
rpminspect-0.5

@dcantrell released this 05 Sep 19:29

rpminspect-0.5 is now available with the following bug fixes and improvements:

  • Support running rpminspect on local RPM packages (#23). You may now specify a local RPM or SRPM as the input for rpminspect. If you specify a before and after file, rpminspect will assume they are peers and will perform applicable inspections.

  • Adjust the 'text' output mode by adding some extra blank lines for readability.

  • For the 'changedfiles' inspection, get the list of possible C and C++ header file endings from the header_file_extensions setting in rpminspect.conf.

  • Add dnf instructions to the README file to help get the development packages installed on Fedora or RHEL.

  • Prevent a crash in get_product_release() when the build specification lacks enough information to infer a product release (e.g., a Koji build ID).

  • Start an integration test suite in the tests/ subdirectory.

  • Adopt a Code of Conduct for the project; see CODE_OF_CONDUCT.md.

  • Move the data/setuid subdirectory to data/stat-whitelist. The files will be installed to /usr/share/rpminspect and the stat-whitelist subdirectory provides information on file modes, owners, and groups for known setuid/setgid files.

  • Process a [vendor-data] section in the configuration file which contains paths to locations provided by the rpminspect data package.

  • Fix configuration file detection in rpminspect.

New inspections:

  • Implement the 'removedfiles' inspection. When comparing two builds, rpminspect reports files that were present in the before build's packages but are missing from the after build. If the removed file was an ELF shared object, rpminspect reports it as RESULT_BAD, noting that it may be a potential ABI break. Files removed from a security path prefix are also marked RESULT_BAD and WAIVABLE_BY_SECURITY. All other removals are reported as RESULT_VERIFY.

  • Implement the 'addedfiles' inspection. Roughly the inverse of removedfiles, with a few extra checks. It ignores debuginfo files and Python .egg-info files. It reports any package that adds files under /var/tmp or /tmp, any *~ or *.orig files, and any subdirectories such as __MACOSX, .cvs, or .git. These lists are all configurable in the rpminspect.conf file. Lastly, if a new setuid or setgid file is added, it is flagged for a security team review unless it appears on the stat-whitelist for the product release and the expected mode, owner, and group match those in the package.
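As an added illustration, not code from rpminspect itself, the following Python sketch applies the removedfiles and addedfiles rules described above to constructed before/after file lists. The sample paths, the shape of the stat-whitelist, the security-path prefixes, and the RESULT_* levels assigned to addedfiles findings are assumptions; only the removedfiles grades are taken from the notes.

```python
import fnmatch
import stat

# Constructed stand-ins for the rpminspect.conf settings (not the real config keys).
FORBIDDEN_PREFIXES = ("/tmp/", "/var/tmp/")
FORBIDDEN_GLOBS = ("*~", "*.orig")
FORBIDDEN_SUBDIRS = ("__MACOSX", ".cvs", ".git")
IGNORED_GLOBS = ("/usr/lib/debug/*", "*.egg-info", "*.egg-info/*")
SECURITY_PREFIXES = ("/etc/pam.d/", "/etc/sudoers.d/")  # assumed "security path" prefixes

def entry(mode, elf_shared=False, owner="root", group="root"):  # one packaged file's metadata
    return {"mode": mode, "owner": owner, "group": group, "elf_shared": elf_shared}

def grade_removed(path, info):  # severities as the removedfiles notes describe them
    if info["elf_shared"]:
        return "RESULT_BAD", "potential ABI break"
    if path.startswith(SECURITY_PREFIXES):
        return "RESULT_BAD", "WAIVABLE_BY_SECURITY"
    return "RESULT_VERIFY", "file removed"

def inspect_removedfiles(before, after):
    return [(p, *grade_removed(p, i)) for p, i in sorted(before.items()) if p not in after]

def grade_added(path, info, stat_whitelist):
    """(severity, note) for a new file that breaks an addedfiles rule, else None (assumed levels)."""
    if path.startswith(FORBIDDEN_PREFIXES):
        return "RESULT_BAD", "file installed under a temporary directory"
    if any(fnmatch.fnmatch(path.rsplit("/", 1)[-1], g) for g in FORBIDDEN_GLOBS):
        return "RESULT_BAD", "editor backup or patch leftover"
    if any(d in path.split("/")[:-1] for d in FORBIDDEN_SUBDIRS):
        return "RESULT_BAD", "stray VCS or archive metadata directory"
    if info["mode"] & (stat.S_ISUID | stat.S_ISGID):  # allowed only with a matching whitelist entry
        if stat_whitelist.get(path) != (info["mode"] & 0o7777, info["owner"], info["group"]):
            return "RESULT_BAD", "WAIVABLE_BY_SECURITY"
    return None

def inspect_addedfiles(before, after, stat_whitelist):  # debuginfo and .egg-info are skipped
    new = [(p, i) for p, i in sorted(after.items())
           if p not in before and not any(fnmatch.fnmatch(p, g) for g in IGNORED_GLOBS)]
    graded = ((p, grade_added(p, i, stat_whitelist)) for p, i in new)
    return [(p, *g) for p, g in graded if g]

# Constructed before/after file lists for a fictional "foo" package.
BEFORE = {"/usr/bin/foo": entry(0o755), "/usr/lib64/libfoo.so.1": entry(0o755, elf_shared=True),
          "/etc/pam.d/foo": entry(0o644), "/usr/share/doc/foo/README": entry(0o644)}
AFTER = {"/usr/bin/foo": entry(0o755), "/usr/bin/foo-helper": entry(0o4755),
         "/usr/bin/foo-admin": entry(0o4755), "/var/tmp/foo.cache": entry(0o644),
         "/usr/share/foo/config.orig": entry(0o644), "/usr/share/foo/.git/config": entry(0o644),
         "/usr/lib/debug/usr/bin/foo.debug": entry(0o644)}
WHITELIST = {"/usr/bin/foo-helper": (0o4755, "root", "root")}  # stat-whitelist stand-in
```

Running `inspect_removedfiles(BEFORE, AFTER)` flags the dropped shared object and the PAM file as RESULT_BAD and the README as RESULT_VERIFY, while `inspect_addedfiles(BEFORE, AFTER, WHITELIST)` passes the whitelisted setuid helper and reports the unlisted setuid binary, the /var/tmp file, the .orig leftover, and the .git directory.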

Builds are available in Copr as well as the f31 and rawhide branches.