Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
0001-verify-warn-about-weak-certs.patch | verify: warn about weak cert keys or signing algos Extend x509.VerifyX509Certificate() to also check certificates for weak keys or signing algorithms. Rename _VerifyCertificateInner() to _VerifyX509CertificateValidity() to better match what it does, and add a new _VerifyX509CertificateStrength() function that checks: - whether the public key's length is smaller than constants.RSA_KEY_BITS - whether the certificate is signed using a known-weak signature algorithm Apart from cluster verify, VerifyX509Certificate() is also called in a number of places as a pre-flight check with expiration warnings disabled, where every non-empty response is treated as a hard error. In order not to break these uses, we need to change VerifyX509Certificate()'s API to make strength checks optional. Also we refactor the error handling logic to return multiple error XOR warning messages that originate from different checks. | Apollon Oikonomopoulos <apoikos@debian.org> | no | | | 2018-09-03 |
0002-remove-hardcoded-libc-linux-constants.patch | Do not hardcode arch-dependent libc/linux constants commit 1abcb876d279f698b0fafe723feac22540d145f9 utils.mlock: do not use hardcoded mlockall(2) flags Switch to using the build-time detected flags from constants. Signed-off-by: Apollon Oikonomopoulos <apoikos@debian.org> commit b273f537019249ce693f8df78640ff5c6c6bdf4c kvm.netdev: do not use hardcoded ioctl values Switch to using the build-time detected values from constants. Signed-off-by: Apollon Oikonomopoulos <apoikos@debian.org> commit 681b23e163fc7d1fd1c9a88906834c67b9f0bf2e Derive arch-dependent constant values from libc/linux headers We are currently hardcoding some C constants in our Python code in two places: the mlockall(2) flags (used via ctypes), and the TUN/TAP driver ioctls. These constants are actually architecture-dependent and should be derived at build time. Use hsc2py to append these definitions to src/AutoConf.hs, and have them propagate to Ganeti.Constants (and from there lib/_constants.py). A follow-up commit will replace the current constants with the derived ones. Signed-off-by: Apollon Oikonomopoulos <apoikos@debian.org> | Apollon Oikonomopoulos <apoikos@debian.org> | no | | | 2019-01-28 |
0003-py-tests-Add-compatibility-with-PyYAML-6.0.patch | py-tests: Add compatibility with PyYAML 6.0. PyYAML requires a 'Loader' argument since version 6.0. Explicitly add FullLoader which was default in previous versions. (cherry picked from commit 61d775002a5ded15586c58bd0708a16b0fc25536) | Marius Bakke <marius@gnu.org> | no | | | 2022-04-08 |
0004-py-tests-Use-the-safe-PyYAML-loader.patch | py-tests: Use the "safe" PyYAML loader. There are few reasons to use the "unsafe" FullLoader, none of which affect the QA suite. Use the "safe" loader to set a precedence for future uses of PyYAML. (cherry picked from commit 0d7738656b0bdd3ba1e4ed50bcff0d182d850ce2) | Marius Bakke <marius@gnu.org> | no | | | 2022-04-08 |
0005-Relax-Haskell-dependencies-to-allow-LTS-19-packages.patch | Relax Haskell dependencies to allow LTS-19 packages | Apollon Oikonomopoulos <apoikos@debian.org> | no | | | 2022-11-11 |
0006-Template-Haskell-2.17-compatibility.patch | Template Haskell 2.17 compatibility Handle the following changes in a backwards compatible manner: - TyVarBndr is now annotated with a flag. - The data constructors DoE and MDoE got a new Maybe ModName argument to describe the qualifier of do blocks. (cherry picked from commit a3bef2675e94cab1f6cab411bf319148c769325e) | Apollon Oikonomopoulos <apoikos@dmesg.gr> | no | | | 2022-12-04 |
0007-Allow-building-with-GHC-9-Lens-5.patch | Allow building with GHC 9 / Lens 5 It looks like something in the GHC 9 / Lens 5 combination yields unexpected results when using view on Lens', with GHC complaining that it's passed a Lens' instead of a Getting (which should be compatible). Commenting out the signatures of Ganeti.Network.poolLens, Ganeti.Network.poolArrayLens and Ganeti.Utils.MultiMap.multiMapL makes Ganeti build again, so I'll keep this ugly hack until I figure out what's actually wrong. | Apollon Oikonomopoulos <apoikos@debian.org> | no | | | 2022-12-07 |
0008-make-allow-C.utf8-alongside-C.UTF-8.patch | make: allow C.utf8 alongside C.UTF-8 Since Debian glibc 2.34-1, the C.UTF-8 locale has been renamed to C.utf8 to match upstream naming. Update the grep command used to figure out the locale name to match against both names. | Apollon Oikonomopoulos <apoikos@debian.org> | no | | | 2022-12-07 |
0009-uidpool_unittest-avoid-using-negative-UIDs.patch | uidpool_unittest: avoid using negative UIDs The uidpool unittests long relied on the fact that pgrep would accept "-1" as a valid uid and in turn would match nothing. As of procps 4.0.3 however, pgrep will error out when passed a negative uid, thus breaking the tests. Work around this by using a valid UID, but one that is unlikely to be used in real systems: on most systems, SUB_UID_MAX which is the highest uid expected to be in regular use, is set to 600100000. Picking 2^30 + 42 looks like a reasonably safe choice. This fixes #1691. | Apollon Oikonomopoulos <apoikos@dmesg.gr> | no | | | 2023-03-06 |