PR#13: Merge remote-tracking branch 'gitlab/c9s' into c9s-sig-hyperscale - rpms/rpm

rpms / rpm

#13 Merge remote-tracking branch 'gitlab/c9s' into c9s-sig-hyperscale

Merged 8 months ago by chantra. Opened 8 months ago by richardphibel.

rpms/ richardphibel/rpm c9s-sig-hyperscale into c9s-sig-hyperscale

Merge remote-tracking branch 'gitlab/c9s' into c9s-sig-hyperscale

Richard Phibel • 8 months ago

71eb79

0001-Macroize-find-debuginfo-script-location.patch

file added

+51

		`@@ -0,0 +1,51 @@`
		`+ From 1a2554da434548e916240796fe7ca9689c5771fe Mon Sep 17 00:00:00 2001`
		`+ From: Panu Matilainen <pmatilai@redhat.com>`
		`+ Date: Thu, 27 May 2021 13:58:58 +0300`
		`+ Subject: [PATCH] Macroize find-debuginfo script location`
		`+`
		`+ Makes it easier to handle varying paths, mainly in preparation for the`
		`+ next step.`
		`+`
		`+ (cherry picked from commit ce48167f37af59b6366083fb78a314f7931c0c6b)`
		`+ ---`
		`+ configure.ac \| 1 +`
		`+ macros.in \| 4 +++-`
		`+ 2 files changed, 4 insertions(+), 1 deletion(-)`
		`+`
		`+ diff --git a/configure.ac b/configure.ac`
		`+ index 39f9a0e5b..35b4dff4c 100644`
		`+ --- a/configure.ac`
		`+ +++ b/configure.ac`
		`+ @@ -113,6 +113,7 @@ AC_PATH_PROG(__NM, nm, /usr/bin/nm, $MYPATH)`
		`+ AC_PATH_PROG(__OBJCOPY, objcopy, /usr/bin/objcopy, $MYPATH)`
		`+ AC_PATH_PROG(__OBJDUMP, objdump, /usr/bin/objdump, $MYPATH)`
		`+ AC_PATH_PROG(__STRIP, strip, /usr/bin/strip, $MYPATH)`
		`+ +AC_PATH_PROG(__FIND_DEBUGINFO, find-debuginfo, /usr/bin/find-debuginfo, $MYPATH)`
		`+`
		`+ AC_PATH_PROG(__GIT, git, /usr/bin/git, $MYPATH)`
		`+ AC_PATH_PROG(__HG, hg, /usr/bin/hg, $MYPATH)`
		`+ diff --git a/macros.in b/macros.in`
		`+ index 24b124702..2bcf07ef8 100644`
		`+ --- a/macros.in`
		`+ +++ b/macros.in`
		`+ @@ -80,6 +80,8 @@`
		`+ %__remsh %{__rsh}`
		`+ %__strip @__STRIP@`
		`+`
		`+ +%__find_debuginfo @__FIND_DEBUGINFO@`
		`+ +`
		`+ #==============================================================================`
		`+ # Conditional build stuff.`
		`+`
		`+ @@ -149,7 +151,7 @@`
		`+ # _find_debuginfo_vendor_opts to pass options to the script.`
		`+ #`
		`+ %__debug_install_post \`
		`+ - %{_rpmconfigdir}/find-debuginfo.sh \\\`
		`+ + %{__find_debuginfo} \\\`
		`+ %{?_smp_build_ncpus:-j%{_smp_build_ncpus}} \\\`
		`+ %{?_missing_build_ids_terminate_build:--strict-build-id} \\\`
		`+ %{?_no_recompute_build_ids:-n} \\\`
		`+ --`
		`+ 2.41.0`
		`+`

