Releases: rpminspect/rpminspect

rpminspect-1.3.1

24 Feb 21:26
v1.3.1

A followup to rpminspect-1.3 to address one critical bug that was found after the release was tagged.

  • Update translation template
  • Remove duplicate elf_end() call in init_elf_data() (#303)

rpminspect-1.3

23 Feb 19:42
v1.3

General release and build process changes:

  • Move the master branch to version 1.3
  • Change Suggests to Recommends in the spec file
  • Create mkannounce.sh to help make release announcements easier
  • shellcheck fixes for mkannounce.sh

Config file or data/ file changes:

  • Add kmidiff and politics to the inspections section of generic.yaml

Changes to the GitHub Actions CI scripts and files:

  • Build and install rc from source on opensuse-leap
  • Add .github/ and osdeps/ directories to extra-ci.yml
  • Build and install rc from source on opensuse-tumbleweed
  • Adjust curl(1) command line used for rc in opensuse CI jobs
  • s/PowerTools/powertools/g in the centos8 PKG_CMD definition
  • The output of html2text on opensuse systems is different
  • Fixes for GitHub Actions on Debian and Ubuntu
  • Disable Rust support in pip modules, more extra-ci fixes
  • Update pip and setuptools on debian and ubuntu CI jobs
  • Make sure pip is updated on debian, centos7, and centos8
  • Fixes for extra-ci on arch, centos7, centos8, and debian
  • Adjust docker image names for opensuse and arch
  • Add Gentoo Linux to the Extra CI set
  • extra-ci.yml typo fix for the gentoo job
  • Use gentoo/stage3 as the container for the gentoo CI job
  • Disable opensuse-tumbleweed and archlinux CI jobs
  • Make sure util/determine-os.sh picks up Gentoo Linux
  • Use pip install for PIP_CMD on gentoo
  • Set PIP_CMD to pip install -user for gentoo
  • Stop doing an emerge --sync on the gentoo CI job
  • Replace emerge --sync with a manual portage sync
  • Use emerge-webrsync to update portage on gentoo

rpminspect(1) changes:

  • Support the new output function call syntax (#264)

Documentation changes:

  • Add doc/git.md to explain source control conventions
  • Update doc/git.md on how to track upstream
  • Update TODO and README.md files
  • Typo fix in README.md

General bug fix in the library or frontend program:

  • Use warn() for non-fatal errors in mkdirp()
  • Swap out some more fprintf()/fflush() reporting with warn()
  • #include <err.h> in peers.c and rmtree.c
  • Correctly handle the -w option on rpminspect(1) (#256)
  • Drop the relative path handling for the -w option
  • Skip debug packages in filesize, display changes correctly
  • Fix YAML config file reading for BLOCK_INSPECTIONS
  • Expand dump_config() to cover all config file settings
  • Simplify list_to_string() so it handles 1-element lists right
  • Output the system-out xunit portion as CDATA (#264)
  • Slightly change how strxmlescape() works
  • Fix block handling problems in the YAML config reader
  • Note single builds cannot be rebases in is_rebase()
  • Handle a NULL from list_to_string() in abspath()
  • Fix some memory leaks found by valgrind

librpminspect feature or significant changes:

  • Require libabigail >= 1.8 in rpminspect.spec.in
  • Enable multiple --headers-dir1 and --headers-dir2 args in abidiff
  • Rename HEADER_MAN to HEADER_MANPAGE (#264)
  • Add inspection_header_to_desc() to librpminspect (#264)
  • Move init_elf_data() to readelf.c, move data to struct rpminspect
  • Remove check_ipv6() from inspect_elf.c
  • Add abspath() to canonicalize path strings
  • Add strxmlescape() to strfuncs.c in librpminspect (#264)
  • Handle the empty string case in abspath()
  • Expand dump_cfg() to show runpath settings
  • Hook up the driver for the runpath inspection
  • Add uthash and move the file matching code to it.

