Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package build for openSUSE:Factory checked in at 2026-03-11 20:49:19 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/build (Old) and /work/SRC/openSUSE:Factory/.build.new.8177 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "build" Wed Mar 11 20:49:19 2026 rev:182 rq:1337927 version:20260219 Changes: -------- --- /work/SRC/openSUSE:Factory/build/build.changes 2026-02-12 17:25:59.207777342 +0100 +++ /work/SRC/openSUSE:Factory/.build.new.8177/build.changes 2026-03-11 20:49:36.171864633 +0100 @@ -1,0 +2,10 @@ +Tue Mar 10 09:44:26 UTC 2026 - Adrian Schröter <[email protected]> + +- Implement cmssign support in signdummy +- pbuild: mark git assets with a fixed commit as immutable +- mkosi + * check if old parameters are supported before passing them + * support old bash version +- Do not crash on small files that start with the PE magic + +------------------------------------------------------------------- Old: ---- obs-build-20260202.tar.gz New: ---- obs-build-20260219.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ build.spec ++++++ --- /var/tmp/diff_new_pack.M7jWNe/_old 2026-03-11 20:49:37.127903393 +0100 +++ /var/tmp/diff_new_pack.M7jWNe/_new 2026-03-11 20:49:37.127903393 +0100 @@ -28,7 +28,7 @@ Summary: A Script to Build SUSE Linux RPMs License: GPL-2.0-only OR GPL-3.0-only Group: Development/Tools/Building -Version: 20260202 +Version: 20260219 Release: 0 Source: obs-build-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-build ++++++ PKGBUILD ++++++ --- /var/tmp/diff_new_pack.M7jWNe/_old 2026-03-11 20:49:37.187905826 +0100 +++ /var/tmp/diff_new_pack.M7jWNe/_new 2026-03-11 20:49:37.187905826 +0100 @@ -1,5 +1,5 @@ pkgname=build -pkgver=20260202 +pkgver=20260219 pkgrel=0 pkgdesc="Build packages in sandbox" arch=('i686' 'x86_64') ++++++ _service ++++++ --- /var/tmp/diff_new_pack.M7jWNe/_old 2026-03-11 20:49:37.223907285 +0100 +++ /var/tmp/diff_new_pack.M7jWNe/_new 2026-03-11 20:49:37.231907609 +0100 
@@ -1,7 +1,7 @@ <services> <service name="tar_scm" mode="manual"> - <param name="revision">20260202</param> - <param name="version">20260202</param> + <param name="revision">20260219</param> + <param name="version">20260219</param> <param name="url">https://github.com/openSUSE/obs-build.git</param> <param name="scm">git</param> <param name="extract">dist/build.changes</param> ++++++ build.dsc ++++++ --- /var/tmp/diff_new_pack.M7jWNe/_old 2026-03-11 20:49:37.259908745 +0100 +++ /var/tmp/diff_new_pack.M7jWNe/_new 2026-03-11 20:49:37.263908907 +0100 @@ -1,6 +1,6 @@ Format: 1.0 Source: build -Version: 20260202 +Version: 20260219 Binary: build Maintainer: Adrian Schroeter <[email protected]> Architecture: all ++++++ debian.changelog ++++++ --- /var/tmp/diff_new_pack.M7jWNe/_old 2026-03-11 20:49:37.291910042 +0100 +++ /var/tmp/diff_new_pack.M7jWNe/_new 2026-03-11 20:49:37.299910366 +0100 @@ -1,4 +1,4 @@ -build (20260202) unstable; urgency=low +build (20260219) unstable; urgency=low * Update to current git trunk - add sles11sp2 build config and adapt autodetection ++++++ obs-build-20260202.tar.gz -> obs-build-20260219.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/obs-build-20260202/PBuild/RemoteAssets.pm new/obs-build-20260219/PBuild/RemoteAssets.pm --- old/obs-build-20260202/PBuild/RemoteAssets.pm 2026-02-02 15:46:01.000000000 +0100 +++ new/obs-build-20260219/PBuild/RemoteAssets.pm 2026-03-10 10:46:11.000000000 +0100 
@@ -67,15 +67,21 @@ for my $s (@{$p->{'remoteassets'} || []}) { my $url = $s->{'url'}; my $file = $s->{'file'}; - if ($url && $url =~ /^git(?:\+https?)?:.*\/([^\/]+?)(?:\#[^\#\/]+)?$/) { + if ($url && $url =~ /^git(?:\+https?)?:.*\/([^\/]+?)(?:\#([^\#\/]+))?$/) { + my $tag = $2; if (!defined($file)) { $file = $1; $file =~ s/\?.*//; $file =~ s/\.git$//; } next unless defined($file) && $file =~ /^([^\.\/][^\/]+)$/s; - next if $p->{'files'}->{$file}; - push @assets, { 'file' => $file, 'url' => $url, 'type' => 'url', 'isdir' => 1 }; + next if $p->{'files'}->{$file}; # die() instead? + my $asset = { 'file' => $file, 'url' => $url, 'type' => 'url', 'isdir' => 1 }; + if ($tag =~ /^[0-9a-fA-F]{40,}$/) { + $asset->{'immutable'} = 1; + $asset->{'assetid'} = Digest::MD5::md5_hex($url); + } + push @assets, $asset; next; } if (($s->{'type'} || '' eq 'webcache')) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/obs-build-20260202/build-recipe-mkosi new/obs-build-20260219/build-recipe-mkosi --- old/obs-build-20260202/build-recipe-mkosi 2026-02-02 15:46:01.000000000 +0100 +++ new/obs-build-20260219/build-recipe-mkosi 2026-03-10 10:46:11.000000000 +0100 
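Review bot: `$tag` is undefined whenever the git URL carries no `#fragment`, so the new `$tag =~ /^[0-9a-fA-F]{40,}$/` test reads an uninitialized value (a warning if the module enables warnings). The pattern is also looser than a commit id: `{40,}` accepts any hex run of 40 or more characters and `$` tolerates a trailing newline, while full object names are 40 (SHA-1) or 64 (SHA-256) hex digits. I would write `if (defined($tag) && $tag =~ /\A(?:[0-9a-fA-F]{40}|[0-9a-fA-F]{64})\z/) {`. Since `immutable` presumably lets the asset be reused from cache without refetching, it is worth confirming that the fetch code (not visible here) resolves the fragment as a commit and not as a same-named ref; `assetid` is an MD5 of the URL, so it can serve as a cache key but not as a content check. The enclosing sub starts and ends outside the hunk.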
@@ -41,7 +41,30 @@ } recipe_build_mkosi() { - local ARCH DIST RELEASE_ARG + local ARCH DIST + local mkosi_args=( + "--output-dir=$TOPDIR/OTHER" + "--checksum=yes" + "--repository-key-check=no" + "--local-mirror=file:///.build.binaries/" + ) + + if mkosi --help | grep -w -- "--default " >/dev/null 2>&1; then + mkosi_args[${#mkosi_args[@]}]="--default=${RECIPEFILE}" + fi + + if mkosi --help | grep -w -- "--nspawn-keep-unit " >/dev/null 2>&1; then + mkosi_args[${#mkosi_args[@]}]="--nspawn-keep-unit" + fi + + if mkosi --help | grep -w -- "--with-network " >/dev/null 2>&1; then + mkosi_args[${#mkosi_args[@]}]="--with-network=never" + fi + + if mkosi --help | grep -w -- "--cache " >/dev/null 2>&1; then + mkosi_args[${#mkosi_args[@]}]="--cache=/.build.binaries/" + fi + if [ -x "$BUILD_ROOT/bin/rpm" ]; then ARCH=$(chroot "$BUILD_ROOT" sh -c "rpm --eval '%{_target_cpu}'") elif [ -x "$BUILD_ROOT/usr/bin/dpkg-architecture" ]; then @@ -61,7 +84,7 @@ fi # Pass it to mkosi, so that the configured mirror is the same as the repository created below - RELEASE_ARG="--release ${DIST}" + mkosi_args[${#mkosi_args[@]}]="--release=${DIST}" test -z "${ARCH}" -o -z "${DIST}" && cleanup_and_exit 1 elif [ ! -x "$BUILD_ROOT/usr/bin/repo-add" ]; then 
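Review bot: The four option probes in the first build-recipe-mkosi hunk run `mkosi --help` directly, while the build itself runs as `chroot "$BUILD_ROOT" "$@"`, so in a chroot build they appear to query whatever mkosi the host has (if any) rather than the one that will be executed. If that call fails or reports a different option set, `--with-network=never` and `--default=${RECIPEFILE}` are dropped without any message and the build proceeds with mkosi's own defaults for network access. I would capture the help text once from the build root, `mkosi_help=$(chroot "$BUILD_ROOT" mkosi --help 2>/dev/null)`, test each option with `echo "$mkosi_help" | grep -qw -- "--with-network "`, and log when the network restriction cannot be applied. recipe_build_mkosi continues past the end of this hunk.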
@@ -98,28 +121,16 @@ workdir="$d" break done + mkosi_args[${#mkosi_args[@]}]="--directory=${workdir}" - local image_version="" if [ -n "$RELEASE" ]; then - image_version="--image-version=${RELEASE}" + mkosi_args[${#mkosi_args[@]}]="--image-version=${RELEASE}" else # Provide some fallback value for %v specifiers - image_version="--image-version=0" + mkosi_args[${#mkosi_args[@]}]="--image-version=0" fi - set -- mkosi \ - --directory "$workdir" \ - --default \ - "$RECIPEFILE" \ - $RELEASE_ARG \ - $image_version \ - --nspawn-keep-unit \ - --output-dir "$TOPDIR/OTHER" \ - --checksum=yes \ - --repository-key-check=no \ - --with-network=never \ - --local-mirror file:///.build.binaries/ \ - --cache /.build.binaries/ \ - build + + set -- mkosi "${mkosi_args[@]}" build echo "running $*" chroot "$BUILD_ROOT" "$@" || cleanup_and_exit 1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/obs-build-20260202/dist/build.changes new/obs-build-20260219/dist/build.changes --- old/obs-build-20260202/dist/build.changes 2026-02-02 15:46:01.000000000 +0100 +++ new/obs-build-20260219/dist/build.changes 2026-03-10 10:46:11.000000000 +0100 @@ -1,4 +1,14 @@ ------------------------------------------------------------------- +Tue Mar 10 09:44:26 UTC 2026 - Adrian Schröter <[email protected]> + +- Implement cmssign support in signdummy +- pbuild: mark git assets with a fixed commit as immutable +- mkosi + * check if old parameters are supported before passing them + * support old bash version +- Do not crash on small files that start with the PE magic + +------------------------------------------------------------------- Mon Feb 2 14:41:36 UTC 2026 - Adrian Schröter <[email protected]> - pbuild: support for _manifest files @@ -6,7 +16,7 @@ - config: * tumbleweed syncing * slfo 1.2 updates - * Re-create SLE 15 SP7 config + * Re-create SLE 15 SP7 config (bsc#1251920) - oci-archive * Support package list introspection * Support sbom generation 
@@ -190,7 +200,7 @@ obs work detection, documention, SBOM) - Support slsa v1 in unpack_slsa_provenance - generate_sbom: do not clobber spdx supplier -- Harden export_debian_orig_from_git (boo#1230469) +- Harden export_debian_orig_from_git (CVE-2024-22038, boo#1230469) ------------------------------------------------------------------- Fri Sep 13 08:18:51 UTC 2024 - Adrian Schröter <[email protected]> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/obs-build-20260202/generate_sbom new/obs-build-20260219/generate_sbom --- old/obs-build-20260202/generate_sbom 2026-02-02 15:46:01.000000000 +0100 +++ new/obs-build-20260219/generate_sbom 2026-03-10 10:46:11.000000000 +0100 @@ -205,7 +205,7 @@ if ($first == 0xfeedface || $first == 0xfeedfacf || $first == 0xcefaedfe || $first == 0xcffaedfe) { return 'application/x-mach-binary'; } - if (($first & 0xffff0000) == 0x4d5a0000) { + if (($first & 0xffff0000) == 0x4d5a0000 && length($prefix) >= 64) { my $o = unpack('@60V', $prefix); my $type = ''; if (seek($fd, $o, 0) && read($fd, $type, 4) == 4 && unpack('N', $type) == 0x50450000) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/obs-build-20260202/signdummy new/obs-build-20260219/signdummy --- old/obs-build-20260202/signdummy 2026-02-02 15:46:01.000000000 +0100 +++ new/obs-build-20260219/signdummy 2026-03-10 10:46:11.000000000 +0100 @@ -24,7 +24,7 @@ # write a 2048 byte file with a fixed signature. # sign is used in kiwi builds to sign repositories -my $mode; +my $mode = ''; while (@ARGV) { if ($ARGV[0] =~ /^-([cdrp])$/) { @@ -32,6 +32,16 @@ shift @ARGV; next; } + if ($ARGV[0] eq '--cmssign') { + $mode = 'cmssign'; + shift @ARGV; + splice(@ARGV, 0, 2) if @ARGV >= 2 && $ARGV[0] eq '--cert'; + next; + } + if ($ARGV[0] eq '-h' && @ARGV >= 2) { + splice(@ARGV, 0, 2); + next; + } if ($ARGV[0] eq '--') { shift @ARGV; last; 
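Review bot: The new `length($prefix) >= 64` guard in the generate_sbom hunk has no comment saying where 64 comes from, so the next reader has to work out that `unpack('@60V', $prefix)` needs bytes 60..63 of the buffer. A one-line comment above the condition would do: `# the PE header offset is a 32-bit LE value at offset 60, so at least 64 bytes are needed`. Note also that `$o` is read from the file being inspected; the `seek`/`read` pair that follows rejects out-of-range values by failing, and that behaviour should be kept because the inspected files are presumably not trusted. The enclosing function starts and ends outside the hunk.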
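Review bot: In the second signdummy hunk the option values are only skipped in fixed positions: `--cert` is consumed only when it directly follows `--cmssign`, and `-h` only when another argument follows it. A `--cert FILE` placed anywhere else, or a trailing `-h`, is not handled here and falls through to whatever the loop does next (outside the hunk), possibly ending up as a file to sign. Handling `--cert` as its own branch, `if ($ARGV[0] eq '--cert' && @ARGV >= 2) { splice(@ARGV, 0, 2); next; }`, would make the order irrelevant. A short comment that both values are deliberately ignored because the output is a dummy would also help.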
@@ -47,9 +57,16 @@ (syswrite(STDOUT, $block) || 0) == 8192 || die("pubkey write: $!\n"); exit 0; } -die("only detached mode possible\n") if !$mode || $mode ne 'd'; + +my $suf; +$suf = '.asc' if $mode eq 'd'; +$suf = '.p7s' if $mode eq 'cmssign'; + +die("only detached mode possible\n") unless $suf; die("filter mode not supported\n") unless @ARGV; +my $dummylength = $mode eq 'cmssign' ? 8192 : 2048; # allow extra space for certs + for my $file (@ARGV) { local *F; open(F, '<', $file) || die("$file: $!\n"); @@ -58,8 +75,9 @@ close(F) || die("$file: $!\n"); my $block = "sIGnMe!\n"; $block .= sprintf("%08x%08x\n", length($buf), unpack("%32C*", $buf)); - $block .= "\0" x (2048 - length($block)); - open(F, '>', "$file.asc") || die("$file.asc: $!\n"); - (syswrite(F, $block) || 0) == 2048 || die("$file.asc: $!\n"); - close(F) || die("$file.asc: $!\n"); + $block .= "\0" x ($dummylength - length($block)); + my $sigfile = "$file$suf"; + open(F, '>', $sigfile) || die("$sigfile: $!\n"); + (syswrite(F, $block) || 0) == $dummylength || die("$sigfile: $!\n"); + close(F) || die("$sigfile: $!\n"); }
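Review bot: The message `only detached mode possible` in the third signdummy hunk is now what a caller sees for any unsupported mode, although `--cmssign` is accepted as well; `die("only detached (-d) or --cmssign mode possible\n") unless $suf;` would be accurate. The header comment visible as context in the first signdummy hunk still says the script writes a 2048 byte file, which no longer holds for the 8192 byte `.p7s` output. That comment should also state that the `.p7s` file holds the same `sIGnMe!` placeholder block rather than a CMS structure, so that nobody takes the file's presence as evidence of a signature.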
