Hello community,

here is the log from the commit of package rubygem-chef for openSUSE:Factory 
checked in at 2013-06-28 11:55:13
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-chef (Old)
 and      /work/SRC/openSUSE:Factory/.rubygem-chef.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-chef"

Changes:
--------
--- /work/SRC/openSUSE:Factory/rubygem-chef/rubygem-chef.changes        
2013-06-17 10:18:06.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.rubygem-chef.new/rubygem-chef.changes   
2013-06-28 11:55:17.000000000 +0200
@@ -1,0 +2,7 @@
+Tue Jun 25 14:53:33 UTC 2013 - [email protected]
+
+- /etc/chef/chef.rb got dropped and replaced by client.rb
+- Fixed bnc#809159 VUL-0: rubygem-chef: disables security checks incorrectly
+- Secure default in /etc/chef/client.rb 
+
+-------------------------------------------------------------------

New:
----
  CHEF-3938-dont-disable-gpg-checks-in-zypper-commands.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-chef.spec ++++++
--- /var/tmp/diff_new_pack.JW14jx/_old  2013-06-28 11:55:18.000000000 +0200
+++ /var/tmp/diff_new_pack.JW14jx/_new  2013-06-28 11:55:18.000000000 +0200
@@ -38,6 +38,8 @@
 Source3:        chef-client.service
 # PATCH-FIX-UPSTREAM: fix the group provider in openSUSE 12.3
 Patch0:         CHEF-4015-group.patch
+# PATCH-FIX-UPSTREAM
+Patch1:         CHEF-3938-dont-disable-gpg-checks-in-zypper-commands.patch
 Summary:        A systems integration framework, built to bring the benefits of
 License:        Apache-2.0
 Group:          Development/Languages/Ruby
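Review bot: The new `# PATCH-FIX-UPSTREAM` line above `Patch1:` carries no description, while the comment on Patch0 says what that patch fixes; a reader of the spec cannot tell from it that this patch is the fix for bnc#809159 without opening the changes file. Suggest `# PATCH-FIX-UPSTREAM bnc#809159 CHEF-3938: stop passing --no-gpg-checks to zypper unconditionally`. Keeping the bug reference next to the patch also makes it easy to check whether the patch is still needed when the gem is updated.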
@@ -66,6 +68,7 @@
 %prep
 %gem_unpack
 %patch0 -p1 
+%patch1 -p1
 %gem_build
 
 %build
@@ -75,7 +78,7 @@
 
 mkdir -p %{buildroot}/etc/chef
 mkdir -p %{buildroot}%{_sbindir}
-install -m 0640 %{S:1} %{buildroot}/etc/chef/chef.rb
+install -m 0640 %{S:1} %{buildroot}/etc/chef/client.rb
 %if %{with_systemd}
 mkdir -p %{buildroot}%{_unitdir}
 cp %{S:3} %{buildroot}%{_unitdir}
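Review bot: The install line now writes `%{S:1}` to `/etc/chef/client.rb`, and the `%files` hunk below drops `/etc/chef/chef.rb`, but nothing visible in the spec migrates an existing, locally edited `/etc/chef/chef.rb` on upgrade. As I read rpm's config handling, a modified chef.rb is left behind as `chef.rb.rpmsave` and the new client.rb ships the packaged defaults, so a node's local settings stop applying until an administrator moves them over; an unmodified one is simply removed. If no `%post` scriptlet outside these hunks handles this, either a short `%post` that preserves a modified chef.rb as client.rb or an explicit line in the changelog entry would avoid a silent configuration reset.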
@@ -129,7 +132,7 @@
 
 %files
 %defattr(-,root,root,-)
-%config(noreplace) %attr(0640, root, chef) /etc/chef/chef.rb
+%config(noreplace) %attr(0640, root, chef) /etc/chef/client.rb
 %{_bindir}/chef-client
 %{_bindir}/chef-solo
 %{_bindir}/knife

++++++ CHEF-3938-dont-disable-gpg-checks-in-zypper-commands.patch ++++++
diff --git a/lib/chef/config.rb b/lib/chef/config.rb
index ca912b6..eba8972 100644
--- a/lib/chef/config.rb
+++ b/lib/chef/config.rb
@@ -297,6 +297,12 @@ def self.formatters
     signing_ca_domain "opensource.opscode.com"
     signing_ca_email "[email protected]"
 
+    # Zypper package provider gpg checks. Set to true to enable package
+    # gpg signature checking. This will be default in the
+    # future. Setting to false disables the warnings.
+    # Leaving this set to nil or false is a security hazard!
+    zypper_check_gpg nil
+
     # Report Handlers
     report_handlers []
 
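Review bot: The comment above `zypper_check_gpg nil` never says what the default `nil` actually does, and "This will be default in the future" is ambiguous about whether "this" is the option or the value `true`; since the provider in this same patch treats `nil` like `false` plus a log warning, a reader of config.rb alone could assume the default is the safe one. Suggest replacing the last two comment lines with `# nil (the default) behaves like false but logs a warning on every package operation;` / `# true is planned to become the default. nil or false is a security hazard.` The enclosing config block starts and ends outside the hunk.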
diff --git a/lib/chef/provider/package/zypper.rb 
b/lib/chef/provider/package/zypper.rb
index 4372746..f547e56 100644
--- a/lib/chef/provider/package/zypper.rb
+++ b/lib/chef/provider/package/zypper.rb
@@ -91,11 +91,11 @@ def install_package(name, version)
             )
           elsif version
             run_command(
-              :command => "zypper -n --no-gpg-checks install -l  
#{name}=#{version}"
+              :command => "zypper -n#{gpg_checks} install -l 
#{name}=#{version}"
             )
           else
             run_command(
-              :command => "zypper -n --no-gpg-checks install -l  #{name}"
+              :command => "zypper -n#{gpg_checks} install -l #{name}"
             )
           end
         end
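Review bot: The rewritten command strings depend on `gpg_checks` returning either `""` or a string that carries its own leading space (`" --no-gpg-checks"`) so that `-n#{gpg_checks}` stays well-formed; the spacing contract is split between this method and the private helper, and a later edit that returns `"--no-gpg-checks"` would silently produce `-n--no-gpg-checks`. Assembling the command from parts, e.g. `["zypper", "-n", gpg_checks, "install", "-l", "#{name}=#{version}"].compact.reject(&:empty?).join(" ")`, keeps the spacing in one place; the same applies to the upgrade_package and remove_package hunks below. `name` and `version` are still interpolated unquoted exactly as before the change, so if run_command hands the string to a shell, package names containing shell metacharacters remain a pre-existing concern this patch does not touch. install_package begins outside the hunk.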
@@ -107,11 +107,11 @@ def upgrade_package(name, version)
             )
           elsif version
             run_command(
-              :command => "zypper -n --no-gpg-checks install -l 
#{name}=#{version}"
+              :command => "zypper -n#{gpg_checks} install -l 
#{name}=#{version}"
             )
           else
             run_command(
-              :command => "zypper -n --no-gpg-checks install -l #{name}"
+              :command => "zypper -n#{gpg_checks} install -l #{name}"
             )
           end
         end
@@ -123,21 +123,33 @@ def remove_package(name, version)
             )
           elsif version
             run_command(
-              :command => "zypper -n --no-gpg-checks remove  
#{name}=#{version}"
+              :command => "zypper -n#{gpg_checks} remove #{name}=#{version}"
             )
           else
             run_command(
-              :command => "zypper -n --no-gpg-checks remove  #{name}"
+              :command => "zypper -n#{gpg_checks} remove #{name}"
             )
           end
-            
-         
         end
       
         def purge_package(name, version)
           remove_package(name, version)
         end
-      
+
+        private
+        def gpg_checks()
+          case Chef::Config[:zypper_check_gpg]
+          when true
+            ""
+          when false
+            " --no-gpg-checks"
+          when nil
+            Chef::Log.warn("Chef::Config[:zypper_check_gpg] was not set. " + 
+              "All packages will be installed without gpg signature checks. " 
+ 
+              "This is a security hazard.")
+            " --no-gpg-checks"
+          end
+        end
       end
     end
   end
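Review bot: `gpg_checks` has no `else` branch, so a configuration value that is not exactly `true`, `false` or `nil` (for example the string `"false"` from a config file) makes the `case` return `nil`, which interpolates as an empty string and runs with GPG checks enabled; that fails closed, but the operator who set the value never learns it was ignored. Add `else raise ArgumentError, "zypper_check_gpg must be true, false or nil, got #{Chef::Config[:zypper_check_gpg].inspect}"` before the final `end` of the `case`. The warning "All packages will be installed without gpg signature checks" is also logged from remove_package and purge_package, where nothing is installed, and it repeats for every package resource in a run; wording it per operation or emitting it once would make the log more useful. `def gpg_checks()` can also drop the empty parentheses.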
diff --git a/spec/unit/provider/package/zypper_spec.rb 
b/spec/unit/provider/package/zypper_spec.rb
index fab78f4..c0b2fe4 100644
--- a/spec/unit/provider/package/zypper_spec.rb
+++ b/spec/unit/provider/package/zypper_spec.rb
@@ -92,8 +92,24 @@
 
   describe "install_package" do
     it "should run zypper install with the package name and version" do
+      Chef::Config.stub(:[]).with(:zypper_check_gpg).and_return(true)
       @provider.should_receive(:run_command).with({
-          :command => "zypper -n --no-gpg-checks install -l  emacs=1.0",
+          :command => "zypper -n install -l emacs=1.0",
+        })
+      @provider.install_package("emacs", "1.0")
+    end
+    it "should run zypper install without gpg checks" do
+      Chef::Config.stub(:[]).with(:zypper_check_gpg).and_return(false)
+      @provider.should_receive(:run_command).with({
+          :command => "zypper -n --no-gpg-checks install -l emacs=1.0",
+        })
+      @provider.install_package("emacs", "1.0")
+    end
+    it "should warn about gpg checks on zypper install" do
+      Chef::Log.should_receive(:warn).with(
+        /All packages will be installed without gpg signature checks/)
+      @provider.should_receive(:run_command).with({
+          :command => "zypper -n --no-gpg-checks install -l emacs=1.0",
         })
       @provider.install_package("emacs", "1.0")
     end
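Review bot: The example "should warn about gpg checks on zypper install" never stubs `Chef::Config[:zypper_check_gpg]`, so it passes only while the global default in config.rb is `nil` and could be affected by state left behind by a neighbouring example; stub the value explicitly with `Chef::Config.stub(:[]).with(:zypper_check_gpg).and_return(nil)` before the `should_receive(:warn)` line. The same applies to the warn examples in the upgrade_package, remove_package and purge_package hunks below. The upgrade_package warn example's body continues outside its hunk.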
@@ -101,6 +117,22 @@
 
   describe "upgrade_package" do
     it "should run zypper update with the package name and version" do
+      Chef::Config.stub(:[]).with(:zypper_check_gpg).and_return(true)
+      @provider.should_receive(:run_command).with({
+          :command => "zypper -n install -l emacs=1.0",
+        })
+      @provider.upgrade_package("emacs", "1.0")
+    end
+    it "should run zypper update without gpg checks" do
+      Chef::Config.stub(:[]).with(:zypper_check_gpg).and_return(false)
+      @provider.should_receive(:run_command).with({
+          :command => "zypper -n --no-gpg-checks install -l emacs=1.0",
+        })
+      @provider.upgrade_package("emacs", "1.0")
+    end
+    it "should warn about gpg checks on zypper upgrade" do
+      Chef::Log.should_receive(:warn).with(
+        /All packages will be installed without gpg signature checks/)
       @provider.should_receive(:run_command).with({
           :command => "zypper -n --no-gpg-checks install -l emacs=1.0",
         })
@@ -110,8 +142,24 @@
 
   describe "remove_package" do
     it "should run zypper remove with the package name" do
+      Chef::Config.stub(:[]).with(:zypper_check_gpg).and_return(true)
+      @provider.should_receive(:run_command).with({
+          :command => "zypper -n remove emacs=1.0",
+        })
+      @provider.remove_package("emacs", "1.0")
+    end
+    it "should run zypper remove without gpg checks" do
+      Chef::Config.stub(:[]).with(:zypper_check_gpg).and_return(false)
+      @provider.should_receive(:run_command).with({
+          :command => "zypper -n --no-gpg-checks remove emacs=1.0",
+        })
+      @provider.remove_package("emacs", "1.0")
+    end
+    it "should warn about gpg checks on zypper remove" do
+      Chef::Log.should_receive(:warn).with(
+        /All packages will be installed without gpg signature checks/)
       @provider.should_receive(:run_command).with({
-          :command => "zypper -n --no-gpg-checks remove  emacs=1.0",
+          :command => "zypper -n --no-gpg-checks remove emacs=1.0",
         })
       @provider.remove_package("emacs", "1.0")
     end
@@ -122,6 +170,21 @@
       @provider.should_receive(:remove_package).with("emacs", "1.0")
       @provider.purge_package("emacs", "1.0")
     end
+    it "should run zypper purge without gpg checks" do
+      Chef::Config.stub(:[]).with(:zypper_check_gpg).and_return(false)
+      @provider.should_receive(:run_command).with({
+          :command => "zypper -n --no-gpg-checks remove emacs=1.0",
+        })
+      @provider.purge_package("emacs", "1.0")
+    end
+    it "should warn about gpg checks on zypper purge" do
+      Chef::Log.should_receive(:warn).with(
+        /All packages will be installed without gpg signature checks/)
+      @provider.should_receive(:run_command).with({
+          :command => "zypper -n --no-gpg-checks remove emacs=1.0",
+        })
+      @provider.purge_package("emacs", "1.0")
+    end
   end
 
   describe "on an older zypper" do

++++++ chef.rb ++++++
--- /var/tmp/diff_new_pack.JW14jx/_old  2013-06-28 11:55:18.000000000 +0200
+++ /var/tmp/diff_new_pack.JW14jx/_new  2013-06-28 11:55:18.000000000 +0200
@@ -30,6 +30,8 @@
 solr_home_path  File.join(supportdir, 'solr', 'home')
 solr_heap_size  '256M'
 
+zypper_check_gpg   true
+
 umask 0022
 
 Mixlib::Log::Formatter.show_time = false
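Review bot: `zypper_check_gpg   true` is added without a comment, so an administrator editing the shipped client.rb has no hint why the line is there or what turning it off does, which is exactly the setting bnc#809159 is about. Suggest `# Require GPG signature checks for zypper package operations (bnc#809159); false passes --no-gpg-checks to zypper.` directly above it, matching the other commented settings in this file if there are any.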
