Bug 1535596

Summary: python3: Possibly serious rpmlint issues
Product: [Fedora] Fedora Reporter: Miro Hrončok <mhroncok>
Component: python3Assignee: Iryna Shcherbina <ishcherb>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 28CC: a.badger, bkabrda, cheimes, cstratak, dmalcolm, ishcherb, lzachar, mcyprian, mhroncok, pviktori, python-sig, rkuska, tomspur, torsava
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-02-21 15:33:19 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1489816    
Bug Blocks:    

Description Miro Hrončok 2018-01-17 17:21:27 UTC
Actual spelling errors:
python3-debug.x86_64: W: spelling-error %description -l en_US verisons -> versions, orisons, venison
python3.src: W: spelling-error %description -l en_US readibility -> readability, credibility, reliability
python3.x86_64: W: spelling-error %description -l en_US readibility -> readability, credibility, reliability

May be dangerous:
python3-debug.x86_64: W: crypto-policy-non-compliance-openssl /usr/lib64/python3.6/lib-dynload/_ssl.cpython-36dm-x86_64-linux-gnu.so SSL_CTX_set_cipher_list
python3-libs.x86_64: W: crypto-policy-non-compliance-openssl /usr/lib64/python3.6/lib-dynload/_ssl.cpython-36m-x86_64-linux-gnu.so SSL_CTX_set_cipher_list
python3-debug.x86_64: E: library-without-ldconfig-postin /usr/lib64/libpython3.6dm.so.1.0
python3-debug.x86_64: E: library-without-ldconfig-postun /usr/lib64/libpython3.6dm.so.1.0
python3.src:398: W: unversioned-explicit-obsoletes python%{pyshortver}

No idea:
python3-debug.x86_64: E: missing-call-to-chdir-with-chroot /usr/lib64/libpython3.6dm.so.1.0
python3-libs.x86_64: E: missing-call-to-chdir-with-chroot /usr/lib64/libpython3.6m.so.1.0
python3-debug.x86_64: W: read-error /usr/lib64/pkgconfig/python-3.6dm.pc [Errno 2] No such file or directory: '/tmp/rpmlint.python3-debug-3.6.4-3.fc28.x86_64.rpm.jk21bauv/usr/lib64/pkgconfig/python-3.6dm.pc'
python3-libs.x86_64: W: devel-file-in-non-devel-package /usr/include/python3.6m/pyconfig-64.h

Probably bogus but worth looking:
python3.x86_64: W: self-obsoletion python36 obsoletes python36 = 3.6.4-3.fc28

Not that important, but right:
python3.src:812: W: macro-in-comment %{_pyconfig32_h}
python3.src:814: W: macro-in-comment %{_pyconfig64_h}
python3.src:1731: W: macro-in-%changelog %py_byte_compile
python3.src:130: W: mixed-use-of-spaces-and-tabs (spaces: line 15, tab: line 130)



Those are all from python3-3.6.4-3.fc28. However, when fixing/workarounding, please consider python37 first and backport to current python3 only if important.

Comment 1 Toshio Ernie Kuratomi 2018-01-17 20:12:46 UTC
* This one is a false positive: python3-libs.x86_64: W: devel-file-in-non-devel-package /usr/include/python3.6m/pyconfig-64.h

Python uses the pyconfig.h file as a data file for runtime information so it has to be shipped with python-libs.

* I'm not sure about this one: python3-libs.x86_64: W: crypto-policy-non-compliance-openssl /usr/lib64/python3.6/lib-dynload/_ssl.cpython-36m-x86_64-linux-gnu.so SSL_CTX_set_cipher_list

but it may be needed to conform to upstream's API for SSL.  Python's stdlib is providing an SSL API for other software to use.  This may be a case where the API is able to make use of this for good or ill... but it is the application's choice, not Python's.).  You probably should get Christian Heimes' input on whether this is a problem or not as he deals with the security concerns in CPython quite heavily.

Comment 2 Petr Viktorin (pviktori) 2018-01-18 13:12:57 UTC
These are bogus (a C header apparently parsed as Bash):
python3.src:812: W: macro-in-comment %{_pyconfig32_h}
python3.src:814: W: macro-in-comment %{_pyconfig64_h}

Comment 3 Charalampos Stratakis 2018-01-18 13:26:31 UTC
(In reply to Toshio Ernie Kuratomi from comment #1)
> * This one is a false positive: python3-libs.x86_64: W:
> devel-file-in-non-devel-package /usr/include/python3.6m/pyconfig-64.h
> 
> Python uses the pyconfig.h file as a data file for runtime information so it
> has to be shipped with python-libs.
> 
> * I'm not sure about this one: python3-libs.x86_64: W:
> crypto-policy-non-compliance-openssl
> /usr/lib64/python3.6/lib-dynload/_ssl.cpython-36m-x86_64-linux-gnu.so
> SSL_CTX_set_cipher_list
> 
> but it may be needed to conform to upstream's API for SSL.  Python's stdlib
> is providing an SSL API for other software to use.  This may be a case where
> the API is able to make use of this for good or ill... but it is the
> application's choice, not Python's.).  You probably should get Christian
> Heimes' input on whether this is a problem or not as he deals with the
> security concerns in CPython quite heavily.

