rpm5 package verification and md5sum of config files
Jan Rękorajski
baggins at pld-linux.org
Mon Oct 22 15:56:52 CEST 2012
On Mon, 22 Oct 2012, Jeffrey Johnson wrote:
>
> On Oct 22, 2012, at 6:44 AM, Jan Rękorajski wrote:
>
> >
> > Rebuilding ~8500 packages is not an option, unfortunately :(
> >
>
> Um … you managed to *build* ~8500 packages using a buggy
> rpmbuild in rpm-5.4.10.
>
> What makes *rebuilding* harder than building?
>
> Note that not all 8500 packages are affected (only %config iirc).
rpm5 with hmac verification intact (notice package was built with rpm4):
$ rpm -q -yaml rc-scripts | grep Rpmversion
Rpmversion: 4.5
$ rpm -V --nohmacs rc-scripts
.M...... g /var/log/dmesg
$ rpm -V rc-scripts
..5..... c /etc/adjtime
..5..... c /etc/sysconfig/cpusets/cpuset-test
..5..... c /etc/sysconfig/hwprof
..5..... c /etc/sysconfig/i18n
..5..... c /etc/sysconfig/init-colors
..5..... c /etc/sysconfig/interfaces/down.d/ppp/logger
..5..... c /etc/sysconfig/interfaces/ifcfg-eth0
..5..... c /etc/sysconfig/interfaces/up.d/ppp/logger
..5..... c /etc/sysconfig/isapnp/isapnp-kernel.conf
..5..... c /etc/rc.d/rc.local
..5..... c /etc/crypttab
..5..... c /etc/sysconfig/network
..5..... c /etc/sysconfig/static-arp
..5..... c /etc/sysconfig/static-nat
..5..... c /etc/sysconfig/static-routes
..5..... c /etc/sysconfig/static-routes6
..?..... c /etc/sysconfig/system
..5..... c /etc/init/allowlogin.conf
..5..... c /etc/init/cpusets.conf
..5..... c /etc/init/cryptsetup.conf
..5..... c /etc/init/local.conf
..5..... c /etc/init/modules.conf
..5..... c /etc/init/random.conf
..5..... c /etc/sysctl.conf
..5..... c /etc/init/rc.conf
..5..... c /etc/init/rcS-sulogin.conf
..5..... c /etc/init/rcS.conf
..5..... c /etc/init/sys-chroots.conf
..5..... c /etc/init/udev.conf
..5..... c /etc/initlog.conf
..5..... c /etc/inittab
..5..... c /etc/modules
.M...... g /var/log/dmesg
rpm5 with Adam's patch applied (i.e. hmac ripped out):
$ ./rpm -V rc-scripts
..5..... c /etc/sysconfig/interfaces/ifcfg-eth0
..5..... c /etc/adjtime
..5..... c /etc/sysconfig/network
..5..... c /etc/sysconfig/static-routes
..5..... c /etc/sysconfig/static-routes6
..?..... c /etc/sysconfig/system
..5..... c /etc/sysctl.conf
..5..... c /etc/inittab
..5..... c /etc/modules
.M...... g /var/log/dmesg
..5..... c /etc/sysconfig/i18n
> >> * second, fix the verification process only, drop hmac support and do it
> >> the good old way.
> >
> > Quick question, does passing '--nohmacs' option give the same effect as
> > your patch to lib/verify.c? In that case we could just make it default
> > and add '--hmacs' option.
> >
>
> Implementing --nohmac as a disabler was the intent.
It doesn't work as intended then as it disables file digest verification
entirely.
> Meanwhile adding --nohmac, or patching rpm or counting the no of pkgs isn't
> going to repair the headers that do not have the right flag bits.
>
> And if you don't fix the metadata soon, then the problem will persist forever,
> and need to be dealt with again and again, because the affected packages
> will be deployed and nothing can change except wait 2-3y.
Metadata will fix itself over time. The problem here is broken file
digest verification.
--
Jan Rękorajski | PLD/Linux
SysAdm | http://www.pld-linux.org/
baggins<at>mimuw.edu.pl
baggins<at>pld-linux.org
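Jan's observation above is that `--nohmacs` skips file digest verification entirely instead of falling back to the plain per-file digest. One defender-side cross-check, added here as an example and not code from the thread or from rpm itself, is to re-hash %config files against the digests that `rpm -q --dump <pkg>` prints straight from the header; the files and the dump listing below are constructed so it runs offline.

```python
import hashlib, os, tempfile

# One `rpm -q --dump` line per file:
# path size mtime digest mode owner group isconfig isdoc rdev symlink
def parse_dump(text):
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 11:
            continue  # blank or truncated line
        entries.append({"path": f[0], "digest": f[3], "isconfig": f[7] == "1"})
    return entries

def digest_matches(path, expected, root="/"):
    """Re-hash the installed file and compare with the header digest.
    32 hex chars = MD5 (rpm4-built packages), 64 = SHA-256."""
    algo = {32: "md5", 64: "sha256"}.get(len(expected))
    if algo is None:
        return "unknown-digest"
    full = os.path.join(root, path.lstrip("/"))
    if not os.path.isfile(full):
        return "missing"
    h = hashlib.new(algo)
    with open(full, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return "ok" if h.hexdigest() == expected.lower() else "mismatch"

def verify_config_files(dump_text, root="/"):
    """Check only %config entries (isconfig == 1); return {path: status}."""
    return {e["path"]: digest_matches(e["path"], e["digest"], root)
            for e in parse_dump(dump_text) if e["isconfig"]}

def demo():
    """Offline run against constructed files and a constructed --dump listing."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc/sysconfig"))
    i18n, inittab = b"LANG=en_US.UTF-8\n", b"id:3:initdefault:\n"
    with open(os.path.join(root, "etc/sysconfig/i18n"), "wb") as fh:
        fh.write(i18n)                         # untouched since install
    with open(os.path.join(root, "etc/inittab"), "wb") as fh:
        fh.write(inittab + b"# local edit\n")  # edited after install
    md5, tail = (lambda b: hashlib.md5(b).hexdigest()), "33188 root root 1 0 0 X"
    dump = "\n".join([
        f"/etc/sysconfig/i18n {len(i18n)} 1350000000 {md5(i18n)} {tail}",
        f"/etc/inittab {len(inittab)} 1350000000 {md5(inittab)} {tail}",
        f"/etc/modules 0 1350000000 {md5(b'')} {tail}",  # not on disk
        f"/sbin/service 10 1350000000 {'0' * 64} 33261 root root 0 0 0 X",
    ])
    return verify_config_files(dump, root)
```

On a real system feed it `rpm -q --dump rc-scripts` with `root="/"`; anything reported as `mismatch` is a config file `rpm -V` should have flagged with a `5`.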