Bug 1404194 - fedpkg new-sources complains about 302 to https://src.fedoraproject.org/repo/pkgs/upload.cgi
Summary: fedpkg new-sources complains about 302 to https://src.fedoraproject.org/repo/...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: fedpkg
Version: 24
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: ---
Assignee: cqi
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-12-13 10:02 UTC by Jan Pazdziora
Modified: 2017-03-02 12:07 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-03-02 12:07:18 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Jan Pazdziora 2016-12-13 10:02:35 UTC
Description of problem:

On freshly installed fedpkg setup (with fresh /etc/rpkg/fedpkg.conf), attempt to run

   fedpkg new-sources name-version.tar.gz

fails with

Could not execute new_sources: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://src.fedoraproject.org/repo/pkgs/upload.cgi">here</a>.</p>
</body></html>

Version-Release number of selected component (if applicable):

fedpkg-1.25-1.fc24.noarch

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have some file around that you want to upload to the lookaside cache.
2. Run fedpkg new-sources name-version.tar.gz

Actual results:

Could not execute new_sources: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://src.fedoraproject.org/repo/pkgs/upload.cgi">here</a>.</p>
</body></html>

Expected results:

No error.

Additional info:

If the code cannot or does not want to handle the redirect, I should likely ship

lookaside_cgi = https://src.fedoraproject.org/repo/pkgs/upload.cgi

in etc/rpkg/fedpkg.conf.

Comment 1 Lubomír Sedlář 2016-12-13 10:36:17 UTC
Please try with fedpkg-1.26-3 and pyrpkg-1.47-5 from updates-testing.

This is related to using well known SSL certificate:
https://fedoraproject.org/wiki/ReleaseEngineering/FlagDay2016

Comment 2 Jan Pazdziora 2016-12-13 10:59:54 UTC
Thanks, that changed the response to

Could not execute new_sources: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>

which I assume is a good thing.

Comment 3 Antonio T. (sagitter) 2016-12-13 11:15:47 UTC
Same problem on fedora 25.

Version-Release number of selected component (if applicable):
fedpkg-1.25-1.fc25.noarch

Comment 4 Lubomír Sedlář 2016-12-13 11:17:08 UTC
That is on it's way to be a good thing. It means you most likely don't have a kerberos ticket. It can be obtained by
    kinit <your_fas_login>@FEDORAPROJECT.ORG

Also, to be sure building works correctly, make sure you have koji-1.11.0-1 installed and /etc/koji.conf is up-to-date.

Comment 5 Michal Schorm 2016-12-15 11:22:48 UTC
(In reply to Lubomír Sedlář from comment #1)
> Please try with fedpkg-1.26-3 and pyrpkg-1.47-5 from updates-testing.

I encountered the same issue.
I confirm, that I updated those 2 packages and it works fine now.

Comment 6 Karel Volný 2016-12-15 15:51:43 UTC
(In reply to Lubomír Sedlář from comment #4)
> That is on it's way to be a good thing. It means you most likely don't have
> a kerberos ticket. It can be obtained by
>     kinit <your_fas_login>@FEDORAPROJECT.ORG

hmmmmm ....

$ kinit kvolny
Password for kvolny: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
kinit: Cannot find KDC for realm "FEDORAPROJECT.ORG" while getting initial credentials

> Also, to be sure building works correctly, make sure you have koji-1.11.0-1

$ rpm -q koji
koji-1.11.0-1.fc25.noarch

> installed and /etc/koji.conf is up-to-date.

which means ...?

$ stat -c %y /etc/koji.conf
2016-12-09 15:55:40.000000000 +0100

... raising priority/severity, hope someone can resolve this quickly, it blocks me from fixing security vulnerability (arbitrary code execution) :-(

Comment 7 Jan Pazdziora 2016-12-15 15:59:24 UTC
Make sure you have

$ rpm -qf /etc/krb5.conf.d/fedoraproject_org 
fedora-packager-0.6.0.0-1.fc25.noarch

Also, check that your /etc/krb5.conf has

includedir /etc/krb5.conf.d/

in it. If you've tweaked /etc/krb5.conf, the stock might be in /etc/krb5.conf.rpmnew.

Comment 8 Karel Volný 2016-12-15 16:23:35 UTC
(In reply to Jan Pazdziora from comment #7)
> Make sure you have

thanks, but:

> $ rpm -qf /etc/krb5.conf.d/fedoraproject_org 
> fedora-packager-0.6.0.0-1.fc25.noarch

$ rpm -qf /etc/krb5.conf.d/fedoraproject_org
fedora-packager-0.6.0.0-1.fc25.noarch

> Also, check that your /etc/krb5.conf has
> 
> includedir /etc/krb5.conf.d/
> 
> in it. If you've tweaked /etc/krb5.conf, the stock might be in
> /etc/krb5.conf.rpmnew.

$ grep includedir /etc/krb5.conf
includedir /etc/krb5.conf.d/

... other suggestions?

Comment 9 Lubomír Sedlář 2016-12-16 08:07:39 UTC
You could try going through Kerberos information from Fedora Infrastructure team.
https://fedoraproject.org/wiki/Infrastructure/Kerberos
This is not a bug in fedpkg, so please follow up on #fedora-infra on IRC or file a ticket at
https://pagure.io/fedora-infrastructure/

Comment 10 Karel Volný 2016-12-16 08:20:58 UTC
sorry, but throwing html source at the user, as described in comment #2, really is not a nice thing to do, no matter what configuration did the user omit

Comment 11 cqi 2016-12-16 08:23:16 UTC
Hi Karel, how about use another bug to track this improvement?

Comment 12 Karel Volný 2016-12-16 08:27:28 UTC
why? - look at the description again, this one started exactly with the same problem, fedpkg outputting html source instead of handling that more gracefully

Comment 13 Fedora Admin XMLRPC Client 2017-02-21 16:41:56 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 14 cqi 2017-02-28 08:08:32 UTC
Hi Karel, could you please have a look at the problem you mentioned in comment 12? Currently, fedpkg is able to handle the error and not throw HTML source to user.

Comment 15 Karel Volný 2017-03-02 11:48:07 UTC
(In reply to cqi from comment #14)
> Hi Karel, could you please have a look at the problem you mentioned in
> comment 12? Currently, fedpkg is able to handle the error and not throw HTML
> source to user.

well, obviously I cannot reproduce the original problem, however trying new-sources without valid ticket, I'm now getting

Could not execute new_sources: Request is unauthorized.

which looks much better than the output in comment #2, thanks

Comment 16 cqi 2017-03-02 12:07:18 UTC
Thanks for you feedback.


Note You need to log in before you can comment on or make changes to this bug.