On Wed, Oct 29, 2025 at 11:32:23AM +0100, Siteshwar Vashisht wrote:
> On Wed, Oct 29, 2025 at 11:26 AM Daniel P. Berrangé via OpenScanHub
> <[email protected]> wrote:
> >
> > On Wed, Oct 29, 2025 at 10:59:20AM +0100, Siteshwar Vashisht wrote:
> > > TLDR: This report[1] contains a total of 47352 findings and 843 new
> > > findings identified since Fedora 43. Please review the report and
> > > provide feedback. False positives can now be recorded in the
> > > known-false-positives[5] repository.
> >
> > snip
> >
> > > [1] https://svashisht.fedorapeople.org/openscanhub/mass-scans/f44-28-Oct-2025/
> >
> > This report only lists 300 packages, which seems shorter than I'd expect.
> > It doesn't mention libvirt or qemu at all which I believe are critical
> > path packages.
> >
> > > [3] https://openscanhub.fedoraproject.org/task/
> >
> > Finding libvirt/QEMU here:
> >
> >   libvirt: https://openscanhub.fedoraproject.org/task/78570/
> >      qemu: https://openscanhub.fedoraproject.org/task/78767/
> >
> > The scan is reported as failed, and in the stdout.log I find
> >
> > + /usr/lib/rpm/rpmuncompress -x /builddir/build/SOURCES/qemu-10.1.0.tar.xz
> > /usr/bin/xz: Failed to enable the sandbox
> > /usr/bin/tar: This does not look like a tar archive
> > /usr/bin/tar: Exiting with failure status due to previous errors
> > error: Bad exit status from /var/tmp/rpm-tmp.444pqA (%prep)
> >     Bad exit status from /var/tmp/rpm-tmp.444pqA (%prep)
> >
> >
> > It looks like there's an infrastructure problem with the openscanhub
> > environment that is breaking the xz command sandbox in some manner.
> 
> Yes, I saw it but need to debug further. Thanks for pointing it out!

The problem is openscanhub appears to run on a RHEL-9 host and the
RHEL-9 kernel doesn't support the sandboxing that xz just enabled:

  https://bugzilla.redhat.com/show_bug.cgi?id=2407105

IMHO that isn't a bug that openscanhub must solve. This needs to be
addressed in xz. The widespread use of containers means code must
not assume kernel features detected at build time are still valid at
runtime.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
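
The point made in the message above, that a kernel feature detected at build time must be re-checked at run time, as an added example (not code from xz, OpenScanHub or this thread). It assumes the sandbox mechanism is Landlock, which the thread does not name; the function names and the continue-or-stop policy are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>

/* Fallbacks for old build-time headers; 444 is the generic syscall table number. */
#ifndef SYS_landlock_create_ruleset
#define SYS_landlock_create_ruleset 444
#endif
#ifndef LANDLOCK_CREATE_RULESET_VERSION
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#endif

/* Declared explicitly so the file also builds in strict -std= modes. */
extern long syscall(long number, ...);

enum sandbox_state { SANDBOX_AVAILABLE, SANDBOX_UNSUPPORTED, SANDBOX_PROBE_ERROR };

/* Pure classification of a probe result, so it can be tested on any kernel. */
enum sandbox_state classify_probe(long ret, int err)
{
    if (ret >= 1)
        return SANDBOX_AVAILABLE;      /* ret is the Landlock ABI version */
    if (err == ENOSYS || err == EOPNOTSUPP)
        return SANDBOX_UNSUPPORTED;    /* not built in, or disabled at boot */
    return SANDBOX_PROBE_ERROR;        /* e.g. EPERM from a container's seccomp filter */
}

/* Ask the running kernel, not the build host, what it supports. */
enum sandbox_state probe_running_kernel(void)
{
    errno = 0;
    long ret = syscall(SYS_landlock_create_ruleset, (void *)0, (size_t)0,
                       LANDLOCK_CREATE_RULESET_VERSION);
    return classify_probe(ret, errno);
}

/* Policy (this example's assumption): a missing feature degrades with a warning
 * unless the caller requires a sandbox; an unexpected probe failure stops. */
int may_process_input(enum sandbox_state s, int require_sandbox)
{
    if (s == SANDBOX_AVAILABLE)
        return 1;
    if (s == SANDBOX_UNSUPPORTED) {
        fprintf(stderr, "warning: running kernel has no sandbox support\n");
        return !require_sandbox;
    }
    return 0;
}

int main(void) { return may_process_input(probe_running_kernel(), 0) ? 0 : 1; }
```
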
