[Bug 1694206] Re: openssl-ibmca and libica2 should be in default installation
Dimitri John Ledkov
launchpad at surgut.co.uk
Mon Jun 26 10:43:23 UTC 2017
Usually, packages on Ubuntu systems are configured and ready for use
(e.g. installing apache2 starts the httpd daemon and it serves stock pages
on port 80).

Installing openssl-ibmca will not enable it by default as further
configuration is required. What is the goal here? To have packages more
available? Or for example to ease the configuration?

I have severe reservations about installing these packages by default.
Many of the upstream releases would fail to build from source on Ubuntu,
and/or broke API and ABI on Ubuntu. These bug reports would initially be
dismissed as irrelevant. And only subsequently fixed in brown-paper-bag
fixup releases. Lack of upstream CI testing on Ubuntu, and API/ABI
stability is a concern.

There are bugs observed in core packages, when openssl-ibmca is enabled.
For example, the sandboxing failure on openssh (now fixed). Does
upstream track syscalls and/or e.g. run test-suites under seccomp
filter/jail?

When locally configuring to use openssl-ibmca, I see failures of
wget/curl to e.g. download https://launchpad.net.

Which systems can be accelerated with these packages? And are all the
flags enabled by default in HMC? As far as I recall there are tickboxes
that need to be enabled in the underlying LPAR before this is usable?
(And thus installing these on lxd container, on kvm, on z/vm - nested,
may not make sense if the underlying LPAR is not activated to use
accelerated LPAR.) Are you enabling crypto by default in HMC? Ideally, we
should not install inert packages which are not used by default and/or
are not suitable to be used in a specific configuration.

Creating a task or a metapackage to group this collection of packages
may make sense; that way "s390x-ibmca-task-name-to-be-made-up" could be
offered via taskselect / apt install. Maybe a simple recommends would be
enough. However, to be honest it is currently simply a single package
installation away of openssl-ibmca package alone.

I'm not comfortable in promoting / advocating installation of these
packages, until there are improvements in upstream QA and
commitments/improvements in integration of these packages on Ubuntu.

--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to debian-installer in Ubuntu.
https://bugs.launchpad.net/bugs/1694206
Title:
openssl-ibmca and libica2 should be in default installation
Status in Ubuntu on IBM z Systems:
New
Status in debian-installer package in Ubuntu:
Incomplete
Bug description:
Default installation of Ubuntu on s390x should contain
* openssl-ibmca
* libica2
* zcrypt driver
per default - or at least propose installation per default
---uname output---
name at machine:~$ uname -a
Linux zla16199 4.4.0-51-generic #72-Ubuntu SMP Thu Nov 24 18:29:36 UTC 2016 s390x s390x s390x GNU/Linux
Machine Type = IBM z13: 2964-748
---Debugger---
A debugger is not configured
---Steps to Reproduce---
Default Ubuntu server should contain
openssl-ibmca and libica2 (zcrypt) per default, or should propose it during install time.
This simplifies hardware crypto setup for customer
Userspace tool common name: openssl-ibmca, libica2 (zcrypt)
The userspace tool has the following bit modes: 64
Userspace rpm: openssl-ibmca, libica2 (zcrypt)
Userspace tool obtained from project website: na
*Additional Instructions for Manfred Gnirss gnirss at de.ibm.com:
-Post a private note with access information to the machine that the bug is occurring on.
-Attach ltrace and strace of userspace application.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1694206/+subscriptions