openSUSE / zypper

World's most powerful command line package manager
http://en.opensuse.org/Portal:Zypper

`zypper search --installed-only` includes packages which aren't installed #498

Open bwoodsend opened 1 year ago

bwoodsend commented 1 year ago

In a fresh Tumbleweed Docker container, if I run `zypper info fips` it correctly tells me that `fips` is not installed. If I ask zypper to list all installed packages (`zypper search --installed-only`), it includes the line:

```console
i  | fips                              | FIPS 140-2 specific packages
```

That line should not be there because `fips` is not an installed package.

Full console output:

```console
> docker images opensuse/tumbleweed
REPOSITORY            TAG       IMAGE ID       CREATED       SIZE
opensuse/tumbleweed   latest    a81f47dc7384   2 weeks ago   107MB
> docker run --rm --platform=linux/x86_64 -it opensuse/tumbleweed:latest
manjaro-2212:/ # zypper info fips
Retrieving repository 'openSUSE-Tumbleweed-Non-Oss' metadata ........................................[done]
Building repository 'openSUSE-Tumbleweed-Non-Oss' cache ........................................[done]
Retrieving repository 'Open H.264 Codec (openSUSE Tumbleweed)' metadata ........................................[done]
Building repository 'Open H.264 Codec (openSUSE Tumbleweed)' cache ........................................[done]
Retrieving repository 'openSUSE-Tumbleweed-Oss' metadata ........................................[done]
Building repository 'openSUSE-Tumbleweed-Oss' cache ........................................[done]
Retrieving repository 'openSUSE-Tumbleweed-Update' metadata ........................................[done]
Building repository 'openSUSE-Tumbleweed-Update' cache ........................................[done]
Loading repository data...
Reading installed packages...

Information for package fips:
-----------------------------
Repository     : openSUSE-Tumbleweed-Oss
Name           : fips
Version        : 3.4.0-1.19
Arch           : x86_64
Vendor         : openSUSE
Installed Size : 555.4 KiB
Installed      : No
Status         : not installed
Source package : fips-3.4.0-1.19.src
Upstream URL   : https://github.com/matwey/fips3
Summary        : OpenGL-based FITS image viewer
Description    :
    FIPS is a cross-platform FITS viewer with responsive user interface. Unlike other
    FITS viewers FIPS uses GPU hardware via OpenGL to provide usual functionality such
    as zooming, panning and level adjustments. OpenGL 2.1 and later is supported.

    FIPS supports all 2D image formats except of 64-bit floating point numbers
    (BITPIX=-64). FITS image extension has basic limited support.

manjaro-2212:/ # zypper search --installed-only
Loading repository data...
Reading installed packages...

S  | Name                              | Summary                                                                  | Type
---+-----------------------------------+--------------------------------------------------------------------------+--------
i+ | aaa_base                          | openSUSE Base Package                                                    | package
i+ | bash                              | The GNU Bourne-Again Shell                                               | package
i  | bash-sh                           | Handle behaviour of /bin/sh                                              | package
i  | boost-license1_82_0               | Boost License                                                            | package
i+ | ca-certificates                   | Utilities for system wide CA certificate installation                    | package
i+ | ca-certificates-mozilla           | CA certificates for OpenSSL                                              | package
i  | compat-usrmerge-tools             | UsrMerge tools                                                           | package
i+ | coreutils                         | GNU Core Utilities                                                       | package
i+ | cracklib-dict-small               | Small dictionary for cracklib, a password checking library               | package
i  | crypto-policies                   | System-wide crypto policies                                              | package
i+ | curl                              | A Tool for Transferring Data from URLs                                   | package
i+ | filesystem                        | Basic Directory Layout                                                   | package
i  | fillup                            | Tool for Merging Config Files                                            | package
i  | findutils                         | The GNU versions of find utilities (find and xargs)                      | package
i  | fips                              | FIPS 140-2 specific packages                                             | pattern
i  | gawk                              | Domain-specific language for text processing                             | package
i+ | glibc                             | Standard Shared Libraries (from the GNU C Library)                       | package
i+ | glibc-locale-base                 | en_US Locale Data for Localized Programs                                 | package
i  | gpg2                              | File encryption, decryption, signature creation and verification utility | package
i  | grep                              | Print lines matching a pattern                                           | package
i+ | gzip                              | GNU Zip Compression Utilities                                            | package
i  | krb5                              | MIT Kerberos5 implementation                                             | package
i  | libabsl2301_0_0                   | C++11 libraries which augment the C++ stdlib                             | package
i  | libacl1                           | A dynamic library for accessing POSIX Access Control Lists               | package
i  | libassuan0                        | IPC library used by GnuPG version 2                                      | package
i  | libattr1                          | A dynamic library for filesystem extended attribute support              | package
i  | libaugeas0                        | A library for changing configuration files                               | package
i  | libboost_thread1_82_0             | Boost.Thread runtime libraries                                           | package
i  | libbrotlicommon1                  | Common Library for Brotli Compression                                    | package
i  | libbrotlidec1                     | Library for Brotli Decompression                                         | package
i  | libbz2-1                          | The bzip2 runtime library                                                | package
i  | libcap2                           | Library for Capabilities (linux-privs) Support                           | package
i  | libcom_err2                       | E2fsprogs error reporting library                                        | package
i  | libcurl4                          | Library for transferring data from URLs                                  | package
i  | libfa1                            | Finite automaton library for Augeas                                      | package
i  | libffi8                           | Foreign Function Interface Library                                       | package
i  | libgcc_s1                         | C compiler runtime library                                               | package
i  | libgcrypt20                       | The GNU Crypto Library                                                   | package
i  | libglib-2_0-0                     | General-Purpose Utility Library                                          | package
i  | libgmp10                          | A library for calculating huge numbers                                   | package
i  | libgpg-error0                     | Library That Defines Common Error Values for All GnuPG Components        | package
i  | libgpgme11                        | Programmatic library interface to GnuPG                                  | package
i  | libidn2-0                         | Support for Internationalized Domain Names (IDN)                         | package
i  | libkeyutils1                      | Key utilities library                                                    | package
i  | libksba8                          | A X.509 Library                                                          | package
i  | libldap2                          | OpenLDAP Client Libraries                                                | package
i  | liblua5_4-5                       | The Lua integration library                                              | package
i  | liblz4-1                          | Hash-based predictive Lempel-Ziv compressor                              | package
i  | liblzma5                          | Lempel–Ziv–Markov chain algorithm compression library                    | package
i  | libmpfr6                          | The GNU multiple-precision floating-point shared library                 | package
i  | libncurses6                       | Terminal control library                                                 | package
i  | libnghttp2-14                     | Shared library for nghttp2                                               | package
i  | libnpth0                          | GNU Portable Threads library                                             | package
i  | libnss_usrfiles2                  | NSS usrfiles plugin for glibc                                            | package
i  | libopenssl3                       | Secure Sockets and Transport Layer Security                              | package
i  | libp11-kit0                       | Library to work with PKCS#11 modules                                     | package
i  | libpcre2-8-0                      | A library for Perl-compatible regular expressions                        | package
i  | libpopt0                          | A C library for parsing command line parameters                          | package
i  | libprocps8                        | The procps library                                                       | package
i  | libprotobuf-lite23_4_0            | Protocol Buffers - Google's data interchange format                      | package
i  | libproxy1                         | Automatic proxy configuration management for applications                | package
i  | libpsl5                           | C library for the Publix Suffix List                                     | package
i  | libreadline8                      | The Readline Library                                                     | package
i  | libsasl2-3                        | Simple Authentication and Security Layer (SASL) library                  | package
i  | libselinux1                       | SELinux runtime library                                                  | package
i  | libsigc-2_0-0                     | Typesafe Signal Framework for C++                                        | package
i  | libsolv-tools                     | Utilities to work with .solv files                                       | package
i  | libsqlite3-0                      | Shared libraries for the Embeddable SQL Database Engine                  | package
i  | libssh-config                     | SSH library configuration files                                          | package
i  | libssh4                           | SSH library                                                              | package
i  | libstdc++6                        | The standard C++ shared library                                          | package
i  | libsystemd0                       | Component library for systemd                                            | package
i  | libtasn1-6                        | ASN.1 parsing library                                                    | package
i  | libudev1                          | Dynamic library to access udev device information                        | package
i  | libunistring5                     | GNU Unicode string library                                               | package
i  | libusb-1_0-0                      | USB Library                                                              | package
i  | libverto1                         | Runtime libraries for libverto                                           | package
i  | libxml2-2                         | A Library to Manipulate XML Files                                        | package
i  | libyaml-cpp0_7                    | YAML parser and emitter in C++                                           | package
i  | libz1                             | Library implementing the DEFLATE compression algorithm                   | package
i  | libzck1                           | Zchunk library                                                           | package
i  | libzstd1                          | Zstd compression library                                                 | package
i  | libzypp                           | Library for package, patch, pattern and product management               | package
i+ | lsb-release                       | Linux Standard Base Release Tools                                        | package
i  | ncurses-utils                     | Tools using the new curses libraries                                     | package
i+ | netcfg                            | Network Configuration Files in /etc                                      | package
i+ | openssl                           | Secure Sockets and Transport Layer Security                              | package
i  | openssl-3                         | Secure Sockets and Transport Layer Security                              | package
i+ | openSUSE                          | openSUSE Tumbleweed                                                      | product
i+ | openSUSE-build-key                | The public gpg keys for rpm package signature verification               | package
i+ | openSUSE-release                  | openSUSE Tumbleweed                                                      | package
i+ | openSUSE-release-appliance-docker | openSUSE Tumbleweed                                                      | package
i  | p11-kit                           | Library to work with PKCS#11 modules                                     | package
i  | p11-kit-tools                     | Library to work with PKCS#11 modules -- Tools                            | package
i+ | patterns-base-fips                | FIPS 140-2 specific packages                                             | package
i  | pinentry                          | Collection of Simple PIN or Passphrase Entry Dialogs                     | package
i  | procps                            | The ps utilities for /proc                                               | package
i  | rpm                               | The RPM Package Manager                                                  | package
i  | rpm-config-SUSE                   | SUSE specific RPM configuration files                                    | package
i  | sed                               | A Stream-Oriented Non-Interactive Text Editor                            | package
i  | system-user-root                  | System user and group root                                               | package
i+ | tar                               | GNU implementation of ((t)ape (ar)chiver)                                | package
i  | terminfo-base                     | A terminal descriptions database                                         | package
i+ | timezone                          | Time Zone Descriptions                                                   | package
i  | xz                                | A Program for Compressing Files with the Lempel–Ziv–Markov algorithm     | package
i+ | zypper                            | Command line software manager using libzypp                              | package
```

mlandres commented 1 year ago
```console
 i  | fips   | FIPS 140-2 specific packages    pattern
```

The type column says it's the pattern fips, which is indeed installed, not the package.

```console
bee0de10134d:/ # zypper info pattern:fips
Loading repository data...
Reading installed packages...

Information for pattern fips:
-----------------------------
Repository      : openSUSE-Tumbleweed-Oss
Name            : fips
Version         : 20200505-42.1
Arch            : x86_64
Vendor          : openSUSE
Installed       : Yes (automatically)
Visible to User : Yes
Summary         : FIPS 140-2 specific packages
Description     : 
    This pattern installs the FIPS 140-2 specific packages that complete the various
    cryptographic modules in use. It is required if you want to run the
    machine with "fips=1".

    Please note that this pattern only enables FIPS 140-2 compliant operation, it does
    not directly make the system FIPS 140-2 certified nor validated.

    Please refer to SUSE official statements on the state of FIPS 140-2 certification.
Contents        : 
    S  | Name                  | Type    | Dependency
    ---+-----------------------+---------+-----------
       | dracut-fips           | package | Required
       | libcryptsetup12       | package | Required
       | libcryptsetup12-32bit | package | Required
       | libfreebl3            | package | Required
       | libfreebl3-32bit      | package | Required
    i  | libgcrypt20           | package | Required
       | libgnutls30           | package | Required
       | libgnutls30-32bit     | package | Required
       | libopenssl1_0_0       | package | Required
       | libopenssl1_0_0-32bit | package | Required
       | libopenssl1_1         | package | Required
       | libopenssl1_1-32bit   | package | Required
       | libsoftokn3           | package | Required
       | libsoftokn3-32bit     | package | Required
       | openssh-fips          | package | Required
    i+ | patterns-base-fips    | package | Required
       | strongswan-hmac       | package | Required
```

But the `Contents:` list is indeed something we should review. `pattern:fips` requires `patterns-base-fips`. The remaining packages are expanded requirements of `patterns-base-fips`, which is intended. But the required `dracut-fips` e.g. is indeed a conditional dependency (`dracut-fips if dracut`). Because `dracut` is not installed, the requirement is fulfilled without `dracut-fips` being installed. The truncated form shown in the table is pretty misleading.

bwoodsend commented 1 year ago

Ahh, I see. `zypper search` is juggling more than just packages. A `--type=package` flag gives me what I was really looking for.

It's slightly unfortunate that all 3 of the different types listed are 7 characters and start with p. I might have figured this out for myself if glancing at that Type column didn't have me thinking it's just `package` everywhere and ignoring it.

luc14n0 commented 1 year ago

Yeah, if someone doesn't know about Patterns beforehand, looking at Zypper's output without squinting our eyes will get us fooled, almost certainly :smile:
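
Added example, not part of the thread and not zypper's own code: a small awk-based filter for the two tables discussed above, for anyone scripting a package inventory or a FIPS check. It splits `zypper search --installed-only` rows by their Type column and lists `Required` entries of a pattern's Contents table that carry no `i` status. The sample rows are constructed from lines shown in this issue, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample: rows taken from this issue, trimmed to a narrow table.
sample_search() {
cat <<'EOF'
S  | Name               | Summary                      | Type
---+--------------------+------------------------------+--------
i  | fips               | FIPS 140-2 specific packages | pattern
i  | libgcrypt20        | The GNU Crypto Library       | package
i+ | openSUSE           | openSUSE Tumbleweed          | product
i+ | patterns-base-fips | FIPS 140-2 specific packages | package
EOF
}

# Constructed sample: part of the Contents table of `zypper info pattern:fips`.
sample_contents() {
cat <<'EOF'
    S  | Name               | Type    | Dependency
    ---+--------------------+---------+-----------
       | dracut-fips        | package | Required
    i  | libgcrypt20        | package | Required
       | openssh-fips       | package | Required
    i+ | patterns-base-fips | package | Required
EOF
}

# names_of_type TYPE (hypothetical helper): read a `zypper search` table on
# stdin and print the Name of every installed row whose Type equals TYPE.
names_of_type() {
  awk -F'|' -v want="$1" '
    NF >= 4 && $1 ~ /^ *i/ {
      name = $2; type = $NF
      gsub(/^ +| +$/, "", name); gsub(/^ +| +$/, "", type)
      if (type == want) print name
    }'
}

# missing_required (hypothetical helper): read a pattern Contents table on
# stdin and print Required entries whose status column is empty. Per the
# thread, such an entry may be a conditional requirement, not a broken one.
missing_required() {
  awk -F'|' '
    NF == 4 && $4 ~ /Required/ && $1 !~ /i/ {
      name = $2; gsub(/^ +| +$/, "", name); print name
    }'
}

echo "packages: $(sample_search | names_of_type package | tr '\n' ' ')"
echo "patterns: $(sample_search | names_of_type pattern | tr '\n' ' ')"
echo "required, not installed: $(sample_contents | missing_required | tr '\n' ' ')"
```

On a real system, pipe `zypper search --installed-only` or `zypper info pattern:fips` into the functions instead of the samples.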