Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fedora 35 template #6969

Closed
7 tasks done
marmarek opened this issue Oct 14, 2021 · 24 comments
Closed
7 tasks done

Fedora 35 template #6969

marmarek opened this issue Oct 14, 2021 · 24 comments
Labels
C: Fedora P: blocker Priority: blocker. Prevents release or would have prevented release if known prior to release.
Milestone
Release 4.0 updates

Comments

@marmarek
Copy link
Member

marmarek commented Oct 14, 2021
edited
Loading

The problem you're addressing (if any)
Fedora 35 is going out soon.

Describe the solution you'd like
We should have a Fedora 35 template.

Where is the value to a user, and who might that user be?
Users of the Fedora template who prefer to upgrade their templates by reinstalling will have a new template to upgrade to.

Tasks:

  • build all packages
  • build the template
  • add to relevant qubes-builder/example-configs (including templates.conf)
  • document
  • upload to testing repo
  • migrate to stable repo
  • announce

If any issue affects Fedora 35 template (build failures, things that worked fine before etc), please add reference to this issue too.
@marmarek marmarek added T: enhancement P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. labels Oct 14, 2021
@DemiMarie
Copy link

We need to add support for PipeWire in the audio code someday.

@marmarek
Copy link
Member Author

Yes, we do.

@andrewdavidwong andrewdavidwong added this to the Release 4.0 updates milestone Oct 14, 2021
marmarek added a commit to marmarek/qubes-gui-daemon that referenced this issue Oct 14, 2021
@marmarek
rpm: add BR python3-setuptools
b7f8cf9 
It isn't implicit in F35

QubesOS/qubes-issues#6969
@qubesos-bot qubesos-bot mentioned this issue Oct 14, 2021
Closed
fepitre added a commit to fepitre/qubes-linux-utils that referenced this issue Oct 15, 2021
@fepitre
spec: allow matching python3.10 in %files
5be2b83 
QubesOS/qubes-issues#6969
fepitre added a commit to fepitre/qubes-python-objgraph that referenced this issue Oct 15, 2021
@fepitre
Update to 3.5.0 and handle python3.10
4899fb9 
Source hash cross confirmed with https://deb.debian.org/debian/pool/main/o/objgraph/objgraph_3.5.0-3.dsc

QubesOS/qubes-issues#6969
This was referenced Oct 15, 2021
Merged
Closed
fepitre added a commit to fepitre/qubes-python-u2flib-host that referenced this issue Oct 15, 2021
@fepitre
spec: allow matching python3.10 in %files
a32c624 
QubesOS/qubes-issues#6969
@fepitre fepitre mentioned this issue Oct 15, 2021
Merged
fepitre added a commit to fepitre/qubes-builder-rpm that referenced this issue Oct 15, 2021
@fepitre
Support for Fedora 35
43479da 
QubesOS/qubes-issues#6969
This was referenced Oct 15, 2021
Merged
Merged
marmarek added a commit to QubesOS/qubes-release-configs that referenced this issue Oct 19, 2021
@marmarek
R4.1: drop fc31, add fc35
94e62ac 
QubesOS/qubes-issues#6969
@qubesos-bot qubesos-bot mentioned this issue Oct 20, 2021
Closed
marmarek added a commit to marmarek/qubes-core-admin-client that referenced this issue Oct 20, 2021
@marmarek
Avoid inheriting from multiple builtin exceptions
8754bcb 
Python 3.10 breaks inheriting from both IOError and AttributeError at
the same time. Python developers decided this is not supposed to work:
https://bugs.python.org/issue45464

QubesOS/qubes-issues#6969
@marmarek marmarek mentioned this issue Oct 20, 2021
Merged
This was referenced Oct 20, 2021
Closed
Closed
Closed
@iamahuman iamahuman mentioned this issue Oct 28, 2021
Closed
6 tasks
@sssoleileraaa sssoleileraaa mentioned this issue Nov 8, 2021
Closed
@qubesos-bot qubesos-bot mentioned this issue Nov 9, 2021
Closed
marmarek added a commit to QubesOS/qubes-release-configs that referenced this issue Nov 13, 2021
@marmarek
Add fedora-35 template to the config
d134727 
QubesOS/qubes-issues#6969
marmarek pushed a commit to QubesOS/qubes-linux-utils that referenced this issue Jan 10, 2022
@fepitre @marmarek
spec: allow matching python3.10 in %files
65b6af3 
QubesOS/qubes-issues#6969

