On Thu, Aug 29, 2024 at 4:35 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote: > > On Thu, Aug 29, 2024 at 9:37 AM Stephen Smalley > <stephen.smalley.work@xxxxxxxxx> wrote: > > > > On Tue, Aug 27, 2024 at 11:09 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote: > > > > > > RHEL/CentOS Stream 10+ and Fedora ELN will have CONFIG_NET_KEY disabled > > > [1]. Make the test skip itself when it detects that PF_KEY is not > > > supported so that the testsuite can still pass out-of-the-box on these > > > platforms. > > > > > > [1] https://gitlab.com/cki-project/kernel-ark/-/commit/99d6d1c86fe1bb1df5c0b80f4717826c2330e291 > > > > > > Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx> > > > > Acked-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx> > > > > Wondering if we should drop NET_KEY from the testsuite defconfig too then. > > If we have a test for it, it seems like it might be worthwhile keeping > it as long as the upstream kernel still supports PF_KEY. I'm not sure > if Fedora plans to disable CONFIG_NET_KEY, but as of kernel > v6.11.0-0.rc5.20240827xxx CONFIG_NET_KEY is still enabled as a module. > Even if Fedora does disable it in their build I can enable it in my > testing, I already do that now for a few things. No, Fedora doesn't have any plans to disable it as far as I know. Fedora doesn't have any contractual obligation for maintenance and mostly just tracks the upstream kernel, so there is little motivation to disable functionality because of the lack of maintenance upstream. ("If it works, why risk breaking users? And if it doesn't, then upstream should be the one to remove it." seems to be the general philosophy in such cases.) I agree with keeping it in defconfig - after all, CONFIG_ANDROID=y is also there, even though it isn't strictly required (and so are other configs). -- Ondrej Mosnacek Senior Software Engineer, Linux Security - SELinux kernel Red Hat, Inc.
