Hello community,

here is the log from the commit of package yast2-installation for openSUSE:Factory checked in at 2022-11-18 15:42:55
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/yast2-installation (Old)
 and      /work/SRC/openSUSE:Factory/.yast2-installation.new.1597 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yast2-installation" Fri Nov 18 15:42:55 2022 rev:511 rq:1036353 version:4.5.9 Changes: -------- --- /work/SRC/openSUSE:Factory/yast2-installation/yast2-installation.changes 2022-10-22 14:12:34.632665505 +0200 +++ /work/SRC/openSUSE:Factory/.yast2-installation.new.1597/yast2-installation.changes 2022-11-18 15:43:17.842499944 +0100 @@ -1,0 +2,29 @@ +Tue Nov 15 13:43:41 UTC 2022 - Ancor Gonzalez Sosa <an...@suse.com> + +- Fixed the help in the installation summary to include the texts + from the corresponding proposals (related to jsc#SLE-24764). +- 4.5.9 + +------------------------------------------------------------------- +Tue Nov 15 13:42:41 UTC 2022 - José Iván López González <jlo...@suse.com> + +- Write config for ssg-apply script according to the enabled + security policy (part of jsc#SLE-24764). + +------------------------------------------------------------------- + Tue Nov 15 13:41:41 UTC 2022 - Knut Anderssen <kanders...@suse.com> + +- Fix copy of entropy pool during installation (bsc#1204559). + +------------------------------------------------------------------- +Tue Nov 15 13:40:41 UTC 2022 - Ladislav Slezák <lsle...@suse.cz> + +- Do not use "xrdb" for setting the "Xft.dpi" value, use a specific + YaST tool from the yast2-x11 package (bsc#1201532) + (xrdb depends on the C pre-processor increasing the dependencies + about of 22MB) +- Install yast2-x11 only when GUI (libyui-qt) is installed, + avoid installing the dependent X libraries in minimal (text mode) + installation (bsc#1201966) + +------------------------------------------------------------------- Old: ---- yast2-installation-4.5.8.tar.bz2 New: ---- yast2-installation-4.5.9.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ yast2-installation.spec ++++++ --- /var/tmp/diff_new_pack.HpqpKe/_old 2022-11-18 15:43:18.550503055 +0100 +++ /var/tmp/diff_new_pack.HpqpKe/_new 2022-11-18 15:43:18.554503072 +0100 
@@ -17,7 +17,7 @@ Name: yast2-installation -Version: 4.5.8 +Version: 4.5.9 Release: 0 Summary: YaST2 - Installation Parts License: GPL-2.0-only @@ -43,8 +43,8 @@ BuildRequires: yast2-packager >= 4.4.13 # yast/rspec/helpers.rb BuildRequires: yast2-ruby-bindings >= 4.4.7 -# For LSM classes -BuildRequires: yast2-security +# Support for SecurityPolicies +BuildRequires: yast2-security >= 4.5.3 # using /usr/bin/udevadm BuildRequires: yast2-storage-ng >= 4.2.71 # Y2Users @@ -97,6 +97,8 @@ Requires: yast2-storage-ng >= 4.0.175 # Y2Users Requires: yast2-users >= 4.4.2 +# Support for SecurityPolicies +Requires: yast2-security >= 4.5.3 PreReq: %fillup_prereq Recommends: yast2-add-on Recommends: yast2-firewall @@ -119,8 +121,6 @@ Conflicts: yast2-pkg-bindings < 2.17.25 # Registration#get_updates_list does not handle exceptions Conflicts: yast2-registration < 3.2.3 -# Added support for selecting the desired LSM during installation -Conflicts: yast2-security < 4.4.2 # Top bar with logo Conflicts: yast2-ycp-ui-bindings < 3.1.7 Obsoletes: yast2-installation-devel-doc ++++++ yast2-installation-4.5.8.tar.bz2 -> yast2-installation-4.5.9.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-installation-4.5.8/README.md new/yast2-installation-4.5.9/README.md --- old/yast2-installation-4.5.8/README.md 2022-10-21 10:03:39.000000000 +0200 +++ new/yast2-installation-4.5.9/README.md 2022-11-17 06:58:31.000000000 +0100 
@@ -25,6 +25,11 @@ More subject-specific pieces of information can be found in the [doc](doc) directory. +- [URL handling in the installer](doc/url.md) for an overview of the URLs + supported in various places, including `cd:`, `cifs:`, `device:`, `disk:`, + `dvd:`, `file:`, `ftp:`, `hd:`, `http:`, `https:`, `iso:`, `label:`, `nfs:`, + `rel:`, `relurl:`, `repo:`, `slp:`, `smb:`, `tftp:`, `usb:`. + Live Installation ----------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-installation-4.5.8/doc/url.md new/yast2-installation-4.5.9/doc/url.md --- old/yast2-installation-4.5.8/doc/url.md 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-installation-4.5.9/doc/url.md 2022-11-17 06:58:31.000000000 +0100 
@@ -0,0 +1,210 @@ +# URL handling in the installer + +*For a general description of URL formats see [RFC 3986](https://www.rfc-editor.org/rfc/rfc3986#section-3).* + +## Absolute URLs + +There are a number of places where URLs are processed in the installer. But +all can be traced to one of three backends: + +1. [Linuxrc](https://en.opensuse.org/SDB:Linuxrc#Parameter_Reference) +2. [Zypp](https://doc.opensuse.org/projects/libzypp/HEAD/classzypp_1_1media_1_1MediaManager.html#MediaAccessUrl) +3. [YaST/AutoYaST](https://doc.opensuse.org/projects/autoyast/#Commandline-ay) itself in [`Yast::Transfer::FileFromUrl.get_file_from_url`](https://github.com/yast/yast-installation/blob/b950b062729d98d11d98609cba829bbc39355143/src/lib/transfer/file_from_url.rb#L76-L92) + +> There was additionally a 4th one hidden in AutoYaST: +> +> 4. [`Yast::ProfileLocationClass.Process`](https://github.com/yast/yast-autoinstallation/blob/SLE-15-SP4/src/modules/ProfileLocation.rb#L101-L116) +> took care of the `label` scheme in AutoYaST context. It's been added to `Yast::Transfer::FileFromUrl` now. + +## Relative URLs + +On top of the above three locations there is special handling for `relurl` +and `repo` URLs throughout the Linuxrc and YaST code - mostly concerned constructing the absolute URL. + +`relurl` is a relative URL where the location it is relative to varies on +context. It can be relative to the installation repository, relative to the +AutoYaST profile, or relative to the main product in the context of add-on +or product descriptions. + +`repo` is a URL that is always relative to the installation repository. + +## URL formats + +All three backends have a collection of their own URL formats. Not so much for +standardized URL schemes as `http` or `ftp` - but schemes referring to local +media vary. + +Some standarization attempts have been made in the past. As a result Linuxrc +supports also Zypp and (Auto)YaST formats. 
Note that Linuxrc always uses the Zypp format +when passing URLs to YaST in `install.inf`. + +`FileFromUrl` has been extended in SLE15-SP5 to work also with Zypp formats. The +rationale is that extending Zypp is out of scope for YaST and we have no +control over the URL parsing there. So consolidating on Zypp syntax seems +the best approach. + +## URL format reference + +This is a brief overview with examples. For a full reference, see the documentation links provided above. + +### Linuxrc + +- network URLs: `ftp`, `http`, `https`, `tftp`, `nfs`, `cifs`, `smb` - with usual syntax +- `slp:/`, `slp:/?descr=*openSUSE*&url=ftp:*` +- `file:/foo`, `file:///foo`, (`file://foo` also works) +- `cd:/`, `cd:/?device=/dev/sr0` +- `hd:/foo`, `hd:/foo?device=/dev/sda`, `hd:/foo.iso` +- `disk:/foo`, `disk:/foo?device=/dev/sda` - `disk` can mean either CDROM or hard disk +- `rel:/foo`, `rel:///foo` +- `relurl://foo` +- `repo:/foo`, `repo:///foo` + +### (Auto)YaST via FileFromUrl + +- network URLs: `ftp`, `http`, `https`, `tftp`, `nfs`, `cifs` - with usual syntax (note: **not** `smb`) +- `file:/foo`, `file:///foo`, (`file://foo` also works) +- `device://sda/foo`, `device://disk/by-id/some_id/foo` +- `hd:/foo?device=/dev/sda` +- `cd:/?devices=/dev/sr0` +- `dvd:/?devices=/dev/sr0` +- `usb:///foo` +- `label://some_label/foo` +- `relurl://foo` +- `repo:/foo`, `repo:///foo` + +Note that `file` looks on the local file system **and** installation medium for the file. + +### Zypp + +- network URLs: `ftp`, `http`, `https`, `tftp`, `nfs`, `cifs`, `smb` - with usual syntax +- `file:/foo`, `file:///foo` +- `dir:/foo`, `dir:///foo` +- `hd:/foo?device=/dev/sda` +- `cd:/?devices=/dev/sr0` +- `dvd:/?devices=/dev/sr0` +- `iso:/?iso=/foo.iso&url=hd:/?device=/dev/sda` + +## Going forward + +There are still issues with the existing URL handling in YaST. I'll present +code examples to illustrate the point. Note that this is not meant as picking at the code in any way. + +### 1. 
Wrong number of slashes + +The [description](https://doc.opensuse.org/projects/autoyast/#Commandline-ay) of some URL schemes (e.g. `relurl` - and historically `file` +had been documented this way) +demand the URL to start with two slashes (`//`) - which is not what one would expect according to the URI RFC cited at the beginning. + +This leads to all kinds of issues when processing URLs as the real path has +to be reconstructed by merging the hostname component and the path fragment you get after parsing the URL. + +Typically something like [this](https://github.com/yast/yast-autoinstallation/blob/695bc29ac79dae970dae63da55b624ec03a04e16/src/modules/AutoinstConfig.rb#L364-L379): + +```ruby +if @scheme == "relurl" || @scheme == "file" + # "relurl": No host information has been given here. So a part of the path or the + # complete path has been stored in the host variable while parsing it. + # This will be reverted. + # + # "file": Normally the file is defined with 3 slashes like file:///autoinst.xml + # in order to define an empty host entry. But that will be often overseen + # by the user. So we will support file://autoinst.xml too: + log.info "correcting #{@scheme}://#{@host}/#{@filepath} to empty host entry" + if !@host.empty? && !@filepath.empty? + @filepath = File.join(@host, @filepath) + else + @filepath = @host unless @host.empty? + end + @host = "" +end +``` + +Note that the existing code will tolerate using one or three slashes even +when only two are documented in most cases. `file` should be fairly safe, +for example. `relurl` not always, though. The next section has an example +where the code is not forgiving. + +It's probably not a good idea to change the documentation at this point but +maybe we should tolerate differing number of slashes in some cases. + +### 2. 
Regexp parsing of URLs + +For example this (https://github.com/yast/yast-packager/blob/SLE-15-SP4/src/modules/AddOnProduct.rb#L409-L412): + +```ruby +if !Builtins.regexpmatch(url, "^relurl://") + Builtins.y2debug("Not a relative URL: %1", URL.HidePassword(url)) + return url +end +``` + +There are often hidden assumptions in these regexps (e.g. that `relurl` starts with at least two slashes) +that might break things at some point. + +But there is a perfectly fine [`URI`](https://docs.ruby-lang.org/en/master/URI.html) class +in ruby that can do this better. For example: + +```ruby +if URI(url).scheme != "relurl" + ... +end +``` + +And there is also the +[`Yast::URLClass`](https://github.com/yast/yast-yast2/blob/master/library/types/src/modules/URL.rb) +class for handling URLs. On the negative side this is old YCP code but on the +positive side it deals with idiosyncrasies like varying number of slashes. + +### 3. Manually converting relative URLs to absolute URLs + +The conversion of relative to absolute URLs has been programmed several times. For example [here](https://github.com/yast/yast-autoinstallation/blob/695bc29ac79dae970dae63da55b624ec03a04e16/src/lib/autoinstall/script.rb#L149-L168): + +```ruby +def resolve_location + return if location.empty? + + log.info "Resolving location #{location.inspect}" + location.strip! 
+ return unless location.start_with?("relurl://") + + path = location[9..-1] # 9 is relurl:// size + + if Yast::AutoinstConfig.scheme == "relurl" + log.info "autoyast profile was relurl too" + newloc = Yast::SCR.Read(Yast::Path.new(".etc.install_inf.ayrelurl")) + tok = Yast::URL.Parse(newloc) + @location = "#{tok["scheme"]}://#{File.join(tok["host"], File.dirname(tok["path"]), path)}" + else + config = Yast::AutoinstConfig + @location = "#{config.scheme}://#{File.join(config.host, config.directory, path)}" + end + log.info "resolved location #{@location.inspect}" +end +``` + +There is a [`Yast2::RelURL`](https://github.com/yast/yast-yast2/blob/master/library/general/src/lib/yast2/rel_url.rb) class that can do exactly that. + +```ruby +Yast2::RelURL.new("http://example.com", "relurl://foo/bar").absolute_url.to_s +# "http://example.com/foo/bar" + +``` + +### 4. URLs (absolute and relative) referring to the installation ISO + +You can use the unpacked installation ISO as installation source. For example: + +``` + hd:/foo/tw.iso?device=/dev/sda # Linuxrc syntax + iso:/?iso=/foo/tw.iso&url=hd:/?device=/dev/sda" # Zypp syntax + -- unsupported -- # (Auto)YaST syntax +``` + +`FileFromUrl` does not support this. This means you cannot reference an +AutoYaST profile this way. Neither directly nor indirectly via `relurl` or +`repo`. + +It is in fact an interesting question what you would want +`autoyast=repo:/bar.xml` to mean in this context. Maybe not that `bar.xml` +is inside the ISO alongside the repository but **outside** alongside the ISO. That is, +`autoyast=hd:/foo/bar.xml` - which would also be more easily implemented, btw. 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-installation-4.5.8/package/yast2-installation.changes new/yast2-installation-4.5.9/package/yast2-installation.changes --- old/yast2-installation-4.5.8/package/yast2-installation.changes 2022-10-21 10:03:39.000000000 +0200 +++ new/yast2-installation-4.5.9/package/yast2-installation.changes 2022-11-17 06:58:31.000000000 +0100 @@ -1,4 +1,33 @@ ------------------------------------------------------------------- +Tue Nov 15 13:43:41 UTC 2022 - Ancor Gonzalez Sosa <an...@suse.com> + +- Fixed the help in the installation summary to include the texts + from the corresponding proposals (related to jsc#SLE-24764). +- 4.5.9 + +------------------------------------------------------------------- +Tue Nov 15 13:42:41 UTC 2022 - José Iván López González <jlo...@suse.com> + +- Write config for ssg-apply script according to the enabled + security policy (part of jsc#SLE-24764). + +------------------------------------------------------------------- + Tue Nov 15 13:41:41 UTC 2022 - Knut Anderssen <kanders...@suse.com> + +- Fix copy of entropy pool during installation (bsc#1204559). + +------------------------------------------------------------------- +Tue Nov 15 13:40:41 UTC 2022 - Ladislav Slezák <lsle...@suse.cz> + +- Do not use "xrdb" for setting the "Xft.dpi" value, use a specific + YaST tool from the yast2-x11 package (bsc#1201532) + (xrdb depends on the C pre-processor increasing the dependencies + about of 22MB) +- Install yast2-x11 only when GUI (libyui-qt) is installed, + avoid installing the dependent X libraries in minimal (text mode) + installation (bsc#1201966) + +------------------------------------------------------------------- Thu Oct 20 13:53:14 UTC 2022 - Steffen Winterfeldt <snw...@suse.com> - add 'repo', 'cd', 'dvd', 'hd', and 'label' schemes to 
@@ -49,7 +78,7 @@ - Do not restart services when updating the package (bsc#1199480, bsc#1200274) --4.5.3 +- 4.5.3 ------------------------------------------------------------------- Mon May 23 15:42:10 UTC 2022 - Knut Anderssen <kanders...@suse.com> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-installation-4.5.8/package/yast2-installation.spec new/yast2-installation-4.5.9/package/yast2-installation.spec --- old/yast2-installation-4.5.8/package/yast2-installation.spec 2022-10-21 10:03:39.000000000 +0200 +++ new/yast2-installation-4.5.9/package/yast2-installation.spec 2022-11-17 06:58:31.000000000 +0100 @@ -16,7 +16,7 @@ # Name: yast2-installation -Version: 4.5.8 +Version: 4.5.9 Release: 0 Summary: YaST2 - Installation Parts License: GPL-2.0-only @@ -42,8 +42,8 @@ BuildRequires: yast2-packager >= 4.4.13 # yast/rspec/helpers.rb BuildRequires: yast2-ruby-bindings >= 4.4.7 -# For LSM classes -BuildRequires: yast2-security +# Support for SecurityPolicies +BuildRequires: yast2-security >= 4.5.3 # using /usr/bin/udevadm BuildRequires: yast2-storage-ng >= 4.2.71 # Y2Users @@ -96,6 +96,8 @@ Requires: yast2-storage-ng >= 4.0.175 # Y2Users Requires: yast2-users >= 4.4.2 +# Support for SecurityPolicies +Requires: yast2-security >= 4.5.3 PreReq: %fillup_prereq Recommends: yast2-add-on Recommends: yast2-firewall 
@@ -118,8 +120,6 @@ Conflicts: yast2-pkg-bindings < 2.17.25 # Registration#get_updates_list does not handle exceptions Conflicts: yast2-registration < 3.2.3 -# Added support for selecting the desired LSM during installation -Conflicts: yast2-security < 4.4.2 # Top bar with logo Conflicts: yast2-ycp-ui-bindings < 3.1.7 Obsoletes: yast2-installation-devel-doc diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-installation-4.5.8/src/lib/installation/clients/pre_umount_finish.rb new/yast2-installation-4.5.9/src/lib/installation/clients/pre_umount_finish.rb --- old/yast2-installation-4.5.8/src/lib/installation/clients/pre_umount_finish.rb 2022-10-21 10:03:39.000000000 +0200 +++ new/yast2-installation-4.5.9/src/lib/installation/clients/pre_umount_finish.rb 2022-11-17 06:58:31.000000000 +0100 @@ -98,7 +98,8 @@ poolsize = Builtins.regexpsub(poolsize, "^([[:digit:]]+).*", "\\1") end - log.info "Using random/poolsize: #{poolsize}" + poolsize = (poolsize.to_i / 8).to_s + log.info "Using random/poolsize: #{poolsize} (Bytes)" poolsize end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-installation-4.5.8/src/lib/installation/clients/security_finish.rb new/yast2-installation-4.5.9/src/lib/installation/clients/security_finish.rb --- old/yast2-installation-4.5.8/src/lib/installation/clients/security_finish.rb 2022-10-21 10:03:39.000000000 +0200 +++ new/yast2-installation-4.5.9/src/lib/installation/clients/security_finish.rb 2022-11-17 06:58:31.000000000 +0100 @@ -1,5 +1,5 @@ # ------------------------------------------------------------------------------ -# Copyright (c) 2017 SUSE LLC +# Copyright (c) [2017-2022] SUSE LLC # # # This program is free software; you can redistribute it and/or modify it under 
@@ -21,6 +21,7 @@ require "y2firewall/firewalld" require "installation/security_settings" require "installation/finish_client" +require "y2security/security_policies/manager" Yast.import "Mode" Yast.import "SignatureCheckDialogs" @@ -88,6 +89,8 @@ # Write down the Linux Security Module configuration settings.lsm_config.save + write_security_policies_config + true end @@ -182,6 +185,15 @@ Yast::Service.Enable("sshd") if @settings.enable_sshd configure_firewall if @firewalld.installed? end + + # Writes config for security policies + def write_security_policies_config + # write security policies config only during a fresh install + return if Yast::Mode.update + + manager = Y2Security::SecurityPolicies::Manager.instance + manager.write + end end end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-installation-4.5.8/src/lib/installation/proposal_store.rb new/yast2-installation-4.5.9/src/lib/installation/proposal_store.rb --- old/yast2-installation-4.5.8/src/lib/installation/proposal_store.rb 2022-10-21 10:03:39.000000000 +0200 +++ new/yast2-installation-4.5.9/src/lib/installation/proposal_store.rb 2022-11-17 06:58:31.000000000 +0100 
@@ -611,16 +611,16 @@ end def modules_help(current_tab) - modules_order = presentation_order - if tabs? && current_tab - modules_order = modules_order[current_tab] - - modules_order.each_with_object("") do |client, text| - description = description_for(client) - text << description["help"] if description && description["help"] + modules_order = + if tabs? && current_tab + presentation_order[current_tab] + else + presentation_order end - else - "" + + modules_order.each_with_object("") do |client, text| + description = description_for(client) + text << description["help"] if description && description["help"] end end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-installation-4.5.8/test/lib/clients/pre_umount_finish_test.rb new/yast2-installation-4.5.9/test/lib/clients/pre_umount_finish_test.rb --- old/yast2-installation-4.5.8/test/lib/clients/pre_umount_finish_test.rb 2022-10-21 10:03:39.000000000 +0200 +++ new/yast2-installation-4.5.9/test/lib/clients/pre_umount_finish_test.rb 2022-11-17 06:58:31.000000000 +0100 @@ -7,8 +7,8 @@ describe ::Installation::PreUmountFinish do describe "#write" do before do - allow(Yast::WFM).to receive(:Execute).and_return("exit"=>0) - allow(Yast::SCR).to receive(:Execute).and_return("exit"=>0) + allow(Yast::WFM).to receive(:Execute).and_return("exit" => 0) + allow(Yast::SCR).to receive(:Execute).and_return("exit" => 0) # Set the target dir to /mnt allow(Yast::WFM).to receive(:Args).and_return("initial") end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-installation-4.5.8/test/lib/clients/security_finish_test.rb new/yast2-installation-4.5.9/test/lib/clients/security_finish_test.rb --- old/yast2-installation-4.5.8/test/lib/clients/security_finish_test.rb 2022-10-21 10:03:39.000000000 +0200 +++ new/yast2-installation-4.5.9/test/lib/clients/security_finish_test.rb 2022-11-17 06:58:31.000000000 +0100 
@@ -2,12 +2,14 @@ require_relative "../../test_helper" require "installation/clients/security_finish" +require "y2security/security_policies/manager" Yast.import "Service" describe Installation::Clients::SecurityFinish do before do allow_any_instance_of(Y2Firewall::Firewalld::Api).to receive(:running?).and_return(false) + allow(Y2Security::SecurityPolicies::Manager.instance).to receive(:write) end let(:proposal_settings) { Installation::SecuritySettings.create_instance } @@ -46,6 +48,12 @@ subject.write end + it "writes the security policies config" do + expect(Y2Security::SecurityPolicies::Manager.instance).to receive(:write) + + subject.write + end + context "when firewalld is not installed" do let(:installed) { false } @@ -119,6 +127,12 @@ subject.write end + + it "skips writting the security policies config" do + expect(Y2Security::SecurityPolicies::Manager.instance).to_not receive(:write) + + subject.write + end end context "when policy kit default priviges is defined" do
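Review bot: In the new doc/url.md, section 2 offers `URI(url).scheme != "relurl"` as the replacement for the `regexpmatch` check without saying that `URI()` raises `URI::InvalidURIError` on input it cannot parse, whereas the regexp version just returns the URL unchanged. The text should state that callers need to rescue that error, or point to `Yast::URLClass`, which the same section says copes with a varying number of slashes. In section 4 the Zypp example `iso:/?iso=/foo/tw.iso&url=hd:/?device=/dev/sda"` ends with a stray double quote, and "standarization" and "mostly concerned constructing" need correcting.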
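Review bot: In yast2-installation.changes the added Knut Anderssen entry has a space before the date (`+ Tue Nov 15 13:41:41 UTC 2022`), unlike the other three new entries, which start at column one; drop the space so the header line matches the rest of the file. In the xrdb entry, "increasing the dependencies about of 22MB" looks like a leftover from an edit and should read something like "increasing the dependencies by about 22MB".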
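Review bot: In pre_umount_finish.rb, `poolsize = (poolsize.to_i / 8).to_s` has no guard for a value that does not parse: `to_i` returns 0 for an empty or non-numeric string, so the method would log and return "0" as the size used for the entropy pool copy. Suggest falling back to a default, or at least logging a warning, when the result is 0, and adding a one-line comment that the division converts bits to bytes, which the code currently only hints at through the "(Bytes)" log text. The matching pre_umount_finish_test.rb hunk only reformats `"exit"=>0`, so the new conversion has no assertion in the visible diff.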
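Review bot: In security_finish.rb, `write_security_policies_config` discards the result of `manager.write` and the calling `write` method still ends with `true`, so a failure to write the ssg-apply configuration would not reach the caller or the log. Consider logging the outcome of `manager.write` and deciding explicitly whether it should affect the return value. The comment says the config is written "only during a fresh install" while the guard is `return if Yast::Mode.update`; either reword the comment to "skipped during update" or test for the modes that are actually meant.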
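Review bot: In proposal_store.rb, `modules_help` now passes `presentation_order[current_tab]` straight to `each_with_object`; if `current_tab` does not index an existing tab the value is nil and the call raises NoMethodError, so a `|| []` fallback or an explicit check would be safer. The hunk also changes the non-tab branch from returning "" to concatenating the help of every module in `presentation_order`, and the visible diff contains no spec change for this file; an example for each branch would pin the new behaviour down.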
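Review bot: In security_finish_test.rb the new example description `"skips writting the security policies config"` misspells "writing". The surrounding `context` line is not part of the hunk, so it is worth confirming that this negative expectation sits in the update-mode context that `return if Yast::Mode.update` is meant to cover.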