New inspections or inspection changes (not bug fixes):

  • Add xunit output format support (#264)
  • Create the badfuncs inspection
  • Add the runpath inspection to librpminspect
  • In the runpath inspection, fail if DT_RPATH and DT_RUNPATH exist
  • Do not match path prefixes in the runpath inspection

Test suite changes:

  • Update inspect_elf.c unit tests for librpminspect changes
  • Add badfuncs test cases
  • Rename test/data/lto.c to test/data/mathlib.c
  • Install patchelf for tests on fedora and centos
  • Pass -D to rpminspect in the test suite
  • Add integration tests for the runpath inspection
  • Python flake8 and black fixes in test_runpath.py
  • Python black fixes for test_runpath.py

rpminspect-1.2

26 Oct 18:20
v1.2

Inspections:

  • Add the 'config' inspection to librpminspect
  • Add the 'doc' inspection to librpminspect
  • Rename the '%files' inspection to 'files' (#194)
  • Add the 'patches' inspection to librpminspect
  • Implement the 'virus' inspection and add test cases for it
  • Add the 'politics' inspection to librpminspect
  • Rename the 'DT_NEEDED' inspection to 'dsodeps'
  • Rename 'LTO' inspection to 'lto'

Enhancements:

  • Use is_rebase() in the 'upstream' inspection
  • Use rpmtdSetIndex() and rpmtdGetString() in get_header_value()
  • Add get_rpmtag_fileflags() to files.c and call from extract_rpm()
  • Rephrase reporting messages in the 'config' inspection
  • Add a -D/--dump-config option to rpminspect(1)
  • Add init_rebaseable() to librpminspect
  • Check the rebaseable list in is_rebase() in librpminspect
  • Remove unnecessary basename() calls in inspect_upstream.c
  • Add get_rpm_header_string_array() to librpminspect
  • Replace init_source() with get_rpm_header_string_array() in inspect_upstream.c
  • Add uncompress_file() to librpminspect
  • Add filecmp() and use that in place of zcmp/bzcmp/xzcmp
  • Go ahead and wrap the rest of the libarchive compression filters
  • Make sure uncompress_file() supports xz compression
  • Handle more compressed file MIME types
  • Support single package URLs for before and after builds (#190)
  • Use warnx(), errx(), and err() in src/rpminspect.c
  • Update the rpminspect.1 man page to reflect current status
  • Support relative directory paths for the -w option (#188)
  • Support slightly older versions of libclamav in inspect_virus.c
  • Expand librpminspect with support for SHA-224, SHA-384, and SHA-512
  • Define DEFAULT_MESSAGE_DIGEST in constants.h and use that.
  • Replace some fprintf()/fflush() calls with warn()/warnx() calls
  • Improve reporting in the patches inspection
  • Allow optional 'commands' block in the config file
  • Allow a set of excluded path prefixes in 'pathmigration'

Bug fixes:

  • Use correct Version and Release values in download_build()
  • #include <rpm/rpmfiles.h> -> #include <rpm/rpmfi.h>
  • Use global reported variable in 'config' inspection
  • Fix reporting errors in the 'doc' inspection
  • Do not assume an or bn contain strings in is_rebase() (#196)
  • free() allocated output string in inspect_changelog.c on errors
  • s/10240/16384/ in archive_read_open_filename() call in unpack.c
  • Only enable lz4 compression if ARCHIVE_FILTER_LZ4 is defined
  • Remove unnecessary 'a' in DESC_PATCHES
  • Handle invalid/missing RPMs in get_product_release()
  • Fix a variety of small memory leaks in librpminspect
  • 'it should added' -> 'it should be added'
  • Only fail 'changedfiles' for VERIFY and higher results
  • If 'removedfiles' only reports INFO messages, pass the inspection
  • If 'addedfiles' only reports INFO results, pass the inspection
  • If 'patches' only reports INFO results, pass the inspection
  • No need to check value of allowed in permissions_driver()
  • Do not let INFO results fail the 'doc' inspection.
  • Do not let all INFO results in 'upstream' fail the inspection
  • Fix RPMFILE_FLAGS handling for %config files (#221)
  • Still report file changes in the 'config' inspection for rebases
  • Correctly check RPMFILE_DOC flags in the 'doc' inspection
  • Include rpm/rpmfi.h instead of rpm/rpmfiles.h
  • Only check regular files and symlinks in the 'doc' inspection
  • Remove unnecessary assert() statements in filecmp()
  • Remove incorrect warnx() reportings based on filecmp() return value
  • Exclude man pages from the 'doc' inspection
  • Honor the -a command line option for downloads as well as runtime (#233)
  • Fix assorted non-critical memory leaks
  • Remove unnecessary warn() after a failed stat()
  • Additional memory fixes for the abidiff inspection (#244)
  • Free ELF symbol names list in find_lto_symbols() before return
  • Followup to the memory fixes for read_abi() and free_abi()
  • Prevent invalid pointer dereferencing in invalid result in 'patches' (#245)
  • Avoid reusing the same abi_pkg_entry_t struct in read_abi()
  • Fix the YAML parsing for the pathmigration block

Data files:

  • Add config and doc to the inspections list in generic.yaml
  • README.md updates
  • Update po/ template files
  • Note all valid message digests in data/politics/GENERIC

Tests:

  • Minor updates to try and make gate.sh more reliable
  • Modify baseclass.py to allow 'before' and 'after' NVR tuples
  • Use the after tuple to override the NVR in test_abidiff.py
  • Use the after tuple to override the NVR in test_upstream.py
  • Write rpminspect output to a file in the test suite
  • Add 28 test cases for the 'config' inspection
  • Fix the errors in the 'config' inspection found by the test suite
  • Fix Python problems in the test suite reported by black and flake8
  • Add Makefile targets for black and flake8
  • One more formatting issue reported by Python black in test_config.py
  • More 'python black' formatting errors reported for test_config.py
  • https://mandoc.bsd.lv -> http://mandoc.bsd.lv
  • Add test_doc.py with 'doc' inspection test cases
  • Ignore flake8 W291 in test_doc.py where we explicitly want whitespace
  • Define a new GitHub Action using utils/gate.sh
  • shellcheck fixes for utils/gate.sh
  • Install fedora-packager for the gate.yml GitHub Action
  • Remove before and after variables from gate.sh; unused
  • Adjust what things run during with GitHub Actions
  • Restrict some GitHub Actions to source code and test suite changes
  • Add test_changedfiles.py to the test suite
  • Add test_patches.py with test cases for the 'patches' inspection
  • flake8 fixes in the test suite
  • Python format fixes for test_changedfiles.py
  • Python format fixes for test_patches.py
  • Better explanation as to why the EmptyLicenseTag tests are skipped
  • Test suite cleanup; add rebase= and same= to TestCompareSRPM
  • Black formatting fixes for the test suite
  • Remove unused imports in test_upstream.py
  • Python formatting fixes for test_virus.py
  • Update the osdeps/*/reqs.txt files.
  • More osdeps updates for the clamav needs
  • Install 'xz' for the 'style' GitHub Action
  • Stop the freshclam service for the Ubuntu gate job
  • In tearDown() in the test suite, call rpmfluff clean() methods
  • Add test_politics.py with 'politics' inspection test cases
  • Python black format fixes for test_politics.py
  • Increase the runtime timeout for test_virus.py
  • Install the timeout decorator on all OSes in our GitHub Actions

Release:

  • For BUILDTYPE=release, generate the correct type of changelog
  • Minor logic error in submit-koji-builds.sh
  • Fix reading existing spec file in submit-koji-builds.sh
  • Use utils/find-ninja.sh to determine what ninja-build command to use
  • Modify submit-koji-builds.sh to pick up all pkg-git branches

rpminspect-1.1

11 Sep 19:05
v1.1

Here's a summary of changes in this release of rpminspect. There are 5 new inspections, a lot of bug fixes, and a lot of CI improvements.

