Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add a digest on the compressed payload content (#163)
What MD5? Besides being hopelessly outdated and vulnerable, nothing besides rpm -K actually verifies it. Yum/dnf certainly does not. And it lives in the signature header so you can just modify it at will. Repository formats are just not relevant here, at all, no matter which way they're signed. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/163#issuecomment-283562982___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [PATCH] Include new test data spec files in EXTRA_DIST.
On Wed, 2017-03-01 at 15:28 +0100, Mark Wielaard wrote: > From: Mark Wielaard > > Commit bbfe1f8 (Add build-id links to rpm for all ELF files) and > Commit bbfe1f8 (Make it possible to have unique build-ids across build > versions/releases) Sorry, copy/paste error in commit IDs. Correct IDs in the fixed up commit. From 509059d3c2ecfb969ec020dae04e7e335dd5bafc Mon Sep 17 00:00:00 2001 From: Mark Wielaard Date: Wed, 1 Mar 2017 15:24:41 +0100 Subject: [PATCH] Include new test data spec files in EXTRA_DIST. Commit bbfe1f8 (Add build-id links to rpm for all ELF files) and Commit 5ef1166 (Make it possible to have unique build-ids across build versions/releases) Introduced new test spec files (hello-r2.spec, hello2cp.spec and hello2ln.spec). Make sure they are added to EXTRA_DIST so the testcases pass again with make distcheck. Signed-off-by: Mark Wielaard --- tests/Makefile.am | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/Makefile.am b/tests/Makefile.am index 8c036d6..815a390 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -35,8 +35,11 @@ EXTRA_DIST += $(TESTSUITE_AT) ## testsuite data EXTRA_DIST += data/SPECS/attrtest.spec EXTRA_DIST += data/SPECS/hello.spec +EXTRA_DIST += data/SPECS/hello-r2.spec EXTRA_DIST += data/SPECS/hello-script.spec EXTRA_DIST += data/SPECS/hello2.spec +EXTRA_DIST += data/SPECS/hello2cp.spec +EXTRA_DIST += data/SPECS/hello2ln.spec EXTRA_DIST += data/SPECS/hello2-suid.spec EXTRA_DIST += data/SPECS/foo.spec EXTRA_DIST += data/SPECS/globtest.spec -- 1.8.3.1 ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add a digest on the compressed payload content (#163)
Okay, but that'd also be caught by MD5, right? So...do we expect every package system to verify *both* the rpm-md checksum and this one? Running SHA256 or whatever *is* pretty cheap, I know. Perhaps enough people rely on "untrusted rpm-md fetched over http + GPG signed RPMs" that we have to fix this. But I think greater security comes from pushing everyone to do [cert pinned rpm-md](https://pagure.io/fedora-infrastructure/issue/5372). -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/163#issuecomment-283363152___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
[Rpm-maint] [PATCH] Include new test data spec files in EXTRA_DIST.
From: Mark Wielaard Commit bbfe1f8 (Add build-id links to rpm for all ELF files) and Commit bbfe1f8 (Make it possible to have unique build-ids across build versions/releases) Introduced new test spec files (hello-r2.spec, hello2cp.spec and hello2ln.spec). Make sure they are added to EXTRA_DIST so the testcases pass again with make distcheck. Signed-off-by: Mark Wielaard --- tests/Makefile.am | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/Makefile.am b/tests/Makefile.am index 8c036d6..815a390 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -35,8 +35,11 @@ EXTRA_DIST += $(TESTSUITE_AT) ## testsuite data EXTRA_DIST += data/SPECS/attrtest.spec EXTRA_DIST += data/SPECS/hello.spec +EXTRA_DIST += data/SPECS/hello-r2.spec EXTRA_DIST += data/SPECS/hello-script.spec EXTRA_DIST += data/SPECS/hello2.spec +EXTRA_DIST += data/SPECS/hello2cp.spec +EXTRA_DIST += data/SPECS/hello2ln.spec EXTRA_DIST += data/SPECS/hello2-suid.spec EXTRA_DIST += data/SPECS/foo.spec EXTRA_DIST += data/SPECS/globtest.spec -- 1.8.3.1 ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add a digest on the compressed payload content (#163)
What on earth does rpm-md have to do with this? It exists on an entirely different level, and has checksums on the entire package file, at the time of repository generation. Files can get corrupted and truncated in transit from rpmbuild to a repository. That has happened in Fedora repos, people were not so happy when a malformed Thunderbird package found its way through all the alleged signature checking etc. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/163#issuecomment-283347048___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [PATCH] Add option to have unique debug source dirs across version/release/arch.
On Tue, 2017-02-28 at 21:34 +0100, Mark Wielaard wrote: > @@ -305,7 +317,18 @@ do_file() >if [ ! -z "$ver_rel" ]; then > build_id_seed="--build-id-seed=$ver_rel" >fi > - id=$(${lib_rpm_dir}/debugedit -b "$RPM_BUILD_DIR" -d /usr/src/debug \ > + # See also cpio SOURCEFILE copy. Directories must match up. > + debug_base_name="$RPM_BUILD_DIR" > + debug_dest_name="/usr/src/debug" > + if [ ! -z "$unique_debug_src_base" ]; then > +debug_base_name="$BUILDDIR" > + > debug_dest_name="/usr/src/debug/${unique_debug_src_base}-${ver_rel}.${unique_debug_arch}" > + fi > +echo "RPM_BUILD_DIR: $RPM_BUILD_DIR" > +echo "BUILDDIR: $BUILDDIR" > + echo ${lib_rpm_dir}/debugedit -b $debug_base_name -d $debug_dest_name \ > + -i $build_id_seed -l "$SOURCEFILE" "$f" > + id=$(${lib_rpm_dir}/debugedit -b $debug_base_name -d $debug_dest_name \ > -i $build_id_seed -l "$SOURCEFILE" "$f") || exit >if [ -z "$id" ]; then > echo >&2 "*** ${strict_error}: No build ID note found in $f" Sorry, those three extra echo lines before the actual debugedit invocation obviously shouldn't have been there. They were just for debugging and I forgot to remove them in the final patch. ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add a digest on the compressed payload content (#163)
In practice though, people shouldn't be using raw `rpm` to install RPMs. They should (and 90% of the time are) using a higher level system like zypper, yum, or rpm-ostree. These systems all consume "rpm-md/yum" metadata, which obviously today has a checksum over the content, which can be verified without opening the RPM. I know they're not the same - having a checksum just over the content as opposed to header+content should (AIUI) allow us to GPG sign without invalidating the content checksum (right?). But it's surprising to me that we'd do something here without (apparently) considering how it interacts with rpm-md. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/163#issuecomment-283343716___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add a digest on the compressed payload content (#163)
Closed #163. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/163#event-981848847___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add a digest on the compressed payload content (#163)
Initial implementation in commit 91aa0786cf3b2e34de01c586427952de6d0d9b40. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/163#issuecomment-283342239___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint