* Adam Williamson > At the meeting, we made the call that IPv6-only networks are becoming > a configuration sufficiently important that a serious breach of the > criteria in the context of an IPv6-only network is significant enough > to be considered a release blocker, and we accepted the bug as a > blocker. Thank you! This is very welcome news. It is about time Fedora joins rank with the likes of Apple Mac OS X and Microsoft Windows in supporting IPv6-only networks out of the box, especially given Fedora's «First» core value. Getting the IPv6 migration moving is getting increasingly urgent, with one part of the world (East Asia-Pacific) already out of available IPv4 addresses and another (EMEA) set to deplete in a few months, the dual-stack transition plan originally envisioned by the IETF is simply not going to work, there are simply not enough IPv4 addresses to last us through the entire transition period. IPv6-only networks are therefore inevitable, and it is important that from the end users' point of view, they work just as smoothly and in a "plug&play" fashion as any other dual-stacked or IPv4-only network. > Obviously this is a pretty significant call that would set a > precedent for future releases and proposed blockers, so we wanted to > flag it up for wider discussion in case anyone thinks it was the > wrong way to go. For a long time, there have been bugs open and patches made available, yet the issue has remained unresolved for several releases straight. For that reason, I believe a more forceful incentive is essential if we are get the patches applied and the bugs closed before yet another release goes out the door without proper IPv6 support. I therefore strongly support the use of the release blocker mechanism. > 18:41:26 <buggbot> Bug 591630: high, urgent, ---, twoerner, > ASSIGNED, DHCPv6 responses are not allowed by default ip6tables > ruleset Regarding this bug in particular, I'll just note that it there is already a precedent. In a default Fedora installation, traffic to the DHCPv4 client (which is the same binary as the DHCPv6 client) is allowed from the entire internet. From a security standpoint, blocking only one of the two does not make much sense. At least not to me, and there has been no attempt at an explanation for any other viewpoint that I'm aware of. There are also a few other problems that prevent IPv6-only from working out of the box. I have also nominated those as release blockers: https://bugzilla.redhat.com/show_bug.cgi?id=538499#c65 https://bugzilla.redhat.com/show_bug.cgi?id=798697#c3 Also, I also understand that the "ip6tables" service might be replaced with "firewalld" in F17 (cf. https://fedorahosted.org/fesco/ticket/805). If so, that would probably make #591630 irrelevant, however firewalld has IPv6 problems all on its own (even more so than just breaking DHCPv6, *all* IPv6 connectivity is broken by default), see: https://bugzilla.redhat.com/show_bug.cgi?id=801182 I did not nominate this one as a blocker yet though, as I don't know if firewalld will indeed be made the default solution for F17. However, if it does, #801182 needs to be a release blocker as well. Best regards, -- Tore Anderson -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
