On Tue, 2024-10-08 at 12:14 +0300, Panu Matilainen wrote: > On 10/6/24 12:42 AM, Barry wrote: > > > > > > > On 5 Oct 2024, at 18:32, Fabio Valentini <decathorpe@xxxxxxxxx> wrote: > > > > > > On the other hand, the error message you're seeing is from the IMA plugin. So I assume you've enabled rpm-plugin-ima? > > > > This a f39 aarch64 upgraded to f40 then f41 with no customisations. > > (There are no f40 or f41 iso so i have to do this dance). > > > > I have never heard of ima plugin and did not install it deliberately. > > There's several things wrong in here. > > 1) The packaging around ima-evm-utils has changed recently it seems: the > library part was split to -libs subpackage which is good, but previously > since rpm-sign-libs dependency dragged the main package in, it's > installed on a lot of systems. And now the main ima-evm-utils added a > dependency on rpm-plugin-ima which has all manner of implications that > just having some tools or libraries installed does not, and should not > have. That dependency will need to be removed or further split off to > something people wont get installed by default. > > the library part was split to a -libs subpackage which is good, bu > 1) ima-evm-utils recently added a dependency on rpm-plugin-ima, and this > seems wrong because having the plugin installed implies all manner of > things that having ima-evm-utils does not. The > > 2) IMA signature don't make any sense on src.rpm files - so Fedora > shouldn't be signing them, and rpm shouldn't let them > > 3) Even if the assertions in 2 fail and you somehow end up with an > src.rpm with IMA signatures on it, rpm should not barf up on it like this. > > There's a bug for 2-3 at > https://bugzilla.redhat.com/show_bug.cgi?id=2316785, I'll need to file > another to sort the ima-evm-utils packaging. + Mimi I think the problem is that the IMA rpm plugin is trying to set the security.ima xattr for the file being installed, but it can't because this operation requires root privileges (CAP_SYS_ADMIN), and the SRPM is installed as regular user. Of course, it does not make too much sense to apply signatures on source files. Roberto -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue