Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package post-build-checks for openSUSE:Factory checked in at 2022-03-25 21:54:24 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/post-build-checks (Old) and /work/SRC/openSUSE:Factory/.post-build-checks.new.1900 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "post-build-checks" Fri Mar 25 21:54:24 2022 rev:105 rq:963962 version:84.87+git20220322.48f07a0 Changes: -------- --- /work/SRC/openSUSE:Factory/post-build-checks/post-build-checks.changes 2022-01-31 22:56:43.109825345 +0100 +++ /work/SRC/openSUSE:Factory/.post-build-checks.new.1900/post-build-checks.changes 2022-03-25 21:54:27.402265830 +0100 @@ -1,0 +2,16 @@ +Tue Mar 22 13:52:13 UTC 2022 - dmuel...@suse.com + +- Update to version 84.87+git20220322.48f07a0: + * Remove errneous whitespaces + * fix comparison name + +------------------------------------------------------------------- +Mon Mar 21 17:40:44 UTC 2022 - lnus...@suse.de + +- Update to version 84.87+git20220321.9651edb: + * Restore secure permissions in build environment (bsc#1159963) + * Handle default being easy + * Various speedups around invoking rpm +- change service file from disabled to manual + +------------------------------------------------------------------- Old: ---- post-build-checks-84.87+git20220128.77a97b9.tar.xz New: ---- post-build-checks-84.87+git20220322.48f07a0.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ post-build-checks.spec ++++++ --- /var/tmp/diff_new_pack.8neR9T/_old 2022-03-25 21:54:28.026266424 +0100 +++ /var/tmp/diff_new_pack.8neR9T/_new 2022-03-25 21:54:28.034266431 +0100 @@ -16,13 +16,13 @@ # -%define version_unconverted 84.87+git20220128.77a97b9 +%define version_unconverted 84.87+git20220322.48f07a0 Name: post-build-checks Summary: post checks for build after rpms have been created License: GPL-2.0-or-later Group: Development/Tools/Building -Version: 84.87+git20220128.77a97b9 +Version: 84.87+git20220322.48f07a0 Release: 0 PreReq: aaa_base PreReq: permissions ++++++ _service ++++++ --- /var/tmp/diff_new_pack.8neR9T/_old 2022-03-25 21:54:28.070266466 +0100 +++ /var/tmp/diff_new_pack.8neR9T/_new 2022-03-25 21:54:28.074266469 +0100 
@@ -1,17 +1,17 @@ <services> - <service name="tar_scm" mode="disabled"> + <service name="tar_scm" mode="manual"> <param name="version">84.87</param> <param name="versionformat">84.87+git%cd.%h</param> - <param name="url">git://github.com/openSUSE/post-build-checks.git</param> + <param name="url">https://github.com/openSUSE/post-build-checks.git</param> <param name="scm">git</param> <param name="exclude">.git</param> <param name="exclude">.gitreview</param> <param name="changesgenerate">enable</param> </service> - <service name="recompress" mode="disabled"> + <service name="recompress" mode="manual"> <param name="compression">xz</param> <param name="file">*.tar</param> </service> - <service name="set_version" mode="disabled"/> + <service name="set_version" mode="manual"/> </services> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.8neR9T/_old 2022-03-25 21:54:28.110266504 +0100 +++ /var/tmp/diff_new_pack.8neR9T/_new 2022-03-25 21:54:28.110266504 +0100 
@@ -2,6 +2,8 @@ <service name="tar_scm"> <param name="url">git://github.com/openSUSE/post-build-checks.git</param> <param name="changesrevision">9a72096c56008474c812a087e25d6e84eb357297</param></service> -</servicedata> +<service name="tar_scm"> + <param name="url">https://github.com/openSUSE/post-build-checks.git</param> + <param name="changesrevision">2d5b3de469b3bfe8b3aab101b9aff839258743f0</param></service></servicedata> (No newline at EOF) ++++++ post-build-checks-84.87+git20220128.77a97b9.tar.xz -> post-build-checks-84.87+git20220322.48f07a0.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/post-build-checks-84.87+git20220128.77a97b9/checks/50-check-installtest new/post-build-checks-84.87+git20220322.48f07a0/checks/50-check-installtest --- old/post-build-checks-84.87+git20220128.77a97b9/checks/50-check-installtest 2022-01-28 16:00:03.000000000 +0100 +++ new/post-build-checks-84.87+git20220322.48f07a0/checks/50-check-installtest 2022-03-22 14:52:28.000000000 +0100 
@@ -11,22 +11,24 @@ SCRIPT_ARG=-e +RPM="chroot $BUILD_ROOT rpm --nodigest --nosignature" + # rpm needs /proc mounted - the build script handles that. just verify it did test -d $BUILD_ROOT/proc/sys || { echo "proc is not mounted"; exit 1; } export YAST_IS_RUNNING="instsys" -for i in `find $BUILD_ROOT$TOPDIR/RPMS -name "*.rpm" | sort` ; do - test -f $i || continue - pre_p=`chroot $BUILD_ROOT rpm -qp --qf '%{PREINPROG}' ${i#$BUILD_ROOT}` - post_p=`chroot $BUILD_ROOT rpm -qp --qf '%{POSTINPROG}' ${i#$BUILD_ROOT}` - preun_p=`chroot $BUILD_ROOT rpm -qp --qf '%{PREUNPROG}' ${i#$BUILD_ROOT}` - postun_p=`chroot $BUILD_ROOT rpm -qp --qf '%{POSTUNPROG}' ${i#$BUILD_ROOT}` - pre=`chroot $BUILD_ROOT rpm -qp --qf '%{PREIN}' ${i#$BUILD_ROOT}` - post=`chroot $BUILD_ROOT rpm -qp --qf '%{POSTIN}' ${i#$BUILD_ROOT}` - preun=`chroot $BUILD_ROOT rpm -qp --qf '%{PREUN}' ${i#$BUILD_ROOT}` - postun=`chroot $BUILD_ROOT rpm -qp --qf '%{POSTUN}' ${i#$BUILD_ROOT}` +for i in $(find $BUILD_ROOT$TOPDIR/RPMS -type f -name "*.rpm" | sort) ; do + pre_p=$($RPM -qp --qf '%{PREINPROG}' ${i#$BUILD_ROOT}) + post_p=$($RPM -qp --qf '%{POSTINPROG}' ${i#$BUILD_ROOT}) + preun_p=$($RPM -qp --qf '%{PREUNPROG}' ${i#$BUILD_ROOT}) + postun_p=$($RPM -qp --qf '%{POSTUNPROG}' ${i#$BUILD_ROOT}) + pre=$($RPM -qp --qf '%{PREIN}' ${i#$BUILD_ROOT}) + post=$($RPM -qp --qf '%{POSTIN}' ${i#$BUILD_ROOT}) + preun=$($RPM -qp --qf '%{PREUN}' ${i#$BUILD_ROOT}) + postun=$($RPM -qp --qf '%{POSTUN}' ${i#$BUILD_ROOT}) test "$pre" = "(none)" -a "$post" = "(none)" -a "$preun" = "(none)" -a "$postun" = "(none)" && continue - chroot $BUILD_ROOT rpm -Vp ${i#$BUILD_ROOT} > $BUILD_ROOT/.build_patchrpmcheck1 + + $RPM -Vp --nodeps ${i#$BUILD_ROOT} > $BUILD_ROOT/.build_patchrpmcheck1 if test "$pre" != "(none)" -a "$pre_p" != "<lua>" ; then echo "$pre" > $BUILD_ROOT/.build_patchrpmcheck_scr chroot $BUILD_ROOT sh $SCRIPT_ARG /.build_patchrpmcheck_scr 2 || { 
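Review bot: The added `RPM="chroot $BUILD_ROOT rpm --nodigest --nosignature"` line turns off digest and signature checking for every package query in this check, and nothing in the file says why that is acceptable. The changelog entry "Various speedups around invoking rpm" suggests a performance choice for packages that were just built in this root; a comment such as `# packages come straight from this build root: skip digest/signature checks for speed only` would keep the flags from being copied to places where packages come from elsewhere. That assumption matters here because the scriptlet text read through `$RPM` is then written to `.build_patchrpmcheck_scr` and run with `chroot $BUILD_ROOT sh`. The command is kept in a plain string and expanded unquoted, so a `BUILD_ROOT` containing whitespace would split it; a small wrapper function would avoid that. The loop body continues past the end of the hunk.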
@@ -59,11 +61,11 @@ exit 1 } fi - chroot $BUILD_ROOT rpm -Vp ${i#$BUILD_ROOT} > $BUILD_ROOT/.build_patchrpmcheck2 + $RPM -Vp --nodeps ${i#$BUILD_ROOT} > $BUILD_ROOT/.build_patchrpmcheck2 if ! cmp -s $BUILD_ROOT/.build_patchrpmcheck1 $BUILD_ROOT/.build_patchrpmcheck2; then echo "pre/postinstall/uninstall script of ${i##*/} modifies filelist!" echo "filelist diff:" - diff -u $BUILD_ROOT/.build_patchrpmcheck1 $BUILD_ROOT/.build_patchrpmcheck2 | grep -v '^ ' + diff -u0 $BUILD_ROOT/.build_patchrpmcheck1 $BUILD_ROOT/.build_patchrpmcheck2 touch $BUILD_ROOT/not-ready exit 1 fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/post-build-checks-84.87+git20220128.77a97b9/checks/50-check-invalid-requires new/post-build-checks-84.87+git20220322.48f07a0/checks/50-check-invalid-requires --- old/post-build-checks-84.87+git20220128.77a97b9/checks/50-check-invalid-requires 2022-01-28 16:00:03.000000000 +0100 +++ new/post-build-checks-84.87+git20220322.48f07a0/checks/50-check-invalid-requires 2022-03-22 14:52:28.000000000 +0100 @@ -1,10 +1,12 @@ #!/bin/bash # search for invalid requires. # -export UNVALID_FILE_FOUND=false +export INVALID_FILE_FOUND=false TOPDIR=/usr/src/packages test -d $BUILD_ROOT/.build.packages && TOPDIR=/.build.packages +RPM="chroot $BUILD_ROOT rpm --nodigest --nosignature" + FORBIDDEN_REQ=`find $BUILD_ROOT$TOPDIR/RPMS -name "*.rpm" | \ xargs --no-run-if-empty rpm -qp --requires| \ egrep "/usr/local/|/usr/share/bin"` 
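Review bot: In checks/50-check-invalid-requires, `RPM` is defined but the `FORBIDDEN_REQ` pipeline directly below it still feeds the package list to a bare `rpm -qp --requires`, which is the host's rpm outside the chroot and without the new flags. The same holds for the `N=` assignment in the next hunk of this file, which still calls `rpm -qp --qf "%{NAME}" $pack`, although the `REQUIRENAME` query beside it was converted. If the split is unintentional, the `N=` line could read `N=$($RPM -qp --qf "%{NAME}" ${pack##$BUILD_ROOT})`, and the `FORBIDDEN_REQ` pipeline would need the `$BUILD_ROOT` prefix stripped from each path before it can use `$RPM`. If the host rpm is wanted there, a one-line comment saying so would make that clear.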
@@ -15,21 +17,20 @@ ;; *) echo \""$LINE"\" is not allowed as Requires. - UNVALID_FILE_FOUND=true + INVALID_FILE_FOUND=true ;; esac done -RPMLIST=`find $BUILD_ROOT$TOPDIR/RPMS -name "*.rpm"` -for pack in $RPMLIST ; do +for pack in $(find $BUILD_ROOT$TOPDIR/RPMS -type f -name "*.rpm") ; do case $pack in *-debuginfo-*|*-debugsource-*) N=`rpm -qp --qf "%{NAME}" $pack` echo "dependency check for "`basename $pack`":" - for i in `chroot $BUILD_ROOT rpm -qp --qf "[%{REQUIRENAME}\n]" ${pack##$BUILD_ROOT}` ; do + for i in $($RPM -qp --qf "[%{REQUIRENAME}\n]" ${pack##$BUILD_ROOT}) ; do case $i in rpmlib*|*-debuginfo|*-debugsource) ;; - *) chroot $BUILD_ROOT rpm -q --whatprovides $i || UNVALID_FILE_FOUND=true + *) chroot $BUILD_ROOT rpm -q --whatprovides $i || INVALID_FILE_FOUND=true ;; esac done @@ -37,6 +38,6 @@ *) ;; esac done -test $UNVALID_FILE_FOUND = true && exit 1 +test $INVALID_FILE_FOUND = true && exit 1 exit 0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/post-build-checks-84.87+git20220128.77a97b9/checks/50-check-permissions new/post-build-checks-84.87+git20220322.48f07a0/checks/50-check-permissions --- old/post-build-checks-84.87+git20220128.77a97b9/checks/50-check-permissions 2022-01-28 16:00:03.000000000 +0100 +++ new/post-build-checks-84.87+git20220322.48f07a0/checks/50-check-permissions 2022-03-22 14:52:28.000000000 +0100 
@@ -3,37 +3,54 @@ echo "... testing for modified permissions" TOPDIR=/usr/src/packages test -d $BUILD_ROOT/.build.packages && TOPDIR=/.build.packages +test -f $BUILD_ROOT/etc/sysconfig/security || exit 0 -SCRIPT_ARG=-e HAD_ERRORS=0 -for i in `find $BUILD_ROOT$TOPDIR/RPMS -name "*.rpm" | sort` ; do - test -f $i || continue - NAME=`rpm -qp --qf "%{NAME}" $i` - test -f $BUILD_ROOT/etc/sysconfig/security || continue - chroot $BUILD_ROOT rpm -Vp ${i#$BUILD_ROOT} > $BUILD_ROOT/.build_patchrpmcheck1 - sed -e "s@^PERMISSION_SECURITY\(.*\)secure@PERMISSION_SECURITY\1easy@" \ - $BUILD_ROOT/etc/sysconfig/security > $BUILD_ROOT/etc/sysconfig/security.tmp - mv $BUILD_ROOT/etc/sysconfig/security $BUILD_ROOT/etc/sysconfig/security.bak - mv $BUILD_ROOT/etc/sysconfig/security.tmp $BUILD_ROOT/etc/sysconfig/security - chroot $BUILD_ROOT /usr/bin/chkstat --system >/dev/null 2>&1 - chroot $BUILD_ROOT rpm -Vp ${i#$BUILD_ROOT} > $BUILD_ROOT/.build_patchrpmcheck2 +grep -q "secure local" $BUILD_ROOT/etc/sysconfig/security || { + echo "ERROR: expected permission level to be set to secure ?!" 
+ HAD_ERRORS=1 +} + +RPM="chroot $BUILD_ROOT rpm --nodigest --nosignature -Vp --nofiledigest --nodeps" + +for i in $(find $BUILD_ROOT$TOPDIR/RPMS -type f -name "*.rpm" | sort) ; do + case "$pkg" in + *-debuginfo-*|*-debugsource-*) continue ;; + esac + $RPM ${i#$BUILD_ROOT} > $BUILD_ROOT/.build_rpmVp_orig + sed -i.bak -e "s@^PERMISSION_SECURITY\(.*\)@PERMISSION_SECURITY = \"easy local\"@" \ + $BUILD_ROOT/etc/sysconfig/security + chroot $BUILD_ROOT /usr/bin/chkstat --set --system >/dev/null 2>&1 + $RPM ${i#$BUILD_ROOT} > $BUILD_ROOT/.build_rpmVp_easy + sed -i -e "s@^PERMISSION_SECURITY\(.*\)@PERMISSION_SECURITY = \"paranoid local\"@" \ + $BUILD_ROOT/etc/sysconfig/security + chroot $BUILD_ROOT /usr/bin/chkstat --set --system >/dev/null 2>&1 + $RPM ${i#$BUILD_ROOT} > $BUILD_ROOT/.build_rpmVp_paranoid mv $BUILD_ROOT/etc/sysconfig/security.bak $BUILD_ROOT/etc/sysconfig/security - chroot $BUILD_ROOT /usr/bin/chkstat --system >/dev/null 2>&1 - - if ! cmp -s $BUILD_ROOT/.build_patchrpmcheck1 $BUILD_ROOT/.build_patchrpmcheck2; then + chroot $BUILD_ROOT /usr/bin/chkstat --set --system >/dev/null 2>&1 + if ! cmp -s $BUILD_ROOT/.build_rpmVp_orig $BUILD_ROOT/.build_rpmVp_easy; then + echo "--------------------------------------------------------------------" + echo "ERROR: chkstat --level secure modified package $(rpm --nodigest --nosignature -qp --qf '%{NAME}' \"$i\")" + echo "Please add '%verify(not mode,...) for those to avoid listings in rpm -V." + echo "diff for both runs of rpm -V:" + diff -u0 "$BUILD_ROOT/.build_rpmVp_orig" "$BUILD_ROOT/.build_rpmVp_easy" echo "--------------------------------------------------------------------" - echo "package: $NAME" - echo "/usr/bin/chkstat modified files that are not properly handled!" - echo "this will break rpm -V, ask ro for details." + HAD_ERRORS=1 + fi + if ! 
cmp -s $BUILD_ROOT/.build_rpmVp_orig $BUILD_ROOT/.build_rpmVp_paranoid; then + echo "--------------------------------------------------------------------" + echo "ERROR: chkstat --level paranoid modified package $(rpm --nodigest --nosignature -qp --qf '%{NAME}' \"$i\")" + echo "Please add '%verify(not mode,...) for those to avoid listings in rpm -V." echo "diff for both runs of rpm -V:" - diff -u $BUILD_ROOT/.build_patchrpmcheck1 $BUILD_ROOT/.build_patchrpmcheck2 | tail -n+4 | grep -v '^ ' + diff -u0 "$BUILD_ROOT/.build_rpmVp_orig" "$BUILD_ROOT/.build_rpmVp_paranoid" echo "--------------------------------------------------------------------" HAD_ERRORS=1 fi - rm -f $BUILD_ROOT/.build_patchrpmcheck1 $BUILD_ROOT/.build_patchrpmcheck2 done +rm -f $BUILD_ROOT/.build_rpmVp_{orig,secure,paranoid} + if test "$HAD_ERRORS" = 1 ; then touch $BUILD_ROOT/not-ready exit 1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/post-build-checks-84.87+git20220128.77a97b9/finalize-system/03-set-permissions-secure new/post-build-checks-84.87+git20220322.48f07a0/finalize-system/03-set-permissions-secure --- old/post-build-checks-84.87+git20220128.77a97b9/finalize-system/03-set-permissions-secure 1970-01-01 01:00:00.000000000 +0100 +++ new/post-build-checks-84.87+git20220322.48f07a0/finalize-system/03-set-permissions-secure 2022-03-22 14:52:28.000000000 +0100 @@ -0,0 +1,6 @@ +#!/bin/sh + +test "$BUILD_USER" = "root" && exit 0 || true + +sed -i -e "s@^PERMISSION_SECURITY\(.*\)@PERMISSION_SECURITY=\"secure local\"@" \ + /etc/sysconfig/security
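Review bot: The debuginfo/debugsource filter at the top of the loop in checks/50-check-permissions tests `$pkg`, but the loop variable is `i` and no assignment to `pkg` is visible in this hunk, so the `case` would never match and those packages still go through all three `rpm -V` runs. Two further slips in the same hunk: both `ERROR:` lines pass `\"$i\"` inside `$(...)`, which hands rpm a file name wrapped in literal quote characters, and the final `rm -f` names `_secure`, a file that is never written, while `.build_rpmVp_easy` is left behind. The first message also says `--level secure` although it reports the comparison against the `easy` run, which looks like a mislabel. Because the loop rewrites `/etc/sysconfig/security` in the build root and only puts it back with the `mv` at the end of each iteration, a `trap` that restores `security.bak` and re-runs `chkstat --set --system` would keep an aborted run from leaving the root at `easy` or `paranoid`. The script's first two lines are outside the hunk, so the shell in use is not visible.

```shell
for i in $(find $BUILD_ROOT$TOPDIR/RPMS -type f -name "*.rpm" | sort) ; do
	case "$i" in
	# … unchanged: debuginfo/debugsource pattern, esac, the three rpm -V runs and the restore …
		echo "ERROR: chkstat --level secure modified package $(rpm --nodigest --nosignature -qp --qf '%{NAME}' "$i")"
	# … unchanged: %verify hint, diff output and HAD_ERRORS=1 for the easy run …
		echo "ERROR: chkstat --level paranoid modified package $(rpm --nodigest --nosignature -qp --qf '%{NAME}' "$i")"
# … unchanged: rest of the loop …
rm -f $BUILD_ROOT/.build_rpmVp_{orig,easy,paranoid}
```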
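Review bot: finalize-system/03-set-permissions-secure returns early for `BUILD_USER=root` and otherwise edits `/etc/sysconfig/security` without checking that the file exists, while checks/50-check-permissions in this same commit now sets `HAD_ERRORS=1` whenever that file lacks `secure local`. Unless something outside this diff sets the level for root builds, those builds would trip the new check, so the exemption deserves a comment above the `test` line, for example `# root builds: PERMISSION_SECURITY is left as shipped (TODO: state why)`. A guard such as `test -f /etc/sysconfig/security || exit 0`, mirroring the one the check script uses, would keep `sed` from failing in roots that have no permissions config. The `&& exit 0 || true` form works because `exit` never returns, but a plain `if` would read more clearly.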