Re: Backwards-incompatible RPM format change in Fedora 34?

On Thu, Jan 21, 2021 at 12:39 PM Panu Matilainen <pmatilai@xxxxxxxxxx> wrote:
>
> On 1/21/21 1:27 PM, Fabio Valentini wrote:
> > On Thu, Jan 21, 2021 at 12:22 PM Panu Matilainen <pmatilai@xxxxxxxxxx> wrote:
> >>
> >> On 1/21/21 9:56 AM, Florian Weimer wrote:
> >>> With rpm-4.15.1-3.fc32.1.x86_64, I get this error:
> >>>
> >>> $ rpm -qip https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/aarch64/debug/tree/Packages/m/ModemManager-debugsource-1.14.10-1.fc34.aarch64.rpm
> >>> error: /var/tmp/rpm-tmp.6iU66n: signature hdr data: BAD, no. of bytes(88084) out of range
> >>> error: https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/aarch64/debug/tree/Packages/m/ModemManager-debugsource-1.14.10-1.fc34.aarch64.rpm: not an rpm package (or package manifest)
> >>>
> >>> Is this expected?
> >>>
> >>
> >> Certainly not.
> >>
> >>> It seems that rpm-4.16.1.2-1.fc33.x86_64 can parse the RPM just fine.
> >>> But rpm-4.14.3-4.el8.x86_64 does not like it, either.
> >>
> >> Based on a quick random sampling, this would appear to be a very recent
> >> thing, the only affected packages I could find (which doesn't mean
> >> others couldn't exist) were built in the last few days, such as the
> >> above and these:
> >>
> >> https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/aarch64/debug/tree/Packages/n/net-snmp-debugsource-5.9-4.fc34.aarch64.rpm
> >> https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/aarch64/debug/tree/Packages/n/NetworkManager-debugsource-1.30.0-0.2.fc34.aarch64.rpm
> >>
> >> ...which were all built on Jan 18th. The only recent change to rpm is
> >> the DWARF-5 support but based on changelogs that seems to have landed
> >> the day after, so I dunno.

(snip)

> > Is it possible that this was triggered by switching on signed RPM contents?
> > If I understand the implementation correctly, it messes with the RPM headers.
>
> Oh, I wasn't aware the file signing proposal had been approved, much
> less enabled. I thought I raised "some objections" on the enablement of
> the feature from rpm maintainer perspective.

It has *not* been approved (yet). Which is why I grumbled about
enabling the signing in production infra during yesterday's FESCo
meeting.

> That would explain, certainly. It's not like this is a widely tested
> feature, and the failing packages do indeed have file signatures enabled.
>
> And with that, looking at the error and the behavior pattern, it's
> almost certainly down to this commit missing from older releases:
> https://github.com/rpm-software-management/rpm/commit/486579912381ede82172dc6d0ff3941a6d0536b5
>
> So the good news is that it's not mysterious corruption caused by the
> signing, the bad news is that this signing makes packages incompatible
> with ALL older releases.

That's just not acceptable.
Which means that signed RPM contents need to be postponed at least
until all supported Fedora releases have an RPM version that can read
those files.

Panu, can you please comment on the FESCo ticket with your findings?

Fabio
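
A pre-publication check for the failure discussed in this thread, as an added example (not code from rpm or from anyone in the thread): it reads the data size the signature header declares and compares it with a caller-supplied `dl_max`. The function names, the sample builder and the limit are assumptions; take the real limit from the oldest rpm release that has to read the package.

```python
import struct

LEAD_SIZE = 96                      # fixed-size RPM lead that precedes the signature header
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # 3-byte header magic followed by the version byte
INTRO = struct.Struct(">4s4xII")    # magic+version, 4 reserved bytes, il, dl (big-endian)
ENTRY_SIZE = 16                     # one index entry: tag, type, offset, count


def signature_header_sizes(blob):
    """Return (il, dl): index entry count and data byte count of the signature header."""
    if len(blob) < LEAD_SIZE + INTRO.size:
        raise ValueError("too short to hold a lead and a signature header intro")
    if blob[:4] != LEAD_MAGIC:
        raise ValueError("bad lead magic: not an rpm package")
    magic, il, dl = INTRO.unpack_from(blob, LEAD_SIZE)
    if magic != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    return il, dl


def check_signature_header(blob, dl_max):
    """Return (dl, verdict) for a whole package file read into memory.

    dl_max is an assumption supplied by the caller, not a value from this thread.
    """
    il, dl = signature_header_sizes(blob)
    # Never trust declared sizes beyond what the file actually contains.
    if LEAD_SIZE + INTRO.size + il * ENTRY_SIZE + dl > len(blob):
        return dl, "truncated"
    return dl, "ok" if dl <= dl_max else "out of range"


def build_sample(il, dl):
    """Constructed input: lead plus a signature header with zero-filled index and data."""
    lead = LEAD_MAGIC + bytes(LEAD_SIZE - 4)
    return lead + INTRO.pack(HEADER_MAGIC, il, dl) + bytes(il * ENTRY_SIZE + dl)


if __name__ == "__main__":
    sample = build_sample(il=9, dl=88084)   # dl taken from the error message quoted above
    for limit in (64 * 1024, 64 * 1024 * 1024):   # constructed limits for the demo
        print(limit, check_signature_header(sample, limit))
```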