From gotar at polanet.pl Mon Aug 1 10:07:07 2016
From: gotar at polanet.pl (Tomasz Pala)
Date: Mon, 1 Aug 2016 10:07:07 +0200
Subject: /usr/lib/udev -> /lib/udev
In-Reply-To: <20160731152622.GB7191@home>
References: <20160731131138.GA7863@polanet.pl> <20160731152622.GB7191@home>
Message-ID: <20160801080707.GA9227@polanet.pl>

On Sun, Jul 31, 2016 at 17:26:22 +0200, Jan Rękorajski wrote:

>> What is the purpose of this symlink? It was introduced here:
[...]
> Probably some compatibility symlink, remove, and check if nothing breaks
> (systemd and geninitrd) before committing.

I got it removed when writing this mail, no problems after reboot with
dracut initramfs. I might check geninitrd as well, but this system is
totally fresh and there might be some older dependencies.

AFAIR Fedora used to have /usr/lib/systemd instead of /lib/systemd, from
etckeeper doc/news/version_1.18.5.mdwn:

* Move systemd files to /lib/systemd; /usr/lib/systemd is not used on Debian

However we have always followed/supported /usr as a separate filesystem,
so we shouldn't have had /usr/lib/udev in use ever.

So if anyone wants to help, please remove this symlink on your system
and report if anything breaks. If nothing, we should schedule this for
removal.

One more thing - in:

http://git.pld-linux.org/gitweb.cgi?p=packages/rpm-build-macros.git;a=commitdiff;h=22fb5d900a49ed86c1a8bb621831a8e2b0557b61;hp=0996175992b34613ba51b5e66a12cfc36ed7a997

and its counterpart:

http://git.pld-linux.org/gitweb.cgi?p=packages/rpm.git;a=commitdiff;h=b2f9977a12d0bf116c3dc9c5a20c59e6e86676ba

you've introduced RPM_ENABLE_SYSV_SERVICE and RPM_ENABLE_SYSTEMD_SERVICE.

What actually uses RPM_ENABLE_SYSV_SERVICE? Can't find it anywhere...
There is an older note (that I've been messing with), but apparently
nothing uses that. Fine to remove?

As for rc-scripts/systemd integration, there is also some problem with
service command:

# service --status-all
S:[+] allowlogin: running
S:[+] console: running
S:[+] cpusets: running
S:[+] timezone: running
S:[+] nfsfs: running

- not entirely true, they are provided masked, as there are
replacements, but it doesn't mean it's running. BTW what's the
difference between:

S:[-] netfs: NOT running
S:[+] nfsfs: running

?

D:[+] gssd: running
D:[+] nfslock: running

- actually not running:

# service gssd status
Redirecting to /bin/systemctl --output=cat status gssd.service
* gssd.service - NFS client GSSAPI daemon
Loaded: loaded (/lib/systemd/system/gssd.service; disabled; vendor preset: disabled)
Active: inactive (dead)

# service nfslock status
Redirecting to /bin/systemctl --output=cat status nfslock.service
* nfslock.service - NFS file locking service
Loaded: loaded (/lib/systemd/system/nfslock.service; disabled; vendor preset: disabled)
Active: inactive (dead)

--
Tomasz Pala

From glen at pld-linux.org Mon Aug 1 10:31:44 2016
From: glen at pld-linux.org (Elan Ruusamäe)
Date: Mon, 1 Aug 2016 11:31:44 +0300
Subject: /usr/lib/udev -> /lib/udev
In-Reply-To: <20160801080707.GA9227@polanet.pl>
References: <20160731131138.GA7863@polanet.pl> <20160731152622.GB7191@home> <20160801080707.GA9227@polanet.pl>
Message-ID: <579F08F0.3060504@pld-linux.org>

On 01.08.2016 11:07, Tomasz Pala wrote:
> # service --status-all
> S:[+] allowlogin: running
> S:[+] console: running
> S:[+] cpusets: running
> S:[+] timezone: running
> S:[+] nfsfs: running
>
> - not entirely true, they are provided masked, as there are
> replacements, but it doesn't mean it's running. BTW what's the
> difference between:

"service" command handles only sysv stuff. the only systemd support is
when working with specific service (redirecting to systemd messages).
see the script source

> S:[-] netfs: NOT running
> S:[+] nfsfs: running
>
> ?

it uses the lockfile to test state:

# ls -ld /var/lock/subsys/{netfs,nfsfs}
ls: cannot access '/var/lock/subsys/netfs': No such file or directory
ls: cannot access '/var/lock/subsys/nfsfs': No such file or directory

note: this command is also sysv-only.

--
glen

From glen at pld-linux.org Tue Aug 2 10:34:05 2016
From: glen at pld-linux.org (Elan Ruusamäe)
Date: Tue, 2 Aug 2016 11:34:05 +0300
Subject: [packages/gnupg2] Check if /proc/pid/exe is symlink to /usr/bin/gpg-agent. That way we are 100% sure that this is gpg-
In-Reply-To: <131032f063eb5da404ab75ac9f0e68d6fbdf60e0_refs_heads_master@pld-linux.org>
References: <178303086dcc17923b78da106f3bb622e8886595_refs_heads_master@pld-linux.org> <131032f063eb5da404ab75ac9f0e68d6fbdf60e0_refs_heads_master@pld-linux.org>
Message-ID: <57A05AFD.6020408@pld-linux.org>

On 01.08.2016 18:17, arekm wrote:
> commit 131032f063eb5da404ab75ac9f0e68d6fbdf60e0
> Author: Arkadiusz Miśkiewicz
> Date: Mon Aug 1 17:17:07 2016 +0200
>
> Check if /proc/pid/exe is symlink to /usr/bin/gpg-agent. That way we are 100% sure that this is gpg-agent. Prevents script from failing if there is other process running with the same pid as stored in .gnupg/GPG_AGENT_INFO.
...
> + [ "$(resolvesymlink "/proc/$pid/exe")" = "/usr/bin/gpg-agent" ]; then
>

be aware that if the binary is renamed (rpm upgrade) the "exe" will not
be exactly "/usr/bin/gpg-agent"

# l /proc/505/exe
lrwxrwxrwx 1 glen glen 0 Jun 6 20:17 /proc/505/exe -> /usr/bin/gpg-agent*

# cp -a /usr/bin/gpg-agent /usr/bin/gpg-agent.save

# rm /usr/bin/gpg-agent
rm: remove regular file '/usr/bin/gpg-agent'? y

# l /proc/505/exe
lrwxrwxrwx 1 glen glen 0 Jun 6 20:17 /proc/505/exe -> /usr/bin/gpg-agent (deleted)

#

--
glen

From arekm at maven.pl Tue Aug 2 14:34:30 2016
From: arekm at maven.pl (Arkadiusz Miśkiewicz)
Date: Tue, 2 Aug 2016 14:34:30 +0200
Subject: [packages/gnupg2] Check if /proc/pid/exe is symlink to /usr/bin/gpg-agent.
 That way we are 100% sure that this is gpg-
In-Reply-To: <57A05AFD.6020408@pld-linux.org>
References: <178303086dcc17923b78da106f3bb622e8886595_refs_heads_master@pld-linux.org> <131032f063eb5da404ab75ac9f0e68d6fbdf60e0_refs_heads_master@pld-linux.org> <57A05AFD.6020408@pld-linux.org>
Message-ID: <201608021434.30772.arekm@maven.pl>

On Tuesday 02 of August 2016, Elan Ruusamäe wrote:

> # rm /usr/bin/gpg-agent
> rm: remove regular file '/usr/bin/gpg-agent'? y
>
> # l /proc/505/exe
> lrwxrwxrwx 1 glen glen 0 Jun 6 20:17 /proc/505/exe ->
> /usr/bin/gpg-agent (deleted)
>
> #

Doh and resolvesymlink will return empty string in such case :-/

--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )

From glen at pld-linux.org Tue Aug 2 15:37:41 2016
From: glen at pld-linux.org (Elan Ruusamäe)
Date: Tue, 2 Aug 2016 16:37:41 +0300
Subject: [packages/gnupg2] Check if /proc/pid/exe is symlink to /usr/bin/gpg-agent. That way we are 100% sure that this is gpg-
In-Reply-To: <201608021434.30772.arekm@maven.pl>
References: <178303086dcc17923b78da106f3bb622e8886595_refs_heads_master@pld-linux.org> <131032f063eb5da404ab75ac9f0e68d6fbdf60e0_refs_heads_master@pld-linux.org> <57A05AFD.6020408@pld-linux.org> <201608021434.30772.arekm@maven.pl>
Message-ID: <57A0A225.9050202@pld-linux.org>

On 02.08.2016 15:34, Arkadiusz Miśkiewicz wrote:
> On Tuesday 02 of August 2016, Elan Ruusamäe wrote:
>
>> >
>> ># rm /usr/bin/gpg-agent
>> >rm: remove regular file '/usr/bin/gpg-agent'?
>> >y
>> >
>> ># l /proc/505/exe
>> >lrwxrwxrwx 1 glen glen 0 Jun 6 20:17 /proc/505/exe ->
>> >/usr/bin/gpg-agent (deleted)
>> >
>> >#
> Doh and resolvesymlink will return empty string in such case :-/

do not use such custom crap (resolvesymlink.c from rc-scripts), use
readlink(1) from coreutils:

$ readlink /proc/505/exe
/usr/bin/gpg-agent (deleted)

full code (posix compliant):

$ exe=$(readlink /proc/505/exe)
$ echo ${exe% (deleted)}
/usr/bin/gpg-agent

--
glen

From jajcus at jajcus.net Thu Aug 11 14:35:17 2016
From: jajcus at jajcus.net (Jacek Konieczny)
Date: Thu, 11 Aug 2016 14:35:17 +0200
Subject: Icedtea8 and x32
Message-ID: <574589ec-ad9c-86a2-84a1-f4880a428674@jajcus.net>

Hi,

I have updated the openjdk8.spec for more recent update? and the x32
binaries stopped working.

I have no idea how to debug it or what could go wrong, as I have very
little experience with x32 and the JVM implementation is not some simple
code.

I have tried two different code versions, I have tried dropping
PLD-specific CFLAGS. The 'x32.patch' seems to match what Debian does (in
fact it even uses dpkg right now to detect x32 architecture, which should
probably be changed to something less exotic or included in the
dependencies).

The freshly built 'java' binary crashes on some NULL pointer dereference,
but I was not able to locate any obvious reason.

i686 and x86_64 builds work, but they use a bit different code
(architecture-specific JIT instead of the 'zero assembly' JVM).

Can anyone here look into that? Having old JDK is no good.

We could also switch to Icedtea again, as Icedtea for JDK8 is now
available, but that would require preparing the new package.

Jacek

From glen at pld-linux.org Tue Aug 16 13:18:46 2016
From: glen at pld-linux.org (Elan Ruusamäe)
Date: Tue, 16 Aug 2016 14:18:46 +0300
Subject: php segfaults
Message-ID: <57B2F696.4020609@pld-linux.org>

hi

current state of pld-th-main is broken due the openssl related crash
that arekm worked on

i've been reported php 5.5.37-1curl and mysql packages being installed
cause segfault

# php55 -v
PHP 5.5.37 (cli) (built: Jun 27 2016 01:30:44)
Copyright (c) 1997-2015 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2015 Zend Technologies
*** Error in `php55': double free or corruption (out): 0x0000000001fd4980 ***

please resolve this asap! for example all packages th-test->th-main move
if it's too difficult to figure out which package exactly needs to be moved

--
glen

From arekm at maven.pl Tue Aug 16 13:22:04 2016
From: arekm at maven.pl (Arkadiusz Miśkiewicz)
Date: Tue, 16 Aug 2016 13:22:04 +0200
Subject: php segfaults
In-Reply-To: <57B2F696.4020609@pld-linux.org>
References: <57B2F696.4020609@pld-linux.org>
Message-ID: <201608161322.05072.arekm@maven.pl>

On Tuesday 16 of August 2016, Elan Ruusamäe wrote:
> hi
>
> current state of pld-th-main is broken due the openssl related crash
> that arekm worked on
>
> i've been reported php 5.5.37-1curl and mysql packages being installed
> cause segfault

Try mysql-libs >= 5.6.31, maybe it will work (works for me).

--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )

From qboosh at pld-linux.org Mon Aug 22 17:39:10 2016
From: qboosh at pld-linux.org (Jakub Bogusz)
Date: Mon, 22 Aug 2016 17:39:10 +0200
Subject: [packages/libteam] rel 2; Systemd support, usable for system boot
In-Reply-To:
References: <753e4574a9e3d0e09c021afce64521c20e0d87ba_refs_heads_master@pld-linux.org>
Message-ID: <20160822153910.GB13488@mail>

On Mon, Aug 08, 2016 at 06:06:19PM +0200, mmazur wrote:
> commit ea034156cbf566949e1034b66f5f06499acd1dea
> Author: Mariusz Mazur
> Date: Mon Aug 8 18:02:59 2016 +0200
>
> rel 2; Systemd support, usable for system boot
>
> teamd is still buggy af, so don't be surprised if your system hangs on
> reboot because teamd doesn't want to die
>
> libteam.spec | 36 +++++++++++++++++++++++++++++++++---

either:
%files daemon or %files -n teamd (daemon + init files)
%files init (just init files)

to avoid having service only because of installed library (unused or
just for development).

--
Jakub Bogusz http://qboosh.pl/

From gotar at polanet.pl Tue Aug 23 06:51:58 2016
From: gotar at polanet.pl (Tomasz Pala)
Date: Tue, 23 Aug 2016 06:51:58 +0200
Subject: [packages/libteam] rel 2; Systemd support, usable for system boot
In-Reply-To: <20160822153910.GB13488@mail>
References: <753e4574a9e3d0e09c021afce64521c20e0d87ba_refs_heads_master@pld-linux.org> <20160822153910.GB13488@mail>
Message-ID: <20160823045158.GA31927@polanet.pl>

On Mon, Aug 22, 2016 at 17:39:10 +0200, Jakub Bogusz wrote:

>> rel 2; Systemd support, usable for system boot
>>
>> teamd is still buggy af, so don't be surprised if your system hangs on
>> reboot because teamd doesn't want to die
>>
>> libteam.spec | 36 +++++++++++++++++++++++++++++++++---
>
> either:
> %files daemon or %files -n teamd (daemon + init files)
> %files init (just init files)
>
> to avoid having service only because of installed library (unused or
> just for development).

Or simply comment out %systemd_post.

Or better, provide /lib/systemd/system-preset/50-libteam.preset:

disable teamd*

It's XXI century now, we don't need to use medieval packet splicing
method for that. Unless SysV-compat mode kicks in and starts via init.d.

--
Tomasz Pala

From mariusz.g.mazur at gmail.com Tue Aug 23 11:25:04 2016
From: mariusz.g.mazur at gmail.com (Mariusz Mazur)
Date: Tue, 23 Aug 2016 11:25:04 +0200
Subject: [packages/libteam] rel 2; Systemd support, usable for system boot
Message-ID:

The service files I've added don't actually start anything by default, so
that's not an issue. Though it does seem to me teamd should be a separate
package. I see Fedora does that that way (they have both 'libteam' and
'teamd' rpms). Any volunteers for doing the split? :)

2016-08-22 17:39 GMT+02:00 Jakub Bogusz :

> On Mon, Aug 08, 2016 at 06:06:19PM +0200, mmazur wrote:
> > commit ea034156cbf566949e1034b66f5f06499acd1dea
> > Author: Mariusz Mazur
> > Date: Mon Aug 8 18:02:59 2016 +0200
> >
> > rel 2; Systemd support, usable for system boot
> >
> > teamd is still buggy af, so don't be surprised if your system hangs on
> > reboot because teamd doesn't want to die
> >
> > libteam.spec | 36 +++++++++++++++++++++++++++++++++---
>
> either:
> %files daemon or %files -n teamd (daemon + init files)
> %files init (just init files)
>
> to avoid having service only because of installed library (unused or
> just for development).
>
>
> --
> Jakub Bogusz http://qboosh.pl/
>

From glen at pld-linux.org Wed Aug 24 09:15:10 2016
From: glen at pld-linux.org (Elan Ruusamäe)
Date: Wed, 24 Aug 2016 10:15:10 +0300
Subject: Fwd: [packages/rpm-build-macros] (2 commits) ...Merge commit 'origin'
In-Reply-To: <147199912305.16812.12657230624838686153@pld-linux.org>
References: <147199912305.16812.12657230624838686153@pld-linux.org>
Message-ID: <57BD497E.5020300@pld-linux.org>

omg, you who are right of everything are unable to rebase commits before
pushing to master!?

omg omg.

some solutions for you:

git config --global branch.autosetuprebase always
git config --global alias.up "pull --rebase"

-------- Forwarded Message --------
Subject: [packages/rpm-build-macros] (2 commits) ...Merge commit 'origin'
Date: Wed, 24 Aug 2016 02:38:43 +0200
From: gotar
Reply-To: pld-devel-en at lists.pld-linux.org, pld-devel-pl at lists.pld-linux.org
To: pld-cvs-commit at lists.pld-linux.org

Summary of changes:

cfd0538... stop INSANE delay
0129db8... Merge commit 'origin'
_______________________________________________
pld-cvs-commit mailing list
pld-cvs-commit at lists.pld-linux.org
http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit

From glen at pld-linux.org Thu Aug 25 20:13:21 2016
From: glen at pld-linux.org (Elan Ruusamäe)
Date: Thu, 25 Aug 2016 21:13:21 +0300
Subject: Fwd: [openssl-announce] OpenSSL version 1.1.0 published
In-Reply-To: <20160825164645.GA30454@openssl.org>
References: <20160825164645.GA30454@openssl.org>
Message-ID: <57BF3541.2000703@pld-linux.org>

what's our idea of openssl version in th?

# 1.0.2 is LTS release
# Version 1.0.2 will be supported until 2019-12-31.
# https://www.openssl.org/about/releasestrat.html

do we stay with 1.0.2 or proceed with any version like 1.1.0?

-------- Forwarded Message --------
Subject: [openssl-announce] OpenSSL version 1.1.0 published
Date: Thu, 25 Aug 2016 16:46:45 +0000
From: OpenSSL
Reply-To: openssl-users at openssl.org, openssl at openssl.org
Organization: OpenSSL Project
To: OpenSSL Developer ML , OpenSSL User Support ML , OpenSSL Announce ML

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL version 1.1.0 released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

The OpenSSL project team is pleased to announce the release of
version 1.1.0 of our open source toolkit for SSL/TLS.
For details of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.1.0-notes.html

OpenSSL 1.1.0 is available for download via HTTP and FTP from the
following master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

* https://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-1.1.0.tar.gz
Size: 5146831
SHA1 checksum: 15e651c40424abdaeba5d5c1a8658e8668e798c8
SHA256 checksum: f5c69ff9ac1472c80b868efc1c1c0d8dcfc746d29ebe563de2365dd56dbd8c82

The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.0.tar.gz
openssl sha256 openssl-1.1.0.tar.gz

Yours,

The OpenSSL Project Team.

--
openssl-announce mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-announce

From arekm at maven.pl Thu Aug 25 20:24:07 2016
From: arekm at maven.pl (Arkadiusz Miśkiewicz)
Date: Thu, 25 Aug 2016 20:24:07 +0200
Subject: Fwd: [openssl-announce] OpenSSL version 1.1.0 published
In-Reply-To: <57BF3541.2000703@pld-linux.org>
References: <20160825164645.GA30454@openssl.org> <57BF3541.2000703@pld-linux.org>
Message-ID: <201608252024.07669.arekm@maven.pl>

On Thursday 25 of August 2016, Elan Ruusamäe wrote:
> what's our idea of openssl version in th?
>
> # 1.0.2 is LTS release
> # Version 1.0.2 will be supported until 2019-12-31.
> # https://www.openssl.org/about/releasestrat.html
>
> do we stay with 1.0.2 or proceed with any version like 1.1.0?

1.1.0 is AFAIK heavily incompatible, so it's better to wait until others do
porting job :-)

Can it be installed in parallel with 1.0?

Are symbols versioned so binary using other libraries linked to 1.0 and 1.1
will work and symbols won't clash?

> -------- Forwarded Message --------
> Subject: [openssl-announce] OpenSSL version 1.1.0 published
> Date: Thu, 25 Aug 2016 16:46:45 +0000
> From: OpenSSL
> Reply-To: openssl-users at openssl.org, openssl at openssl.org
> Organization: OpenSSL Project
> To: OpenSSL Developer ML , OpenSSL User
> Support ML , OpenSSL Announce ML
>
>
> OpenSSL version 1.1.0 released
> ===============================
>
> OpenSSL - The Open Source toolkit for SSL/TLS
> https://www.openssl.org/
>
> The OpenSSL project team is pleased to announce the release of
> version 1.1.0 of our open source toolkit for SSL/TLS. For details
> of changes and known issues see the release notes at:
>
> https://www.openssl.org/news/openssl-1.1.0-notes.html
>
> OpenSSL 1.1.0 is available for download via HTTP and FTP from the
> following master locations (you can find the various FTP mirrors under
> https://www.openssl.org/source/mirror.html):
>
> * https://www.openssl.org/source/
> * ftp://ftp.openssl.org/source/
>
> The distribution file name is:
>
> o openssl-1.1.0.tar.gz
> Size: 5146831
> SHA1 checksum: 15e651c40424abdaeba5d5c1a8658e8668e798c8
> SHA256 checksum:
> f5c69ff9ac1472c80b868efc1c1c0d8dcfc746d29ebe563de2365dd56dbd8c82
>
> The checksums were calculated using the following commands:
>
> openssl sha1 openssl-1.1.0.tar.gz
> openssl sha256 openssl-1.1.0.tar.gz
>
> Yours,
>
> The OpenSSL Project Team.

--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )

From glen at pld-linux.org Thu Aug 25 21:46:59 2016
From: glen at pld-linux.org (Elan Ruusamäe)
Date: Thu, 25 Aug 2016 22:46:59 +0300
Subject: Fwd: [openssl-announce] OpenSSL version 1.1.0 published
In-Reply-To: <201608252024.07669.arekm@maven.pl>
References: <20160825164645.GA30454@openssl.org> <57BF3541.2000703@pld-linux.org> <201608252024.07669.arekm@maven.pl>
Message-ID: <57BF4B33.5080106@pld-linux.org>

On 25.08.2016 21:24, Arkadiusz Miśkiewicz wrote:
> On Thursday 25 of August 2016, Elan Ruusamäe wrote:
>> >what's our idea of openssl version in th?
>> >
>> ># 1.0.2 is LTS release
>> ># Version 1.0.2 will be supported until 2019-12-31.
>> >#https://www.openssl.org/about/releasestrat.html
>> >
>> >do we stay with 1.0.2 or proceed with any version like 1.1.0?
> 1.1.0 is AFAIK heavily incompatible, so it's better to wait until others do
> porting job:-)
>
> Can it be installed in parallel with 1.0?
>
> Are symbols versioned so binary using other libraries linked to 1.0 and 1.1
> will work and symbols won't clash?

new soname, so yes

but our current packaging uses unversioned paths, so no without
packaging changes

-devel still has libssl.so, and i haven't seen any package using any
other library name than that.

luckily there are pkgconfig files, but it would still need patch every
program that uses openssl to force versioned pkg-config files

there's dev-1.1 branch on openssl package in pld repo updating to 1.1 branch

--
glen

From qboosh at pld-linux.org Fri Aug 26 16:56:16 2016
From: qboosh at pld-linux.org (Jakub Bogusz)
Date: Fri, 26 Aug 2016 16:56:16 +0200
Subject: [packages/libteam] rel 2; Systemd support, usable for system boot
In-Reply-To:
References:
Message-ID: <20160826145616.GA29237@mail>

On Tue, Aug 23, 2016 at 11:25:04AM +0200, Mariusz Mazur wrote:
> The service files I've added don't actually start anything by default, so
> that's not an issue.
> Though it does seem to me teamd should be a separate
> package. I see Fedora does that that way (they have both 'libteam' and
> 'teamd' rpms). Any volunteers for doing the split? :)

Should some other parts beside teamd and systemd stuff (some binaries?)
be moved to teamd package?

--
Jakub Bogusz http://qboosh.pl/

From mariusz.g.mazur at gmail.com Fri Aug 26 17:30:16 2016
From: mariusz.g.mazur at gmail.com (Mariusz Mazur)
Date: Fri, 26 Aug 2016 17:30:16 +0200
Subject: [packages/libteam] rel 2; Systemd support, usable for system boot
In-Reply-To: <20160826145616.GA29237@mail>
References: <20160826145616.GA29237@mail>
Message-ID:

It's done, teamd is completely separate.

2016-08-26 16:56 GMT+02:00 Jakub Bogusz :

> On Tue, Aug 23, 2016 at 11:25:04AM +0200, Mariusz Mazur wrote:
> > The service files I've added don't actually start anything by default, so
> > that's not an issue. Though it does seem to me teamd should be a separate
> > package. I see Fedora does that that way (they have both 'libteam' and
> > 'teamd' rpms). Any volunteers for doing the split? :)
>
> Should some other parts beside teamd and systemd stuff (some binaries?)
> be moved to teamd package?
>
>
> --
> Jakub Bogusz http://qboosh.pl/
> _______________________________________________
> pld-devel-en mailing list
> pld-devel-en at lists.pld-linux.org
> http://lists.pld-linux.org/mailman/listinfo/pld-devel-en
>

From glen at pld-linux.org Sun Aug 28 16:36:33 2016
From: glen at pld-linux.org (Elan Ruusamäe)
Date: Sun, 28 Aug 2016 17:36:33 +0300
Subject: [packages/libteam] rel 2; Systemd support, usable for system boot
In-Reply-To:
References: <20160826145616.GA29237@mail>
Message-ID: <57C2F6F1.2060200@pld-linux.org>

On 26.08.2016 18:30, Mariusz Mazur wrote:
> It's done, teamd is completely separate.

well.
the goal seems still broken

the -devel contains libteamdctl.so which is a symlink owned by teamd not
libteamd package

so, that library should be also moved to base package, or rm
libteamdctl.so (not package it at all)

--
glen

From qboosh at pld-linux.org Sun Aug 28 22:02:11 2016
From: qboosh at pld-linux.org (Jakub Bogusz)
Date: Sun, 28 Aug 2016 22:02:11 +0200
Subject: [packages/libteam] rel 2; Systemd support, usable for system boot
In-Reply-To: <57C2F6F1.2060200@pld-linux.org>
References: <20160826145616.GA29237@mail> <57C2F6F1.2060200@pld-linux.org>
Message-ID: <20160828200211.GA20389@mail>

On Sun, Aug 28, 2016 at 05:36:33PM +0300, Elan Ruusamäe wrote:
> On 26.08.2016 18:30, Mariusz Mazur wrote:
> >It's done, teamd is completely separate.
> well. the goal seems still broken
>
> the -devel contains libteamdctl.so which is a symlink owned by teamd not
> libteamd package
>
> so, that library should be also moved to base package, or rm
> libteamdctl.so (not package it at all)

libteam and libteamdctl libraries are independent of each other and
libteamdctl also has exported API - so I decided to separate
libteamdctl-* packages too.

--
Jakub Bogusz http://qboosh.pl/

From arekm at maven.pl Mon Aug 29 07:02:04 2016
From: arekm at maven.pl (Arkadiusz Miśkiewicz)
Date: Mon, 29 Aug 2016 07:02:04 +0200
Subject: Vulnerability scanner based on vulners.com audit API
Message-ID: <201608290702.04216.arekm@maven.pl>

Interesting

https://github.com/videns/vulners-scanner

TODO: incorporate that (API) into our infrastructure to check ftp contents

--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )

From glen at pld-linux.org Mon Aug 29 09:26:29 2016
From: glen at pld-linux.org (Elan Ruusamäe)
Date: Mon, 29 Aug 2016 10:26:29 +0300
Subject: Vulnerability scanner based on vulners.com audit API
In-Reply-To: <201608290702.04216.arekm@maven.pl>
References: <201608290702.04216.arekm@maven.pl>
Message-ID: <57C3E3A5.406@pld-linux.org>

On 29.08.2016 08:02, Arkadiusz Miśkiewicz wrote:
> Interesting
>
> https://github.com/videns/vulners-scanner
>
> TODO: incorporate that (API) into our infrastructure to check ftp contents

i've seen such projects in the past.

but i lost interest to them after i found that they compare just
package-db versions, not actual file blob contents.

--
glen

From arekm at maven.pl Mon Aug 29 09:43:55 2016
From: arekm at maven.pl (Arkadiusz Miśkiewicz)
Date: Mon, 29 Aug 2016 09:43:55 +0200
Subject: Vulnerability scanner based on vulners.com audit API
In-Reply-To: <57C3E3A5.406@pld-linux.org>
References: <201608290702.04216.arekm@maven.pl> <57C3E3A5.406@pld-linux.org>
Message-ID: <201608290943.55382.arekm@maven.pl>

On Monday 29 of August 2016, Elan Ruusamäe wrote:
> On 29.08.2016 08:02, Arkadiusz Miśkiewicz wrote:
> > Interesting
> >
> > https://github.com/videns/vulners-scanner
> >
> > TODO: incorporate that (API) into our infrastructure to check ftp
> > contents
>
> i've seen such projects in the past.
>
> but i lost interest to them after i found that they compare just
> package-db versions, not actual file blob contents.

Right, that will be a problem. If these provide CVE info then maybe we could
check changelog contents of our packages and skip these with info about cve
fixed.

--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )

From glen at pld-linux.org Mon Aug 29 12:07:11 2016
From: glen at pld-linux.org (Elan Ruusamäe)
Date: Mon, 29 Aug 2016 13:07:11 +0300
Subject: glibc upgrade log under docker
Message-ID: <57C4094F.8070201@pld-linux.org>

glibc 2.23 -> 2.24 logs:

ldconfig: Cannot lstat /lib64/ld-2.23.so: No such file or directory

those are always shown with FIRST upgrade to 2.24
second ldconfig already is silent (no dead links)

this is visible in docker env. aufs fun?

$ uname -r
4.4.6-1

$ rpm -q rpm poldek glibc
rpm-5.4.15-33.x86_64
poldek-0.32.1-3.x86_64
glibc-2.23-5.x86_64

$ poldek -u glibc
glibc-2.23-5.x86_64 obsoleted by glibc-2.24-1.x86_64
greedy upgrade glibc-libcrypt-2.23-5.x86_64 to 2.24-1.x86_64 (unresolved glibc = 6:2.23-5)
glibc-libcrypt-2.23-5.x86_64 obsoleted by glibc-libcrypt-2.24-1.x86_64
greedy upgrade glibc-devel-2.23-5.x86_64 to 2.24-1.x86_64 (unresolved glibc-libcrypt(x86_64) = 6:2.23-5)
glibc-devel-2.23-5.x86_64 obsoleted by glibc-devel-2.24-1.x86_64
glibc-devel-2.24-1.x86_64 marks glibc-devel-utils-2.24-1.x86_64 (cap glibc-devel-utils = 6:2.24-1)
glibc-devel-utils-2.23-5.x86_64 obsoleted by glibc-devel-utils-2.24-1.x86_64
glibc-devel-2.24-1.x86_64 marks glibc-headers-2.24-1.x86_64 (cap glibc-headers = 6:2.24-1)
glibc-headers-2.23-5.x86_64 obsoleted by glibc-headers-2.24-1.x86_64
glibc-2.24-1.x86_64 marks ldconfig-2.24-1.x86_64 (cap ldconfig = 6:2.24-1)
ldconfig-2.23-5.x86_64 obsoleted by ldconfig-2.24-1.x86_64
There are 6 packages to install (5 marked by dependencies), 6 to remove:
I glibc-2.24-1.x86_64
D glibc-devel-2.24-1.x86_64 glibc-devel-utils-2.24-1.x86_64
D glibc-headers-2.24-1.x86_64 glibc-libcrypt-2.24-1.x86_64
D ldconfig-2.24-1.x86_64
R glibc-2.23-5.x86_64 glibc-devel-2.23-5.x86_64
R glibc-devel-utils-2.23-5.x86_64
glibc-headers-2.23-5.x86_64
R glibc-libcrypt-2.23-5.x86_64 ldconfig-2.23-5.x86_64
This operation will free 9.7KB of disk space.
Need to get 3.6MB of archives (3.6MB to download).
Retrieving [1/6] th::ldconfig-2.24-1.x86_64.rpm...
..............................done
Retrieving [2/6] th::glibc-2.24-1.x86_64.rpm...
..............................done
Retrieving [3/6] th::glibc-devel-utils-2.24-1.x86_64.rpm...
..............................done
Retrieving [4/6] th::glibc-headers-2.24-1.x86_64.rpm...
..............................done
Retrieving [5/6] th::glibc-libcrypt-2.24-1.x86_64.rpm...
..............................done
Retrieving [6/6] th::glibc-devel-2.24-1.x86_64.rpm...
..............................done
Executing pm-command.sh --upgrade -vh --root / --define _check_dirname_deps 1...
Preparing... ##################################################
Repackaging...
glibc-devel ##################################################
glibc-libcrypt ##################################################
glibc-devel-utils ##################################################
glibc-headers ##################################################
glibc ##################################################
ldconfig ##################################################
Upgrading...
ldconfig ##################################################
glibc-headers ##################################################
glibc ##################################################
glibc-devel-utils ##################################################
glibc-libcrypt ##################################################
glibc-devel ##################################################
/sbin/ldconfig: Cannot lstat /lib64/libcrypt-2.23.so: No such file or directory
/sbin/ldconfig: Cannot lstat /lib64/ld-2.23.so: No such file or directory
/sbin/ldconfig: Cannot lstat /lib64/libBrokenLocale-2.23.so: No such file or directory
/sbin/ldconfig: Cannot lstat /lib64/libanl-2.23.so: No such file or directory
/sbin/ldconfig: Cannot lstat /lib64/libc-2.23.so: No such file or directory
/sbin/ldconfig: Cannot lstat /lib64/libcidn-2.23.so: No such file or directory
/sbin/ldconfig: Cannot lstat /lib64/libdl-2.23.so: No such file or directory
/sbin/ldconfig: Cannot lstat /lib64/libm-2.23.so: No such file or directory
/sbin/ldconfig: Cannot lstat /lib64/libmvec-2.23.so: No such file or directory
/sbin/ldconfig: Cannot lstat /lib64/libnsl-2.23.so: No such file or directory
/sbin/ldconfig: Cannot lstat /lib64/libnss_db-2.23.so: No such file or directory
/sbin/ldconfig: Cannot lstat /lib64/libnss_dns-2.23.so: No such file or directory
/sbin/ldconfig: Cannot lstat /lib64/libnss_files-2.23.so: No such file or directory
/sbin/ldconfig: Cannot lstat /lib64/libpthread-2.23.so: No such file or directory
/sbin/ldconfig: Cannot lstat /lib64/libresolv-2.23.so: No such file or directory
/sbin/ldconfig: Cannot lstat /lib64/librt-2.23.so: No such file or directory
/sbin/ldconfig: Cannot lstat /lib64/libutil-2.23.so: No such file or directory
/sbin/ldconfig: Cannot lstat /lib64/libcrypt-2.23.so: No such file or directory

$ ls -l /lib64
ls: cannot access '/lib64/ld-2.23.so': No such file or directory
ls: cannot access '/lib64/libBrokenLocale-2.23.so': No such file or directory
ls: cannot access
'/lib64/libanl-2.23.so': No such file or directory
ls: cannot access '/lib64/libc-2.23.so': No such file or directory
ls: cannot access '/lib64/libcidn-2.23.so': No such file or directory
ls: cannot access '/lib64/libdl-2.23.so': No such file or directory
ls: cannot access '/lib64/libm-2.23.so': No such file or directory
ls: cannot access '/lib64/libmvec-2.23.so': No such file or directory
ls: cannot access '/lib64/libnsl-2.23.so': No such file or directory
ls: cannot access '/lib64/libnss_db-2.23.so': No such file or directory
ls: cannot access '/lib64/libnss_dns-2.23.so': No such file or directory
ls: cannot access '/lib64/libnss_files-2.23.so': No such file or directory
ls: cannot access '/lib64/libpthread-2.23.so': No such file or directory
ls: cannot access '/lib64/libresolv-2.23.so': No such file or directory
ls: cannot access '/lib64/librt-2.23.so': No such file or directory
ls: cannot access '/lib64/libutil-2.23.so': No such file or directory
ls: cannot access '/lib64/libcrypt-2.23.so': No such file or directory
total 24804
?????????? ? ? ? ? ? ld-2.23.so
-rwxr-xr-x 1 root root 166616 Aug 6 09:31 ld-2.24.so
lrwxrwxrwx 1 root root 10 Aug 29 10:04 ld-linux-x86-64.so.2 -> ld-2.24.so
?????????? ? ? ? ? ? libBrokenLocale-2.23.so
-rwxr-xr-x 1 root root 6176 Aug 6 09:31 libBrokenLocale-2.24.so
lrwxrwxrwx 1 root root 23 Aug 29 10:04 libBrokenLocale.so.1 -> libBrokenLocale-2.24.so
-rwxr-xr-x 1 root root 18608 Aug 6 09:31 libSegFault.so
lrwxrwxrwx 1 root root 15 Jun 17 23:01 libacl.so.1 -> libacl.so.1.1.0
-rwxr-xr-x 3 root root 35288 Feb 24 2015 libacl.so.1.1.0
?????????? ? ? ? ? ?
libanl-2.23.so -rwxr-xr-x 1 root root 14888 Aug 6 09:31 libanl-2.24.so lrwxrwxrwx 1 root root 14 Aug 29 10:04 libanl.so.1 -> libanl-2.24.so lrwxrwxrwx 1 root root 16 Jun 19 10:23 libasn1.so.8 -> libasn1.so.8.0.0 -rwxr-xr-x 1 root root 663288 Feb 25 2015 libasn1.so.8.0.0 lrwxrwxrwx 1 root root 16 Jun 17 23:01 libattr.so.1 -> libattr.so.1.1.0 -rwxr-xr-x 3 root root 18640 Feb 24 2015 libattr.so.1.1.0 lrwxrwxrwx 1 root root 17 Jun 17 23:01 libaudit.so.1 -> libaudit.so.1.0.0 -rwxr-xr-x 3 root root 105064 May 11 19:58 libaudit.so.1.0.0 lrwxrwxrwx 1 root root 19 Jun 17 23:01 libauparse.so.0 -> libauparse.so.0.0.0 -rwxr-xr-x 3 root root 96928 May 11 19:58 libauparse.so.0.0.0 lrwxrwxrwx 1 root root 20 Jun 17 23:01 libbeecrypt.so.7 -> libbeecrypt.so.7.0.0 -rwxr-xr-x 3 root root 205360 Nov 28 2015 libbeecrypt.so.7.0.0 lrwxrwxrwx 1 root root 17 Jun 19 10:24 libblkid.so.1 -> libblkid.so.1.1.0 -rwxr-xr-x 1 root root 266888 Apr 29 18:15 libblkid.so.1.1.0 lrwxrwxrwx 1 root root 15 Jun 17 23:01 libbz2.so.1 -> libbz2.so.1.0.0 lrwxrwxrwx 1 root root 15 Jun 17 23:01 libbz2.so.1.0 -> libbz2.so.1.0.0 -rwxr-xr-x 3 root root 70952 Feb 25 2015 libbz2.so.1.0.0 ?????????? ? ? ? ? ? libc-2.23.so -rwxr-xr-x 1 root root 1701488 Aug 6 09:31 libc-2.24.so lrwxrwxrwx 1 root root 12 Aug 29 10:04 libc.so.6 -> libc-2.24.so lrwxrwxrwx 1 root root 18 Jun 19 10:24 libcap-ng.so.0 -> libcap-ng.so.0.0.0 -rwxr-xr-x 1 root root 22760 Nov 29 2015 libcap-ng.so.0.0.0 lrwxrwxrwx 1 root root 14 Jun 17 23:01 libcap.so.2 -> libcap.so.2.25 -rwxr-xr-x 3 root root 23040 Mar 30 21:02 libcap.so.2.25 ?????????? ? ? ? ? ? libcidn-2.23.so -rwxr-xr-x 1 root root 190752 Aug 6 09:31 libcidn-2.24.so lrwxrwxrwx 1 root root 15 Aug 29 10:04 libcidn.so.1 -> libcidn-2.24.so lrwxrwxrwx 1 root root 17 Jun 19 10:23 libcom_err.so.2 -> libcom_err.so.2.1 -rwxr-xr-x 1 root root 14536 Oct 25 2015 libcom_err.so.2.1 ?????????? ? ? ? ? ? 
libcrypt-2.23.so -rwxr-xr-x 1 root root 47368 Aug 6 09:31 libcrypt-2.24.so lrwxrwxrwx 1 root root 16 Aug 29 10:04 libcrypt.so.1 -> libcrypt-2.24.so -rwxr-xr-x 3 root root 2451024 May 3 18:25 libcrypto.so.1.0.0 -rwxr-xr-x 3 root root 1774808 Feb 25 2015 libdb-5.2.so -rwxr-xr-x 3 root root 2310424 Feb 25 2015 libdb_sql-5.2.so ?????????? ? ? ? ? ? libdl-2.23.so -rwxr-xr-x 1 root root 14512 Aug 6 09:31 libdl-2.24.so lrwxrwxrwx 1 root root 13 Aug 29 10:04 libdl.so.2 -> libdl-2.24.so -rwxr-xr-x 3 root root 96760 Apr 5 16:03 libelf-0.166.so lrwxrwxrwx 1 root root 15 Jun 17 23:01 libelf.so.1 -> libelf-0.166.so lrwxrwxrwx 1 root root 22 Jun 19 10:24 libevent-2.0.so.5 -> libevent-2.0.so.5.1.10 -rwxr-xr-x 1 root root 291992 Sep 6 2015 libevent-2.0.so.5.1.10 lrwxrwxrwx 1 root root 17 Jun 19 10:24 libfdisk.so.1 -> libfdisk.so.1.1.0 -rwxr-xr-x 1 root root 360264 Apr 29 18:15 libfdisk.so.1.1.0 -rw-r--r-- 1 root root 899 Mar 5 19:04 libfreebl3.chk -rwxr-xr-x 1 root root 502808 Mar 5 19:06 libfreebl3.so lrwxrwxrwx 1 root root 13 Jun 19 10:24 libgcc_s.so -> libgcc_s.so.1 -rwxr-xr-x 1 root root 89880 Dec 5 2015 libgcc_s.so.1 lrwxrwxrwx 1 root root 19 Jun 19 10:24 libgcrypt.so.20 -> libgcrypt.so.20.1.0 -rwxr-xr-x 1 root root 1104224 Apr 18 15:57 libgcrypt.so.20.1.0 lrwxrwxrwx 1 root root 35 Jun 17 23:01 libgomp-plugin-host_nonshm.so.1 -> libgomp-plugin-host_nonshm.so.1.0.0 -rwxr-xr-x 3 root root 10104 Dec 5 2015 libgomp-plugin-host_nonshm.so.1.0.0 lrwxrwxrwx 1 root root 16 Jun 17 23:01 libgomp.so.1 -> libgomp.so.1.0.0 -rwxr-xr-x 3 root root 138304 Dec 5 2015 libgomp.so.1.0.0 lrwxrwxrwx 1 root root 22 Jun 19 10:24 libgpg-error.so.0 -> libgpg-error.so.0.18.0 -rwxr-xr-x 1 root root 80400 May 11 17:51 libgpg-error.so.0.18.0 lrwxrwxrwx 1 root root 18 Jun 19 10:23 libgssapi.so.3 -> libgssapi.so.3.0.0 -rwxr-xr-x 1 root root 256440 Feb 25 2015 libgssapi.so.3.0.0 lrwxrwxrwx 1 root root 19 Jun 19 10:23 libhcrypto.so.4 -> libhcrypto.so.4.1.0 -rwxr-xr-x 1 root root 213280 Feb 25 2015 
libhcrypto.so.4.1.0 lrwxrwxrwx 1 root root 20 Jun 19 10:23 libheimbase.so.1 -> libheimbase.so.1.0.0 -rwxr-xr-x 1 root root 19120 Feb 25 2015 libheimbase.so.1.0.0 lrwxrwxrwx 1 root root 20 Jun 19 10:23 libheimntlm.so.0 -> libheimntlm.so.0.1.0 -rwxr-xr-x 1 root root 27592 Feb 25 2015 libheimntlm.so.0.1.0 lrwxrwxrwx 1 root root 17 Jun 17 23:01 libhistory.so.6 -> libhistory.so.6.3 -rwxr-xr-x 3 root root 35120 Feb 25 2015 libhistory.so.6.3 lrwxrwxrwx 1 root root 17 Jun 19 10:23 libhx509.so.5 -> libhx509.so.5.0.0 -rwxr-xr-x 1 root root 304928 Feb 25 2015 libhx509.so.5.0.0 lrwxrwxrwx 1 root root 15 Jun 19 10:24 libitm.so.1 -> libitm.so.1.0.0 -rwxr-xr-x 1 root root 112920 Dec 5 2015 libitm.so.1.0.0 lrwxrwxrwx 1 root root 16 Jun 19 10:23 libkafs.so.0 -> libkafs.so.0.5.1 -rwxr-xr-x 1 root root 31520 Feb 25 2015 libkafs.so.0.5.1 lrwxrwxrwx 1 root root 17 Jun 19 10:23 libkrb5.so.26 -> libkrb5.so.26.0.0 -rwxr-xr-x 1 root root 526752 Feb 25 2015 libkrb5.so.26.0.0 lrwxrwxrwx 1 root root 16 Jun 17 23:01 liblzma.so.5 -> liblzma.so.5.2.2 -rwxr-xr-x 3 root root 154176 Oct 13 2015 liblzma.so.5.2.2 ?????????? ? ? ? ? ? libm-2.23.so -rwxr-xr-x 1 root root 1067280 Aug 6 09:31 libm-2.24.so lrwxrwxrwx 1 root root 12 Aug 29 10:04 libm.so.6 -> libm-2.24.so lrwxrwxrwx 1 root root 17 Jun 17 23:01 libmagic.so.1 -> libmagic.so.1.0.0 -rwxr-xr-x 3 root root 138288 May 13 17:02 libmagic.so.1.0.0 lrwxrwxrwx 1 root root 17 Jun 19 10:24 libmount.so.1 -> libmount.so.1.1.0 -rwxr-xr-x 1 root root 304712 Apr 29 18:15 libmount.so.1.1.0 ?????????? ? ? ? ? ? libmvec-2.23.so -rwxr-xr-x 1 root root 170240 Aug 6 09:31 libmvec-2.24.so lrwxrwxrwx 1 root root 15 Aug 29 10:04 libmvec.so.1 -> libmvec-2.24.so lrwxrwxrwx 1 root root 18 Jun 17 23:01 libncursesw.so.6 -> libncursesw.so.6.0 -rwxr-xr-x 3 root root 448752 Apr 13 20:58 libncursesw.so.6.0 ?????????? ? ? ? ? ? libnsl-2.23.so -rwxr-xr-x 1 root root 88936 Aug 6 09:31 libnsl-2.24.so lrwxrwxrwx 1 root root 14 Aug 29 10:04 libnsl.so.1 -> libnsl-2.24.so ?????????? ? 
? ? ? ? libnss_db-2.23.so -rwxr-xr-x 1 root root 31024 Aug 6 09:31 libnss_db-2.24.so lrwxrwxrwx 1 root root 17 Aug 29 10:04 libnss_db.so.2 -> libnss_db-2.24.so ?????????? ? ? ? ? ? libnss_dns-2.23.so -rwxr-xr-x 1 root root 22800 Aug 6 09:31 libnss_dns-2.24.so lrwxrwxrwx 1 root root 18 Aug 29 10:04 libnss_dns.so.2 -> libnss_dns-2.24.so ?????????? ? ? ? ? ? libnss_files-2.23.so -rwxr-xr-x 1 root root 47504 Aug 6 09:31 libnss_files-2.24.so lrwxrwxrwx 1 root root 20 Aug 29 10:04 libnss_files.so.2 -> libnss_files-2.24.so -rwxr-xr-x 1 root root 67824 Feb 20 2016 libnss_myhostname.so.2 lrwxrwxrwx 1 root root 23 Jun 17 23:01 libossp-uuid.so.16 -> libossp-uuid.so.16.0.22 -rwxr-xr-x 3 root root 48520 Dec 24 2015 libossp-uuid.so.16.0.22 lrwxrwxrwx 1 root root 16 Jun 19 10:23 libpam.so.0 -> libpam.so.0.84.1 -rwxr-xr-x 1 root root 60016 May 1 18:52 libpam.so.0.84.1 lrwxrwxrwx 1 root root 21 Jun 19 10:23 libpam_misc.so.0 -> libpam_misc.so.0.82.1 -rwxr-xr-x 1 root root 14512 May 1 18:52 libpam_misc.so.0.82.1 lrwxrwxrwx 1 root root 17 Jun 19 10:23 libpamc.so.0 -> libpamc.so.0.82.1 -rwxr-xr-x 1 root root 14512 May 1 18:52 libpamc.so.0.82.1 lrwxrwxrwx 1 root root 16 Jun 17 23:01 libpcre.so.1 -> libpcre.so.1.2.6 -rwxr-xr-x 3 root root 456848 Nov 24 2015 libpcre.so.1.2.6 lrwxrwxrwx 1 root root 21 Jun 17 23:01 libpcreposix.so.0 -> libpcreposix.so.0.0.3 -rwxr-xr-x 3 root root 10208 Nov 24 2015 libpcreposix.so.0.0.3 lrwxrwxrwx 1 root root 16 Jun 17 23:01 libpopt.so.0 -> libpopt.so.0.0.0 -rwxr-xr-x 3 root root 52328 Feb 25 2015 libpopt.so.0.0.0 ?????????? ? ? ? ? ? libpthread-2.23.so -rwxr-xr-x 1 root root 135320 Aug 6 09:31 libpthread-2.24.so lrwxrwxrwx 1 root root 18 Aug 29 10:04 libpthread.so.0 -> libpthread-2.24.so lrwxrwxrwx 1 root root 18 Jun 17 23:01 libreadline.so.6 -> libreadline.so.6.3 -rwxr-xr-x 3 root root 296936 Feb 25 2015 libreadline.so.6.3 ?????????? ? ? ? ? ? 
libresolv-2.23.so -rwxr-xr-x 1 root root 88808 Aug 6 09:31 libresolv-2.24.so lrwxrwxrwx 1 root root 17 Aug 29 10:04 libresolv.so.2 -> libresolv-2.24.so lrwxrwxrwx 1 root root 18 Jun 19 10:23 libroken.so.18 -> libroken.so.18.1.0 -rwxr-xr-x 1 root root 86056 Feb 25 2015 libroken.so.18.1.0 -rwxr-xr-x 3 root root 446608 May 11 20:22 librpm-5.4.so -rwxr-xr-x 3 root root 169760 May 11 20:22 librpmbuild-5.4.so -rwxr-xr-x 3 root root 64016 May 11 20:22 librpmconstant-5.4.so -rwxr-xr-x 3 root root 355264 May 11 20:22 librpmdb-5.4.so -rwxr-xr-x 3 root root 1555120 May 11 20:22 librpmio-5.4.so -rwxr-xr-x 3 root root 317600 May 11 20:22 librpmmisc-5.4.so ?????????? ? ? ? ? ? librt-2.23.so -rwxr-xr-x 1 root root 31616 Aug 6 09:31 librt-2.24.so lrwxrwxrwx 1 root root 13 Aug 29 10:04 librt.so.1 -> librt-2.24.so -rwxr-xr-x 3 root root 130456 Apr 1 00:29 libselinux.so.1 -rwxr-xr-x 3 root root 236800 Nov 29 2015 libsemanage.so.1 -rwxr-xr-x 3 root root 536304 Oct 25 2015 libsepol.so.1 lrwxrwxrwx 1 root root 21 Jun 19 10:24 libsmartcols.so.1 -> libsmartcols.so.1.1.0 -rwxr-xr-x 1 root root 151400 Apr 29 18:15 libsmartcols.so.1.1.0 lrwxrwxrwx 1 root root 19 Jun 19 10:23 libsqlite3.so.0 -> libsqlite3.so.0.8.6 -rwxr-xr-x 1 root root 862544 May 11 17:57 libsqlite3.so.0.8.6 -rwxr-xr-x 3 root root 480448 May 3 18:25 libssl.so.1.0.0 lrwxrwxrwx 1 root root 15 Jun 19 10:24 libssp.so.0 -> libssp.so.0.0.0 -rwxr-xr-x 1 root root 10288 Dec 5 2015 libssp.so.0.0.0 lrwxrwxrwx 1 root root 27 Jun 19 10:24 libsystemd-daemon.so.0 -> libsystemd-daemon.so.0.0.12 -rwxr-xr-x 1 root root 24408 Feb 20 2016 libsystemd-daemon.so.0.0.12 lrwxrwxrwx 1 root root 26 Jun 19 10:24 libsystemd-id128.so.0 -> libsystemd-id128.so.0.0.28 -rwxr-xr-x 1 root root 23616 Feb 20 2016 libsystemd-id128.so.0.0.28 lrwxrwxrwx 1 root root 28 Jun 19 10:24 libsystemd-journal.so.0 -> libsystemd-journal.so.0.11.5 -rwxr-xr-x 1 root root 135304 Feb 20 2016 libsystemd-journal.so.0.11.5 lrwxrwxrwx 1 root root 25 Jun 19 10:24 
libsystemd-login.so.0 -> libsystemd-login.so.0.9.3 -rwxr-xr-x 1 root root 58104 Feb 20 2016 libsystemd-login.so.0.9.3 lrwxrwxrwx 1 root root 19 Jun 19 10:24 libsystemd.so.0 -> libsystemd.so.0.8.0 -rwxr-xr-x 1 root root 536184 Feb 20 2016 libsystemd.so.0.8.0 -rwxr-xr-x 1 root root 35624 Aug 6 09:31 libthread_db-1.0.so lrwxrwxrwx 1 root root 19 Aug 29 10:04 libthread_db.so.1 -> libthread_db-1.0.so lrwxrwxrwx 1 root root 18 Jun 19 10:23 libtirpc.so.1 -> libtirpc.so.1.0.10 -rwxr-xr-x 1 root root 184984 Sep 17 2015 libtirpc.so.1.0.10 lrwxrwxrwx 1 root root 16 Jun 19 10:24 libudev.so.1 -> libudev.so.1.6.4 -rwxr-xr-x 1 root root 126592 Feb 20 2016 libudev.so.1.6.4 lrwxrwxrwx 1 root root 20 Jun 17 23:01 libustr-1.0.so.1 -> libustr-1.0.so.1.0.4 -rwxr-xr-x 3 root root 224544 Oct 26 2015 libustr-1.0.so.1.0.4 ?????????? ? ? ? ? ? libutil-2.23.so -rwxr-xr-x 1 root root 10560 Aug 6 09:31 libutil-2.24.so lrwxrwxrwx 1 root root 15 Aug 29 10:04 libutil.so.1 -> libutil-2.24.so lrwxrwxrwx 1 root root 16 Jun 19 10:24 libuuid.so.1 -> libuuid.so.1.3.0 -rwxr-xr-x 1 root root 18880 Apr 29 18:15 libuuid.so.1.3.0 lrwxrwxrwx 1 root root 16 Jun 19 10:23 libwind.so.0 -> libwind.so.0.0.0 -rwxr-xr-x 1 root root 166024 Feb 25 2015 libwind.so.0.0.0 lrwxrwxrwx 1 root root 18 Jun 19 10:23 libxcrypt.so.2 -> libxcrypt.so.2.0.0 -rwxr-xr-x 1 root root 18608 Feb 25 2015 libxcrypt.so.2.0.0 lrwxrwxrwx 1 root root 13 Jun 17 23:01 libz.so.1 -> libz.so.1.2.8 -rwxr-xr-x 3 root root 86584 Feb 26 2015 libz.so.1.2.8 drwxr-xr-x 3 root root 4096 Jun 19 10:23 security drwxr-xr-x 2 root root 4096 Jun 19 10:23 xcrypt -- glen From gotar at polanet.pl Tue Aug 30 00:53:49 2016 From: gotar at polanet.pl (Tomasz Pala) Date: Tue, 30 Aug 2016 00:53:49 +0200 Subject: rpm --nosignature reversed meaning Message-ID: <20160829225349.GA12506@polanet.pl> Should this work this way? Is it upstream bug or PLD-specific? How about RH-rpm? 
~: strace -erecvfrom rpm -qp keepassx-2.0.2-2.x86_64.rpm
keepassx-2.0.2-2.x86_64
+++ exited with 0 +++

~: strace -erecvfrom rpm --nosignature -qp keepassx-2.0.2-2.x86_64.rpm
recvfrom(12, "\25\24\201\200\0\1\0\5\0\0\0\0\2ha\4pool\16sks-keyserv"..., 2048, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.4.4")}, [16]) = 124
recvfrom(12, "\"\27\201\200\0\1\0\5\0\0\0\0\2ha\4pool\16sks-keyserv"..., 65536, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.4.4")}, [16]) = 184
keepassx-2.0.2-2.x86_64
+++ exited with 0 +++

--
Tomasz Pala

From draenog at pld-linux.org Tue Aug 30 04:19:01 2016
From: draenog at pld-linux.org (Kacper Kornet)
Date: Tue, 30 Aug 2016 04:19:01 +0200
Subject: rpm --nosignature reversed meaning
In-Reply-To: <20160829225349.GA12506@polanet.pl>
References: <20160829225349.GA12506@polanet.pl>
Message-ID: <20160830021901.GA8194@camk.edu.pl>

On Tue, Aug 30, 2016 at 12:53:49AM +0200, Tomasz Pala wrote:
> Should this work this way? Is it upstream bug or PLD-specific? How about RH-rpm?
> ~: strace -erecvfrom rpm -qp keepassx-2.0.2-2.x86_64.rpm
> keepassx-2.0.2-2.x86_64
> +++ exited with 0 +++
> ~: strace -erecvfrom rpm --nosignature -qp keepassx-2.0.2-2.x86_64.rpm
> recvfrom(12, "\25\24\201\200\0\1\0\5\0\0\0\0\2ha\4pool\16sks-keyserv"..., 2048, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.4.4")}, [16]) = 124
> recvfrom(12, "\"\27\201\200\0\1\0\5\0\0\0\0\2ha\4pool\16sks-keyserv"..., 65536, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.4.4")}, [16]) = 184
> keepassx-2.0.2-2.x86_64
> +++ exited with 0 +++

According to Jeff it's a feature.
See his answer:

http://lists.pld-linux.org/mailman/pipermail/pld-devel-en/2015-June/024405.html

--
Kacper Kornet

From n3npq at me.com Tue Aug 30 09:05:36 2016
From: n3npq at me.com (Jeffrey Johnson)
Date: Tue, 30 Aug 2016 03:05:36 -0400
Subject: rpm --nosignature reversed meaning
In-Reply-To: <20160830021901.GA8194@camk.edu.pl>
References: <20160829225349.GA12506@polanet.pl> <20160830021901.GA8194@camk.edu.pl>
Message-ID:

> On Aug 29, 2016, at 10:19 PM, Kacper Kornet wrote:
>
> On Tue, Aug 30, 2016 at 12:53:49AM +0200, Tomasz Pala wrote:
>> Should this work this way? Is it upstream bug or PLD-specific? How about RH-rpm?
>
>
>> ~: strace -erecvfrom rpm -qp keepassx-2.0.2-2.x86_64.rpm
>> keepassx-2.0.2-2.x86_64
>> +++ exited with 0 +++
>
>
>> ~: strace -erecvfrom rpm --nosignature -qp keepassx-2.0.2-2.x86_64.rpm
>> recvfrom(12, "\25\24\201\200\0\1\0\5\0\0\0\0\2ha\4pool\16sks-keyserv"..., 2048, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.4.4")}, [16]) = 124
>> recvfrom(12, "\"\27\201\200\0\1\0\5\0\0\0\0\2ha\4pool\16sks-keyserv"..., 65536, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.4.4")}, [16]) = 184
>> keepassx-2.0.2-2.x86_64
>> +++ exited with 0 +++
>
> According to Jeff it's a feature. See his answer:
>
> http://lists.pld-linux.org/mailman/pipermail/pld-devel-en/2015-June/024405.html
>

MANDATORY signature checking (using the non-repudiable signature that has been
generated since 2010 or so) is the feature.

At that point --nosignature has very limited usage cases:

1) packages _NOT_ generated by RPM5, or not signed:
   => Sign the package and import the pubkey used.
2) pubkeys not imported and/or hkp:// disabled
   ==> devise your own pubkey distribution

If - as claimed - that --nosignature now has inverted meaning,
then that is a bug with POPT option processing (which likely is doing XOR
on a static bit that has now changed from 1 -> 0)

The path I am on is eliminating --nosignature entirely permitting
signing and pubkey management through any means you choose, where RPM
supplies a non-repudiable signature fallback sufficiently to attempt
MANDATORY signature verification.

hth

73 de Jeff

> --
> Kacper Kornet
> _______________________________________________
> pld-devel-en mailing list
> pld-devel-en at lists.pld-linux.org
> http://lists.pld-linux.org/mailman/listinfo/pld-devel-en

From n3npq at me.com Tue Aug 30 09:24:02 2016
From: n3npq at me.com (Jeffrey Johnson)
Date: Tue, 30 Aug 2016 03:24:02 -0400
Subject: rpm --nosignature reversed meaning
In-Reply-To: <20160829225349.GA12506@polanet.pl>
References: <20160829225349.GA12506@polanet.pl>
Message-ID:

> On Aug 29, 2016, at 6:53 PM, Tomasz Pala wrote:
>
> Should this work this way? Is it upstream bug or PLD-specific? How about RH-rpm?
>

I need more info if you think it's an RPM bug.

The implementations in RH-rpm and RPM5 are significantly different.

For starters, RPM5 abandoned header+payload signatures, which started to be
phased out in RHEL3 more than a decade ago.

RPM5 also verifies self-certification signatures on pubkeys, permits ECDSA,
and more, that RH-rpm does not attempt.
>
> ~: strace -erecvfrom rpm -qp keepassx-2.0.2-2.x86_64.rpm
> keepassx-2.0.2-2.x86_64
> +++ exited with 0 +++
>
>
> ~: strace -erecvfrom rpm --nosignature -qp keepassx-2.0.2-2.x86_64.rpm
> recvfrom(12, "\25\24\201\200\0\1\0\5\0\0\0\0\2ha\4pool\16sks-keyserv"..., 2048, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.4.4")}, [16]) = 124
> recvfrom(12, "\"\27\201\200\0\1\0\5\0\0\0\0\2ha\4pool\16sks-keyserv"..., 65536, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.4.4")}, [16]) = 184
> keepassx-2.0.2-2.x86_64
> +++ exited with 0 +++
>

The 2 line snippet looks like a pubkey lookup: undefine %_hkp_keyserver to disable the lookup

Use -vv to see signature verification (which is likely disabled w --nosignature).

AFAIK, PLD has also reenabled the --nosignature in "system.h" - the
code will be removed in rpm-5.4.18 (and rpm-5.4.17 was distributed with MANDATORY signatures).

I will send that patch to PLD if you choose to continue supporting a --nosignature option.

hth

73 de Jeff

From gotar at polanet.pl Tue Aug 30 10:52:12 2016
From: gotar at polanet.pl (Tomasz Pala)
Date: Tue, 30 Aug 2016 10:52:12 +0200
Subject: rpm --nosignature reversed meaning
In-Reply-To:
References: <20160829225349.GA12506@polanet.pl> <20160830021901.GA8194@camk.edu.pl>
Message-ID: <20160830085212.GB18894@polanet.pl>

On Tue, Aug 30, 2016 at 03:05:36 -0400, Jeffrey Johnson wrote:
> If - as claimed - that --nosignature now has inverted meaning,
> then that is a bug with POPT option processing (which likely is doing XOR
> on a static bit that has now changed from 1 -> 0)

OK, anyone close/familiar enough to/with our patched code to check it please?
--
Tomasz Pala

From gotar at polanet.pl Tue Aug 30 11:17:01 2016
From: gotar at polanet.pl (Tomasz Pala)
Date: Tue, 30 Aug 2016 11:17:01 +0200
Subject: rpm --nosignature reversed meaning
In-Reply-To:
References: <20160829225349.GA12506@polanet.pl>
Message-ID: <20160830091701.GC18894@polanet.pl>

On Tue, Aug 30, 2016 at 03:24:02 -0400, Jeffrey Johnson wrote:
>> ~: strace -erecvfrom rpm --nosignature -qp keepassx-2.0.2-2.x86_64.rpm
>> recvfrom(12, "\25\24\201\200\0\1\0\5\0\0\0\0\2ha\4pool\16sks-keyserv"..., 2048, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.4.4")}, [16]) = 124
>> recvfrom(12, "\"\27\201\200\0\1\0\5\0\0\0\0\2ha\4pool\16sks-keyserv"..., 65536, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.4.4")}, [16]) = 184
>> keepassx-2.0.2-2.x86_64
>> +++ exited with 0 +++
>
> The 2 line snippet looks like a pubkey lookup: undefine %_hkp_keyserver to disable the lookup

Thanks, that did the trick - it interferes with my network-restricted
environment. I need all the verification to happen locally, and preferably
FAIL BADLY when not possible (i.e. no networked key-server available and no GPG pubkey imported).

Is there any macro/option that prevents me from installing any unsigned/unverified package?
Warning is not enough, I want to be totally sure the verification was done and succeeded.

> Use -vv to see signature verification (which is likely disabled w --nosignature).
>
> AFAIK, PLD has also reenabled the --nosignature in "system.h" - the
> code will be removed in rpm-5.4.18 (and rpm-5.4.17 was distributed with MANDATORY signatures).
>
> I will send that patch to PLD if you choose to continue supporting a --nosignature option.

Apparently no one here uses this...
http://ftp.th.pld-linux.org/dists/th/PLD-3.0-Th-GPG-key.asc

~: rpm -qp --nosignature keepassx-2.0.2-2.x86_64.rpm (reversed meaning in query mode bug)
error: keepassx-2.0.2-2.x86_64.rpm: Header V4 DSA signature: BAD, key ID e4f1bc2d
error: reading keepassx-2.0.2-2.x86_64.rpm manifest, non-printable characters found

~: rpm -K keepassx-2.0.2-2.x86_64.rpm
keepassx-2.0.2-2.x86_64.rpm: (SHA1) DSA sha1 md5 NOT_OK

~: rpm -qa gpg-pubkey\*
gpg-pubkey-e4f1bc2d-47b351f0

~: diff PLD-3.0-Th-GPG-key.asc /etc/pki/rpm-gpg/PLD-3.0-Th-GPG-key.asc

(BTW this key is not automatically imported to rpm database).

--
Tomasz Pala

From gotar at polanet.pl Tue Aug 30 11:38:07 2016
From: gotar at polanet.pl (Tomasz Pala)
Date: Tue, 30 Aug 2016 11:38:07 +0200
Subject: rpm --nosignature reversed meaning
In-Reply-To: <20160830091701.GC18894@polanet.pl>
References: <20160829225349.GA12506@polanet.pl> <20160830091701.GC18894@polanet.pl>
Message-ID: <20160830093807.GD18894@polanet.pl>

On Tue, Aug 30, 2016 at 11:17:01 +0200, Tomasz Pala wrote:
>> The 2 line snippet looks like a pubkey lookup: undefine %_hkp_keyserver to disable the lookup
>
> Thanks, that did the trick - it interferes with my network-restricted
> environment. I need all the verification to happen locally, and preferably
> FAIL BADLY when not possible (i.e. no networked key-server available and no GPG pubkey imported).
>
> Is there any macro/option that prevents me from installing any unsigned/unverified package?
> Warning is not enough, I want to be totally sure the verification was done and succeeded.

OK, we have a problem here...

After disabling %_hkp_keyserver it works as expected (BUT reversed!):

~: rpm -ivh --test --nosignature keepassx-2.0.2-2.x86_64.rpm
error: keepassx-2.0.2-2.x86_64.rpm: Header V4 DSA signature: BAD, key ID e4f1bc2d
error: reading keepassx-2.0.2-2.x86_64.rpm manifest, non-printable characters found

~: rpm -ivh --test keepassx-2.0.2-2.x86_64.rpm
Preparing...
########################################### [100%]
error: Install/Erase problems:
        package keepassx-2.0.2-2.x86_64 is already installed

The question is: why didn't this work like this before importing GPG key?

~: rpm -qpvv --nosignature keepassx-2.0.2-2.x86_64.rpm
[...]
D: pool u: created size 288 limit -1 flags 0
D: PUB: AF3F93BC E4F1BC2D V4 DSA
D: SIG: AF3F93BC E4F1BC2D V4 DSA-SHA1 POSITIVE
D: UID: DSApub (PLD Linux Distribution 3.0 (Th))
D: ========== DSA pubkey id af3f93bc e4f1bc2d (keyserver)
D: keepassx-2.0.2-2.x86_64.rpm: Header V4 DSA signature: OK, key ID e4f1bc2d

How is that possible? Using keyserver - OK, using imported key - BAD:

D: PUB: AF3F93BC E4F1BC2D V4 DSA
D: SIG: AF3F93BC E4F1BC2D V4 DSA-SHA1 POSITIVE
D: PUB: 732FDFDE EAE6F8B8 V4 RSA
D: SIG: 732FDFDE EAE6F8B8 V4 RSA-SHA1 POSITIVE
D: UID: RSApub (PLD Linux Distribution 3.0 (Th))
D: ========== DSA pubkey id af3f93bc e4f1bc2d (h#968[0])
error: keepassx-2.0.2-2.x86_64.rpm: Header V4 DSA signature: BAD, key ID e4f1bc2d

Am I simply wrong, or is it the same DSA key signature with different results?

--
Tomasz Pala

From gotar at polanet.pl Tue Aug 30 11:50:45 2016
From: gotar at polanet.pl (Tomasz Pala)
Date: Tue, 30 Aug 2016 11:50:45 +0200
Subject: rpm --nosignature reversed meaning
In-Reply-To: <20160830093807.GD18894@polanet.pl>
References: <20160829225349.GA12506@polanet.pl> <20160830091701.GC18894@polanet.pl> <20160830093807.GD18894@polanet.pl>
Message-ID: <20160830095045.GE18894@polanet.pl>

On Tue, Aug 30, 2016 at 11:38:07 +0200, Tomasz Pala wrote:
> D: PUB: AF3F93BC E4F1BC2D V4 DSA
> D: SIG: AF3F93BC E4F1BC2D V4 DSA-SHA1 POSITIVE
> D: UID: DSApub (PLD Linux Distribution 3.0 (Th))
> D: ========== DSA pubkey id af3f93bc e4f1bc2d (keyserver)
> D: keepassx-2.0.2-2.x86_64.rpm: Header V4 DSA signature: OK, key ID e4f1bc2d
>
> How is that possible? Using keyserver - OK, using imported key - BAD:
>
> D: PUB: AF3F93BC E4F1BC2D V4 DSA
> D: SIG: AF3F93BC E4F1BC2D V4 DSA-SHA1 POSITIVE
> D: PUB: 732FDFDE EAE6F8B8 V4 RSA
> D: SIG: 732FDFDE EAE6F8B8 V4 RSA-SHA1 POSITIVE
> D: UID: RSApub (PLD Linux Distribution 3.0 (Th))
> D: ========== DSA pubkey id af3f93bc e4f1bc2d (h#968[0])
> error: keepassx-2.0.2-2.x86_64.rpm: Header V4 DSA signature: BAD, key ID e4f1bc2d
>
> Am I simply wrong, or is it the same DSA key signature with different results?

http://ha.pool.sks-keyservers.net/pks/lookup?op=hget&search=5B9E545012899D925DE92F364995E354

from this place rpm -qi gpg-pubkey follows (additional lines):

--
Tomasz Pala

From n3npq at me.com Tue Aug 30 11:56:43 2016
From: n3npq at me.com (Jeffrey Johnson)
Date: Tue, 30 Aug 2016 05:56:43 -0400
Subject: rpm --nosignature reversed meaning
In-Reply-To: <20160830091701.GC18894@polanet.pl>
References: <20160829225349.GA12506@polanet.pl> <20160830091701.GC18894@polanet.pl>
Message-ID:

> On Aug 30, 2016, at 5:17 AM, Tomasz Pala wrote:
>
> On Tue, Aug 30, 2016 at 03:24:02 -0400, Jeffrey Johnson wrote:
>
>>> ~: strace -erecvfrom rpm --nosignature -qp keepassx-2.0.2-2.x86_64.rpm
>>> recvfrom(12, "\25\24\201\200\0\1\0\5\0\0\0\0\2ha\4pool\16sks-keyserv"..., 2048, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.4.4")}, [16]) = 124
>>> recvfrom(12, "\"\27\201\200\0\1\0\5\0\0\0\0\2ha\4pool\16sks-keyserv"..., 65536, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.4.4")}, [16]) = 184
>>> keepassx-2.0.2-2.x86_64
>>> +++ exited with 0 +++
>>
>> The 2 line snippet looks like a pubkey lookup: undefine %_hkp_keyserver to disable the lookup
>
> Thanks, that did the trick - it interferes with my network-restricted
> environment. I need all the verification to happen locally, and preferably
> FAIL BADLY when not possible (i.e. no networked key-server available and no GPG pubkey imported).
>

The 2 line snippet is DNS to port 53 - disabling hkp:// is an entirely different functionality
than disabling signature verification.

> Is there any macro/option that prevents me from installing any unsigned/unverified package?

The question as asked cannot be answered: all (RPM5 built) packages are signed and
(w/o --nosignatures) the signature will be verified.

> Warning is not enough, I want to be totally sure the verification was done and succeeded.
>

All BAD signatures will stop RPM (unless --nosignatures has been used).

>> Use -vv to see signature verification (which is likely disabled w --nosignature).
>>
>> AFAIK, PLD has also reenabled the --nosignature in "system.h" - the
>> code will be removed in rpm-5.4.18 (and rpm-5.4.17 was distributed with MANDATORY signatures).
>>
>> I will send that patch to PLD if you choose to continue supporting a --nosignature option.
>
> Apparently no one here uses this...
>
> http://ftp.th.pld-linux.org/dists/th/PLD-3.0-Th-GPG-key.asc
>
> ~: rpm -qp --nosignature keepassx-2.0.2-2.x86_64.rpm (reversed meaning in query mode bug)
> error: keepassx-2.0.2-2.x86_64.rpm: Header V4 DSA signature: BAD, key ID e4f1bc2d
> error: reading keepassx-2.0.2-2.x86_64.rpm manifest, non-printable characters found
>

Um, I believe I've used that pubkey - see if there isn't a report
from spring 2015 on pld-devel - the issue was that the RSA fingerprint
was fixed and so that pubkey had to be reimported.

I've forgotten - What version of rpm is this?

> ~: rpm -K keepassx-2.0.2-2.x86_64.rpm
> keepassx-2.0.2-2.x86_64.rpm: (SHA1) DSA sha1 md5 NOT_OK
>

FWIW, -K --checksig is mostly historical remnant as well: rpm always
verifies *.rpm header-only signatures. The option remains solely
because I don't feel like explaining why -K isn't necessary ...

> ~: rpm -qa gpg-pubkey\*
> gpg-pubkey-e4f1bc2d-47b351f0
>
> ~: diff PLD-3.0-Th-GPG-key.asc /etc/pki/rpm-gpg/PLD-3.0-Th-GPG-key.asc
>

Try removing and reimporting.

> (BTW this key is not automatically imported to rpm database).
>

No pubkey is automatically imported by RPM, particularly those retrieved
from hkp:// or externally generated signatures.

Meanwhile, all imported pubkeys (including for the non-repudiable pubkey
present in all RPM5 built *.rpm packages) are indexed in /var/lib/rpm/pubkeys
for retrieval. If the keyed goes off the rails

The flaw with the PLD-Th-GPG-key.asc (from memory) was that RSA (but not DSA/ECDSA)
does not guarantee that the most significant bit is set, and so an assumption that
bit count == 8 * byte count fails. There is also a 1-in-256 chance that all 8 leading
bits are zero, in which case the no. of bytes is wrong as well.

Adding the bit count properly (as specified in RFC 4880) changes the RSA pubkey
fingerprint because the bit count is part of the key material.

Anyways if you give me a URL to the pubkey and a package signed with that
pubkey, I'll (again) sort out the details.

I can't quite tell what to do with --nosignature because PLD <-> rpm5.org
are headed in different directions and not working with the same source code.

But I believe the PLD-Th-GPG issue was discussed in spring 2015 on pld-devel.

73 de Jeff

> --
> Tomasz Pala

From gotar at polanet.pl Tue Aug 30 11:57:28 2016
From: gotar at polanet.pl (Tomasz Pala)
Date: Tue, 30 Aug 2016 11:57:28 +0200
Subject: rpm --nosignature reversed meaning
In-Reply-To: <20160830095045.GE18894@polanet.pl>
References: <20160829225349.GA12506@polanet.pl> <20160830091701.GC18894@polanet.pl> <20160830093807.GD18894@polanet.pl> <20160830095045.GE18894@polanet.pl>
Message-ID: <20160830095728.GF18894@polanet.pl>

On Tue, Aug 30, 2016 at 11:50:45 +0200, Tomasz Pala wrote:
>> D: PUB: AF3F93BC E4F1BC2D V4 DSA
>> D: SIG: AF3F93BC E4F1BC2D V4 DSA-SHA1 POSITIVE
>> D: PUB: 732FDFDE EAE6F8B8 V4 RSA
>> D: SIG: 732FDFDE EAE6F8B8 V4 RSA-SHA1 POSITIVE
>> D: UID: RSApub (PLD Linux Distribution 3.0 (Th))
>> D: ========== DSA pubkey id af3f93bc e4f1bc2d (h#968[0])
>> error: keepassx-2.0.2-2.x86_64.rpm: Header V4 DSA signature: BAD, key ID e4f1bc2d
>>
>> Am I simply wrong, or is it the same DSA key signature with different results?
>
> http://ha.pool.sks-keyservers.net/pks/lookup?op=hget&search=5B9E545012899D925DE92F364995E354
[...]
> from this place rpm -qi gpg-pubkey follows (additional lines):

Apparently rpm concatenated DSA with RSA and uses it as a single key:

~: rpm -qi gpg-pubkey
Summary : gpg(RSApub (PLD Linux Distribution 3.0 (Th)) )

while this is DSA+RSA.

--
Tomasz Pala

From n3npq at me.com Tue Aug 30 12:01:35 2016
From: n3npq at me.com (Jeffrey Johnson)
Date: Tue, 30 Aug 2016 06:01:35 -0400
Subject: rpm --nosignature reversed meaning
In-Reply-To: <20160830095728.GF18894@polanet.pl>
References: <20160829225349.GA12506@polanet.pl> <20160830091701.GC18894@polanet.pl> <20160830093807.GD18894@polanet.pl> <20160830095045.GE18894@polanet.pl> <20160830095728.GF18894@polanet.pl>
Message-ID: <0D66C71B-A22E-4F55-92FF-ED9A9A468662@me.com>

> On Aug 30, 2016, at 5:57 AM, Tomasz Pala wrote:
>
> On Tue, Aug 30, 2016 at 11:50:45 +0200, Tomasz Pala wrote:
>
>>> D: PUB: AF3F93BC E4F1BC2D V4 DSA
>>> D: SIG: AF3F93BC E4F1BC2D V4 DSA-SHA1 POSITIVE
>>> D: PUB: 732FDFDE EAE6F8B8 V4 RSA
>>> D: SIG: 732FDFDE EAE6F8B8 V4 RSA-SHA1 POSITIVE
>>> D: UID: RSApub (PLD Linux Distribution 3.0 (Th))
>>> D: ========== DSA pubkey id af3f93bc e4f1bc2d (h#968[0])
>>> error: keepassx-2.0.2-2.x86_64.rpm: Header V4 DSA signature: BAD, key ID e4f1bc2d
>>>
>>> Am I simply wrong, or is it the same DSA key signature with different results?
>>
>> http://ha.pool.sks-keyservers.net/pks/lookup?op=hget&search=5B9E545012899D925DE92F364995E354
> [...]
>> from this place rpm -qi gpg-pubkey follows (additional lines):
>>
>
> Apparently rpm concatenated DSA with RSA and uses it as a single key:
>

Um, please stop guessing at the cause.

The lines displayed before are pubkey certification signatures, not package signatures.

> ~: rpm -qi gpg-pubkey
> Summary : gpg(RSApub (PLD Linux Distribution 3.0 (Th)) )
>
> while this is DSA+RSA.

And there is no "DSA+RSA" signature scheme.

73 de Jeff

>
> --
> Tomasz Pala

From n3npq at me.com Tue Aug 30 12:30:24 2016
From: n3npq at me.com (Jeffrey Johnson)
Date: Tue, 30 Aug 2016 06:30:24 -0400
Subject: rpm --nosignature reversed meaning
In-Reply-To:
References: <20160829225349.GA12506@polanet.pl> <20160830091701.GC18894@polanet.pl>
Message-ID: <9B92BB88-EE74-47A2-BDA5-4C2D5FB17C8F@me.com>

>
> But I believe the PLD-Th-GPG issue was discussed in spring 2015 on pld-devel.
>

This was the issue I was remembering:

http://pld-devel-en.pld-linux.narkive.com/ZssnN7t4/rpm-va-bad-key-id

That specific issue was resolved by disabling
signature verification during --verify, largely
to avoid reimporting PLD-Th-GPG which was
"unacceptable".

(aside)
RPM traditionally never verified signatures with -Va.

I can refresh my memory of what the causes were: PLD-Th-GPG is in one of my development trees. I don't recall any significant issues I had to repair (but damfino what I was doing 2+ years ago)

Meanwhile, many RSA issues were repaired between
rpm-5.4.14 and rpm-5.4.15.

So issues with RSA are "expected".

73 de Jeff

From gotar at polanet.pl Tue Aug 30 12:32:46 2016
From: gotar at polanet.pl (Tomasz Pala)
Date: Tue, 30 Aug 2016 12:32:46 +0200
Subject: rpm --nosignature reversed meaning
In-Reply-To: <0D66C71B-A22E-4F55-92FF-ED9A9A468662@me.com>
References: <20160829225349.GA12506@polanet.pl> <20160830091701.GC18894@polanet.pl> <20160830093807.GD18894@polanet.pl> <20160830095045.GE18894@polanet.pl> <20160830095728.GF18894@polanet.pl> <0D66C71B-A22E-4F55-92FF-ED9A9A468662@me.com>
Message-ID: <20160830103245.GG18894@polanet.pl>

On Tue, Aug 30, 2016 at 06:01:35 -0400, Jeffrey Johnson wrote:

> Um, please stop guessing at the cause.

Well, that is the actual content of PLD-3.0-Th-GPG-key.asc. Signatures match:

pub 1024D/E4F1BC2D 2008-02-13
uid DSApub (PLD Linux Distribution 3.0 (Th))
pub 1024R/EAE6F8B8 2008-02-13
uid RSApub (PLD Linux Distribution 3.0 (Th))

so I see no other cause than some implementation bug.
Since standalone DSA works fine:

~: btrfs sub snap / testgpg
~: systemd-nspawn -D testgpg
~: rpm -e gpg-pubkey
~: wget http://ha.pool.sks-keyservers.net/pks/lookup?op=hget&search=5B9E545012899D925DE92F364995E354
[remove HTML parts]
~: rpm --import lookup\?op\=hget\&search\=5B9E545012899D925DE92F364995E354
~: rpm -qi gpg-pubkey
Summary : gpg(DSApub (PLD Linux Distribution 3.0 (Th)) )
~: rpm -qp --nosignature keepassx-2.0.2-2.x86_64.rpm
D: PUB: AF3F93BC E4F1BC2D V4 DSA
D: SIG: AF3F93BC E4F1BC2D V4 DSA-SHA1 POSITIVE
D: UID: DSApub (PLD Linux Distribution 3.0 (Th))
D: ========== DSA pubkey id af3f93bc e4f1bc2d (h#969[0])
D: keepassx-2.0.2-2.x86_64.rpm: Header V4 DSA signature: OK, key ID e4f1bc2d

that leaves us with some RSA part (secondary pubkey!) interference.

> The lines displayed before are pubkey certification signatures, not package signatures.

Let me guess for the last time: if handled properly,
rpm --import PLD-3.0-Th-GPG-key.asc
should result in 2 gpg-pubkeys in rpm database. There is one, not working.

--
Tomasz Pala

From n3npq at me.com Tue Aug 30 12:41:39 2016
From: n3npq at me.com (Jeffrey Johnson)
Date: Tue, 30 Aug 2016 06:41:39 -0400
Subject: rpm --nosignature reversed meaning
In-Reply-To: <20160830103245.GG18894@polanet.pl>
References: <20160829225349.GA12506@polanet.pl> <20160830091701.GC18894@polanet.pl> <20160830093807.GD18894@polanet.pl> <20160830095045.GE18894@polanet.pl> <20160830095728.GF18894@polanet.pl> <0D66C71B-A22E-4F55-92FF-ED9A9A468662@me.com> <20160830103245.GG18894@polanet.pl>
Message-ID:

>
> Let me guess for the last time: if handled properly,
> rpm --import PLD-3.0-Th-GPG-key.asc
> should result in 2 gpg-pubkeys in rpm database. There is one, not working.
>

There are no circumstances that a single
rpm --import
will result in multiple pubkeys being imported into an rpmdb.

There is no support for subkeys in rpm, nor is there any
support for concatenated armored pub keys.
(aside)
There is/was a change in rpm to import entire pubkeys, including certification signatures, photoid's and whatever other gook is present in what is called a pubkey.

Originally, RPM imported only the actual pubkey parameters (i.e. the first packet in a pubkey). The change was necessary to import certification and binding signatures.

73 de Jeff

From gotar at polanet.pl Tue Aug 30 12:44:25 2016
From: gotar at polanet.pl (Tomasz Pala)
Date: Tue, 30 Aug 2016 12:44:25 +0200
Subject: rpm --nosignature reversed meaning
In-Reply-To: <9B92BB88-EE74-47A2-BDA5-4C2D5FB17C8F@me.com>
References: <20160829225349.GA12506@polanet.pl> <20160830091701.GC18894@polanet.pl> <9B92BB88-EE74-47A2-BDA5-4C2D5FB17C8F@me.com>
Message-ID: <20160830104425.GH18894@polanet.pl>

On Tue, Aug 30, 2016 at 06:30:24 -0400, Jeffrey Johnson wrote:

>> But I believe the PLD-Th-GPG issue was discussed in spring 2015 on pld-devel.
>
> This was the issue I was remembering:
>
> http://pld-devel-en.pld-linux.narkive.com/ZssnN7t4/rpm-va-bad-key-id
>
> That specific issue was resolved by disabling
> signature verification during --verify, largely
> to avoid reimporting PLD-Th-GPG which was
> "unacceptable".
[...]
> Meanwhile, many RSA issues were repaired between
> rpm-5.4.14 and rpm-5.4.15.
>
> So issues with RSA are "expected".

The same problem, but completely wrong diagnosis.

~: rpm --import PLD-3.0-Th-GPG-keyRSA.asc
~: rpm --import PLD-3.0-Th-GPG-keyDSA.asc
~: rpm -q gpg-pubkey
gpg-pubkey-e4f1bc2d-47b351f0
gpg-pubkey-eae6f8b8-47b35206

That should be done when importing PLD-3.0-Th-GPG-key.asc - two distinct
keys, DSA and RSA. As you see I split them manually and now it verifies
correctly, so rpm simply can't handle properly multi-key import.

Please stop guessing about my guessings, just do the commands.
--
Tomasz Pala

From glen at pld-linux.org Tue Aug 30 12:44:31 2016
From: glen at pld-linux.org (=?UTF-8?Q?Elan_Ruusam=c3=a4e?=)
Date: Tue, 30 Aug 2016 13:44:31 +0300
Subject: rpm --nosignature reversed meaning
In-Reply-To: <20160830091701.GC18894@polanet.pl>
References: <20160829225349.GA12506@polanet.pl> <20160830091701.GC18894@polanet.pl>
Message-ID: <57C5638F.7080402@pld-linux.org>

On 30.08.2016 12:17, Tomasz Pala wrote:
> Apparently no one here uses this...
>
> http://ftp.th.pld-linux.org/dists/th/PLD-3.0-Th-GPG-key.asc

it is used to sign all packages in th...

> ~: rpm -qp --nosignature keepassx-2.0.2-2.x86_64.rpm (reversed meaning in query mode bug)
> error: keepassx-2.0.2-2.x86_64.rpm: Header V4 DSA signature: BAD, key ID e4f1bc2d
> error: reading keepassx-2.0.2-2.x86_64.rpm manifest, non-printable characters found
>
> ~: rpm -K keepassx-2.0.2-2.x86_64.rpm
> keepassx-2.0.2-2.x86_64.rpm: (SHA1) DSA sha1 md5 NOT_OK

poldek seems to validate the signature ok. i have it enabled as it's default option.

> ~: rpm -qa gpg-pubkey\*
> gpg-pubkey-e4f1bc2d-47b351f0
>
> ~: diff PLD-3.0-Th-GPG-key.asc /etc/pki/rpm-gpg/PLD-3.0-Th-GPG-key.asc
>
> (BTW this key is not automatically imported to rpm database).

yes, you need to
rpm --import /etc/pki/rpm-gpg/PLD-3.0-Th-GPG-key.asc
when you first install your pld node.
--
glen

From gotar at polanet.pl Tue Aug 30 12:49:37 2016
From: gotar at polanet.pl (Tomasz Pala)
Date: Tue, 30 Aug 2016 12:49:37 +0200
Subject: rpm --nosignature reversed meaning
In-Reply-To:
References: <20160829225349.GA12506@polanet.pl> <20160830091701.GC18894@polanet.pl> <20160830093807.GD18894@polanet.pl> <20160830095045.GE18894@polanet.pl> <20160830095728.GF18894@polanet.pl> <0D66C71B-A22E-4F55-92FF-ED9A9A468662@me.com> <20160830103245.GG18894@polanet.pl>
Message-ID: <20160830104937.GI18894@polanet.pl>

On Tue, Aug 30, 2016 at 06:41:39 -0400, Jeffrey Johnson wrote:

>> Let me guess for the last time: if handled properly,
>> rpm --import PLD-3.0-Th-GPG-key.asc
>> should result in 2 gpg-pubkeys in rpm database. There is one, not working.
>
> There are no circumstances that a single
> rpm --import
> will result in multiple pubkeys being imported into an rpmdb.
>
> There is no support for subkeys in rpm, nor is there any
> support for concatenated armored pub keys.

If so, rpm should either ignore secondary key or refuse to install such
joint at all.

On the PLD side - someone has to split the key on FTP (and then in
rpm.git). Or remove it completely, as apparently no one uses sigs anyway...

--
Tomasz Pala

From n3npq at me.com Tue Aug 30 12:56:11 2016
From: n3npq at me.com (Jeffrey Johnson)
Date: Tue, 30 Aug 2016 06:56:11 -0400
Subject: rpm --nosignature reversed meaning
In-Reply-To: <20160830104425.GH18894@polanet.pl>
References: <20160829225349.GA12506@polanet.pl> <20160830091701.GC18894@polanet.pl> <9B92BB88-EE74-47A2-BDA5-4C2D5FB17C8F@me.com> <20160830104425.GH18894@polanet.pl>
Message-ID: <3F9D79BB-7382-494F-87FC-579BAC24849F@me.com>

> On Aug 30, 2016, at 6:44 AM, Tomasz Pala wrote:
>
> On Tue, Aug 30, 2016 at 06:30:24 -0400, Jeffrey Johnson wrote:
>
>>> But I believe the PLD-Th-GPG issue was discussed in spring 2015 on pld-devel.
>>
>> This was the issue I was remembering:
>>
>> http://pld-devel-en.pld-linux.narkive.com/ZssnN7t4/rpm-va-bad-key-id
>>
>> That specific issue was resolved by disabling
>> signature verification during --verify, largely
>> to avoid reimporting PLD-Th-GPG which was
>> "unacceptable".
> [...]
>> Meanwhile, many RSA issues were repaired between
>> rpm-5.4.14 and rpm-5.4.15.
>>
>> So issues with RSA are "expected".
>
> The same problem, but completely wrong diagnosis.
>
> ~: rpm --import PLD-3.0-Th-GPG-keyRSA.asc
> ~: rpm --import PLD-3.0-Th-GPG-keyDSA.asc
> ~: rpm -q gpg-pubkey
> gpg-pubkey-e4f1bc2d-47b351f0
> gpg-pubkey-eae6f8b8-47b35206
>
> That should be done when importing PLD-3.0-Th-GPG-key.asc - two distinct
> keys, DSA and RSA. As you see I split them manually and now it verifies
> correctly, so rpm simply can't handle properly multi-key import.
>

Yep: RPM has never handled subkeys nor concatenated armored pubkeys.

So
Don't do that!
(i.e. use separate imports for each pubkey instead) should suffice.

(aside)
Traditionally RPM truncated a pubkey to only a single packet, but now imports the entire set of packets which - if malformed - will lead to some surprises.

Note that there are many malformed/misused pubkeys even on sks key servers: it's not clear how to filter blobs appropriately. WYSIWYG is as good as random pruning. Diagnosis is far more difficult with actively filtered packets as well.

> Please stop guessing about my guessings, just do the commands.
>

Um, I'm not sure how an import into rpm-5.4.18 on El Capitan (what I have at hand) has any relevance to a PLD issue. I don't normally run PLD here.
73 de Jeff

> --
> Tomasz Pala

From gotar at polanet.pl Tue Aug 30 12:57:53 2016
From: gotar at polanet.pl (Tomasz Pala)
Date: Tue, 30 Aug 2016 12:57:53 +0200
Subject: rpm --nosignature reversed meaning
In-Reply-To:
References: <20160829225349.GA12506@polanet.pl> <20160830091701.GC18894@polanet.pl>
Message-ID: <20160830105753.GJ18894@polanet.pl>

On Tue, Aug 30, 2016 at 05:56:43 -0400, Jeffrey Johnson wrote:

> The 2 line snippet is DNS to port 53 - disabling hkp:// is an entirely different
> functionality than disabling signature verification.

I didn't want to disable it (on contrary, I need them to be unconditional), just to make them local.

>> ~: rpm -qp --nosignature keepassx-2.0.2-2.x86_64.rpm (reversed meaning in query mode bug)
>> error: keepassx-2.0.2-2.x86_64.rpm: Header V4 DSA signature: BAD, key ID e4f1bc2d
>> error: reading keepassx-2.0.2-2.x86_64.rpm manifest, non-printable characters found
>>
>
> Um, I believe I've used that pubkey - see if there isn't a report from
> spring 2015 on pld-devel - the issue was that the RSA fingerprint was
> fixed and so that pubkey had to be reimported. I've forgotten ...
>
> What version of rpm is this?

rpm-5.4.15-35.x86_64 - this is completely fresh system, commands run for the first time, so no keys imported before, no leftovers.

>> ~: diff PLD-3.0-Th-GPG-key.asc /etc/pki/rpm-gpg/PLD-3.0-Th-GPG-key.asc
>
> Try removing and reimporting.

Doesn't work until I manually split this into RSA and DSA.

>> (BTW this key is not automatically imported to rpm database).
>
> No pubkey is automatically imported by RPM, particularly those retrieved from hkp://
> or externally generated signatures.

It would be nice to have some tool to import from hkp:// directly. I did
lynx/wget/vi magic to fetch them, how to do this straight from cmdline?
> Anyways if you give me a URL to the pubkey and a package signed with that pubkey, I'll
> (again) sort out the details.

I'm using

ftp://ftp.th.pld-linux.org/dists/th/PLD-3.0-Th-GPG-key.asc
ftp://ftp.th.pld-linux.org/dists/th/PLD/x86_64/RPMS/keepassx-2.0.2-2.x86_64.rpm

--
Tomasz Pala

From gotar at polanet.pl Tue Aug 30 13:03:25 2016
From: gotar at polanet.pl (Tomasz Pala)
Date: Tue, 30 Aug 2016 13:03:25 +0200
Subject: rpm --nosignature reversed meaning
In-Reply-To: <3F9D79BB-7382-494F-87FC-579BAC24849F@me.com>
References: <20160829225349.GA12506@polanet.pl> <20160830091701.GC18894@polanet.pl> <9B92BB88-EE74-47A2-BDA5-4C2D5FB17C8F@me.com> <20160830104425.GH18894@polanet.pl> <3F9D79BB-7382-494F-87FC-579BAC24849F@me.com>
Message-ID: <20160830110325.GK18894@polanet.pl>

Since we got the answer for this issue - th-admin, please publish separate GPG files.

As for the reversed meaning of --nosignature, assistance required. Or RFC on enabling them unconditionally, following upstream rpm5.

On Tue, Aug 30, 2016 at 06:56:11 -0400, Jeffrey Johnson wrote:

>>> http://pld-devel-en.pld-linux.narkive.com/ZssnN7t4/rpm-va-bad-key-id
>> [...]
>> The same problem, but completely wrong diagnosis.
>>
>> ~: rpm --import PLD-3.0-Th-GPG-keyRSA.asc
>> ~: rpm --import PLD-3.0-Th-GPG-keyDSA.asc
>> ~: rpm -q gpg-pubkey
>> gpg-pubkey-e4f1bc2d-47b351f0
>> gpg-pubkey-eae6f8b8-47b35206
>>
>> That should be done when importing PLD-3.0-Th-GPG-key.asc - two distinct
>> keys, DSA and RSA. As you see I split them manually and now it verifies
>> correctly, so rpm simply can't handle properly multi-key import.
>>
>
> Yep: RPM has never handled subkeys nor concatenated armored pubkeys.
>
> So
> Don't do that!
> (i.e. use separate imports for each pubkey instead) should suffice.
--
Tomasz Pala

From n3npq at me.com Tue Aug 30 13:04:42 2016
From: n3npq at me.com (Jeffrey Johnson)
Date: Tue, 30 Aug 2016 07:04:42 -0400
Subject: rpm --nosignature reversed meaning
In-Reply-To: <20160830104937.GI18894@polanet.pl>
References: <20160829225349.GA12506@polanet.pl> <20160830091701.GC18894@polanet.pl> <20160830093807.GD18894@polanet.pl> <20160830095045.GE18894@polanet.pl> <20160830095728.GF18894@polanet.pl> <0D66C71B-A22E-4F55-92FF-ED9A9A468662@me.com> <20160830103245.GG18894@polanet.pl> <20160830104937.GI18894@polanet.pl>
Message-ID:

>>
>>
>
> If so, rpm should either ignore secondary key or refuse to install such
> joint at all.
>

RPM *does* ignore secondary keys.

And look carefully at this well-formed pubkey (scroll through the page)
http://keys.niif.hu/pks/lookup?op=vindex&search=0x0B7F8B60E3EDFAE3

It is not at all clear how to filter crap like this out of pubkeys and refuse to import.

What RPM does instead is exactly what is requested: It verifies the CRC in the armor while converting the base64, and pushes the blob into /var/lib/rpm/Pubkeys. WYSIWYG.

> On the PLD side - someone has to split the key on FTP (and then in
> rpm.git). Or remove it completely, as apparently no one uses sigs anyway...
>

Yes.

Glenn: and this is likely the cause for inability to verify signatures while doing rpm --verify, so the patch that disables can likely be removed.

73 de Jeff

From n3npq at me.com Tue Aug 30 13:19:11 2016
From: n3npq at me.com (Jeffrey Johnson)
Date: Tue, 30 Aug 2016 07:19:11 -0400
Subject: rpm --nosignature reversed meaning
In-Reply-To: <20160830105753.GJ18894@polanet.pl>
References: <20160829225349.GA12506@polanet.pl> <20160830091701.GC18894@polanet.pl> <20160830105753.GJ18894@polanet.pl>
Message-ID:

>
> It would be nice to have some tool to import from hkp:// directly. I did
> lynx/wget/vi magic to fetch them, how to do this straight from cmdline?

The tool already exists. E.g.
rpm --import 0x01234567

or

rpm --import 0x0123456789abcdef

But that won't do you much good if you have disabled %_hkp_keyservers
on a network constrained system.

73 de Jeff

From gotar at polanet.pl Tue Aug 30 13:35:34 2016
From: gotar at polanet.pl (Tomasz Pala)
Date: Tue, 30 Aug 2016 13:35:34 +0200
Subject: rpm --nosignature reversed meaning
In-Reply-To:
References: <20160829225349.GA12506@polanet.pl> <20160830091701.GC18894@polanet.pl> <20160830105753.GJ18894@polanet.pl>
Message-ID: <20160830113534.GA19605@polanet.pl>

On Tue, Aug 30, 2016 at 07:19:11 -0400, Jeffrey Johnson wrote:

>> It would be nice to have some tool to import from hkp:// directly. I did
>> lynx/wget/vi magic to fetch them, how to do this straight from cmdline?
>
> The tool already exists. E.g.
>
> rpm --import 0x01234567
>
> or
>
> rpm --import 0x0123456789abcdef
>
> But that won't do you much good if you have disabled %_hkp_keyservers
> on a network constrained system.

Nice:) thanks again.

My systems do have network access during bootstrapping (or I can give some temporarily), so it's not the problem to import key once. The problem was with seeking network for every package query, while rejecting with PLD-provided multikey installed locally.

Besides, I would rather not trust rpm.rpm-provided GPG key nor FTP to verify packages I download at the same time from the same source, using external keyserver at this very moment seems to be better choice.

--
Tomasz Pala

From gotar at polanet.pl Tue Aug 30 13:47:28 2016
From: gotar at polanet.pl (Tomasz Pala)
Date: Tue, 30 Aug 2016 13:47:28 +0200
Subject: rpm --nosignature reversed meaning
In-Reply-To:
References: <20160829225349.GA12506@polanet.pl> <20160830091701.GC18894@polanet.pl>
Message-ID: <20160830114728.GB19605@polanet.pl>

On Tue, Aug 30, 2016 at 05:56:43 -0400, Jeffrey Johnson wrote:

>> Is there any macro/option that prevents me from installing any unsigned/unverified package?
>
> The question as asked cannot be answered: all (RPM5 built) packages are signed
> and (w/o --nosignatures) the signature will be verified.
>
>> Warning is not enough, I want to be totally sure the verification was done and succeeded.
>
> All BAD signatures will stop RPM (unless --no signatures has been used).

And how about rejecting unsigned packages? At least without --force or sth.

Without this an attacker might put unsigned package ...and that's it.

With keyservers enabled, an attacker might sign a package with its own
malicious key ...and that's it (that's another reason why I disable hks).

In other words: I want to be sure that each and every package is signed
with one of the locked keys. I can lock keys (disable keyservers), but
still need to enforce using *any* key somehow.

--
Tomasz Pala

From n3npq at me.com Tue Aug 30 14:01:53 2016
From: n3npq at me.com (Jeffrey Johnson)
Date: Tue, 30 Aug 2016 08:01:53 -0400
Subject: rpm --nosignature reversed meaning
In-Reply-To: <20160830114728.GB19605@polanet.pl>
References: <20160829225349.GA12506@polanet.pl> <20160830091701.GC18894@polanet.pl> <20160830114728.GB19605@polanet.pl>
Message-ID: <7C4A3C7C-DA1E-4BD4-87FA-AB3D6909DDE0@me.com>

> On Aug 30, 2016, at 7:47 AM, Tomasz Pala wrote:
>
> On Tue, Aug 30, 2016 at 05:56:43 -0400, Jeffrey Johnson wrote:
>
>>> Is there any macro/option that prevents me from installing any unsigned/unverified package?
>>
>> The question as asked cannot be answered: all (RPM5 built) packages are signed
>> and (w/o --nosignatures) the signature will be verified.
>>
>>> Warning is not enough, I want to be totally sure the verification was done and succeeded.
>>
>> All BAD signatures will stop RPM (unless --no signatures has been used).
>
> And how about rejecting unsigned packages? At least without --force or sth.
>

Um, MANDATORY signature verification is where this started,

Perhaps it isn't clear that that means
No unsigned packages.
> Without this an attacker might put unsigned package ...and that's it.

And even with MANDATORY signatures, adding --nosignature == that's it.

One must VERIFY the signature as well as include.

>
> With keyservers enabled, an attacker might sign a package with its own
> malicious key ...and that's it (that's another reason why I disable hks)

Nope: rpm uses a non-repudiable signature, basically a new key pair is generated for every build, packages are signed with pubkey included, and the private key is discarded.

The non-repudiable signature (as well as the attacks and protocols to mitigate) are described here:
http://cacr.uwaterloo.ca/hac/about/chap13.pdf
in section 13.8.2 "Non-repudiation and notarization of digital signatures" on p582

> In other words: I want to be sure that each and every package is signed
> with one of the locked keys. I can lock keys (disable keyservers), but
> still need to enforce using *any* key somehow.
>

Resign all packages with whatever key you want before installing is likely the easiest path to your goal.

My RPM problem moving to MANDATORY signatures needs non-repudiable signatures solely to GUARANTEE that some signature ALWAYS exists.

It's taken YEARS to get to the point where I can remove --nosignature and the goose-loosey best effort of warning (but not erring) with unsigned packages or missing pub keys.

73 de Jeff

> --
> Tomasz Pala

From glen at pld-linux.org Tue Aug 30 18:34:51 2016
From: glen at pld-linux.org (=?UTF-8?Q?Elan_Ruusam=c3=a4e?=)
Date: Tue, 30 Aug 2016 19:34:51 +0300
Subject: %config loses
Message-ID: <57C5B5AB.9090408@pld-linux.org>

just reminder, that old bug never got resolved.
and i'm certain it happens if you upgrade packages %config %verify with multiple package names
i.e in the command below there were multiple matches for poldek, poldek-libs packages

19:31:40 root[load: 0.05]@jenkins-vm /vagrant# rpm -Fhv *.rpm
warning: poldek-0.32.1-2.i686.rpm: Header V4 DSA signature: NOKEY, key ID c0708994
warning: package poldek = 0:0.30.1-10 was already added, replacing with poldek >= 0.32.1-2
warning: package poldek = 0.32.1-2 was already added, replacing with poldek >= 0:0.32.1-3
warning: package poldek-libs = 0:0.30.1-10 was already added, replacing with poldek-libs >= 0.32.1-2
warning: package poldek-libs = 0.32.1-2 was already added, replacing with poldek-libs >= 0:0.32.1-3
Preparing... ########################################### [100%]
1:poldek-libs ########################################### [ 50%]
warning: /etc/poldek/repos.d/pld.conf saved as /etc/poldek/repos.d/pld.conf.rpmsave
warning: /etc/poldek/poldek.conf saved as /etc/poldek/poldek.conf.rpmsave
2:poldek warning: /etc/poldek/poldek.conf created as /etc/poldek/poldek.conf.rpmnew
########################################### [100%]
cp: cannot stat '/etc/poldek/poldek.conf': No such file or directory
/bin/sed: can't read /etc/poldek/poldek.conf: No such file or directory
cp: cannot stat '/etc/poldek/repos.d/pld.conf': No such file or directory
/bin/sed: can't read /etc/poldek/repos.d/pld.conf: No such file or directory
/bin/sed: can't read /etc/poldek/repos.d/pld.conf: No such file or directory
19:31:47 root[load: 0.12]@jenkins-vm /vagrant# poldek --up -u icedtea7-jre
error: /etc/poldek/poldek.conf: No such file or directory
error: /etc/poldek/poldek.conf: No such file or directory
19:31:54 root[load: 0.11]@jenkins-vm /vagrant# cd /etc/poldek/
19:31:59 root[load: 0.10]@jenkins-vm /etc/poldek# l
total 36K
drwxr-xr-x 2 root root 19 aug 30 19:31 post-install.d/
drwxr-xr-x 2 root root 19 aug 30 19:31 pre-install.d/
drwxr-xr-x 2 root root 4,0K aug 30 19:31 repos.d/
-rw-r--r-- 1 root root 568 mai 3 10:21 cli.conf
-rw-r--r-- 1 root root 1,9K mai 3 10:34 fetch.conf
-rw-r--r-- 1 root root 6,2K mai 3 10:34 poldek.conf.rpmnew
-rw-r--r-- 1 root root 6,1K aug 27 2013 poldek.conf.rpmsave
-rw-r--r-- 1 root root 2,5K mai 3 10:34 source.conf
-rw-rw---- 1 root root 1,3K juuli 20 2010 witch.conf
19:31:59 root[load: 0.10]@jenkins-vm /etc/poldek# mv poldek.conf.rpmsave poldek.conf
19:32:06 root[load: 0.09]@jenkins-vm /etc/poldek#

19:33:37 root[load: 0.02]@jenkins-vm /vagrant# l *.rpm
-rw-r--r-- 1 vagrant vagrant 336K nov 13 2015 poldek-0.30.1-10.i686.rpm
-rw-r--r-- 1 vagrant vagrant 339K apr 26 16:04 poldek-0.32.1-2.i686.rpm
-rw-r--r-- 1 vagrant vagrant 339K mai 3 10:34 poldek-0.32.1-3.i686.rpm
-rw-r--r-- 1 vagrant vagrant 1,4M nov 13 2015 poldek-debuginfo-0.30.1-10.i686.rpm
-rw-r--r-- 1 vagrant vagrant 1,4M apr 26 16:04 poldek-debuginfo-0.32.1-2.i686.rpm
-rw-r--r-- 1 vagrant vagrant 1,4M mai 3 10:34 poldek-debuginfo-0.32.1-3.i686.rpm
-rw-r--r-- 1 vagrant vagrant 41K nov 13 2015 poldek-devel-0.30.1-10.i686.rpm
-rw-r--r-- 1 vagrant vagrant 42K apr 26 16:04 poldek-devel-0.32.1-2.i686.rpm
-rw-r--r-- 1 vagrant vagrant 41K mai 3 10:34 poldek-devel-0.32.1-3.i686.rpm
-rw-r--r-- 1 vagrant vagrant 282K nov 13 2015 poldek-libs-0.30.1-10.i686.rpm
-rw-r--r-- 1 vagrant vagrant 310K apr 26 16:04 poldek-libs-0.32.1-2.i686.rpm
-rw-r--r-- 1 vagrant vagrant 284K mai 3 10:34 poldek-libs-0.32.1-3.i686.rpm
-rw-r--r-- 1 vagrant vagrant 33K nov 13 2015 poldek-static-0.30.1-10.i686.rpm
-rw-r--r-- 1 vagrant vagrant 36K apr 26 16:04 poldek-static-0.32.1-2.i686.rpm
-rw-r--r-- 1 vagrant vagrant 33K mai 3 10:34 poldek-static-0.32.1-3.i686.rpm
-rw-r--r-- 1 vagrant vagrant 75K nov 13 2015 python-poldek-0.30.1-10.i686.rpm
-rw-r--r-- 1 vagrant vagrant 85K apr 26 16:04 python-poldek-0.32.1-2.i686.rpm
-rw-r--r-- 1 vagrant vagrant 83K mai 3 10:34 python-poldek-0.32.1-3.i686.rpm

--
glen

From n3npq at me.com Tue Aug 30 21:34:24 2016
From: n3npq at me.com (Jeffrey Johnson)
Date: Tue, 30 Aug 2016 15:34:24 -0400
Subject: %config loses
In-Reply-To: <57C5B5AB.9090408@pld-linux.org>
References: <57C5B5AB.9090408@pld-linux.org>
Message-ID: <0423FB76-E6DA-488F-9167-D8AF7290BB49@me.com>

> On Aug 30, 2016, at 12:34 PM, Elan Ruusamäe wrote:
>
> just reminder, that old bug never got resolved.
>

I am reminded.

Fix the following flaws in your bug report (sic).

0) You refuse to report through recommended rpm5.org bug reporting, either at http://launchpad.net/rpm, or discussing on .

> and i'm certain it happens if you upgrade packages %config %verify with multiple package names
> i.e in the command below there were multiple matches for poldek, poldek-libs packages
>
>
> 19:31:40 root[load: 0.05]@jenkins-vm /vagrant# rpm -Fhv *.rpm

1) Add -vv so I have some prayer of being able to follow the logic path.

2) Don't use -F --freshen; instead use -U --update.

3) Don't use *.rpm because I have no idea what operation is being performed.

> warning: poldek-0.32.1-2.i686.rpm: Header V4 DSA signature: NOKEY, key ID c0708994

4) Remove extraneous warning messages. In addition to having no idea to what operation is being performed, there is no indication of what is installed, other than that you have _NOT_ imported some pubkey.

You also have not reported the version of rpm in use, nor what patches are applied.

> warning: package poldek = 0:0.30.1-10 was already added, replacing with poldek >= 0.32.1-2
> warning: package poldek = 0.32.1-2 was already added, replacing with poldek >= 0:0.32.1-3
> warning: package poldek-libs = 0:0.30.1-10 was already added, replacing with poldek-libs >= 0.32.1-2
> warning: package poldek-libs = 0.32.1-2 was already added, replacing with poldek-libs >= 0:0.32.1-3

5) Stop throwing multiple instances of identical packages at rpm and expecting the right thing to happen.

> Preparing... ########################################### [100%]
> 1:poldek-libs ########################################### [ 50%]
> warning: /etc/poldek/repos.d/pld.conf saved as /etc/poldek/repos.d/pld.conf.rpmsave
> warning: /etc/poldek/poldek.conf saved as /etc/poldek/poldek.conf.rpmsave
> 2:poldek warning: /etc/poldek/poldek.conf created as /etc/poldek/poldek.conf.rpmnew
> ########################################### [100%]

6) These warnings are explicit confirmation that %config is saving your files, contrary to your claims.

> cp: cannot stat '/etc/poldek/poldek.conf': No such file or directory
> /bin/sed: can't read /etc/poldek/poldek.conf: No such file or directory
> cp: cannot stat '/etc/poldek/repos.d/pld.conf': No such file or directory
> /bin/sed: can't read /etc/poldek/repos.d/pld.conf: No such file or directory
> /bin/sed: can't read /etc/poldek/repos.d/pld.conf: No such file or directory

7) In addition to _NOT_ reporting
a) the packages that are being installed
b) the debugging output with -vv
c) the packages installed
add to your list
d) what scripts are being run in what packages

> 19:31:47 root[load: 0.12]@jenkins-vm /vagrant# poldek --up -u icedtea7-jre
> error: /etc/poldek/poldek.conf: No such file or directory
> error: /etc/poldek/poldek.conf: No such file or directory

8) Instead of cut-n-pasting some random command, try a simple statement like
poldek is broken afterwards.
Your bug report will be shorter and more succinct.
> 19:31:54 root[load: 0.11]@jenkins-vm /vagrant# cd /etc/poldek/
> 19:31:59 root[load: 0.10]@jenkins-vm /etc/poldek# l
> total 36K
> drwxr-xr-x 2 root root 19 aug 30 19:31 post-install.d/
> drwxr-xr-x 2 root root 19 aug 30 19:31 pre-install.d/
> drwxr-xr-x 2 root root 4,0K aug 30 19:31 repos.d/
> -rw-r--r-- 1 root root 568 mai 3 10:21 cli.conf
> -rw-r--r-- 1 root root 1,9K mai 3 10:34 fetch.conf
> -rw-r--r-- 1 root root 6,2K mai 3 10:34 poldek.conf.rpmnew
> -rw-r--r-- 1 root root 6,1K aug 27 2013 poldek.conf.rpmsave
> -rw-r--r-- 1 root root 2,5K mai 3 10:34 source.conf
> -rw-rw---- 1 root root 1,3K juuli 20 2010 witch.conf
> 19:31:59 root[load: 0.10]@jenkins-vm /etc/poldek# mv poldek.conf.rpmsave poldek.conf
> 19:32:06 root[load: 0.09]@jenkins-vm /etc/poldek#
>

7) Describe in words, not examples, what you are trying to show.

>
> 19:33:37 root[load: 0.02]@jenkins-vm /vagrant# l *.rpm
> -rw-r--r-- 1 vagrant vagrant 336K nov 13 2015 poldek-0.30.1-10.i686.rpm
> -rw-r--r-- 1 vagrant vagrant 339K apr 26 16:04 poldek-0.32.1-2.i686.rpm
> -rw-r--r-- 1 vagrant vagrant 339K mai 3 10:34 poldek-0.32.1-3.i686.rpm
> -rw-r--r-- 1 vagrant vagrant 1,4M nov 13 2015 poldek-debuginfo-0.30.1-10.i686.rpm
> -rw-r--r-- 1 vagrant vagrant 1,4M apr 26 16:04 poldek-debuginfo-0.32.1-2.i686.rpm
> -rw-r--r-- 1 vagrant vagrant 1,4M mai 3 10:34 poldek-debuginfo-0.32.1-3.i686.rpm
> -rw-r--r-- 1 vagrant vagrant 41K nov 13 2015 poldek-devel-0.30.1-10.i686.rpm
> -rw-r--r-- 1 vagrant vagrant 42K apr 26 16:04 poldek-devel-0.32.1-2.i686.rpm
> -rw-r--r-- 1 vagrant vagrant 41K mai 3 10:34 poldek-devel-0.32.1-3.i686.rpm
> -rw-r--r-- 1 vagrant vagrant 282K nov 13 2015 poldek-libs-0.30.1-10.i686.rpm
> -rw-r--r-- 1 vagrant vagrant 310K apr 26 16:04 poldek-libs-0.32.1-2.i686.rpm
> -rw-r--r-- 1 vagrant vagrant 284K mai 3 10:34 poldek-libs-0.32.1-3.i686.rpm
> -rw-r--r-- 1 vagrant vagrant 33K nov 13 2015 poldek-static-0.30.1-10.i686.rpm
> -rw-r--r-- 1 vagrant vagrant 36K apr 26 16:04 poldek-static-0.32.1-2.i686.rpm
> -rw-r--r-- 1 vagrant vagrant 33K mai 3 10:34 poldek-static-0.32.1-3.i686.rpm
> -rw-r--r-- 1 vagrant vagrant 75K nov 13 2015 python-poldek-0.30.1-10.i686.rpm
> -rw-r--r-- 1 vagrant vagrant 85K apr 26 16:04 python-poldek-0.32.1-2.i686.rpm
> -rw-r--r-- 1 vagrant vagrant 83K mai 3 10:34 python-poldek-0.32.1-3.i686.rpm
>

I again suggest as discussion forum, because I will
not change %config without discussion.

And I again suggest http://launchpad.net/rpm as a bug reporting system, so that
we do not have to repeat these exchanges every 3 months.

hth

73 de Jeff

>
> --
> glen
>
> _______________________________________________
> pld-devel-en mailing list
> pld-devel-en at lists.pld-linux.org
> http://lists.pld-linux.org/mailman/listinfo/pld-devel-en

From glen at pld-linux.org Tue Aug 30 21:48:30 2016
From: glen at pld-linux.org (=?UTF-8?Q?Elan_Ruusam=c3=a4e?=)
Date: Tue, 30 Aug 2016 22:48:30 +0300
Subject: %config loses
In-Reply-To: <0423FB76-E6DA-488F-9167-D8AF7290BB49@me.com>
References: <57C5B5AB.9090408@pld-linux.org> <0423FB76-E6DA-488F-9167-D8AF7290BB49@me.com>
Message-ID: <57C5E30E.20106@pld-linux.org>

On 30.08.2016 22:34, Jeffrey Johnson wrote:
> Fix the following flaws in your bug report (sic).
this is not bugreport. complete reproducer and expectations were sent in previous thread.

> 2) Don't use -F --freshen; instead use -U --update.

-U will install any packages matched, -F installs only packages that are actually installed. come on, jbj doesn't know that difference?

> 3) Don't use *.rpm because I have no idea what operation is being performed.

ah come on. because i can type rpm -Fhv foo-1.0-1.rpm foo-1.1-1.rpm via shell glob doesn't give excuse rpm to destroy data. i've already explained what is my expectations which rpm5 does not obey.

> 5) Stop throwing multiple instances of identical packages at rpm and expecting the right thing to happen.
you even understand yourself that is the key to the reproducer.
if rpm can't handle this it should abort(3), assert(3), not destroy systems.

> I again suggest as discussion forum, because I will
> not change %config without discussion.
i don't see it going any differently than it has in pld-devel-en. there was complete reproducer last time i reported this. you refused to even try to understand and make your own reproducer in your favourite distro.

i don't have time or wish to "discuss" this. i consider it flaw in rpm, you don't. obviously you *win*.

> And I again suggest http://launchpad.net/rpm as a bug reporting system, so that
> we do not have to repeat these exchanges every 3 months.

done that in the past. no difference. not interested wasting my time.

all other 1-7) are answered in previous thread.

--
glen

From n3npq at me.com Tue Aug 30 21:51:33 2016
From: n3npq at me.com (Jeffrey Johnson)
Date: Tue, 30 Aug 2016 15:51:33 -0400
Subject: %config loses
In-Reply-To: <57C5E30E.20106@pld-linux.org>
References: <57C5B5AB.9090408@pld-linux.org> <0423FB76-E6DA-488F-9167-D8AF7290BB49@me.com> <57C5E30E.20106@pld-linux.org>
Message-ID:

> On Aug 30, 2016, at 3:48 PM, Elan Ruusamäe wrote:
>
> On 30.08.2016 22:34, Jeffrey Johnson wrote:
>> Fix the following flaws in your bug report (sic).
> this is not bugreport. complete reproducer and expectations were sent in previous thread.
>
>> 2) Don't use -F --freshen; instead use -U --update.
>
>
> -U will install any packages matched, -F installs only packages that are actually installed. come on, jbj doesn't know that difference?
>> 3) Don't use *.rpm because I have no idea what operation is being performed.
>
> ah come on. because i can type rpm -Fhv foo-1.0-1.rpm foo-1.1-1.rpm via shell glob doesn't give excuse rpm to destroy data. i've already explained what is my expectations which rpm5 does not obey.
>
>> 5) Stop throwing multiple instances of identical packages at rpm and expecting the right thing to happen.
> you even understand yourself that is the key to the reproducer.
> if rpm can't handle this it should abort(3), assert(3), not destroy systems.
>
>> I again suggest as discussion forum, because I will
>> not change %config without discussion.
> i don't see it going any differently than it has in pld-devel-en. there was complete reproducer last time i reported this. you refused to even try to understand and make your own reproducer in your favourite distro.
>
> i don't have time or wish to "discuss" this. i consider it flaw in rpm, you don't. obviously you *win*.
>
>> And I again suggest http://launchpad.net/rpm as a bug reporting system, so that
>> we do not have to repeat these exchanges every 3 months.
>
> done that in the past. no difference. not interested wasting my time.
>
> all other 1-7) are answered in previous thread.
>
> --
> glen
>
> _______________________________________________
> pld-devel-en mailing list
> pld-devel-en at lists.pld-linux.org
> http://lists.pld-linux.org/mailman/listinfo/pld-devel-en

From n3npq at me.com Tue Aug 30 21:53:07 2016
From: n3npq at me.com (Jeffrey Johnson)
Date: Tue, 30 Aug 2016 15:53:07 -0400
Subject: %config loses
In-Reply-To:
References: <57C5B5AB.9090408@pld-linux.org> <0423FB76-E6DA-488F-9167-D8AF7290BB49@me.com> <57C5E30E.20106@pld-linux.org>
Message-ID: <2D144653-F57E-4B62-A77D-68DAD1EDC684@me.com>

> On Aug 30, 2016, at 3:51 PM, Jeffrey Johnson wrote:
>
>
>> On Aug 30, 2016, at 3:48 PM, Elan Ruusamäe wrote:
>>
>> On 30.08.2016 22:34, Jeffrey Johnson wrote:
>>> Fix the following flaws in your bug report (sic).
>> this is not bugreport. complete reproducer and expectations were sent in previous thread.
>>

Yes this isn't a bug report, and hence there isn't anything for me to fix.

I'm not your PLD bitch.
73 de Jeff

From glen at pld-linux.org Wed Aug 31 07:28:23 2016
From: glen at pld-linux.org (=?UTF-8?Q?Elan_Ruusam=c3=a4e?=)
Date: Wed, 31 Aug 2016 08:28:23 +0300
Subject: udev rules help
Message-ID: <57C66AF7.6090302@pld-linux.org>

hi

i'm trying to write udev rule to start service when usb device is attached

here's what i got. yet it doesn't work

# grep add /etc/udev/rules.d/80-idcard.rules
SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", ENV{ID_MODEL}=="*Smart*Card*Reader*", RUN+="/sbin/service pcscd start"

# udevadm info -a -e
...
P: /devices/pci0000:00/0000:00:06.0/usb4/4-2
N: bus/usb/004/006
E: BUSNUM=004
E: DEVNAME=/dev/bus/usb/004/006
E: DEVNUM=006
E: DEVPATH=/devices/pci0000:00/0000:00:06.0/usb4/4-2
E: DEVTYPE=usb_device
E: DRIVER=usb
E: ID_BUS=usb
E: ID_MODEL=Smart_Card_Reader_USB
E: ID_MODEL_ENC=Smart\x20Card\x20Reader\x20USB
E: ID_MODEL_FROM_DATABASE=CardMan 1021
E: ID_MODEL_ID=1021
E: ID_REVISION=0100
E: ID_SERIAL=OMNIKEY_Smart_Card_Reader_USB
E: ID_USB_INTERFACES=:0b0000:
E: ID_VENDOR=OMNIKEY
E: ID_VENDOR_ENC=OMNIKEY
E: ID_VENDOR_FROM_DATABASE=OmniKey AG
E: ID_VENDOR_ID=076b
E: MAJOR=189
E: MINOR=389
E: PRODUCT=76b/1021/100
E: SUBSYSTEM=usb
E: TYPE=0/0/0
E: USEC_INITIALIZED=98884670622

i even tried something very simple:
ACTION=="add", RUN+="/sbin/service pcscd start"

that also didn't work (attaching device did not start the service), how to debug this?

--
glen

From jajcus at jajcus.net Wed Aug 31 09:47:30 2016
From: jajcus at jajcus.net (Jacek Konieczny)
Date: Wed, 31 Aug 2016 09:47:30 +0200
Subject: udev rules help
In-Reply-To: <57C66AF7.6090302@pld-linux.org>
References: <57C66AF7.6090302@pld-linux.org>
Message-ID: <6d9c71d7-8594-763a-aff5-6c58751cf890@jajcus.net>

On 2016-08-31 07:28, Elan Ruusamäe wrote:
> i'm trying to write udev rule to start service when usb device is attached
>
> here's what i got.
> yet it doesn't work
>
> # grep add /etc/udev/rules.d/80-idcard.rules
> SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device",
> ENV{ID_MODEL}=="*Smart*Card*Reader*", RUN+="/sbin/service pcscd start"

What init do you use? This _might_ work with systemd, as 'service' just schedules a systemd job, but won't work with rc-scripts, as udev rules are not allowed to start long running processes.

udev rules are not a place for starting daemons, which is a well documented thing.

> i even tried something very simple:
> ACTION=="add", RUN+="/sbin/service pcscd start"
>
> that also didn't work (attaching device did not start the service), how
> to debug this?

Just don't do this. Switch to systemd and use systemd device dependencies in the .service file to start the service. If you want to stick with rc-scripts, then wait for the device in the init script.

Jacek

From glen at pld-linux.org Wed Aug 31 09:51:16 2016
From: glen at pld-linux.org (=?UTF-8?Q?Elan_Ruusam=c3=a4e?=)
Date: Wed, 31 Aug 2016 10:51:16 +0300
Subject: udev rules help
In-Reply-To: <6d9c71d7-8594-763a-aff5-6c58751cf890@jajcus.net>
References: <57C66AF7.6090302@pld-linux.org> <6d9c71d7-8594-763a-aff5-6c58751cf890@jajcus.net>
Message-ID: <57C68C74.7070802@pld-linux.org>

On 31.08.2016 10:47, Jacek Konieczny wrote:
>> # grep add /etc/udev/rules.d/80-idcard.rules
>> SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device",
>> ENV{ID_MODEL}=="*Smart*Card*Reader*", RUN+="/sbin/service pcscd start"
>
> What init do you use?

i mean the RUN+= part is never executed no matter what rules i write.
even only the ACTION="add" part

--
glen

From jajcus at jajcus.net Wed Aug 31 13:41:50 2016
From: jajcus at jajcus.net (Jacek Konieczny)
Date: Wed, 31 Aug 2016 13:41:50 +0200
Subject: udev rules help
In-Reply-To: <57C68C74.7070802@pld-linux.org>
References: <57C66AF7.6090302@pld-linux.org> <6d9c71d7-8594-763a-aff5-6c58751cf890@jajcus.net> <57C68C74.7070802@pld-linux.org>
Message-ID: <17a04dac-b746-572a-b94b-498f597fc181@jajcus.net>

On 2016-08-31 09:51, Elan Ruusamäe wrote:
> On 31.08.2016 10:47, Jacek Konieczny wrote:
>>> # grep add /etc/udev/rules.d/80-idcard.rules
>>> SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device",
>>> ENV{ID_MODEL}=="*Smart*Card*Reader*", RUN+="/sbin/service pcscd start"
>>
>> What init do you use?
>
> i mean the RUN+= part is never executed no matter what rules i write.
> even only the ACTION="add" part

Is the rule actually matched? Maybe there is some other rule later with RUN= instead of RUN+=?

Have you tried "change" instead of "add"? Handling "add" only often causes problems (the device is not fully set up, or the "add" was handled long before the rule became available (e.g. in initramfs)).

Jacek
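
[Added example, not part of the thread and not PLD's own configuration: one way to get the device-triggered start Jacek recommends on a systemd host, using udev's "systemd" tag and the SYSTEMD_WANTS property from systemd.device(5) instead of RUN+= (this is the udev-side form, not a dependency written into the .service file). The unit name pcscd.service is an assumption; the file name, match keys and device path are the ones posted above.]

```conf
# /etc/udev/rules.d/80-idcard.rules  (file name as posted in the thread)
#
# Form posted in the thread, kept here for comparison. udev(7) limits RUN to
# very short-running foreground tasks: anything the command forks is killed
# once event handling finishes, so a daemon started this way does not survive.
#
# SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", ENV{ID_MODEL}=="*Smart*Card*Reader*", RUN+="/sbin/service pcscd start"

# systemd form: nothing is executed from the udev worker. TAG+="systemd" makes
# systemd create a .device unit for the reader, and SYSTEMD_WANTS adds a Wants=
# dependency from that unit to the service, so systemd starts it on plug-in.
# ACTION!="remove" also covers "change" events, per Jacek's note that handling
# "add" alone often causes problems.
# Assumption: the service is shipped as pcscd.service.
SUBSYSTEM=="usb", ACTION!="remove", ENV{DEVTYPE}=="usb_device", ENV{ID_MODEL}=="*Smart*Card*Reader*", TAG+="systemd", ENV{SYSTEMD_WANTS}+="pcscd.service"

# Checking whether the rule is matched (run as root):
#
#   udevadm control --reload
#       make the running udevd re-read the rules files
#
#   udevadm test --action=add /sys/devices/pci0000:00/0000:00:06.0/usb4/4-2
#       simulate the event for the device path posted above and print which
#       rules files are read and which properties end up set; look for
#       SYSTEMD_WANTS=pcscd.service in the output
#
#   udevadm monitor --udev --property
#       watch live events while re-plugging the reader; an event that never
#       shows ID_MODEL means the match key is not available at that point
#
#   systemctl status pcscd.service
#       confirm the service was pulled in after the device appeared
```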