Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Difference between revisions of "URT:Agenda-2018-02-05"

From EGIWiki
Jump to navigation Jump to search
Line 106: Line 106:
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-71db8f6f28
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-71db8f6f28


There are updated packages for:
The original idea to update the bouncycastle package itself got a lot of negative comments due to it introducing to much backward compatibility. See the comments on the update ticket above. Instead an alternative approach was chosen: The existing bouncycastle package will not be updated but be kept at its current version, and a parallel installable bouncycastle1.54 package will be introduced that provides the updated version. The package review for this package has been completed and the package has been built.


* bouncycastle-1.58-2.el6
The dependent packages (canl-java, voms-api-java, voms-clients-java) will be rebuilt against this package.
** The new package uses the new bouncycastle package build mechanism used in the Fedora bouncycastle package, building all bouncycastle binary packages from the same source RPM:
*** bouncycastle-1.58-2.el6.noarch.rpm
*** bouncycastle-mail-1.58-2.el6.noarch.rpm
*** bouncycastle-pg-1.58-2.el6.noarch.rpm
*** bouncycastle-pkix-1.58-2.el6.noarch.rpm
*** bouncycastle-tls-1.58-2.el6.noarch.rpm
** Previously, only bouncycastle itself was in EPEL 6. This update adds the others to the EPEL 6 repository.
** A bouncycastle-mail package (matching the old bouncycastle version i EPEL 6) was provided in the UMD repo.
* jglobus-2.1.0-4.el6 (I guess noone is using this...)
* voms-api-java-3.2.0-7.el6
 
The update also adds packages previously not in EPEL 6 due to missing bouncycastle dependencies:
 
* canl-java-2.5.0-1.el6
* voms-clients-java-3.0.7-6.el6
 
With this update there are some changes w.r.t. the packages currently in UMD:
 
* Since voms-api-java is updated to version 3, the voms-api-java3 currently in UMD becomes obsolete, so references to /usr/share/java/voms-api-java3.jar should be changed to /usr/share/java/voms-api-java.jar
* In the new bouncycastle version some classes have moved between the different bouncycastle packages.
** The new canl-java depends on bouncycastle and bouncycastle-pkix.
** The new voms-api-java depends on canl-java (and hence on bouncycastle and bouncycastle-pkix), but no longer on bouncycastle-mail.
* The class org.bouncycastle.openssl.PasswordFinder is deprecated in the new bouncycastle and canl-java 2.5.0 provides a replacement eu.emi.security.authn.x509.helpers.PasswordSupplier.
 
Providers of products depending on these components should investigate compatibility and see what changes are needed to code and configuration.
 
Packages declaring dependencies on the affected packages in the UMD repo are:
 
* glite-ce-common-java
* glite-ce-cream-api-java
* argus-pap
* argus-pdp
* argus-pep-server
 
These are the directly declared dependencies, some recursive dependencies might be affected too.
 
The packages glite-security-trustmanager and glite-security-util-java in EPEL 6 have been retired.
 
There is also an update for EPEL 7:
 
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-50d69f64bd
 
Of the issues listed above only the PasswordFinder vs. PasswordSupplier issue should be relevant here.
 
The corresponding Fedora updates do not update bouncycastle, only update canl-java (and rebuilds the existing versions of voms-api-java and voms-clients-java for the PasswordFinder vs. PasswordSupplier change in canl-java). These are already in stable:
 
* https://bodhi.fedoraproject.org/updates/FEDORA-2018-d64f3921b6 (Fedora 26)
* https://bodhi.fedoraproject.org/updates/FEDORA-2018-651aed081f (Fedora 27)


== noarch packages depend on x86-64 ==
== noarch packages depend on x86-64 ==

Revision as of 17:38, 5 February 2018

Meeting

News

  • UMD4 regular release (4.7.0) planned for April 2018; dedicated updates are always possible
  • "bouncycastle update in EPEL" --> UMD emergency fix in preparation
    • release ready with buoncycastle package 1.46.1
    • @Joao: anything more needed?
  • UMD3 deprecation
    • WMS dismission plan presented at OMB
    • in parallel, UMD team will test upgrading the umd-release package from UMD3/SL6 to UMD4/SL6 to make usre everything works properly
    • plan will be arranged and agreed with PTs in January/February
    • at some point UMD3 will be "freezed" (no more updates of any kind, either security ones)
      • OMB suggested to remove it completely so that it's not used anymore
      • probably we will establish a period of 2-4 weeks during which sites get progressively aware that the old repos won't work anymore and switch to UMD4/SL6
      • if any security issue comes out during that period, we will ask to shut down the repository


  • CMD-OS update still in preparation: found SR for cloudkeeper, no way to include yet user id isolatin patch for Mitaka/Ubuntu
  • CMD-ONE first release to be fixed adding site BDII

UMD4

In Verification

Under Staged Rollout

Ready to be Released

CMD-OS

In Verification

In Staged Rollout

Ready to be released

CMD-ONE

In verification

In Staged Rollout

Ready to be released

Updates from Technical Providers

APEL

Frontier

Indigo-DataCloud

dCache

DPM/LFC

NTR

Data management clients

NTR

FTS

NTR

ARC

NTR

except repitition of ARC and VOMS server from the URT-mail list: Sites can configure an ARC CE in ways that discontinuing the support for the direct VOMS-server queries will not affect ARC-CEs.

