#42 Remove F26 content
Merged 6 years ago by sclark. Opened 6 years ago by sclark.
fedora-docs/ sclark/release-notes no-f26  into  f27

@@ -3,30 +3,3 @@ 

  

  [[sect-desktop]]

  == Desktop

- 

- [[sect-desktop-gnome3.24]]

- === GNOME 3.24: Portland

- 

- The GNOME 3 desktop environment has been upgraded to GNOME 3.24. This new version includes a number of major new features and enhancements, as well as many smaller improvements and bug fixes:

- 

- * Night Light is a new feature that subtly changes the screen color according to the time of day, which can help to reduce sleeplessness if you use your computer at night.

- 

- * Weather information is now included in the notifications area to show a simple summary of the day’s weather, and links to the Weather application.

- 

- * Other GNOME applications that have been improved for 3.24 include Web, Photos, Polari, Games, Calendar and the Calculator.

- 

- More detailed information about GNOME 3.24 can be found in the link:++https://help.gnome.org/misc/release-notes/3.24/++[release notes].

- 

- [[sect-desktop-lxqt-spin]]

- === New Spin: LXQt Desktop

- 

- Fedora LXQt provides a lightweight, well-integrated LXQt desktop environment. In addition to LXQt itself, it provides a small, well selected collection of applications, such as the [application]*QupZilla* browser, which combines the rendering engine frtom [application]*Chromium* with a nice Qt experience. As all applications use the same Qt5 toolkit and the Breeze theme known from KDE, the desktop provides a unified and well-integrated style and theming. In addition, [package]*breeze-gtk* is provided to allow the user to integrate GTK applications too.

- 

- The LXQt Desktop spin is available for download from link:++http://spins.fedoraproject.org/++[http://spins.fedoraproject.org/].

- 

- To contact other LXQt users and maintainers of the LXQt spin, connect to the `#fedora-lxqt` IRC channel on irc.freenode.net or send an email to the LXQt List at link:++https://admin.fedoraproject.org/mailman/listinfo/users++[users@lists.fedoraproject.org].

- 

- [[sect-desktop-fontconfig-cache]]

- === Fontconfig Cache Moved to /usr

- 

- Prior to this update, the [package]*fontconfig* cache files were placed in the `/var/cache/fontconfig` directory. This location was incompatible with the `OStree` model used by Fedora Atomic, which prevented using the same package for Atomic and other Fedora variants. To fix this incompatibility, the cache files have been moved to `/usr/lib/fontconfig/cache`.
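
Review bot: After this hunk `== Desktop` keeps only its `[[sect-desktop]]` anchor and heading (the new range is `+3,3`), so the f27 branch is left with an empty Desktop section until new content lands. Consider adding a short placeholder or an AsciiDoc comment under the heading. The three removed anchors (`sect-desktop-gnome3.24`, `sect-desktop-lxqt-spin`, `sect-desktop-fontconfig-cache`) are also worth searching for in the rest of the book so that no cross-reference is left dangling.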

file modified
-5
@@ -3,8 +3,3 @@ 

  

  [[sect-i18n]]

  == Internationalization

- 

- [[sect-i18n-pinyin]]

- === libpinyin 2.0

- 

- libpinyin 2.0 helps Chinese Pinyin users to increase their input speed by needing fewer key presses. ibus-libpinyin with libpinyin 2.0 provides 1-3 sentence candidates and improves the dictionary. Also the libpinyin license has changed to GPLv3+.

@@ -3,17 +3,3 @@ 

  

  [[sect-networking]]

  == Networking

- 

- [[sect-networking-openvpn]]

- === OpenVPN Rebased to Version 2.4.3

- 

- [application]*OpenVPN* has been rebased to version 2.4.3. This update adds many improvements, notably improved elliptic curve cryptography support (`ECDH`), support for `AES-GCM`, and additional encryption layer of the control channel (the [option]`--tls-crypt` option), and a type of cipher negotiation which allows for gradually upgrading client ciphers to stronger ones without significant added complexity. Additionally, there is now a seamless client IP and port available, allowing clients to change their IP address or port without having to fully renegotiate an established tunnel.

- 

- For a full list of changes in this version, see the link:++https://github.com/OpenVPN/openvpn/blob/v2.4.3/Changes.rst++[upstream changelog on GitHub].

- 

- Overall integration with [application]*systemd* has also improved, and systemd can now better manage OpenVPN processes. This update ships with brand new systemd unit files, which add additional security hardening. These new unit files are preferred over the old `openvpn@.service` file. The same unit files are used in other Linux distributions which use systemd, ensuring a more consistent behavior and usage between different systemd-based systems. See installed documentation in `/usr/share/doc/openvpn/README.systemd` for more information about this topic.

- 

- .Additional Notes

- In other changes, Certificate Revocation List (`CRL`) checking is now done by [command]`SSL` libraries directly. These libraries have a far more strict acceptance policy than the approach previously used in OpenVPN. For example, if your CRL file has expired, this will have an impact on every user, regardless of whether their certificates are revoked or not.

- 

- Additionally, OpenVPN in Fedora 26 currently use the [package]*compat-openssl10* and [package]*compat-openssl10-pkcs11-helper* compatibility packages, which are considered to be a workaround until more thorough testing can be done on OpenSSL 1.1, which has only been introduced in OpenVPN recently. In a later update, the OpenVPN package is expected to be upgraded to make use of the newer [package]*openssl-1.1* library.
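
Review bot: The last removed paragraph says OpenVPN is "expected to be upgraded to make use of the newer" openssl-1.1 library "in a later update", and nothing in this hunk records whether that has happened. If the move away from `compat-openssl10` lands in F27, the f27 branch needs a replacement entry under `== Networking`; if it has not, the workaround note is still current and should stay in some form. The `.Additional Notes` paragraph about an expired CRL affecting every user describes behaviour of the rebased OpenVPN rather than of Fedora 26 itself, so a one-line pointer to it may be worth keeping for readers upgrading from an older release.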

@@ -1,22 +1,5 @@ 

- [[sect-containers]]

  

  include::en-US/entities.adoc[]

  

+ [[sect-containers]]

  == Containers

- 

- [[overlay2-for-docker]]

- === OverlayFS is now default for Docker

- 

- The default storage option for Docker is now OverlayFS via the Overlay2 driver, which provides better performance. Overlay2 provides performance advantages in memory sharing compared to devicemapper. Additionally, support for SELinux for the Overlay file systems have been added.

- 

- [NOTE]

- ===

- Overlay is not a POSIX-compliant file system and there could be problems with running containers on Overlay. Therefore, you can easily switch back to devicemapper in these cases. For more information about switching storage options, check the documentation for the [command]`atomic storage` commands.

- ===

- 

- Upgraded systems will not be affected.

- 

- [[docker-sdk-for-python-version-2]]

- === Docker SDK for Python, version 2

- 

- A new version of Docker SDK for Python, the Python library which communicates with the Docker engine API, has been added to Fedora 26. It provides a new, high-level, user-focused API provided as `docker.DockerClient`. This obsoletes the existing [package]*python-docker-py* package. The functionality is now provided by the [package]*python2-docker* and [package]*python3-docker* packages. The `docker.Client` class has been renamed to `docker.APIClient`. Note that the version 2 of Docker SDK is not backwards compatible with the versions earlier than 1.10.6 of the library.
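
Review bot: The top of this hunk moves `[[sect-containers]]` from above `include::en-US/entities.adoc[]` to directly above `== Containers`, which is a structural fix rather than F26 content removal. It matches the anchor-then-heading layout visible in the other files in this PR, so the change looks right, but it should be mentioned in the commit message so it is not lost in a removal-only commit.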

@@ -3,10 +3,3 @@ 

  

  [[sect-boost]]

  == Boost

- 

- [[sect-boost-boost163]]

- === Boost 1.63

- 

- Boost has been upgraded to version 1.63. Apart from a number of bugfixes and improvements to existing libraries, this brings six new libraries compared to Fedora 25: Boost.Compute, Boost.DLL, Boost.Hana, Boost.Metaparse, Boost.Fiber and Boost.QVM.

- 

- For more information, see the link:++http://www.boost.org/users/history/version_1_63_0.html++[Boost 1.63 Release Notes].

@@ -3,31 +3,3 @@ 

  

  [[sect-c]]

  == C

- 

- [[sect-gcc-gcc7]]

- === GNU Compiler Collection (GCC) Rebased to 7.1

- 

- The [application]*GNU Compiler Collection (GCC)* has been rebased to version 7.1, a major new release that provides a number of new features as well as many improvements and bugfixes. In addition to offering the new GCC to developers, Fedora packages have been recompiled using the new version. See link:++http://gcc.gnu.org/gcc-7/changes.html++[Changes, New Features, and Fixes in the GCC 7 Release Series].

- 

- Developers should see link:++https://gcc.gnu.org/gcc-7/porting_to.html++[Porting to GCC 7] for detailed information on how to update their codebases to work with the new compilers.

- 

- [[sect-c-glibc-2-25]]

- === The GNU C Library Version 2.25

- 

- The GNU C Library in Fedora 26 has been rebased to version 2.25, which brings many improvements and bug fixes over the previous version. Notable changes include:

- 

- * Additional support for floating-point extensions for C (TS 18661-1:2014) including new functions like `strfromd`, `strfromf`, and `strfroml`.

- 

- * The function `explicit_bzero`, from OpenBSD, has been added to `libc`. It is intended to be used instead of `memset()` to erase sensitive data after use.

- 

- * The `getentropy` and `getrandom` functions, and the `<sys/random.h>` header file, have been added.

- 

- * GDB pretty printers have been added for `mutex` and `condition` variable structures in POSIX Threads.

- 

- * Tunables feature added to allow tweaking of the runtime for an application program.

- 

- * New improved algorithms for condition variables and read-write locks for POSIX Threads.

- 

- * Security fixes for link:++https://nvd.nist.gov/vuln/detail/CVE-2016-6323++[CVE-2016-6323], and link:++https://nvd.nist.gov/vuln/detail/CVE-2015-5180++[CVE-2015-5180].

- 

- Detailed release are available as part of the link:++https://sourceware.org/ml/libc-alpha/2017-02/msg00079.html++[upstream release notice].

@@ -3,8 +3,3 @@ 

  

  [[sect-d]]

  == D

- 

- [[sect-d-ldc]]

- === LLVM-based D Compiler (LDC) v1.1.0

- 

- The LDC D compiler has been updated to version 1.1.0. More information about this release is contained in the link:++https://github.com/ldc-developers/ldc/releases/tag/v1.1.0++[LDC 1.1.0 release note].

@@ -3,15 +3,3 @@ 

  

  [[sect-development-go]]

  == Go

- 

- [[sect-development-golang]]

- === Golang 1.8

- 

- The latest Go release, version 1.8, brings changes to the implementation of the toolchain, runtime, and libraries. There are also two minor changes to the language specification. This release maintains the Go v1 promise of compatibility and so the Go Project expects almost all Go programs to continue to compile and run as before.

- 

- More detail can be found in the link:++https://tip.golang.org/doc/go1.8++[Go 1.8 Release Notes].

- 

- [[sect-development-golang-pie]]

- === Golang Buildmode PIE

- 

- Fedora 26 changes the default build mode for golang in Fedora packaging macros to `buildmode=pie`, which results in the production of _Position Independent Executables_. Also, the Fedora hardned linker flags are passed to the external linker, reducing the vulnerability of the generated binaries.

@@ -3,10 +3,3 @@ 

  

  [[sect-haskell]]

  == Haskell

- 

- [[sect-development-ghc80]]

- === Glasgow Haskell Complier v8.0

- 

- The Glasgow Haskell Compiler (GHC) has been upgraded from version 7.10 to version 8.0.2, all Haskell packages in Fedora have been rebuilt and many have been updated. This GHC release brings much improved support for aarch64, ppc64, and ppc64le as well as many new features, fixes, and improvements.

- 

- More information about the new features in GHC version 8 can be found in the release notes for versions link:++https://downloads.haskell.org/~ghc/8.0.2/docs/html/users_guide/8.0.1-notes.html++[8.0.1] and link:++https://downloads.haskell.org/~ghc/8.0.2/docs/html/users_guide/8.0.2-notes.html++[8.0.2].

@@ -3,40 +3,3 @@ 

  

  [[sect-python]]

  == Python

- 

- [[sect-python-3-6]]

- === Python 3.6

- 

- Python 3.6 will be the default Python 3 stack in Fedora 26. This is an upgrade from 3.5 which was included in Fedora 25. All packages which depend on Python 3 must be rebuilt. User-written Python 3 scripts and applications may require a small amount of porting; however, Python 3.5 is forward compatible with Python 3.6 for the most part.

- 

- Notable new features include:

- 

- * Formatted string literals (f-strings): `f"This will be evaluated to foo's value: {foo}"`

- 

- * The order of elements in `+**kwargs: keyword+` arguments now preserve their order

- 

- * The new `secrets` module provides handy helpers for secure token generation in various formats

- 

- * Underscores in numeric literals let you break up magic constants to make them easier to read: `1_000_000`

- 

- * File system path protocol: Many more standard library APIs, including the builtin `open()`, now support `pathlib.Path` and `pathlib.PurePath` objects

- 

- * A range of performance improvements.

- 

- For more detailed information see the link:++https://fedoramagazine.org/python-3-6-0-fedora-26/++[Fedora Magazine announcement article] or the link:++https://docs.python.org/3.6/whatsnew/3.6.html++[upstream release notes]. Note the link:++https://docs.python.org/3.6/whatsnew/3.6.html#porting-to-python-3-6++[Porting to Python 3.6] section, which lists important information for developers who need to port their Python 3.5 applications.

- 

- [[sect-python-classrom]]

- === Python Classroom Lab

- 

- Fedora 26 brings in a new Python Classroom Lab. A variant of Fedora targeted at teachers and students of the Python programming langugae. A ready to use environment with Python, PyPy 3, virtualenv, tox, git, Jupyter Notebook and more. It's ready in three variants: as a GNOME powered desktop or headless for Vagrant and Docker.

- 

- Find out more about the Python Classroom Lab on the link:++https://labs.fedoraproject.org/en/python-classroom/++[Fedora Labs] website.

- 

- [[sect-python-cutf8-locale]]

- === Python 3 C.UTF-8 locale

- 

- An ongoing challenge within the Python 3 series has been determining a sensible default strategy for handling the “7-bit ASCII” text encoding assumption currently implied by the use of the default C locale.

- 

- Starting with Fedora 26, the Fedora system Python includes a backport of Python 3.7's upcoming link:++https://docs.python.org/dev/whatsnew/3.7.html#pep-538-legacy-c-locale-coercion++[locale coercion] feature, which means the Python 3 stack will automatically coerce the C locale to C.UTF-8 by setting the `LC_CTYPE` environment variable (if neither it nor `LC_ALL` are already set) before configuring the process locale. Automatically setting `LC_CTYPE` this way means that both the core interpreter and locale-aware C extensions (such as `readline`) will assume the use of UTF-8 as the default text encoding, rather than ASCII.

- 

- Full details of this new Python feature are contained in link:++https://www.python.org/dev/peps/pep-0538/++[PEP 538 -- Coercing the legacy C locale to a UTF-8 based local].

@@ -3,20 +3,3 @@ 

  

  [[sect-ruby]]

  == Ruby

- 

- [[sect-ruby-ruby24]]

- === Ruby 2.4

- 

- Ruby 2.4 is the latest stable version of Ruby. Many new features and improvements are included, for example:

- 

- * hash table improvements

- 

- * unify Fixnum and Bignum into Integer

- 

- * String supports Unicode case mappings

- 

- * performance and debugging improvements

- 

- Ruby 2.4 includes updates to soname and so Ruby packages that use binary extensions should be rebuilt. Nevertheless, since the Ruby community paid great attention to source compatibility, no changes to your code are needed.

- 

- More information about Ruby 2.4 can be found in the Ruby community's link:++https://www.ruby-lang.org/en/news/2016/12/25/ruby-2-4-0-released/++[ Ruby 2.4.0 Release Notes].

@@ -3,15 +3,3 @@ 

  

  [[sect-development-tools]]

  == Development Tools

- 

- [[sect-pkgconf]]

- === pkgconf as System pkg-config Implementation

- 

- In Fedora 26, the pkg-config implementation has been switched to pkgconf. This is a newer, actively-maintained implementation of pkg-config that offers more advanced support for `.pc` files and provides a library interface for developers to integrate pkg-config processing into their applications.

- 

- More information about pkgconf can be found at link:++http://pkgconf.org/++[pkgconf.org].

- 

- [[sect-development-tools-coredumpctl]]

- === Enable systemd-coredump by Default

- 

- By default, core dumps from crashing programs are now stored by systemd-coredump, rather than created in the crashing process's current working directory by ABRT. They may be extracted using the `coredumpctl` tool. For example, simply run `coredumpctl{nbsp}gdb` to view a backtrace for the most recent crash in gdb. For more information on this change, refer to the manpages `coredumpctl(1)`, `systemd-coredump(8)`, and `coredump.conf(5)`.

@@ -3,19 +3,3 @@ 

  

  [[sect-web-development]]

  == Web Development

- 

- [[webdev_php]]

- === PHP 7.1

- 

- The popular web development language PHP has been upgraded from 7.0 to 7.1 for Fedora 26. Pacakges providing extensions to PHP have been rebuilt to use the new release; developers using extensions from non-packaged sources should update them. While most common PHP applications should be able to use the new release without issue, impacted developers should review the links below for information provided by upstream PHP about the upgrade.

- 

- * link:++http://php.net/manual/en/migration71.php++[Migrating from PHP 7.0.x to PHP 7.1.x]

- 

- * link:++https://raw.githubusercontent.com/php/php-src/PHP-7.1/UPGRADING++[PHP 7.1 UPGRADE NOTES]

- 

- * link:++https://raw.githubusercontent.com/php/php-src/PHP-7.1/UPGRADING.INTERNALS++[PHP 7.1 INTERNALS UPGRADE NOTES]

- 

- [[webdev_zend]]

- === Zend Framework 3.0

- 

- Fedora 26 offers the latest version 3 of the popular PHP framework, `Zend`. Zend 3 offers increased performance, support for PHP 7, improved link:++https://docs.zendframework.com/++[project documentation], and more. For detailed information, refer to the upstream release announcement at link:++https://framework.zend.com/blog/2016-06-28-zend-framework-3.html++[Zend Framework 3 Released!] or their link:++https://docs.zendframework.com/tutorials/migration/to-v3/overview/++[migration guides].

@@ -3,78 +3,3 @@ 

  

  [[sect-installation]]

  == Installation

- 

- [[sect-installation-anaconda]]

- === Anaconda Changes

- 

- This section covers changes in the [application]*Anaconda* installer, including changes in the graphical and text mode interactive installers, Kickstart, and installer boot options.

- 

- [[sect-installation-anaconda-gui]]

- ==== Changes in the Graphical Interface

- 

- * A new, alternate partitioning interface provided by the the [application]*blivet-gui* tool is now available in the manual partitioning screen. Unlike the existing partitioning interface, [application]*blivet-gui* allows you to configure partitioning from the "bottom up": for example, in case of LVM you first create physical volumes, then a volume group, and then logical volumes, while in the old interface, you start with logical volumes and everything else is created automatically at first.

- +

- The previous partitioning interface continues to be available as alongside the new one. For additional information, see the link:++https://fedoraproject.org/wiki/Changes/AnacondaBlivetGUI++[Fedora Project Wiki].

- 

- * The installer now shows more detailed indication of current progress during all phases of the installation.

- 

- [[sect-installation-anaconda-tui]]

- ==== Changes in the Text Mode Interface

- 

- * The text mode interface now supports setting up IP over Inifiniband IPoIB connections in the Networking screen.

- 

- * The built-in help system, which was previously available in the graphical installation interface, has been extended to the text mode interface.

- 

- * The [application]*Initial Setup* post-setup text mode interface now runs on all available consoles.

- 

- [[sect-installation-kickstart]]

- ==== Kickstart Changes

- 

- * A new command, [command]`snapshot`, has been added to provide LVM snapshot support for devices in an LVM thin pool. The command has the following syntax:

- +

- [subs="macros"]

- ----

- snapshot pass:quotes[_vg/lv_] --name pass:quotes[_snapshot_name_] --when [post-install|pre-install]

- ----

- +

- Available options are:

- 

- ** [option]`--name=` - provide a name for the snapshot.

- 

- ** [option]`--when=` - controls when the snapshot will be created. Use `pre-install` to create the snapshot before the installation begins, but after commands in the [command]`%pre` part of the Kickstart are executed, or use `post-install` to create the snapshot after the installation and after commands in the [command]`%post` part of the Kickstart are executed.

- 

- * Three new options are now available for the [command]`autopart` command:

- 

- ** [option]`--nohome` - do not create a separate `/home` partition or volume if one would be created under partitioning rules

- 

- ** [option]`--noboot` - do not create a separate `/boot` partition or volume

- 

- ** [option]`--noswap` - do not create any swap space

- 

- [[sect-installation-anaconda-boot-options]]

- ==== Changes in Anaconda Boot Options

- 

- * The [option]`inst.waitfornet=` boot option is now available. Use it to force the installer to wait for network connectivity before starting the installer interface for a specified number of seconds - for example, [option]`inst.waitfornet=30` to wait 30 seconds.

- 

- * A new option named [option]`inst.ksstrict` is available. You can use it during a Kickstart-based installation to treat Kickstart warnings and error, meaning they will be printed on the output and the installation will terminate. Without specifying this option, warnings are printed to the log and the installation proceeds.

- 

- [[sect-installation-anaconda-other]]

- ==== Other Anaconda Changes

- 

- * Driver Update Disks can now be loaded from local disk devices.

- 

- * `Installclass` can now modify rules for storage checks and their constraints.

- 

- [[sect-installation-fmw]]

- === ARM Support in Fedora Media Writer

- 

- Fedora Media Writer has gained the ability to write ARM images to SD cards and other portable media. Users, including those on Windows and macOS as well as on Fedora, will now be able to write Fedora images easily for Raspberry Pi 2 and above and for other supported ARM devices. Please note that this applies only for ARM devices where there are no changes or tweaks that need to be done to the Fedora image.

- 

- More information about this latest release of Fedora Media Writer can be found in the link:++https://github.com/MartinBriza/MediaWriter/releases/tag/4.1.0++[FMW 4.1.0 Release Notes].

- 

- [[sect-installation-dnf-20]]

- === DNF Rebased to 2.0

- 

- [application]*DNF*, Fedora's package manager, has been rebased to version 2.0, which brings many bugfixes and improvements over [application]*DNF 1.x*, as well as changes required to fix incompatibilities with [application]*Yum*, the predecessor of DNF. This required the introduction of certain incompatibilities between DNF 2.0 and DNF 1.x. See link:++http://dnf.readthedocs.io/en/latest/dnf-1_vs_dnf-2.html++[Changes in DNF-2 compared to DNF-1] for details.

- 

- DNF 2.0 provides usability improvements, including better messages during resolution errors, showing whether a package was installed as a weak dependency, better handling of obsolete packages, fewer tracebacks, and others.

@@ -3,12 +3,3 @@ 

  

  [[sect-kernel]]

  == Kernel

- 

- [[sect-kernel-aarch64-48bitva]]

- === aarch64 48-bit Virtual Address Space

- 

- Before Fedora 26, the aarch64 kernel in Fedora used a 42-bit process virtual address (VA) space and due to the way aarch64 paging works, this constrained the maximum physical address as well. The 42-bit VA was fairly limiting for some applications, but aarch64 processors also have support for 48-bit VAs.

- 

- For Fedora 26, Fedora has introduced a 48-bit VA and so larger aarch64 processes won't be constrained by the virtual or physical limitations of a 42-bit VA. This change also helps with things like hugetlb's and potentially provides a performace boost. Additionally, it allows Fedora to boot on a class of machines that have the majority of their RAM higher in the address space.

- 

- Its unlikely a desktop user will notice the change, except possibly that Fedora might now boot on additional hardware. A server user might find that there is more RAM available for in-memory databases etc.

@@ -3,14 +3,3 @@ 

  

  [[sect-mail-servers]]

  == Mail Servers

- 

- [[sect-mail-servers-cyrus-imapd]]

- === Cyrus IMAP Server Upgraded to Version 3

- 

- In Fedora 26, the [application]*Cyrus IMAP server* (`cyrus-imapd`) has been upgraded to version 3. This version brings significant new functionality, but it also has some new internal database formats. It has also changed the defaults for some important configuration settings. For these reasons it is important that you read and follow link:++https://cyrusimap.org/imap/download/upgrade.html#shut-down-existing-cyrus++[upstream's upgrade documentation] before you initiate an update to Fedora 26.

- 

- Important changes to note:

- 

- * Cyrus version 3 has changed the defaults for two important configuration options: `unixhierarchysep` and `altnamespace`. You may need to add them with their previously default value of `0` if these are not present in your existing configuration.

- 

- * Cyrus version 3 no longer supports the `berkeley` database type. If you have essential databases in that format, it is important that you convert them to a different format before you update your system. However, if you have already updated, don't panic. The default Fedora configuration does use this format, but only for non-essential databases which you will rebuild while following the update documentation linked above.
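
Review bot: The removed bullet on the `berkeley` database type tells admins to convert essential databases "before you update your system", and that warning applies to any upgrade that crosses into Cyrus version 3, not only to one that stops at Fedora 26. Suggest keeping a short pointer to the upstream upgrade documentation under `== Mail Servers`, together with the `unixhierarchysep` and `altnamespace` default change, so the guidance is still reachable from the F27 notes.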

@@ -3,18 +3,3 @@ 

  

  [[sect-modularity]]

  == Fedora Modularity

- 

- Fedora Modularity is attempting to disconnect the lifecycles of applications from each other and also from that of the operating system, while still maintaining the ease of use of a typical Linux distribution. More information about this work is available in the link:++https://docs.pagure.org/modularity/++[Fedora Modularity documentation].

- 

- [[sect-modularity-server-preview]]

- === Modular Server Preview

- 

- Fedora 26 contains a "preview" release of a modular Fedora Server Edition.

- 

- .Not for production use

- [IMPORTANT]

- ===

- The Fedora 26 Modular Server Preview is a working version of the Server Edition but it is still a prototype and so it should not be used in a production environment.

- ===

- 

- The purpose of this preview release is to request feedback from the user community. The Modularity Working Group would like to hear from anyone experimenting with the preview about how it does or does not meet their expectations. Contact details for the Modularity Working Group are on the link:++https://docs.pagure.org/modularity/++[Fedora Modularity home page].
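
Review bot: The first removed paragraph ("Fedora Modularity is attempting to disconnect the lifecycles of applications ...") is a general description of the project with a link to its documentation, not a Fedora 26 change, and dropping it leaves `== Fedora Modularity` with no introduction. Suggest keeping that paragraph and removing only the `sect-modularity-server-preview` subsection.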

@@ -3,54 +3,3 @@ 

  

  [[sect-security]]

  == Security

- 

- [[security-crypto]]

- === System-wide Crypto Policy

- 

- The security of network communications is a high priority for the Fedora project, with strong TLS providing the first line of defense against traffic inspection. Two systems negotiating a TLS connection must agree on a common cipher to encrypt their communications, and as ciphers become deprecated, it is important to exclude them.

- 

- The ciphers that an administrator might consider adequately secure are determined by vulnerabilities published against specific ciphers. The acceptable cipher suite applies to all communications on the internet, and is not specific to any one system or daemon. To ease administration and increase adminsitrator confidence in the system's security posture, Fedora has been configuring various software to use a system-global configuration so that TLS ciphers need only be updated in one place.

- 

- With Fedora 26, two more things will use the system-wide crypto policy, `OpenSSH` and `Java`.

- 

- .OpenSSH Crypto

- OpenSSH clients will use system preferred key exchange algorithms, encryption ciphers, and message authentication code (MAC) algorithms. This is enabled by an `Include` directive in `/etc/ssh/ssh_config` to include directives in `/etc/ssh/ssh_config.d/*.conf`, which pulls in `/etc/crypto-policies/back-ends/openssh.config`.

- 

- .Java Crypto

- OpenJDK has been modified to read additional security properties from the generated crypto policies file at `/etc/crypto-policies/back-ends/java.config`

- 

- This change may affect connections to legacy systems that do not support more strict crypto policies. While it is possible to switch the system profile from DEFAULT to LEGACY, or to set `security.useSystemPropertiesFile=false` in a project's `java.security` file (refer to link:++https://docs.oracle.com/javase/8/docs/technotes/guides/security/PolicyFiles.html++[]), it would be best to also update legacy applications to modern security standards.

- 

- [[sect-security-openssl110]]

- === OpenSSL 1.1.0

- 

- The introduction of OpenSSL 1.1.0 in Fedora 26 brings many big improvements, new cryptographic algorithms, and API changes that allow for keeping the ABI stable in future upgrades. There is also now a compat-openssl10 package in Fedora that provides OpenSSL 1.0.2 for dependent applications that cannot move to 1.1.0 yet.

- 

- There is more information about OpenSSL 1.1.0 in the link:++https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes++[ OpenSSL wiki].

- 

- [[sect-security-opensc]]

- === OpenSC Replaces Coolkey

- 

- Fedora 26 is not shipping the Coolkey PKCS#11 module in the NSS database by default. Instead, there will be the OpenSC PKCS#11 module, which supports more different Smart Cards. The Coolkey package will be removed in Fedora 27. If other applications were using Coolkey, they should be able to switch to OpenSC.

- 

- In case you still need Coolkey in the NSS DB, you can add it manually using [command]`modutil -dbdir /etc/pki/nssdb -add "CoolKey PKCS #11 Module (manual)" -libfile libcoolkeypk11.so -force` (the different name is used to prevent automatic removals when updating coolkey package).

- 

- Soon (during F26 cycle) there will be fully-featured 0.17.0 update to OpenSC with all the tested features and cards that should serve as a complete replacement of Coolkey.

- 

- [[sect-security-sssd]]

- === SSSD fast cache for local users

- 

- SSSD has shipped with a very fast memory cache in the last couple of Fedora releases. However, using this cache conflicts with nscd's caching and nscd has been disabled by default. That degrades performance, because every user or group lookup must open the local files.

- 

- From Fedora 26, a new SSSD "files" provider will resolve users from the local files. That way, the "sss" NSS module can be configured before the files module in nsswitch.conf and the system can leverage sss_nss caching for both local and remote users. As a result, user and group resolution in Fedora will be much faster.

- 

- [[sect-security-authconfig-cleanup]]

- === Authconfig cleanup

- 

- Obsolete and unmaintainable code was removed from [command]`authconfig`. Notably:

- 

- * The graphical interface ([package]*system-config-authentication*) and the interactive text mode, which relied on old and unmaintained libraries (GTK+2 and Glade) have been removed from the distribution.

- 

- * The command line tool, which has been deprecated previously, continues to be part of the distribution for legacy reasons. However, some deprecated and obsolete functionality such as support for `WINS` and `HESIOD` has been removed in this release.

- 

- The removal effort is happening because current modern environments support automatic configuration of remote user identities using `Realmd` and `SSSD` and do not require manual configuration through an interactive interface such as [package]*system-config-authentication*. Some of the existing authconfig command line functionality is being preserved due to it still retaining some usefulness in certain environments, and to support the [command]`auth` command in Kickstart. Removing parts of the code base that are no longer maintainable makes it easier to continue providing this functionality.
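
Review bot: In the removed `sect-security-opensc` section, the sentence "The Coolkey package will be removed in Fedora 27" is a statement about this release, and after the hunk nothing under `== Security` mentions it. Add an F27 entry for the Coolkey removal in this PR or a follow-up so that users who still rely on the module are told before upgrading. The manual `modutil ... -libfile libcoolkeypk11.so` fallback from the same section depends on that package, so the new entry should point to the OpenSC PKCS#11 module instead.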

file modified
-15
@@ -3,18 +3,3 @@ 

  

  [[sect-x-org]]

  == X.Org

- 

- [[sect-x-org-synaptics]]

- === Retire Synaptics Driver

- 

- [package]*xorg-x11-drv-synaptics* has been the main X.Org touchpad driver for over a decade. Since Fedora 22, it has been superseded by [package]*xorg-x11-drv-libinput* which aims to provide a better touchpad experience.

- 

- Starting with Fedora 26:

- 

- * a fresh installation of Fedora will install [package]*xorg-x11-drv-libinput* instead of [package]*xorg-x11-drv-synaptics*;

- 

- * an upgrade from an earlier Fedora will install [package]*xorg-x11-drv-libinput* and remove [package]*xorg-x11-drv-synaptics*;

- 

- * users that need the synaptics driver will need to manually install [package]*xorg-x11-drv-synaptics-legacy*, which will install the synaptics driver and give it precedence over the *libinput* driver;

- 

- * removing [package]*xorg-x11-drv-synaptics-legacy* will remove the synaptics driver and the system will automatically revert to the *libinput* driver.