date:20170301

Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add a digest on the compressed payload content (#163)

2017-03-01 Thread Panu Matilainen

What MD5? Besides being hopelessly outdated and vulnerable, nothing besides rpm 
-K actually verifies it. Yum/dnf certainly does not. And it lives in the 
signature header so you can just modify it at will.

Repository formats are just not relevant here, at all, no matter which way 
they're signed.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/163#issuecomment-283562982___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint

Re: [Rpm-maint] [PATCH] Include new test data spec files in EXTRA_DIST.

2017-03-01 Thread Mark Wielaard

On Wed, 2017-03-01 at 15:28 +0100, Mark Wielaard wrote:
> From: Mark Wielaard 
> 
> Commit bbfe1f8 (Add build-id links to rpm for all ELF files) and
> Commit bbfe1f8 (Make it possible to have unique build-ids across build
> versions/releases)

Sorry, copy/paste error in commit IDs. Correct IDs in the fixed up
commit.

From 509059d3c2ecfb969ec020dae04e7e335dd5bafc Mon Sep 17 00:00:00 2001
From: Mark Wielaard 
Date: Wed, 1 Mar 2017 15:24:41 +0100
Subject: [PATCH] Include new test data spec files in EXTRA_DIST.

Commit bbfe1f8 (Add build-id links to rpm for all ELF files) and
Commit 5ef1166 (Make it possible to have unique build-ids across build
versions/releases)
Introduced new test spec files (hello-r2.spec, hello2cp.spec and
hello2ln.spec). Make sure they are added to EXTRA_DIST so the testcases
pass again with make distcheck.

Signed-off-by: Mark Wielaard 
---
 tests/Makefile.am | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tests/Makefile.am b/tests/Makefile.am
index 8c036d6..815a390 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -35,8 +35,11 @@ EXTRA_DIST += $(TESTSUITE_AT)
 ## testsuite data
 EXTRA_DIST += data/SPECS/attrtest.spec
 EXTRA_DIST += data/SPECS/hello.spec
+EXTRA_DIST += data/SPECS/hello-r2.spec
 EXTRA_DIST += data/SPECS/hello-script.spec
 EXTRA_DIST += data/SPECS/hello2.spec
+EXTRA_DIST += data/SPECS/hello2cp.spec
+EXTRA_DIST += data/SPECS/hello2ln.spec
 EXTRA_DIST += data/SPECS/hello2-suid.spec
 EXTRA_DIST += data/SPECS/foo.spec
 EXTRA_DIST += data/SPECS/globtest.spec
-- 
1.8.3.1

___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint

Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add a digest on the compressed payload content (#163)

2017-03-01 Thread Colin Walters

Okay, but that'd also be caught by MD5, right?  So...do we expect every package 
system to verify *both* the rpm-md checksum and this one?  Running SHA256 or 
whatever *is* pretty cheap, I know.

Perhaps enough people rely on "untrusted rpm-md fetched over http + GPG signed 
RPMs" that we have to fix this.  But I think greater security comes from 
pushing everyone to do [cert pinned 
rpm-md](https://pagure.io/fedora-infrastructure/issue/5372).

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/163#issuecomment-283363152___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint

[Rpm-maint] [PATCH] Include new test data spec files in EXTRA_DIST.

2017-03-01 Thread Mark Wielaard

From: Mark Wielaard 

Commit bbfe1f8 (Add build-id links to rpm for all ELF files) and
Commit bbfe1f8 (Make it possible to have unique build-ids across build
versions/releases)
Introduced new test spec files (hello-r2.spec, hello2cp.spec and
hello2ln.spec). Make sure they are added to EXTRA_DIST so the testcases
pass again with make distcheck.

