Hey,
On 3/6/25 19:02, Dmitry Belyavskiy wrote:
Dear colleagues,
I see that Fedora gating tests for OpenSSH fail because of, among others,
ownership/permission tests failure [1].
We have a ssh-keysign binary, that has sgid permissions deviating from
upstream, we changed it in F38 [2] (and rolled back the corresponding patch)
but the checks still expect sgid bits.
I believe that I asked some people how to update the data to make the checks
relevant, and I got a response that I should submit a PR to some repo, and
probably I even submitted the PR to the repo - but I unfortunately don't
remember the details at all (and looks like the PR was not processed). Could
anybody please remind me the proper procedure?
I believe the PR you mentioned is
https://github.com/rpminspect/rpminspect-data-fedora/pull/57 and I _think_ the reason for
the fail is that there's no "fileinfo" file for F43 (yet), so it's not picking
up the changes from the PR. If I run rpminspect locally, the permission check fails with
--release=f43, but passes with --release=f42, which would confirm this theory:
$ rpminspect-fedora --keep --debug --keep --workdir . --arches x86_64
--tests=permissions --verbose --release=fc43 --profile=rawhide
openssh-9.9p1.tbOmLI
...
permissions:
------------
1) /usr/libexec/openssh/ssh-keysign in openssh-keysign on x86_64 carries
insecure mode 4555, Security Team review may be required
Result: BAD
Waiver Authorization: Security
2) /usr/libexec/openssh/ssh-keysign in openssh-keysign on x86_64 carries
insecure mode 4555, Security Team review may be required
Result: BAD
Waiver Authorization: Security
$ rpminspect-fedora --keep --debug --keep --workdir . --arches x86_64
--tests=permissions --verbose --release=fc42 --profile=rawhide
openssh-9.9p1.tbOmLI
...
permissions:
------------
1) /usr/libexec/openssh/ssh-keysign in openssh-keysign on x86_64 carries
expected mode 4555
Result: INFO
Waiver Authorization: Not Waivable
2) /usr/libexec/openssh/ssh-keysign in openssh-keysign on x86_64 carries
expected mode 4555
Result: INFO
Waiver Authorization: Not Waivable
Thank you!
[1] https://artifacts.dev.testing-farm.io/7a6fef07-41f3-40a2-8ee8-c327934eddcd/
<https://artifacts.dev.testing-farm.io/7a6fef07-41f3-40a2-8ee8-c327934eddcd/>
[2] https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit
<https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit>
--
Dmitry Belyavskiy
--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