Bug fixes:

  • Don't assume we have a header or even a list of files (#161)
  • Fix memory corruption in init_rpminspect
  • Add missing DESC_MOVEDFILES block to inspection_desc()
  • Ensure an int is used for snprintf() in inspect_manpage_path()
  • Only report permissions change if there is a mode_diff (#181)
  • Fix -Werror failures in inspect_abidiff.c
  • Expand find_one_peer() to soft match versioned ELF shared libraries
  • Be sure to close the open file before exiting init_fileinfo()
  • Handle builds that lack all debuginfo packages (#186)
  • Do not assume peer->after_hdr exists (#187)
  • Fix memory leaks in abi.c functions
  • open() failure in readfile() is not fatal, just return NULL
  • Avoid comparing elf files that are not shared libraries
  • Make sure to close open file descriptors from get_elf() calls

New inspections:

  • The '%files' inspection looks at the %files blocks in the package spec file and checks for forbidden paths as defined in the configuration settings.
  • The 'types' inspection compares MIME types between builds and reports changes for verification or informational purposes.
  • The 'movedfiles' inspection reports if a file moved between subpackages (#155)
  • The 'abidiff' inspection runs ELF objects through abidiff(1) from the libabigail project to report breaking ABI changes
  • The 'kmidiff' inspection compares Linux kernel images and module directories to check for Kernel Module Interface/KABI compatibility

Major changes:

  • Configuration files move to /usr/share/rpminspect and out of /etc/rpminspect
  • No default configuration file provided (this allows multiple rpminspect-data packages on the system)
  • The configuration file in rpminspect-data-generic is now named 'generic.yaml'
  • Related to https://www.redhat.com/en/blog/making-open-source-more-inclusive-eradicating-problematic-language, rename some of the configuration files and internal data structures:
    • In the configuration file, rename ipv6_blacklist to forbidden_ipv6_functions
    • In /usr/share/rpminspect, rename stat-whitelist/ to fileinfo/
    • In the code, replace "stat_whitelist" with "fileinfo".
    • In the code, replace "caps_whitelist" with "caps".
    • In /usr/share/rpminspect, rename abi-checking-whitelist/ to abi/
    • In /usr/share/rpminspect, rename version-whitelist/ to rebaseable/
    • In /usr/share/rpminspect, rename political-whitelist/ to politics/ (this directory now contains per-release files with the format described in the example file)
  • Relicense librpminspect (lib/ and include/) as LGPL-3.0-or-later
  • License the rpminspect-data-generic subpackage as CC-BY-4.0
  • Add abi.c, the code that reads in the ABI compat level files (#144)
  • Add -n/--no-rebase command line option to disable rebase detection
  • Define new configuration file section for the 'abidiff' inspection
  • Define new configuration file section for the 'kmidiff' inspection

Inspections:

  • Only fail the annocheck inspection for RESULT_VERIFY
  • Read debuginfo if available when running the 'annocheck' inspection
  • Skip debuginfo and debugsource packages in the 'types' inspection
  • Report findings for rebased builds in movedfiles, addedfiles, and removedfiles as INFO changes
  • The 'movedfiles' inspection runs before addedfiles and removedfiles to account for moves before the other changes
  • In the 'filesize' inspection, multiply the file size difference before dividing
  • Enable 'permissions' inspection for single build analysis
  • In the 'filesize' inspection, drop extra - from the message about file shrinkage
  • Make sure all RESULT_INFO results are set to NOT_WAIVABLE
  • Fix some specific problems with the 'permissions' inspection
  • Update test_symlink.py tests for new waiver_auth values
  • Report 'metadata' changes for rebased packages as INFO
  • Do not fail the 'specname' inspection when given a non-SRPM
  • For passing 'upstream' inspections, do not report a remedy string
  • Do not fail the 'lostpayload' inspection if it only gives INFO messages
  • Clarify unapproved license message in the 'license' inspection

