Thursday, September 19, 2019

rpminspect-0.6 released with new inspections and bug fixes

There are three new inspections implemented in rpminspect-0.6:
  • The upstream inspection compares SRPMs between before and after builds to determine if the Source archives changed, were removed, or new ones added.  Anything listed as a Source file in the spec file is examined and not just tarballs.  Source file changes when the package Epoch and Version do not change are considered suspect and need review.
  • The shellsyntax inspection looks at shell scripts in source and binary packages and runs them through the syntax validator for the indicated shell (the -n option on the shell command).  The shells that rpminspect cares about are in the shells list in the rpminspect.conf file.  This inspection reports scripts that fail the syntax validator or scripts that were good but are now bad.  If you had a bad one and it's now good, you are notified only.
  • The ownership inspection enforces some file owner and group policies across builds.  The rpminspect.conf settings of bin_owner, bin_group, forbidden_owners, and forbidden_groups are all used by this inspection.  A typical use of this inspection is to ensure executables are correctly owned and that nothing is owned by mockbuild.
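As an added illustration (not rpminspect's own code), here is a small Python sketch of what the shellsyntax inspection does: take the shell from the script's shebang line, only act on shells in a configured list, run the script through "shell -n", and compare the before and after verdicts. The shells list, the write_script helper and the RESULT_OK/SKIP names are assumptions; the RESULT_BAD and RESULT_INFO outcomes follow the post.

```python
import os
import shutil
import subprocess
import tempfile

# Constructed stand-in for the "shells" list in rpminspect.conf.
SHELLS = ["sh", "bash", "ksh", "zsh", "csh", "tcsh"]

def script_shell(path):
    """Return the shell named on the shebang line, or None if it is not one we care about."""
    with open(path, "rb") as f:
        first = f.readline()
    if not first.startswith(b"#!"):
        return None
    argv = first[2:].decode("utf-8", "replace").split()
    if not argv:
        return None
    interp = os.path.basename(argv[0])
    if interp == "env" and len(argv) > 1:   # "#!/usr/bin/env bash" names the shell second
        interp = os.path.basename(argv[1])
    return interp if interp in SHELLS else None

def syntax_ok(path):
    """Run '<shell> -n script'; True/False for shell scripts, None for anything else."""
    shell = script_shell(path)
    if shell is None or shutil.which(shell) is None:
        return None
    return subprocess.run([shell, "-n", path], capture_output=True).returncode == 0

def compare_scripts(before, after):
    """Verdict for one script: BAD if the after build fails -n, INFO if a bad script was repaired."""
    b = syntax_ok(before) if before else None
    a = syntax_ok(after)
    if a is None:
        return "SKIP"            # not a shell script we validate (assumed name)
    if a is False:
        return "RESULT_BAD"      # fails the validator now (covers good -> bad too)
    if b is False:
        return "RESULT_INFO"     # was bad, now good: notify only
    return "RESULT_OK"           # assumed name for an unchanged good script

def write_script(text):
    """Helper for trying this out: write constructed script text to a temp file, return its path."""
    f = tempfile.NamedTemporaryFile("w", suffix=".sh", delete=False)
    f.write(text)
    f.close()
    return f.name
```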
This release also includes a lot of bug fixes.  I really appreciate all of the feedback users have been providing.  It is really helping round out the different inspections and ensure it works across all types of builds.

For details on what is new in rpminspect-0.6, see the release page.

There is also a new release of rpminspect-data-fedora which includes changes necessary for the new inspections.  See its release page for more information.

Both packages are available in my Copr repo.  I am doing Fedora builds now, which includes Fedora 31.  If you want another release of Fedora to have builds, let me know.

Sunday, September 8, 2019

github notifications

I have noticed that a number of projects I have on github have stopped notifying me.  I have not yet found a pattern or missed setting, but it is possible I am looking in the wrong place.  I do get notifications for some projects, just not all.  And this goes across projects that are under my personal account as well as projects that I am a member of but exist elsewhere.

Has anyone seen this with github?  Any tips on receiving consistent notifications?  I am wanting to receive notifications of Issues (both new issues and comments posted), Pull Requests, commits, tags, and releases.

Friday, September 6, 2019

rpminspect-0.5 released, two new inspections and some bug fixes

[I would have posted this roughly 18 hours ago when I made the release, but the fire alarm went off in the office and, well, that sort of had this wait until today.]

rpminspect-0.5 is now available.  The releases are noted on the github project page.  I uploaded the tarball there.  I have done builds in Fedora rawhide and the f31 branch.  For other releases, you will need to use the Copr repos.

Bug fixes and general improvements:
  • Support running rpminspect on local RPM packages (#23). You may now specify a local RPM or SRPM as the input for rpminspect. If you specify a before and after file, rpminspect will assume they are peers and will perform applicable inspections.
  • Adjust the 'text' output mode by adding some extra blank lines for readability.
  • For the 'changedfiles' inspection, get the list of possible C and C++ header file endings from the header_file_extensions setting in rpminspect.conf.
  • Add dnf instructions to the README file to help get the development packages installed on Fedora or RHEL.
  • Prevent a crash in get_product_release() when the build specification lacks enough information to infer a product release (e.g., a Koji build ID).
  • Start an integration test suite in the tests/ subdirectory.
  • Adopt a Code of Conduct for the project, see CODE_OF_CONDUCT.md.
  • Move the data/setuid subdirectory to data/stat-whitelist. The files will be installed to /usr/share/rpminspect and the stat-whitelist subdirectory provides information on file modes, owners, and groups for known setuid/setgid files.
  • Process a [vendor-data] section in the configuration file which contains paths to locations provided by the rpminspect data package.
  • Fix configuration file detection in rpminspect.
New inspections:
  • removedfiles

    Only runs when you are comparing a before and after build.  The general inspection is to report when files were removed from a package.  That is, it was present in the before build, but gone in the after build.  There are some additional checks and reporting:

    • If the removed file was an ELF shared object, rpminspect reports it as a RESULT_BAD noting it may be a potential ABI break.
    • Files removed from a security path prefix are also marked as RESULT_BAD and as WAIVABLE_BY_SECURITY. All other removals are reported as RESULT_VERIFY.

    The security path prefixes are set in the rpminspect.conf file in the security_path_prefix setting.  This is the sort of thing that changes over time as well as varying across similar products.
  • addedfiles

    Kind of like the opposite of removedfiles, but does a little more. The main thing is to catch any accidental additions to packages as well as additions to security path prefixes:

    • Ignore the debuginfo and debugsource paths.
    • Ignore anything with .build-id/ in the path.
    • Ignore Python .egg-info files since these come and go and sort of always change.
    • Report files added to /tmp or /var/tmp path prefixes as RESULT_BAD.  The forbidden_path_prefixes list can be set in the rpminspect.conf file.
    • Report files added that end with ~ or .orig as RESULT_BAD.  The forbidden_path_suffixes list can be set in the rpminspect.conf file.
    • Report any __MACOSX, CVS, .svn, .hg, or .git directory added as RESULT_BAD.  The forbidden_directories list can be set in the rpminspect.conf file.
    • Any files added to a security path prefix are reported as RESULT_VERIFY and WAIVABLE_BY_SECURITY.
    • Any setuid and/or setgid file added is reported as RESULT_INFO if the file is on the stat-whitelist and the expected permission mode matches.  If they do not match or the file is not on the stat-whitelist, it is reported as RESULT_VERIFY and WAIVABLE_BY_SECURITY.

    Most of the settings for this inspection are in rpminspect.conf, with the exception of the stat-whitelist which is per product release and comes from the data package.
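The removedfiles and addedfiles rules above, as one added Python example (not rpminspect's own code). The configuration values, the single stat-whitelist entry, the debuginfo/debugsource locations under /usr/lib/debug and /usr/src/debug, and the RESULT_INFO verdict for an ordinary addition are assumptions; the other verdicts follow the two lists in the post.

```python
import stat

# Constructed stand-ins for the rpminspect.conf settings named in the post.
CONF = {
    "security_path_prefix": ["/etc/pam.d/", "/etc/sudoers.d/", "/etc/selinux/"],
    "forbidden_path_prefixes": ["/tmp/", "/var/tmp/"],
    "forbidden_path_suffixes": ["~", ".orig"],
    "forbidden_directories": ["__MACOSX", "CVS", ".svn", ".hg", ".git"],
}
# Constructed stat-whitelist entry: installed path -> expected mode of a known setuid file.
STAT_WHITELIST = {"/usr/bin/passwd": 0o4755}

def in_security_path(path):
    return any(path.startswith(p) for p in CONF["security_path_prefix"])

def removed_file(path, is_elf_shared_object):
    """removedfiles verdict as (result, note, waiver) for a file gone in the after build."""
    if is_elf_shared_object:
        return ("RESULT_BAD", "possible ABI break", None)
    if in_security_path(path):
        return ("RESULT_BAD", "removed from security path", "WAIVABLE_BY_SECURITY")
    return ("RESULT_VERIFY", "file removed", None)

def added_file(path, mode=0o644):
    """addedfiles verdict for a file new in the after build; None means the file is ignored."""
    if path.startswith(("/usr/lib/debug/", "/usr/src/debug/")) or ".build-id/" in path:
        return None   # debuginfo/debugsource payload and build-id links (assumed locations)
    if path.endswith(".egg-info") or ".egg-info/" in path:
        return None   # Python egg metadata comes and goes
    if any(path.startswith(p) for p in CONF["forbidden_path_prefixes"]):
        return ("RESULT_BAD", "forbidden path prefix", None)
    if any(path.endswith(s) for s in CONF["forbidden_path_suffixes"]):
        return ("RESULT_BAD", "forbidden path suffix", None)
    if any(d in path.split("/") for d in CONF["forbidden_directories"]):
        return ("RESULT_BAD", "forbidden directory", None)
    if in_security_path(path):
        return ("RESULT_VERIFY", "added to security path", "WAIVABLE_BY_SECURITY")
    if mode & (stat.S_ISUID | stat.S_ISGID):
        if STAT_WHITELIST.get(path) == mode:
            return ("RESULT_INFO", "setuid/setgid file matches stat-whitelist", None)
        return ("RESULT_VERIFY", "setuid/setgid file not whitelisted or mode mismatch",
                "WAIVABLE_BY_SECURITY")
    return ("RESULT_INFO", "file added", None)   # plain addition (assumed level)
```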
There is also a new rpminspect-data-fedora release which contains an updated rpminspect.conf file with the new sections and settings.  It also contains the stat-whitelist subdirectory with files for recent Fedora releases.

In the addedfiles inspection, the check for __MACOSX subdirectories is deliberate and comes from the ancestor of rpminspect.  In theory, you could build noarch RPMs on MacOS X and then install those on Fedora.  In those cases, we want to make sure you do not accidentally package up a __MACOSX subdirectory.

Builds are available in Copr as well as the f31 and rawhide branches.

Monday, August 26, 2019

rpminspect-0.4 released, now with changed file reporting

rpminspect-0.4 is now out.  I have built it on rawhide and for F-31.  My Copr repo has builds for previous releases.  There are a number of fixes and improvements in this release.

Issues fixed:
  • Support multiple buildhost subdomains in rpminspect.conf (#25).
In Fedora, the s390x packages are built on hosts provided by Red Hat's internal mainframe. These have a buildhost subdomain of .bos.redhat.com while the other architectures carry .fedoraproject.org. The buildhost_subdomain parameter in rpminspect.conf now supports multiple subdomains separated by spaces.
  • Add more usage information to the README (#24)
Give more examples on how to use rpminspect at the command line.
  • Add support for specifying a list of architectures on the command line (#27)
This is similar to the koji command line option to restrict builds to a subset of architectures. List architectures as a string separated by commas. "noarch" is valid since RPM recognizes that. To note the SRPM, use "src" as the architecture. An example: -a x86_64,ppc64le,src
  • Split the -T option out into -T and -E options (#28)
The biggest issue here was my use of '!' to specify excluded tests. I have now split the option out into -T to specify tests to run -or- the -E option to specify tests to not run. The options are mutually exclusive and the default mode for rpminspect is to run all applicable tests. If you specify -T, rpminspect disables all tests except the ones you specify with this option. You can use 'ALL' with the -T option if you want to, but that is the default behavior. If you specify -E, rpminspect enables all tests except the ones you specify with this option. If you use 'ALL' with the -E option, all tests are disabled and rpminspect becomes a no-op.
New functionality:
  • The 'changedfiles' inspection is new and does quite a bit. More on that below.
  • The rpminspect.conf file now carries the security_path_prefix setting to list path prefixes where security related files reside.
  • The fetch only mode writes the downloaded Koji build to an NVR subdirectory rather than the temporary directory structure rpminspect would use internally.
The changedfiles inspection first has some restrictions:
  • It skips non-regular files.
  • It skips any files lacking a peer.  There are separate inspections that will handle new, removed, and moved files.
  • It skips Java class files and jar files (these will be handled by other inspections).
With those conditions met, it does this:
  • If a file is gzip'ed, it runs zcmp(1) on the peers and reports if there are changes.
  • If a file is bzip2'ed, it runs bzcmp(1) on the peers and reports if there are changes.
  • If a file is xz'ed, it runs xzcmp(1) on the peers and reports if there are changes.
  • If the file is an ELF object, it runs eu-elfcmp(1) on the peers and reports changes.
  • If the file is a gettext message catalog, it unpacks the catalogs to temporary files and runs 'diff -u' on the output and reports changes.
  • If the file is a C or C++ header file, it preprocesses the peers to remove comments and runs 'diff -uw' on the output and reports changes.
  • Not meeting any of the above special cases, rpminspect compares the SHA-256 digests of the peers and reports if they are different.
There are some additional checks in place, such as reporting changed files that are prefixed by a security path prefix as defined in the configuration file.  This is meant to catch files that change between packages and need approval from a security team or group.  rpminspect reports these changes with WAIVABLE_BY_SECURITY and RESULT_BAD.  Other changes are reported as RESULT_VERIFY.
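An added Python example of the peer comparison described for changedfiles (not rpminspect's own code): gzip, bzip2 and xz peers are compared on their decompressed payload, as zcmp/bzcmp/xzcmp would, so a change of compression level is not a change; everything else is compared by SHA-256 digest; and a changed file under a security path prefix is escalated. The ELF, gettext catalog and header cases that rely on external tools are left out, and the default security prefix list and the compress helper are assumptions.

```python
import bz2
import gzip
import hashlib
import lzma

def compress(kind, data, level=6):
    """Helper for building sample peers: wrap data in the named container at a compression level."""
    if kind == "gzip":
        return gzip.compress(data, compresslevel=level)
    if kind == "bzip2":
        return bz2.compress(data, compresslevel=max(level, 1))
    return lzma.compress(data, preset=level)

def uncompressed(data):
    """Identify gzip/bzip2/xz by magic number and return (kind, payload); kind is None for plain files."""
    if data.startswith(b"\x1f\x8b"):
        return "gzip", gzip.decompress(data)
    if data.startswith(b"BZh"):
        return "bzip2", bz2.decompress(data)
    if data.startswith(b"\xfd7zXZ\x00"):
        return "xz", lzma.decompress(data)
    return None, data

# Constructed stand-in for the security_path_prefix setting.
SECURITY_PREFIXES = ("/etc/pam.d/", "/etc/sudoers.d/")

def compare_peers(installed_path, before, after, security_prefixes=SECURITY_PREFIXES):
    """Compare the before/after bytes of one packaged file; returns (result, waiver, note)."""
    kind_b, body_b = uncompressed(before)
    kind_a, body_a = uncompressed(after)
    if kind_b or kind_a:
        # Like zcmp/bzcmp/xzcmp: compare the payload, so recompressing is not a change.
        changed = body_b != body_a
        how = "%s payload" % (kind_a or kind_b)
    else:
        changed = hashlib.sha256(before).hexdigest() != hashlib.sha256(after).hexdigest()
        how = "SHA-256 digest"
    if not changed:
        return ("RESULT_OK", None, "%s unchanged" % how)
    if any(installed_path.startswith(p) for p in security_prefixes):
        return ("RESULT_BAD", "WAIVABLE_BY_SECURITY", "%s changed under a security path prefix" % how)
    return ("RESULT_VERIFY", None, "%s changed" % how)
```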

This inspection does more than its ancestor did.  For one, the compressed file check was interesting because I like how it works for changing compression levels and just looks at the uncompressed content.  However, only gzip was handled so I added the others.  Also, the digest check occurred before any of the special case handling which resulted in no detailed feedback for those changes.

I look forward to hearing feedback as well as bug reports.  I am continuing on the file comparison inspections to get that rounded out.

Builds are available in Copr, rawhide, and F-31.

Monday, August 19, 2019

rpminspect-0.3 released

Released rpminspect-0.3 today with bugs reported and fixed during Flock Budapest 2019.  Builds are in my Copr repository:

https://copr.fedorainfracloud.org/coprs/dcantrel/rpminspect/

I am building it in rawhide now.  The biggest fix in this release is the correct handling of hard links when extracting RPM payloads.

I have also moved all of the upstream rpminspect projects over to the rpminspect organization in github:

https://github.com/rpminspect/


rpminspect Presentation at Flock 2019

Flock in Budapest was a great event.  There were a lot of talks I wanted to attend, but could not make it to all of them.  I did give one talk on my project called rpminspect.

rpminspect is a project I started as a replacement for an internal Red Hat tool.  I am working on integrating it into the build workflow for Fedora but also to allow package maintainers to use it locally as a build linter of sorts.  Here is a link to the presentation I gave.  I think there is video, but I am not sure where those are.

You can find rpminspect on my github page, but I am moving it and related repos over to the rpminspect organization in github.

Feedback was great for rpminspect and while there I fixed a number of bugs.  I have automatic builds in Copr right now and I am also building released versions in rawhide.

I will do a number of other posts on rpminspect after this one, but I wanted to get this posted for two reasons.  First, to link to the rpminspect organization and presentation.  And second, to test my Fedora Planet connectivity.

Tuesday, April 30, 2019

USB Flash Media on Linux

USB flash media is one of the most useful devices to come along in recent computer history.  Gone are the days of floppy diskettes, CD-R media, and DVD-R media.  While those were fine, USB flash media has just made things much easier.  Our best interim solution in the 90s was the Iomega Zip drive (full disclosure: one still sits on my desk and I use it for sneaker-netting to vintage systems that have SCSI and a Zip drive).

OK, so there are some things to know when using USB flash media on Linux.  For me, the two common things I do are boot ISO images and copy files between systems.  Usually old Windows systems that I use for programming old two-way radio systems.

In the case of booting ISO images, you just need to dd the file to the block device.  Let's say I insert flash media and see in dmesg that it's /dev/sdc.  I would write out the ISO image using this command:

dd if=FUN_OPERATING_SYSTEM.iso of=/dev/sdc status=progress oflag=sync bs=4096

You may need to use the mkhybrid command on some Linux ISO images to make sure it loads from USB media.  Do that on the ISO file before running dd.  So what do the options do?
  • if is the "input file".  This is what I want to write to USB.
  • of is the "output file".  Where is it going?  In this case, a block device called /dev/sdc.
  • status=progress is a GNU feature that shows some status information during the transfer.
  • oflag=sync means "really write it to the block device".
  • bs=4096 means write 4k at a time.  By default, dd will just do one byte at a time.  For an 8GB ISO, that can take a while.  I have successfully set a 32k block size and dd performs just fine, so I do bs=32768.
Great, now you can write out an ISO.  How about file transfer?  In my case, I stick with the FAT32 filesystem.  Even non-DOS operating systems can read and write it.  First, you need to partition the USB device and create a single partition as partition 1.  Alternatively you can format the device on Windows and it will do all of that for you.  Create a FAT32 filesystem on the first partition of the device with a command like:

mkfs.vfat -F 32 /dev/sde1

Now mount it:

mount -o flush /dev/sde1 /mnt

What is "-o flush"?  It tells the kernel to sync data to the device when it's idle.  Other filesystems tend to offer "-o sync" for this, but for FAT32 the distinction is that flush simply writes data out earlier, whereas the "sync" option usually means syncing during each write, which can make writes take a long time.

The "-o flush" option also means when you unmount the device it will most likely be ready to remove.  This is also way faster than running sync before unmounting.  I've also heard urban legends of the sync command destroying the life of USB flash media, so I guess there's that.

If you have ever waited a long time to dd something to a USB flash device, try some of the above options for dd and mounting.  It makes the devices much nicer to work with on Linux.