Mailinglist Archive: opensuse-factory (269 mails)

[opensuse-factory] Turning certain rpmlint errors into warnings
Hello,

the SUSE security team wants to change part of our process in a way that will
affect (open)SUSE packagers. Several features in a package currently produce
rpmlint errors that ask packagers to submit the package for a review by the
security team. E.g.:
- Adding a setuid binary
- Changing polkit settings

This is described here:
https://en.opensuse.org/index.php?title=openSUSE:Package_security_guidelines&oldid=136012#Audit_Bugs_for_the_Security_Team

The current approach (error by rpmlint) has the drawback that this also
triggers in devel projects. So if you package something with a setuid binary
but don't intend to make this package part of (open)SUSE you will still see the
errors. You then either have to suppress them or we have to spend effort on
reviewing something that's not in an official distribution.

We want to change these errors into warnings without badness (first only in
Factory, but in short order also for openSUSE:* and SUSE:* too). You will still
see a warning that informs you that you need to go through a review if you want
it in an official distribution. This is then enforced by adding reviews for the
security team to each request made to an official distribution if these
warnings are present. Once the changes have been reviewed and whitelisted the
warnings will vanish.

The upside for you is that you can already use/test your packages in the devel
project without being blocked by build errors.

We hope to make the process faster and easier for everyone involved. Nothing
will change for you if:
- you don't need special permissions in your package
- you need special permissions and they were already checked by the
security team

If you see one of these warnings, they describe what you need to do to get your
submits through without an additional review being added to the submit. We have
a constant flow of audit bugs, so please open your audit request as early as
possible so that we don't introduce a delay in your request while we review the
changes.

If you have any questions please ask away (please CC me) or contact
security@xxxxxxx

Thanks,
Johannes for the SUSE security team
--
GPG Key E7C81FA0 EE16 6BCE AD56 E034 BFB3 3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint: 250F 43F5 F7CE 6F1E 9C59 4F95 BC27 DD9D 2CC4 FD66
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg
Geschäftsführer: Felix Imendörffer (HRB 247165, AG München)

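As an added example (not code from this post, and not rpmlint itself): a small POSIX shell self-check a packager can run over an installed build root to spot the two kinds of content the post names as review triggers, setuid/setgid files and polkit settings, before submitting. The function names `scan_buildroot` and `needs_review` are ours, and the polkit directories it looks in are the conventional polkit locations, assumed here rather than taken from the post. rpmlint remains the authoritative check.

```shell
#!/bin/sh
# Added example, not part of the mailing list post and not rpmlint code.
# Lists content in a build root that, per the post, triggers a security
# review: setuid/setgid files and polkit policy or rule files.

# Conventional polkit locations (an assumption of this example; extend
# the list if your package installs polkit files elsewhere).
POLKIT_DIRS="usr/share/polkit-1/actions usr/share/polkit-1/rules.d etc/polkit-1/rules.d"

# scan_buildroot DIR
# Prints one line per finding, "<kind> <path>", kind = setuid | setgid | polkit.
# A file carrying both bits is reported twice, once per bit. Always returns 0
# unless DIR is not a directory (then 2), so it is safe under `set -e`.
scan_buildroot() {
    root="${1%/}"
    if [ ! -d "$root" ]; then
        echo "scan_buildroot: not a directory: $root" >&2
        return 2
    fi
    out=$( {
        # regular files with the setuid (04000) or setgid (02000) bit set
        find "$root" -type f -perm -4000 | sed 's/^/setuid /'
        find "$root" -type f -perm -2000 | sed 's/^/setgid /'
        # any file shipped into a polkit directory counts as a polkit change
        for d in $POLKIT_DIRS; do
            [ -d "$root/$d" ] && find "$root/$d" -type f | sed 's/^/polkit /'
        done
    } | sort )
    [ -n "$out" ] && printf '%s\n' "$out"
    return 0
}

# needs_review DIR: exit status 0 if the scan found anything, 1 otherwise,
# so a build script can gate on it.
needs_review() {
    [ -n "$(scan_buildroot "$1")" ]
}

# Usage when run directly: sh scan_buildroot.sh /path/to/buildroot
if [ -n "${1:-}" ]; then
    scan_buildroot "$1"
    if needs_review "$1"; then
        echo "review needed: open a security audit bug before submitting" >&2
    fi
fi
```

The scan is deliberately broader than rpmlint (any file under a polkit directory is flagged, not only changed privileges), because at this stage the packager only wants to know whether a security review will be attached to the request.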