A Red Hat customer is using the gradle plugin to build his RPM packages.
When using a snippet as shown below, it ends up creating an RPM with directories marked with the %config flag, e.g.:
```
from ('src'){
    fileType CONFIG
    into '/opt/foo/bar'
    createDirectoryEntry true
    addParentDirs false
}
fileMode = 0755
```
ends up getting an RPM with /opt/foo/bar being tagged:
```
# rpm -qp --qf "[%{filenames} %{fileflags:fflags} \n]" ~/foo-1.0.noarch.rpm
/opt/foo/bar c
/opt/foo/bar/somedir c
/opt/foo/bar/somefile c
```
This leads to the following error when installing the package with the latest RPM found on Fedora 38 (rpm-4.18.2-1.fc38) and RHEL8 (rpm-4.14.3-28.el8_9), in case /opt/foo/bar doesn't already exist:
```
# rpm -i ~/foo-1.0.noarch.rpm
error: failed to open dir platform of /opt/foo/bar/: No such file or directory
error: unpacking of archive failed on file /opt/foo/bar/somedir: cpio: open failed - No such file or directory
error: foo-1.0.noarch: install failed
```
On RHEL8, such a package could be installed with older releases of RPM, up to and including rpm-4.14.3-26.el8, i.e. before fixing CVE-2021-35937, CVE-2021-35938 and CVE-2021-35939.
We believe (@ffesti and myself) that tagging a directory with the %config flag is an error; the flag should only be used with regular files.
Could you please confirm it's indeed an error to flag directories with the %config flag?
If so, would it be possible to harden RPM to fail with a different error, clearly stating the RPM is not following the spec?
To Reproduce
Steps to reproduce the behavior:
I don't know, this seems to require gradle plugin.
%config is only allowed for regular files and links. While rpmbuild won't
produce package with other files with %config other tools might. Handle
these cases gracefully by ignoring the %config flag.
Resolves: rpm-software-management#2890
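
A build-side check for the condition described above, as an added example that is not part of the original issue or of RPM itself: it reads a per-file listing and reports entries that carry the `c` flag but are neither regular files nor symlinks. The function names, the `|`-separated query format and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the issue or the RPM project).
# Assumed input, one line per packaged file, produced by e.g.:
#   rpm -qp --qf '[%{filemodes:perms}|%{fileflags:fflags}|%{filenames}\n]' pkg.rpm
# A '|' separator is used because the fflags field is empty for unflagged files.

# Hypothetical helper: read such lines on stdin and print the paths of entries
# flagged %config ('c' in fflags) that are not regular files ('-') or
# symlinks ('l'). Returns 1 if any such entry was found, 0 otherwise.
find_bad_config() {
    awk -F'|' '
        NF >= 3 {
            type = substr($1, 1, 1)
            # Re-join the path in case it contains the separator itself.
            path = $3
            for (i = 4; i <= NF; i++) path = path "|" $i
            if (index($2, "c") > 0 && type != "-" && type != "l") {
                print path
                bad = 1
            }
        }
        END { exit (bad + 0) }
    '
}

# Constructed sample modelled on the listing in the issue, plus a few
# legitimate entries that must not be reported.
sample_listing() {
    cat <<'EOF'
drwxr-xr-x|c|/opt/foo/bar
drwxr-xr-x|c|/opt/foo/bar/somedir
-rwxr-xr-x|c|/opt/foo/bar/somefile
-rw-r--r--|cn|/etc/foo.conf
lrwxrwxrwx|c|/etc/foo-link.conf
drwxr-xr-x||/usr/share/foo
EOF
}

# Demo run on the constructed sample: prints the two offending directories.
sample_listing | find_bad_config || echo "non-file entries are flagged %config" >&2
```

Run against a freshly built package in CI, a non-zero return from the helper catches the bad flag before the package reaches a host whose RPM refuses to unpack it.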