[Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

Martin Pitt martin.pitt at ubuntu.com
Wed Apr 13 06:48:13 UTC 2016


> Dividing up the patch proved to be a challenge but was the right thing to do.

Many thanks for doing this!

Can you please fix the
"Origin: http://dl.fedoraproject.org/pub/fedora/linux/development"
fields still? They should point to a particular patch in a place like
http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/tree/, but that does
not have "openssl-1.0.2g-fips-ctor.patch", only
"openssl-1.0.2a-fips-ctor.patch". Although the patch there is almost
identical, except for some patch header noise. So I suppose pointing to
those is fine (bonus points if you just add the DEP-3 patch header but
otherwise leave the patch intact, but that's not a biggie).

But e.g. your openssl-1.0.2g-fips-ec.patch has quite a lot of changes
compared to
http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/plain/openssl-1.0.2a-fips-ec.patch
(Note, Ubuntu modifications should go into
openssl-1.0.2g-ubuntu-fips-cleanup.patch). Same for
http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/plain/openssl-1.0.2f-new-fips-reqs.patch.

Current Fedora rawhide's package is openssl 1.0.2g as well, just like
ours, so these patches ought to be identical?

Maybe you took them from a different branch, but the Fedora 24 version
http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/plain/openssl-1.0.2f-new-fips-reqs.patch?h=f24
is also different than yours.

> Weird, but the fedora patches were not independent of each other.

That's quite normal, and it would actually be a surprise if patches that
are this big were independent.

I'll upload this now so that we can see the autopkgtests against this
version, and we have at least a few days of testing this in the wild
before the final release. But please still clean up the patches as above
(Origin: and patches differing from Fedora) with a follow-up upload.

Thanks for bearing with me!

** Changed in: openssl (Ubuntu)
       Status: Incomplete => In Progress

** Changed in: openssl (Ubuntu)
     Assignee: (unassigned) => Joy Latten (j-latten)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1553309

Title:
  [FFe]: Include FIPS 140-2 into openssl package

Status in openssl package in Ubuntu:
  In Progress

Bug description:
  This is a request for a Feature Freeze Exception to include FIPS 140-2 selftest into the openssl package in preparation for the FIPS 140-2 compliance for 16.0.4.
  This patchset will:
   - add ability to config, compile, run with fips option enabled
   - add the selftest files to crypto/fips directory.
   - minor changes to several algorithms in crypto directory to ensure the selftest compiles successfully when fips is enabled.

  The selftest will be initiated externally at this point and not internally.
  Hope to have a test package ready early next week.