QCG

Globus

xrootd

caNl

Preview

released on 2018-01-23

  • Preview 1.16.0 AppDB info (sl6): APEL-SSM 2.2.0, ARC 15.03 update 18, CVMFS 2.4.4, davix 0.6.7, dCache 2.16.58 and dcap 2.47.12, DPM 1.9.2, XRootD 4.8.0
  • Preview 1.16.1 (sl6): it simply fixes a problem in the apel-ssm file released with the previous update
  • Preview 2.16.0 AppDB info (CentOS 7): APEL-SSM 2.2.0, ARC 15.03 update 18, CVMFS 2.4.4, davix 0.6.7, dCache 3.1.27 and dcap 2.47.12, DPM 1.9.2, XRootD 4.8.0

to include for the next update:

  • frontier-squid 3.5.27-3.1

AOB

products that need to download from VOMS the list of users

VOMS allows to every owner of a IGTF certificate to download the list of users. This is not compliant with the European GDPR, since VO membership is considered sensitive data., so that VOMS needs to implement a stricter ACL to the users list.

In order to understand how to proceed, first of all we need to figure out all the use cases: please let us know if any of your products needs to get the users DN for performing the authentication and authorisation mechanism (i.e. grid-mapfile generation containing the users certificate subject).

bouncycastle update in EPEL

There is an update coming to EPEL 6 involving some Java components.

https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-71db8f6f28

The original idea to update the bouncycastle package itself got a lot of negative comments due to it introducing to much backward compatibility. See the comments on the update ticket above. Instead an alternative approach was chosen: The existing bouncycastle package will not be updated but be kept at its current version, and a parallel installable bouncycastle1.54 package will be introduced that provides the updated version. The package review for this package has been completed and the package has been built.

The dependent packages (canl-java, voms-api-java, voms-clients-java) will be rebuilt against this package.

noarch packages depend on x86-64

when trying to install the following “noarch” packages on ppc64le system, some of them still required x86-64 dependency: 

fts-rest-3.5.4-1.el7.centos.noarch.rpm
fts-rest-cloud-storage-3.5.4-1.el7.centos.noarch.rpm
fts-rest-http-authz-signed-cert-3.5.4-1.el7.centos.noarch.rpm
fts-rest-oauth2-3.5.4-1.el7.centos.noarch.rpm
fts-rest-selinux-3.5.4-1.el7.centos.noarch.rpm

glexec-wrapper-scripts-0.0.7-1.el7.noarch.rpm

mkgltempdir-0.0.5-1.el7.noarch.rpm

nordugrid-arc-aris-5.3.1-1.el7.centos.noarch.rpm
nordugrid-arc-ca-utils-5.3.1-1.el7.centos.noarch.rpm
nordugrid-arc-client-tools-1.0.7-1.el7.centos.noarch.rpm
nordugrid-arc-compute-element-1.0.7-1.el7.centos.noarch.rpm
nordugrid-arc-doc-2.0.15-1.el7.centos.noarch.rpm
nordugrid-arc-gridmap-utils-5.3.1-1.el7.centos.noarch.rpm
nordugrid-arc-information-index-1.0.7-1.el7.centos.noarch.rpm
nordugrid-arc-ldap-infosys-5.3.1-1.el7.centos.noarch.rpm
nordugrid-arc-ldap-monitor-5.3.1-1.el7.centos.noarch.rpm
nordugrid-arc-nagios-plugins-doc-1.9.1-0.rc1.el7.centos.noarch.rpm
nordugrid-arc-nagios-plugins-egi-1.9.1-0.rc1.el7.centos.noarch.rpm
nordugrid-arc-ws-monitor-5.3.1-1.el7.centos.noarch.rpm

qcg-appscripts-4.0.0-18.centos7.noarch.rpm
qcg-broker-4.2.0-6.centos7.noarch.rpm
qcg-broker-client-4.2.0-4.centos7.noarch.rpm
qcg-comp-egi-is-provider-4.0.0-5.centos7.noarch.rpm
qcg-egi-is-conf-4.0.0-1.centos7.noarch.rpm
qcg-ntf-egi-is-provider-4.0.0-1.centos7.noarch.rpm
qcg-ntf-nagios-probe-4.0.0-1.noarch.rpm

other AOB

Retrieved from "https://wiki.egi.eu/w/index.php?title=URT:Agenda-2018-02-05&oldid=98494"