| Commit message (Collapse) | Author | Age | Files | Lines |
| |
We already filter out -EOPNOTSUPP and return OK, but the message was
getting logged before the filtering so we'd spit out spurious error
messages on filesystems that don't support SELinux (RhBug:1777502)
(cherry picked from commit 4a71a3eccd7e9e14ee0e83b1cb300386a93622cd)
| |
Refactor the custom exec context setting code to look like setexecfilecon()
in case the real one is not available to eliminate pesky behavioral
differences between the two cases.
This fixes a concrete bug of libselinux setexecfilecon() returning with
an error when security_getenforce() returns with -1 (such as a bare
chroot with no /sys mounts etc), causing us to spit out useless error
messages in that case ever since fixing the bogus if-logic in
commit ab601b882b9d9d8248250111317615db1aa7b7c6.
Fixes: #1077
(cherry picked from commit 153c5c219844f0f294862c9043b20f4d24f7fa69)
| |
Unlike plain "check", this will catch regressions to out-of-tree builds,
source files present in git but missing in tarballs, etc so they are
found when introduced instead of pre-release heat.
To make this work we need to move the working dir inside docker away
from /opt, the combination of root user and distcheck blows our whole
directory away at some point and things don't work so well after that.
In addition, rpmtests.log is no more in a nice and easy location
because it's failing somewhere inside the nested build thingie, so
try to find it...
We also need a few more packages installed now: git for the changelog
and doxygen for api docs. And ima-evm-utils-devel to build the plugin,
not the utils.
(cherry picked from commit 595c4f274084e1afff74c3211b0bee3bf6a9b3cd)
| |
There appears to be some sort of race inside make distcheck where
the second run of the test-suite gets stuck trying to kill the gpg-agent
of previous run, it seems to close the connection but then gets
"connection reset by peer" error, drops into the gpg-connect-agent prompt
and refuses to die. My theory is that this has to do with distcheck
nuking the directory in between but that's just a theory, I can't
reproduce this locally to debug properly.
The simpler approach of "gpgconf --kill gpg-agent" appears to help
it not getting tangled up in its own feet, but let's not leave those
agents spying around after the test-suite completes to begin with.
Leaving the initial gpg-agent shutdown in place to cope with situations
where the test-suite is aborted (ctrl-c or such).
(cherry picked from commit 7e4472159b173e09c7e6758eac61036d12dddbf7)
| |
(cherry picked from commit 390befdae26a495696c5064fc76710c66a0acac9)
| |
Additionally run distcheck with --disable-dependency-tracking to speed
it up a little.
(cherry picked from commit a03350c8f72b3c39aac14e1c98f039ef2032efb8)
| |
(cherry picked from commit a08ce7be1365f85577437242d91ec42c348c4f1f)
But still use make check instead of make distcheck
| |
CI has been running on latest stable Fedora and rawhide, both of which
can and do change outside our control and cause previously working
code to stop building overnight due to new compiler versions etc being
introduced. This is not a sane situation for mandatory CI, we need
to be able to validate the codebase on a given version *before* moving
to it. Setting the version in the Dockerfile instead of external scripts
ties the codebase and validated versions together as they should.
This still leaves us subject to updates breaking stuff, but that's
a lesser evil, updates are generally welcome.
(cherry picked from commit 9a7e8e15705e81661f58374fdd83ac5ce425d99b)
| |
Thanks to Igor for originally setting this up, but the project and
its contents are maintained by a team, not individuals.
(cherry picked from commit 2e33c79b13ff7cb983f7d72f6f202f4fc9aa6a22)
| |
Python tests fail otherwise
| |
This allows to reuse more of the container build
| |
Commit 0bd50344ba8c3dc13fe847048ba97c1490e321a9 broke the testsuite
due to us having all sorts of hysterical "for example" gunk in our specs.
Axe the cruft and adjust the one actually used obsolete to have a
version.
| |
Modern distributions have switched /usr/bin/python to be Python 3.
