Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tj00R-004iRC-7u for pgsql-hackers@arkaria.postgresql.org; Fri, 14 Feb 2025 18:01:39 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1tj00P-00CiJr-CJ for pgsql-hackers@arkaria.postgresql.org; Fri, 14 Feb 2025 18:01:37 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tj00P-00CiJj-31 for pgsql-hackers@lists.postgresql.org; Fri, 14 Feb 2025 18:01:37 +0000 Received: from sss.pgh.pa.us ([68.162.161.243]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1tj00N-000oM2-1U for pgsql-hackers@lists.postgresql.org; Fri, 14 Feb 2025 18:01:36 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 51EI1WfL3880580; Fri, 14 Feb 2025 13:01:32 -0500 From: Tom Lane To: pgsql-hackers@lists.postgresql.org cc: buildfarm@enterprisedb.com Subject: New buildfarm animals with FIPS mode enabled MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <3880578.1739556092.1@sss.pgh.pa.us> Date: Fri, 14 Feb 2025 13:01:32 -0500 Message-ID: <3880579.1739556092@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk I see that somebody decided to crank up some animals running RHEL8 and RHEL9 with FIPS mode turned on. The RHEL9 animals pass on v17 and master, but not older branches; the RHEL8 animals pass nowhere. This is unsurprising given that the v17-era commits that allowed our regression tests to pass under FIPS mode (795592865 and a bunch of others) explicitly targeted only OpenSSL 3: These new expected files currently cover the FIPS mode provided by OpenSSL 3.x as well as the modified OpenSSL 3.x from Red Hat (e.g., Fedora 38), but not the modified OpenSSL 1.x from Red Hat (e.g., Fedora 35). (The latter will have some error message wording differences.) I'm kind of disinclined to do all the work that'd be needed to turn these animals completely green, especially when the reason to do it seems to be that someone decided we should without any community consultation. Perhaps others have different opinions though. Thoughts? regards, tom lane