From Fedora Project Wiki
(Added me, myself and I)
No edit summary
 
(18 intermediate revisions by 2 users not shown)
Line 25: Line 25:
== Summary ==
== Summary ==


The proposed change is about deprecating libidn, which supports IDNA2003, and switch all applications using libidn, to libidn2 2.0, which supports IDNA2008.
The proposed change is about deprecating libidn, which supports IDNA2003, and switch all applications using libidn, to [https://gitlab.com/libidn/libidn2/tags/libidn2-2.0.0 libidn2 2.0.0], which supports IDNA2008.


== Owner ==
== Owner ==
* Name: [[User:nmav|Nikos Mavrogiannopoulos]], [[User:robert|Robert Scheck]]
* Name: [[User:nmav|Nikos Mavrogiannopoulos]], [[User:robert|Robert Scheck]]
* Email:  nmav@redhat.com, robert@fedoraproject.org
* Email:  nmav@redhat.com, robert@fedoraproject.org
* Release notes owner: <!--- To be assigned by docs team [[User:FASAccountName| Release notes owner name]] <email address> -->
* Release notes ticket: [https://pagure.io/fedora-docs/release-notes/issue/90 #90]
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address>
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address>
Line 40: Line 40:


== Current status ==
== Current status ==
* Targeted release: [[Releases/27 | Fedora 27 ]]  
* Targeted release: [[Releases/28 | Fedora 28 ]]  
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}  
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}  
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page  
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page  
Line 50: Line 50:
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development
-->
-->
* Tracker bug: <will be assigned by the Wrangler>
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=1445151 #1445151]
 
* Package conversion tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=1439723 #1439723]


== Detailed Description ==
== Detailed Description ==
Line 56: Line 58:
Internationalized domain names exist for quite some time (IDNA2003), although the protocols describing them have evolved in an incompatible way (IDNA2008). These incompatibilities will prevent applications written for IDNA2003 to access certain problematic domain names defined with IDNA2008, e.g., faß.de is translated to domain xn--fa-hia.de with IDNA2008, while in IDNA2003 it is translated to fass.de domain. That not only causes incompatibility problems, but may be used as an attack vector to redirect users to different web sites.
Internationalized domain names exist for quite some time (IDNA2003), although the protocols describing them have evolved in an incompatible way (IDNA2008). These incompatibilities will prevent applications written for IDNA2003 to access certain problematic domain names defined with IDNA2008, e.g., faß.de is translated to domain xn--fa-hia.de with IDNA2008, while in IDNA2003 it is translated to fass.de domain. That not only causes incompatibility problems, but may be used as an attack vector to redirect users to different web sites.


The proposed change is about deprecating libidn, which supports IDNA2003, and switch all applications using libidn, to libidn2 2.0, which supports IDNA2008. The switch should be transparent as the libidn2 library is API compatible.
The proposed change is about deprecating libidn, which supports IDNA2003, and switch all applications using libidn, to [https://gitlab.com/libidn/libidn2/tags/libidn2-2.0.0 libidn2 2.0.0], which supports IDNA2008. The switch should be transparent as the libidn2 library is API compatible.
 
Note that even in the web browsers, field there is much confusion on the topic. [https://bugs.chromium.org/p/chromium/issues/detail?id=505262 Chromium appears to use IDNA2008 transitional] (i.e., IDNA2003 mapping for the problematic characters), while Firefox and Safari have already moved to IDNA2008.  


For more information see:
For more information see:
https://www.plesk.com/blog/what-is-the-problem-with-s/
* http://nmav.gnutls.org/2017/04/the-mess-with-internationalized-domain.html
http://unicode.org/faq/idn.html#6
* https://www.plesk.com/blog/what-is-the-problem-with-s/
* http://unicode.org/faq/idn.html#6


== Benefit to Fedora ==
== Benefit to Fedora ==
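Review bot: the added browser note has a misplaced comma, "in the web browsers, field there is much confusion"; it should read "in the web browser field there is much confusion". The statement that Chromium "appears to use IDNA2008 transitional" is also a point-in-time observation, so consider dating it or pointing to the linked Chromium issue as the source of truth.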
Line 74: Line 79:
  * Verify that their software is linked with the libidn library
  * Verify that their software is linked with the libidn library
  * Update the software from upstream if it already has been converted to libidn2
  * Update the software from upstream if it already has been converted to libidn2
* [https://libidn.gitlab.io/libidn2/manual/libidn2.html#Converting-from-libidn Check the libidn2 instructions on converting a package to libidn2.]
  * Propose patches (trivial task) to convert to libidn2, and notify upstream about it.
  * Propose patches (trivial task) to convert to libidn2, and notify upstream about it.


To switch software from libidn to libidn2, it is sufficient replacing idna.h header with idn2.h
In short switch software from libidn to libidn2, it is sufficient replacing idna.h header with idn2.h.




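Review bot: the reworded closing sentence, "In short switch software from libidn to libidn2, it is sufficient replacing idna.h header with idn2.h.", no longer parses; suggest "In short, to switch software from libidn to libidn2, it is sufficient to replace the idna.h header with idn2.h." The newly added link bullet also starts with "* " while its siblings use "  * ", so it will not render at the same list level as the other maintainer steps.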
Line 85: Line 91:


** [[Fedora_Program_Management/ReleaseBlocking/Fedora{{FedoraVersionNumber|next}}|List of deliverables]]:
** [[Fedora_Program_Management/ReleaseBlocking/Fedora{{FedoraVersionNumber|next}}|List of deliverables]]:
<!-- Please check the list of Fedora release deliverables and list all the differences the feature brings -->
This will bring:
This will bring:
  * An updated libidn2 library in Fedora 27 (2.0 or later)
  * <s>An updated libidn2 library in Fedora 27 (2.0.0 or later)</s> - already in F25
  * A switch of all applications to libidn2
  * A switch of all applications to libidn2
  * libidn will be deprecated but not removed as applications may explicitly require IDNA2003 support (e.g., for compatibility)
  * libidn will be deprecated but not removed as applications may explicitly require IDNA2003 support (e.g., for compatibility)
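Review bot: the struck-through deliverable still names "Fedora 27" although this same revision retargets the change to Fedora 28. Rather than striking the line and appending "- already in F25", restate it without a target release (for example "libidn2 2.0.0 or later, already available since F25") so the deliverables list does not carry a stale release number.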
Line 102: Line 107:


== How To Test ==
== How To Test ==
  * Verify whether access to 'faß.de' resolves to 'xn--fa-hia.com'; that is application dependent
  * Verify whether access to 'faß.de' resolves to 'xn--fa-hia.de'; that is application dependent


== User Experience ==
== User Experience ==
Line 137: Line 142:
The Fedora system switches libidn users from IDNA2003 to IDNA2008.
The Fedora system switches libidn users from IDNA2003 to IDNA2008.


[[Category:ChangePageIncomplete]]
 
[[Category:ChangeAcceptedF28]]
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->

Latest revision as of 14:51, 2 March 2018


Switch libidn-using applications to IDNA2008

Summary

The proposed change deprecates libidn, which supports IDNA2003, and switches all applications using libidn to libidn2 2.0.0, which supports IDNA2008.

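Owner

  • Name: Nikos Mavrogiannopoulos, Robert Scheck
  • Email: nmav@redhat.com, robert@fedoraproject.org
  • Release notes ticket: #90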

Current status

  • Targeted release: Fedora 28
  • Tracker bug: #1445151
  • Package conversion tracker bug: #1439723

Detailed Description

Internationalized domain names have existed for quite some time (IDNA2003), although the protocols describing them have evolved in an incompatible way (IDNA2008). These incompatibilities prevent applications written for IDNA2003 from accessing certain problematic domain names defined with IDNA2008; e.g., faß.de is translated to the domain xn--fa-hia.de with IDNA2008, while with IDNA2003 it is translated to the domain fass.de. That not only causes incompatibility problems, but may also be used as an attack vector to redirect users to different web sites.

The proposed change deprecates libidn, which supports IDNA2003, and switches all applications using libidn to libidn2 2.0.0, which supports IDNA2008. The switch should be transparent as the libidn2 library is API compatible.

Note that even in the web browser field there is much confusion on the topic. Chromium appears to use IDNA2008 transitional (i.e., IDNA2003 mapping for the problematic characters), while Firefox and Safari have already moved to IDNA2008.

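For more information see:

  • http://nmav.gnutls.org/2017/04/the-mess-with-internationalized-domain.html
  • https://www.plesk.com/blog/what-is-the-problem-with-s/
  • http://unicode.org/faq/idn.html#6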

Benefit to Fedora

The transparent nature of the switch ensures that application users will benefit from the switch to the new protocol, avoid any incompatibilities with certain parts of the domain system, and be protected from attacks on the domain system related to IDNA2003 and IDNA2008 incompatibilities.

Scope

  • Proposal owners:

The proposal owner is expected to co-ordinate and file the required bugs on the distribution.

  • Other developers:

Maintainers should:

* Verify that their software is linked with the libidn library
* Update the software from upstream if it already has been converted to libidn2
* Check the libidn2 instructions on converting a package to libidn2.
* Propose patches (trivial task) to convert to libidn2, and notify upstream about it.

In short, to switch software from libidn to libidn2, it is sufficient to replace the idna.h header with idn2.h.


This feature requires no action from release engineering.

This will bring:

* An updated libidn2 library in Fedora 27 (2.0.0 or later) - already in F25
* A switch of all applications to libidn2
* libidn will be deprecated but not removed as applications may explicitly require IDNA2003 support (e.g., for compatibility)
  • Policies and guidelines:

Currently Fedora has no guidelines for IDNA support. With this change the recommended guideline for applications would be to support IDNA2008 by default.

  • Trademark approval:

N/A (not needed for this Change)

Upgrade/compatibility impact

This will not have any upgrade/compatibility impact.


How To Test

* Verify whether access to 'faß.de' resolves to 'xn--fa-hia.de'; that is application dependent
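
The divergence this test looks for can be reproduced offline. The following is an added example, not part of the Fedora change page or of libidn/libidn2: it uses Python's built-in `idna` codec (which implements IDNA2003) and a simplified Punycode-based stand-in for an IDNA2008 lookup to flag hostnames that the two protocols map to different domains. The function names and the sample hostnames are constructed for illustration, and the IDNA2008 side performs no RFC 5892 code point validation.

```python
import unicodedata

# Code points that IDNA2003 maps away but IDNA2008 keeps (the "deviation"
# characters of Unicode UTS #46); the eszett in faß.de is one of them.
DEVIATIONS = {"\u00df": "LATIN SMALL LETTER SHARP S",
              "\u03c2": "GREEK SMALL LETTER FINAL SIGMA",
              "\u200c": "ZERO WIDTH NON-JOINER",
              "\u200d": "ZERO WIDTH JOINER"}


def to_ascii_idna2003(host):
    """IDNA2003 ToASCII, as done by Python's built-in 'idna' codec (RFC 3490)."""
    return host.encode("idna").decode("ascii")


def to_ascii_idna2008_simplified(host):
    """Assumption: simplified stand-in for an IDNA2008 lookup.

    NFC-normalise and lower-case, then Punycode each non-ASCII label.
    No RFC 5892 code point validation is performed.
    """
    labels = []
    for label in unicodedata.normalize("NFC", host).lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def audit(host):
    """Report both conversions and whether they name different domains."""
    old = to_ascii_idna2003(host)
    new = to_ascii_idna2008_simplified(host)
    present = set(host) & set(DEVIATIONS)
    return {"host": host, "idna2003": old, "idna2008": new,
            "diverges": old != new,
            "deviation_chars": sorted(DEVIATIONS[c] for c in present)}


if __name__ == "__main__":
    # Constructed sample input: the page's example, an IDN without
    # deviation characters, and a plain ASCII control.
    for name in ("faß.de", "bücher.de", "example.com"):
        print(audit(name))
```

A hostname reported with `diverges` set is one where an application still linked against libidn and one converted to libidn2 would contact different domains.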

User Experience

This should not have a noticeable user experience impact. Users impacted are the ones already using IDNA2003, though given the current state of the protocol, and the fact that registrars and NICs already support IDNA2008, this experience is already broken.

Dependencies

All packages depending on libidn: cone, echoping, fedfs-utils-lib, finch, freeDiameter, getdns, ghostscript-core, gloox, hesiod, iris, jabberd, kdelibs3, lftp, libcurl, libgsasl, libpsl, libpurple, loudmouth, perdition, php-pecl-http, swiften, systemd


Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No
  • Blocks product? product

Documentation

N/A (not a System Wide Change)

Release Notes

The Fedora system switches libidn users from IDNA2003 to IDNA2008.