Where can we find build logs for Leap 15.3?
I wanted to check and see if CVE-2021-4034 was patched in the polkit update that came today for 15.3 - I see on OBS that the patch is there for Tumbleweed and Factory, but Leap 15.3 isn't shown there. The patch comes from the SLE update repo (named "Update repository with updates from SUSE Linux Enterprise 15" on my system). Where can we look to see what's included in the build if not on OBS? This seems like it might be related to packages not showing up for Leap 15.3 on OBS, which I know a few people have asked about in various support venues - not sure if anyone has raised a ticket on that in bugzilla, though.
--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
On Wednesday 2022-01-26 00:43, Jim Henderson wrote:
I wanted to check and see if CVE-2021-4034 was patched in the polkit update that came today for 15.3 - I see on OBS that the patch is there for Tumbleweed and Factory, but Leap 15.3 isn't shown there. The patch comes from the SLE update repo (named "Update repository with updates from SUSE Linux Enterprise 15" on my system). Where can we look to see what's included in the build if not on OBS?
It is not built on build.opensuse.org AFAICT. But the source is imported so you can rebuild and get the same result.
osc ls SUSE:SLE-15:Update/polkit.22390 standard x86_64
On Wed, 26 Jan 2022 00:47:16 +0100, Jan Engelhardt wrote:
It is not built on build.opensuse.org AFAICT. But the source is imported so you can rebuild and get the same result.
osc ls SUSE:SLE-15:Update/polkit.22390 standard x86_64
Cool, thanks. I think it would be nice if there was someplace to get a changelog rather than having to rebuild to see if it's in the patch. That's a definite disadvantage to using SLE code in Leap *if* we don't have that kind of visibility into the packages we've installed.
Jim
--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
On 26.01.22 00:49, Jim Henderson wrote:
On Wed, 26 Jan 2022 00:47:16 +0100, Jan Engelhardt wrote:
It is not built on build.opensuse.org AFAICT. But the source is imported so you can rebuild and get the same result.
osc ls SUSE:SLE-15:Update/polkit.22390 standard x86_64
Cool, thanks. I think it would be nice if there was someplace to get a changelog rather than having to rebuild to see if it's in the patch.
osc ls SUSE:SLE-15:Update/polkit # shows the code
osc less SUSE:SLE-15:Update/polkit polkit.changes
That's a definite disadvantage to using SLE code in Leap *if* we don't have that kind of visibility into the packages we've installed.
The build log is not available, but how would you see the changes from the build log anyway? Everything else is similar to stuff built in build.o.o
--
Stefan Seyfried
"For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman
Hi Jim,
not really answering your question probably, but for specific CVEs you can use
zypper list-patches -a --cve=CVE-2021-4034
Once you have the patch number, you can get more info using
zypper info -t patch openSUSE-SLE-15.3-2022-190
Mischa
On Wed, Jan 26, 2022 at 7:06 AM Stefan Seyfried <stefan.seyfried@googlemail.com> wrote:
On 26.01.22 00:49, Jim Henderson wrote:
On Wed, 26 Jan 2022 00:47:16 +0100, Jan Engelhardt wrote:
It is not built on build.opensuse.org AFAICT. But the source is imported so you can rebuild and get the same result.
osc ls SUSE:SLE-15:Update/polkit.22390 standard x86_64
Cool, thanks. I think it would be nice if there was someplace to get a changelog rather than having to rebuild to see if it's in the patch.
osc ls SUSE:SLE-15:Update/polkit # shows the code
osc less SUSE:SLE-15:Update/polkit polkit.changes
That's a definite disadvantage to using SLE code in Leap *if* we don't have that kind of visibility into the packages we've installed.
The build log is not available, but how would you see the changes from the build log anyway?
Everything else is similar to stuff built in build.o.o
--
Stefan Seyfried
"For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman
On Wed, 26 Jan 2022 17:40:59 +0100, Mischa Salle wrote:
Hi Jim,
not really answering your question probably, but for specific CVEs you can use zypper list-patches -a --cve=CVE-2021-4034
Once you have the patch number, you can get more info using zypper info -t patch openSUSE-SLE-15.3-2022-190
Cool, that's quite helpful. Thanks!
--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
On Wed, 26 Jan 2022 07:06:09 +0100, Stefan Seyfried wrote:
On 26.01.22 00:49, Jim Henderson wrote:
On Wed, 26 Jan 2022 00:47:16 +0100, Jan Engelhardt wrote:
It is not built on build.opensuse.org AFAICT. But the source is imported so you can rebuild and get the same result.
osc ls SUSE:SLE-15:Update/polkit.22390 standard x86_64
Cool, thanks. I think it would be nice if there was someplace to get a changelog rather than having to rebuild to see if it's in the patch.
osc ls SUSE:SLE-15:Update/polkit # shows the code
osc less SUSE:SLE-15:Update/polkit polkit.changes
That last piece is what I was looking for. Thanks for that.
That's a definite disadvantage to using SLE code in Leap *if* we don't have that kind of visibility into the packages we've installed.
The build log is not available, but how would you see the changes from the build log anyway?
Everything else is similar to stuff built in build.o.o
I wasn't really thinking about the build log there, more "here's the code that was specifically used to build this package so you can inspect it" - or "here's a changelog that shows what has changed and when" - while that's included in the polkit.changes output, it's not in the RPM itself, so users who want to make sure something is patched don't really have an obvious place to look to see if a security issue has been fixed. The usage of SLE packages is a good thing and does make sense, but it seems there are some things that are less than ideal with this arrangement. Not being able to easily find the code for packages like this (I would never have thought to look under SUSE:SLE-15:Update even though I know SLE packages are used) is one such issue. Not being able to search software.opensuse.org for packages for 15.3 is another (several people have reported issues with this - for example, searching for krita was one that someone had suggested), there is no package listed for 15.3. There's one for Tumbleweed and one for 15.2, but not for 15.3, and even for SLE-15-SP1, it's either 'experimental' or 'community'.
--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
On Jan 27 2022, Jim Henderson wrote:
The usage of SLE packages is a good thing and does make sense, but it seems there are some things that are less than ideal with this arrangement. Not being able to easily find the code for packages like this (I would never have thought to look under SUSE:SLE-15:Update even though I know SLE packages are used) is one such issue.
You are supposed to be able to see the latest sources of all packages through openSUSE:Leap:15.3:Update, though due to https://bugzilla.opensuse.org/show_bug.cgi?id=1193413 this currently doesn't work for some packages. In case of polkit this shows that the sources actually come from SLE-15-SP2:
$ osc meta pkg openSUSE:Leap:15.3:Update polkit | head -n1
<package name="polkit" project="SUSE:SLE-15-SP2:Update">
--
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE 1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."
On Thu, 27 Jan 2022 17:52:12 +0100, Andreas Schwab wrote:
On Jan 27 2022, Jim Henderson wrote:
The usage of SLE packages is a good thing and does make sense, but it seems there are some things that are less than ideal with this arrangement. Not being able to easily find the code for packages like this (I would never have thought to look under SUSE:SLE-15:Update even though I know SLE packages are used) is one such issue.
You are supposed to be able to see the latest sources of all packages through openSUSE:Leap:15.3:Update, though due to https://bugzilla.opensuse.org/show_bug.cgi?id=1193413 this currently doesn't work for some packages.
In case of polkit this shows that the sources actually come from SLE-15-SP2:
$ osc meta pkg openSUSE:Leap:15.3:Update polkit | head -n1
<package name="polkit" project="SUSE:SLE-15-SP2:Update">
This is all good info, and I appreciate it. That's a lot to know to check to see if a particular patch is available. I've been using SUSE since 2003, and I've never had to look for this info previously, so wouldn't have had the faintest idea how to even start finding it. For someone with less experience than me with the platform, this would seem to be something that could be made easier.
--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
On Thu, Jan 27, 2022 at 04:24:06PM -0000, Jim Henderson wrote:
On Wed, 26 Jan 2022 07:06:09 +0100, Stefan Seyfried wrote:
On 26.01.22 00:49, Jim Henderson wrote:
On Wed, 26 Jan 2022 00:47:16 +0100, Jan Engelhardt wrote:
It is not built on build.opensuse.org AFAICT. But the source is imported so you can rebuild and get the same result.
osc ls SUSE:SLE-15:Update/polkit.22390 standard x86_64
Cool, thanks. I think it would be nice if there was someplace to get a changelog rather than having to rebuild to see if it's in the patch.
osc ls SUSE:SLE-15:Update/polkit # shows the code
osc less SUSE:SLE-15:Update/polkit polkit.changes
That last piece is what I was looking for. Thanks for that.
That's a definite disadvantage to using SLE code in Leap *if* we don't have that kind of visibility into the packages we've installed.
The build log is not available, but how would you see the changes from the build log anyway?
Everything else is similar to stuff built in build.o.o
I wasn't really thinking about the build log there, more "here's the code that was specifically used to build this package so you can inspect it" - or "here's a changelog that shows what has changed and when" - while that's included in the polkit.changes output, it's not in the RPM itself, so users who want to make sure something is patched don't really have an obvious place to look to see if a security issue has been fixed.
the changes file is in the RPM though:
rpm -q --changelog polkit
The usage of SLE packages is a good thing and does make sense, but it seems there are some things that are less than ideal with this arrangement. Not being able to easily find the code for packages like this (I would never have thought to look under SUSE:SLE-15:Update even though I know SLE packages are used) is one such issue.
see Andreas' follow-up email.
Not being able to search software.opensuse.org for packages for 15.3 is another (several people have reported issues with this - for example, searching for krita was one that someone had suggested), there is no package listed for 15.3. There's one for Tumbleweed and one for 15.2, but not for 15.3, and even for SLE-15-SP1, it's either 'experimental' or 'community'.
software.o.o might need some love, yes.
Ciao, Marcus
On Thu, 27 Jan 2022 17:54:32 +0100, Marcus Meissner wrote:
or "here's a changelog that shows what has changed and when" - while that's included in the polkit.changes output, it's not in the RPM itself, so users who want to make sure something is patched don't really have an obvious place to look to see if a security issue has been fixed.
the changes file is in the RPM though:
rpm -q --changelog polkit
I never knew that command existed. Thank you for that (I'm used to looking for a changelog file in the docs directory).
The usage of SLE packages is a good thing and does make sense, but it seems there are some things that are less than ideal with this arrangement. Not being able to easily find the code for packages like this (I would never have thought to look under SUSE:SLE-15:Update even though I know SLE packages are used) is one such issue.
see Andreas' follow-up email.
Not being able to search software.opensuse.org for packages for 15.3 is another (several people have reported issues with this - for example, searching for krita was one that someone had suggested), there is no package listed for 15.3. There's one for Tumbleweed and one for 15.2, but not for 15.3, and even for SLE-15-SP1, it's either 'experimental' or 'community'.
software.o.o might need some love, yes.
Thanks for confirming that. I've had a couple of folks in the openSUSE Facebook group complain about this, and I've suggested that they open bugzilla tickets so they can interact directly with whomever would be working to resolve it, but I don't know if they did (I hadn't run into the package issue myself, since I tend to have everything installed that I need at this point anyways), but we have had a couple of very vocal folks actively telling new users to stay away from 15.3 because of this issue.
Jim
--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
On Thu, 2022-01-27 at 16:24 +0000, Jim Henderson wrote:
I wasn't really thinking about the build log there, more "here's the code that was specifically used to build this package so you can inspect it" - or "here's a changelog that shows what has changed and when" - while that's included in the polkit.changes output, it's not in the RPM itself, so users who want to make sure something is patched don't really have an obvious place to look to see if a security issue has been fixed.
the .changes file IS in the rpm:
rpm -q --changelog polkit (to inspect the installed one)
or
rpm -qp --changelog /path/to/polkit.rpm (to inspect a not yet installed rpm)
The usage of SLE packages is a good thing and does make sense, but it seems there are some things that are less than ideal with this arrangement. Not being able to easily find the code for packages like this (I would never have thought to look under SUSE:SLE-15:Update even though I know SLE packages are used) is one such issue.
osc ls openSUSE:Leap:15.3:Update polkit
With 15.3 being your target, this seems much more intuitive and works too.
osc less openSUSE:Leap:15.3:Update polkit polkit.changes
(or any other file osc ls showed before) then works too to closer inspect things.
Cheers,
Dominique
On Thu, 27 Jan 2022 17:58:34 +0100, Dominique Leuenberger / DimStar wrote:
On Thu, 2022-01-27 at 16:24 +0000, Jim Henderson wrote:
the .changes file IS in the rpm:
rpm -q --changelog polkit (to inspect the installed one)
or
rpm -qp --changelog /path/to/polkit.rpm (to inspect a not yet installed rpm)
As I mentioned elsewhere, I'm used to seeing a changelog file somewhere in /usr/share/docs - I wasn't aware of the --changelog switch to see that info. Learned something new today. :)
The usage of SLE packages is a good thing and does make sense, but it seems there are some things that are less than ideal with this arrangement. Not being able to easily find the code for packages like this (I would never have thought to look under SUSE:SLE-15:Update even though I know SLE packages are used) is one such issue.
osc ls openSUSE:Leap:15.3:Update polkit
With 15.3 being your target, this seems much more intuitive and works too.
That's also good to know - though it does seem a little esoteric and involved for someone who's not an advanced user (I'm fine with using that myself, but for someone who's not a CLI guru who wants to know, this is a lot of information to know that they just wouldn't use on a regular basis). Seems like there should be a simpler way for the average end-user to get at this information, preferably even without using the CLI at all. Those of us who use osc (and I use it on occasion, but I'm by no means an expert on using it) tend to be building stuff, and the average end user has no need to even have the tool installed.
Jim
--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
On Thu, 2022-01-27 at 17:13 +0000, Jim Henderson wrote:
On Thu, 27 Jan 2022 17:58:34 +0100, Dominique Leuenberger / DimStar wrote:
On Thu, 2022-01-27 at 16:24 +0000, Jim Henderson wrote:
the .changes file IS in the rpm:
rpm -q --changelog polkit (to inspect the installed one)
or
rpm -qp --changelog /path/to/polkit.rpm (to inspect a not yet installed rpm)
As I mentioned elsewhere, I'm used to seeing a changelog file somewhere in /usr/share/docs - I wasn't aware of the --changelog switch to see that info. Learned something new today. :)
Yep, I've seen Marcus writing the same - my mail was already in transit though :)
The usage of SLE packages is a good thing and does make sense, but it seems there are some things that are less than ideal with this arrangement. Not being able to easily find the code for packages like this (I would never have thought to look under SUSE:SLE-15:Update even though I know SLE packages are used) is one such issue.
osc ls openSUSE:Leap:15.3:Update polkit
With 15.3 being your target, this seems much more intuitive and works too.
That's also good to know - though it does seem a little esoteric and involved for someone who's not an advanced user (I'm fine with using that myself, but for someone who's not a CLI guru who wants to know, this is a lot of information to know that they just wouldn't use on a regular basis). Seems like there should be a simpler way for the average end-user to get at this information, preferably even without using the CLI at all.
Those of us who use osc (and I use it on occasion, but I'm by no means an expert on using it) tend to be building stuff, and the average end user has no need to even have the tool installed.
https://build.opensuse.org/package/show/openSUSE:Leap:15.3/polkit
Browser works too. But I agree, things could be easier.
yast software management also shows the changelogs, but only of the already installed packages, not for the 'to be installed' versions (unless this changed recently and I missed it)
Alternatively, there are always the .src.rpm provided as well (we have to provide the sources, as this is, after all, GPL). They should be part of the update channel and you could use zypper to 'install' the sources using:
zypper si -D polkit
This does produce a bit of mess in /usr/src/packages/SOURCES though, as all packages you install like this are all 'flat extracted there' (as it's the structure wanted by rpmbuild IIRC)
'uninstallation' of src.rpm is not 'possible' using rpm though; they are not listed in the rpm database to my knowledge (so rm it is)
Cheers,
Dominique
On Thu, 2022-01-27 at 18:26 +0100, Dominique Leuenberger / DimStar wrote:
https://build.opensuse.org/package/show/openSUSE:Leap:15.3/polkit
Browser works too. But I agree, things could be easier.
yast software management also shows the changelogs, but only of the already installed packages, not for the 'to be installed' versions (unless this changed recently and I missed it)
We need "zypper info --changelog". It doesn't have to print the entire changelog (which would cause the metadata to explode I suppose). The last few entries would suffice.
Martin
On 28.01.22 17:52, Martin Wilck wrote:
We need "zypper info --changelog". It doesn't have to print the entire changelog (which would cause the metadata to explode I suppose). The last few entries would suffice.
we could compensate for that by omitting appdata from each and every metadata download even though it will be unused by most ;-)
--
Stefan Seyfried
"For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman
On Fri, 28 Jan 2022 17:52:07 +0100, Martin Wilck wrote:
We need "zypper info --changelog". It doesn't have to print the entire changelog (which would cause the metadata to explode I suppose). The last few entries would suffice.
I could see that working; I see that the data is in the changelog for the RPM itself (using rpm -qi --changelog polkit), so zypper having an option to show that would probably suffice, since it can pull metadata for packages that aren't installed. I think an option on 'list-updates' to see what the most recent update is for any updated packages might be useful as well, though it would definitely be more network-intensive to query metadata for all updates, especially if there were a lot queued.
--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
On 27.01.22 17:24, Jim Henderson wrote:
On Wed, 26 Jan 2022 07:06:09 +0100, Stefan Seyfried wrote:
On 26.01.22 00:49, Jim Henderson wrote:
Cool, thanks. I think it would be nice if there was someplace to get a changelog rather than having to rebuild to see if it's in the patch.
osc ls SUSE:SLE-15:Update/polkit # shows the code
osc less SUSE:SLE-15:Update/polkit polkit.changes
That last piece is what I was looking for. Thanks for that.
I wasn't really thinking about the build log there, more "here's the code that was specifically used to build this package so you can inspect it" - or "here's a changelog that shows what has changed and when" - while that's included in the polkit.changes output, it's not in the RPM itself, so users who want to make sure something is patched don't really have an obvious place to look to see if a security issue has been fixed.
rpm -q --changelog polkit
the newest entries of polkit.changes (either a fixed time interval or after a cut-off date configured somewhere, I'm not sure) are embedded into the RPM.
If you want to know before installing if it is worth the hassle, you can do
zypper up --download-only polkit
rpm -qp --changelog /var/cache/zypp/<....>/polkit-<xxx.yyy>.<arch>.rpm
Yes, it's not easily available before installation, but at least you know that's what will be installed. If you look into OBS, you still are not 100% sure that's what you get from your local mirror ;-)
Best regards,
--
Stefan Seyfried
"For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman
On Sat, 29 Jan 2022 02:36:32 +0100, Stefan Seyfried wrote:
rpm -q --changelog polkit
the newest entries of polkit.changes (either a fixed time interval or after a cut-off date configured somewhere, I'm not sure) are embedded into the RPM.
If you want to know before installing if it is worth the hassle, you can do
zypper up --download-only polkit
rpm -qp --changelog /var/cache/zypp/<....>/polkit-<xxx.yyy>.<arch>.rpm
Yes, it's not easily available before installation, but at least you know that's what will be installed. If you look into OBS, you still are not 100% sure that's what you get from your local mirror ;-)
Not bad options either. The biggest thing for me wasn't so much (in this instance) not wondering if it was worth the hassle, but whether or not the CVE was patched or if I was going to have to mitigate in some other way post-update. Suffice to say, I've learned a lot from this thread about how to find the changelogs (which I've never really worried about before for some reason).
--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
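The check the thread converges on (feed the changelog that rpm -q --changelog PKG or rpm -qp --changelog FILE prints to a search for the CVE id) as a small POSIX shell script. This is an added example, not something posted by anyone in the thread: the function names are mine, the sample changelog with its dates, address and version is constructed, and only the commands and the CVE id come from the thread. It matches the id as a whole token so that a search for CVE-2021-4034 is not satisfied by an entry mentioning CVE-2021-40341, and it runs against the built-in sample wherever rpm is not installed.

```shell
#!/bin/sh
# Added example: does an RPM's embedded changelog mention a given CVE?
# The changelog text comes from the commands quoted in the thread
# (rpm -q --changelog PKG, rpm -qp --changelog FILE); this script adds
# the matching logic and a fallback sample for hosts without rpm.

# Constructed sample in the layout `rpm -q --changelog` prints:
# a "* <date> <author>" header per entry, then "- " bullet lines.
# Dates, address and version are made up; only the CVE id is from the thread.
SAMPLE_CHANGELOG='* Tue Jan 25 2022 maintainer@example.invalid
- Fix CVE-2021-4034 (placeholder bug reference)
- Rebase patches

* Mon Jun 14 2021 maintainer@example.invalid
- Update to version 0.118
'

# Read changelog text on stdin; print the header and bullet of every entry
# mentioning $1 and return 0, or return 1 when nothing matches (2 on a
# malformed id). The id is matched as a whole token: it must not be
# preceded by a letter or digit, nor followed by a digit.
cve_fixed_in_changelog() {
    cve=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    case $cve in
        CVE-[0-9][0-9][0-9][0-9]-[0-9]*) ;;
        *) echo "not a CVE id: $1" >&2; return 2 ;;
    esac
    awk -v cve="$cve" '
        BEGIN { pat = "(^|[^0-9A-Za-z])" cve "([^0-9]|$)" }
        /^\* /            { header = $0; next }
        toupper($0) ~ pat { print header; print $0; found = 1 }
        END               { exit (found ? 0 : 1) }
    '
}

# Installed package: the command from the thread, piped through the matcher.
installed_package_fixes() { rpm -q --changelog "$1" | cve_fixed_in_changelog "$2"; }

# Not-yet-installed rpm file, e.g. one fetched with `zypper up --download-only PKG`
# into /var/cache/zypp/ as the thread describes.
rpm_file_fixes() { rpm -qp --changelog "$1" | cve_fixed_in_changelog "$2"; }

# Usage: ./cve_in_changelog.sh PACKAGE CVE-ID          (installed package)
#        ./cve_in_changelog.sh /path/to/pkg.rpm CVE-ID (downloaded file)
# With no arguments, or without rpm on the host, it runs on the sample.
if [ "$#" -ge 2 ] && command -v rpm >/dev/null 2>&1; then
    case $1 in
        *.rpm) rpm_file_fixes "$1" "$2" ;;
        *)     installed_package_fixes "$1" "$2" ;;
    esac
else
    if printf '%s' "$SAMPLE_CHANGELOG" | cve_fixed_in_changelog CVE-2021-4034; then
        echo "sample: CVE-2021-4034 is mentioned"
    else
        echo "sample: CVE-2021-4034 is not mentioned"
    fi
fi
```

A hit only shows that the packager recorded the CVE in the .changes file, which is the same limit the thread's manual rpm -q --changelog has; zypper list-patches --cve remains the authoritative view of which patch carries the fix.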
On Wed, 26 Jan 2022 00:47:16 +0100, Jan Engelhardt wrote:
On Wednesday 2022-01-26 00:43, Jim Henderson wrote:
I wanted to check and see if CVE-2021-4034 was patched in the polkit update that came today for 15.3 - I see on OBS that the patch is there for Tumbleweed and Factory, but Leap 15.3 isn't shown there. The patch comes from the SLE update repo (named "Update repository with updates from SUSE Linux Enterprise 15" on my system). Where can we look to see what's included in the build if not on OBS?
It is not built on build.opensuse.org AFAICT. But the source is imported so you can rebuild and get the same result.
osc ls SUSE:SLE-15:Update/polkit.22390 standard x86_64
I get "too many parameters" with that command, and if I drop "standard x86_64", I get "unauthorized". Looks like I might need to set up osc again (haven't since I upgraded to 15.3).
--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
On Tue, 25 Jan 2022 23:50:35 +0000, Jim Henderson wrote:
I get "too many parameters" with that command, and if I drop "standard x86_64", I get "unauthorized". Looks like I might need to set up osc again (haven't since I upgraded to 15.3).
Ah, once I got logged in, I saw that it's just a 'ls', and not a rebuild, and I see the patch file there for this security bulletin. Thanks, Jan.
--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
participants (8): Andreas Schwab, Dominique Leuenberger / DimStar, Jan Engelhardt, Jim Henderson, Marcus Meissner, Martin Wilck, Mischa Salle, Stefan Seyfried