[Bug 2255917] Review Request: rust-sequoia-chameleon-gnupg - Sequoia's reimplementation of the GnuPG interface

https://bugzilla.redhat.com/show_bug.cgi?id=2255917

Fabio Valentini <decathorpe@xxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |POST



--- Comment #11 from Fabio Valentini <decathorpe@xxxxxxxxx> ---
(In reply to Ben Beasley from comment #9)

> ===== Notes (no change required for approval) =====
> 
> - The tests are disabled. Since this package is security-relevant, it would be
>   especially nice to enable the tests at some point. You said:
> 
>     The interprocess crate appears to be used only for *some* integration
>     tests, so with editdistancek and ntest available, I should be able to run
>     most of the test suite.
> 
>   If it’s possible to enable some tests as soon as this is imported, please
>   consider it.

I will try to enable running at least *some* tests ASAP.

> - You’ve reported doing a best-effort manual audit of the source code that
>   suggests that the SslConnector::builder() is never called, which suggests
>   that the rpmlint message
> 
>     sequoia-chameleon-gnupg.x86_64: W: crypto-policy-non-compliance-openssl /usr/bin/gpg-sq SSL_CTX_set_cipher_list
> 
>   may not be significant to this package. I’m prepared to believe that the
>   whole-program optimization (across crates) may not be powerful enough to
>   remove the call site in the openssl crate even if it’s unreachable in the
>   binary. I believe all rpmlint can tell is that the SSL_CTX_set_cipher_list
>   symbol is linked.
> 
>   This might still need fixing in the rust-openssl crate, though, for the sake
>   of other programs outside the Sequoia project.

Yes. Best I can tell, no code path from this package reaches
SSL_CTX_set_cipher_list, so it might really be just that the symbol is linked.

I've just opened a tracking issue with the package for the openssl crate to
track this for other packages. It might be a good idea to change the "default"
initialization for the cipher list to "PROFILE=SYSTEM" instead of the list
hard-coded in the openssl crate's code base.

https://bugzilla.redhat.com/show_bug.cgi?id=2258234

========================================

Thank you for the thorough review!
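An added illustration of the point made in the exchange above, that a symbol-level check like the rpmlint `crypto-policy-non-compliance-openssl` warning can only report that a binary imports `SSL_CTX_set_cipher_list`, not whether any code path reaches it. This is example code, not part of the bug report, rpmlint or the Sequoia project; the list of flagged OpenSSL symbols and the `nm -D` sample output are constructed for the example, and `scan_binary` assumes GNU `nm` is installed.

```python
"""Symbol-level check in the spirit of rpmlint's crypto-policy-non-compliance-openssl.

The check inspects the dynamic symbol table only. A binary that imports
SSL_CTX_set_cipher_list will be flagged even when, as the audit above
argues, the call site lives in a dependency and is never reached.
"""
import shutil
import subprocess

# OpenSSL entry points that override the system-wide crypto policy when handed a
# hard-coded cipher string. Constructed list for this example; rpmlint's own
# list may differ.
NON_COMPLIANT_SYMBOLS = {
    "SSL_CTX_set_cipher_list",
    "SSL_set_cipher_list",
    "SSL_CTX_set_ciphersuites",
    "SSL_set_ciphersuites",
}

# Constructed sample of `nm -D` output for a binary linked against libssl.
SAMPLE_NM_OUTPUT = """\
                 U SSL_CTX_new@OPENSSL_3.0.0
                 U SSL_CTX_set_cipher_list@OPENSSL_3.0.0
                 U SSL_connect@OPENSSL_3.0.0
0000000000004120 T main
                 U __libc_start_main@GLIBC_2.34
"""


def undefined_symbols(nm_output: str) -> set[str]:
    """Return the names of undefined ('U') dynamic symbols, version suffix stripped.

    `nm -D` prints either "<addr> <type> <name>" for defined symbols or
    "<type> <name>" (address column blank) for undefined ones.
    """
    names = set()
    for line in nm_output.splitlines():
        parts = line.split()
        if len(parts) == 2:
            sym_type, name = parts
        elif len(parts) == 3:
            _, sym_type, name = parts
        else:
            continue
        if sym_type == "U":
            # Drop the "@OPENSSL_3.0.0" style version tag.
            names.add(name.split("@", 1)[0])
    return names


def crypto_policy_findings(nm_output: str) -> list[str]:
    """Which policy-bypassing OpenSSL symbols does the binary import?

    This is all a linker-level check can report: presence of the import,
    not reachability of the call.
    """
    return sorted(undefined_symbols(nm_output) & NON_COMPLIANT_SYMBOLS)


def scan_binary(path: str) -> list[str]:
    """Run `nm -D` on a real binary (for example /usr/bin/gpg-sq) and report findings."""
    if shutil.which("nm") is None:
        raise RuntimeError("GNU nm not found on PATH")
    result = subprocess.run(
        ["nm", "-D", path], check=True, capture_output=True, text=True
    )
    return crypto_policy_findings(result.stdout)


if __name__ == "__main__":
    # Using the constructed sample; swap in scan_binary("/usr/bin/gpg-sq") on a
    # Fedora box to reproduce the rpmlint-style finding against the real file.
    print(crypto_policy_findings(SAMPLE_NM_OUTPUT))
```

Because the finding is purely about the imported symbol, clearing it requires either that the dependency stop referencing the function, or that the default cipher string become something the system policy controls (the "PROFILE=SYSTEM" suggestion in the comment above); a manual reachability audit like the one described does not change what the linker-level check sees.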