This rpm version still needs to use Python 2 especially for the test suite.
| |
Oh the joys of Python 3 transition :(
| |
This essentially reverts commit ff43d03d1f9686c9ffa9232a64e253783309feb5
which made these all thread local. It might not be quite right, but then
using TLS is not sensible either - threads have their own signal *mask*,
but disposition is global, and most of what we do here is global anyway.
In addition, the signal queue is only enabled in places where threads
are not used (or would not be safe anyhow) so reverting for now seems
the lesser evil.
(cherry picked from commit 453e7afa406168b83b1f3244db4a096f247a76b9)
| |
Commit 6487e873f3169c2bffbd52808b6c749e6c104ff5 introduced a thread local
BUFSIZ static buffer for header format error reporting but thread local
storage is apparently a rather scarce resource (on some architectures more
so than others) and a static buffer is highly excessive use of that resource.
Use a thread local pointer to dynamically (re)allocated buffer instead.
(cherry picked from commit 0fd720b1f0d3ec733dc1592bb3a7131e899c246b)
| |
Every now and then you need the v-version instead, and now rasprintf()
implementation comes practically free on top.
(cherry picked from commit d9dbd6ece3ba94d41c1b720565a26e50ac6757e8)
| |
(cherry picked from commit b9ee269fba54a4a7c91e594f907eef3c8c6c76c0)
| |
Some old v4.0 era packages have RPMTAG_HEADERIMAGE in the signature
header region trailer, instead of the expected RPMTAG_HEADERSIGNATURES.
This was fixed in 4.4.x in commit 21818c6c8f3d4fe7836326d27f38421c29c22db7
but regressed in the commit 85a5b004306fe8486424142cdc98575c25142776
refactoring / cleanup.
Reported at https://bugzilla.altlinux.org/show_bug.cgi?id=33710, original
patch by Vladimir D. Seleznev.
(cherry picked from commit 7a2f891d25d78cf797c789ac6859b5f2c589d296)
| |
Commit a239ddefa90575ce80ed4436beb4005a97e32644 changed rpmpkgVerifySigs()
to accept fine-grained vsflags instead of query/verify style
nosignature/nodigest hammers, but rpmVerifySignatures() didn't get
updated accordingly. This will cause most unexpected behavior (in particular
in 4.14.x), for example QUERY_DIGEST which was used for disabling all
digest verification was defined as (1 << 19), which happens to be the same
as RPMVSF_NORSA which is how it would now be treated. Similarly confusion
with VERIFY_SCRIPT becoming RPMVSF_NODSA etc.
Just use the transaction verify flags instead, and mark the qva argument
as unused. It's an API change but that's okay in 4.15, and it's also an
explicit breakage at compile time (due to those DIGEST/SIGNATURE symbols
removal). In 4.14.x this is a regression but can be fixed within the API.
(cherry picked from commit 929c61e7507d2132c5263f567ccce89f2090f8a3)
| |
The generic case was reported in #270 and fixed quite a while ago in
commit 34c2ba3c6a80a778cdf2e42a9193b3264e08e1b3, but signing uses a
different code path and requires the same treatment.
Fixes: #1002
(cherry picked from commit bb30f997c4b22c0d5cf6752f15d2af17538f91f0)
| |
Introduced in commit 27ea3f8624560bd158fc7bc801639310a0ffab10, the
wrong header is being added in case of v3 packages.
Fixes: #1017
(cherry picked from commit 85e5a70368854da0537099128530b0df69ca2216)
| |
Oops, all this time our most important build-dependency had been missing.
Add a version recommendation too - while rpm almost certainly works with
1.12 and 1.11 too, those are getting *really* long in the tooth, and 1.13
has an important type fix in poptGetOptArg() return value so might as
well use that as the base.
(cherry picked from commit 2c5794469188ab7a6e7e930ff167bfa0e08f2415)
| |
As the code in the rpmio sub directory was split out of the lib sub dir
it is already under LGPL as "code derived from" "the source code in the
lib subdirectory" according to the license. But not having the sub directory
mentioned in the license confuses users and contributors.
