{"update": {"autokarma": false, "autotime": false, "stable_karma": 3, "stable_days": 0, "unstable_karma": -3, "require_bugs": true, "require_testcases": true, "display_name": "", "notes": "Rebased:\n\n* **pki-core**   to *10.6.8* \n* **dogtag-pki** to *10.6.8*\n* **jss** to *4.5.1*\n* **freeipa** to *4.7.2*\n\nResubmitting the following since it didn't make it to the stable:\n\n* nuxwdog 1.0.5-3\n* tomcatjss 7.3.6-2\n\n\n\n----\n\nThis update resolves an issue which caused uninstall of a FreeIPA server to fail with authselect 1.0.2, which recently appeared as an update. See [the pull request](https://github.com/freeipa/freeipa/pull/2610) for more details.\n", "type": "enhancement", "status": "stable", "request": null, "severity": "unspecified", "suggest": "unspecified", "locked": false, "pushed": true, "critpath": false, "critpath_groups": null, "close_bugs": true, "date_submitted": "2018-12-01 02:03:32", "date_modified": "2018-12-04 20:48:30", "date_approved": null, "date_testing": "2018-12-05 03:06:18", "date_stable": "2018-12-13 02:46:41", "alias": "FEDORA-2018-115068f60e", "test_gating_status": "ignored", "from_tag": null, "date_pushed": "2018-12-13 02:46:41", "meets_testing_requirements": true, "url": "https://bodhi.stg.fedoraproject.org/updates/FEDORA-2018-115068f60e", "title": "dogtag-pki-10.6.8-3.fc28 freeipa-4.7.2-1.fc28 jss-4.5.1-1.fc28 nuxwdog-1.0.5-3.fc28 pki-core-10.6.8-3.fc28", "version_hash": "94ee8982147d71108451cf63bd390b62a5eac882", "release": {"name": "F28", "long_name": "Fedora 28", "version": "28", "id_prefix": "FEDORA", "branch": "f28", "dist_tag": "f28", "stable_tag": "f28-updates", "testing_tag": "f28-updates-testing", "candidate_tag": "f28-updates-candidate", "pending_signing_tag": "f28-signing-pending", "pending_testing_tag": "f28-updates-testing-pending", "pending_stable_tag": "f28-updates-pending", "override_tag": "f28-override", "mail_template": "fedora_errata_template", "state": "archived", "composed_by_bodhi": true, "create_automatic_updates": null, "package_manager": "dnf", "testing_repository": "updates-testing", "released_on": null, "eol": null, "critpath_mandatory_days_in_testing": 14, "mandatory_days_in_testing": 7, "critpath_min_karma": 2, "min_karma": 1, "setting_status": null}, "user": {"name": "dmoluguw", "email": "dmoluguw@redhat.com", "id": 4462, "avatar": "https://seccdn.libravatar.org/avatar/490fdf6e880adac900f19f052ff41efaf886a0f08556956b6c955b5560c85427?s=24&d=retro", "openid": "dmoluguw.id.stg.fedoraproject.org", "groups": [{"name": "packager"}]}, "comments": [{"karma": 0, "karma_critpath": 0, "text": "This update has been submitted for testing by dmoluguw. ", "timestamp": "2018-12-01 02:03:32", "update_id": 127730, "user_id": 91, "id": 869160, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been pushed to testing.", "timestamp": "2018-12-02 07:54:39", "update_id": 127730, "user_id": 91, "id": 869531, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}, {"karma": -1, "karma_critpath": 0, "text": "This update broke installation of freeIPA server. You can see it even in openQA tests\nhttps://openqa.fedoraproject.org/tests/314591#step/role_deploy_domain_controller/18", "timestamp": "2018-12-03 16:53:22", "update_id": 127730, "user_id": 809, "id": 869907, "bug_feedback": [{"karma": 0, "comment_id": 869907, "bug_id": 1534765, "bug": {"bug_id": 1534765, "title": "javadoc for org.mozilla.jss.pkix.cms.SignedData.getSignerInfos() is incorrect", "security": false, "parent": false}}, {"karma": 0, "comment_id": 869907, "bug_id": 1582323, "bug": {"bug_id": 1582323, "title": "DER encoding error for enumerated types with a value of zero", "security": false, "parent": false}}], "testcase_feedback": [], "user": {"name": "lslebodn", "email": "lslebodn@redhat.com", "id": 809, "avatar": "https://seccdn.libravatar.org/avatar/8c6fcfe0eec099f1f01f5c237935bb5c97f2063a5c1068e57c5815e0bfecbf70?s=24&d=retro", "openid": "lslebodn.id.stg.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "gitsssd"}]}}, {"karma": 0, "karma_critpath": 0, "text": "Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.", "timestamp": "2018-12-03 16:53:22", "update_id": 127730, "user_id": 91, "id": 869908, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This is a weird error, mostly because the IPA version is less than our minimum. I think we need to wait for FreeIPA to update and then we can retest.", "timestamp": "2018-12-03 20:32:27", "update_id": 127730, "user_id": 4423, "id": 869946, "bug_feedback": [{"karma": 0, "comment_id": 869946, "bug_id": 1534765, "bug": {"bug_id": 1534765, "title": "javadoc for org.mozilla.jss.pkix.cms.SignedData.getSignerInfos() is incorrect", "security": false, "parent": false}}, {"karma": 0, "comment_id": 869946, "bug_id": 1582323, "bug": {"bug_id": 1582323, "title": "DER encoding error for enumerated types with a value of zero", "security": false, "parent": false}}], "testcase_feedback": [], "user": {"name": "cipherboy", "email": "alexander.m.scheel@gmail.com", "id": 4423, "avatar": "https://seccdn.libravatar.org/avatar/06f57ad94d6d7bd0ffb1eec9135aadd13c27fbbc2e9b3fae7546dd2007bec29a?s=24&d=retro", "openid": "cipherboy.id.stg.fedoraproject.org", "groups": [{"name": "packager"}]}}, {"karma": 0, "karma_critpath": 0, "text": "It's not really a 'weird error', you are doing a bad thing: creating an update that is incompatible with the distribution as it stands. If this PKI needs a newer FreeIPA than F28 currently contains, then either that FreeIPA should also be in this update, or a FreeIPA update should be created *first*, pushed stable, and *then* PKI can be updated. If the two newer versions are *interdependent* (neither works with the old version of the other), they *must* be updated together in a single update.", "timestamp": "2018-12-03 21:41:56", "update_id": 127730, "user_id": 302, "id": 869955, "bug_feedback": [{"karma": 0, "comment_id": 869955, "bug_id": 1534765, "bug": {"bug_id": 1534765, "title": "javadoc for org.mozilla.jss.pkix.cms.SignedData.getSignerInfos() is incorrect", "security": false, "parent": false}}, {"karma": 0, "comment_id": 869955, "bug_id": 1582323, "bug": {"bug_id": 1582323, "title": "DER encoding error for enumerated types with a value of zero", "security": false, "parent": false}}], "testcase_feedback": [], "user": {"name": "adamwill", "email": "awilliam@redhat.com", "id": 302, "avatar": "https://seccdn.libravatar.org/avatar/51720fbb2ec5dfd2bc005ac374a3bfd3190cb8f45f3bb8d6bdf35fb6a051d03b?s=24&d=retro", "openid": "adamwill.id.stg.fedoraproject.org", "groups": [{"name": "proventesters"}, {"name": "provenpackager"}, {"name": "packager"}, {"name": "qa-tools-sig"}, {"name": "fedora-contributor"}, {"name": "news"}, {"name": "gittriage"}, {"name": "sysadmin"}, {"name": "gitspin-kickstarts"}, {"name": "signed_fpca"}, {"name": "gitgeneric-release"}, {"name": "yak_farmers"}, {"name": "triagers"}, {"name": "qa"}, {"name": "sysadmin-qa"}, {"name": "fedorabugs"}, {"name": "ipausers"}, {"name": "gitmkinitrd"}, {"name": "qa-admin"}, {"name": "aws-qa"}, {"name": "change-wranglers"}, {"name": "fedora-ci-admins"}, {"name": "common-issues-triage"}, {"name": "sysadmin-main"}, {"name": "program-management"}, {"name": "gitfedora-project-schedule"}]}}, {"karma": 0, "karma_critpath": 0, "text": "BTW, some more info on precisely how the test failed: in this update, the `pki-server` package had a `Conflicts: freeipa-server < 4.7.1` line added. However, none of the other `pki-core` subpackages had this done, and there are no dependencies between the various subpackages of `pki-core` which force them to always be of equal versions. So when the test asked DNF to install the group `@freeipa-server`, what DNF wound up doing to satisfy the PKI deps was installing version `10.6.8-1.fc28` of pki-base, pki-base-java, python3-pki, pki-symkey and pki-tools, but version `10.6.6-1.fc28` (the old version from the stable repos) of pki-server. There's nothing that makes this 'invalid' so far as dependencies are concerned; it's a correct solution to the request. Obviously, things don't work well with old FreeIPA, old pki-server, but new everything-else-pki. :)", "timestamp": "2018-12-03 21:55:15", "update_id": 127730, "user_id": 302, "id": 869958, "bug_feedback": [{"karma": 0, "comment_id": 869958, "bug_id": 1534765, "bug": {"bug_id": 1534765, "title": "javadoc for org.mozilla.jss.pkix.cms.SignedData.getSignerInfos() is incorrect", "security": false, "parent": false}}, {"karma": 0, "comment_id": 869958, "bug_id": 1582323, "bug": {"bug_id": 1582323, "title": "DER encoding error for enumerated types with a value of zero", "security": false, "parent": false}}], "testcase_feedback": [], "user": {"name": "adamwill", "email": "awilliam@redhat.com", "id": 302, "avatar": "https://seccdn.libravatar.org/avatar/51720fbb2ec5dfd2bc005ac374a3bfd3190cb8f45f3bb8d6bdf35fb6a051d03b?s=24&d=retro", "openid": "adamwill.id.stg.fedoraproject.org", "groups": [{"name": "proventesters"}, {"name": "provenpackager"}, {"name": "packager"}, {"name": "qa-tools-sig"}, {"name": "fedora-contributor"}, {"name": "news"}, {"name": "gittriage"}, {"name": "sysadmin"}, {"name": "gitspin-kickstarts"}, {"name": "signed_fpca"}, {"name": "gitgeneric-release"}, {"name": "yak_farmers"}, {"name": "triagers"}, {"name": "qa"}, {"name": "sysadmin-qa"}, {"name": "fedorabugs"}, {"name": "ipausers"}, {"name": "gitmkinitrd"}, {"name": "qa-admin"}, {"name": "aws-qa"}, {"name": "change-wranglers"}, {"name": "fedora-ci-admins"}, {"name": "common-issues-triage"}, {"name": "sysadmin-main"}, {"name": "program-management"}, {"name": "gitfedora-project-schedule"}]}}, {"karma": 0, "karma_critpath": 0, "text": "Sure, but I think calling this a \"weird error\" is acceptable as you just pointed out: we're doing a bad thing, and the error we see isn't that we're doing a bad thing, its that something else, later, way down the line, is broken.