This warning is for compliance with the recent changes in crypto policies [0][1]

There is already ongoing work to address the issue upstream but it will land for 3.7 so we'll have to backport it when it's merged [2].

[0] https://fedoraproject.org/wiki/Packaging:CryptoPolicies
[1] bug 1489816
[2] https://github.com/python/cpython/pull/3532

Comment 4 Iryna Shcherbina 2018-02-13 18:04:13 UTC
> Actual spelling errors:
> python3-debug.x86_64: W: spelling-error %description -l en_US verisons -> versions, orisons, venison
> python3.src: W: spelling-error %description -l en_US readibility -> readability, credibility, reliability
> python3.x86_64: W: spelling-error %description -l en_US readibility -> readability, credibility, reliability

Fixed within PR: https://src.fedoraproject.org/rpms/python37/pull-request/6

> May be dangerous:
> python3-debug.x86_64: W: crypto-policy-non-compliance-openssl /usr/lib64/python3.6/lib-dynload/_ssl.cpython-36dm-x86_64-linux-gnu.so SSL_CTX_set_cipher_list
> python3-libs.x86_64: W: crypto-policy-non-compliance-openssl /usr/lib64/python3.6/lib-dynload/_ssl.cpython-36m-x86_64-linux-gnu.so SSL_CTX_set_cipher_list

Fixed upstream in https://github.com/python/cpython/pull/3532 (as per Comment 3).
The warning though will still be present as per ticket description in https://bugs.python.org/issue31429: in case --with-ssl-default-suites option is not passed, Python shall set a default suite. In our Python 3 builds the option is now enabled, so the warning is not relevant.

> python3-debug.x86_64: E: library-without-ldconfig-postin /usr/lib64/libpython3.6dm.so.1.0
> python3-debug.x86_64: E: library-without-ldconfig-postun /usr/lib64/libpython3.6dm.so.1.0

Already fixed https://src.fedoraproject.org/rpms/python3/c/14deb52d02decabd7dda8bcfa01e628031f03414
Scriplets removed, this should be done automatically.

> Probably bogus but worth looking:
> python3.x86_64: W: self-obsoletion python36 obsoletes python36 = 3.6.4-3.fc28
> python3.src:398: W: unversioned-explicit-obsoletes python%{pyshortver}

The comment in the spec file explains why: 
"""
# Note that using Obsoletes without package version is not standard practice.
# Here we assert that *any* version of the system's default interpreter is
# preferable to an "extra" interpreter
"""

> No idea:
> python3-debug.x86_64: E: missing-call-to-chdir-with-chroot /usr/lib64/libpython3.6dm.so.1.0
> python3-libs.x86_64: E: missing-call-to-chdir-with-chroot /usr/lib64/libpython3.6m.so.1.0

This is the implementation of os.chroot

> python3-debug.x86_64: W: read-error /usr/lib64/pkgconfig/python-3.6dm.pc [Errno 2] No such file or directory: '/tmp/rpmlint.python3-debug-3.6.4-3.fc28.x86_64.rpm.jk21bauv/usr/lib64/pkgconfig/python-3.6dm.pc'

python-3.6dm.pc is a link to python-3.6.pc which is in the python3-devel subpackage, which python3-debug requires.

> python3-libs.x86_64: W: devel-file-in-non-devel-package /usr/include/python3.6m/pyconfig-64.h

False positive as per Comment 1

> Not that important, but right:
> python3.src:812: W: macro-in-comment %{_pyconfig32_h}
> python3.src:814: W: macro-in-comment %{_pyconfig64_h}

False positive as per Comment 2

> python3.src:1731: W: macro-in-%changelog %py_byte_compile

Already fixed https://src.fedoraproject.org/rpms/python3/c/40b8f9ece20b5f9cbaf3d2fd78a39a3158dfa0c5

> python3.src:130: W: mixed-use-of-spaces-and-tabs (spaces: line 15, tab: line 130)

Fixed within PR: https://src.fedoraproject.org/rpms/python37/pull-request/6

Comment 5 Fedora End Of Life 2018-02-20 15:26:32 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle.
Changing version to '28'.

Comment 6 Iryna Shcherbina 2018-02-21 15:33:19 UTC
Backported to python3 in Rawhide: https://src.fedoraproject.org/rpms/python3/pull-request/24

Closing as Rawhide, please reopen if necessary.