Re: New buildfarm animals with FIPS mode enabled

From: Mark Wong <markwkm(at)gmail(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)lists(dot)postgresql(dot)org
Cc: buildfarm(at)enterprisedb(dot)com
Subject: Re: New buildfarm animals with FIPS mode enabled
Date: 2025-02-15 16:55:32
Message-ID: bf370df1-5524-4a87-8d14-b58aabf185d6@gmail.com
Lists: pgsql-hackers

Hi Tom,

On 2/14/25 10:01 AM, Tom Lane wrote:
> I see that somebody decided to crank up some animals running
> RHEL8 and RHEL9 with FIPS mode turned on. The RHEL9 animals
> pass on v17 and master, but not older branches; the RHEL8
> animals pass nowhere. This is unsurprising given that the
> v17-era commits that allowed our regression tests to pass
> under FIPS mode (795592865 and a bunch of others) explicitly
> targeted only OpenSSL 3:
>
> These new expected files currently cover the FIPS mode provided by
> OpenSSL 3.x as well as the modified OpenSSL 3.x from Red Hat (e.g.,
> Fedora 38), but not the modified OpenSSL 1.x from Red Hat (e.g.,
> Fedora 35). (The latter will have some error message wording
> differences.)
>
> I'm kind of disinclined to do all the work that'd be needed to turn
> these animals completely green, especially when the reason to do it
> seems to be that someone decided we should without any community
> consultation. Perhaps others have different opinions though.

That's my fault. I did a sloppy job copying configs etc. from the s390x
FIPS animals and forgot about the OS versions, branches, etc. Peter
Eisentraut reminded me. I think I cleaned that all up.

Regards,
Mark