\n\nIn OpenQA, after the bodhi update installation stage, I'd expect to verify at least that the packages in this bodhi update were installed at the versions in the update. e.g., `rpm -qa` shows them as being installed at the versions here. \n\nPut another way, if I take `$CURRENT_VERSION` of `$PKG` and package `$CURRENT_VERSION+1` as `$CURRENT_VERSION` with a new line `Conflicts: $something_else < k` in the spec file, and `$something_else >= k` hasn't been released and so we get `$CURRENT_VERSION` installed in Bodhi (instead of `$CURRENT_VERSION+1`), I'd expect Bodhi to fail with a package version error. I would not expect it to pass (assuming that `$PKG @ $CURRENT_VERSION` passes Bodhi previously and will pass again).", "timestamp": "2018-12-04 13:57:14", "update_id": 127730, "user_id": 4423, "id": 870397, "bug_feedback": [{"karma": 0, "comment_id": 870397, "bug_id": 1534765, "bug": {"bug_id": 1534765, "title": "javadoc for org.mozilla.jss.pkix.cms.SignedData.getSignerInfos() is incorrect", "security": false, "parent": false}}, {"karma": 0, "comment_id": 870397, "bug_id": 1582323, "bug": {"bug_id": 1582323, "title": "DER encoding error for enumerated types with a value of zero", "security": false, "parent": false}}], "testcase_feedback": [], "user": {"name": "cipherboy", "email": "alexander.m.scheel@gmail.com", "id": 4423, "avatar": "https://seccdn.libravatar.org/avatar/06f57ad94d6d7bd0ffb1eec9135aadd13c27fbbc2e9b3fae7546dd2007bec29a?s=24&d=retro", "openid": "cipherboy.id.stg.fedoraproject.org", "groups": [{"name": "packager"}]}}, {"karma": 0, "karma_critpath": 0, "text": "(In the last paragraph, `s/Bodhi/OpenQA/g`, sorry).", "timestamp": "2018-12-04 14:03:43", "update_id": 127730, "user_id": 4423, "id": 870401, "bug_feedback": [{"karma": 0, "comment_id": 870401, "bug_id": 1534765, "bug": {"bug_id": 1534765, "title": "javadoc for org.mozilla.jss.pkix.cms.SignedData.getSignerInfos() is incorrect", "security": false, "parent": false}}, {"karma": 0, "comment_id": 870401, "bug_id": 1582323, "bug": {"bug_id": 1582323, "title": "DER encoding error for enumerated types with a value of zero", "security": false, "parent": false}}], "testcase_feedback": [], "user": {"name": "cipherboy", "email": "alexander.m.scheel@gmail.com", "id": 4423, "avatar": "https://seccdn.libravatar.org/avatar/06f57ad94d6d7bd0ffb1eec9135aadd13c27fbbc2e9b3fae7546dd2007bec29a?s=24&d=retro", "openid": "cipherboy.id.stg.fedoraproject.org", "groups": [{"name": "packager"}]}}, {"karma": 0, "karma_critpath": 0, "text": "> Sure, but I think calling this a \"weird error\" is acceptable as you just pointed out: we're doing a bad thing, and the error we see isn't that we're doing a bad thing, its that something else, later, way down the line, is broken.\n\nAre you sure that you are *not* doing a bad thing?  OpenQA do the same as normal user would do. Just call `dnf update` and the result is combination of packages which cause failures to install freeIPA.\n\nAnd it is obviously caused by this bodhi update because it pass without updates-testing.\nSure; error reporting could be better. But assumption about `$CURRENT_VERSION+1` is difficult. You can obsolete some packages; replace ... So it is would be a challenge to guess which set of  packages should be installed.\n\nI would appreciate if you could either un-push this update from updates-testing or add freeipa-4.7.2 to this update. I am not sure whether you have permissions for that.", "timestamp": "2018-12-04 16:04:39", "update_id": 127730, "user_id": 809, "id": 870450, "bug_feedback": [{"karma": 0, "comment_id": 870450, "bug_id": 1534765, "bug": {"bug_id": 1534765, "title": "javadoc for org.mozilla.jss.pkix.cms.SignedData.getSignerInfos() is incorrect", "security": false, "parent": false}}, {"karma": 0, "comment_id": 870450, "bug_id": 1582323, "bug": {"bug_id": 1582323, "title": "DER encoding error for enumerated types with a value of zero", "security": false, "parent": false}}], "testcase_feedback": [], "user": {"name": "lslebodn", "email": "lslebodn@redhat.com", "id": 809, "avatar": "https://seccdn.libravatar.org/avatar/8c6fcfe0eec099f1f01f5c237935bb5c97f2063a5c1068e57c5815e0bfecbf70?s=24&d=retro", "openid": "lslebodn.id.stg.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "gitsssd"}]}}, {"karma": 0, "karma_critpath": 0, "text": "sgallagh edited this update.\n\nNew build(s):\n\n- freeipa-4.7.2-1.fc28\n- pki-core-10.6.8-3.fc28\n\nRemoved build(s):\n\n- pki-core-10.6.8-1.fc28\n\nKarma has been reset.", "timestamp": "2018-12-04 20:42:33", "update_id": 127730, "user_id": 91, "id": 870494, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been submitted for testing by sgallagh. ", "timestamp": "2018-12-04 20:42:36", "update_id": 127730, "user_id": 91, "id": 870495, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has obsoleted [freeipa-4.7.0-5.fc28](https://bodhi.fedoraproject.org/updates/FEDORA-2018-892835660b), and has inherited its bugs and notes.", "timestamp": "2018-12-04 20:42:40", "update_id": 127730, "user_id": 91, "id": 870497, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "I've added updated pki-core and freeipa packages together on this Bodhi update so the conflict issues should now be resolved.", "timestamp": "2018-12-04 20:44:54", "update_id": 127730, "user_id": 535, "id": 870499, "bug_feedback": [{"karma": 0, "comment_id": 870499, "bug_id": 1534765, "bug": {"bug_id": 1534765, "title": "javadoc for org.mozilla.jss.pkix.cms.SignedData.getSignerInfos() is incorrect", "security": false, "parent": false}}, {"karma": 0, "comment_id": 870499, "bug_id": 1582323, "bug": {"bug_id": 1582323, "title": "DER encoding error for enumerated types with a value of zero", "security": false, "parent": false}}, {"karma": 0, "comment_id": 870499, "bug_id": 1645708, "bug": {"bug_id": 1645708, "title": "authselect enable-features should error on unknown features", "security": false, "parent": false}}], "testcase_feedback": [], "user": {"name": "sgallagh", "email": "sgallagh@redhat.com", "id": 535, "avatar": "https://seccdn.libravatar.org/avatar/bf298fff6edef11d0f53e6bd1fb1e649c131b75ad7200ab134883e8603591405?s=24&d=retro", "openid": "sgallagh.id.stg.fedoraproject.org", "groups": [{"name": "provenpackager"}, {"name": "packager"}, {"name": "nodejs-sig"}, {"name": "eln-sig"}, {"name": "gitding-libs"}, {"name": "gitroller-derby"}, {"name": "communishift"}, {"name": "sysadmin-noc"}, {"name": "gitnodejs-packaging"}, {"name": "fedorabugs"}, {"name": "signed_fpca"}, {"name": "gitspin-kickstarts"}, {"name": "fesco"}, {"name": "epel-cabal"}, {"name": "gitsssd"}, {"name": "sysadmin"}, {"name": "modularity-wg"}, {"name": "cockpit-jenkins"}, {"name": "gitcura"}, {"name": "gitrolekit"}, {"name": "ipausers"}, {"name": "gitelapi"}, {"name": "cockpitteam"}, {"name": "server-wg"}, {"name": "fedora-contributor"}, {"name": "summer-coding"}, {"name": "bind-dyndb-ldap"}, {"name": "sysadmin-odcs"}, {"name": "gitlab-fedora-admin"}, {"name": "sysadmin-eln"}]}}, {"karma": 0, "karma_critpath": 0, "text": "sgallagh edited this update.\n\nNew build(s):\n\n- dogtag-pki-10.6.8-3.fc28\n\nRemoved build(s):\n\n- dogtag-pki-10.6.8-1.fc28\n\nKarma has been reset.", "timestamp": "2018-12-04 20:48:27", "update_id": 127730, "user_id": 91, "id": 870501, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "It's arguable both ways. As @lslebodn points out, openQA's basic goal is to test how things work *as a user would encounter them*. He's correct that, had this update been pushed stable, a user would've seen exactly what openQA did: they'd run an update, it would apparently work just fine, then suddenly FreeIPA would break.\n\nHowever, we *can* improve things so that openQA provides more information to detect this kind of problem, certainly. The reason it doesn't at present is simply that I hadn't considered that this scenario might be possible; dependency issues in updates usually tend to manifest as *errors* in package install or update, not this kind of 'the operation succeeds but doesn't install what we expect it to' case. This is the first case like this I've come across in an openQA test.", "timestamp": "2018-12-04 20:50:31", "update_id": 127730, "user_id": 302, "id": 870503, "bug_feedback": [{"karma": 0, "comment_id": 870503, "bug_id": 1534765, "bug": {"bug_id": 1534765, "title": "javadoc for org.mozilla.jss.pkix.cms.SignedData.getSignerInfos() is incorrect", "security": false, "parent": false}}, {"karma": 0, "comment_id": 870503, "bug_id": 1582323, "bug": {"bug_id": 1582323, "title": "DER encoding error for enumerated types with a value of zero", "security": false, "parent": false}}, {"karma": 0, "comment_id": 870503, "bug_id": 1645708, "bug": {"bug_id": 1645708, "title": "authselect enable-features should error on unknown features", "security": false, "parent": false}}], "testcase_feedback": [], "user": {"name": "adamwill", "email": "awilliam@redhat.com", "id": 