Test suite:

  • Add test suite cases for the '%files' inspection
  • Add test suite cases for the 'types' inspection
  • Build 'execstack' test program with -Wl,-z,lazy to eliminate BIND_NOW
  • Drop unnecessary method re-definitions in base test classes
  • Use super() rather than explicitly calling the parent class
  • Call configFile() on object instance rather than using the parent class
  • Improve the error reporting for test result checking
  • Add basic tests for the filesize inspection
  • Optionally check the result message
  • Add further filesize tests for shrinking files
  • Add 24 new test cases to cover the 'permissions' inspection
  • Pass "-r GENERIC" to rpminspect in the TestCompareKoji class
  • If check_results() raises AssertionError, dump the JSON output
  • Fix test_changelog.py test cases that are failing
  • Fix UnbalancedChangeLogEditCompareKoji
  • Handle rpm versions with x.y.z.w version numbers in test_symlinks.py
  • Add test_addedfiles.py to the integration test suite
  • Update the test suite to cover rpmfluff 0.6
  • Add integration test cases for the abidiff inspection (#144)
  • Add 12 more 'permissions' inspection test cases for setuid file checks

CI:

  • Migrate from Travis-CI to GitHub Actions
  • Create a top-level directory tree called osdeps/ with specifics for each operating system used in CI
  • Run CI on Fedora rawhide, Fedora latest stable, Debian testing, Ubuntu latest, OpenSUSE Leap, OpenSUSE Tumbleweed, CentOS 8, CentOS 7, and Arch Linux
  • Run flake8 and black for Python code in the test suite
  • Run ShellCheck on shell scripts in the tree
  • Upload coverage report to https://codecov.io/gh/rpminspect/rpminspect/
  • Add --diff to the Python format checker

Other Changes:

  • Formatting fixes for 'make help' output
  • Add __attribute__((sentinel)) to the run_cmd() prototype
  • Modify add_entry() in init.c to skip duplicate entries
  • Change 'nls' option in meson_options.txt to a boolean
  • Modify meson.build to work with xmlrpc-c installations that lack a pkgconfig script
  • Check all return values of getcwd()
  • Move top level docs to MarkDown format
  • Add Makefile target to maintain the AUTHORS.md file
  • Add a copy of the Apache 2.0 license for the 5 files in librpminspect
  • Update the License tag in the rpminspect.spec.in template file and the %license lines
  • Support building on systems that lack <sys/queue.h>
  • Add sl_run_cmd() to librpminspect, which is like run_cmd() but it takes a string_list_t instead of a varargs list
  • Add init_arches() to librpminspect to create a cached ri->arches string_list_t
  • Move free_argv_table() to runcmd.c
  • Store copy of original pointer in strsplit() to free at the end
  • Use mmap() and strsplit() in read_file() rather than a getline() loop
  • Add utils/gate.sh for use from a .git/hooks/pre-push script to ensure changes to the C files in the tree will work across rpminspect runs for a handful of package builds
  • Have check_abi() pass back the ABI compat level found
  • Use read_file() in init_fileinfo(), init_caps(), validate_desktop_contents(), and disttag_driver()
  • Adjust how init_fileinfo() and init_caps() iterate over file contents
  • Fix 'tox -e format' style problems found
  • Trim worksubdir from paths in reported abidiff and kmidiff commands
  • Use FOPEN_MAX for nopenfd parameter in nftw() calls
  • Make sure kmidiff is listed in the spec file

rpminspect-1.0

26 Jun 14:44

The major change in this release is the move to YAML for the configuration file and profile format. Those files now end in .yaml rather than .conf to reflect the change. The rpminspect.yaml has also received a bit of restructuring to make things a bit more consistent. Comments are included along with example settings or options commented out.

