Re: [Rpm-maint] [rpm-software-management/rpm] Add support for generating buildinfo file as subpackage (#1532)
@Conan-Kudo commented on this pull request.

> + +mkdir -p "$BUILDINFO_DIR" + +cat > "$BUILDINFO" <> "$BUILDINFO"

I'm fine with another filename.

-- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/1532#discussion_r728462928
___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Add support for generating buildinfo file as subpackage (#1532)
@Conan-Kudo commented on this pull request.

> + +printf 'Installed-Build-Depends:\n' >> "$BUILDINFO" +rpm -qa --queryformat '%{epoch}:%{name}-%{version}-%{release}.%{arch}\n' \ +| LC_ALL=C sort -t: -k2 \ +| sed -e 's/^(none)://; /\.(none)$/d; s/^/ /' >> "$BUILDINFO" + +printf 'Environment:\n' >> "$BUILDINFO" + +# Whitelist from Debian's Dpkg: +# https://anonscm.debian.org/git/dpkg/dpkg.git/tree/scripts/Dpkg/Build/Info.pm#n50 +ENV_WHITELIST= + +# Toolchain. +ENV_WHITELIST="$ENV_WHITELIST CC CPP CXX OBJC OBJCXX PC FC M2C AS LD AR RANLIB MAKE AWK LEX YACC" +# Toolchain flags. +ENV_WHITELIST="$ENV_WHITELIST CFLAGS CPPFLAGS CXXFLAGS OBJCFLAGS OBJCXXFLAGS GCJFLAGS FFLAGS LDFLAGS ARFLAGS MAKEFLAGS"

What @voxik is saying is that you will not be able to capture the variables because they only exist in the `%build` step. We'd need a hook to export it from there.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/1532#discussion_r728462636
Re: [Rpm-maint] [rpm-software-management/rpm] Add support for generating buildinfo file as subpackage (#1532)
Koji has a similar build environment record, though it's stored in the Koji database rather than as a file. We do archive environment artifacts from Mock with builds too, though.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/1532#issuecomment-942735441
Re: [Rpm-maint] [rpm-software-management/rpm] Add support for generating buildinfo file as subpackage (#1532)
@woju commented on this pull request.

> + +mkdir -p "$BUILDINFO_DIR" + +cat > "$BUILDINFO" <> "$BUILDINFO"

If you really insist on a different format for RPM, I'd suggest the file suffix be changed to something else than `.buildinfo` (maybe `.rpmbuildinfo`?). This will at least make distinguishing the files easier. Archlinux has `.BUILDINFO` (all caps) I think.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/1532#discussion_r728443050
Re: [Rpm-maint] [rpm-software-management/rpm] Add support for generating buildinfo file as subpackage (#1532)
@woju commented on this pull request.

> +Format: 1.0-rpm +Build-Architecture: $(uname -m) +Source: $RPM_PACKAGE_NAME +Epoch: $RPM_PACKAGE_EPOCH +Version: ${RPM_PACKAGE_VERSION} +Release: ${RPM_PACKAGE_RELEASE} +Architecture: $RPM_ARCH +Build-Origin: $(getos) +Build-Path: $RPM_BUILD_DIR

> I don't think that is valuable for us, given that we have properties in RPM
> that don't exist in Debian

Can you please suggest which properties those are exactly, and specifically how differences in their content might affect reproducibility of the packages?

The buildinfo file was purposefully designed to *not* include all available information, only the relevant to reproducible builds, because recording too much would not actually be useful when analysing (un)reproducibility. The underlying assumption is that the build process of a package will be made as robust as possible, that is, allow as much variability in environment as reasonably possible, which in theory should allow to record less information in buildinfo.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/1532#discussion_r728440187
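Review bot: `Build-Architecture: $(uname -m)` and `Architecture: $RPM_ARCH` can disagree, because `uname -m` reports the kernel's machine type (subject to the `setarch` personality) while `$RPM_ARCH` is the build target; for a `noarch` build or a 32-bit build on a 64-bit host the two differ, so state which one a rebuilder is expected to match, or derive both from rpm. `Epoch: $RPM_PACKAGE_EPOCH` emits an empty field when that variable is unset or empty, so define whether an empty Epoch means 0 or whether the line should be omitted. Two smaller points: the expansions mix `$RPM_PACKAGE_NAME` with `${RPM_PACKAGE_VERSION}`, so pick one form, and `getos` is not defined in this hunk, so say where it comes from.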
Re: [Rpm-maint] [rpm-software-management/rpm] Add support for generating buildinfo file as subpackage (#1532)
Interested in something like this for openSUSE. We already have something comparable called `_buildenv` (XML), e.g. in https://build.opensuse.org/package/binaries/openSUSE:Factory/bash/standard - but that is created on the obs_worker level. [ArchLinux](https://archlinux.org/pacman/BUILDINFO.5.html) seems to have their own format with = as delimiter.

In most places, the buildinfo files can probably be handled as opaque files and just things like source, binary, version would be interesting outside. That is not hard to extract in either format, so there is no strong reason to follow Debian here. OTOH, this is not a .spec file, but just another output from the build process, similar to the build log, so it does not need to follow rpm conventions either.

So from my view, using either the Debian or ArchLinux (marshalling) format has some advantage over making up a third format. Though, I would not keep confusing Debianisms in keys that will not be meaningful outside of the respective distribution.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/1532#issuecomment-942694178
Re: [Rpm-maint] [rpm-software-management/rpm] Add support for generating buildinfo file as subpackage (#1532)
@fepitre commented on this pull request.

> + +mkdir -p "$BUILDINFO_DIR" + +cat > "$BUILDINFO" <> "$BUILDINFO"

@Conan-Kudo thank you for your feedback and comments. Generally I would have loved to have a generic format not being one distro specific, to ease manipulating this file among several rebuild tools, but I guess it would not be straightforward. I'm waiting for some feedback from @bmwiedemann too, then I would propose to adapt the work according to your comments.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/1532#discussion_r728399795
Re: [Rpm-maint] [rpm-software-management/rpm] Add support for generating buildinfo file as subpackage (#1532)
@bmwiedemann do you have some feedback to give from the several comments here? As you work on reproducible builds for openSUSE you are certainly interested in this new feature.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/1532#issuecomment-942664681
Re: [Rpm-maint] [rpm-software-management/rpm] Add support for generating buildinfo file as subpackage (#1532)
@fepitre commented on this pull request.

> + +printf 'Installed-Build-Depends:\n' >> "$BUILDINFO" +rpm -qa --queryformat '%{epoch}:%{name}-%{version}-%{release}.%{arch}\n' \ +| LC_ALL=C sort -t: -k2 \ +| sed -e 's/^(none)://; /\.(none)$/d; s/^/ /' >> "$BUILDINFO" + +printf 'Environment:\n' >> "$BUILDINFO" + +# Whitelist from Debian's Dpkg: +# https://anonscm.debian.org/git/dpkg/dpkg.git/tree/scripts/Dpkg/Build/Info.pm#n50 +ENV_WHITELIST= + +# Toolchain. +ENV_WHITELIST="$ENV_WHITELIST CC CPP CXX OBJC OBJCXX PC FC M2C AS LD AR RANLIB MAKE AWK LEX YACC" +# Toolchain flags. +ENV_WHITELIST="$ENV_WHITELIST CFLAGS CPPFLAGS CXXFLAGS OBJCFLAGS OBJCXXFLAGS GCJFLAGS FFLAGS LDFLAGS ARFLAGS MAKEFLAGS"

I don't understand your point. This is not to set with %configure. It's the job of a rebuilder like https://github.com/fepitre/rpmreproduce

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/1532#discussion_r728396243
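The rebuilder side of the format under discussion, as an added example that is not code from the PR, from rpm or from rpmreproduce: it reads the Debian-style `Field: value` layout the quoted heredoc emits, splits the `EPOCH:NAME-VERSION-RELEASE.ARCH` entries the `rpm -qa` pipeline produces (epoch absent when `(none)` was stripped), and reports which recorded build dependencies a rebuild chroot is missing. The sample file, its package names and the `Environment:` line syntax are constructed for the example; the hunk does not show how environment variables are printed.

```python
"""Rebuilder-side reader for the RPM-flavoured .buildinfo proposed in #1532.

Added example, not code from the PR or from rpmreproduce. Assumes the file keeps
the Debian-style "Field: value" layout with one-space continuation lines, and
that Installed-Build-Depends entries are the EPOCH:NAME-VERSION-RELEASE.ARCH
strings the quoted rpm -qa pipeline emits (epoch omitted when absent). The
Environment line syntax below is an assumption.
"""
import re
from typing import Dict, List, Tuple

NEVRA = Tuple[int, str, str, str, str]

# Constructed sample input; package names and versions are invented.
SAMPLE_BUILDINFO = """\
Format: 1.0-rpm
Build-Architecture: x86_64
Source: hello
Epoch:
Version: 2.10
Release: 1.fc35
Architecture: x86_64
Build-Path: /builddir/build/BUILD
Installed-Build-Depends:
 bash-5.1.8-2.fc35.x86_64
 1:make-4.3-6.fc35.x86_64
 gcc-11.2.1-1.fc35.x86_64
Environment:
 CFLAGS="-O2 -g"
"""

# Version and release cannot contain '-', so the last two dashes delimit them;
# the arch is whatever follows the final '.'.
_NEVRA_RE = re.compile(
    r"^(?:(?P<epoch>\d+):)?(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)"
    r"\.(?P<arch>[^.]+)$"
)


def parse_buildinfo(text: str) -> Dict[str, str]:
    """Parse RFC 822-style fields. A line starting with whitespace continues
    the previous field; continuation lines are joined with newlines so that
    list-valued fields can be split again by the caller."""
    fields: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any field: %r" % raw)
            fields[current] = (fields[current] + "\n" + raw.strip()).strip("\n")
            continue
        key, sep, value = raw.partition(":")
        if not sep or not key.strip():
            raise ValueError("malformed field line: %r" % raw)
        current = key.strip()
        fields[current] = value.strip()
    return fields


def parse_nevra(entry: str) -> NEVRA:
    """Split EPOCH:NAME-VERSION-RELEASE.ARCH into a tuple; a missing epoch is 0,
    which is what rpm itself uses when comparing versions."""
    m = _NEVRA_RE.match(entry.strip())
    if m is None:
        raise ValueError("not a NEVRA string: %r" % entry)
    return (int(m["epoch"] or 0), m["name"], m["version"], m["release"], m["arch"])


def installed_build_depends(fields: Dict[str, str]) -> List[NEVRA]:
    """The recorded build chroot contents, in file order."""
    lines = fields.get("Installed-Build-Depends", "").splitlines()
    return [parse_nevra(line) for line in lines if line.strip()]


def missing_build_depends(recorded: List[NEVRA], available: List[str]) -> List[NEVRA]:
    """Recorded NEVRAs not present in `available` (NEVRA strings, e.g. rpm -qa
    output of the rebuild chroot). Epoch is part of the identity, so
    make-4.3-6.fc35 without an epoch does not satisfy 1:make-4.3-6.fc35."""
    have = {parse_nevra(x) for x in available}
    return [dep for dep in recorded if dep not in have]


if __name__ == "__main__":
    info = parse_buildinfo(SAMPLE_BUILDINFO)
    print(info["Source"], info["Version"], info["Release"], info["Architecture"])
    chroot = ["bash-5.1.8-2.fc35.x86_64", "make-4.3-6.fc35.x86_64"]
    for dep in missing_build_depends(installed_build_depends(info), chroot):
        print("missing:", dep)
```

The epoch handling is the part worth keeping in mind: the sed in the hunk removes the `(none):` prefix, so a rebuilder has to treat "no epoch" as epoch 0 on both sides of the comparison, otherwise `make` with epoch 1 and `make` without one silently compare equal or unequal depending on which side came from `rpm -qa`.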
Re: [Rpm-maint] [rpm-software-management/rpm] Require package names to be valid provides (#1778)
@ffesti pushed 1 commit.

2019abae2439c5d3d4e250098b093e648a1f72d7 Require package names to be valid provides

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/1778/files/c1d631c94bf078936fcfe07b136344f924a112cd..2019abae2439c5d3d4e250098b093e648a1f72d7
Re: [Rpm-maint] [rpm-software-management/rpm] Require package names to be valid provides (#1778)
@ffesti commented on this pull request.

> @@ -19,6 +19,7 @@ #undef HTDATATYPE #define ALLOWED_CHARS_NAME ".-_+%{}" +#define ALLOWED_FIRSTCHARS_NAME "_%{}"

Ok, after reading `rpmCharCheck()` 3 more times: Looks like `%{}` are actually legal in dependency names and only create a warning. So they must not be in the first character.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/1778#discussion_r728107288
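Review bot: `ALLOWED_FIRSTCHARS_NAME "_%{}"` still lists `{` and `}` as permitted leading characters, which contradicts the conclusion reached in this thread that only `%` (tolerated because of macro leakage) needs to be accepted at the start of a name; unless `rpmCharCheck()` treats this set as warn-only, `"_%"` is the set that matches the stated intent. A one-line comment next to the define explaining why `%` is tolerated at all would spare the next reader the repeated re-reading of `rpmCharCheck()`.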
Re: [Rpm-maint] [rpm-software-management/rpm] Validate and require subkey binding signatures on PGP public keys (#1795)
@DemiMarie requested changes on this pull request.

This needs #1705 or equivalent to ensure that non-`PGPSIGTYPE_BINARY` signatures are not accepted as package signatures.

> + if (sigalg->setmpi(sigalg, i, p)) + break;

This requires a corresponding change in the package signature checking code to ensure that package signatures are `PGPSIGTYPE_BINARY`. #1705 is one implementation, and I can replace it with a better one that uses proper accessor functions.

> + 0x99, + (pkt->blen >> 8), + (pkt->blen ),

This is inconsistent (at best) for keys larger than 0x bytes. Not sure if such keys should just be rejected.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/1795#pullrequestreview-778605073
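Review bot: in the `0x99, (pkt->blen >> 8), (pkt->blen )` frame the body length is encoded in two octets, which is what RFC 4880 prescribes for hashing v4 key material, but `pkt->blen` is narrowed silently when it exceeds 0xffff and the digest is then computed over a frame that does not describe the data it precedes; add an explicit `if (pkt->blen > 0xffff) return -1;` (or the equivalent error path) before building the frame rather than relying on the implicit truncation. For the `setmpi` hunk, the `break` on failure needs a visible error path so a malformed MPI cannot leave `rc` at a success value; that path is outside the quoted lines, so please confirm it.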
Re: [Rpm-maint] [rpm-software-management/rpm] Require package names to be valid provides (#1778)
@pmatilai commented on this pull request.

> @@ -19,6 +19,7 @@ #undef HTDATATYPE #define ALLOWED_CHARS_NAME ".-_+%{}" +#define ALLOWED_FIRSTCHARS_NAME "_%{}"

Doh, missed the actual beef of the change there (once again...) While we need to accept %{} from macro leakage in the names, { and } are not actually valid as the first characters.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/1778#pullrequestreview-778391079
Re: [Rpm-maint] [rpm-software-management/rpm] Require package names to be valid provides (#1778)
@ffesti pushed 1 commit.

c1d631c94bf078936fcfe07b136344f924a112cd Require package names to be valid provides

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/1778/files/74c5dc783fbeef4f2495368ae727890187da3cc0..c1d631c94bf078936fcfe07b136344f924a112cd
Re: [Rpm-maint] [rpm-software-management/rpm] Validate and require subkey binding signatures on PGP public keys (#1795)
@pmatilai pushed 3 commits.

7b399fcb8f52566e6f3b4327197a85facd08db91 Process MPI's from all kinds of signatures
236b802a4aa48711823a191d1b7f753c82a89ec5 Refactor pgpDigParams construction to helper function
e233fb844adda74a5199057d1fd7fa20d994564d Validate and require subkey binding signatures on PGP public keys

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/1795/files/6a5ac9dd1330f304130985171666e261a31dd6c6..e233fb844adda74a5199057d1fd7fa20d994564d
Re: [Rpm-maint] [rpm-software-management/rpm] Require package names to be valid provides (#1778)
@pmatilai commented on this pull request.

> @@ -19,6 +19,7 @@ #undef HTDATATYPE #define ALLOWED_CHARS_NAME ".-_+%{}" +#define ALLOWED_CHARS_NAME_FIRST "_%{}"

Ditto here, ALLOWED_FIRSTCHARS_NAME will be more obvious to the reader and easier to grep for.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/1778#pullrequestreview-778278691
Re: [Rpm-maint] [rpm-software-management/rpm] Require package names to be valid provides (#1778)
@pmatilai commented on this pull request.

> @@ -643,17 +643,27 @@ static void specLog(rpmSpec spec, int lvl, const char > *line, const char *msg) * @param allowedchars string of permitted characters * @return RPMRC_OK if OK */ -rpmRC rpmCharCheck(rpmSpec spec, const char *field, const char *allowedchars) +rpmRC rpmCharCheck(rpmSpec spec, const char *field, + const char *allowedchars, + const char *allowedcharsfirst)

I'd call this `allowedfirstchars` instead, after which code will read more like English.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/1778#pullrequestreview-77828
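Review bot: the doxygen block above `rpmCharCheck()` still documents only `allowedchars` and gains no `@param` line for the new third argument; add `@param allowedfirstchars string of characters permitted in the first position` (under whichever name is settled on) and state what a NULL value means, since callers in other files and the header will otherwise have to guess whether NULL falls back to `allowedchars`.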
Re: [Rpm-maint] [rpm-software-management/rpm] Make brp-strip-static-archive multi process (#1787)
I was close to hitting merge but stopped to see whether brp-strip-static-archive is even used, only much to my surprise it was already converted this way. Fix the commit message to talk about brp-strip-comment-note instead :sweat_smile:

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/1787#issuecomment-942072540
Re: [Rpm-maint] [rpm-software-management/rpm] Allow an optional argument for the %verbose macro (#1791)
It's a bit strange perhaps but I don't have any better ideas for the compatibility either. Just update the docs and I'm fine with it.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/1791#issuecomment-942066714
Re: [Rpm-maint] [rpm-software-management/rpm] Validate self-signatures and require subkey bindings on PGP public keys (#1788)
@pmatilai commented on this pull request.

> if (pkttype == PGPTAG_SIGNATURE) break; + + if (alloced <= i) { + alloced *= 2;

To elaborate on that a bit, the suggested change is simply absurd when you could simply place a simple upper bound and error out if exceeded.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/1788#discussion_r727793623
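Review bot: `alloced *= 2` grows the packet array with no ceiling, so the allocation size is driven directly by how many packets an untrusted key block contains and, if `alloced` is an `int`, the doubling eventually overflows it; as the review says, replace the doubling with a fixed maximum packet count and return an error when `i` reaches it, which also removes the need for the realloc path altogether.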
Re: [Rpm-maint] [rpm-software-management/rpm] Validate self-signatures and require subkey bindings on PGP public keys (#1788)
@pmatilai commented on this pull request.

> + /* ignore unknown types */ + rc = 0;

No, rejecting types we cannot handle would only cause us to fail on perfectly legitimate keys. IIRC the PGP spec quite specifically tells you to ignore what you don't know, which generally is the key to future expandable standards.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/1788#discussion_r727789654
Re: [Rpm-maint] [rpm-software-management/rpm] Validate self-signatures and require subkey bindings on PGP public keys (#1788)
@pmatilai commented on this pull request.

> + 0xb4, + (pkt->blen >> 24), + (pkt->blen >> 16), + (pkt->blen >> 8), + (pkt->blen ), + }; + rpmDigestUpdate(hash, head, 5); + rpmDigestUpdate(hash, pkt->body, pkt->blen); + rc = 0; +} +return rc; +} + +static int pgpVerifySelf(pgpDigParams key, pgpDigParams selfsig, + const struct pgpPkt *all, int i) +{

The point is that we don't sprinkle material like this around. This is just redundant clutter in the codebase which makes it unreadable. Whenever you feel the need to add a comment or an assert, it's more likely because the code in question is dumb and could be written in a better way. Such as here.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/1788#discussion_r727785633
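Review bot: `rpmDigestUpdate(hash, head, 5)` hard-codes the frame length separately from the initializer that defines it; `sizeof(head)` ties the two together so a later edit to the frame cannot desynchronise them. A one-line reference to RFC 4880 section 5.2.4 next to the `0xb4` frame (four-octet big-endian length for user ID certifications, as opposed to `0x99` with a two-octet length for key material) would tell readers why this frame differs from the key one without any assert.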
Re: [Rpm-maint] [rpm-software-management/rpm] Validate self-signatures and require subkey bindings on PGP public keys (#1788)
The subkey binding part simplified a bit and split to #1795, the user certification is more involved and has all manner of strange open questions, I don't have time to deal with that now. Thanks for the feedback so far.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/1788#issuecomment-942014125
Re: [Rpm-maint] [rpm-software-management/rpm] Validate self-signatures and require subkey bindings on PGP public keys (#1788)
Closed #1788.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/1788#event-5455103925
[Rpm-maint] [rpm-software-management/rpm] Validate and require subkey binding signatures on PGP public keys (#1795)
All subkeys must be followed by a binding signature by the primary key as per the OpenPGP RFC, enforce the presence and validity in the parser. The implementation is as kludgey as they come to work around our simple-minded parser structure without touching API, to maximise backportability. Store all the raw packets internally as we decode them to be able to access previous elements at will, needed to validate ordering and access the actual data.

Add testcases for manipulated keys whose import previously would succeed.

Depends on the two previous commits: 55d5811a10d5a4c5d965373f5841280a5f43d7ef and d2fcd5380fe3390e695a016727a695829a0a3610

You can view, comment on, or merge this pull request online at: https://github.com/rpm-software-management/rpm/pull/1795

-- Commit Summary --

* Only set MPIs for signature types we can handle (https://github.com/rpm-software-management/rpm/pull/1795/commits/55d5811a10d5a4c5d965373f5841280a5f43d7ef)
* Refactor pgpDigParams construction to helper function (https://github.com/rpm-software-management/rpm/pull/1795/commits/d2fcd5380fe3390e695a016727a695829a0a3610)
* Validate and require subkey binding signatures on PGP public keys (https://github.com/rpm-software-management/rpm/pull/1795/commits/6a5ac9dd1330f304130985171666e261a31dd6c6)

-- File Changes --

M rpmio/rpmpgp.c (125)
M tests/Makefile.am (3)
A tests/data/keys/CVE-2021-3521-badbind.asc (25)
A tests/data/keys/CVE-2021-3521-nosubsig-last.asc (25)
A tests/data/keys/CVE-2021-3521-nosubsig.asc (37)
M tests/rpmsigdig.at (28)

-- Patch Links --

https://github.com/rpm-software-management/rpm/pull/1795.patch
https://github.com/rpm-software-management/rpm/pull/1795.diff

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/1795
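The ordering rule this PR enforces, and the two hash frames argued over in the #1788 and #1795 reviews, as an added example that is not rpm's `rpmpgp.c`: it parses OpenPGP packet framing (old and new format headers), checks that every public-subkey packet is immediately followed by a type-0x18 subkey-binding signature, and builds the `0x99` two-octet and `0xb4` four-octet hash frames, refusing a key body the two-octet length cannot describe. Signatures are not verified cryptographically here; the sample key blocks are constructed from stand-in packet bodies in which only the version and type octets are meaningful, and the `NOSUBSIG` samples are named after the PR's test cases but are not those files.

```python
"""Structural checks an OpenPGP key importer needs before trusting subkeys.

Added example, not rpm's rpmpgp.c. Implements the rule from #1795 (each
public-subkey packet is immediately followed by a subkey-binding signature,
type 0x18) as a packet-framing check, plus the 0x99 / 0xb4 hash frames from
the review. No cryptographic verification; sample bodies are constructed.
"""
import hashlib
from typing import List, Tuple

PGPTAG_SIGNATURE = 2
PGPTAG_PUBLIC_KEY = 6
PGPTAG_USER_ID = 13
PGPTAG_PUBLIC_SUBKEY = 14
PGPSIGTYPE_SUBKEY_BINDING = 0x18

Packet = Tuple[int, bytes]


def parse_packets(data: bytes) -> List[Packet]:
    """Split a binary key block into (tag, body) pairs (RFC 4880 section 4.2).
    Old-format length types 0-2 and new-format one-, two- and five-octet
    lengths are handled; partial and indeterminate lengths are rejected."""
    out: List[Packet] = []
    i = 0
    while i < len(data):
        ctb = data[i]
        i += 1
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % (i - 1))
        if ctb & 0x40:                      # new-format header
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                blen = first
            elif first < 224:
                blen = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                blen = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body length not supported")
        else:                               # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype                  # 1, 2 or 4 length octets
            blen = int.from_bytes(data[i:i + n], "big")
            i += n
        body = data[i:i + blen]
        if len(body) != blen:
            raise ValueError("truncated packet at offset %d" % i)
        i += blen
        out.append((tag, body))
    return out


def key_hash_frame(body: bytes) -> bytes:
    """0x99 plus a two-octet length: the frame hashed for v4 fingerprints and
    for key material under signatures (RFC 4880 sections 5.2.4 and 12.2). Two
    octets cannot encode more than 0xffff, so refuse larger bodies instead of
    truncating silently, which is the inconsistency raised in the review."""
    if len(body) > 0xFFFF:
        raise ValueError("key packet body too large for the two-octet frame")
    return b"\x99" + len(body).to_bytes(2, "big") + body


def userid_hash_frame(body: bytes) -> bytes:
    """0xb4 plus a four-octet length, used for user ID certifications."""
    return b"\xb4" + len(body).to_bytes(4, "big") + body


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over the key hash frame; only v4 key packets are handled."""
    if not body or body[0] != 4:
        raise ValueError("only v4 key packets are handled")
    return hashlib.sha1(key_hash_frame(body)).hexdigest()


def signature_type(body: bytes) -> int:
    """Octets 0 and 1 of a v4 signature body are version and type."""
    if len(body) < 2 or body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    return body[1]


def check_subkey_bindings(packets: List[Packet]) -> List[Tuple[int, str]]:
    """(subkey index, problem) for every subkey not immediately followed by a
    type-0x18 signature; an empty list means the structure is acceptable."""
    problems = []
    for idx, (tag, _) in enumerate(packets):
        if tag != PGPTAG_PUBLIC_SUBKEY:
            continue
        if idx + 1 == len(packets):
            problems.append((idx, "subkey is the last packet, no binding signature"))
            continue
        ntag, nbody = packets[idx + 1]
        if ntag != PGPTAG_SIGNATURE:
            problems.append((idx, "subkey not followed by a signature packet"))
        elif signature_type(nbody) != PGPSIGTYPE_SUBKEY_BINDING:
            problems.append((idx, "signature after subkey is type 0x%02x, not 0x18"
                             % signature_type(nbody)))
    return problems


def packet(tag: int, body: bytes) -> bytes:
    """Encode one packet with a new-format header (used to build the samples)."""
    n = len(body)
    if n < 192:
        hdr = bytes([0xC0 | tag, n])
    elif n < 8384:
        hdr = bytes([0xC0 | tag, ((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        hdr = bytes([0xC0 | tag, 255]) + n.to_bytes(4, "big")
    return hdr + body


# Constructed stand-in bodies: a version octet followed by filler. Not real keys.
PRIMARY_BODY = b"\x04" + b"\x61\x00\x00\x00\x01" + b"\x00\x10\xc0\x01\x00\x11\x01\x00\x01"
SUBKEY_BODY = b"\x04" + b"\x61\x00\x00\x01\x01" + b"\x00\x10\xd5\x03\x00\x11\x01\x00\x01"


def sig_body(sigtype: int) -> bytes:
    """Constructed v4 signature body: version, type, then filler octets."""
    return b"\x04" + bytes([sigtype]) + b"\x01\x08\x00\x00\x00\x00\xab\xcd\x00\x10\xc0\x01"


UID = packet(PGPTAG_USER_ID, b"Example <example@example.org>")
GOOD_KEY = (packet(PGPTAG_PUBLIC_KEY, PRIMARY_BODY) + UID
            + packet(PGPTAG_SIGNATURE, sig_body(0x13))
            + packet(PGPTAG_PUBLIC_SUBKEY, SUBKEY_BODY)
            + packet(PGPTAG_SIGNATURE, sig_body(PGPSIGTYPE_SUBKEY_BINDING)))
# Named after the PR's test cases; shapes only, not the PR's files.
NOSUBSIG_KEY = (packet(PGPTAG_PUBLIC_KEY, PRIMARY_BODY) + UID
                + packet(PGPTAG_SIGNATURE, sig_body(0x13))
                + packet(PGPTAG_PUBLIC_SUBKEY, SUBKEY_BODY) + UID)
NOSUBSIG_LAST_KEY = GOOD_KEY[:-len(packet(PGPTAG_SIGNATURE, sig_body(0x18)))]
```

Note that `key_hash_frame(b"abc")` is byte-for-byte an old-format public-key packet header followed by its body (`0x99` is tag 6 with a two-octet length), which is why the fingerprint frame looks the way it does and why the two-octet limit is inherent to it rather than an implementation choice.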
Re: [Rpm-maint] [rpm-software-management/rpm] Add support for generating buildinfo file as subpackage (#1532)
@voxik commented on this pull request.

> + +printf 'Installed-Build-Depends:\n' >> "$BUILDINFO" +rpm -qa --queryformat '%{epoch}:%{name}-%{version}-%{release}.%{arch}\n' \ +| LC_ALL=C sort -t: -k2 \ +| sed -e 's/^(none)://; /\.(none)$/d; s/^/ /' >> "$BUILDINFO" + +printf 'Environment:\n' >> "$BUILDINFO" + +# Whitelist from Debian's Dpkg: +# https://anonscm.debian.org/git/dpkg/dpkg.git/tree/scripts/Dpkg/Build/Info.pm#n50 +ENV_WHITELIST= + +# Toolchain. +ENV_WHITELIST="$ENV_WHITELIST CC CPP CXX OBJC OBJCXX PC FC M2C AS LD AR RANLIB MAKE AWK LEX YACC" +# Toolchain flags. +ENV_WHITELIST="$ENV_WHITELIST CFLAGS CPPFLAGS CXXFLAGS OBJCFLAGS OBJCXXFLAGS GCJFLAGS FFLAGS LDFLAGS ARFLAGS MAKEFLAGS"

These will not provide any relevant information, unless you set them, which is typically done via call to `%configure` macro in `%build` section.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/1532#pullrequestreview-778183386
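Review bot: the `Environment:` whitelist is populated but nothing in this hunk exports or reads those variables at a point where they hold the values used by the build; as the review notes they are set by `%configure` inside `%build`, so captured here they reflect the outer environment, not the compile. Either run the capture from a hook inside `%build` or document that `Environment:` records only what the spec inherited. Two smaller points: `%{epoch}` prints `(none)` for an unset epoch and the sed then strips it, whereas `%{epochnum}` yields `0` directly and removes the post-processing; and the `anonscm.debian.org` link to `Dpkg/Build/Info.pm` points at a decommissioned host, so reference the current dpkg repository instead.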