302, "avatar": "https://seccdn.libravatar.org/avatar/51720fbb2ec5dfd2bc005ac374a3bfd3190cb8f45f3bb8d6bdf35fb6a051d03b?s=24&d=retro", "openid": "adamwill.id.stg.fedoraproject.org", "groups": [{"name": "proventesters"}, {"name": "provenpackager"}, {"name": "packager"}, {"name": "qa-tools-sig"}, {"name": "fedora-contributor"}, {"name": "news"}, {"name": "gittriage"}, {"name": "sysadmin"}, {"name": "gitspin-kickstarts"}, {"name": "signed_fpca"}, {"name": "gitgeneric-release"}, {"name": "yak_farmers"}, {"name": "triagers"}, {"name": "qa"}, {"name": "sysadmin-qa"}, {"name": "fedorabugs"}, {"name": "ipausers"}, {"name": "gitmkinitrd"}, {"name": "qa-admin"}, {"name": "aws-qa"}, {"name": "change-wranglers"}, {"name": "fedora-ci-admins"}, {"name": "common-issues-triage"}, {"name": "sysadmin-main"}, {"name": "program-management"}, {"name": "gitfedora-project-schedule"}]}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been pushed to testing.", "timestamp": "2018-12-05 03:06:58", "update_id": 127730, "user_id": 91, "id": 870637, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}, {"karma": 1, "karma_critpath": 0, "text": "FreeIPA 4.7 PR-CI is passing with pki-core-10.6.8-3, https://github.com/freeipa/freeipa/pull/2646. PR-CI uses F29 while Travis CI tests on F28. I was also able to install an FreeIPA cluster with two servers on Fedora 28 successfully.", "timestamp": "2018-12-05 13:16:49", "update_id": 127730, "user_id": 2622, "id": 870852, "bug_feedback": [{"karma": 0, "comment_id": 870852, "bug_id": 1534765, "bug": {"bug_id": 1534765, "title": "javadoc for org.mozilla.jss.pkix.cms.SignedData.getSignerInfos() is incorrect", "security": false, "parent": false}}, {"karma": 0, "comment_id": 870852, "bug_id": 1582323, "bug": {"bug_id": 1582323, "title": "DER encoding error for enumerated types with a value of zero", "security": false, "parent": false}}, {"karma": 0, "comment_id": 870852, "bug_id": 1645708, "bug": {"bug_id": 1645708, "title": "authselect enable-features should error on unknown features", "security": false, "parent": false}}], "testcase_feedback": [], "user": {"name": "cheimes", "email": "cheimes@redhat.com", "id": 2622, "avatar": "https://seccdn.libravatar.org/avatar/fb01cd1580c9fa10cf453f7c77b9a5ac59f645883d7bf9f921743803e0379c8d?s=24&d=retro", "openid": "cheimes.id.stg.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "python-sig"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "gitfreeipa"}, {"name": "git389"}, {"name": "latchset"}, {"name": "gitpki"}, {"name": "python-packagers-sig"}, {"name": "podengo"}, {"name": "trust admins"}]}}, {"karma": 0, "karma_critpath": 0, "text": "This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes", "timestamp": "2018-12-12 06:00:25", "update_id": 127730, "user_id": 91, "id": 873817, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been submitted for batched by sgallagh. ", "timestamp": "2018-12-12 18:15:20", "update_id": 127730, "user_id": 91, "id": 873991, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been submitted for stable by bodhi. ", "timestamp": "2018-12-12 23:45:25", "update_id": 127730, "user_id": 91, "id": 874049, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been pushed to stable.", "timestamp": "2018-12-13 02:47:08", "update_id": 127730, "user_id": 91, "id": 874110, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}], "builds": [{"nvr": "dogtag-pki-10.6.8-3.fc28", "signed": true, "release_id": 21, "type": "rpm", "epoch": 0}, {"nvr": "freeipa-4.7.2-1.fc28", "signed": true, "release_id": 21, "type": "rpm", "epoch": 0}, {"nvr": "jss-4.5.1-1.fc28", "signed": true, "release_id": 21, "type": "rpm", "epoch": 0}, {"nvr": "nuxwdog-1.0.5-3.fc28", "signed": true, "release_id": 21, "type": "rpm", "epoch": 0}, {"nvr": "pki-core-10.6.8-3.fc28", "signed": true, "release_id": 21, "type": "rpm", "epoch": 0}], "bugs": [{"bug_id": 1534765, "title": "javadoc for org.mozilla.jss.pkix.cms.SignedData.getSignerInfos() is incorrect", "security": false, "parent": false, "feedback": [{"karma": 0, "comment_id": 869907, "bug_id": 1534765, "comment": {"karma": -1, "karma_critpath": 0, "text": "This update broke installation of freeIPA server. You can see it even in openQA tests\nhttps://openqa.fedoraproject.org/tests/314591#step/role_deploy_domain_controller/18", "timestamp": "2018-12-03 16:53:22", "update_id": 127730, "user_id": 809, "id": 869907, "testcase_feedback": [], "user": {"name": "lslebodn", "email": "lslebodn@redhat.com", "id": 809, "avatar": "https://seccdn.libravatar.org/avatar/8c6fcfe0eec099f1f01f5c237935bb5c97f2063a5c1068e57c5815e0bfecbf70?s=24&d=retro", "openid": "lslebodn.id.stg.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "gitsssd"}]}}}, {"karma": 0, "comment_id": 869911, "bug_id": 1534765, "comment": {"karma": -1, "karma_critpath": 0, "text": "Same OpenQA issue as FreeIPA: https://openqa.fedoraproject.org/tests/314576#step/role_deploy_domain_controller/29", "timestamp": "2018-12-03 18:51:53", "update_id": 127729, "user_id": 4423, "id": 869911, "testcase_feedback": [], "user": {"name": "cipherboy", "email": "alexander.m.scheel@gmail.com", "id": 4423, "avatar": "https://seccdn.libravatar.org/avatar/06f57ad94d6d7bd0ffb1eec9135aadd13c27fbbc2e9b3fae7546dd2007bec29a?s=24&d=retro", "openid": "cipherboy.id.stg.fedoraproject.org", "groups": [{"name": "packager"}]}}}, {"karma": 0, "comment_id": 869916, "bug_id": 1534765, "comment": {"karma": 0, "karma_critpath": 0, "text": "The issue that we see in OpenQA isn't reproducible in a normal dev/CI environment. We need to look why we get the following error: \n\n    java.lang.NoSuchMethodError: com.netscape.certsrv.apps.CMS.getLogger()Lcom/netscape/certsrv/logging/ILogger;\n\nWe don't depend on `CMS.getLogger()`any more. We try to instantiate a `slf4j` logger in its place.", "timestamp": "2018-12-03 19:16:14", "update_id": 127729, "user_id": 4462, "id": 869916, "testcase_feedback": [], "user": {"name": "dmoluguw", "email": "dmoluguw@redhat.com", "id": 4462, "avatar": "https://seccdn.libravatar.org/avatar/490fdf6e880adac900f19f052ff41efaf886a0f08556956b6c955b5560c85427?s=24&d=retro", "openid": "dmoluguw.id.stg.fedoraproject.org", "groups": [{"name": "packager"}]}}}, {"karma": 0, "comment_id": 869946, "bug_id": 1534765, "comment": {"karma": 0, "karma_critpath": 0, "text": "This is a weird error, mostly because the IPA version is less than our minimum. I think we need to wait for FreeIPA to update and then we can retest.", "timestamp": "2018-12-03 20:32:27", "update_id": 127730, "user_id": 4423, "id": 869946, "testcase_feedback": [], "user": {"name": "cipherboy", "email": "alexander.m.scheel@gmail.com", "id": 4423, "avatar": "https://seccdn.libravatar.org/avatar/06f57ad94d6d7bd0ffb1eec9135aadd13c27fbbc2e9b3fae7546dd2007bec29a?s=24&d=retro", "openid": "cipherboy.id.stg.fedoraproject.org", "groups": [{"name": "packager"}]}}}, {"karma": 0, "comment_id": 869947, "bug_id": 1534765, "comment": {"karma": 0, "karma_critpath": 0, "text": "This is a weird error since openQA tests with a conflicting version of IPA. This new PKI package requires IPA >= 4.7.1\n\nA specific conflict was declared in PKI: https://github.com/dogtagpki/pki/blob/master/pki.spec#L679\n\nBut, open QA tests with FreeIPA 4.7.0: https://openqa.fedoraproject.org/tests/314576#step/_advisory_update/21\n\nSince `freeIPA 4.5.1` doesn't exist yet in bodhi, the errors occurred. Regardless, OpenQA must have reported a different error.", "timestamp": "2018-12-03 20:37:34", "update_id": 127729, "user_id": 4462, "id": 869947, "testcase_feedback": [], "user": {"name": "dmoluguw", "email": "dmoluguw@redhat.com", "id": 4462, "avatar": "https://seccdn.libravatar.org/avatar/490fdf6e880adac900f19f052ff41efaf886a0f08556956b6c955b5560c85427?s=24&d=retro", "openid": "dmoluguw.id.stg.fedoraproject.org", "groups": [{"name": "packager"}]}}}, {"karma": 0, "comment_id": 869955, "bug_id": 1534765, "comment": {"karma": 0, "karma_critpath": 0, "text": "It's not really a 'weird error', you are doing a bad thing: creating an update that is incompatible with the distribution as it stands. If this PKI needs a newer FreeIPA than F28 currently contains, then either that FreeIPA should also be in this update, or a FreeIPA update should be created *first*, pushed stable, and *then* PKI can be updated. If the two newer versions are *interdependent* (neither works with the old version of the other), they *must* be updated together in a single update.", "timestamp": "2018-12-03 21:41:56", "update_id": 127730, "user_id": 302, "id": 869955, "testcase_feedback": [], "user": {"name": "adamwill", "email": "awilliam@redhat.com", "id": 302, "avatar": "https://seccdn.libravatar.org/avatar/51720fbb2ec5dfd2bc005ac374a3bfd3190cb8f45f3bb8d6bdf35fb6a051d03b?s=24&d=retro", "openid": "adamwill.id.stg.fedoraproject.org", "groups": [{"name": "proventesters"}, {"name": "provenpackager"}, {"name": "packager"}, {"name": "qa-tools-sig"}, {"name": "fedora-contributor"}, {"name": "news"}, {"name": "gittriage"}, {"name": "sysadmin"}, {"name": "gitspin-kickstarts"}, {"name": "signed_fpca"}, {"name": "gitgeneric-release"}, {"name": "yak_farmers"}, {"name": "triagers"}, {"name": "qa"}, {"name": "sysadmin-qa"}, {"name": "fedorabugs"}, {"name": "ipausers"}, {"name": "gitmkinitrd"}, {"name": "qa-admin"}, {"name": "aws-qa"}, {"name": "change-wranglers"}, {"name": "fedora-ci-admins"}, {"name": "common-issues-triage"}, {"name": "sysadmin-main"}, {"name": "program-management"}, {"name": "gitfedora-project-schedule"}]}}}, {"karma": 0, "comment_id": 869958, "bug_id": 1534765, "comment": {"karma": 0, "karma_critpath": 0, "text": "BTW, some more info on precisely how the test failed: in this update, the `pki-server` package