Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package rpmlint for openSUSE:Factory checked in at 2025-11-04 18:40:24 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rpmlint (Old) and /work/SRC/openSUSE:Factory/.rpmlint.new.1980 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rpmlint" Tue Nov 4 18:40:24 2025 rev:514 rq:1315303 version:2.8.0+git20251103.f505f80e Changes: -------- --- /work/SRC/openSUSE:Factory/rpmlint/rpmlint.changes 2025-10-30 17:10:11.095564277 +0100 +++ /work/SRC/openSUSE:Factory/.rpmlint.new.1980/rpmlint.changes 2025-11-04 18:40:29.308707282 +0100 @@ -1,0 +2,25 @@ +Mon Nov 03 13:34:34 UTC 2025 - Filippo Bonazzi <[email protected]> + +- Update to version 2.8.0+git20251103.f505f80e: + * sysctl-whitelist: Support old aaa_base whitelisting + +------------------------------------------------------------------- +Mon Nov 03 10:50:55 UTC 2025 - Filippo Bonazzi <[email protected]> + +- Update to version 2.8.0+git20251103.a49f9de0: + * Drop dir-or-file-outside-snapshot badness to zero for now (bsc#1253008) + +------------------------------------------------------------------- +Fri Oct 31 09:45:54 UTC 2025 - Filippo Bonazzi <[email protected]> + +- Update to version 2.8.0+git20251031.69a6412f: + * lint: Fix rpmlintrc option parsing + * sysctl-whitelist: whitelist new default hiding of dmesg (bsc#1249686) + * test: Add some tests for AtomicUpdateCheck + * Add checks for atomic update compatibility + * sysctl-whitelist: add health-checker panic=5 (bsc#1252778) + * cli: Remove double check of rpmlintrc file + * Permit repeating --rpmlintrc + * Fix typo + +------------------------------------------------------------------- Old: ---- rpmlint-2.8.0+git20251027.5075e84c.tar.xz New: ---- rpmlint-2.8.0+git20251103.f505f80e.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rpmlint.spec ++++++ --- /var/tmp/diff_new_pack.7pAtsS/_old 2025-11-04 18:40:30.748767906 +0100 +++ /var/tmp/diff_new_pack.7pAtsS/_new 2025-11-04 18:40:30.756768242 +0100 @@ -1,7 +1,6 @@ # # spec file for package rpmlint # -# Copyright (c) 2025 SUSE LLC # Copyright (c) 2025 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties 
@@ -24,7 +23,7 @@ %define name_suffix -%{flavor} %endif Name: rpmlint%{name_suffix} -Version: 2.8.0+git20251027.5075e84c +Version: 2.8.0+git20251103.f505f80e Release: 0 Summary: RPM file correctness checker License: GPL-2.0-or-later ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.7pAtsS/_old 2025-11-04 18:40:30.836771610 +0100 +++ /var/tmp/diff_new_pack.7pAtsS/_new 2025-11-04 18:40:30.840771778 +0100 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/rpm-software-management/rpmlint.git</param> - <param name="changesrevision">5075e84cbbc802f5faf7cc860b084e96688074d3</param></service></servicedata> + <param name="changesrevision">f505f80e0bb2377d6a893b030ce0bb144faa1e1e</param></service></servicedata> (No newline at EOF) ++++++ rpmlint-2.8.0+git20251027.5075e84c.tar.xz -> rpmlint-2.8.0+git20251103.f505f80e.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-2.8.0+git20251027.5075e84c/configs/openSUSE/opensuse.toml new/rpmlint-2.8.0+git20251103.f505f80e/configs/openSUSE/opensuse.toml --- old/rpmlint-2.8.0+git20251027.5075e84c/configs/openSUSE/opensuse.toml 2025-10-27 16:14:42.000000000 +0100 +++ new/rpmlint-2.8.0+git20251103.f505f80e/configs/openSUSE/opensuse.toml 2025-11-03 14:34:02.000000000 +0100 @@ -6,6 +6,10 @@ UseVersionInChangelog = false BadnessThreshold = 999 +# Set to true to issue a warning for ghost entries outside snapshots +# when checking for atomic update compatibility +AtomicCheckGhosts = false + # Enabled checks for the rpmlint to be run (besides the default set) Checks = [ "BashismsCheck", @@ -24,6 +28,7 @@ "SystemdTmpfilesCheck", "SUIDPermissionsCheck", "WorldWritableCheck", + "AtomicUpdateCheck", ] # List of directory prefixes that are not allowed in packages 
@@ -31,6 +36,25 @@ "/etc/NetworkManager/dispatcher.d", ] +# Only these directories may be used by packages compatible with +# atomic updates +AtomicAllowedDirs = [ + "/etc/", + "/usr/", + "/bin/", + "/lib/", + "/lib64/", + "/sbin/", + "/boot/", +] + +# List of subdirectories which are disallowed for atomic updates +# despite being within otherwise allowed directories +AtomicDisallowedSubdirs = [ + "/usr/local/", + "/boot/efi/", +] + FilterErrorTitles = [ 'cross-directory-hard-link', ] @@ -83,6 +107,7 @@ '^filesystem\..*: dir-or-file-in-tmp', '^filesystem\..*: dir-or-file-in-mnt', '^filesystem\..*: dir-or-file-in-home', + '^filesystem\..*: dir-or-file-outside-snapshot', '^filesystem\..*: hidden-file-or-dir /root/.gnupg', '^filesystem\..*: hidden-file-or-dir /root/.gnupg', '^filesystem\..*: hidden-file-or-dir /etc/skel/.config', diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-2.8.0+git20251027.5075e84c/configs/openSUSE/scoring.toml new/rpmlint-2.8.0+git20251103.f505f80e/configs/openSUSE/scoring.toml --- old/rpmlint-2.8.0+git20251027.5075e84c/configs/openSUSE/scoring.toml 2025-10-27 16:14:42.000000000 +0100 +++ new/rpmlint-2.8.0+git20251103.f505f80e/configs/openSUSE/scoring.toml 2025-11-03 14:34:02.000000000 +0100 
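Review bot: The comment above `AtomicAllowedDirs` does not say why `/bin/`, `/lib/`, `/lib64/`, `/sbin/` and `/boot/` are accepted, while the check's docstring and the `dir-or-file-outside-snapshot` description added elsewhere in this commit name only `/etc` and `/usr` as the snapshot. A packager who hits the error reads the description, so the two should agree. A comment such as `# /bin, /lib, /lib64 and /sbin are accepted as legacy paths into /usr; /boot is <reason>` would record the intent; the rationale is not visible on this page and is only presumed. The same two lists are repeated verbatim in `rpmlint/configdefaults.toml`, so the comment belongs in both places, or the openSUSE copy could be dropped if it adds nothing to the defaults.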
@@ -100,3 +100,7 @@ zypperplugin-file-unauthorized = 10 patch-macro-old-format = 10000 logrotate-user-writable-log-dir = 10000 + +# Set to 10000 once affected packages have been updated +# for atomic update compatibility +dir-or-file-outside-snapshot = 0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-2.8.0+git20251027.5075e84c/configs/openSUSE/sysctl-whitelist.toml new/rpmlint-2.8.0+git20251103.f505f80e/configs/openSUSE/sysctl-whitelist.toml --- old/rpmlint-2.8.0+git20251027.5075e84c/configs/openSUSE/sysctl-whitelist.toml 2025-10-27 16:14:42.000000000 +0100 +++ new/rpmlint-2.8.0+git20251103.f505f80e/configs/openSUSE/sysctl-whitelist.toml 2025-11-03 14:34:02.000000000 +0100 @@ -66,6 +66,27 @@ [[FileDigestGroup.digests]] path = "/usr/lib/sysctl.d/50-default.conf" digester = "shell" +hash = "c440fe069ee0bdfa77e5c3c594b473aa379788717e1ac55bb4cc5dc74812dc0e" +[[FileDigestGroup.digests]] +path = "/usr/lib/sysctl.d/50-pid-max.conf" +digester = "shell" +hash = "dd590458104d1bc68b9233e018575925d3c14e667217cfb69a410cbdf4cde9a7" +[[FileDigestGroup.digests]] +path = "/usr/lib/sysctl.d/51-network.conf" +digester = "shell" +hash = "4292c83e211bc30c928712a25708edf1cbeb94cf39d4d17b6594ad5559eef2e0" + +# Support the old aaa_base sysctl whitelisting until the changes in +# SR#1314569 can be merged without breaking other packages in Factory. +# TODO: drop this and keep the previous FileDigestGroup +[[FileDigestGroup]] +package = "aaa_base" +type = "sysctl" +note = "some base hardenings of networking, (sym)link protection etc." +bugs = ["bsc#1174722", "bsc#1219656", "bsc#1226464", "bsc#1228731"] +[[FileDigestGroup.digests]] +path = "/usr/lib/sysctl.d/50-default.conf" +digester = "shell" hash = "83d76eec651d08ddf758989962ad62084885440d83b4ea0355bc838e7cf6eecc" [[FileDigestGroup.digests]] path = "/usr/lib/sysctl.d/50-pid-max.conf" 
@@ -185,3 +206,13 @@ path = "/usr/lib/sysctl.d/90-traefik.conf" digester = "shell" hash = "fa6168516d46bc00f6d0cccc4470fa0e2beea74396490d3466b1640f8e312bd2" + +[[FileDigestGroup]] +package = "health-checker" +note = "helper which checks system health after updates with potential rollback; sets kernel reboot timeout after panic" +bug = "bsc#1252778" +type = "sysctl" +[[FileDigestGroup.digests]] +path = "/usr/lib/sysctl.d/health-checker.conf" +digester = "shell" +hash = "40838811f1f8ec4f4b19ce8f049f63ab616f92a1d0a8190e29d0bbf6fe43e66a" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-2.8.0+git20251027.5075e84c/rpmlint/checks/AtomicUpdateCheck.py new/rpmlint-2.8.0+git20251103.f505f80e/rpmlint/checks/AtomicUpdateCheck.py --- old/rpmlint-2.8.0+git20251027.5075e84c/rpmlint/checks/AtomicUpdateCheck.py 1970-01-01 01:00:00.000000000 +0100 +++ new/rpmlint-2.8.0+git20251103.f505f80e/rpmlint/checks/AtomicUpdateCheck.py 2025-11-03 14:34:02.000000000 +0100 
@@ -0,0 +1,44 @@
+from rpmlint.checks.AbstractCheck import AbstractCheck
+
+
+class AtomicUpdateCheck(AbstractCheck):
+
+ """
+ Requirements for atomic updates:
+ * All files must be stored inside the snapshot, which is in our case /etc and /usr, not /var,
+ /opt, /srv, /usr/local or anything else.
+ * (Re)starting daemons is not possible.
+ * Modifying files outside of /usr and /etc is not possible.
+ * Modifications outside the snapshot have to be done via systemd-tmpfiles and systemd services.
+ This check currently only implements checking for files at illegal paths.
+ """
+
+ def __init__(self, config, output):
+ super().__init__(config, output)
+ self.check_ghosts = self.config.configuration['AtomicCheckGhosts']
+ self.allowed_dirs = self.config.configuration['AtomicAllowedDirs']
+ self.disallowed_subdirs = self.config.configuration['AtomicDisallowedSubdirs']
+
+ def check(self, pkg):
+ if pkg.is_source:
+ return
+
+ # Check for files stored outside the snapshot
+ self._check_paths(pkg, self.check_ghosts)
+
+ def _check_paths(self, pkg, check_ghosts=False):
+ for file in pkg.files.keys():
+ if file in pkg.ghost_files:
+ continue # Ghosts are only handled if explicitly desired
+ if not (self._check_single_path(file)):
+ self.output.add_info('E', pkg, 'dir-or-file-outside-snapshot', file)
+ if check_ghosts:
+ for ghost in pkg.ghost_files:
+ if not (self._check_single_path(ghost)):
+ self.output.add_info('W', pkg, 'ghost-outside-snapshot', ghost)
+
+ def _check_single_path(self, file):
+ return (
+ file.startswith(tuple(self.allowed_dirs)) and
+ not file.startswith(tuple(self.disallowed_subdirs))
+ )
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-2.8.0+git20251027.5075e84c/rpmlint/cli.py new/rpmlint-2.8.0+git20251103.f505f80e/rpmlint/cli.py
--- old/rpmlint-2.8.0+git20251027.5075e84c/rpmlint/cli.py 2025-10-27 16:14:42.000000000 +0100
+++ new/rpmlint-2.8.0+git20251103.f505f80e/rpmlint/cli.py 2025-11-03
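Review bot: `_check_single_path` compares the raw path against prefixes that all end in `/`, so an entry for an excluded directory itself (`/usr/local` or `/boot/efi`, without a trailing slash) matches `/usr/` or `/boot/` but not the disallowed prefix, and is accepted as inside the snapshot. The tests in this commit pass paths such as `/var/lib/pipewire` without a trailing slash, which suggests directory entries reach the check in that form; this should be confirmed against how `pkg.files` is keyed. Matching on a slash-terminated copy, e.g. `path = file if file.endswith('/') else file + '/'` and then `path.startswith(...)` in both tests, would close the gap, at the price of also accepting the bare `/etc` and `/usr` entries. A test case for a package that owns only the `/usr/local` directory would pin the intended result either way.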
14:34:02.000000000 +0100 @@ -75,7 +75,7 @@ parser.add_argument('-V', '--version', action='version', version=__version__, help='show package version and exit') parser.add_argument('-c', '--config', type=_validate_conf_location, help='load up additional configuration data from specified path (file or directory with *.toml files)') parser.add_argument('-e', '--explain', nargs='+', default='', help='provide detailed explanation for one specific message id') - parser.add_argument('-r', '--rpmlintrc', '--file', type=_is_file_path, help='load up specified rpmlintrc file') + parser.add_argument('-r', '--rpmlintrc', '--file', action='append', type=_is_file_path, help='load up specified rpmlintrc file (may be repeated)') parser.add_argument('-v', '--verbose', '--info', action='store_true', help='provide detailed explanations where available') parser.add_argument('-p', '--print-config', action='store_true', help='print the settings that are in effect when using the rpmlint') parser.add_argument('-i', '--installed', nargs='+', default='', help='installed packages to be validated by rpmlint') 
@@ -97,16 +97,7 @@ options = parser.parse_args(args=argv) - # make sure rpmlintrc exists - if options.rpmlintrc: - if not options.rpmlintrc.exists(): - print_warning(f"User specified rpmlintrc '{options.rpmlintrc}' does not exist") - sys.exit(2) - # make it a list - options.rpmlintrc = [options.rpmlintrc] - else: - options.rpmlintrc = [] - # validate all the rpmlfile options to be either file or folder + # validate all the rpmfile options to be either file or folder f_path = set() invalid_path = False for item in options.rpmfile: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-2.8.0+git20251027.5075e84c/rpmlint/configdefaults.toml new/rpmlint-2.8.0+git20251103.f505f80e/rpmlint/configdefaults.toml --- old/rpmlint-2.8.0+git20251027.5075e84c/rpmlint/configdefaults.toml 2025-10-27 16:14:42.000000000 +0100 +++ new/rpmlint-2.8.0+git20251103.f505f80e/rpmlint/configdefaults.toml 2025-11-03 14:34:02.000000000 +0100 @@ -36,6 +36,9 @@ BlockedFilters = [] # Treshold where we should error out, by default single error is enough BadnessThreshold = -1 +# Set to true to issue a warning for ghost entries outside snapshots +# when checking for atomic update compatibility +AtomicCheckGhosts = false # When checking that various files that should be compressed are # indeed compressed, look for this filename extension CompressExtension = "bz2" 
@@ -213,6 +216,26 @@ "/var/run", "/var/tmp", ] + +# Only these directories may be used by packages compatible with +# atomic updates +AtomicAllowedDirs = [ + "/etc/", + "/usr/", + "/bin/", + "/lib/", + "/lib64/", + "/sbin/", + "/boot/", +] + +# List of subdirectories which are disallowed for atomic updates +# despite being within otherwise allowed directories +AtomicDisallowedSubdirs = [ + "/usr/local/", + "/boot/efi/", +] + # Standard OS groups StandardGroups = [ "root", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-2.8.0+git20251027.5075e84c/rpmlint/descriptions/AtomicUpdateCheck.toml new/rpmlint-2.8.0+git20251103.f505f80e/rpmlint/descriptions/AtomicUpdateCheck.toml --- old/rpmlint-2.8.0+git20251027.5075e84c/rpmlint/descriptions/AtomicUpdateCheck.toml 1970-01-01 01:00:00.000000000 +0100 +++ new/rpmlint-2.8.0+git20251103.f505f80e/rpmlint/descriptions/AtomicUpdateCheck.toml 2025-11-03 14:34:02.000000000 +0100 @@ -0,0 +1,9 @@ +dir-or-file-outside-snapshot=""" +The package contains files outside the snapshot, e.g. outside /etc and /usr +or inside /usr/local. +""" +ghost-outside-snapshot=""" +The package contains ghosts outside the snapshot, e.g. outside /etc and /usr +or inside /usr/local. This might become an issue upon removal of this +package, but not during installation. +""" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-2.8.0+git20251027.5075e84c/rpmlint/lint.py new/rpmlint-2.8.0+git20251103.f505f80e/rpmlint/lint.py --- old/rpmlint-2.8.0+git20251027.5075e84c/rpmlint/lint.py 2025-10-27 16:14:42.000000000 +0100 +++ new/rpmlint-2.8.0+git20251103.f505f80e/rpmlint/lint.py 2025-11-03 14:34:02.000000000 +0100 
@@ -200,6 +200,7 @@ Load rpmlintrc from argument or load up from folder """ if not self.options['rpmlintrc']: + self.options['rpmlintrc'] = [] # Skip auto-loading when running under PYTEST if not os.environ.get('PYTEST_XDIST_TESTRUNUID'): # first load SUSE-specific locations @@ -214,11 +215,13 @@ pkg = pkg.parent self.options['rpmlintrc'] += self._find_rpmlintrc_files(pkg) - if len(self.options['rpmlintrc']) > 1: - # multiple rpmlintrcs are highly undesirable - print_warning('There are multiple items to be loaded: {}.'.format(' '.join(map(str, self.options['rpmlintrc'])))) - for rcfile in self.options['rpmlintrc']: - self.config.load_rpmlintrc(rcfile) + if len(self.options['rpmlintrc']) > 1: + # multiple rpmlintrcs are highly undesirable + print_warning('There are multiple items to be loaded: {}.'.format(' '.join(map(str, self.options['rpmlintrc'])))) + + if self.options['rpmlintrc']: + for rcfile in self.options['rpmlintrc']: + self.config.load_rpmlintrc(rcfile) def _print_header(self): """ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-2.8.0+git20251027.5075e84c/test/test_atomic_update.py new/rpmlint-2.8.0+git20251103.f505f80e/test/test_atomic_update.py --- old/rpmlint-2.8.0+git20251027.5075e84c/test/test_atomic_update.py 1970-01-01 01:00:00.000000000 +0100 +++ new/rpmlint-2.8.0+git20251103.f505f80e/test/test_atomic_update.py 2025-11-03 14:34:02.000000000 +0100 
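Review bot: The `There are multiple items to be loaded` warning, whose comment calls multiple rpmlintrcs highly undesirable, now appears to run for files passed on the command line as well. This is judged from the re-added lines sitting outside the `if not self.options['rpmlintrc']:` branch; indentation is not preserved on this page. The same commit makes `--rpmlintrc` repeatable, so a user who deliberately passes two files is warned for using the documented feature; either keep the warning to the auto-discovered case or reword the comment and message. The new `if self.options['rpmlintrc']:` guard around the loop is also redundant, because the branch above has already replaced a missing value with `[]`, so `for rcfile in self.options['rpmlintrc']:` alone is enough. The function body starts and ends outside the hunk.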
@@ -0,0 +1,67 @@ +import pytest +import rpm +from rpmlint.checks.AtomicUpdateCheck import AtomicUpdateCheck +from rpmlint.filter import Filter + +from Testing import CONFIG, get_tested_mock_package + + [email protected](scope='function', autouse=True) +def atomiccheck(): + CONFIG.info = True + CONFIG.configuration['AtomicCheckGhosts'] = True + output = Filter(CONFIG) + test = AtomicUpdateCheck(CONFIG, output) + yield output, test + + [email protected] +def output(atomiccheck): + output, _test = atomiccheck + yield output + + [email protected] +def test(atomiccheck): + _output, test = atomiccheck + yield test + + [email protected]('package', [ + get_tested_mock_package(files=('/var/lib/pipewire',)), + get_tested_mock_package(files=('/opt/bin/test',)), + get_tested_mock_package(files=('/usr/local/bin/test',)), + get_tested_mock_package(files=('/boot/efi/test',)), +]) +def test_not_atomic(package, output, test): + test.check(package) + out = output.print_results(output.results) + assert 'E: dir-or-file-outside-snapshot' in out + + [email protected]('package', [ + get_tested_mock_package(files=('/etc/custom.config',)), + get_tested_mock_package(files=('/usr/lib64/libc.so',)), + get_tested_mock_package(files=('/usr/etc/nfs.conf',)), + get_tested_mock_package(files=('/bin/test',)), + get_tested_mock_package(files=('/sbin/test',)), + get_tested_mock_package(files=('/lib/libc.so',)), + get_tested_mock_package(files=('/lib64/libc.so',)), + get_tested_mock_package(files=('/boot/grub2/grub.cfg',)), +]) +def test_atomic(package, output, test): + test.check(package) + out = output.print_results(output.results) + assert 'E: dir-or-file-outside-snapshot' not in out + assert 'W: ghost-outside-snapshot' not in out + + [email protected]('package', [ + get_tested_mock_package(files={ + '/var/lib/pipewire/ghost_file': {'metadata': {'flags': rpm.RPMFILE_GHOST}}, + }), +]) +def test_not_atomic_ghost(package, output, test): + test.check(package) + out = 
output.print_results(output.results) + assert 'W: ghost-outside-snapshot' in out
