Hi Tom,
On 2/14/25 10:01 AM, Tom Lane wrote:
> I see that somebody decided to crank up some animals running
> RHEL8 and RHEL9 with FIPS mode turned on. The RHEL9 animals
> pass on v17 and master, but not older branches; the RHEL8
> animals pass nowhere. This is unsurprising given that the
> v17-era commits that allowed our regression tests to pass
> under FIPS mode (795592865 and a bunch of others) explicitly
> targeted only OpenSSL 3:
>
> These new expected files currently cover the FIPS mode provided by
> OpenSSL 3.x as well as the modified OpenSSL 3.x from Red Hat (e.g.,
> Fedora 38), but not the modified OpenSSL 1.x from Red Hat (e.g.,
> Fedora 35). (The latter will have some error message wording
> differences.)
>
> I'm kind of disinclined to do all the work that'd be needed to turn
> these animals completely green, especially when the reason to do it
> seems to be that someone decided we should without any community
> consultation. Perhaps others have different opinions though.
That's my fault. I did a sloppy job copying configs etc from the s390x
fips animals and forgot about the OS versions, branches, etc. Peter
Eisentraut reminded me I think I cleaned that all up.
Regards,
Mark