had a `Conflicts: freeipa-server < 4.7.1` line added. However, none of the other `pki-core` subpackages had this done, and there are no dependencies between the various subpackages of `pki-core` which force them to always be of equal versions. So when the test asked DNF to install the group `@freeipa-server`, what DNF wound up doing to satisfy the PKI deps was installing version `10.6.8-1.fc28` of pki-base, pki-base-java, python3-pki, pki-symkey and pki-tools, but version `10.6.6-1.fc28` (the old version from the stable repos) of pki-server. There's nothing that makes this 'invalid' so far as dependencies are concerned; it's a correct solution to the request. Obviously, things don't work well with old FreeIPA, old pki-server, but new everything-else-pki. :)", "timestamp": "2018-12-03 21:55:15", "update_id": 127730, "user_id": 302, "id": 869958, "testcase_feedback": [], "user": {"name": "adamwill", "email": "awilliam@redhat.com", "id": 302, "avatar": "https://seccdn.libravatar.org/avatar/51720fbb2ec5dfd2bc005ac374a3bfd3190cb8f45f3bb8d6bdf35fb6a051d03b?s=24&d=retro", "openid": "adamwill.id.stg.fedoraproject.org", "groups": [{"name": "proventesters"}, {"name": "provenpackager"}, {"name": "packager"}, {"name": "qa-tools-sig"}, {"name": "fedora-contributor"}, {"name": "news"}, {"name": "gittriage"}, {"name": "sysadmin"}, {"name": "gitspin-kickstarts"}, {"name": "signed_fpca"}, {"name": "gitgeneric-release"}, {"name": "yak_farmers"}, {"name": "triagers"}, {"name": "qa"}, {"name": "sysadmin-qa"}, {"name": "fedorabugs"}, {"name": "ipausers"}, {"name": "gitmkinitrd"}, {"name": "qa-admin"}, {"name": "aws-qa"}, {"name": "change-wranglers"}, {"name": "fedora-ci-admins"}, {"name": "common-issues-triage"}, {"name": "sysadmin-main"}, {"name": "program-management"}, {"name": "gitfedora-project-schedule"}]}}}, {"karma": 0, "comment_id": 870397, "bug_id": 1534765, "comment": {"karma": 0, "karma_critpath": 0, "text": "Sure, but I think calling this a \"weird error\" is acceptable as you just pointed out: we're doing a bad thing, and the error we see isn't that we're doing a bad thing, its that something else, later, way down the line, is broken.\n\nIn OpenQA, after the bodhi update installation stage, I'd expect to verify at least that the packages in this bodhi update were installed at the versions in the update. e.g., `rpm -qa` shows them as being installed at the versions here. \n\nPut another way, if I take `$CURRENT_VERSION` of `$PKG` and package `$CURRENT_VERSION+1` as `$CURRENT_VERSION` with a new line `Conflicts: $something_else < k` in the spec file, and `$something_else >= k` hasn't been released and so we get `$CURRENT_VERSION` installed in Bodhi (instead of `$CURRENT_VERSION+1`), I'd expect Bodhi to fail with a package version error. I would not expect it to pass (assuming that `$PKG @ $CURRENT_VERSION` passes Bodhi previously and will pass again).", "timestamp": "2018-12-04 13:57:14", "update_id": 127730, "user_id": 4423, "id": 870397, "testcase_feedback": [], "user": {"name": "cipherboy", "email": "alexander.m.scheel@gmail.com", "id": 4423, "avatar": "https://seccdn.libravatar.org/avatar/06f57ad94d6d7bd0ffb1eec9135aadd13c27fbbc2e9b3fae7546dd2007bec29a?s=24&d=retro", "openid": "cipherboy.id.stg.fedoraproject.org", "groups": [{"name": "packager"}]}}}, {"karma": 0, "comment_id": 870401, "bug_id": 1534765, "comment": {"karma": 0, "karma_critpath": 0, "text": "(In the last paragraph, `s/Bodhi/OpenQA/g`, sorry).", "timestamp": "2018-12-04 14:03:43", "update_id": 127730, "user_id": 4423, "id": 870401, "testcase_feedback": [], "user": {"name": "cipherboy", "email": "alexander.m.scheel@gmail.com", "id": 4423, "avatar": "https://seccdn.libravatar.org/avatar/06f57ad94d6d7bd0ffb1eec9135aadd13c27fbbc2e9b3fae7546dd2007bec29a?s=24&d=retro", "openid": "cipherboy.id.stg.fedoraproject.org", "groups": [{"name": "packager"}]}}}, {"karma": 0, "comment_id": 870450, "bug_id": 1534765, "comment": {"karma": 0, "karma_critpath": 0, "text": "> Sure, but I think calling this a \"weird error\" is acceptable as you just pointed out: we're doing a bad thing, and the error we see isn't that we're doing a bad thing, its that something else, later, way down the line, is broken.\n\nAre you sure that you are *not* doing a bad thing?  OpenQA do the same as normal user would do. Just call `dnf update` and the result is combination of packages which cause failures to install freeIPA.\n\nAnd it is obviously caused by this bodhi update because it pass without updates-testing.\nSure; error reporting could be better. But assumption about `$CURRENT_VERSION+1` is difficult. You can obsolete some packages; replace ... So it is would be a challenge to guess which set of  packages should be installed.\n\nI would appreciate if you could either un-push this update from updates-testing or add freeipa-4.7.2 to this update. I am not sure whether you have permissions for that.", "timestamp": "2018-12-04 16:04:39", "update_id": 127730, "user_id": 809, "id": 870450, "testcase_feedback": [], "user": {"name": "lslebodn", "email": "lslebodn@redhat.com", "id": 809, "avatar": "https://seccdn.libravatar.org/avatar/8c6fcfe0eec099f1f01f5c237935bb5c97f2063a5c1068e57c5815e0bfecbf70?s=24&d=retro", "openid": "lslebodn.id.stg.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "gitsssd"}]}}}, {"karma": 0, "comment_id": 870498, "bug_id": 1534765, "comment": {"karma": 0, "karma_critpath": 0, "text": "I've added updated pki-core and freeipa packages together on this Bodhi update so the conflict issues should now be resolved.", "timestamp": "2018-12-04 20:44:50", "update_id": 127729, "user_id": 535, "id": 870498, "testcase_feedback": [], "user": {"name": "sgallagh", "email": "sgallagh@redhat.com", "id": 535, "avatar": "https://seccdn.libravatar.org/avatar/bf298fff6edef11d0f53e6bd1fb1e649c131b75ad7200ab134883e8603591405?s=24&d=retro", "openid": "sgallagh.id.stg.fedoraproject.org", "groups": [{"name": "provenpackager"}, {"name": "packager"}, {"name": "nodejs-sig"}, {"name": "eln-sig"}, {"name": "gitding-libs"}, {"name": "gitroller-derby"}, {"name": "communishift"}, {"name": "sysadmin-noc"}, {"name": "gitnodejs-packaging"}, {"name": "fedorabugs"}, {"name": "signed_fpca"}, {"name": "gitspin-kickstarts"}, {"name": "fesco"}, {"name": "epel-cabal"}, {"name": "gitsssd"}, {"name": "sysadmin"}, {"name": "modularity-wg"}, {"name": "cockpit-jenkins"}, {"name": "gitcura"}, {"name": "gitrolekit"}, {"name": "ipausers"}, {"name": "gitelapi"}, {"name": "cockpitteam"}, {"name": "server-wg"}, {"name": "fedora-contributor"}, {"name": "summer-coding"}, {"name": "bind-dyndb-ldap"}, {"name": "sysadmin-odcs"}, {"name": "gitlab-fedora-admin"}, {"name": "sysadmin-eln"}]}}}, {"karma": 0, "comment_id": 870499, "bug_id": 1534765, "comment": {"karma": 0, "karma_critpath": 0, "text": "I've added updated pki-core and freeipa packages together on this Bodhi update so the conflict issues should now be resolved.", "timestamp": "2018-12-04 20:44:54", "update_id": 127730, "user_id": 535, "id": 870499, "testcase_feedback": [], "user": {"name": "sgallagh", "email": "sgallagh@redhat.com", "id": 535, "avatar": "https://seccdn.libravatar.org/avatar/bf298fff6edef11d0f53e6bd1fb1e649c131b75ad7200ab134883e8603591405?s=24&d=retro", "openid": "sgallagh.id.stg.fedoraproject.org", "groups": [{"name": "provenpackager"}, {"name": "packager"}, {"name": "nodejs-sig"}, {"name": "eln-sig"}, {"name": "gitding-libs"}, {"name": "gitroller-derby"}, {"name": "communishift"}, {"name": "sysadmin-noc"}, {"name": "gitnodejs-packaging"}, {"name": "fedorabugs"}, {"name": "signed_fpca"}, {"name": "gitspin-kickstarts"}, {"name": "fesco"}, {"name": "epel-cabal"}, {"name": "gitsssd"}, {"name": "sysadmin"}, {"name": "modularity-wg"}, {"name": "cockpit-jenkins"}, {"name": "gitcura"}, {"name": "gitrolekit"}, {"name": "ipausers"}, {"name": "gitelapi"}, {"name": "cockpitteam"}, {"name": "server-wg"}, {"name": "fedora-contributor"}, {"name": "summer-coding"}, {"name": "bind-dyndb-ldap"}, {"name": "sysadmin-odcs"}, {"name": "gitlab-fedora-admin"}, {"name": "sysadmin-eln"}]}}}, {"karma": 0, "comment_id": 870503, "bug_id": 1534765, "comment": {"karma": 0, "karma_critpath": 0, "text": "It's arguable both ways. As @lslebodn points out, openQA's basic goal is to test how things work *as a user would encounter them*. He's correct that, had this update been pushed stable, a user would've seen exactly what openQA did: they'd run an update, it would apparently work just fine, then suddenly FreeIPA would break.\n\nHowever, we *can* improve things so that openQA provides more information to detect this kind of problem, certainly. The reason it doesn't at present is simply that I hadn't considered that this scenario might be possible; dependency issues in updates usually tend to manifest as *errors* in package install or update, not this kind of 'the operation succeeds but doesn't install what we expect it to' case. This is the first case like this I've come across in an openQA test.", "timestamp": "2018-12-04 20:50:31", "update_id": 127730, "user_id": 302, "id": 870503, "testcase_feedback": [], "user": {"name": "adamwill", "email": "awilliam@redhat.com", "id": 302, "avatar": "https://seccdn.libravatar.org/avatar/51720fbb2ec5dfd2bc005ac374a3bfd3190cb8f45f3bb8d6bdf35fb6a051d03b?s=24&d=retro", "openid": "adamwill.id.stg.fedoraproject.org", "groups": [{"name": "proventesters"}, {"name": "provenpackager"}, {"name": "packager"}, {"name": "qa-tools-sig"}, {"name": "fedora-contributor"}, {"name": "news"}, {"name": "gittriage"}, {"name": "sysadmin"}, {"name": "gitspin-kickstarts"}, {"name": "signed_fpca"}, {"name": "gitgeneric-release"}, {"name": "yak_farmers"}, {"name": "triagers"}, {"name": "qa"}, {"name": "sysadmin-qa"}, {"name": "fedorabugs"}, {"name": "ipausers"}, {"name": "gitmkinitrd"}, {"name": "qa-admin"}, {"name": "aws-qa"}, {"name": "change-wranglers"}, {"name": "fedora-ci-admins"}, {"name": "common-issues-triage"}, {"name": "sysadmin-main"}, {"name": "program-management"}, {"name": "gitfedora-project-schedule"}]}}}, {"karma": 0, "comment_id": 870515, "bug_id": 1534765, "comment": {"karma": 0, "karma_critpath": 0, "text": "There is a bunch of AVCs in two failed tests:\n\n- update.upgrade_realmd_client x86_64 server\tfreeipa_client module failed\t2 minutes ago\n- update.upgrade_server_domain_controller x86_64 server\t\t2 minutes ago\n\nAs far as I can see, the server upgrade failure is purely AVC-related. Client upgrade failure is due to a combination of few factors:\n- AVCs by SSSD\n- Certificate for IPA master issued with the same serial as it was used on some older install by this client. Is the client re-enrolled after upgrade? It might have unclean Firefox settings then.\n- GSSAPI failures in SSSD, preventing to contact and authenticate to LDAP, thus failing to provide user and group infromation. Perhaps, this one is driven by AVCs.\n\nIf we could re-run this update with permissive in staging to see if AVCs are the core issue, that would be very helpful.", "timestamp": "2018-12-04 22:03:34", "update_id": 127729, "user_id": 1242, "id": 870515, "testcase_feedback": [], "user": {"name": "abbra", "email": "abokovoy@redhat.com", "id": 1242, "avatar": "https://seccdn.libravatar.org/avatar/3f3c51cb81fb43e685e65ff696d895ac268ff71949128c02b81dec65a4405a0a?s=24&d=retro", "openid": "abbra.id.stg.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "bind-dyndb-ldap"}, {"name": "gitfreeipa"}, {"name": "gitslapi-nis"}, {"name": "gitfreeipa-docs"}]}}}, {"karma": 0, "comment_id": 870851, "bug_id": 1534765, "comment": {"karma": 1, "karma_critpath": 0, "text": "FreeIPA 4.7 PR-CI is passing with pki-core-10.6.8-3, https://github.com/freeipa/freeipa/pull/2646. PR-CI uses F29 while Travis CI tests on F28. I was also able to install an FreeIPA cluster with two servers on Fedora 29 successfully.", "timestamp": "2018-12-05 13:08:47", "update_id": 127729, "user_id": 2622, "id": 870851, "testcase_feedback": [], "user": {"name": "cheimes", "email": "cheimes@redhat.com", "id": 2622, "avatar": "https://seccdn.libravatar.org/avatar/fb01cd1580c9fa10cf453f7c77b9a5ac59f645883d7bf9f921743803e0379c8d?s=24&d=retro", "openid": "cheimes.id.stg.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "python-sig"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "gitfreeipa"}, {"name": "git389"}, {"name": "latchset"}, {"name": "gitpki"}, {"name": "python-packagers-sig"}, {"name": "podengo"}, {"name": "trust admins"}]}}}, {"karma": 0, "comment_id": 870852, "bug_id": 1534765, "comment": {"karma": 1, "karma_critpath": 0, "text": "FreeIPA 4.7 PR-CI is passing with pki-core-10.6.8-3, https://github.com/freeipa/freeipa/pull/2646. PR-CI uses F29 while Travis CI tests on F28. I was also able to install an FreeIPA cluster with two servers on Fedora 28 successfully.", "timestamp": "2018-12-05 13:16:49", "update_id": 127730, "user_id": 2622, "id": 870852, "testcase_feedback": [], "user": {"name": "cheimes", "email": "cheimes@redhat.com", "id": 2622, "avatar": "https://seccdn.libravatar.org/avatar/fb01cd1580c9fa10cf453f7c77b9a5ac59f645883d7bf9f921743803e0379c8d?s=24&d=retro", "openid": "cheimes.id.stg.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "python-sig"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "gitfreeipa"}, {"name": "git389"}, {"name": "latchset"}, {"name": "gitpki"}, {"name": "python-packagers-sig"}, {"name": "podengo"}, {"name": "trust admins"}]}}}, {"karma": 0, "comment_id": 874040, "bug_id": 1534765, "comment": {"karma": 0, "karma_critpath": 0, "text": "@abbra the AVCs seem to always happen - if you look at the same tests on other updates, they also soft-fail due to the presence of AVCs. It should be looked into, but it doesn't appear to relate to this update. No, the client is not re-enrolled after upgrade.\n\nThe serial number-related failure is an odd one that seems to just sort of happen now and again, I think I've seen it in Rawhide too. I'm not sure what the cause is.\n\nThe most recent run of the tests passed; I'm not sure if I just manually restarted to see if the failure was something transient, or if they got auto-re-run by the edit to include dogtag-pki 3.fc29.", "timestamp": "2018-12-12 23:16:48", "update_id": 127729, "user_id": 302, "id": 874040, "testcase_feedback": [], "user": {"name": "adamwill", "email": "awilliam@redhat.com", "id": 302, "avatar": "https://seccdn.libravatar.org/avatar/51720fbb2ec5dfd2bc005ac374a3bfd3190cb8f45f3bb8d6bdf35fb6a051d03b?s=24&d=retro", "openid": "adamwill.id.stg.fedoraproject.org", "groups": [{"name": "proventesters"}, {"name": "provenpackager"}, {"name": "packager"}, {"name": "qa-tools-sig"}, {"name": "fedora-contributor"}, {"name": "news"}, {"name": "gittriage"}, {"name": "sysadmin"}, {"name": "gitspin-kickstarts"}, {"name": "signed_fpca"}, {"name": "gitgeneric-release"}, {"name": "yak_farmers"}, {"name": "triagers"}, {"name": "qa"}, {"name": "sysadmin-qa"}, {"name": "fedorabugs"}, {"name": "ipausers"}, {"name": "gitmkinitrd"}, {"name": "qa-admin"}, {"name": "aws-qa"}, {"name": "change-wranglers"}, {"name": "fedora-ci-admins"}, {"name": "common-issues-triage"}, {"name": "sysadmin-main"}, {"name": "program-management"}, {"name": "gitfedora-project-schedule"}]}}}]}, {"bug_id": 1582323, "title": "DER encoding error for enumerated types with a value of zero", "security": false, "parent": false, "feedback": [{"karma": 0, "comment_id": 869907, "bug_id": 1582323, "comment": {"karma": -1, "karma_critpath": 0, "text": "This update broke installation of freeIPA server. You can see it even in openQA tests\nhttps://openqa.fedoraproject.org/tests/314591#step/role_deploy_domain_controller/18", "timestamp": "2018-12-03 16:53:22", "update_id": 127730, "user_id": 809, "id": 869907, "testcase_feedback": [], "user": {"name": "lslebodn", "email": "lslebodn@redhat.com", "id": 809, "avatar": "https://seccdn.libravatar.org/avatar/8c6fcfe0eec099f1f01f5c237935bb5c97f2063a5c1068e57c5815e0bfecbf70?s=24&d=retro", "openid": "lslebodn.id.stg.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "gitsssd"}]}}}, {"karma": 0, "comment_id": 869911, "bug_id": 1582323, "comment": {"karma": -1, "karma_critpath": 0, "text": "Same OpenQA issue as FreeIPA: https://openqa.fedoraproject.org/tests/314576#step/role_deploy_domain_controller/29", "timestamp": "2018-12-03 18:51:53", "update_id": 127729, "user_id": 4423, "id": 869911, "testcase_feedback": [], "user": {"name": "cipherboy", "email": "alexander.m.scheel@gmail.com", "id": 4423, "avatar": "https://seccdn.libravatar.org/avatar/06f57ad94d6d7bd0ffb1eec9135aadd13c27fbbc2e9b3fae7546dd2007bec29a?s=24&d=retro", "openid": "cipherboy.id.stg.fedoraproject.org", "groups": [{"name": "packager"}]}}}, {"karma": 0, "comment_id": 869916, "bug_id": 1582323, "comment": {"karma": 0, "karma_critpath": 0, "text": "The issue that we see in OpenQA isn't reproducible in a normal dev/CI environment. We need to look why we get the following error: \n\n    java.lang.NoSuchMethodError: com.netscape.certsrv.apps.CMS.getLogger()Lcom/netscape/certsrv/logging/ILogger;\n\nWe don't depend on `CMS.getLogger()`any more. We try to instantiate a `slf4j` logger in its place.", "timestamp": "2018-12-03 19:16:14", "update_id": 127729, "user_id": 4462, "id": 869916, "testcase_feedback": [], "user": {"name": "dmoluguw", "email": "dmoluguw@redhat.com", "id": 4462, "avatar": "https://seccdn.libravatar.org/avatar/490fdf6e880adac900f19f052ff41efaf886a0f08556956b6c955b5560c85427?s=24&d=retro", "openid": "dmoluguw.id.stg.fedoraproject.org", "groups": [{"name": "packager"}]}}}, {"karma": 0, "comment_id": 869946, "bug_id": 1582323, "comment": {"karma": 0, "karma_critpath": 0, "text": "This is a weird error, mostly because the IPA version is less than our minimum. I think we need to wait for FreeIPA to update and then we can retest.", "timestamp": "2018-12-03 20:32:27", "update_id": 127730, "user_id": 4423, "id": 869946, "testcase_feedback": [], "user": {"name": "cipherboy", "email": "alexander.m.scheel@gmail.com", "id": 4423, "avatar": "https://seccdn.libravatar.org/avatar/06f57ad94d6d7bd0ffb1eec9135aadd13c27fbbc2e9b3fae7546dd2007bec29a?s=24&d=retro", "openid": "cipherboy.id.stg.fedoraproject.org", "groups": [{"name": "packager"}]}}}, {"karma": 0, "comment_id": 869947, "bug_id": 1582323, "comment": {"karma": 0, "karma_critpath": 0, "text": "This is a weird error since openQA tests with a conflicting version of IPA. This new PKI package requires IPA >= 4.7.1\n\nA specific conflict was declared in PKI: https://github.com/dogtagpki/pki/blob/master/pki.spec#L679\n\nBut, open QA tests with FreeIPA 4.7.0: https://openqa.fedoraproject.org/tests/314576#step/_advisory_update/21\n\nSince `freeIPA 4.5.1` doesn't exist yet in bodhi, the errors occurred. Regardless, OpenQA must have reported a different error.", "timestamp": "2018-12-03 20:37:34", "update_id": 127729, "user_id": 4462, "id": 869947, "testcase_feedback": [], "user": {"name": "dmoluguw", "email": "dmoluguw@redhat.com", "id": 