Mailinglist Archive: opensuse (3337 mails)

Re: [SLE] ...packages/SOURCES: getting full?; prod588.spec vs prod.spec; security concerns
  • From: Linda Walsh <suse@xxxxxxxxx>
  • Date: Mon, 03 Apr 2006 21:22:02 -0700
  • Message-id: <4431F46A.7070100@xxxxxxxxx>
Philipp Thomas wrote:
> It would cause major disruption as that change would have to be done
> inside the rpm utility and SUSE is not going to deviate here from the
> standard rpm.
---
How would it cause any disruption? Let alone, major?

> I guess you're rather alone there as I've not seen others complain.
I'm usually one of the first to see potential conflicts that
could result in unnecessary headaches or security problems, but
then that's just my curse.

>> and significantly less of a security problem.
> AFAICS, there is no security problem! So please tell me where you think
> one exists.
>> It isn't unlikely that 2 different packages might have the same name
>> for some source
> Wrong! It's *very* unlikely for 2 different packages having the same
> name.
----
Here is where we differ.
In SuSE 9.3, I count 265 different names that are duplicated
in two or more packages. All told, 503 duplicate names.

In SuSE 10.0, that figure goes up: 430 unique names that are
duplicated, 969 duplications.

That many occurrences fits my definition of "not unlikely".

Unlikely != impossible. All you need is 1 duplicate source
filename with different contents in two different packages that
are built at the same time on the same machine and you will
end up with the wrong contents in one of the packages. If you
are lucky, the impact will be zero, if you are unlucky, the
patch will patch in code that compiles but has latent bugs waiting
to be exposed. At the very least, though, you end up with RPMs
built from wrong sources. It's a potential security concern,
waiting to happen.
If it is required to only unpackage the sources
for 1 RPM at a time, then RPM should clean out the SOURCES directory
before unpacking new sources into it, but this would prevent
parallel RPM builds, would it not?

It seems common to build more than one RPM at a time on a
multi-cpu machine. Not using separate subdirs for SOURCES would
be only slightly more safe than not using separate subdirs in the
BUILD directory.

> Yes, that's much more possible, but that's why most patches nowadays
> *have* the name of the package prepended.
---
Some do, some don't. There is no enforcement or standard.

Try this (bash shell):

(for i in <sourcedir>/*.src.rpm; do
    rpm -qlp "$i"
done) > allsources.txt

That should dump about 15,000+ source file names into
allsources.txt. From there you can use "sort" into "uniq -dc"
and you'll see plenty of source-filename duplications.

You also will not be able to tell which source rpm most of
the names come from.

If there is no parallelism in distribution builds, this may not
be an issue for those builds, but for anyone unwrapping, looking
at, and/or building more than one RPM at a time on the same
machine, it's a potential pitfall.

-linda walsh
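As an added example (not part of Linda Walsh's mail, nor code from the rpm project), the script below extends the `rpm -qlp` / `sort` / `uniq -dc` recipe from the mail so that every duplicated source filename is reported together with the SRPMs that carry it, which is exactly the origin information the mail notes is lost. The SRPM and source file names in the sample listing are constructed stand-ins for real `rpm -qlp` output; `list_srpm_sources` needs the real rpm tool and is not exercised in the stand-alone run.

```shell
#!/bin/sh
# Added example: report source filenames shared by more than one SRPM,
# with the SRPMs that carry them. All package/file names below are constructed.

TAB=$(printf '\t')

# Constructed stand-in for `rpm -qlp` output over a directory of SRPMs,
# one "srpm<TAB>source-file" pair per line (hypothetical packages).
SAMPLE_LISTING="foo-1.0-1.src.rpm${TAB}foo-1.0.tar.bz2
foo-1.0-1.src.rpm${TAB}foo.spec
foo-1.0-1.src.rpm${TAB}config.patch
bar-2.1-3.src.rpm${TAB}bar-2.1.tar.gz
bar-2.1-3.src.rpm${TAB}bar.spec
bar-2.1-3.src.rpm${TAB}config.patch
baz-0.9-2.src.rpm${TAB}baz-0.9.tar.gz
baz-0.9-2.src.rpm${TAB}baz.spec
baz-0.9-2.src.rpm${TAB}Makefile.patch
qux-3.2-1.src.rpm${TAB}qux.spec
qux-3.2-1.src.rpm${TAB}Makefile.patch
qux-3.2-1.src.rpm${TAB}config.patch"

# list_srpm_sources DIR
# Emit "srpm<TAB>file" lines for every *.src.rpm in DIR, keeping the origin
# that a plain `rpm -qlp` dump loses. Needs the rpm tool (not run below).
list_srpm_sources() {
    for srpm in "$1"/*.src.rpm; do
        [ -e "$srpm" ] || continue
        rpm -qlp "$srpm" | awk -v s="$(basename "$srpm")" '{ print s "\t" $0 }'
    done
}

# report_duplicates
# Read "srpm<TAB>file" lines on stdin; for each source filename carried by
# two or more distinct SRPMs print "count<TAB>file<TAB>srpm1 srpm2 ...",
# sorted by filename (C locale, so the order is the same everywhere).
# The same file listed twice inside one SRPM is not a cross-package
# collision and is counted once.
report_duplicates() {
    awk -F'\t' '
        {
            key = $2 SUBSEP $1
            if (key in seen) next
            seen[key] = 1
            n[$2]++
            if ($2 in owners) owners[$2] = owners[$2] " " $1
            else owners[$2] = $1
        }
        END {
            for (f in n)
                if (n[f] > 1) printf "%d\t%s\t%s\n", n[f], f, owners[f]
        }' | LC_ALL=C sort -t "$TAB" -k2,2
}

# duplicate_summary
# Reduce the report to the two figures the mail quotes per release:
# "<names duplicated> <total occurrences of those names>".
duplicate_summary() {
    report_duplicates | awk -F'\t' '{ names++; total += $1 }
        END { printf "%d %d\n", names + 0, total + 0 }'
}

# On a real tree:  list_srpm_sources /path/to/srpms | report_duplicates
# Stand-alone run on the constructed sample:
printf '%s\n' "$SAMPLE_LISTING" | report_duplicates
printf '%s\n' "$SAMPLE_LISTING" | duplicate_summary
```

With the constructed listing, `config.patch` is reported as carried by three SRPMs and `Makefile.patch` by two, and the summary line reads `2 5`. Feeding the report into a build wrapper that refuses to unpack a source whose name is already present in a shared SOURCES directory, or that uses a per-package SOURCES subdirectory, is the check the mail's parallel-build concern calls for.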