Enhancements:

  • Use YAML for the rpminspect configuration file and profiles
  • Remove '#include <iniparser.h>' from rpminspect.h
  • Update 'hardened' annocheck definition, add another LTO prefix
  • Add some basic verbose output from rpminspect(1)
  • Split 'emptyrpm' inspection into 'lostpayload' and 'emptyrpm' (#147)
  • Handle INSPECT_LOSTPAYLOAD in inspection_desc()
  • Add DESC_PATHMIGRATION and reformat the struct inspect for reading.
  • Report %changelog section differences as INFO (#123)
  • Add get_specfile_macros() and get_macros() to librpminspect (#152)
  • Don't worry about EM_BPF objects in ELF_K_AR file types (#153)
  • Support macros in the Release tag in the 'disttag' inspection (#152)
  • Simplify the get_elf_section() function a bit.
  • Drop eu-elfcmp(1) usage in the changedfiles inspection.
  • Rename on_stat_whitelist() to on_stat_whitelist_mode(), fix some errors.
  • Add on_stat_whitelist_owner() and on_stat_whitelist_group()
  • Ignore debug paths in the symlinks inspection.
  • Restrict RPM spec file macro gathering to %define and %global.
  • Ignore multiline macros in get_specfile_macros()
  • Add ignore_path() function to librpminspect
  • Expand foreach_peer_file() with use_ignores parameter.
  • Update the 'ignore' section in rpminspect.yaml with additional Python files.
  • Expand strreplace() to support removing substrings.
  • Trim rpminspect working directory from annocheck(1) details.
  • Skip debuginfo files in the 'annocheck' inspection.

Bug Fixes:

  • Reduce the number of (null) prints in debug mode for shellsyntax
  • Force kver in list iteration to a string.
  • Debugging output in inspect_lto.c
  • More debugging output in inspect_lto.c
  • In find_lto_symbols(), start at SHT_PROGBITS instead of SHT_SYMTAB.
  • Move () usage for DESC* macros to inspect.h
  • Report dangling symlinks as INFO for now (#145)
  • Fix ELF_K_AR handling in get_elf_machine() (#153)
  • Remove stray 7 from an #include line
  • Fix -fPIC loss/gain reporting in the elf inspection (#153)
  • Do not report all after objects without -fPIC as having lost PIC (#153)
  • Remove DEBUG_PRINT for the config file name read in init.c
  • Display errno value when getpwnam_r() or getgrnam_r() fail
  • Handle missing users and groups from the system
  • Only try to read the UID or GID in the ownership inspection.
  • Final getpwnam_r()/getgrnam_r() changes for whitelist.c
  • If shdr in _get_elf_helper() is NULL, return NULL.
  • s/%%/%/g in results.h
  • Account for whitespace other than ' ' on Release: lines (#157)
  • In the 'symlinks' inspection, if reltarget is "", do not try to further modify it (#159)
  • Make sure all static path buffers use PATH_MAX consistently.
  • Followup to the PIC check for static ELF libraries (#153)

Test Suite:

  • Fixes a ValueError if hostname has no periods
  • Install python3-pyyaml in the Docker test environment.
  • Use fedora:rawhide for the Docker tests.
  • Try multiple ways of finding the kernel development files in test_kmod.py
  • Syntax error in test_kmod.py
  • In test_ownership.py, use the built rpminspect rather than a script.
  • In test_symlinks, use built rpminspect rather than a shell script.
  • Use built executables in test_upstream.py tests rather than scripts.
  • Add '%global __os_install_post %{nil}' to rpmfluff spec headers.
  • Make sure man pages we expect gzipped are gzipped in test_manpage.py
  • Set QA_SKIP_BUILD_ROOT=1 in %install in test_symlinks.py tests.
  • Add '%global __arch_install_post %{nil}' to symlinks spec headers.
  • Install kernel-core for the test suite.
  • Find the kernel build directory in test/data/derp-kmod/Makefile
  • Skip ELOOP symlink tests if rpm >= 4.15.90 is used
  • Pass the kernel build directory to derp-kmod/Makefile from test_kmod.py
  • Install 'make' in the Docker test environment
  • Support Linux 5.6.0 struct proc_ops in derp-kmod
  • Report changed files as RESULT_INFO when rebasing packages (#150)
  • Ignore missing XML entity definition errors (#148)
  • Install python3-devel for the test suite.
  • Install libffi-devel for the test suite
  • Use the rpm Python module in test_symlinks.py to get rpm version.
  • Add check_results() to test/baseclass.py
  • Install 'setup' in the Docker test image
  • Add mock(1) in the Docker test environment.
  • Add sssd-client to the Docker test environment
  • Fix problem constructing package download URLs in librpminspect.
  • Add a new disttag test case to cover tab field separators.
  • Add more example data to test_disttag.py to cover recent bug reports.
  • Add manually-invoked regression testing scripts.
  • Support a positional parameter on 'make check' to run part of test suite.
  • Fix build_module() in test_kmod.py