4462, "avatar": "https://seccdn.libravatar.org/avatar/490fdf6e880adac900f19f052ff41efaf886a0f08556956b6c955b5560c85427?s=24&d=retro", "openid": "dmoluguw.id.stg.fedoraproject.org", "groups": [{"name": "packager"}]}}}, {"karma": 0, "comment_id": 869955, "bug_id": 1582323, "comment": {"karma": 0, "karma_critpath": 0, "text": "It's not really a 'weird error', you are doing a bad thing: creating an update that is incompatible with the distribution as it stands. If this PKI needs a newer FreeIPA than F28 currently contains, then either that FreeIPA should also be in this update, or a FreeIPA update should be created *first*, pushed stable, and *then* PKI can be updated. If the two newer versions are *interdependent* (neither works with the old version of the other), they *must* be updated together in a single update.", "timestamp": "2018-12-03 21:41:56", "update_id": 127730, "user_id": 302, "id": 869955, "testcase_feedback": [], "user": {"name": "adamwill", "email": "awilliam@redhat.com", "id": 302, "avatar": "https://seccdn.libravatar.org/avatar/51720fbb2ec5dfd2bc005ac374a3bfd3190cb8f45f3bb8d6bdf35fb6a051d03b?s=24&d=retro", "openid": "adamwill.id.stg.fedoraproject.org", "groups": [{"name": "proventesters"}, {"name": "provenpackager"}, {"name": "packager"}, {"name": "qa-tools-sig"}, {"name": "fedora-contributor"}, {"name": "news"}, {"name": "gittriage"}, {"name": "sysadmin"}, {"name": "gitspin-kickstarts"}, {"name": "signed_fpca"}, {"name": "gitgeneric-release"}, {"name": "yak_farmers"}, {"name": "triagers"}, {"name": "qa"}, {"name": "sysadmin-qa"}, {"name": "fedorabugs"}, {"name": "ipausers"}, {"name": "gitmkinitrd"}, {"name": "qa-admin"}, {"name": "aws-qa"}, {"name": "change-wranglers"}, {"name": "fedora-ci-admins"}, {"name": "common-issues-triage"}, {"name": "sysadmin-main"}, {"name": "program-management"}, {"name": "gitfedora-project-schedule"}]}}}, {"karma": 0, "comment_id": 869958, "bug_id": 1582323, "comment": {"karma": 0, "karma_critpath": 0, "text": "BTW, some more info on precisely how the test failed: in this update, the `pki-server` package had a `Conflicts: freeipa-server < 4.7.1` line added. However, none of the other `pki-core` subpackages had this done, and there are no dependencies between the various subpackages of `pki-core` which force them to always be of equal versions. So when the test asked DNF to install the group `@freeipa-server`, what DNF wound up doing to satisfy the PKI deps was installing version `10.6.8-1.fc28` of pki-base, pki-base-java, python3-pki, pki-symkey and pki-tools, but version `10.6.6-1.fc28` (the old version from the stable repos) of pki-server. There's nothing that makes this 'invalid' so far as dependencies are concerned; it's a correct solution to the request. Obviously, things don't work well with old FreeIPA, old pki-server, but new everything-else-pki. :)", "timestamp": "2018-12-03 21:55:15", "update_id": 127730, "user_id": 302, "id": 869958, "testcase_feedback": [], "user": {"name": "adamwill", "email": "awilliam@redhat.com", "id": 302, "avatar": "https://seccdn.libravatar.org/avatar/51720fbb2ec5dfd2bc005ac374a3bfd3190cb8f45f3bb8d6bdf35fb6a051d03b?s=24&d=retro", "openid": "adamwill.id.stg.fedoraproject.org", "groups": [{"name": "proventesters"}, {"name": "provenpackager"}, {"name": "packager"}, {"name": "qa-tools-sig"}, {"name": "fedora-contributor"}, {"name": "news"}, {"name": "gittriage"}, {"name": "sysadmin"}, {"name": "gitspin-kickstarts"}, {"name": "signed_fpca"}, {"name": "gitgeneric-release"}, {"name": "yak_farmers"}, {"name": "triagers"}, {"name": "qa"}, {"name": "sysadmin-qa"}, {"name": "fedorabugs"}, {"name": "ipausers"}, {"name": "gitmkinitrd"}, {"name": "qa-admin"}, {"name": "aws-qa"}, {"name": "change-wranglers"}, {"name": "fedora-ci-admins"}, {"name": "common-issues-triage"}, {"name": "sysadmin-main"}, {"name": "program-management"}, {"name": "gitfedora-project-schedule"}]}}}, {"karma": 0, "comment_id": 870397, "bug_id": 1582323, "comment": {"karma": 0, "karma_critpath": 0, "text": "Sure, but I think calling this a \"weird error\" is acceptable as you just pointed out: we're doing a bad thing, and the error we see isn't that we're doing a bad thing, its that something else, later, way down the line, is broken.\n\nIn OpenQA, after the bodhi update installation stage, I'd expect to verify at least that the packages in this bodhi update were installed at the versions in the update. e.g., `rpm -qa` shows them as being installed at the versions here. \n\nPut another way, if I take `$CURRENT_VERSION` of `$PKG` and package `$CURRENT_VERSION+1` as `$CURRENT_VERSION` with a new line `Conflicts: $something_else < k` in the spec file, and `$something_else >= k` hasn't been released and so we get `$CURRENT_VERSION` installed in Bodhi (instead of `$CURRENT_VERSION+1`), I'd expect Bodhi to fail with a package version error. I would not expect it to pass (assuming that `$PKG @ $CURRENT_VERSION` passes Bodhi previously and will pass again).", "timestamp": "2018-12-04 13:57:14", "update_id": 127730, "user_id": 4423, "id": 870397, "testcase_feedback": [], "user": {"name": "cipherboy", "email": "alexander.m.scheel@gmail.com", "id": 4423, "avatar": "https://seccdn.libravatar.org/avatar/06f57ad94d6d7bd0ffb1eec9135aadd13c27fbbc2e9b3fae7546dd2007bec29a?s=24&d=retro", "openid": "cipherboy.id.stg.fedoraproject.org", "groups": [{"name": "packager"}]}}}, {"karma": 0, "comment_id": 870401, "bug_id": 1582323, "comment": {"karma": 0, "karma_critpath": 0, "text": "(In the last paragraph, `s/Bodhi/OpenQA/g`, sorry).", "timestamp": "2018-12-04 14:03:43", "update_id": 127730, "user_id": 4423, "id": 870401, "testcase_feedback": [], "user": {"name": "cipherboy", "email": "alexander.m.scheel@gmail.com", "id": 4423, "avatar": "https://seccdn.libravatar.org/avatar/06f57ad94d6d7bd0ffb1eec9135aadd13c27fbbc2e9b3fae7546dd2007bec29a?s=24&d=retro", "openid": "cipherboy.id.stg.fedoraproject.org", "groups": [{"name": "packager"}]}}}, {"karma": 0, "comment_id": 870450, "bug_id": 1582323, "comment": {"karma": 0, "karma_critpath": 0, "text": "> Sure, but I think calling this a \"weird error\" is acceptable as you just pointed out: we're doing a bad thing, and the error we see isn't that we're doing a bad thing, its that something else, later, way down the line, is broken.\n\nAre you sure that you are *not* doing a bad thing?  OpenQA do the same as normal user would do. Just call `dnf update` and the result is combination of packages which cause failures to install freeIPA.\n\nAnd it is obviously caused by this bodhi update because it pass without updates-testing.\nSure; error reporting could be better. But assumption about `$CURRENT_VERSION+1` is difficult. You can obsolete some packages; replace ... So it is would be a challenge to guess which set of  packages should be installed.\n\nI would appreciate if you could either un-push this update from updates-testing or add freeipa-4.7.2 to this update. I am not sure whether you have permissions for that.", "timestamp": "2018-12-04 16:04:39", "update_id": 127730, "user_id": 809, "id": 870450, "testcase_feedback": [], "user": {"name": "lslebodn", "email": "lslebodn@redhat.com", "id": 809, "avatar": "https://seccdn.libravatar.org/avatar/8c6fcfe0eec099f1f01f5c237935bb5c97f2063a5c1068e57c5815e0bfecbf70?s=24&d=retro", "openid": "lslebodn.id.stg.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "gitsssd"}]}}}, {"karma": 0, "comment_id": 870498, "bug_id": 1582323, "comment": {"karma": 0, "karma_critpath": 0, "text": "I've added updated pki-core and freeipa packages together on this Bodhi update so the conflict issues should now be resolved.", "timestamp": "2018-12-04 20:44:50", "update_id": 127729, "user_id": 535, "id": 870498, "testcase_feedback": [], "user": {"name": "sgallagh", "email": "sgallagh@redhat.com", "id": 535, "avatar": "https://seccdn.libravatar.org/avatar/bf298fff6edef11d0f53e6bd1fb1e649c131b75ad7200ab134883e8603591405?s=24&d=retro", "openid": "sgallagh.id.stg.fedoraproject.org", "groups": [{"name": "provenpackager"}, {"name": "packager"}, {"name": "nodejs-sig"}, {"name": "eln-sig"}, {"name": "gitding-libs"}, {"name": "gitroller-derby"}, {"name": "communishift"}, {"name": "sysadmin-noc"}, {"name": "gitnodejs-packaging"}, {"name": "fedorabugs"}, {"name": "signed_fpca"}, {"name": "gitspin-kickstarts"}, {"name": "fesco"}, {"name": "epel-cabal"}, {"name": "gitsssd"}, {"name": "sysadmin"}, {"name": "modularity-wg"}, {"name": "cockpit-jenkins"}, {"name": "gitcura"}, {"name": "gitrolekit"}, {"name": "ipausers"}, {"name": "gitelapi"}, {"name": "cockpitteam"}, {"name": "server-wg"}, {"name": "fedora-contributor"}, {"name": "summer-coding"}, {"name": "bind-dyndb-ldap"}, {"name": "sysadmin-odcs"}, {"name": "gitlab-fedora-admin"}, {"name": "sysadmin-eln"}]}}}, {"karma": 0, "comment_id": 870499, "bug_id": 1582323, "comment": {"karma": 0, "karma_critpath": 0, "text": "I've added updated pki-core and freeipa packages together on this Bodhi update so the conflict issues should now be resolved.", "timestamp": "2018-12-04 20:44:54", "update_id": 127730, "user_id": 535, "id": 870499, "testcase_feedback": [], "user": {"name": "sgallagh", "email": "sgallagh@redhat.com", "id": 535, "avatar": "https://seccdn.libravatar.org/avatar/bf298fff6edef11d0f53e6bd1fb1e649c131b75ad7200ab134883e8603591405?s=24&d=retro", "openid": "sgallagh.id.stg.fedoraproject.org", "groups": [{"name": "provenpackager"}, {"name": "packager"}, {"name": "nodejs-sig"}, {"name": "eln-sig"}, {"name": "gitding-libs"}, {"name": "gitroller-derby"}, {"name": "communishift"}, {"name": "sysadmin-noc"}, {"name": "gitnodejs-packaging"}, {"name": "fedorabugs"}, {"name": "signed_fpca"}, {"name": "gitspin-kickstarts"}, {"name": "fesco"}, {"name": "epel-cabal"}, {"name": "gitsssd"}, {"name": "sysadmin"}, {"name": "modularity-wg"}, {"name": "cockpit-jenkins"}, {"name": "gitcura"}, {"name": "gitrolekit"}, {"name": "ipausers"}, {"name": "gitelapi"}, {"name": "cockpitteam"}, {"name": "server-wg"}, {"name": "fedora-contributor"}, {"name": "summer-coding"}, {"name": "bind-dyndb-ldap"}, {"name": "sysadmin-odcs"}, {"name": "gitlab-fedora-admin"}, {"name": "sysadmin-eln"}]}}}, {"karma": 0, "comment_id": 870503, "bug_id": 1582323, "comment": {"karma": 0, "karma_critpath": 0, "text": "It's arguable both ways. As @lslebodn points out, openQA's basic goal is to test how things work *as a user would encounter them*. He's correct that, had this update been pushed stable, a user would've seen exactly what openQA did: they'd run an update, it would apparently work just fine, then suddenly FreeIPA would break.