*.py packaging, again

Tomasz Pala gotar at polanet.pl
Thu Jul 14 17:04:02 CEST 2011 

On Thu, Jul 14, 2011 at 10:43:56 -0400, Jeff Johnson wrote:

> Well its *IS* you "unfortunate" choice to use --repackage (or not).
> You have none but yourself to blame for your misfortunes.

No, there are idiots from many many software devel teams to blame
(last time Xorg xinput and Intel drivers, firefox since many years).

> Hint: Repackage packages were _DELIBERATELY_ poisoned by
> adding RPMTAG_REMOVETID in order to prevent morons from
> 	install -> modify -> re-package -> re-publish -> blame @redhat
> a *.rpm as if it were built "reproducibly" and "official".
> 
> Your "unfortunately" is likely mostly alleviated by simply
> 	Don't poison repackaged *.rpm by adding RPMTAG_REMOVETID.
> I.e -- for most packages that are never ever modified --
> you will find that repackaged *.rpm packages start to pass
> 	rpm -Kvv repackaged*.rpm

You didn't understand me - I don't have any problems with failing
digests. I don't have any problems with repackage at all.
The only problem is that I _need_ to use them, because some morons break
their software in regular way - you've asked _if_ I use it and _for what_,
that's the answer, no complaining on rpm itself.

The one feature I miss:

> This is/was by intent: the advantage to RPM packaging is that _EVERYTHING_
> necessary to perform an install is encapsulated in a digitally signed
> blob that is essentially immutable. Any/all modifications to that blob
> are detectable.

is that it only detects modification and can't point the files modified
(which could be done by comparing files stored in cpio against
informations in header).

> recompilation != immutable
> 
> And only immutable will do: there's lots of TOCTTOU issues with
> rebuilding as well, honking about time stamps is a mere fig leaf.

If you downgrade a package to repackaged version with (by any way) newer
timestamps you need to ensure, that python actually does rebuild the
cache. In short: you must ensure cached files are _removed_ everytime
package is modified (replaced, removed, whatever).

>> *  I had an idea once upon a time to verify content of repackaged files
>>   against original digest, I really miss this feature in rpm (rpm -Vp
>>   verifies package against filesystem not internal cpio).
> 
> Remove the RPMTAG_REMOVETID poisoning and repackaging (for most packages)
> becomes an exact inverse and file digests can then be verified just
> like any other package.

By rpm binary? How?

-- 
Tomasz Pala <gotar at pld-linux.org>

More information about the pld-devel-en mailing list