rpm-4.16.1.3-IMA-without-xattr.patch

file added

+41

		`@@ -0,0 +1,41 @@`
		`+ Based on`
		`+`
		`+ From 7db2efa95d859cebda2b095ffdffac42812bd6d9 Mon Sep 17 00:00:00 2001`
		`+ From: Darren Kenny <darren.kenny@oracle.com>`
		`+ Date: Tue, 22 Feb 2022 16:57:00 +0000`
		`+ Subject: [PATCH] ima: Install on filesystems without xattr support without`
		`+ failing`
		`+`
		`+ If an RPM contains IMA signed digests and rpm-plugin-ima is installed,`
		`+ then any attempt to install to a filesystem that doesn't support`
		`+ extended attributes will cause the RPM installation to fail.`
		`+`
		`+ This can be seen, for example, if installing a file /boot, which is`
		`+ usually a vFAT filesystem.`
		`+`
		`+ The rpm-plugin for selinux fixed this some time back, and that same`
		`+ logic can be applied to IMA too - where, if a failure to set an extended`
		`+ attribute results in an errno that is set to EOPNOTSUPP, then this`
		`+ should not cause a complete failure, but should instead just be logged`
		`+ at a debug level.`
		`+`
		`+ Signed-off-by: Darren Kenny <darren.kenny@oracle.com>`
		`+`
		`+ --- rpm-4.16.1.3/plugins/ima.c.orig 2023-05-02 18:19:25.095992859 +0200`
		`+ +++ rpm-4.16.1.3/plugins/ima.c 2023-05-02 18:21:46.032941008 +0200`
		`+ @@ -69,10 +69,13 @@`
		`+ fsig = rpmfiFSignature(fi, &len);`
		`+ if (fsig && (check_zero_hdr(fsig, len) == 0)) {`
		`+ if (lsetxattr(path, XATTR_NAME_IMA, fsig, len, 0) < 0) {`
		`+ - rpmlog(RPMLOG_ERR,`
		`+ + int is_err = errno != EOPNOTSUPP;`
		`+ + rpmlog(is_err?RPMLOG_ERR:RPMLOG_DEBUG,`
		`+ "ima: could not apply signature on '%s': %s\n",`
		`+ path, strerror(errno));`
		`+ - rc = RPMRC_FAIL;`
		`+ + if (is_err) {`
		`+ + rc = RPMRC_FAIL;`
		`+ + }`
		`+ }`
		`+ }`
		`+`

rpm-4.16.1.3-external-debugedit.patch

file added

+11

		`@@ -0,0 +1,11 @@`
		`+ --- rpm-4.16.1.3/tests/Makefile.am.orig 2023-05-03 12:44:36.287582896 +0200`
		`+ +++ rpm-4.16.1.3/tests/Makefile.am 2023-05-03 12:46:34.182938006 +0200`
		`+ @@ -170,7 +170,7 @@`
		`+ for d in dev etc magic tmp var; do if [ ! -d testing/$${d} ]; then mkdir testing/$${d}; fi; done`
		`+ for node in urandom stdin stderr stdout null full; do ln -s /dev/$${node} testing/dev/$${node}; done`
		`+ for cf in hosts resolv.conf passwd shadow group gshadow mtab ; do [ -f /etc/$${cf} ] && ln -s /etc/$${cf} testing/etc/$${cf}; done`
		+ - for prog in gzip cat patch tar sh ln chmod rm mkdir uname grep sed find file ionice mktemp nice cut sort diff touch install wc coreutils xargs; do p=`which $${prog}`; if [ "$${p}" != "" ]; then ln -s $${p} testing/$(bindir)/; fi; done
		+ + for prog in gzip cat patch tar sh ln chmod rm mkdir uname grep sed find file ionice mktemp nice cut sort diff touch install wc coreutils xargs debugedit find-debuginfo find-debuginfo.sh ; do p=`which $${prog}`; if [ "$${p}" != "" ]; then ln -s $${p} testing/$(bindir)/; fi; done
		`+ for d in /proc /sys /selinux /etc/selinux; do if [ -d $${d} ]; then ln -s $${d} testing/$${d}; fi; done`
		`+ (cd testing/magic && file -C)`
		`+ chmod -R u-w testing/`

rpm.spec

file modified

+35 -3

		`@@ -42,7 +42,7 @@`

		`%global rpmver 4.16.1.3`
		`#global snapver rc1`
		`- %global rel 22.5`
		`+ %global rel 25.1`
		`%global sover 9`

		`%global srcver %{rpmver}%{?snapver:-%{snapver}}`
		`@@ -108,12 +108,14 @@`
		`Patch122: rpm-4.16.1.3-Support-long-languages-names-for-QT.patch`
		`Patch123: rpm-4.14.3-rpm2archive-parse-popt-options.patch`
		`Patch124: rpm-4.14.3-rpm2archive-Don-t-print-usage.patch`
		`+ Patch125: rpm-4.16.1.3-IMA-without-xattr.patch`