The original release tarballs in http://ftp.rpm.org/releases/historical/ show
the license was changed into the existing dual one between rpm 2.4.3 and 2.4.4,
and that no rpmio/ directory exists at that time. Our git repo disagrees with
the time of rpmio/ split due to some conversion artifacts (cvs to mercury to
git), as it shows rpmio/ directory existing from the first commit, but this was
not actually the case.
The license stating that the dual license is there to allow linking with librpm
from non-GPL code supports this interpretation as librpmio is required in order
to use librpm even if it is a separate library nowadays.
So this change does not change the license of any code but only clarifies the
current situation.
Resolves: #516
(cherry picked from commit d5c69756cf6cd16e7c2e8b81fba19bf81f3dd1ba)
| |
poptGetOptArg() returns malloced strings and caller needs to free.
This will still leak on error paths but at least normal use is covered.
(cherry picked from commit af73aba20f856de3ebc9751166a2364e795b199d)
(cherry picked from commit 3a65abde579abc8331de59e5c99e5acc0cf96427)
| |
-P can appear multiple times so a string arg pointer is not the right
thing here in any case. There are other similar and related leaks all
over the codebase but this is especially insulting as the leaked pointer
was never used for anything at all.
Thanks to Peter Jones for pointing this out.
(cherry picked from commit 29d70efb1d9b2161f3fcdbdf71945d6c7308432d)
(cherry picked from commit c0fbb408068b5e2757971f32338690365eb0933f)
| |
Previously, we assumed a backslash character would always be followed by
a character to be escaped, and advanced our "start" pointer by two
places before the next iteration. However, this assumption breaks if
the lonely backslash happens to be the last character in the query
string, in which case we would end up pointing beyond the \0 and let the
parser wander into the unknown, possibly crashing later.
This commit ensures we detect this corner case and error out gracefully
with a message.
(cherry picked from commit 1cb3be0009fbfd5549844ec361cc1ae5efa9c153)
(cherry picked from commit c634836db4dcbbf31cdc6b55224b3a95245ad744)
| |
Misplaced parenthesis introduced in commit 148e82833a.
Fixes #872
(cherry picked from commit ab601b882b9d9d8248250111317615db1aa7b7c6)
(cherry picked from commit 1c9b0fcda92dad419fb340c0dc2a840cb017f6a5)
| |
Commit 708e61307bc3fd027b016fdf5a1d1a5274c1843c introduced a memory leak
on the error object: if the message is suppressed then the error object
is never freed. Test for the suppression conditions separately to fix.
(cherry picked from commit 4ddab4fb7e1ccc7dc466534250177b7d2682a9e2)
| |
The message may just confuse users if DBus is not running as default,
e.g. single-user mode. We suppress it when DBus is not available,
which is done by checking two cases:
socket does not exist (DBUS_ERROR_FILE_NOT_FOUND), or
unable to connect to server (DBUS_ERROR_NO_SERVER).
Note that this is an approximate but not an exact way to detect
whether DBus service should be running in the environment or not.
(cherry picked from commit 708e61307bc3fd027b016fdf5a1d1a5274c1843c)
(cherry picked from commit b1e85a9172b8f17fece8cb3882ae95a8937a9f13)
| |
(cherry picked from commit 655c4c72a3467037abd51aab29f0300e97caf54c)
(cherry picked from commit 8ac9af9d0a63c935e7eb7436f6d69fded7f7eb2b)
| |
Found during RhBug:1714657 QA testing.
In addition, add a comment to clarify the fallthrough as intentional.
(cherry picked from commit 5188a7b35eb3672c9b15e96433e033ee36f8e6a8)
(cherry picked from commit 307d608e98f78bfe17e79c53fcde56ba8917728f)
| |
hdrblobGet() introduced in commits acfde0d0e812e9f8e153ab6be8c9f2682bdd4763
and 9821de18811db97238c34a564221e315f5f35b44 has an off-by-one thinko
(perhaps the idea was to skip the first, region tag) which causes
the last entry to be unreachable. In typical packages, that is
RPMSIG_PAYLOADSIZE which is not used at all in this context so it doesn't
matter, but large packages use RPMSIG_LONGARCHIVESIZE which has a lower
tag number and leaves either RPMSIGTAG_MD5 or RPMSIGTAG_GPG last,
unreachable and thus unverifiable. Oops.
