https://bugzilla.redhat.com/show_bug.cgi?id=2255917

Fabio Valentini <decathorpe@xxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |POST

--- Comment #11 from Fabio Valentini <decathorpe@xxxxxxxxx> ---
(In reply to Ben Beasley from comment #9)
> ===== Notes (no change required for approval) =====
>
> - The tests are disabled. Since this package is security-relevant, it would
>   be especially nice to enable the tests at some point. You said:
>
>   The interprocess crate appears to be used only for *some* integration
>   tests, so with editdistancek and ntest available, I should be able to run
>   most of the test suite.
>
>   If it’s possible to enable some tests as soon as this is imported, please
>   consider it.

I will try to enable running at least *some* tests ASAP.

> - You’ve reported doing a best-effort manual audit of the source code that
>   suggests that the SslConnector::builder() is never called, which suggests
>   that the rpmlint message
>
>   sequoia-chameleon-gnupg.x86_64: W: crypto-policy-non-compliance-openssl
>   /usr/bin/gpg-sq SSL_CTX_set_cipher_list
>
>   may not be significant to this package. I’m prepared to believe that the
>   whole-program optimization (across crates) may not be powerful enough to
>   remove the call site in the openssl crate even if it’s unreachable in the
>   binary. I believe all rpmlint can tell is that the SSL_CTX_set_cipher_list
>   symbol is linked.
>
>   This might still need fixing in the rust-openssl crate, though, for the
>   sake of other programs outside the Sequoia project.

Yes. Best I can tell, no code path from this package reaches
SSL_CTX_set_cipher_list, so it might really be just that the symbol is linked.

I've just opened a tracking issue with the package for the openssl crate to
track this for other packages.
It might be a good idea to change the "default" initialization for the cipher
list to "PROFILE=SYSTEM" instead of the list hard-coded in the openssl crate's
code base.

https://bugzilla.redhat.com/show_bug.cgi?id=2258234

========================================

Thank you for the thorough review!
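
The distinction drawn in the comment above, between a symbol that is merely linked and one that some code path actually reaches, as an added example (not part of the original message and not rpmlint's code). The call graph is constructed, and every function name other than SslConnector::builder and SSL_CTX_set_cipher_list is hypothetical.

```python
from collections import deque

TARGET = "SSL_CTX_set_cipher_list"

# Constructed call graph (caller -> callees). Only SslConnector::builder and
# SSL_CTX_set_cipher_list come from the thread; all other names are hypothetical.
CALL_GRAPH = {
    "main": ["parse_args", "verify_signature"],
    "parse_args": [],
    "verify_signature": ["EVP_DigestInit_ex"],
    "SslConnector::builder": ["SSL_CTX_new", TARGET],  # compiled in, never called
}


def linked_symbols(graph):
    """Everything present in the binary: all a symbol-table check can see."""
    names = set(graph)
    for callees in graph.values():
        names.update(callees)
    return names


def reachable_from(graph, entry):
    """Breadth-first walk over direct calls starting at `entry`."""
    seen, queue = {entry}, deque([entry])
    while queue:
        for callee in graph.get(queue.popleft(), []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def classify(graph, entry, symbol):
    """Return 'absent', 'linked-only' or 'reachable' for `symbol`."""
    if symbol not in linked_symbols(graph):
        return "absent"
    if symbol in reachable_from(graph, entry):
        return "reachable"
    # Direct edges only: calls through function pointers or trait objects
    # need extra edges in the graph before this result can be trusted.
    return "linked-only"


if __name__ == "__main__":
    print(TARGET, "->", classify(CALL_GRAPH, "main", TARGET))
```

A "linked-only" result is the case where the warning fires on the symbol while the hard-coded cipher list is never applied at run time.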