November 2019 - openSUSE Factory - openSUSE Mailing Lists

[opensuse-factory] Can we assume that /bin/sh is bash?
by Martin Wilck 21 Mar '22

21 Mar '22

Hi Jan, all, I'd like to carry our OBS dicussion to a wider audience (https://build.opensuse.org/request/show/672510). The question is whether we can assume that "/bin/sh" links to bash, in particular whether rpm scriptlets without explicit -p interpreter can be assumed to interpreted by bash. I'm aware that, in principle, /bin/sh is supposed to be the Bourne shell on Unix systems. But as a matter of fact, on current openSUSE, it is not. Unless it's tampered with, /bin/sh is a symlink to /bin/bash. bash is not started in full POSIX mode if invoked as /bin/sh, and even if it's in POSIX mode, it supports some extensions over the POSIX shell spec (e.g. the [[ ]] construct), which makes it behave differently than another shell not supporting [[ ]] would (*). Problably there are more differences, I can't claim to know them all. Here are some arguments why I think it'd be reasonable to assume that /bin/sh is bash on openSUSE: 1. patterns-base-minimal_base depends on bash, and the /bin/sh symlink is a non-configurable part of the "bash" package. 2. we could handle /bin/sh via /etc/alternatives, but we don't. 3. our Wiki suggests testing failing scriplets using "bash -xv" (https://en.opensuse.org/openSUSE:Packaging_scriptlet_snippets) 4. /bin/sh has pointed to bash for a long time (not sure how long exactly). FTR, Fedora basically guarantees (sh == bash) for the purpose of rpm scriptlets (https://fedoraproject.org/wiki/Packaging:Scriptlets). So Fedora <-> openSUSE portability may also be an issue to consider. If we can't assume that /bin/sh is bash, what else can we assume? I recall from earlier work that writing really 100% compatible shell code for all kinds of environments is really hard. E.g., "[" isn't 100% portable either, even though it's part of the POSIX "test" standard (http://pubs.opengroup.org/onlinepubs/9699919799/utilities/test.html). We should have clear rules which syntax expressions can be used in rpm scriptlets, and which can't. IMO we should define one of the various existing shells as a reference by saying "if it's supported by this shell, it's valid scriptlet code". That'd be easier (especially for testing compliance) than referring to a spec. That reference shell doesn't have to be bash, of course. Thanks Martin (*) For example: # ln -s /usr/bin/echo '/usr/bin/[[' # ls -l /bin/sh lrwxrwxrwx 1 root root 4 Feb 8 10:38 /bin/sh -> bash # /bin/sh --posix -c '[[ 2 = 1 ]] && echo yes' # dash -c '[[ 2 = 1 ]] && echo yes' 2 -eq 1 ]] yes -- Dr. Martin Wilck <mwilck(a)suse.com>, Tel. +49 (0)911 74053 2107 SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton HRB 21284 (AG Nürnberg) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-factory+owner(a)opensuse.org

25 147

[opensuse-factory] openSUSE:Factory git mirror update
by Bernhard M. Wiedemann 04 Oct '21

04 Oct '21

Hi, our experimental git mirror of openSUSE:Factory got a new feature: It now makes single commits from most individual updates with some useful info in the commit message. This makes the whole history much nicer to read: https://github.com/bmwiedemann/openSUSE/commits/master In the usual case of SRs it links back to the SR on OBS, because that is where most of the discussion might have happened: https://github.com/bmwiedemann/openSUSE/commit/d1afc9699 but sometimes direct commits happen and they are shown with the commit message and a link to the OBS change https://github.com/bmwiedemann/openSUSE/commit/b2786e5c8 Ideas for future work: In theory we could also track these packages' devel projects on a 'devel' branch In a similar fashion we could also track openSUSE:Leap:15.* on stable/leap15_N branches to allow offline diff We could try to enable osc build to work from such git dirs. Either this uses the OBS server-side logic to resolve dependencies to get the usual .osc/_buildinfo* and .osc/_buildconfig* files or we re-implement or re-use OBS server logic to allow builds when offline. And then (in the foggy far future) it would be possible to make a gateway back from github pull-requests or gitlab merge-requests to submitting SRs in OBS. Or we re-think how OBS handles its source files until then. See https://www.youtube.com/watch?v=iY_ADUQiiQI&t=787 Ciao Bernhard M.

