stable

gnutls-3.8.8-3.fc41, liboqs-0.12.0-2.fc41, & 1 more

FEDORA-2025-cc4e64ede9 created by dbelyavs 4 months ago for Fedora 41

Rebasing liboqs stuff to the latest NIST-approved versions of PQ cryptography

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2025-cc4e64ede9

This update's test gating status has been changed to 'waiting'.

4 months ago

This update has been submitted for testing by bodhi.

4 months ago
cmorris commented & provided feedback 4 months ago

Thanks, but don't we need gnutls to be configured with --with-liboqs=yes/link/dlopen to actually use the new PQ crypto? The build log suggests that this is not the case.

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

4 months ago

This update's test gating status has been changed to 'passed'.

4 months ago

@cmorris good catch, I can lower the liboqs requirement to enable PQC support in F41 as well, though it would also be ok to drop the gnutls build from this update, as it turned out that gnutls didn't use liboqs in F41 or earlier @dbelyavs.

@ueno yes, please drop then

@ueno knows the state of gnutls best, and perhaps would prefer to wait for 3.8.9, if that is imminent. As far as I'm concerned, the sooner everyone has FIPS 203, 204, and 205 enabled by default, and the latest versions of the other algorithms available to test, the better; and even a slightly mis-configured 3.8.8 is an improvement over 3.8.6, if only for the better multiple ocsp record and malformed compress_certificate handling.

dbelyavs edited this update.

New build(s):

  • gnutls-3.8.8-2.fc41

Removed build(s):

  • gnutls-3.8.8-1.fc41

Karma has been reset.

4 months ago

This update has been pushed to testing.

4 months ago
ueno commented & provided feedback 4 months ago

I'm afraid this liboqs package can only be used with openssl applications for now, as it has an implicit dependency on libcrypto functions:

nm -g /usr/lib/debug/usr/lib64/liboqs.so.0.12.0-0.12.0-1.fc40.x86_64.debug | grep '^[[:space:]]*U '
                 U __assert_fail@GLIBC_2.2.5
                 U CRYPTO_free

I guess we could use the native memory allocation functions by removing defined(OQS_DLOPEN_OPENSSL) condition from the #if's in src/common/common.[ch].

bojan commented & provided feedback 4 months ago

Works.

besser82 commented & provided feedback 4 months ago

Works great! LGTM! =)

This update can be pushed to stable now if the maintainer wishes

4 months ago

dbelyavs edited this update.

New build(s):

  • liboqs-0.12.0-2.fc41

Removed build(s):

  • liboqs-0.12.0-1.fc41

Karma has been reset.

4 months ago

This update has been submitted for testing by dbelyavs.

4 months ago

This update's test gating status has been changed to 'waiting'.

4 months ago
filiperosset commented & provided feedback 4 months ago

no regressions noted

dbelyavs edited this update.

New build(s):

  • gnutls-3.8.8-3.fc41

Removed build(s):

  • gnutls-3.8.8-2.fc41

Karma has been reset.

4 months ago

I hope this is the final state of the project

This update's test gating status has been changed to 'passed'.

4 months ago

dbelyavs edited this update.

4 months ago

This update has been pushed to testing.

4 months ago
rjones commented & provided feedback 4 months ago

Works great here.

Also noted that it doesn't cause gnutls to link libssl (presumably because it uses dlopen to get liboqs), as that would have caused problems with our application.

rhughes commented & provided feedback 4 months ago

Works great here, "gnutls-cli --list | grep Pub" lists ML-KEM-768 for me.

This update can be pushed to stable now if the maintainer wishes

4 months ago

This update has been submitted for stable by dbelyavs.

4 months ago

This update has been pushed to stable.

4 months ago
johnthacker commented & provided feedback 3 months ago

Somehow the mingw static library is missing various pkcs functions, which was not the case with the previous release. (Something to do with building against p11-kit, I suppose):

        /usr/lib/gcc/x86_64-w64-mingw32/14.2.1/../../../../x86_64-w64-mingw32/bin/ld: CMakeFiles/cmTC_812e0.dir/CheckSymbolExists.c.obj:CheckSymbolExists.c:(.rdata$.refptr.gnutls_pkcs11_obj_list_import_url4[.refptr.gnutls_pkcs11_obj_list_import_url4]+0x0): undefined reference to `gnutls_pkcs11_obj_list_import_url4'
        collect2: error: ld returned 1 exit status
        ninja: build stopped: subcommand failed.
        $ strings /usr/x86_64-w64-mingw32/sys-root/mingw/lib/libgnutls.dll.a | grep pkcs11
        gnutls_pkcs11_set_pin_function
        __imp_gnutls_pkcs11_set_pin_function
        gnutls_pkcs11_get_pin_function
        __imp_gnutls_pkcs11_get_pin_function
        gnutls_pkcs11_set_pin_function
        gnutls_pkcs11_set_pin_function
        __imp_gnutls_pkcs11_set_pin_function
        gnutls_pkcs11_get_pin_function
        gnutls_pkcs11_get_pin_function
        __imp_gnutls_pkcs11_get_pin_function

I suppose that's because p11-kit doesn't have a package for F42 and higher (lack of maintainer, etc.), but there is a package that installs on F41, so removing support for p11-kit functions on F41 as well is an unexpected regression.



Metadata

Type: enhancement
Severity: medium
Karma: 1
Signed
Content Type: RPM
Test Gating

Autopush Settings

Unstable by Karma: -3
Stable by Karma: disabled
Stable by Time: disabled

Dates

submitted: 4 months ago
in testing: 4 months ago
in stable: 4 months ago
modified: 4 months ago
approved: 4 months ago