		`# These are not yet upstream`
		`Patch906: rpm-4.7.1-geode-i686.patch`
		`# Probably to be upstreamed in slightly different form`
		`Patch907: rpm-4.15.x-ldflags.patch`
		`Patch908: 0001-Give-warning-on-not-supported-hash-for-RSA-keys.patch`
		`+ Patch909: rpm-4.16.1.3-external-debugedit.patch`

		`# Not yet (all) upstream, debugedit DWARF5`
		`# https://code.wildebeest.org/git/user/mjw/rpm/log/?h=gcc-dwarf5-4.16.1.2`
		`@@ -127,8 +129,9 @@`
		`# Downstream-only patches`
		`Patch1000: rpm-4.16.1.3-hashtab-use-after-free-fix.patch`
		`Patch1001: rpm-4.16.1.3-find_debuginfo_vendor_opts.patch`
		`+ Patch1002: 0001-Macroize-find-debuginfo-script-location.patch`
		`%if %{with zstd}`
		`- Patch1002: rpm-4.16.1.3-backport-multithreaded-zstd.patch`
		`+ Patch1003: rpm-4.16.1.3-backport-multithreaded-zstd.patch`
		`%endif`

		`# fsverity support`
		`@@ -211,7 +214,7 @@`
		`%endif`

		`%if %{with check}`
		`- BuildRequires: fakechroot gnupg2`
		`+ BuildRequires: fakechroot gnupg2 debugedit`
		`%endif`

		`# XXX generally assumed to be installed but make it explicit as rpm`
		`@@ -341,6 +344,7 @@`
		`# "just work" while allowing for alternatives, depend on a virtual`
		`# provide, typically coming from redhat-rpm-config.`
		`Requires: system-rpm-config`
		`+ Requires: debugedit`

		`%description build`
		`The rpm-build package contains the scripts and executable programs`
		`@@ -539,6 +543,19 @@`
		`%py3_install`
		`popd`

		`+ cat > $RPM_BUILD_ROOT/%{rpmhome}/debugedit << END`
		`+ #!/bin/sh`
		`+ /usr/bin/debugedit "\$@"`
		`+ END`
		`+ cat > $RPM_BUILD_ROOT/%{rpmhome}/sepdebugcrcfix << END`
		`+ #!/bin/sh`
		`+ /usr/bin/sepdebugcrcfix "\$@"`
		`+ END`
		`+ cat > $RPM_BUILD_ROOT/%{rpmhome}/find-debuginfo.sh << END`
		`+ #!/bin/sh`
		`+ /usr/bin/find-debuginfo.sh "\$@"`
		`+ END`
		`+`
		`mkdir -p $RPM_BUILD_ROOT%{_unitdir}`
		`install -m 644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}`
		`install -m 644 %{SOURCE20} $RPM_BUILD_ROOT/%{_unitdir}`
		`@@ -777,12 +794,27 @@`
		`%doc doc/librpm/html/*`

		`%changelog`
		`+ * Thu Aug 17 2023 Richard Phibel <richardphibel@meta.com> - 4.16.1.3-25.1`
		`+ - Merge upstream changes for Hyperscale`
		`+`
		`* Fri Aug 11 2023 Richard Phibel <richardphibel@meta.com> - 4.16.1.3-22.5`
		`- Fix issue for transaction with transcoded and non-transcoded packages`

		`+ * Fri Jun 30 2023 Florian Festi <ffesti@redhat.com> - 4.16.1.3-25`
		`+ - Followup on #2166383`
		`+ - Add compat scripts calling external find-debug, sepdebugcrcfix and debugedit`
		`+ - Add %%__find_debuginfo macro`
		`+`
		`* Mon May 22 2023 Richard Phibel <richardphibel@meta.com> - 4.16.1.3-22.4`
		`- Fix stack overflow in rpm2extents and various memory leaks`

		`+ * Thu May 04 2023 Florian Festi <ffesti@redhat.com> - 4.16.1.3-24`
		`+ - Use external find-debug and debugedit (#2166383)`
		`+`
		`+ * Wed May 03 2023 Florian Festi <ffesti@redhat.com> - 4.16.1.3-23`
		`+ - Don't error out on IMA signatures on files not supporting them`
		`+ (#2157835, #2157836)`
		`+`
		`* Sat Feb 11 2023 Davide Cavalca <dcavalca@centosproject.org> - 4.16.1.3-22.3`
		`- Drop our selinux policy as it's been subsumed by the main one`