(cherry picked from commit 5be2b83)
@qubesos-bot qubesos-bot mentioned this issue Jan 10, 2022
Closed
@andrewdavidwong andrewdavidwong pinned this issue May 18, 2022
@DemiMarie DemiMarie added P: blocker Priority: blocker. Prevents release or would have prevented release if known prior to release. and removed P: major Priority: major. Between "default" and "critical" in severity. labels May 23, 2022
@marmarek
Copy link
Member Author

The template is in stable repo for R4.1 already. It will be soon in R4.0 too, just after current test run completes.
@andrewdavidwong can you prepare announcement?

andrewdavidwong pushed a commit to QubesOS/qubes-posts that referenced this issue May 25, 2022
Announcement: F34 approaching EOL; F35 templates available
734e15b 
QubesOS/qubes-issues#6969
@andrewdavidwong andrewdavidwong mentioned this issue May 25, 2022
Merged
@andrewdavidwong
Copy link
Member

The template is in stable repo for R4.1 already. It will be soon in R4.0 too, just after current test run completes. @andrewdavidwong can you prepare announcement?

Opened: QubesOS/qubes-posts#96

I notice that "document" is still unchecked in the list in the OP. Is there actually still something left to document, @marmarek?

andrewdavidwong pushed a commit to QubesOS/qubes-doc that referenced this issue May 25, 2022
Add Fedora 35 to supported template releases
66e0f04 
QubesOS/qubes-issues#6969
QubesOS/qubes-posts#96
@andrewdavidwong andrewdavidwong mentioned this issue May 25, 2022
Merged
@marmarek
Copy link
Member Author

Is there actually still something left to document,

I haven't found anything really. It was about upgrade documentation, but those we have version-agnostic already.

@resulin
Copy link

resulin commented May 25, 2022

Is the update out yet? I seem to be getting these errors (even after doing sudo qubes-dom0-update to refresh the packages):

[user@dom0 ~]$ sudo qubes-dom0-update qubes-template-fedora-35
Redirecting to 'qvm-template install  fedora-35'
Downloading 'qubes-template-fedora-35-0:4.0.6-202205081759'...
qubes-template-fedora-35-0:4.0.6-202205081759:   0%| | 0.00/1.75G [00:00<?, ?B/sError canonicalizing file: not an RPM package
qubes-template-fedora-35-0:4.0.6-202205081759:   0%| | 0.00/1.75G [00:01<?, ?B/s
ERROR: [Errno 2] No such file or directory: '/root/.cache/qvm-template/tmp6nuswhpi/qubes-template-fedora-35-0:4.0.6-202205081759.rpm.UNTRUSTED'

@marmarek
Copy link
Member Author

Looks like an issue with a repository mirror (the package is not yet at https://mirrors.edge.kernel.org/qubes/repo/yum/r4.1/templates-itl/rpm/, but theoretically it's past the mirror sync time already). I'll check why an alternative wasn't chosen automatically.

@Nurmagoz
Copy link

Got this on first run of Fedora-35-minimal: (downloaded from qubes testing repo)

kicksecurecallsyswhonix cleaned

@marmarek
Copy link
Member Author

Looks about right - keys are imported by dnf on first use.

@marmarek
Copy link
Member Author

Uploaded to R4.0 repos too.

@fireneat
Copy link

Currently it seems like Fedora 35 hasn't been added to https://github.com/QubesOS/qubes-builder/blob/master/example-configs/templates.conf so it isn't shown when you want to build it with qubes-builder

@andrewdavidwong
Copy link
Member

Currently it seems like Fedora 35 hasn't been added to https://github.com/QubesOS/qubes-builder/blob/master/example-configs/templates.conf so it isn't shown when you want to build it with qubes-builder

@marmarek, should this be added to the standard checklist for new officially-supported template releases?

@marmarek
Copy link
Member Author

@marmarek, should this be added to the standard checklist for new officially-supported template releases?

Good idea.

marmarek added a commit to marmarek/qubes-builder that referenced this issue May 29, 2022
@marmarek
example-configs: drop fc33, add fc35 and fc36
df5b4a0 
QubesOS/qubes-issues#6969
QubesOS/qubes-issues#7342
@ejose19
Copy link

ejose19 commented May 30, 2022
edited
Loading

Got this on first run of Fedora-35-minimal: (downloaded from qubes testing repo)

Looks about right - keys are imported by dnf on first use.

