Bug 1333964 - ioprocess-0.15.0 tarball md5sum changed between -3 and -4
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ioprocess
4.0.0
Unspecified Unspecified
unspecified Severity urgent
: ovirt-4.0.0-beta
: 4.0.0
Assigned To: Nir Soffer
Aharon Canan
:
Depends On: 1287946
Blocks:
Reported: 2016-05-06 16:07 EDT by Nir Soffer
Modified: 2016-07-21 03:46 EDT

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1287946
Environment:
Last Closed: 2016-07-21 03:46:31 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Storage
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 50301 None None None 2016-05-06 16:07 EDT
Red Hat Product Errata RHBA-2016:1703 normal SHIPPED_LIVE ioprocess bug fix and enhancement update for RHV 4.0 2016-08-23 20:35:20 EDT

Description Nir Soffer 2016-05-06 16:07:39 EDT
+++ This bug was initially created as a clone of Bug #1287946 +++

Description of problem:
http://pkgs.fedoraproject.org/cgit/ioprocess.git/commit/
introduced a new upstream tarball with different md5sum stating fixes in changelog.
The spec file doesn't explain how the tarball has been generated.
Being 0.15.0 released lot of time ago (https://github.com/oVirt/ioprocess/releases/tag/v0.15.0) , md5sum shouldn't be changed.

Marking this as security violation.

--- Additional comment from Nir Soffer on 2016-01-02 11:15:25 EST ---

(In reply to Sandro Bonazzola from comment #0)
> Description of problem:
> http://pkgs.fedoraproject.org/cgit/ioprocess.git/commit/

Which commit?

> introduced a new upstream tarball with different md5sum stating fixes in
> changelog.
> The spec file doesn't explain how the tarball has been generated.

How the spec file can explain the generation of the tarball?

> Being 0.15.0 released lot of time ago
> (https://github.com/oVirt/ioprocess/releases/tag/v0.15.0) , md5sum shouldn't
> be changed.

Can you explain the issue with the md5? Obviously every release must have
unique md5sum?

> Marking this as security violation.

How is this security violation?

The attached patch looks like a mix of unrelated changes.

--- Additional comment from Sandro Bonazzola on 2016-01-19 11:09:02 EST ---

(In reply to Nir Soffer from comment #1)
> (In reply to Sandro Bonazzola from comment #0)
> > Description of problem:
> > http://pkgs.fedoraproject.org/cgit/ioprocess.git/commit/
> 
> Which commit?

Sorry, http://pkgs.fedoraproject.org/cgit/rpms/ioprocess.git/commit/?id=56373a4a8827019505695e45d5f6208d2634ac4b


> 
> > introduced a new upstream tarball with different md5sum stating fixes in
> > changelog.
> > The spec file doesn't explain how the tarball has been generated.
> 
> How the spec file can explain the generation of the tarball?

Please read https://fedoraproject.org/wiki/Packaging:SourceURL


> 
> > Being 0.15.0 released lot of time ago
> > (https://github.com/oVirt/ioprocess/releases/tag/v0.15.0) , md5sum shouldn't
> > be changed.
> 
> Can you explain the issue with the md5? Obviously every release must have
> unique md5sum?

It's supposed that an upstream tarball, once released, doesn't change its md5sum.
If it's changed, it may have been compromised by someone introducing malicious code.


> > Marking this as security violation.
> 
> How is this security violation?

Please read https://docs.engineering.redhat.com/display/HTD/rpmdiff-upstream


> 
> The attached patch looks like a mix of unrelated changes.

Attached patch was what was required in order to bump version and make the spec file compliant.

Now, need to release the new version upstream and get the package rebuilt in koji.

Yaniv, do you need assistance releasing upstream and building in koji?

--- Additional comment from Yaniv Bronhaim on 2016-02-08 10:06:15 EST ---

nsoffer is responsible for this package since last month

--- Additional comment from Allon Mureinik on 2016-02-11 09:14:56 EST ---

Patch seems to be merged.
Do we need anything else there?

--- Additional comment from Nir Soffer on 2016-02-20 14:51:40 EST ---

Sandro, do we need to do anything else to close this bug?

--- Additional comment from Jan Kurik on 2016-02-24 10:29:34 EST ---

This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase

--- Additional comment from Sandro Bonazzola on 2016-02-26 01:57:34 EST ---

(In reply to Nir Soffer from comment #5)
> Sandro, do we need to do anything else to close this bug?

Tag ioprocess 0.15.1, release it and build from 0.15.1 tarball.

--- Additional comment from Mike McCune on 2016-03-28 19:14:23 EDT ---

This bug was accidentally moved from POST to MODIFIED via an error in automation. Please see mmccune@redhat.com with any questions.

--- Additional comment from Fedora Update System on 2016-05-06 15:41:22 EDT ---

ioprocess-0.15.1-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce259a07cc
Comment 1 Aharon Canan 2016-07-19 09:48:06 EDT
Sandro, can I close this one like we did on https://bugzilla.redhat.com/show_bug.cgi?id=1287946#c22?
Comment 2 Sandro Bonazzola 2016-07-20 10:42:03 EDT
Yes, I think so.
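
The concern raised in the thread above, that a released tarball whose checksum changes may have had code introduced into it, can be triaged by comparing the old and new archives member by member. This is an added example, not part of the bug report or of ioprocess; the file names and contents are constructed, and it assumes the previously published tarball is still available for comparison.

```python
import hashlib
import io
import tarfile

def build_tarball(files, mtime):
    """Constructed sample input: in-memory .tar.gz built from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def archive_digest(blob):
    """Digest of the tarball bytes, the value a packager pins for a release."""
    return hashlib.sha256(blob).hexdigest()

def member_fingerprints(blob):
    """Map every member to (type, mode, link target, SHA-256 of content).
    Timestamps and owner ids are ignored: they change on a plain repack."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for m in tar:  # read in memory only, nothing is extracted to disk
            body = tar.extractfile(m).read() if m.isfile() else b""
            out[m.name] = (m.type, m.mode, m.linkname,
                           hashlib.sha256(body).hexdigest())
    return out

def classify(pinned_blob, new_blob):
    """Return (verdict, changed_paths) for a re-published same-version tarball."""
    if archive_digest(pinned_blob) == archive_digest(new_blob):
        return "identical", []
    old, new = member_fingerprints(pinned_blob), member_fingerprints(new_blob)
    changed = sorted(p for p in old.keys() | new.keys()
                     if old.get(p) != new.get(p))
    return ("content-changed" if changed else "repacked-only"), changed

# Constructed samples standing in for two uploads of the same version.
BASE = {"ioprocess-0.15.0/README": b"sample readme\n",
        "ioprocess-0.15.0/src/main.c": b"int main(void) { return 0; }\n"}
ORIGINAL = build_tarball(BASE, mtime=1000)
REPACKED = build_tarball(BASE, mtime=2000)  # same files, new timestamps
MODIFIED = build_tarball(
    {**BASE, "ioprocess-0.15.0/src/main.c": b"int main(void) { return 1; }\n"},
    mtime=1000)

if __name__ == "__main__":
    for label, blob in (("repacked", REPACKED), ("modified", MODIFIED)):
        print(label, classify(ORIGINAL, blob))
```

A "content-changed" verdict lists the paths that need review before the package is rebuilt; either non-identical verdict still means the pinned checksum no longer matches what upstream serves.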