This fixes the regression introduced in rpm 4.14, affecting verification
of large packages (ie having RPMSIG_LONGARCHIVESIZE)
(cherry picked from commit e219c9548d16a3c18dd261f7043bb8d221b87c77)
(cherry picked from commit 0b0f4a1a3c3eca8801e624e68d025afbb6b6e86d)
| |
and the limitations in FIPS mode
(cherry picked from commit be3347b5bff6142e86e533174fe0ec352405d159)
(cherry picked from commit d615098e4ea8937dd63291f6b2008253733632b7)
| |
(cherry picked from commit 7a227533d1342dccc5b3717554a35dbe2baa9832)
(cherry picked from commit 07f565a13665347a7bb6dba3726c4a9248bc7bb1)
| |
Fixes https://github.com/rpm-software-management/rpm/issues/639
(cherry picked from commit 4c8b584074061c606883ce3f18c8c9024d8610f5)
| |
With the introduction of the annobin gcc plugin to the build process,
built binary files have become larger. Sometimes significantly so.
This is a patch that adds a new step to the post-link process performed
by rpmbuild, to run the objcopy program with the --merge-notes option
specified. This will reduce the size of the annobin notes in binary
files, thus alleviating the size growth.
(cherry picked from commit cc1965ce3acaa7d9356b7671050a15e2cda2f424)
| |
(cherry picked from commit 475af64f64cbc210c87588d425fa9a14cd9760b6)
| |
When adding update elements, we set the erase element to depend on the
install element, but if an API user adds the same erasure manually
after adding the update, we know it's a duplicate erasure and filter
it out, BUT we zero out the dependent element in the process. And
if installing the update now fails, we end up removing the whole package
due to that missing dependent element.
This never happens with rpm itself so we can't easily test it, but is
100% reproducible with dnf (at least dnf 3-4). Apparently it adds all
erasures by itself (which is kind of understandable I guess, perhaps
we should better allow this in the API)
(cherry picked from commit a144c29831a39ed303d6ea8d2ae91e1c36d64c84)
| |
When called in spec context, the package structs are properly freed
but in rpmdeps context, commit 49f2bb7d8fd91f2d8b22bf7128fd3defe4ed5434
only added a "dirty kludgery" to make it not blow up. This causes
the rpmds structures created in rpmfcApplyInternal() to leak memory.
Make freePackage() internally available and use it for freeing the
dummy struct too to fix.
(cherry picked from commit df4f6a20c3bbf0d319643c17fb16364f64a1b10a)
| |
Fixes "warning: ‘rc’ may be used uninitialized in this function"
introduced in commit c73b0f34e32c299c87b7163352808d1071a05d2b.
(cherry picked from commit 57899bd3bfd8f310bde823df81db556b6fd606dc)
| |
If multiple arguments are passed to rpm2archive, convert them all to
tgz. (Previous behavior was to convert only the first one and
silently ignore the rest.)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Co-authored-by: Florian Festi <ffesti@redhat.com>
(cherry picked from commit c73b0f34e32c299c87b7163352808d1071a05d2b)
| |
Before the patch rpm treats the relative path as a full path.
The new behavior is similar to the "--root" option.
(cherry picked from commit d313baf1d3a4756447e398ee55f8c6760f942d50)
| |
Fixes https://github.com/rpm-software-management/rpm/issues/664
(cherry picked from commit 98d6b7bce028a7d6615a7c81c5a63d2b72825847)
| |
Use dwelf_elf_begin() for reading ELF files for build-id generation on
versions that have it to support compressed ELF files such as kernel
modules (RhBug:1650072,1650074). Note that debugedit still cannot handle
compressed files, this is only for build-id generation.
(cherry picked from commit d48981ad7e36abb3500161d823acf92345c94f5d)
| |
File extension based heuristics only work so far at best, and break
completely on compressed files with arbitrary .gz/.xz etc extension.
This isn't supposed to change any behavior as such, only provide more
reliable detection of kernel modules.
(cherry picked from commit 68d383c39cef8d58b80940b13dd132d3f41a03f0)