Is there any particular reason on why the key is not already imported in the pristine template? When I also saw that my first thought was that there's something off, especially when previous minimal templates didn't ask to import any new key (and one needs to verify the fingerprint shown there, which adds burden to the user)

@andrewdavidwong
Copy link
Member

(and one needs to verify the fingerprint shown there, which adds burden to the user)

Technically, the user does not have to authenticate this fingerprint, since the key is already inside the template and is being imported locally (not from the internet). Since the entire template package containing this key was already authenticated when the template was installed (or the update packages when the template was upgraded in-place), one could argue that the fingerprint has already been authenticated by other means.

@ejose19
Copy link

ejose19 commented May 30, 2022

(and one needs to verify the fingerprint shown there, which adds burden to the user)

Technically, the user does not have to authenticate this fingerprint, since the key is already inside the template and is being imported locally (not from the internet). Since the entire template package containing this key was already authenticated when the template was installed (or the update packages when the template was upgraded in-place), one could argue that the fingerprint has already been authenticated by other means.

If the key is already assumed to be trusted (based on these arguments, which I also agree), then it's another point in favor of having the key already added to dnf to save user time, unless there's a compelling reason to not do so.

@DemiMarie
Copy link

(and one needs to verify the fingerprint shown there, which adds burden to the user)

Technically, the user does not have to authenticate this fingerprint, since the key is already inside the template and is being imported locally (not from the internet). Since the entire template package containing this key was already authenticated when the template was installed (or the update packages when the template was upgraded in-place), one could argue that the fingerprint has already been authenticated by other means.

If the key is already assumed to be trusted (based on these arguments, which I also agree), then it's another point in favor of having the key already added to dnf to save user time, unless there's a compelling reason to not do so.

DNF should not be asking for the key to be imported. That it does is a bug in DNF when repo_gpgcheck=1 is enabled, as it is for Qubes repositories.

@ejose19
Copy link

ejose19 commented May 30, 2022

(and one needs to verify the fingerprint shown there, which adds burden to the user)

Technically, the user does not have to authenticate this fingerprint, since the key is already inside the template and is being imported locally (not from the internet). Since the entire template package containing this key was already authenticated when the template was installed (or the update packages when the template was upgraded in-place), one could argue that the fingerprint has already been authenticated by other means.

If the key is already assumed to be trusted (based on these arguments, which I also agree), then it's another point in favor of having the key already added to dnf to save user time, unless there's a compelling reason to not do so.

DNF should not be asking for the key to be imported. That it does is a bug in DNF when repo_gpgcheck=1 is enabled, as it is for Qubes repositories.

There seems to be a reported bug that looks like this issue (https://bugzilla.redhat.com/show_bug.cgi?id=1768206), can something be done on Qubes side in the meanwhile? It was reported 3 years ago with no hints that it will be fixed anytime soon.

@DemiMarie
Copy link

(and one needs to verify the fingerprint shown there, which adds burden to the user)

Technically, the user does not have to authenticate this fingerprint, since the key is already inside the template and is being imported locally (not from the internet). Since the entire template package containing this key was already authenticated when the template was installed (or the update packages when the template was upgraded in-place), one could argue that the fingerprint has already been authenticated by other means.

If the key is already assumed to be trusted (based on these arguments, which I also agree), then it's another point in favor of having the key already added to dnf to save user time, unless there's a compelling reason to not do so.

DNF should not be asking for the key to be imported. That it does is a bug in DNF when repo_gpgcheck=1 is enabled, as it is for Qubes repositories.

There seems to be a reported bug that looks like this issue (https://bugzilla.redhat.com/show_bug.cgi?id=1768206), can something be done on Qubes side in the meanwhile? It was reported 3 years ago with no hints that it will be fixed anytime soon.

It will be fixed in DNF 5 hopefully. Upstream is not interested in fixing it for DNF 4.

@andrewdavidwong andrewdavidwong unpinned this issue May 30, 2022
@qubesos-bot qubesos-bot mentioned this issue Oct 18, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
C: Fedora P: blocker Priority: blocker. Prevents release or would have prevented release if known prior to release.
Projects
None yet
Milestone
Release 4.0 updates
Development

No branches or pull requests
7 participants
@marmarek @DemiMarie @ejose19 @andrewdavidwong @Nurmagoz @resulin @fireneat