\n\nHowever, we *can* improve things so that openQA provides more information to detect this kind of problem, certainly. The reason it doesn't at present is simply that I hadn't considered that this scenario might be possible; dependency issues in updates usually tend to manifest as *errors* in package install or update, not this kind of 'the operation succeeds but doesn't install what we expect it to' case. This is the first case like this I've come across in an openQA test.", "timestamp": "2018-12-04 20:50:31", "update_id": 127730, "user_id": 302, "id": 870503, "testcase_feedback": [], "user": {"name": "adamwill", "email": "awilliam@redhat.com", "id": 302, "avatar": "https://seccdn.libravatar.org/avatar/51720fbb2ec5dfd2bc005ac374a3bfd3190cb8f45f3bb8d6bdf35fb6a051d03b?s=24&d=retro", "openid": "adamwill.id.stg.fedoraproject.org", "groups": [{"name": "proventesters"}, {"name": "provenpackager"}, {"name": "packager"}, {"name": "qa-tools-sig"}, {"name": "fedora-contributor"}, {"name": "news"}, {"name": "gittriage"}, {"name": "sysadmin"}, {"name": "gitspin-kickstarts"}, {"name": "signed_fpca"}, {"name": "gitgeneric-release"}, {"name": "yak_farmers"}, {"name": "triagers"}, {"name": "qa"}, {"name": "sysadmin-qa"}, {"name": "fedorabugs"}, {"name": "ipausers"}, {"name": "gitmkinitrd"}, {"name": "qa-admin"}, {"name": "aws-qa"}, {"name": "change-wranglers"}, {"name": "fedora-ci-admins"}, {"name": "common-issues-triage"}, {"name": "sysadmin-main"}, {"name": "program-management"}, {"name": "gitfedora-project-schedule"}]}}}, {"karma": 0, "comment_id": 870515, "bug_id": 1582323, "comment": {"karma": 0, "karma_critpath": 0, "text": "There is a bunch of AVCs in two failed tests:\n\n- update.upgrade_realmd_client x86_64 server\tfreeipa_client module failed\t2 minutes ago\n- update.upgrade_server_domain_controller x86_64 server\t\t2 minutes ago\n\nAs far as I can see, the server upgrade failure is purely AVC-related. Client upgrade failure is due to a combination of few factors:\n- AVCs by SSSD\n- Certificate for IPA master issued with the same serial as it was used on some older install by this client. Is the client re-enrolled after upgrade? It might have unclean Firefox settings then.\n- GSSAPI failures in SSSD, preventing to contact and authenticate to LDAP, thus failing to provide user and group infromation. Perhaps, this one is driven by AVCs.\n\nIf we could re-run this update with permissive in staging to see if AVCs are the core issue, that would be very helpful.", "timestamp": "2018-12-04 22:03:34", "update_id": 127729, "user_id": 1242, "id": 870515, "testcase_feedback": [], "user": {"name": "abbra", "email": "abokovoy@redhat.com", "id": 1242, "avatar": "https://seccdn.libravatar.org/avatar/3f3c51cb81fb43e685e65ff696d895ac268ff71949128c02b81dec65a4405a0a?s=24&d=retro", "openid": "abbra.id.stg.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "bind-dyndb-ldap"}, {"name": "gitfreeipa"}, {"name": "gitslapi-nis"}, {"name": "gitfreeipa-docs"}]}}}, {"karma": 0, "comment_id": 870851, "bug_id": 1582323, "comment": {"karma": 1, "karma_critpath": 0, "text": "FreeIPA 4.7 PR-CI is passing with pki-core-10.6.8-3, https://github.com/freeipa/freeipa/pull/2646. PR-CI uses F29 while Travis CI tests on F28. I was also able to install an FreeIPA cluster with two servers on Fedora 29 successfully.", "timestamp": "2018-12-05 13:08:47", "update_id": 127729, "user_id": 2622, "id": 870851, "testcase_feedback": [], "user": {"name": "cheimes", "email": "cheimes@redhat.com", "id": 2622, "avatar": "https://seccdn.libravatar.org/avatar/fb01cd1580c9fa10cf453f7c77b9a5ac59f645883d7bf9f921743803e0379c8d?s=24&d=retro", "openid": "cheimes.id.stg.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "python-sig"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "gitfreeipa"}, {"name": "git389"}, {"name": "latchset"}, {"name": "gitpki"}, {"name": "python-packagers-sig"}, {"name": "podengo"}, {"name": "trust admins"}]}}}, {"karma": 0, "comment_id": 870852, "bug_id": 1582323, "comment": {"karma": 1, "karma_critpath": 0, "text": "FreeIPA 4.7 PR-CI is passing with pki-core-10.6.8-3, https://github.com/freeipa/freeipa/pull/2646. PR-CI uses F29 while Travis CI tests on F28. I was also able to install an FreeIPA cluster with two servers on Fedora 28 successfully.", "timestamp": "2018-12-05 13:16:49", "update_id": 127730, "user_id": 2622, "id": 870852, "testcase_feedback": [], "user": {"name": "cheimes", "email": "cheimes@redhat.com", "id": 2622, "avatar": "https://seccdn.libravatar.org/avatar/fb01cd1580c9fa10cf453f7c77b9a5ac59f645883d7bf9f921743803e0379c8d?s=24&d=retro", "openid": "cheimes.id.stg.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "python-sig"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "gitfreeipa"}, {"name": "git389"}, {"name": "latchset"}, {"name": "gitpki"}, {"name": "python-packagers-sig"}, {"name": "podengo"}, {"name": "trust admins"}]}}}, {"karma": 0, "comment_id": 874040, "bug_id": 1582323, "comment": {"karma": 0, "karma_critpath": 0, "text": "@abbra the AVCs seem to always happen - if you look at the same tests on other updates, they also soft-fail due to the presence of AVCs. It should be looked into, but it doesn't appear to relate to this update. No, the client is not re-enrolled after upgrade.\n\nThe serial number-related failure is an odd one that seems to just sort of happen now and again, I think I've seen it in Rawhide too. I'm not sure what the cause is.\n\nThe most recent run of the tests passed; I'm not sure if I just manually restarted to see if the failure was something transient, or if they got auto-re-run by the edit to include dogtag-pki 3.fc29.", "timestamp": "2018-12-12 23:16:48", "update_id": 127729, "user_id": 302, "id": 874040, "testcase_feedback": [], "user": {"name": "adamwill", "email": "awilliam@redhat.com", "id": 302, "avatar": "https://seccdn.libravatar.org/avatar/51720fbb2ec5dfd2bc005ac374a3bfd3190cb8f45f3bb8d6bdf35fb6a051d03b?s=24&d=retro", "openid": "adamwill.id.stg.fedoraproject.org", "groups": [{"name": "proventesters"}, {"name": "provenpackager"}, {"name": "packager"}, {"name": "qa-tools-sig"}, {"name": "fedora-contributor"}, {"name": "news"}, {"name": "gittriage"}, {"name": "sysadmin"}, {"name": "gitspin-kickstarts"}, {"name": "signed_fpca"}, {"name": "gitgeneric-release"}, {"name": "yak_farmers"}, {"name": "triagers"}, {"name": "qa"}, {"name": "sysadmin-qa"}, {"name": "fedorabugs"}, {"name": "ipausers"}, {"name": "gitmkinitrd"}, {"name": "qa-admin"}, {"name": "aws-qa"}, {"name": "change-wranglers"}, {"name": "fedora-ci-admins"}, {"name": "common-issues-triage"}, {"name": "sysadmin-main"}, {"name": "program-management"}, {"name": "gitfedora-project-schedule"}]}}}]}, {"bug_id": 1645708, "title": "authselect enable-features should error on unknown features", "security": false, "parent": false, "feedback": [{"karma": 1, "comment_id": 866821, "bug_id": 1645708, "comment": {"karma": 1, "karma_critpath": 0, "text": "The bug is fixed", "timestamp": "2018-11-26 05:19:29", "update_id": 127316, "user_id": 307, "id": 866821, "testcase_feedback": [], "user": {"name": "lnie", "email": "lnie@redhat.com", "id": 307, "avatar": "https://seccdn.libravatar.org/avatar/acbe3c6c54b2d720727e6819b615121b75b25d6bfc69f245d4dcf4921bf32ec7?s=24&d=retro", "openid": "lnie.id.stg.fedoraproject.org", "groups": [{"name": "qa"}, {"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}}, {"karma": 0, "comment_id": 866893, "bug_id": 1645708, "comment": {"karma": 1, "karma_critpath": 0, "text": "+1", "timestamp": "2018-11-26 08:15:52", "update_id": 127318, "user_id": 506, "id": 866893, "testcase_feedback": [], "user": {"name": "smithp", "email": "smithpeter835@yahoo.co.uk", "id": 506, "avatar": "https://seccdn.libravatar.org/avatar/cdf0e9eb825568e6173694f0d1788bd389a980b3497928ce6f44f889943928a5?s=24&d=retro", "openid": "smithp.id.stg.