On Wed, 2020-11-18 at 14:32 -0500, Steve Grubb wrote: > On Thursday, November 12, 2020 2:45:41 PM EST Steve Grubb wrote: > > A new version of libcap-ng is going to be released next week. Normally this > > isn't newsworthy, nor is this a soname version bump. But it is important > > to let the broader community know something about it. The behaviour of > > capng_apply is changing slightly. > > > > In the past, capng_apply would silently eat errors when the bounding set > > could not be changed. In order to change the bounding set, you have to have > > > > CAP_SETPCAP. A developer reported an issue in github where their project > > needed to know that capng_apply was completely successful changing the > > bounding set. Meaning that they need an error returned. I didn't think too > > much of it and made the change. > > > > Then one day I noticed that I could not update a package against Fedora's > > git or push a change. Looking into this, I found gnome-keyring was not > > working. [1] I dug into the source code and found that it was trying to > > change the bounding set when it had partial capabilities. The fix is to > > simply verify that you have CAP_SETPCAP before attempting this. > > > > I don't know of any other software that is affected. But I wanted to give > > everyone a heads up before I push it out. I always dogfood libraries I > > work on, so maybe this is the only issue. > > > > Eventually libcap-ng needs to get pushed over to F33 because there is a > > problem with ambient capailities that the new release fixes. And speaking > > of ambient capabilities, the new version of libcap-ng contains a new > > library libdrop_ambient.so. You can use it with LD_PRELOAD to force an app > > to drop ambient capabilities leaving the other capabilities intact. All > > the work is done in the constructor, so no function calls are needed. > > Hello, > > The new libcap-ng has been built into rawhide. ...and it does break gnome-keyring, and it also breaks cifs-utils (so you can't mount CIFS/SMB shares), as per this upstream bug report: https://github.com/stevegrubb/libcap-ng/issues/21 whose reporter also noted what looks like a valid problem in your gnome-keyring fix. Was it really necessary to build this when you *knew* a major package did not work with it? Did you talk to the Workstation folks about getting the patch applied to gnome-keyring? -- Adam Williamson Fedora QA Community Monkey IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net http://www.happyassassin.net _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx