Hey, On 3/6/25 19:02, Dmitry Belyavskiy wrote:
Dear colleagues, I see that Fedora gating tests for OpenSSH fail because of, among others, ownership/permission tests failure [1]. We have a ssh-keysign binary, that has sgid permissions deviating from upstream, we changed it in F38 [2] (and rolled back the corresponding patch) but the checks still expect sgid bits. I believe that I asked some people how to update the data to make the checks relevant, and I got a response that I should submit a PR to some repo, and probably I even submitted the PR to the repo - but I unfortunately don't remember the details at all (and looks like the PR was not processed). Could anybody please remind me the proper procedure?
I believe the PR you mentioned is https://github.com/rpminspect/rpminspect-data-fedora/pull/57 and I _think_ the reason for the fail is that there's no "fileinfo" file for F43 (yet), so it's not picking up the changes from the PR. If I run rpminspect locally, the permission check fails with --release=f43, but passes with --release=f42, which would confirm this theory: $ rpminspect-fedora --keep --debug --keep --workdir . --arches x86_64 --tests=permissions --verbose --release=fc43 --profile=rawhide openssh-9.9p1.tbOmLI ... permissions: ------------ 1) /usr/libexec/openssh/ssh-keysign in openssh-keysign on x86_64 carries insecure mode 4555, Security Team review may be required Result: BAD Waiver Authorization: Security 2) /usr/libexec/openssh/ssh-keysign in openssh-keysign on x86_64 carries insecure mode 4555, Security Team review may be required Result: BAD Waiver Authorization: Security $ rpminspect-fedora --keep --debug --keep --workdir . --arches x86_64 --tests=permissions --verbose --release=fc42 --profile=rawhide openssh-9.9p1.tbOmLI ... permissions: ------------ 1) /usr/libexec/openssh/ssh-keysign in openssh-keysign on x86_64 carries expected mode 4555 Result: INFO Waiver Authorization: Not Waivable 2) /usr/libexec/openssh/ssh-keysign in openssh-keysign on x86_64 carries expected mode 4555 Result: INFO Waiver Authorization: Not Waivable
Thank you! [1] https://artifacts.dev.testing-farm.io/7a6fef07-41f3-40a2-8ee8-c327934eddcd/ <https://artifacts.dev.testing-farm.io/7a6fef07-41f3-40a2-8ee8-c327934eddcd/> [2] https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit <https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit> -- Dmitry Belyavskiy
-- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
