[Freeipa-devel] FreeIPA 4.0.3?
Ludwig Krispenz
lkrispen at redhat.com
Thu Sep 11 14:38:17 UTC 2014
On 09/11/2014 04:31 PM, Petr Viktorin wrote:
> On 09/11/2014 04:26 PM, Martin Kosek wrote:
>> On 09/11/2014 04:22 PM, Nathaniel McCallum wrote:
>>> On Thu, 2014-09-11 at 16:21 +0200, Ludwig Krispenz wrote:
>>>> On 09/11/2014 04:17 PM, Nathaniel McCallum wrote:
>>>>> On Thu, 2014-09-11 at 16:09 +0200, Ludwig Krispenz wrote:
>>>>>> On 09/11/2014 04:04 PM, Martin Kosek wrote:
>>>>>>> On 09/11/2014 03:47 PM, Nathaniel McCallum wrote:
>>>>>>>> On Thu, 2014-09-11 at 15:46 +0200, Petr Viktorin wrote:
>>>>>>>>> On 09/11/2014 01:37 PM, Martin Kosek wrote:
>>>>>>>>>> Hi team,
>>>>>>>>>>
>>>>>>>>>> It seems we have pretty serious bug in our FreeIPA 4.0.2
>>>>>>>>>> release, breaking
>>>>>>>>>> upgrade from older releases:
>>>>>>>>>>
>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4529
>>>>>>>>>>
>>>>>>>>>> We also have packaging fix requested by Fedora Server roles
>>>>>>>>>> group:
>>>>>>>>>>
>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4430
>>>>>>>>>>
>>>>>>>>>> It seems just these 2 bugs are enough for a quick FreeIPA
>>>>>>>>>> 4.0.3 release...
>>>>>>>>>> Makes sense? Any other tickets or patches we would like to
>>>>>>>>>> get in?
>>>>>>>>> Looks like it's just those two. I'll start releasing shortly.
>>>>>>>> I'd like to get a fix in for the missing ciphers in the new
>>>>>>>> NSS. I can
>>>>>>>> have a patch on the list shortly.
>>>>>>>>
>>>>>>>> Nathaniel
>>>>>>> Isn't this related to
>>>>>>> https://fedorahosted.org/freeipa/ticket/4395
>>>>>>> ? I think we do not work with the newest DS which fixed the
>>>>>>> default ciphers.
>>>>>> yes
>>>>>>> Don't we need to set our SSL ciphers setting to
>>>>>>>
>>>>>>> https://fedorahosted.org/389/ticket/47838#comment:29
>>>>>> yes
>>>>>> tjhe attached patch tries this, but at the moment I failed to
>>>>>> build and
>>>>>> also to upgrade to F21
>>>>> NACKallowweakcipher
>>>>>
>>>>>
>>>>> LDAP error: OBJECT_CLASS_VIOLATION
>>>>> attribute "allowweakcipher" not allowed
>>>>>
>>>>> I suspect we are missing a spec file requirement on a newer
>>>>> version of 389...
>>>> yes, you need the latest build of DS, Noriko added the allowweakcipher
>>>> only yesterday.
>>>> That's the problem, I wanted to wait with the ipa side patch until
>>>> allowweakcipher was implemented and then on F21 ipa and 389 no longer
>>>> played well and now there is a rush
>>
>> Also, we will need to add the F21 389-ds-base build to FreeIPA Copr:
>> http://copr.fedoraproject.org/coprs/mkosek/freeipa/
>> so that F20 users can upgrade to the newest FreeIPA. Are there any
>> known issues
>> in the F21 389-ds-base build that would prevent upstream FreeIPA
>> 4.0.x to be
>> based on it?
>>
>> If yes, we may need to include the patch in Fedora 21 downstream only
>> after all..
>
> We're basing the Fedora 21 Alpha downstream on FreeIPA 4.0.3, so we
> couldn't include the patch even there.
> There better be no such issues.
what do you mean by "no such issues" ? I don't think that 389/F21 will
be the first bug free software. At the moment Thierry is investigating a
crash in dna-plugin and Noriko a memory leak, which could be in F21 -
More information about the Freeipa-devel
mailing list