Misc:

  • Use this project's user.name and user.email for Koji builds
  • Update README
  • rpminspect.conf -> rpminspect.yaml in rpminspect.spec.in
  • Set default JVM byte code version to 43 in rpminspect.yaml
  • Update the local test instructions to run individual test scripts.
  • Small update to the MISSING file.
  • Search correct files for POTFILES additions.
  • Update POTFILES and rpminspect.pot template
  • BR libmandoc-devel >= 1.14.5
  • BR libmandoc-devel without specific version for EPEL-7 and F-30
  • Create TARGET_ARG to get optional target arguments.
  • Change *-dtds packages from Requires to Suggests for el8 and fedora.
  • 'sort | uniq' -> 'sort -u'
  • Rename 'make release' to 'make new-release'; add 'make release'

rpminspect-0.13

18 May 20:25

Some new inspections, bug fixes for existing inspections, and general improvements. Test cases continue to expand. Many thanks to those who have contributed test cases and bug reports that help make test cases.

The LTO inspection is tied to the https://fedoraproject.org/wiki/LTOByDefault change in Fedora. The inspection reports any ELF relocatables that sneak through with LTO bytecode. LTO bytecode is not portable across gcc releases, so we should not ship ELF .o files with that attached.

The symlinks inspection checks for dangling symlinks and warns of circular links and other conditions that present problems in RPM packages.

This release took a little longer to get out because the Koji API had some changes. The module_build_service_id key in the Koji XML-RPC response changed from a string to an integer. This also uncovered some problems in rpminspect with how download URLs are constructed. All of that has been fixed now in rpminspect.

Lastly, the result reporting structure in librpminspect has changed in an effort to support more varied output types in the future.

New inspections:

  • Add 'LTO' inspection to librpminspect (#129)

  • Add the 'symlinks' inspection to librpminspect (#133)

  • Add a new faux-result to the results output for 'rpminspect'. Not really an inspection, but this is useful for debugging and bug reporting because it is easy to see how rpminspect was invoked.

Bug fixes:

  • Fix some errors when running with libiniparser 3.1
  • Only set CURLOPT_TCP_FASTOPEN if we have it available
  • Make sure the changelog inspection runs with before/after pairs (#130)
  • Ignore debuginfo and debugsource packages in the kmod inspection
  • Skip the kmod inspection if there is no peer_file (#131)
  • Handle kernel modules that move paths between builds (#131)
  • First part of reworking the add_result() API
  • Add init_result_params() to reset the struct result_params structures
  • Remove MPARSE_MAN to let libmandoc autodetect the type (#132)
  • Revise list_to_string() to support optional delimiter
  • Add get_elf_section_names() to librpminspect
  • Do not strdup() header and remedy in add_result_entry()
  • Store package extract root in rpmpeer_entry_t for each package
  • Add strtype() to librpminspect to return string indicating file type
  • Simplify the license inspection routine (#138)
  • Add get_elf_machine() to readelf.c (#139)
  • Elf64_Half -> GElf_Half in dt_needed_driver()
  • Skip eBPF ELF objects in the 'elf' inspection (#139)
  • Stop appending a newline to string in strappend()
  • Collect all results from getLatestBuild Koji XML-RPC call (#137)
  • Return EM_NONE in get_elf_machine()
  • In download_build(), fix how srcfmt is set
  • Fix some memory errors associated with the results and parameters
  • Use params.msg for reporting in check_bin_rpm_changelog()
  • Make sure only RPM files are passed to get_rpm_info()
  • get_rpm_info() and add_peer() have void returns
  • When public headers change in 'changedfiles', do not free param.details
  • Check if eptr->data is NULL in find_one_peer (#142)
  • Define EM_BPF if elf.h lacks it (impacts EPEL-7 builds)
  • Skip 'upstream' inspection if no source packages are provided
  • Simplify how the versions are collected in inspect_upstream()

