[OE-core] [PATCH 1/1] rpm: make install with --nosignature and --nodigest work
Mark Hatle
mark.hatle at windriver.com
Thu Sep 22 14:53:57 UTC 2016
On 9/21/16 8:39 PM, Robert Yang wrote:
>
>
> On 09/21/2016 10:10 PM, Mark Hatle wrote:
>> On 9/20/16 10:37 PM, Robert Yang wrote:
>>>
>>>
>>> On 09/21/2016 04:33 AM, Mark Hatle wrote:
>>>> On 9/20/16 10:00 AM, Burton, Ross wrote:
>>>>>
>>>>> On 20 September 2016 at 09:15, Hongxu Jia <hongxu.jia at windriver.com
>>>>> <mailto:hongxu.jia at windriver.com>> wrote:
>>>>>
>>>>> -Upstream-Status: Submitted [Sent email to rpm-devel at rpm5.org
>>>>> <mailto:rpm-devel at rpm5.org>]
>>>>> +Upstream-Status: Rejected [Sent email to rpm-devel at rpm5.org
>>>>> <mailto:rpm-devel at rpm5.org>]
>>>>> +http://rpm5.org/community/rpm-devel/5655.html
>>>>> <http://rpm5.org/community/rpm-devel/5655.html>
>>>>>
>>>>>
>>>>> Considering upstream has explicitly rejected this patch, why should we accept it?
>>>>>
>>>>> Ross
>>>>>
>>>>>
>>>>
>>>> I'm confused by what the patch is doing looking at it.
>>>>
>>>> It sounds like from the description there is a bug that without the change,
>>>> packages with (intentionally) bad checksums and such are allowed to be installed.
>>>>
>>>> The bug is caused by a previous patch that enabled nosignature, etc -- because
>>>> the comparisons turned out to be backwards.
>>>>
>>>> So really nosignature, etc is already in place -- it's just not working properly?
>>>>
>>>> What was rejected upstream is the use of nosignature in any context. RPM5
>>>> maintainer believes it is unwise and unsafe to permit uses to install packages
>>>> that have failed basic validation. (I tend to agree.) Similarly, even being
>>>> able to run queries and other operations against them may be dangerous as well.
>>>
>>> If command like "rpm5 -qp --nosignature --nodigest <file.rpm>" queries database,
>>> then it would cause rpm5 hang when more than one "rpm5 -qp" is running, so I
>>> fixed the *query* problem, and the *install* problem is not caused by the fix.
>>> Btw., *rpm4* doesn't query database when "rpm -qp file.rpm", if we are going
>>> to use dnf in next release, maybe we can consider using rpm4 as Fedora does.
>>> I did a rough statistics for oe-core's local patches, the winner is rpm, it
>>> has 77 local patches, that's not good for maintaining, and you can imagine that
>>
>> 30 patches are simply configuration changes.
>>
>> 42 patches are bug fixes that have been submitted and will likely go away in the
>> next uprev.
>>
>>> how many times it surprised us. rpm4 should be more stable than rpm5, I don't
>>> know how many distros use rpm5, I can't access rpm5.org atm, it seems that the
>>> web is down (It was OK yesterday), but widely used distros like Redhat and Suse
>>
>> The website is working for me today.
>>
>>> uses rpm4, so maybe rpm4 will make our life much more easier, and also for
>>> yocto's user. I think that why we need rpm5 before was because we need use it
>>
>> There is a major problem with rpm4. It doesn't support cross compiling at all.
>> We know in the past there have been significant problems with it and BerkleyDB
>> with endian issues. Also it was not possible to do cross-architecture installs
>> (in the past, this one might be resolved.)
>>
>> The general functionality between RPM4 and RPM5 is nearly identical. RPM 4 has
>> a plug-in interface (which I personally don't believe should be used due to
>> security issues.) RPM 5 has a focus around specific security enhancements.
>> Some are reasonable, some are a bit too experimental to be used.
>>
>> The other main difference is software license. RPM 4 is 'GPLv2', while RPM5 is
>> 'LGPLv2'. This doesn't sound like a big deal at first -- but RPM 4 can't be
>> linked to OpenSSL for it's crypto library. RPM 4 is linked ONLY to NSS, while
>> RPM5 can use beecrypt, nss, openssl and others. This makes for a significantly
>> more flexible embedded system.
>>
>>> to compute the package dependencies, but now we have smartpm, so we don't rely
>>> on that any more.
>>>
>>> Here is the recipe list which has more than 10 local patches, and we have 1762
>>> patches atm:
>>> 77 rpm
>>
>> I'd think it's a better comparison to say '30', the configuration items. So
>> it's similar to perl or openssl in complexity. I'd agree that is a fair comparison.
>>
>>> 59 gcc-5.4
>>> 49 gcc-6.2
>>> 36 ltp
>>> 31 python3
>>> 30 perl
>>> 29 openssl
>>> 28 man
>>> 27 glibc
>>> 24 python
>>> 23 tcp-wrappers-7.6
>>> 23 systemd
>>> 18 busybox
>>> 14 syslinux
>>> 14 python-smartpm
>>> 14 elfutils-0.166
>>> 14 apt
>>> 13 qemu
>>> 13 libtool
>>> 13 gstreamer1.0-plugins-bad
>>> 13 glib-2.0
>>> 13 binutils
>>> 13 bind
>>> 12 coreutils-6.9
>>> 11 valgrind
>>> 11 gdb
>>> 11 dhcp
>>> 11 autoconf
>>> 10 unzip
>>> 10 dpkg
>>> 10 console-tools-0.3.2
>>>
>>>>
>>>> If fixing the problem is as simple as reverting the other change -- and that
>>>> doesn't cause other problems elsewhere... I'd rather see that.
>>>
>>> We can't revert the patch, it would break packagefeed-stability.bbclass,
>>> we will see the hang
>>
>> Something is wrong with the implementation then.
>>
>> You should not be doing the equivalent of:
>>
>> list = '<all packages>'
>> for each in list; do rpm -qp $each ; done
>>
>> This is HORRIBLY inefficient, even with rpm4.
>>
>> The proper way to query a number of packages is in a single transaction. This
>> permits RPM to load the data and validation structures once.
>>
>> This is equivalent to:
>> rpm -qp `cat list`
>>
>> or
>>
>> echo list > /tmp/tmpfile
>> rpm -qp /tmp/tmpfile
>
> pkg-diff.sh from build-compare can only use two rpm pkgs as arguments:
>
> pkg-diff.sh rpm1 rpm2
Sounds like a potential -future- enhancement to build-compare.
> So we use "for each in list; do pkg-diff.sh each1 each2; done". We need
> change pkg-diff.sh to make it accept files as arguments. And it works well
> with rpm4, so I'm not sure whether the upstream can accept such a change
> or not. The hang reason for rpm5 is that it reads database (/var/lib/rpm)
> when not needed, so I think that fix rpm5 is the correct way.
A quick and simple alternative (since quering the DB isn't desired in any case)
is to simple set '--dbpath=<random tmp location>' then after the query remove
the tmp location. No database, no collision, no problem.
--Mark
> // Robert
>
>
>
>>
>> (The later solving the problem of 'too many arguments')
>>
>> This may seem counter intuitive, as the first way looks to be better on a
>> multi-core machine -- but in my experience the overhead of starting rpm, setting
>> up the data structures is very expensive, much more then the
>> load/validate/display of the package information.
>>
>> --Mark
>>
>>>
>>>>
>>>> --Mark
>>>>
>>
>>
More information about the Openembedded-core
mailing list