Bug 1287946 - ioprocess-0.15.0 tarball md5sum changed between -3 and -4
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: ioprocess
Version: 24
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ---
Target Release: ---
Assigned To: Nir Soffer
QA Contact: Fedora Extras Quality Assurance
Keywords: Security
Depends On:
Blocks: 1333964
Reported: 2015-12-03 00:50 EST by Sandro Bonazzola
Modified: 2016-07-19 05:00 EDT (History)
CC List: 10 users

See Also:
Fixed In Version: ioprocess-0.15.1-1.fc24 ioprocess-0.15.1-1.fc22 ioprocess-0.15.1-1.fc23 ioprocess-0.15.1-1.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Clones: 1333964
Environment:
Last Closed: 2016-05-11 21:29:27 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments:

External Trackers:
Tracker: oVirt gerrit | ID: 50301 | Priority: None | Status: None | Summary: None | Last Updated: 2015-12-17 09:44 EST

Description Sandro Bonazzola 2015-12-03 00:50:09 EST
Description of problem:
http://pkgs.fedoraproject.org/cgit/ioprocess.git/commit/
introduced a new upstream tarball with a different md5sum, stating fixes in the changelog.
The spec file doesn't explain how the tarball has been generated.
Since 0.15.0 was released a long time ago (https://github.com/oVirt/ioprocess/releases/tag/v0.15.0), the md5sum shouldn't have changed.

Marking this as security violation.
Comment 1 Nir Soffer 2016-01-02 11:15:25 EST
(In reply to Sandro Bonazzola from comment #0)
> Description of problem:
> http://pkgs.fedoraproject.org/cgit/ioprocess.git/commit/

Which commit?

> introduced a new upstream tarball with different md5sum stating fixes in
> changelog.
> The spec file doesn't explain how the tarball has been generated.

How can the spec file explain the generation of the tarball?

> Being 0.15.0 released lot of time ago
> (https://github.com/oVirt/ioprocess/releases/tag/v0.15.0) , md5sum shouldn't
> be changed.

Can you explain the issue with the md5? Obviously every release must have a
unique md5sum?

> Marking this as security violation.

How is this a security violation?

The attached patch looks like a mix of unrelated changes.
Comment 2 Sandro Bonazzola 2016-01-19 11:09:02 EST
(In reply to Nir Soffer from comment #1)
> (In reply to Sandro Bonazzola from comment #0)
> > Description of problem:
> > http://pkgs.fedoraproject.org/cgit/ioprocess.git/commit/
> 
> Which commit?

Sorry, http://pkgs.fedoraproject.org/cgit/rpms/ioprocess.git/commit/?id=56373a4a8827019505695e45d5f6208d2634ac4b


> 
> > introduced a new upstream tarball with different md5sum stating fixes in
> > changelog.
> > The spec file doesn't explain how the tarball has been generated.
> 
> How the spec file can explain the generation of the tarball?

Please read https://fedoraproject.org/wiki/Packaging:SourceURL


> 
> > Being 0.15.0 released lot of time ago
> > (https://github.com/oVirt/ioprocess/releases/tag/v0.15.0) , md5sum shouldn't
> > be changed.
> 
> Can you explain the issue with the md5? Obviously every release must have
> unique md5sum?

It's supposed that an upstream tarball, once released, doesn't change its md5sum.
If it's changed, it may have been compromised by someone introducing malicious code.


> > Marking this as security violation.
> 
> How is this security violation?

Please read https://docs.engineering.redhat.com/display/HTD/rpmdiff-upstream


> 
> The attached patch looks like a mix of unrelated changes.

The attached patch was what was required in order to bump the version and make the spec file compliant.

Now we need to release the new version upstream and get the package rebuilt in koji.

Yaniv, do you need assistance releasing upstream and building in koji?
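The point made in comment 2, that a released upstream tarball must keep the checksum that was pinned when it was first packaged, is what a dist-git style `sources` file enforces. The following is an added example, not code from this bug, from ioprocess or from Fedora's own tooling: it parses both line formats that Fedora `sources` files have used (the old `<md5>  <filename>` form and the newer `SHA512 (<filename>) = <hex>` form), hashes a tarball, and refuses a tarball whose digest differs from the pin, flagging an md5-only pin as weak. The tarballs and the `sources` text are constructed in memory; the file names reuse the ioprocess 0.15.0 version only as sample labels.

```python
import gzip
import hashlib
import io
import re
import tarfile

# The two line formats that Fedora dist-git "sources" files have used:
#   old:  "<md5 hex digest>  <filename>"
#   new:  "SHA512 (<filename>) = <hex digest>"
OLD_FORMAT = re.compile(r"^([0-9a-f]{32})\s+(\S+)$")
NEW_FORMAT = re.compile(r"^(SHA\d+|MD5) \((\S+)\) = ([0-9a-f]+)$")


def parse_sources(text):
    """Map each pinned filename to (hash algorithm, expected hex digest)."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = NEW_FORMAT.match(line)
        if m:
            algo, name, digest = m.group(1).lower(), m.group(2), m.group(3)
        else:
            m = OLD_FORMAT.match(line)
            if not m:
                raise ValueError("unrecognised sources line: %r" % line)
            digest, name, algo = m.group(1), m.group(2), "md5"
        pinned[name] = (algo, digest)
    return pinned


def digest_bytes(data, algo):
    """Hex digest of data under the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def verify_tarball(name, data, pinned):
    """Compare a tarball's digest with the pinned one; return (ok, reason)."""
    if name not in pinned:
        return False, "no pinned checksum for %s: refuse to build" % name
    algo, expected = pinned[name]
    actual = digest_bytes(data, algo)
    if actual != expected:
        return False, "%s %s changed: pinned %s, got %s" % (name, algo, expected, actual)
    if algo == "md5":
        # A match is only weak evidence: md5 collisions are practical,
        # so the pin itself should be upgraded to sha512.
        return True, "%s matches pinned md5 (weak; re-pin with sha512)" % name
    return True, "%s matches pinned %s" % (name, algo)


def make_tarball(files):
    """Build a deterministic tar.gz in memory from {path: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    # mtime=0 keeps the gzip header stable so identical contents hash identically.
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for path, content in sorted(files.items()):
                info = tarfile.TarInfo(path)
                info.size = len(content)
                info.mtime = 0
                tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def demo():
    """Pin the release tarball, then detect a regenerated tarball carrying extra content."""
    release = make_tarball({"ioprocess-0.15.0/README": b"ioprocess 0.15.0 release\n"})
    sources = "SHA512 (ioprocess-0.15.0.tar.gz) = %s\n" % digest_bytes(release, "sha512")
    pinned = parse_sources(sources)
    ok_release, _ = verify_tarball("ioprocess-0.15.0.tar.gz", release, pinned)
    # Same version string, but a tarball regenerated with an additional file.
    regenerated = make_tarball({
        "ioprocess-0.15.0/README": b"ioprocess 0.15.0 release\n",
        "ioprocess-0.15.0/extra.c": b"/* not in the released tarball */\n",
    })
    ok_regenerated, reason = verify_tarball("ioprocess-0.15.0.tar.gz", regenerated, pinned)
    return ok_release, ok_regenerated, reason


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, False, reason)`: the pinned release verifies, the regenerated tarball with the same version string does not, and `reason` names the pinned and observed digests so the mismatch can be recorded in a bug like this one rather than silently accepted. Checking against a pin committed earlier is what distinguishes "upstream re-rolled the tarball" from "I downloaded something with a plausible name"; the md5 branch exists because a correct md5 match is still a weaker assurance than a sha512 match.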
Comment 3 Yaniv Bronhaim 2016-02-08 10:06:15 EST
nsoffer is responsible for this package since last month
Comment 4 Allon Mureinik 2016-02-11 09:14:56 EST
Patch seems to be merged.
Do we need anything else there?
Comment 5 Nir Soffer 2016-02-20 14:51:40 EST
Sandro, do we need to do anything else to close this bug?
Comment 6 Jan Kurik 2016-02-24 10:29:34 EST
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase
Comment 7 Sandro Bonazzola 2016-02-26 01:57:34 EST
(In reply to Nir Soffer from comment #5)
> Sandro, do we need to do anything else to close this bug?

Tag ioprocess 0.15.1, release it and build from 0.15.1 tarball.
Comment 8 Mike McCune 2016-03-28 19:14:23 EDT
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions
Comment 9 Fedora Update System 2016-05-06 15:41:22 EDT
ioprocess-0.15.1-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce259a07cc
Comment 10 Fedora Update System 2016-05-06 16:21:34 EDT
ioprocess-0.15.1-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-609627f8f5
Comment 11 Fedora Update System 2016-05-06 17:06:44 EDT
ioprocess-0.15.1-1.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-d049ad1118
Comment 12 Fedora Update System 2016-05-06 17:14:04 EDT
ioprocess-0.15.1-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-68a9b02b43
Comment 13 Fedora Update System 2016-05-07 12:21:43 EDT
ioprocess-0.15.1-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-68a9b02b43
Comment 14 Fedora Update System 2016-05-07 12:51:20 EDT
ioprocess-0.15.1-1.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-d049ad1118
Comment 15 Fedora Update System 2016-05-07 12:55:23 EDT
ioprocess-0.15.1-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-609627f8f5
Comment 16 Fedora Update System 2016-05-07 13:26:35 EDT
ioprocess-0.15.1-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce259a07cc
Comment 17 Fedora Update System 2016-05-11 21:29:21 EDT
ioprocess-0.15.1-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2016-05-16 18:23:38 EDT
ioprocess-0.15.1-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2016-05-16 18:26:37 EDT
ioprocess-0.15.1-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 20 Fedora Update System 2016-05-23 10:17:10 EDT
ioprocess-0.15.1-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
Comment 21 Elad 2016-07-14 07:48:15 EDT
Hi Nir, can you please elaborate on verification flow here? Thanks
Comment 22 Nir Soffer 2016-07-14 10:40:57 EDT
(In reply to Elad from comment #21)
> Hi Nir, can you please elaborate on verification flow here? Thanks

I don't think any verification is needed.

Sandro, can you explain how to verify this change?
Comment 23 Sandro Bonazzola 2016-07-19 05:00:55 EDT
(In reply to Nir Soffer from comment #22)
> (In reply to Elad from comment #21)
> > Hi Nir, can you please elaborate on verification flow here? Thanks
> 
> I don't think any verification is needed.
> 
> Sandro, can you explain how to verify this change?

0.15.1 has been released so nothing to check here.
