On Fri, Mar 7, 2025 at 12:04 PM František Šumšal <frantisek@xxxxxxxxx> wrote:
Hey,
On 3/6/25 19:02, Dmitry Belyavskiy wrote:
> Dear colleagues,
>
> I see that Fedora gating tests for OpenSSH fail because of, among others, ownership/permission tests failure [1].
>
> We have a ssh-keysign binary, that has sgid permissions deviating from upstream, we changed it in F38 [2] (and rolled back the corresponding patch) but the checks still expect sgid bits.
>
> I believe that I asked some people how to update the data to make the checks relevant, and I got a response that I should submit a PR to some repo, and probably I even submitted the PR to the repo - but I unfortunately don't remember the details at all (and looks like the PR was not processed). Could anybody please remind me the proper procedure?
I believe the PR you mentioned is https://github.com/rpminspect/rpminspect-data-fedora/pull/57 and I _think_ the reason for the fail is that there's no "fileinfo" file for F43 (yet), so it's not picking up the changes from the PR. If I run rpminspect locally, the permission check fails with --release=f43, but passes with --release=f42, which would confirm this theory:
$ rpminspect-fedora --keep --debug --keep --workdir . --arches x86_64 --tests=permissions --verbose --release=fc43 --profile="" openssh-9.9p1.tbOmLI
...
permissions:
------------
1) /usr/libexec/openssh/ssh-keysign in openssh-keysign on x86_64 carries insecure mode 4555, Security Team review may be required
Result: BAD
Waiver Authorization: Security
2) /usr/libexec/openssh/ssh-keysign in openssh-keysign on x86_64 carries insecure mode 4555, Security Team review may be required
Result: BAD
Waiver Authorization: Security
$ rpminspect-fedora --keep --debug --keep --workdir . --arches x86_64 --tests=permissions --verbose --release=fc42 --profile="" openssh-9.9p1.tbOmLI
...
permissions:
------------
1) /usr/libexec/openssh/ssh-keysign in openssh-keysign on x86_64 carries expected mode 4555
Result: INFO
Waiver Authorization: Not Waivable
2) /usr/libexec/openssh/ssh-keysign in openssh-keysign on x86_64 carries expected mode 4555
Result: INFO
Waiver Authorization: Not Waivable
>
> Thank you!
>
> [1] https://artifacts.dev.testing-farm.io/7a6fef07-41f3-40a2-8ee8-c327934eddcd/ <https://artifacts.dev.testing-farm.io/7a6fef07-41f3-40a2-8ee8-c327934eddcd/>
> [2] https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit <https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit>
Thank you very much, it explains a lot
-- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
