On Fri, Mar 7, 2025 at 12:04 PM František Šumšal <franti...@sumsal.cz> wrote:
> Hey,
>
> On 3/6/25 19:02, Dmitry Belyavskiy wrote:
> > Dear colleagues,
> >
> > I see that Fedora gating tests for OpenSSH fail because of, among others, ownership/permission tests failure [1].
> >
> > We have a ssh-keysign binary, that has sgid permissions deviating from upstream, we changed it in F38 [2] (and rolled back the corresponding patch) but the checks still expect sgid bits.
> >
> > I believe that I asked some people how to update the data to make the checks relevant, and I got a response that I should submit a PR to some repo, and probably I even submitted the PR to the repo - but I unfortunately don't remember the details at all (and looks like the PR was not processed). Could anybody please remind me the proper procedure?
>
> I believe the PR you mentioned is https://github.com/rpminspect/rpminspect-data-fedora/pull/57 and I _think_ the reason for the fail is that there's no "fileinfo" file for F43 (yet), so it's not picking up the changes from the PR. If I run rpminspect locally, the permission check fails with --release=f43, but passes with --release=f42, which would confirm this theory:
>
> $ rpminspect-fedora --keep --debug --keep --workdir . --arches x86_64 --tests=permissions --verbose --release=fc43 --profile=rawhide openssh-9.9p1.tbOmLI
> ...
> permissions:
> ------------
> 1) /usr/libexec/openssh/ssh-keysign in openssh-keysign on x86_64 carries insecure mode 4555, Security Team review may be required
>
> Result: BAD
> Waiver Authorization: Security
>
> 2) /usr/libexec/openssh/ssh-keysign in openssh-keysign on x86_64 carries insecure mode 4555, Security Team review may be required
>
> Result: BAD
> Waiver Authorization: Security
>
> $ rpminspect-fedora --keep --debug --keep --workdir . --arches x86_64 --tests=permissions --verbose --release=fc42 --profile=rawhide openssh-9.9p1.tbOmLI
> ...
> permissions:
> ------------
> 1) /usr/libexec/openssh/ssh-keysign in openssh-keysign on x86_64 carries expected mode 4555
>
> Result: INFO
> Waiver Authorization: Not Waivable
>
> 2) /usr/libexec/openssh/ssh-keysign in openssh-keysign on x86_64 carries expected mode 4555
>
> Result: INFO
> Waiver Authorization: Not Waivable
>
> > Thank you!
> >
> > [1] https://artifacts.dev.testing-farm.io/7a6fef07-41f3-40a2-8ee8-c327934eddcd/
> > [2] https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit

Thank you very much, it explains a lot