4 8

[opensuse-factory] Too many packages to process
by Vojtěch Zeisek 12 Mar '21

12 Mar '21

I'm not sure, if this is bug or feature... After few days, update applet (TW, KDE) says there are 6843 new updates (TeX, R, ... ;-). When I click to "Install updates" error "Too many packages to process (6843/5200)" appears. Zypper handles it well. Is it worth of bug report? To b.o.o? Yours, V. -- Vojtěch Zeisek Komunita openSUSE GNU/Linuxu Community of the openSUSE GNU/Linux https://www.opensuse.org/ https://trapa.cz/

8 10

[opensuse-factory] Default browser: chromium?
by Tomas Chvatal 09 Jan '20

09 Jan '20

Hi, Let the flamewar begin! No really I was now watching the people rightfully complaining I've sent a borked chromium to latest TW snapshot and was wondering how popular the browsers are and whether we should not set the chromium instead of firefox as default or to keep them both on the dvd tested... In order to even start some process lets all vote in a poll for what is your default browser between the two (yes yes you can use the Vivaldi or even w3m, but honestly the chromium or ff are the two used by the majority of the people around). So if I could get you to vote in my lovely poll: https://doodle.com/poll/nnn53kkryghdvc84 I will make the results hidden so people won't start to game the system too much and the results will be announced here at the beginning of the October. Cheers Tom

27 49

[opensuse-factory] Default Java
by Bernd Ritter 08 Jan '20

08 Jan '20

Hi there, just wanted to let you guysome days ago I wondered what the default java version would be. It should be Java 11. So I've installed a clean leap beta installation. I've installed java-openjdk-10, java-openjdk-11, java-openjdk-1_8_0. Same with the equivalent devel packages. The default java version is Java 11 both with "java" and "javac" via update-alternatives. So everything's fine. I've updated the wiki page accordingly (https://en.opensuse.org/Features_15.1#Java). Does anyone know why there is no Apache Maven available in the default packages? There is this "maven-local", which I think is not the maven program itself. Cheers, Bernd -- To unsubscribe, e-mail: opensuse-factory+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-factory+owner(a)opensuse.org

4 3

[opensuse-factory] openSUSE reproducible builds status 2019-01
by Bernhard M. Wiedemann 23 Dec '19

