Re: F30 Self-Contained Change proposal: krb5 crypto modernization

On Mon, 14 Jan 2019, Robbie Harwood wrote:
Tomasz Torcz <tomek@xxxxxxxxxxxxxx> writes:

On Mon, Jan 07, 2019 at 04:12:47PM -0500, Robbie Harwood wrote:
Adam Williamson <adamwill@xxxxxxxxxxxxxxxxx> writes:

> On Thu, 2019-01-03 at 22:40 -0600, Jason L Tibbitts III wrote:
>
>> But to be fair, MIT krb5 is not known for having great error output.
>> Not being able to start at all because the K/M has an enctype which is
>> acceptable and not at all deprecated according to the documentation that
>> exists today _and_ failing in the way the software tends to fail (with
>> obscure and sometimes numeric messages) would be... tough.  Not that I
>> think anyone would just do dnf system-upgrade on their master KDC.
>
> Anyone using FreeIPA and upgrading it is doing this, I guess. (Like
> me...)

We appreciate that you *do* do this because it means others will hit
fewer bugs that they need to roll back!  But while krb5 version upgrades
are safe, distro upgrades aren't something that can be tested except in
a distro context.

  Distro context?  But we are talking about Fedora here, this couldn't
be less “distro context”.
  Distro upgrade is a suggested way to keep one's installation at
supportable release (as opposed to reinstall), so distro-upgrade path
MUST be tested and working.

I don't disagree with any of that.  What I mean to say is that if you
hold all other package versions the same, krb5 upgrades are always safe
- but we can't, as krb5, make guarantees about what any other packages
do, especially our dependencies.  The testing needs to happen when the
distro is assembled - i.e., in the context of the distro, not
beforehand.

With FreeIPA we attempt to do that in Fedora and it helped to find quite
a few issues with FreeIPA components already. If there are specific
additional tests that can be exercised in deploying IPA server and a
client and then upgrading both of them in a sequence, using IPA Web UI
and other tools, feel free to suggest those scenarios.

For existing tests see
https://pagure.io/fedora-qa/os-autoinst-distri-fedora/blob/master/f/tests,
tests with freeipa and domain_controller in the names

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland