Bug 1109960 - RPM by `make bkradd` does not correspond to the git tag
Summary: RPM by `make bkradd` does not correspond to the git tag
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Beaker
Classification: Retired
Component: command line
Version: 0.17
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: 0.18
Assignee: Dan Callaghan
QA Contact: tools-bugs
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-06-16 18:22 UTC by Alois Mahdal
Modified: 2018-02-06 00:41 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2014-08-27 06:52:31 UTC
Embargoed:



Description Alois Mahdal 2014-06-16 18:22:55 UTC
Description:

`make bkradd` creates an RPM based on what is currently in the working tree, instead of what has been committed / pushed / tagged in the Git repo.

This means that if you have local changes in the working tree (perhaps because you use slightly different paths / timing values / credentials etc. for local debugging), the final RPM will contain them, even though these changes never existed in any repo and were never supposed to leave your machine.

Consequently, this can lead to a security risk: the "changes" could be something that shows up in the log, one that you incidentally decided to publish in a bug report.  So in the worst-case scenario, this could lead to leakage outside Red Hat(!).

And it is counter-intuitive enough:  even in the above scenario, in good faith, you might double-check that you did not push the "secret" to the repo, but would you double-check that git ~ rpm, i.e. that mytest-1.0.1.rpm ~ the mytest-1.0.1 tag?


Version-Release number of selected component (if applicable):
rhts-test-env-4.61-1.fc19.noarch


How reproducible:
Always


Steps to Reproduce:
 1. Clone a test repo
 2. Make a change, e.g. add a line to runtest.sh:
        rlLog "secret"
 3. `make tag; git push --tags; make bkradd`
 4. Deploy the RPM
 5. Compare the modified file with its tagged counterpart in git repo

Actual results:
The file is different, i.e. contains the "secret"

Expected results:
The file should be the same, i.e. not contain the "secret"

Additional info:

Comment 1 Alois Mahdal 2014-06-16 18:28:23 UTC
A relatively easy and non-intrusive (unless the test repo is huge, I guess) workaround could be:

    Before starting to build RPM, clone the current repository to a temporary
    dir (note that you can use local path to `git clone` command) and cd to
    that path before collecting anything.
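
One way to script that workaround, as an added example that is not part of this bug report, of rhts or of beaker-core-tasks: clone the tag from the local repository into a temporary directory (a local path is a valid `git clone` source, as noted above) and build there, so nothing from the working tree can reach the RPM. It also adds a pre-check that reports when the working tree differs from the tag, which is the condition this bug is about. Assumed, and not taken from the page: `git` and `make` are on PATH, the tag to build is the most recent one reachable from HEAD, and the build target defaults to `rpm` (pass `bkradd` or another target as the third argument of `build_from_tag`).

```shell
#!/bin/sh
# Added example, not part of the bug report, rhts or beaker-core-tasks.
# Build an RPM from a fresh clone of a git tag rather than from the working
# tree, and report when the working tree does not match that tag.
# Assumptions: git and make are on PATH; the default build target is `rpm`.
set -eu

# Print the tag the build is meant to correspond to.
# Assumption: the most recent tag reachable from HEAD (what `make tag` created).
current_tag() {
    git -C "$1" describe --tags --abbrev=0
}

# Return 1 if any tracked file differs from the tag (staged or unstaged), or
# if untracked files exist that a build could sweep into the package.
check_tree_matches_tag() {
    repo=$1
    tag=$2
    if ! git -C "$repo" diff --quiet "$tag" --; then
        echo "working tree differs from tag $tag:" >&2
        git -C "$repo" diff --stat "$tag" -- >&2
        return 1
    fi
    untracked=$(git -C "$repo" ls-files --others --exclude-standard)
    if [ -n "$untracked" ]; then
        echo "untracked files present in $repo:" >&2
        printf '%s\n' "$untracked" >&2
        return 1
    fi
    return 0
}

# Clone the tag from the local repository into a fresh temporary directory
# and print that directory. --branch accepts a tag and leaves the clone
# checked out at it; uncommitted changes never reach the clone.
clone_tag() {
    repo=$1
    tag=$2
    dest=$(mktemp -d)
    git clone --quiet --branch "$tag" "$repo" "$dest"
    echo "$dest"
}

# Warn about local changes, build in the clone, and remove the clone.
# The RPM then matches the tag by construction.
build_from_tag() {
    repo=$1
    tag=${2:-$(current_tag "$1")}
    target=${3:-rpm}
    check_tree_matches_tag "$repo" "$tag" ||
        echo "note: local changes are NOT included; building from tag $tag" >&2
    dest=$(clone_tag "$repo" "$tag")
    ( cd "$dest" && make "$target" )
    rm -rf "$dest"
}
```

Usage from a task checkout: `make tag && git push --tags && build_from_tag . "$(current_tag .)" bkradd`. The pre-check is deliberately a warning rather than a hard failure, because the whole point of the workaround is that debugging changes may legitimately sit in the working tree; what matters is that they stay out of the package.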

Comment 3 Dan Callaghan 2014-08-07 06:53:02 UTC
On Gerrit: http://gerrit.beaker-project.org/3235

Comment 4 Dan Callaghan 2014-08-07 06:55:23 UTC
Slightly less intrusive steps to reproduce (doesn't require committing and tagging):

1. Clone a task repo, for example http://git.beaker-project.org/cgit/beaker-core-tasks
2. Modify Makefile, for example change a Requires field to have some wrong value
3. Build the task RPM:
        make rpm
4. Check the contents of testinfo.desc inside the built RPM:
        rpm2cpio ./beaker-distribution-install-1.12-1.noarch.rpm | cpio --extract --to-stdout ./mnt/tests/distribution/install/testinfo.desc

Expected results:
Output should *not* show the uncommitted modifications.

Actual results:
Output shows uncommitted modifications.

Comment 7 Dan Callaghan 2014-08-27 06:52:31 UTC
rhts 4.64 has been released.