23 Dec '19

Hi, last month's status: https://lists.opensuse.org/opensuse-factory/2018-12/msg00171.html Last months' r-b project updates (including my work): https://reproducible-builds.org/blog/posts/195/ https://reproducible-builds.org/blog/posts/194/ https://reproducible-builds.org/blog/posts/193/ https://reproducible-builds.org/blog/posts/192/ I uploaded https://rb.zq1.de/compare.factory-20190125/ today and rbstats are: total-packages: 11298 build-tried: 11297 build-failed: 37 build-n-a: 107 build-succeeded: 11153 build-official-failed+na: 85 build-compare-failed: 283 build-compare-succeeded: 10870 bit-by-bit-identical: 10605 not-bit-by-bit-identical: 538 Fixed core packages since last month: breeze5-icons dolphin libqt5-qtwebkit wireshark syntax-highlighting: Qt rcc/qrc fix merged in Factory https://build.opensuse.org/request/show/663360 also fixed dozens others like bitcoin. opa-ff CPU-detection via -march=native https://build.opensuse.org/request/show/661771 gengetopt https://build.opensuse.org/request/show/661735 nearly fixed: pcre2 PGO/parallelism https://build.opensuse.org/request/show/668163 perl: ASLR-induced randomness https://build.opensuse.org/request/show/668211 --- ring0 --- acl gcc7 gcc8 --- ring1 --- MozillaFirefox MozillaThunderbird ant bsf colord emacs firebird gconf2-branding-openSUSE gdb gimp gnome-documents go1.10 go1.11 groff-full grub2 hamcrest installation-images java-11-openjdk java-1_8_0-openjdk jing-trang jtidy junit junitperf kernel-debug kernel-default kernel-vanilla kubernetes libkolabxml libqt5-qtscript libreoffice mono-core mozilla-nss pcp php7 python-base python3-base qdox release-notes-openSUSE ruby2.5 rubygem-gem2rpm rust scons transfig virtualbox xmlbeans yodl If you are interested in why they vary: acl: date+time in /usr/share/locale/en(a)boldquot/LC_MESSAGES/acl.mo -PO-Revision-Date: 2018-10-23 01:45+0000 +PO-Revision-Date: 2033-11-24 15:01+0000 gcc7 gcc8: indeterminism from PGO/parallelism + mtime. See also https://github.com/bmwiedemann/theunreproduciblepackage/tree/master/pgo MozillaFirefox MozillaThunderbird: date+time, rust, other has bug around update.locale symlink /usr/lib64/firefox/libxul.so varies from https://github.com/rust-lang/rust/issues/57041 .../browser/extensions/langpack-ca(a)xxxxxxxxxxxxxxxxxxx/manifest.json - "version": "20181009013946" + "version": "20331110172641" apache-commons-lang3 apache-pdfbox dom4j hsqldb icu4j javassist jing-trang jtidy junitperf jython objectweb-asm qdox tomcat xerces-j2 xpp2 xpp3: date + mtime in .jar + javadoc html can be normalized by strip-nondeterminism bsh2 cglib: /usr/share/maven-metadata/bsh2.xml has ASLR order issues date + mtime in .jar + javadoc html colord some randomness from uninitialized memory maybe from glib-compile-resources 16-byte random profileID in .icc files from cd-create-profile plus an uncommitted date/time fix in lib/colord/cd-it8.c: priv->enable_created = FALSE ecj ASLR + date? /usr/share/maven-metadata/ecj.xml has alias entries in random order emacs dumps lisp interpreter memory to create its binaries (similar to clisp) causes variations in /usr/bin/emacs-* firebird: ships unreproducible database http://tracker.firebirdsql.org/browse/CORE-5548 gconf2-branding-openSUSE embeds mtime values in /etc/gconf/gconf.xml.vendor/%gconf-tree.xml gdb contains testresults https://bugzilla.opensuse.org/show_bug.cgi?id=1110708 gimp ASLR 12 byte differ in bKGD header from gegl GEGL_USE_OPENCL=no GEGL_SWAP=ram /usr/bin/gegl ../../icons/Symbolic/64/gimp-texture.png -o 64/gimp-texture.png -- gegl:invert-gamma gnome-documents gnome-documents-getting-started.pdf has random ID from inkscape go1.10 go1.11: variations in /usr/lib64/go/1.10/pkg/obj/go-build/*/*-a groff-full date+time + unknown reason? .ps files vary .html files have CreationDate grub2 mtime + readdir https://savannah.gnu.org/bugs/index.php?54841 hamcrest java .class files vary from build/temp/hamcrest-core/generated-code /org/hamcrest/CoreMatchers.java written by ant javadoc html varies installation-images many variations from mtimes + filesys/readdir and %post scripts java-1_8_0-openjdk java-10-openjdk java-11-openjdk various .jar .zip .html .jmod ordering in /usr/lib64/jvm/java-10-openjdk-10/lib/classlist kernel-debug kernel-default kernel-vanilla date+time ; random keys? "Build time autogenerated kernel key0 ..181009012108Z..21180915012108Z0.1,0" kubernetes: fixed upstream: order in man-pages https://github.com/kubernetes/kubernetes/pull/68983 maybe fixed upstream: random build-ids libkolabxml unknown/ASLR? from build/kolabformat-xcal-schema.cxx created by compiled/xsdbin.cxx libqt5-qtscript filesys order libreoffice various .jar .so .dat/.bau (.zip) javadoc_log.txt mono-core date+time ; other mozilla-nss DSA random temp-key from shlibsign https://bugzilla.opensuse.org/show_bug.cgi?id=1081723 pcp /var/lib/pcp/testsuite/perfevent/perfevent_coverage has random diffs from gcov / .gcno files causing diff in .o ? php7 date / EPOCH timestamps e.g. in /usr/share/php7/PEAR/.channels/__uri.reg python-base python3-base: PGO varies .o files that go into /usr/lib64/libpython3.6m.so.1.0 .pyc files vary python-base shows influence from date+hostname (in PGO?) python-numpy 1 .pyc file varied release-notes-openSUSE partial fix in https://github.com/openSUSE/daps/issues/482 date+time in .pdf ; needs work on fop java code random id values in .html ruby2.5 2 gemspec files have date created.rid varies rubygem-gem2rpm mtime ? /usr/lib64/ruby/gems/2.5.0/cache/checksums.yaml varies rust asm diffs in cargo and others from llvm's llc - filed at https://github.com/rust-lang/rust/issues/57041 some progress made here with the switch to llvm7 scons hostname in various places tigervnc date+time+randomness in /usr/share/vnc/classes/META-INF/TIGERVNC.RSA from SignJar.cmake calling jarsigner with temporary private key partial fix merged https://github.com/TigerVNC/tigervnc/pull/765 transfig date+time in sample-presentation.pdf /CreationDate /ModDate from pdflatex virtualbox tar + random https://www.virtualbox.org/ticket/16854 .so files have random NT_GNU_BUILD_ID (unique build ID bitstring) maybe from out/linux.amd64/release/obj/webservice/gsoapH_from_gsoap.h that has date+time in comment /usr/share/virtualbox/extensions/VNC-5.2.16.vbox-extpack unhandled gzip content: POSIX tar archive (GNU) -13343137165.010505. 5... +16773576625.010527. 5... xmlbeans index.xsb varies from filesystem created in org.apache.xmlbeans.impl.tool.SchemaCompiler yodl pdf from latex/ghostscript/dvips/ps2pdf additionally, on the SLE15 list =============================== gnuplot date+time in pdf from pdflatex golang-github-prometheus-prometheus date+time+random build-id hawk2 https://bugzilla.opensuse.org/show_bug.cgi?id=1112159 ibus-libzhuyin libpinyin libzhuyin random bytes - maybe uninitialized memory perf random filesys order from nftw call in ./linux-*/tools/perf/pmu-events/jevents.c python-keystoneauth1 https://bugs.launchpad.net/keystoneauth/+bug/1796899

