[opensuse-factory] E: badness 20000 exceeds threshold 1000, aborting.
I try to rebuild mailman with htdig patch but I get

[ 149s] (none): E: badness 20000 exceeds threshold 1000, aborting.

I compared build logs with devel project and it has the same amount of warnings; the only difference is /proc warnings

[ 140s] warning: Failed to read auxiliary vector, /proc not mounted?
[ 140s] warning: Failed to read auxiliary vector, /proc not mounted?

but I normally always see them in build logs and so far they did not cause any harm.

Could someone explain where this badness comes from?

https://build.opensuse.org/package/rawlog/home:arvidjaar:branches:server:mai...

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Hello,

On 07.09.2013 08:31, Andrey Borzenkov wrote:
> I try to rebuild mailman with htdig patch but I get
> [ 149s] (none): E: badness 20000 exceeds threshold 1000, aborting.
> I compared build logs with devel project and it has the same amount of warnings; the only difference is /proc warnings
> [ 140s] warning: Failed to read auxiliary vector, /proc not mounted?
> [ 140s] warning: Failed to read auxiliary vector, /proc not mounted?
> but I normally always see them in build logs and so far they did not cause any harm.
> Could someone explain where this badness comes from?
> https://build.opensuse.org/package/rawlog/home:arvidjaar:branches:server:mai...
Reading the logfile, you can find:

[ 149s] mailman.i586: E: permissions-file-setuid-bit (Badness: 10000) /usr/lib/mailman/cgi-bin/htdig is packaged with setuid/setgid bits (02755)
[ 149s] mailman.i586: E: permissions-file-setuid-bit (Badness: 10000) /usr/lib/mailman/cgi-bin/mmsearch is packaged with setuid/setgid bits (02755)
[ 149s] If the package is intended for inclusion in any SUSE product please open a bug
[ 149s] report to request review of the program by the security team

These two lines add to the badness of 20000. Factory builds break when the badness is too high. This is done to ensure a minimum packaging quality.

See also: http://en.opensuse.org/openSUSE:Packaging_checks

Thomas
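Added example (not part of the original messages and not rpmlint's own code): a small Python parser that recomputes the badness total from the rpmlint lines quoted in this thread and reads the threshold from the abort line. The name `badness_report` and both regular expressions are assumptions derived only from the log format shown above.

```python
import re
from collections import defaultdict

# Log lines as quoted in this thread, one per line.
SAMPLE_LOG = """\
[ 140s] warning: Failed to read auxiliary vector, /proc not mounted?
[ 149s] mailman.i586: E: permissions-file-setuid-bit (Badness: 10000) /usr/lib/mailman/cgi-bin/htdig is packaged with setuid/setgid bits (02755)
[ 149s] mailman.i586: E: permissions-file-setuid-bit (Badness: 10000) /usr/lib/mailman/cgi-bin/mmsearch is packaged with setuid/setgid bits (02755)
[ 149s] (none): E: badness 20000 exceeds threshold 1000, aborting.
"""

# A scored finding: "[ 149s] <pkg>: E: <check> (Badness: N) <detail>"
FINDING = re.compile(
    r"^\[\s*\d+s\]\s+(?P<pkg>\S+): (?P<sev>[EW]): (?P<check>\S+) "
    r"\(Badness: (?P<score>\d+)\)\s*(?P<detail>.*)$"
)
# The final verdict line that aborts the build.
VERDICT = re.compile(r"badness (?P<total>\d+) exceeds threshold (?P<limit>\d+)")


def badness_report(log_text):
    """Return (findings per check, summed badness, reported total, threshold)."""
    findings = defaultdict(list)
    summed = 0
    reported = threshold = None
    for line in log_text.splitlines():
        m = FINDING.match(line)
        if m:
            score = int(m["score"])
            summed += score
            # In these messages the first token of the detail is the file path.
            findings[m["check"]].append((score, m["detail"].split(" ", 1)[0]))
            continue
        v = VERDICT.search(line)
        if v:
            reported, threshold = int(v["total"]), int(v["limit"])
    return dict(findings), summed, reported, threshold


if __name__ == "__main__":
    findings, summed, reported, threshold = badness_report(SAMPLE_LOG)
    for check, hits in findings.items():
        for score, path in hits:
            print(f"{score:>6}  {check}  {path}")
    print(f"sum={summed} reported={reported} threshold={threshold}")
```

Lines without a `(Badness: N)` field, such as the /proc warnings, contribute nothing to the total, which is why they do not explain the abort.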
On Sat, 07 Sep 2013 08:38:48 +0200 Thomas Leineweber <thomas@tleine.de> wrote:
> Hello,
> On 07.09.2013 08:31, Andrey Borzenkov wrote:
>> I try to rebuild mailman with htdig patch but I get
>> [ 149s] (none): E: badness 20000 exceeds threshold 1000, aborting.
>> I compared build logs with devel project and it has the same amount of warnings; the only difference is /proc warnings
>> [ 140s] warning: Failed to read auxiliary vector, /proc not mounted?
>> [ 140s] warning: Failed to read auxiliary vector, /proc not mounted?
>> but I normally always see them in build logs and so far they did not cause any harm.
>> Could someone explain where this badness comes from?
>> https://build.opensuse.org/package/rawlog/home:arvidjaar:branches:server:mai...
> Reading the logfile, you can find:
> [ 149s] mailman.i586: E: permissions-file-setuid-bit (Badness: 10000) /usr/lib/mailman/cgi-bin/htdig is packaged with setuid/setgid bits (02755)
> [ 149s] mailman.i586: E: permissions-file-setuid-bit (Badness: 10000) /usr/lib/mailman/cgi-bin/mmsearch is packaged with setuid/setgid bits (02755)
> [ 149s] If the package is intended for inclusion in any SUSE product please open a bug
> [ 149s] report to request review of the program by the security team
All files under /usr/lib/mailman/cgi-bin are SGID. Why does it complain about these two files only? Spec also has the line

%verify(not mode) %attr(2755, root, mailman) /usr/lib/mailman/cgi-bin/*

And I added these files to /usr/lib/mailman/sgidlist assuming that this goes wrong (but as far as I understand it runs during installation):

%verifyscript
%verify_permissions -f /usr/lib/mailman/sgidlist
> These two lines add to the badness of 20000. Factory builds break when the badness is too high. This is done to ensure a minimum packaging quality.
> See also: http://en.opensuse.org/openSUSE:Packaging_checks
> Thomas
On Sat, Sep 07, 2013 at 11:39:46AM +0400, Andrey Borzenkov wrote:
> On Sat, 07 Sep 2013 08:38:48 +0200 Thomas Leineweber <thomas@tleine.de> wrote:
>> Hello,
>> On 07.09.2013 08:31, Andrey Borzenkov wrote:
>>> I try to rebuild mailman with htdig patch but I get
>>> [ 149s] (none): E: badness 20000 exceeds threshold 1000, aborting.
>>> I compared build logs with devel project and it has the same amount of warnings; the only difference is /proc warnings
>>> [ 140s] warning: Failed to read auxiliary vector, /proc not mounted?
>>> [ 140s] warning: Failed to read auxiliary vector, /proc not mounted?
>>> but I normally always see them in build logs and so far they did not cause any harm.
>>> Could someone explain where this badness comes from?
>>> https://build.opensuse.org/package/rawlog/home:arvidjaar:branches:server:mai...
>> Reading the logfile, you can find:
>> [ 149s] mailman.i586: E: permissions-file-setuid-bit (Badness: 10000) /usr/lib/mailman/cgi-bin/htdig is packaged with setuid/setgid bits (02755)
>> [ 149s] mailman.i586: E: permissions-file-setuid-bit (Badness: 10000) /usr/lib/mailman/cgi-bin/mmsearch is packaged with setuid/setgid bits (02755)
>> [ 149s] If the package is intended for inclusion in any SUSE product please open a bug
>> [ 149s] report to request review of the program by the security team
> All files under /usr/lib/mailman/cgi-bin are SGID. Why does it complain about these two files only?
Because the other ones have been audited and whitelisted already, these new ones have not.
> Spec also has the line
> %verify(not mode) %attr(2755, root, mailman) /usr/lib/mailman/cgi-bin/*
> And I added these files to /usr/lib/mailman/sgidlist assuming that this goes wrong (but as far as I understand it runs during installation):
> %verifyscript
> %verify_permissions -f /usr/lib/mailman/sgidlist
Open a bug and assign to the security team requesting audit.

Or do not ship them. ;)

Ciao, Marcus
participants (3)
- Andrey Borzenkov
- Marcus Meissner
- Thomas Leineweber