Bug 1333964 - ioprocess-0.15.0 tarball md5sum changed between -3 and -4
Summary: ioprocess-0.15.0 tarball md5sum changed between -3 and -4
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ioprocess
Version: 4.0.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ovirt-4.0.0-beta
Target Release: 4.0.0
Assignee: Nir Soffer
QA Contact: Aharon Canan
URL:
Whiteboard:
Depends On: 1287946
Blocks:
Reported: 2016-05-06 20:07 UTC by Nir Soffer
Modified: 2016-07-21 07:46 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 1287946
Environment:
Last Closed: 2016-07-21 07:46:31 UTC
oVirt Team: Storage
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:1703 0 normal SHIPPED_LIVE ioprocess bug fix and enhancement update for RHV 4.0 2016-08-24 00:35:20 UTC
oVirt gerrit 50301 0 None None None 2016-05-06 20:07:39 UTC

Description Nir Soffer 2016-05-06 20:07:39 UTC
+++ This bug was initially created as a clone of Bug #1287946 +++

Description of problem:
http://pkgs.fedoraproject.org/cgit/ioprocess.git/commit/
introduced a new upstream tarball with a different md5sum, stating fixes in the changelog.
The spec file doesn't explain how the tarball has been generated.
Since 0.15.0 was released a long time ago (https://github.com/oVirt/ioprocess/releases/tag/v0.15.0), the md5sum shouldn't have changed.

Marking this as security violation.

--- Additional comment from Nir Soffer on 2016-01-02 11:15:25 EST ---

(In reply to Sandro Bonazzola from comment #0)
> Description of problem:
> http://pkgs.fedoraproject.org/cgit/ioprocess.git/commit/

Which commit?

> introduced a new upstream tarball with different md5sum stating fixes in
> changelog.
> The spec file doesn't explain how the tarball has been generated.

How can the spec file explain the generation of the tarball?

> Being 0.15.0 released lot of time ago
> (https://github.com/oVirt/ioprocess/releases/tag/v0.15.0) , md5sum shouldn't
> be changed.

Can you explain the issue with the md5? Obviously every release must have a
unique md5sum?

> Marking this as security violation.

How is this a security violation?

The attached patch looks like a mix of unrelated changes.

--- Additional comment from Sandro Bonazzola on 2016-01-19 11:09:02 EST ---

(In reply to Nir Soffer from comment #1)
> (In reply to Sandro Bonazzola from comment #0)
> > Description of problem:
> > http://pkgs.fedoraproject.org/cgit/ioprocess.git/commit/
> 
> Which commit?

Sorry, http://pkgs.fedoraproject.org/cgit/rpms/ioprocess.git/commit/?id=56373a4a8827019505695e45d5f6208d2634ac4b


> 
> > introduced a new upstream tarball with different md5sum stating fixes in
> > changelog.
> > The spec file doesn't explain how the tarball has been generated.
> 
> How the spec file can explain the generation of the tarball?

Please read https://fedoraproject.org/wiki/Packaging:SourceURL


> 
> > Being 0.15.0 released lot of time ago
> > (https://github.com/oVirt/ioprocess/releases/tag/v0.15.0) , md5sum shouldn't
> > be changed.
> 
> Can you explain the issue with the md5? Obviously every release must have
> unique md5sum?

It's supposed that an upstream tarball, once released, doesn't change its md5sum.
If it's changed, it may have been compromised by someone introducing malicious code.


> > Marking this as security violation.
> 
> How is this security violation?

Please read https://docs.engineering.redhat.com/display/HTD/rpmdiff-upstream


> 
> The attached patch looks like a mix of unrelated changes.

Attached patch was what was required in order to bump version and make the spec file compliant.

Now, we need to release the new version upstream and get the package rebuilt in koji.

Yaniv, do you need assistance releasing upstream and building in koji?

--- Additional comment from Yaniv Bronhaim on 2016-02-08 10:06:15 EST ---

nsoffer is responsible for this package since last month

--- Additional comment from Allon Mureinik on 2016-02-11 09:14:56 EST ---

Patch seems to be merged.
Do we need anything else there?

--- Additional comment from Nir Soffer on 2016-02-20 14:51:40 EST ---

Sandro, do we need to do anything else to close this bug?

--- Additional comment from Jan Kurik on 2016-02-24 10:29:34 EST ---

This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase

--- Additional comment from Sandro Bonazzola on 2016-02-26 01:57:34 EST ---

(In reply to Nir Soffer from comment #5)
> Sandro, do we need to do anything else to close this bug?

Tag ioprocess 0.15.1, release it and build from 0.15.1 tarball.

--- Additional comment from Mike McCune on 2016-03-28 19:14:23 EDT ---

This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

--- Additional comment from Fedora Update System on 2016-05-06 15:41:22 EDT ---

ioprocess-0.15.1-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce259a07cc
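The check Sandro describes above (a released tarball must keep the digest recorded when it was first imported, and any change is treated as a possible compromise) can be automated in the packager's build path. The script below is an added example, not code from the ioprocess project or from Fedora's tooling; it assumes a dist-git style `sources` record (either the `SHA512 (name) = hex` form or the older `md5hex  name` form) and uses small constructed tar archives in place of the real ioprocess-0.15.0 tarballs.

```python
import hashlib
import io
import tarfile

def make_tarball(files):
    """Build a plain (uncompressed) tar archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0  # fixed so the archive bytes are reproducible
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def parse_sources(text):
    """Parse a dist-git style 'sources' file into {tarball: (algo, hexdigest)}.
    Handles the newer 'SHA512 (name) = hex' form and the older 'md5hex  name' form."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "(" in line and "=" in line:
            algo, rest = line.split(None, 1)
            name = rest[rest.index("(") + 1:rest.index(")")]
            pinned[name] = (algo.lower(), rest.split("=", 1)[1].strip())
        else:
            hexdigest, name = line.split()
            pinned[name] = ("md5", hexdigest)
    return pinned

def verify_tarball(name, data, pinned):
    """Return (ok, reason): refuse unrecorded tarballs and any digest mismatch."""
    if name not in pinned:
        return False, "%s has no pinned digest; refusing to build from it" % name
    algo, expected = pinned[name]
    actual = hashlib.new(algo, data).hexdigest()
    if actual != expected:
        return False, "%s %s mismatch: pinned %s, got %s" % (name, algo, expected, actual)
    return True, "%s matches pinned %s" % (name, algo)

# Constructed stand-ins (not the real ioprocess archives): released vs. regenerated tarball.
ORIGINAL = make_tarball({"ioprocess-0.15.0/README": b"ioprocess 0.15.0\n"})
REGENERATED = make_tarball({"ioprocess-0.15.0/README": b"ioprocess 0.15.0\n",
                            "ioprocess-0.15.0/ChangeLog": b"- fixes\n"})
# Digest a packager records next to the spec when the release is first imported.
SOURCES = "SHA256 (ioprocess-0.15.0.tar) = %s\n" % hashlib.sha256(ORIGINAL).hexdigest()
PINNED = parse_sources(SOURCES)
```

Running `verify_tarball("ioprocess-0.15.0.tar", REGENERATED, PINNED)` reports a mismatch even though the regenerated archive only gained a changelog file, which is exactly the condition that should stop a build rather than be quietly accepted with a spec bump.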

Comment 1 Aharon Canan 2016-07-19 13:48:06 UTC
Sandro, can I close this one like we did on https://bugzilla.redhat.com/show_bug.cgi?id=1287946#c22 ?

Comment 2 Sandro Bonazzola 2016-07-20 14:42:03 UTC
Yes, I think so.
