From atler at pld-linux.org Sun Mar 10 10:56:22 2024 From: atler at pld-linux.org (Jan Palus) Date: Sun, 10 Mar 2024 10:56:22 +0100 Subject: [packages/gobject-introspection] - updated to 1.80.0; added bootstrap bcond for glib 2.78->2.80 transition In-Reply-To: References: Message-ID: On 09.03.2024 22:33, qboosh wrote: > commit a0c12f9cf03d0222dbb6357f6da0f70e72260664 > Author: Jakub Bogusz > Date: Sat Mar 9 22:31:00 2024 +0100 > > - updated to 1.80.0; added bootstrap bcond for glib 2.78->2.80 transition > > gobject-introspection.spec | 55 +++++++++++++++++++++++++++++----------------- > 1 file changed, 35 insertions(+), 20 deletions(-) > --- > diff --git a/gobject-introspection.spec b/gobject-introspection.spec > index 0055356..4719aa3 100644 > --- a/gobject-introspection.spec > +++ b/gobject-introspection.spec 
> @@ -2,27 +2,30 @@ > # Conditional build: > %bcond_without cairo # cairo support > %bcond_without apidocs # API documentation > +%bcond_with bootstrap # bootstrap from glib < 2.80 > > Summary: Introspection for GObject libraries > Summary(pl.UTF-8): Obserwacja bibliotek GObject > Name: gobject-introspection > -Version: 1.78.1 > +Version: 1.80.0 > Release: 1 > -License: LGPL v2+ (giscanner) and GPL v2+ (tools) > +License: LGPL v2+ (libraries, giscanner) and GPL v2+ (tools) > Group: Libraries > -Source0: https://download.gnome.org/sources/gobject-introspection/1.78/%{name}-%{version}.tar.xz > -# Source0-md5: da2677e6b9c91b33c036d2233a96cec3 > +Source0: https://download.gnome.org/sources/gobject-introspection/1.80/%{name}-%{version}.tar.xz > +# Source0-md5: 003cc22c45be5edf91911050bbcfbde6 > +Source1: https://download.gnome.org/sources/glib/2.80/glib-2.80.0.tar.xz > +# Source1-md5: 3a51e2803ecd22c2dadcd07d9475ebe3 > URL: https://wiki.gnome.org/Projects/GObjectIntrospection > BuildRequires: automake > BuildRequires: bison > %{?with_cairo:BuildRequires: cairo-gobject-devel} > BuildRequires: flex > BuildRequires: gcc >= 5:3.2 > -BuildRequires: glib2-devel >= 1:2.78.0 > +%{!?with_bootstrap:BuildRequires: glib2-devel >= 1:2.80.0} > BuildRequires: glibc-misc > %{?with_apidocs:BuildRequires: gtk-doc >= 1.19} > -BuildRequires: libffi-devel >= 3.0.0 > -BuildRequires: meson >= 0.60.0 > +BuildRequires: libffi-devel >= 7:3.4 > +BuildRequires: meson >= 1.2.0 > BuildRequires: ninja >= 1.5 > BuildRequires: pkgconfig > BuildRequires: python3 >= 1:3.6 
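Review bot: with the bootstrap bcond enabled, `%{!?with_bootstrap:BuildRequires: glib2-devel >= 1:2.80.0}` drops the only glib2-devel BuildRequires entirely, so a bootstrap build has no lower bound at all on the glib headers it compiles against; keep the previous floor for that path, e.g. `%{?with_bootstrap:BuildRequires: glib2-devel >= 1:2.78.0}` next to the existing line. Likewise `Source1` (the glib-2.80.0 tarball, presumably only consumed on the bootstrap path given the bcond comment) is added unconditionally, so every normal build fetches and md5-checks a second tarball; `%{?with_bootstrap:Source1: ...}` with the matching `# Source1-md5:` line keeps that cost, and the extra supply-chain surface, confined to bootstrap builds.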
> @@ -36,7 +39,8 @@ BuildRequires: rpmbuild(macros) >= 1.752 > BuildRequires: tar >= 1:1.22 > BuildRequires: xz > BuildRequires: zlib-devel > -Requires: glib2 >= 1:2.78.0 > +Requires: glib2 >= 1:2.80.0 Shouldn't it be the other way around -- "bootstrap" bcond in glib2 for building without introspection? Currently while gobject-introspection does not build-time depend on glib2-devel >= 2.80, it does runtime depend on glib2 >= 2.80 (both in rpm deps and linked dynamic library) which cannot be satisfied to build glib2 2.80. From qboosh at pld-linux.org Sun Mar 10 16:35:16 2024 From: qboosh at pld-linux.org (Jakub Bogusz) Date: Sun, 10 Mar 2024 16:35:16 +0100 Subject: [packages/gobject-introspection] - updated to 1.80.0; added bootstrap bcond for glib 2.78->2.80 transition In-Reply-To: References: Message-ID: <20240310153516.GA678@mail> On Sun, Mar 10, 2024 at 10:56:22AM +0100, Jan Palus wrote: > Shouldn't it be the other way around -- "bootstrap" bcond in glib2 for > building without introspection? Currently while gobject-introspection > does not build-time depend on glib2-devel >= 2.80, it does runtime > depend on glib2 >= 2.80 (both in rpm deps and linked dynamic library) > which cannot be satisfied to build glib2 2.80. Oh, I wasn't aware of g-ir-scanner dependency to build introspection files in glib2 (I had gobject-introspection-devel 1.78 installed). So now I added "introspection" bcond to glib2.spec to allow bootstrapping from scratch. Previously I added "bootstrap" bcond in gobject-introspection as a way to cleanly build+upgrade on existing system (it's not possible to cleanly upgrade glib2 built with introspection without removing or upgrading to 1.80 existing gobject-introspection 1.78 package due to files conflict). So I could build whole glib2 2.80 and gobject-introspection 1.80 and upgrade them both simultaneously. -- Jakub Bogusz http://qboosh.pl/ From atler at pld-linux.org Mon Mar 25 10:22:00 2024 
From: atler at pld-linux.org (Jan Palus) Date: Mon, 25 Mar 2024 10:22:00 +0100 Subject: [packages/python3] python points to python3 now In-Reply-To: References: Message-ID: On 25.03.2024 11:05, arekm wrote: > commit d073fb40c26996aedc0c52fdea5af8b596e4f395 > Author: Arkadiusz Mi?kiewicz > Date: Mon Mar 25 09:58:15 2024 +0100 > > python points to python3 now > > python3.spec | 4 ++++ > 1 file changed, 4 insertions(+) > --- > diff --git a/python3.spec b/python3.spec > index 503d98b..686f876 100644 > --- a/python3.spec > +++ b/python3.spec > @@ -669,6 +669,9 @@ install -p Tools/patchcheck/reindent.py $RPM_BUILD_ROOT%{_bindir}/pyreindent%{py > %{__mv} $RPM_BUILD_ROOT%{py_incdir}/pyconfig.h $RPM_BUILD_ROOT%{py_libdir}/config-%{py_platform}/pyconfig.h > %{__sed} -e's#@PREFIX@#%{_prefix}#g;s#@PY_VER@#%{py_ver}#g;s#@PY_ABI@#%{py_platform}#g' %{SOURCE1} > $RPM_BUILD_ROOT%{py_incdir}/pyconfig.h > > +# python points to python3 now > +ln -s python3 $RPM_BUILD_ROOT%{_bindir}/python > + I guess all those packages that still meet `ipoldek what-requires /usr/bin/python` might not be happy about it. From arekm at maven.pl Mon Mar 25 10:48:08 2024 From: arekm at maven.pl (=?UTF-8?Q?Arkadiusz_Mi=C5=9Bkiewicz?=) Date: Mon, 25 Mar 2024 10:48:08 +0100 Subject: [packages/python3] python points to python3 now In-Reply-To: References: Message-ID: <9fd267fb-629a-40fa-a64b-c1e255f607bd@maven.pl> On 25/03/2024 10:22, Jan Palus wrote: > On 25.03.2024 11:05, arekm wrote: >> commit d073fb40c26996aedc0c52fdea5af8b596e4f395 >> Author: Arkadiusz Mi?kiewicz >> Date: Mon Mar 25 09:58:15 2024 +0100 >> >> python points to python3 now >> >> python3.spec | 4 ++++ >> 1 file changed, 4 insertions(+) >> --- >> diff --git a/python3.spec b/python3.spec >> index 503d98b..686f876 100644 >> --- a/python3.spec >> +++ b/python3.spec 
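Review bot: the `ln -s python3 $RPM_BUILD_ROOT%{_bindir}/python` added in %install has no matching `%{_bindir}/python` entry visible in this hunk (the diffstat's fourth inserted line is not shown); without a %files entry rpmbuild fails on the unpackaged file, and with one the package now owns a path that any python2 package shipping /usr/bin/python also owns, so a `Conflicts:` or `Obsoletes:` on that package is needed to make the upgrade path explicit rather than a file conflict at install time. The `# python points to python3 now` comment says what, not why; a one-line rationale in the spec or changelog (which callers are expected to migrate, and how the `ipoldek what-requires /usr/bin/python` fallout is meant to be handled) would stop the symlink being removed as an accident later.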
>> @@ -669,6 +669,9 @@ install -p Tools/patchcheck/reindent.py $RPM_BUILD_ROOT%{_bindir}/pyreindent%{py >> %{__mv} $RPM_BUILD_ROOT%{py_incdir}/pyconfig.h $RPM_BUILD_ROOT%{py_libdir}/config-%{py_platform}/pyconfig.h >> %{__sed} -e's#@PREFIX@#%{_prefix}#g;s#@PY_VER@#%{py_ver}#g;s#@PY_ABI@#%{py_platform}#g' %{SOURCE1} > $RPM_BUILD_ROOT%{py_incdir}/pyconfig.h >> >> +# python points to python3 now >> +ln -s python3 $RPM_BUILD_ROOT%{_bindir}/python >> + > > I guess all those packages that still meet `ipoldek what-requires /usr/bin/python` > might not be happy about it. I'm not sending these changes to builders to see what other devs will say. (the intention was to break these packages and get them dropped (or fixed) on case by case basis, if problems occur) -- Arkadiusz Mi?kiewicz, arekm / ( maven.pl | pld-linux.org ) From atler at pld-linux.org Sat Mar 30 13:57:22 2024 From: atler at pld-linux.org (Jan Palus) Date: Sat, 30 Mar 2024 13:57:22 +0100 Subject: [packages/xz] Revert back to 5.4.6 as 5.6.x are BACKDOORED! https://www.openwall.com/lists/oss-security/2024/03/29 In-Reply-To: References: Message-ID: On 30.03.2024 01:49, arekm wrote: > commit b369fe78b7b4a02e900fb6fe7ac035a9bba39436 > Author: Arkadiusz Mi?kiewicz > Date: Fri Mar 29 23:50:59 2024 +0100 > > Revert back to 5.4.6 as 5.6.x are BACKDOORED! https://www.openwall.com/lists/oss-security/2024/03/29/4 > > xz.spec | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > --- > diff --git a/xz.spec b/xz.spec > index a36b5df..8094d11 100644 > --- a/xz.spec > +++ b/xz.spec 
> @@ -19,8 +19,8 @@ Summary: LZMA Encoder/Decoder > Summary(pl.UTF-8): Koder/Dekoder LZMA > Name: xz > Version: 5.4.6 > -Release: 1 > -Epoch: 1 > +Release: 2 > +Epoch: 2 > License: LGPL v2.1+, helper scripts on GPL v2+ > Group: Applications/Archiving > Source0: https://github.com/tukaani-project/xz/releases/download/v%{version}/%{name}-%{version}.tar.bz2 Some notes from what I've gathered so far from a rather lengthy HN thread: - main backdoor appears to affect /usr/sbin/sshd on x86_64 with liblzma being pulled in as an indirect dependency. liblzma can be loaded by libsystemd if sshd was built with additional systemd patches which PLD does not use (unlike Debian and Fedora). So _possibly_ PLD is not affected - despite that some claims start to surface that going back to 5.4.6 might not be enough so let's see how this drama develops From shm at digitalsun.pl Sat Mar 30 17:04:13 2024 From: shm at digitalsun.pl (Mateusz Kocielski) Date: Sat, 30 Mar 2024 16:04:13 +0000 Subject: [packages/xz] Revert back to 5.4.6 as 5.6.x are BACKDOORED! https://www.openwall.com/lists/oss-security/2024/03/29 In-Reply-To: References: Message-ID: Dnia Sat, Mar 30, 2024 at 01:57:22PM +0100, Jan Palus napisa?(a): > On 30.03.2024 01:49, arekm wrote: > > commit b369fe78b7b4a02e900fb6fe7ac035a9bba39436 > > Author: Arkadiusz Mi?kiewicz > > Date: Fri Mar 29 23:50:59 2024 +0100 > > > > Revert back to 5.4.6 as 5.6.x are BACKDOORED! https://www.openwall.com/lists/oss-security/2024/03/29/4 > > > > xz.spec | 4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > --- > > diff --git a/xz.spec b/xz.spec > > index a36b5df..8094d11 100644 > > --- a/xz.spec > > +++ b/xz.spec 
> > @@ -19,8 +19,8 @@ Summary: LZMA Encoder/Decoder > > Summary(pl.UTF-8): Koder/Dekoder LZMA > > Name: xz > > Version: 5.4.6 > > -Release: 1 > > -Epoch: 1 > > +Release: 2 > > +Epoch: 2 > > License: LGPL v2.1+, helper scripts on GPL v2+ > > Group: Applications/Archiving > > Source0: https://github.com/tukaani-project/xz/releases/download/v%{version}/%{name}-%{version}.tar.bz2 > > Some notes from what I've gathered so far from a rather lengthy HN > thread: > > - main backdoor appears to affect /usr/sbin/sshd on x86_64 with liblzma > being pulled in as an indirect dependency. liblzma can be loaded by > libsystemd if sshd was built with additional systemd patches which PLD > does not use (unlike Debian and Fedora). So _possibly_ PLD is not > affected > > - despite that some claims start to surface that going back to 5.4.6 > might not be enough so let's see how this drama develops Hi there, I checked manually that the 5.6.1 version from this build [1] seems not to be vulnerable (I verified it using the signature provided in the original post [2]). My suspicion regarding why it was not activated is due to the failure of the following check on the build machine. The check is a part of the malicious script which decides if backdoor should be planted. [...] if test "x$CC" != 'xgcc' > /dev/null 2>&1;then exit 0 fi [...] The condition fails because CC set during the build is different: 'CC=x86_64-pld-linux-gcc' However, please note that there might be additional components within the package unknown to us at present. Regards, Mateusz [1] http://buildlogs.pld-linux.org//index.php?dist=th&arch=x86_64&ok=1&ns=&cnt=50&off=0&name=xz&id=0a127d4c-eda2-4f14-aedf-4a69d79b5b80&action=text [2] https://seclists.org/oss-sec/2024/q1/268
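Review bot: in the xz.spec hunk `Version: 5.4.6` is unchanged context, so the diff only moves `Epoch: 1` to `Epoch: 2` and `Release: 1` to `Release: 2`; the Epoch bump is what lets 5.4.6 replace an already-installed 5.6.x, but Epoch is permanent and every versioned dependency on xz elsewhere in the tree that was written as `>= 1:5.x` now compares against the wrong epoch and needs updating in the same sweep. Add a comment directly above `Epoch: 2` stating the reason (revert of the backdoored 5.6.x series, https://www.openwall.com/lists/oss-security/2024/03/29/4) so a later cleanup does not "fix" it back to 1 and silently reopen the upgrade path to 5.6.x.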
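A small defender-side triage script, added here as an example and not part of the thread or of the xz project, that turns the facts established above into repeatable checks: the affected series is 5.6.0/5.6.1, the injected build step bails out unless `$CC` is literally `gcc` (the condition Mateusz quoted), and the payload only matters if sshd maps liblzma (via libsystemd on systemd-patched builds). The script name `xz_triage.sh`, the `--host` flag and the two ldd samples are constructed for the example; the `xz --version` output format and `/usr/sbin/sshd` path are as on the page.

```shell
#!/bin/sh
# Added example (not from the thread): xz 5.6.x triage helpers built only on
# what the thread states. Usage: sh xz_triage.sh --host

# Returns 0 (true) when the given xz version string is in the backdoored series.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Extracts the version from `xz --version` output ("xz (XZ Utils) 5.4.6" ...).
xz_version_from_output() {
    awk 'NR == 1 { print $NF }'
}

# Mirrors the gate quoted from the malicious script:
#   if test "x$CC" != 'xgcc'; then exit 0; fi
# Returns 0 when that gate would have bailed out, i.e. nothing was planted.
backdoor_gate_bails() {
    test "x$1" != 'xgcc'
}

# Reads `ldd` output on stdin; returns 0 when liblzma is among the mapped libs.
#   ldd /usr/sbin/sshd | sshd_loads_liblzma
sshd_loads_liblzma() {
    grep -q 'liblzma\.so'
}

# Constructed ldd samples (not real output): a systemd-patched sshd that drags
# in liblzma through libsystemd, and an unpatched one that does not.
SAMPLE_LDD_PATCHED='libsystemd.so.0 => /lib64/libsystemd.so.0 (0x00007f00)
liblzma.so.5 => /lib64/liblzma.so.5 (0x00007f01)
libc.so.6 => /lib64/libc.so.6 (0x00007f02)'
SAMPLE_LDD_PLAIN='libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f00)
libc.so.6 => /lib64/libc.so.6 (0x00007f01)'

# Host report; only runs when the script is invoked with --host.
report_host() {
    ver=$(xz --version 2>/dev/null | xz_version_from_output)
    echo "xz version: ${ver:-unknown}"
    if xz_version_affected "$ver"; then echo "WARNING: backdoored 5.6.x series"; fi
    echo "CC on this host: ${CC:-unset} (gate bails: $(backdoor_gate_bails "${CC:-gcc}" && echo yes || echo no))"
    if ldd /usr/sbin/sshd 2>/dev/null | sshd_loads_liblzma; then
        echo "WARNING: sshd maps liblzma (check whether it was built against libsystemd)"
    fi
}
if [ "${1:-}" = "--host" ]; then report_host; fi
```

The functions can be sourced into other tooling; run with `--host` they print the version, the CC gate outcome and whether the local sshd maps liblzma, which is the PLD-versus-Debian/Fedora distinction Jan's notes turn on.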