5 14

[opensuse-factory] network:ldap/openldap2 no builds for Tumbleweed
by Michael Ströder 22 Dec '19

22 Dec '19

HI! Can anybody enlighten me why package network:ldap/openldap2 currently does not build for Tumbleweed? OBS says: unresolvable (nothing provides krb5-mini) I tried to generate a local build of krb5 and krb5-mini in my home project but rpmlint seg faulted. Strange enough network/krb5-mini seems to build just fine. Ciao, Michael. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-factory+owner(a)opensuse.org

3 4

[opensuse-factory] Backlog in legal review
by Axel Braun 06 Dec '19

06 Dec '19

Hello factory maintainers, is there a possibility to speed up legal review for new packages in the factory queue? Some of my submissions are stuck there for 4 weeks now, and I really dont want to light a x-mas candle for them while waiting for legal review.... Thanks Axel -- To unsubscribe, e-mail: opensuse-factory+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-factory+owner(a)opensuse.org

5 6

[opensuse-factory] new package python-prometheus-client for Factory
by Jan Fajerski 03 Dec '19

03 Dec '19

Hi, python-prometheus-client is a python client for the Prometheus monitoring system. Best, Jan -- Jan Fajerski Senior Software Engineer Enterprise Storage SUSE Software Solutions Germany GmbH Maxfeldstr. 5, 90409 Nürnberg, Germany (HRB 36809, AG Nürnberg) Geschäftsführer: Felix Imendörffer -- To unsubscribe, e-mail: opensuse-factory+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-factory+owner(a)opensuse.org

3 5

[opensuse-factory] is Factory first still true for SLES code / Patches / fixes?
by Stefan Seyfried 02 Dec '19

02 Dec '19

Hi all, see $SUBJECT. Is there still a "Factory first" policy for SLES? The reason I'm asking is that I was surprised to find there is a bluez update for Leap 15.0 and 15.1 which comes from SLES15. I just found this by accident. This section of the changelog would also have been relevant for Factory: ---------------------------------------------------------------------- Thu Jan 24 10:18:23 UTC 2019 - Add:btmon: multiple memory management vulnerabilities fixed Multiple different memory management vulnerabilities were discovered in btmon while fuzzing it with American Fuzzy Lop. Purpose of this fuzzing effort was to find some bugs in btmon, analyse and fix them but also try to exploit them. Also goal was to prove that fuzzing is low effort way to find bugs that could end up being severe ones. Most common weakness appeared to be buffer over-read which was usually caused by missing boundary checks before accessing array. Integer underflows were also quite common. Most interesting bug was simple buffer overflow that was actually discovered already couple years ago by op7ic: https://www.spinics.net/lists/linux-bluetooth/msg68898.html but it was still not fixed. This particular vulnerability ended up being quite easily exploitable if certain mitigation technics were disabled.(bsc#1015173)(CVE-2016-9918)(bsc#1013893)(CVE-2016-9802) 0001-btmon-fix-segfault-caused-by-buffer-over-read.patch 0002-btmon-fix-segfault-caused-by-buffer-over-read.patch 0003-btmon-fix-segfault-caused-by-buffer-over-read.patch 0004-btmon-Fix-crash-caused-by-integer-underflow.patch 0005-btmon-fix-stack-buffer-overflow.patch 0006-btmon-fix-multiple-segfaults.patch 0007-btmon-fix-segfault-caused-by-integer-underflow.patch 0008-btmon-fix-segfault-caused-by-integer-undeflow.patch 0009-btmon-fix-segfault-caused-by-buffer-over-read.patch 0010-btmon-fix-segfault-caused-by-buffer-overflow.patch 0011-btmon-fix-segfault-caused-by-integer-underflow.patch 0012-btmon-fix-segfault-caused-by-buffer-over-read.patch ---------------------------------------------------------------------- In January 2019, factory had still bluez version 5.50, these fixes went upstream only in version 5.51 which was released in September 2019 (and which did not yet make it to factory, but that's a different issue). As the bluez package maintainer, I would somehow expect to be on the CC list of bluez related security bugs reported on bugzilla and not having to discover them by accident. -- Stefan Seyfried "For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman -- To unsubscribe, e-mail: opensuse-factory+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-factory+owner(a)opensuse.org

11 17