[fedora-arm] Fedora Linux 39 Final blocker status summary #2

Hi folks! We're still trying to get F39 done, so time for another
status update...

Action summary

Accepted blockers

1. curl - - ON_QA: QA to test and

2. distribution - - ASSIGNED:
maintainers to try and squeeze out any possible space savings, FESCo to

3. ghostscript - - ON_QA: QA to
test and karma

4. initial-setup - - ON_QA: QA (and
pwhalen, who reported the bug) to test and karma

5. mutter - - ASSIGNED: desktop
team to investigate and fix, now this is well triaged

6. shim - - NEW: stakeholders to
consider waiving again at go/no-go

7. uboot-tools - - ASSIGNED: ARM
team to investigate and fix

8. distribution - - NEW:
stakeholders to consider whether any 'fix' is realistic, implement if

Proposed blockers

1. anaconda - - POST: blocker
voters to vote, anaconda team to fix if accepted

Bug-by-bug detail

Accepted blockers

1. curl - - ON_QA
CVE-2023-38545 curl: a heap based buffer overflow in the SOCKS5 proxy
handshake [fedora-all]

The fix for this is in updates-testing and just needs testing and

2. distribution - - ASSIGNED
Fedora 39: Server boot aarch64 image exceeds maximum size

This image is oversize because of increases in the size of qualcomm
firmware. (The sizes of aarch64 and x86_64 images differ somewhat
because they include different firmware packages; x86_64 is fine ATM).
We can't drop the new firmware files (says pbrobinson) and I couldn't
see any obvious other place to save 6M when I looked at this. In any
case, the 700M size limit makes no practical sense for aarch64 (700M is
set as the limit because it's the size of a CD; hands up if you have an
aarch64 device with a CD-but-not-DVD drive!), and we are probably
reaching the limits of its usefulness as a protection against "bloat",
since linux-firmware is constantly increasing in size even if we don't
introduce any new "bloat" to the installer environment. So I've
proposed to bump the size limit to
1G for the aarch64 image at least. If FESCo goes for that proposal,
this would be addressed.

3. ghostscript - - ON_QA
CVE-2023-43115 ghostscript: GhostPDL can lead to remote code execution
via crafted PostScript documents [fedora-all]

The fix for this is in updates-testing and just needs testing and

4. initial-setup - - ON_QA
initial-setup text fails on hardware

The fix for this is in updates-testing and just needs testing and
karma. Especially it'd be great if pwhalen could test and confirm as he
reported the issue.

5. mutter - - ASSIGNED
Netinstall ISO renders a black screen when using kickstart install
(bare metal and VM)

I've managed to narrow this down to a specific mutter pull request
which caused the problem, and found a small change (discovered by
someone from upstream to address a different symptom) that avoids this
bug. Now up to the desktop team to decide what the best real fix is.

6. shim - - NEW
Live image made with BOOTX64.EFI from latest shim-x64-15.6-2 fails to
boot on some boards

Sadly we will probably have to waive this one more time, at this point
in the cycle it's not realistic to start backporting kernel changes.

7. uboot-tools - - ASSIGNED
Fedora-Workstation-39_Beta-1.1 boots to a black screen on Raspberry Pi

pbrobinson has said he's working on this, unless anyone else expert in
uboot-tools stuff wants to help, not much more to be done.

8. distribution - - NEW
dnf system-upgrade fails on some RPi4 due to system boot date that pre-
dates gpg key

We seem to have developed a pretty good understanding of this one now,
but based on that understanding, it may not be realistically possible
to "fix" it - the only interventions proposed so far that might "fix"
it seem rather too radical to introduce as updates to a stable release
(F38), which is where they'd have to go. Unless anyone has a bright
idea, we might just have to accept that this isn't realistically
fixable and waive it to be addressed with documentation.

Proposed blockers

1. anaconda - - POST
anaconda should allow installations on drives providing installation

This is at -3, +1 in voting currently. Needs more votes. If it happens
to be accepted, anaconda team would have to decide on a fix.