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 870498, "bug_id": 1645708, "comment": {"karma": 0, "karma_critpath": 0, "text": "I've added updated pki-core and freeipa packages together on this Bodhi update so the conflict issues should now be resolved.", "timestamp": "2018-12-04 20:44:50", "update_id": 127729, "user_id": 535, "id": 870498, "testcase_feedback": [], "user": {"name": "sgallagh", "email": "sgallagh@redhat.com", "id": 535, "avatar": "https://seccdn.libravatar.org/avatar/bf298fff6edef11d0f53e6bd1fb1e649c131b75ad7200ab134883e8603591405?s=24&d=retro", "openid": "sgallagh.id.stg.fedoraproject.org", "groups": [{"name": "provenpackager"}, {"name": "packager"}, {"name": "nodejs-sig"}, {"name": "eln-sig"}, {"name": "gitding-libs"}, {"name": "gitroller-derby"}, {"name": "communishift"}, {"name": "sysadmin-noc"}, {"name": "gitnodejs-packaging"}, {"name": "fedorabugs"}, {"name": "signed_fpca"}, {"name": "gitspin-kickstarts"}, {"name": "fesco"}, {"name": "epel-cabal"}, {"name": "gitsssd"}, {"name": "sysadmin"}, {"name": "modularity-wg"}, {"name": "cockpit-jenkins"}, {"name": "gitcura"}, {"name": "gitrolekit"}, {"name": "ipausers"}, {"name": "gitelapi"}, {"name": "cockpitteam"}, {"name": "server-wg"}, {"name": "fedora-contributor"}, {"name": "summer-coding"}, {"name": "bind-dyndb-ldap"}, {"name": "sysadmin-odcs"}, {"name": "gitlab-fedora-admin"}, {"name": "sysadmin-eln"}]}}}, {"karma": 0, "comment_id": 870499, "bug_id": 1645708, "comment": {"karma": 0, "karma_critpath": 0, "text": "I've added updated pki-core and freeipa packages together on this Bodhi update so the conflict issues should now be resolved.", "timestamp": "2018-12-04 20:44:54", "update_id": 127730, "user_id": 535, "id": 870499, "testcase_feedback": [], "user": {"name": "sgallagh", "email": "sgallagh@redhat.com", "id": 535, "avatar": "https://seccdn.libravatar.org/avatar/bf298fff6edef11d0f53e6bd1fb1e649c131b75ad7200ab134883e8603591405?s=24&d=retro", "openid": "sgallagh.id.stg.fedoraproject.org", "groups": [{"name": "provenpackager"}, {"name": "packager"}, {"name": "nodejs-sig"}, {"name": "eln-sig"}, {"name": "gitding-libs"}, {"name": "gitroller-derby"}, {"name": "communishift"}, {"name": "sysadmin-noc"}, {"name": "gitnodejs-packaging"}, {"name": "fedorabugs"}, {"name": "signed_fpca"}, {"name": "gitspin-kickstarts"}, {"name": "fesco"}, {"name": "epel-cabal"}, {"name": "gitsssd"}, {"name": "sysadmin"}, {"name": "modularity-wg"}, {"name": "cockpit-jenkins"}, {"name": "gitcura"}, {"name": "gitrolekit"}, {"name": "ipausers"}, {"name": "gitelapi"}, {"name": "cockpitteam"}, {"name": "server-wg"}, {"name": "fedora-contributor"}, {"name": "summer-coding"}, {"name": "bind-dyndb-ldap"}, {"name": "sysadmin-odcs"}, {"name": "gitlab-fedora-admin"}, {"name": "sysadmin-eln"}]}}}, {"karma": 0, "comment_id": 870503, "bug_id": 1645708, "comment": {"karma": 0, "karma_critpath": 0, "text": "It's arguable both ways. As @lslebodn points out, openQA's basic goal is to test how things work *as a user would encounter them*. He's correct that, had this update been pushed stable, a user would've seen exactly what openQA did: they'd run an update, it would apparently work just fine, then suddenly FreeIPA would break.\n\nHowever, we *can* improve things so that openQA provides more information to detect this kind of problem, certainly. The reason it doesn't at present is simply that I hadn't considered that this scenario might be possible; dependency issues in updates usually tend to manifest as *errors* in package install or update, not this kind of 'the operation succeeds but doesn't install what we expect it to' case. This is the first case like this I've come across in an openQA test.", "timestamp": "2018-12-04 20:50:31", "update_id": 127730, "user_id": 302, "id": 870503, "testcase_feedback": [], "user": {"name": "adamwill", "email": "awilliam@redhat.com", "id": 302, "avatar": "https://seccdn.libravatar.org/avatar/51720fbb2ec5dfd2bc005ac374a3bfd3190cb8f45f3bb8d6bdf35fb6a051d03b?s=24&d=retro", "openid": "adamwill.id.stg.fedoraproject.org", "groups": [{"name": "proventesters"}, {"name": "provenpackager"}, {"name": "packager"}, {"name": "qa-tools-sig"}, {"name": "fedora-contributor"}, {"name": "news"}, {"name": "gittriage"}, {"name": "sysadmin"}, {"name": "gitspin-kickstarts"}, {"name": "signed_fpca"}, {"name": "gitgeneric-release"}, {"name": "yak_farmers"}, {"name": "triagers"}, {"name": "qa"}, {"name": "sysadmin-qa"}, {"name": "fedorabugs"}, {"name": "ipausers"}, {"name": "gitmkinitrd"}, {"name": "qa-admin"}, {"name": "aws-qa"}, {"name": "change-wranglers"}, {"name": "fedora-ci-admins"}, {"name": "common-issues-triage"}, {"name": "sysadmin-main"}, {"name": "program-management"}, {"name": "gitfedora-project-schedule"}]}}}, {"karma": 0, "comment_id": 870515, "bug_id": 1645708, "comment": {"karma": 0, "karma_critpath": 0, "text": "There is a bunch of AVCs in two failed tests:\n\n- update.upgrade_realmd_client x86_64 server\tfreeipa_client module failed\t2 minutes ago\n- update.upgrade_server_domain_controller x86_64 server\t\t2 minutes ago\n\nAs far as I can see, the server upgrade failure is purely AVC-related. Client upgrade failure is due to a combination of few factors:\n- AVCs by SSSD\n- Certificate for IPA master issued with the same serial as it was used on some older install by this client. Is the client re-enrolled after upgrade? It might have unclean Firefox settings then.\n- GSSAPI failures in SSSD, preventing to contact and authenticate to LDAP, thus failing to provide user and group infromation. Perhaps, this one is driven by AVCs.\n\nIf we could re-run this update with permissive in staging to see if AVCs are the core issue, that would be very helpful.", "timestamp": "2018-12-04 22:03:34", "update_id": 127729, "user_id": 1242, "id": 870515, "testcase_feedback": [], "user": {"name": "abbra", "email": "abokovoy@redhat.com", "id": 1242, "avatar": "https://seccdn.libravatar.org/avatar/3f3c51cb81fb43e685e65ff696d895ac268ff71949128c02b81dec65a4405a0a?s=24&d=retro", "openid": "abbra.id.stg.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "bind-dyndb-ldap"}, {"name": "gitfreeipa"}, {"name": "gitslapi-nis"}, {"name": "gitfreeipa-docs"}]}}}, {"karma": 0, "comment_id": 870851, "bug_id": 1645708, "comment": {"karma": 1, "karma_critpath": 0, "text": "FreeIPA 4.7 PR-CI is passing with pki-core-10.6.8-3, https://github.com/freeipa/freeipa/pull/2646. PR-CI uses F29 while Travis CI tests on F28. I was also able to install an FreeIPA cluster with two servers on Fedora 29 successfully.", "timestamp": "2018-12-05 13:08:47", "update_id": 127729, "user_id": 2622, "id": 870851, "testcase_feedback": [], "user": {"name": "cheimes", "email": "cheimes@redhat.com", "id": 2622, "avatar": "https://seccdn.libravatar.org/avatar/fb01cd1580c9fa10cf453f7c77b9a5ac59f645883d7bf9f921743803e0379c8d?s=24&d=retro", "openid": "cheimes.id.stg.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "python-sig"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "gitfreeipa"}, {"name": "git389"}, {"name": "latchset"}, {"name": "gitpki"}, {"name": "python-packagers-sig"}, {"name": "podengo"}, {"name": "trust admins"}]}}}, {"karma": 0, "comment_id": 870852, "bug_id": 1645708, "comment": {"karma": 1, "karma_critpath": 0, "text": "FreeIPA 4.7 PR-CI is passing with pki-core-10.6.8-3, https://github.com/freeipa/freeipa/pull/2646. PR-CI uses F29 while Travis CI tests on F28. I was also able to install an FreeIPA cluster with two servers on Fedora 28 successfully.", "timestamp": "2018-12-05 13:16:49", "update_id": 127730, "user_id": 2622, "id": 870852, "testcase_feedback": [], "user": {"name": "cheimes", "email": "cheimes@redhat.com", "id": 2622, "avatar": "https://seccdn.libravatar.org/avatar/fb01cd1580c9fa10cf453f7c77b9a5ac59f645883d7bf9f921743803e0379c8d?s=24&d=retro", "openid": "cheimes.id.stg.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "python-sig"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "gitfreeipa"}, {"name": "git389"}, {"name": "latchset"}, {"name": "gitpki"}, {"name": "python-packagers-sig"}, {"name": "podengo"}, {"name": "trust admins"}]}}}, {"karma": 0, "comment_id": 874040, "bug_id": 1645708, "comment": {"karma": 0, "karma_critpath": 0, "text": "@abbra the AVCs seem to always happen - if you look at the same tests on other updates, they also soft-fail due to the presence of AVCs. It should be looked into, but it doesn't appear to relate to this update. No, the client is not re-enrolled after upgrade.\n\nThe serial number-related failure is an odd one that seems to just sort of happen now and again, I think I've seen it in Rawhide too. I'm not sure what the cause is.\n\nThe most recent run of the tests passed; I'm not sure if I just manually restarted to see if the failure was something transient, or if they got auto-re-run by the edit to include dogtag-pki 3.fc29.", "timestamp": "2018-12-12 23:16:48", "update_id": 127729, "user_id": 302, "id": 874040, "testcase_feedback": [], "user": {"name": "adamwill", "email": "awilliam@redhat.com", "id": 302, "avatar": "https://seccdn.libravatar.org/avatar/51720fbb2ec5dfd2bc005ac374a3bfd3190cb8f45f3bb8d6bdf35fb6a051d03b?s=24&d=retro", "openid": "adamwill.id.stg.fedoraproject.org", "groups": [{"name": "proventesters"}, {"name": "provenpackager"}, {"name": "packager"}, {"name": "qa-tools-sig"}, {"name": "fedora-contributor"}, {"name": "news"}, {"name": "gittriage"}, {"name": "sysadmin"}, {"name": "gitspin-kickstarts"}, {"name": "signed_fpca"}, {"name": "gitgeneric-release"}, {"name": "yak_farmers"}, {"name": "triagers"}, {"name": "qa"}, {"name": "sysadmin-qa"}, {"name": "fedorabugs"}, {"name": "ipausers"}, {"name": "gitmkinitrd"}, {"name": "qa-admin"}, {"name": "aws-qa"}, {"name": "change-wranglers"}, {"name": "fedora-ci-admins"}, {"name": "common-issues-triage"}, {"name": "sysadmin-main"}, {"name": "program-management"}, {"name": "gitfedora-project-schedule"}]}}}]}], "updateid": "FEDORA-2018-115068f60e", "karma": 1, "content_type": "rpm", "test_cases": []}, "can_edit": false, "ci_allowed": false}