 01:54:12 UTC
FEDORA-2024-7212da0e31 has been pushed to the Fedora 40 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf install --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-7212da0e31 \*`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-7212da0e31

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 20 Fedora Update System 2024-08-20 02:11:27 UTC
FEDORA-EPEL-2024-59f421a1df has been pushed to the Fedora EPEL 9 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-59f421a1df

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 21 Fedora Update System 2024-08-28 00:36:56 UTC
FEDORA-EPEL-2024-59f421a1df (wolfssl-5.7.0-1.el9) has been pushed to the Fedora EPEL 9 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 22 Fedora Update System 2024-08-28 02:21:45 UTC
FEDORA-2024-783600f7bb (wolfssl-5.7.0-1.fc39) has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 23 Fedora Update System 2024-08-28 02:36:30 UTC
FEDORA-2024-7212da0e31 (wolfssl-5.7.0-1.fc40) has been pushed to the Fedora 40 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 24 Fabio Valentini 2024-09-04 12:39:21 UTC
It looks like you ignored this completely?

> New crypto libraries must comply with the crypto policies to enter Fedora, unless an exception has been granted by Fedora packaging committee, after consulting with Fedora security team.

I don't think it's OK to just import the package regardless, especially after this was pointed out during the review.

Comment 25 Andrew Bauer 2024-09-04 13:45:19 UTC
(In reply to Fabio Valentini from comment #24)
> It looks like you ignored this completely?
> 
> > New crypto libraries must comply with the crypto policies to enter Fedora, unless an exception has been granted by Fedora packaging committee, after consulting with Fedora security team.
> 
> I don't think it's OK to just import the package regardless, especially
> after this was pointed out during the review.

This statement is incorrect. Please read comments 12 & 13 closely. 

I made the recommendation from Fedora Security and the package was built. This conversation occurred here:
https://matrix.to/#/#security:fedoraproject.org

Comment 26 Fabio Valentini 2024-09-04 13:52:11 UTC
So, does the package follow system-wide crypto policy?
If not, have you received an exception from the FPC? (you have not)

Comment 27 Andrew Bauer 2024-09-04 13:58:34 UTC
I asked Fedora Security point blank what I needed to do in this case, and they responded with a simple request to build with AES-NI. That's it.
They approved this. If you disagree then you will have to take it up with them.

Comment 28 Fabio Valentini 2024-09-04 14:09:09 UTC
I still don't think you understand the statement in the policy here (and the people in the security channel apparently don't, either):

> New crypto libraries must comply with the crypto policies to enter Fedora

-> wolfssl does not

> unless an exception has been granted by Fedora packaging committee

-> it has not

> after consulting with Fedora security team.

-> this has happened

So at least one step in this process has been skipped.

I'll ask in the Security channel.

Comment 29 Felix Wang 2024-09-04 14:19:20 UTC
I am sorry that I approved this without further review on crypto policies. I am busy with my graduation these days, so I may not respond in a timely manner.

Anyway, I created an issue on https://pagure.io/packaging-committee/issue/1390.

Comment 30 Andrew Bauer 2024-09-04 14:27:27 UTC
(In reply to Fabio Valentini from comment #28)
> I still don't think you understand the statement in the policy here (and the
> people in the security channel apparently don't, either):
> 
> > New crypto libraries must comply with the crypto policies to enter Fedora
> 
> -> wolfssl does not
> 
> > unless an exception has been granted by Fedora packaging committee
> 
> -> it has not
> 
> > after consulting with Fedora security team.
> 
> -> this has happened
> 
> So at least one step in this process has been skipped.
> 
> I'll ask in the Security channel.

Yes, I see what you are saying, but in my opinion the documentation is not clear, in the ways previously noted.

Once we identify the source of authority (it looks like that's Felix), I'll be glad to work through this.

