Monday, August 26, 2019

rpminspect-0.4 released, now with changed file reporting

rpminspect-0.4 is now out.  I have built it on rawhide and for F-31.  My Copr repo has builds for previous releases.  There are a number of fixes and improvements in this release.

Issues fixed:
  • Support multiple buildhost subdomains in rpminspect.conf (#25).
In Fedora, the s390x packages are built on hosts provided by Red Hat's internal mainframe. These have a buildhost subdomain of .bos.redhat.com while the other architectures carry .fedoraproject.org. The buildhost_subdomain parameter in rpminspect.conf now supports multiple subdomains separated by spaces.
  • Add more usage information to the README (#24)
Give more examples on how to use rpminspect at the command line.
  • Add support for specifying a list of architectures on the command line (#27)
This is similar to the koji command line option that restricts a build to a subset of architectures. List the architectures as a comma-separated string. "noarch" is valid since RPM recognizes it. To include the SRPM, use "src" as the architecture. An example: -a x86_64,ppc64le,src
  • Split the -T option out into -T and -E options (#28)
The biggest issue here was my use of '!' to mark excluded tests. I have now split the option into -T, which lists the tests to run, and -E, which lists the tests to skip. The two options are mutually exclusive, and the default mode for rpminspect is to run all applicable tests. With -T, rpminspect disables every test except the ones you name; 'ALL' is accepted with -T but simply restates the default. With -E, rpminspect enables every test except the ones you name; 'ALL' with -E disables every test and rpminspect becomes a no-op.
New functionality:
  • The 'changedfiles' inspection is new and does quite a bit. More on that below.
  • The rpminspect.conf file now carries the security_path_prefix setting to list path prefixes where security related files reside.
  • The fetch-only mode writes the downloaded Koji build to an NVR subdirectory rather than to the temporary directory structure rpminspect would use internally.
The changedfiles inspection first has some restrictions:
  • It skips non-regular files.
  • It skips any file lacking a peer. Separate inspections handle new, removed, and moved files.
  • It skips Java class files and jar files (these will be handled by other inspections).
With those conditions met, it does this:
  • If a file is gzip'ed, it runs zcmp(1) on the peers and reports if there are changes.
  • If a file is bzip2'ed, it runs bzcmp(1) on the peers and reports if there are changes.
  • If a file is xz'ed, it runs xzcmp(1) on the peers and reports if there are changes.
  • If the file is an ELF object, it runs eu-elfcmp(1) on the peers and reports changes.
  • If the file is a gettext message catalog, it unpacks the catalogs to temporary files and runs 'diff -u' on the output and reports changes.
  • If the file is a C or C++ header file, it preprocesses the peers to remove comments and runs 'diff -uw' on the output and reports changes.
  • Not meeting any of the above special cases, rpminspect compares the SHA-256 digests of the peers and reports if they are different.
There are some additional checks in place, such as reporting changed files that are prefixed by a security path prefix as defined in the configuration file. This is meant to catch files that change between builds and need approval from a security team or group. rpminspect reports these changes with WAIVABLE_BY_SECURITY_TEAM and RESULT_BAD. Other changes are reported as RESULT_VERIFY.
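The decision logic of the changedfiles inspection, as an added example that is not rpminspect's own code (rpminspect is written in C and shells out to zcmp, bzcmp, xzcmp, eu-elfcmp and diff): a Python re-implementation run over two constructed build trees. The security path prefixes, the file paths and their contents are all assumptions made for illustration. The gettext catalog case is left out, and where rpminspect calls eu-elfcmp this stand-in only compares raw bytes.

```python
"""Illustrative re-implementation of the rpminspect 'changedfiles' decisions
(example code, not the project's C implementation).  Each regular file in a
'before' build tree is compared with its peer at the same path in an 'after'
build tree and classified with rpminspect-style severity and waiver tags."""
import bz2
import gzip
import hashlib
import lzma
import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Assumed stand-in for the security_path_prefix setting in rpminspect.conf.
SECURITY_PATH_PREFIXES = ("/etc/pam.d/", "/etc/security/", "/etc/sudoers.d/")
GZIP_MAGIC, BZIP2_MAGIC, XZ_MAGIC, ELF_MAGIC = b"\x1f\x8b", b"BZh", b"\xfd7zXZ\x00", b"\x7fELF"
HEADER_SUFFIXES = (".h", ".hh", ".hpp", ".hxx")
SKIPPED_SUFFIXES = (".class", ".jar")   # handled by other inspections


@dataclass
class Finding:
    path: str
    severity: str            # RESULT_OK, RESULT_VERIFY or RESULT_BAD
    waiver: Optional[str]    # WAIVABLE_BY_SECURITY_TEAM for security paths, else None
    detail: str


def decompress(data: bytes) -> Optional[bytes]:
    """Uncompressed payload for gzip/bzip2/xz data, else None.  Comparing
    payloads is what zcmp/bzcmp/xzcmp do, so a changed compression level
    alone is not a change."""
    if data.startswith(GZIP_MAGIC):
        return gzip.decompress(data)
    if data.startswith(BZIP2_MAGIC):
        return bz2.decompress(data)
    if data.startswith(XZ_MAGIC):
        return lzma.decompress(data)
    return None


_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)


def normalized_header(data: bytes) -> List[str]:
    """Strip C/C++ comments, then all whitespace per line, then empty lines:
    an approximation of 'diff -uw' over comment-stripped headers (comment
    markers inside string literals are not special-cased)."""
    text = _COMMENT_RE.sub("", data.decode("utf-8", errors="replace"))
    return [s for s in ("".join(line.split()) for line in text.splitlines()) if s]


def compare_peers(before: bytes, after: bytes, installed: str) -> Tuple[bool, str]:
    """Return (changed, method) using the inspection's special cases in order."""
    old, new = decompress(before), decompress(after)
    if old is not None and new is not None:
        return old != new, "uncompressed content"
    if before.startswith(ELF_MAGIC) and after.startswith(ELF_MAGIC):
        return before != after, "ELF bytes (eu-elfcmp stand-in)"
    if installed.endswith(HEADER_SUFFIXES):
        return normalized_header(before) != normalized_header(after), "header minus comments/whitespace"
    return hashlib.sha256(before).digest() != hashlib.sha256(after).digest(), "sha256 digest"


def inspect_changed_files(before_root: Path, after_root: Path) -> Dict[str, Finding]:
    findings: Dict[str, Finding] = {}
    for dirpath, _dirs, names in os.walk(before_root):
        for name in names:
            before_file = Path(dirpath) / name
            if before_file.is_symlink() or not before_file.is_file():
                continue                     # only regular files are compared
            rel = before_file.relative_to(before_root)
            after_file = after_root / rel
            if after_file.is_symlink() or not after_file.is_file():
                continue                     # no peer: new/removed/moved file inspections
            installed = "/" + rel.as_posix()
            if installed.endswith(SKIPPED_SUFFIXES):
                continue                     # Java class and jar files are skipped here
            changed, how = compare_peers(before_file.read_bytes(), after_file.read_bytes(), installed)
            if not changed:
                findings[installed] = Finding(installed, "RESULT_OK", None, f"unchanged ({how})")
            elif installed.startswith(SECURITY_PATH_PREFIXES):
                findings[installed] = Finding(installed, "RESULT_BAD", "WAIVABLE_BY_SECURITY_TEAM",
                                              f"changed ({how}) under a security path prefix")
            else:
                findings[installed] = Finding(installed, "RESULT_VERIFY", None, f"changed ({how})")
    return findings


def _write(root: Path, rel: str, data: bytes) -> None:
    target = root / rel.lstrip("/")
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)


def build_sample_trees(root: Path) -> Tuple[Path, Path]:
    """Constructed 'before' and 'after' payloads; not taken from any real build."""
    before, after = root / "before", root / "after"
    readme = b"rpminspect sample README\n" * 200
    _write(before, "/usr/share/doc/pkg/README.gz", gzip.compress(readme, compresslevel=1))
    _write(after, "/usr/share/doc/pkg/README.gz", gzip.compress(readme, compresslevel=9))
    _write(before, "/usr/share/doc/pkg/NEWS.xz", lzma.compress(b"0.3: initial\n"))
    _write(after, "/usr/share/doc/pkg/NEWS.xz", lzma.compress(b"0.3: initial\n0.4: changedfiles\n"))
    _write(before, "/usr/include/pkg/api.h", b"/* old comment */\nint pkg_open(const char *path);\n")
    _write(after, "/usr/include/pkg/api.h", b"// new comment\nint  pkg_open( const char  *path );\n")
    _write(before, "/usr/include/pkg/types.h", b"typedef int pkg_id_t;\n")
    _write(after, "/usr/include/pkg/types.h", b"typedef long pkg_id_t;\n")
    _write(before, "/etc/pam.d/pkg", b"auth required pam_unix.so\n")
    _write(after, "/etc/pam.d/pkg", b"auth sufficient pam_permit.so\n")
    _write(before, "/etc/pkg.conf", b"level = 1\n")
    _write(after, "/etc/pkg.conf", b"level = 2\n")
    _write(before, "/usr/share/java/pkg.jar", b"PK\x03\x04old")
    _write(after, "/usr/share/java/pkg.jar", b"PK\x03\x04new")
    _write(before, "/usr/lib/pkg/removed.txt", b"gone\n")      # no peer in 'after'
    _write(after, "/usr/bin/newtool", b"#!/bin/sh\n")            # no peer in 'before'
    return before, after


def demo() -> Dict[str, Finding]:
    with tempfile.TemporaryDirectory() as tmp:
        return inspect_changed_files(*build_sample_trees(Path(tmp)))


if __name__ == "__main__":
    for path, f in sorted(demo().items()):
        print(f"{f.severity:14} {f.waiver or '-':26} {path}: {f.detail}")
```

Running it shows the two behaviours worth noticing: README.gz is reported unchanged even though its on-disk bytes differ (only the compression level changed), while the edited /etc/pam.d/pkg is the sole RESULT_BAD entry, tagged for the security team because of its path rather than because of what changed in it.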

This inspection does more than its ancestor did. For one, the compressed file check is nice in that it ignores a change of compression level and only looks at the uncompressed content. However, only gzip was handled, so I added the others. Also, the digest check used to run before any of the special case handling, which meant no detailed feedback for those changes.

I look forward to hearing feedback as well as bug reports.  I am continuing on the file comparison inspections to get that rounded out.

Builds are available in Copr, rawhide, and F-31.
