Bug 1642844
| Summary: | Please make pm request safe for fedora packagers | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Nicolas Mailhot <nicolas.mailhot> |
| Component: | mock | Assignee: | Miroslav Suchý <msuchy> |
| Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rawhide | CC: | jdisnard, jkeating, mebrown, mizdebsk, msuchy, praiskup, williams |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-04-19 18:14:12 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1641187, 1641191 | ||
|
Description
Nicolas Mailhot
2018-10-25 08:11:52 UTC
1) when bootstrap is used, then the pm_request should [*] use DNF from the bootstrap chroot. Which should be safe. [*] need to verify this claim in a code. 2) how I can restrict to only repos configured in the config? You can easily install rpm with repo file and then execute install and you will get a package from that new repo. I see no problem implementing "secure" mode, but this needs to be precisely defined on a low technical level. From a security POW, I think the dnf mock uses should only honor the repo definitions in the mock config, and ignore any repo definition dropped in the buildroot. At least I don't see why one would want it otherwise, both from a functional and security angle. Basically you want the dnf in the chroot to use only repo defs configured within mock by the mock admin, and ignore any repo addition or redefinition done by the env in the chroot, via dnf cli flags, repo definition files, or anything else I forget here. (In reply to Miroslav Suchý from comment #1) > 2) how I can restrict to only repos configured in the config? You can easily > install rpm with repo file and then execute install and you will get a > package from that new repo. AFAIK, `mock --install` doesn't use the repofiles installed inside the chroot (only those repofiles inside {dnf,yum}.conf). > only those repofiles inside {dnf,yum}.conf
I mean, mock only uses **repositories** specified in {dnf,yum}.conf.
To be honest - this and GH discussion shows that this feature would be very fragile and it can actually limit or break normal behaviour of mock. I would rather focus on https://github.com/rpm-software-management/rpm/issues/104 which make this (and several others) issues obsoletes. In fact, I find https://github.com/rpm-software-management/rpm/issues/104#issuecomment-433024163 very attractive. Just to be clear: I will drop pm request as soon a https://github.com/rpm-software-management/rpm/issues/104 lands in Fedora (though I may be stuck with it on el7, which means is still needs security fixing) Please do not give up on pm request before we have an ETA in https://github.com/rpm-software-management/rpm/issues/104 Last time https://github.com/rpm-software-management/rpm/issues/104 revived, there were lots of interesting comments, and then it all died out without any deployable solution. Fascinating as those discussions are, my primary objective is to do packages in Fedora! Closing in favor of Dynamic Build Dependencies, which just landed in Mock |