Signed-off-by: Mark Wielaard 
---
 tests/Makefile.am | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tests/Makefile.am b/tests/Makefile.am
index 8c036d6..815a390 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -35,8 +35,11 @@ EXTRA_DIST += $(TESTSUITE_AT)
 ## testsuite data
 EXTRA_DIST += data/SPECS/attrtest.spec
 EXTRA_DIST += data/SPECS/hello.spec
+EXTRA_DIST += data/SPECS/hello-r2.spec
 EXTRA_DIST += data/SPECS/hello-script.spec
 EXTRA_DIST += data/SPECS/hello2.spec
+EXTRA_DIST += data/SPECS/hello2cp.spec
+EXTRA_DIST += data/SPECS/hello2ln.spec
 EXTRA_DIST += data/SPECS/hello2-suid.spec
 EXTRA_DIST += data/SPECS/foo.spec
 EXTRA_DIST += data/SPECS/globtest.spec
-- 
1.8.3.1

___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint

Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add a digest on the compressed payload content (#163)

2017-03-01 Thread Panu Matilainen

What on earth does rpm-md have to do with this? It exists on an entirely 
different level, and has checksums on the entire package file, at the time of 
repository generation. Files can get corrupted and truncated in transit from 
rpmbuild to a repository. That has happened in Fedora repos, people were not so 
happy when a malformed Thunderbird package found its way through all the 
alleged signature checking etc.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/163#issuecomment-283347048___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint

Re: [Rpm-maint] [PATCH] Add option to have unique debug source dirs across version/release/arch.

2017-03-01 Thread Mark Wielaard

On Tue, 2017-02-28 at 21:34 +0100, Mark Wielaard wrote:
> @@ -305,7 +317,18 @@ do_file()
>if [ ! -z "$ver_rel" ]; then
>  build_id_seed="--build-id-seed=$ver_rel"
>fi
> -  id=$(${lib_rpm_dir}/debugedit -b "$RPM_BUILD_DIR" -d /usr/src/debug \
> +  # See also cpio SOURCEFILE copy. Directories must match up.
> +  debug_base_name="$RPM_BUILD_DIR"
> +  debug_dest_name="/usr/src/debug"
> +  if [ ! -z "$unique_debug_src_base" ]; then
> +debug_base_name="$BUILDDIR"
> +
> debug_dest_name="/usr/src/debug/${unique_debug_src_base}-${ver_rel}.${unique_debug_arch}"
> +  fi
> +echo "RPM_BUILD_DIR: $RPM_BUILD_DIR"
> +echo "BUILDDIR: $BUILDDIR"
> +  echo ${lib_rpm_dir}/debugedit -b $debug_base_name -d $debug_dest_name \
> +   -i $build_id_seed -l "$SOURCEFILE" "$f"
> +  id=$(${lib_rpm_dir}/debugedit -b $debug_base_name -d $debug_dest_name \
> -i $build_id_seed -l "$SOURCEFILE" "$f") || exit
>if [ -z "$id" ]; then
>  echo >&2 "*** ${strict_error}: No build ID note found in $f"

Sorry, those three extra echo lines before the actual debugedit
invocation obviously shouldn't have been there. They were just for
debugging and I forgot to remove them in the final patch.


___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint

Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add a digest on the compressed payload content (#163)

2017-03-01 Thread Colin Walters

In practice though, people shouldn't be using raw `rpm` to install RPMs.  They 
should (and 90% of the time are) using a higher level system like zypper, yum, 
or rpm-ostree.  

These systems all consume "rpm-md/yum" metadata, which obviously today has a 
checksum over the content, which can be verified without opening the RPM.

I know they're not the same - having a checksum just over the content as 
opposed to header+content should (AIUI) allow us to GPG sign without 
invalidating the content checksum (right?).

But it's surprising to me that we'd do something here without (apparently) 
considering how it interacts with rpm-md.


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/163#issuecomment-283343716___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint

Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add a digest on the compressed payload content (#163)

2017-03-01 Thread Panu Matilainen

Closed #163.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/163#event-981848847___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint

Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add a digest on the compressed payload content (#163)

2017-03-01 Thread Panu Matilainen

Initial implementation in commit 91aa0786cf3b2e34de01c586427952de6d0d9b40.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/163#issuecomment-283342239___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint

Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add a digest on the compressed payload content (#163)

Re: [Rpm-maint] [PATCH] Include new test data spec files in EXTRA_DIST.

Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add a digest on the compressed payload content (#163)

[Rpm-maint] [PATCH] Include new test data spec files in EXTRA_DIST.

Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add a digest on the compressed payload content (#163)

Re: [Rpm-maint] [PATCH] Add option to have unique debug source dirs across version/release/arch.

Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add a digest on the compressed payload content (#163)

Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add a digest on the compressed payload content (#163)

Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add a digest on the compressed payload content (#163)

9 matches

Site Navigation

Mail list logo

Footer information