Test cases:

  • Expand the template rpminspect.conf file for the test suite
  • Handle 'localhost.localdomain' FQDN in the test suite base classes
  • Rework the test_manpage.py tests to work with rpm >= 4.11.x
  • Test cases for kernel modules changing paths between builds (#131)
  • Add 'LTO' inspection test cases (#129)
  • Add tests for the 'symlinks' inspection to the test suite
  • Add test cases for the 'ownership' inspection
  • Add test cases for the 'upstream' inspection

Misc:

  • Remove the GitHub Release page stuff from utils/release.sh
  • Drop meson_version from meson.build
  • Change meson.build to require xmlrpc-c >= 1.32.5
  • BuildRequires xmlrpc-c >= 1.32.5 and iniparser >= 3.1
  • Modify the Makefile so it works with 'ninja' or 'ninja-build'
  • Rename the tests/ subdirectory to test/
  • Split meson.build out into different meson.build files
  • Move builds.c to lib/, remove builds.h from src/
  • Move rpminspect.conf to data/, expand data/meson.build
  • Fix the --version output to remove '@' wrapping the version number
  • Remove diff.3, the code is gone from lib/
  • Begin doc/Doxyfile for API documentation
  • Add Doxygen documentation for badwords.c, builds.c, and checksums.c
  • Add Doxygen documentation to four C files, update others
  • Support [lto] section with lto_symbol_name_prefixes in rpminspect.conf
  • Add explicit librpminspect Requires to the main package
  • Update translation template

rpminspect-0.12

21 Apr 19:38

A lot of changes since 0.11. The main focus of this release is more test cases. A lot of test cases have been contributed or expanded.

Many fixes around the %changelog inspection and license tag inspection. There was a failed attempt moving librpminspect to libdiff code from BSD, but that just wasn't working out. librpminspect will continue using diff(1) for now.

As always, please report issues to this GitHub project. Pull requests welcome for review!

rpminspect-0.11

14 Feb 19:30

The first new release of 2020! It has been several months now, so I thought it was time to make a new release. There are a lot of bug fixes in this release. There are always bug fixes, but since rpminspect is getting regular testing with Fedora builds it is helping uncover a lot of bugs and getting them fixed up.

Things of note:

  • Caches. librpminspect will cache file MIME types, RPM headers, and file checksums. These are used throughout the library and it makes sense to save the values for later use. The result is faster execution time and lower memory usage.

  • The 'annocheck' inspection is now present. This runs annocheck on ELF objects. You can define different annocheck tests to run in rpminspect.conf in the [annocheck] section. The left of the equal sign is the name of the annocheck test you're defining and the right of the equal sign are the arguments to the annocheck program.

  • Add the 'filesize' inspection to report file size increases or decreases between builds.

  • Add the 'permissions' inspection to report stat(2) changes between builds. The stat-whitelist per product release is checked to see if anything is allowed to be setgid or setuid. If those settings are found but it's not whitelisted, report a security review result.

  • rpminspect.conf has a [specname] section to help guide the 'specname' inspection which is useful for projects like SCL which do some package name modifications on top of what the actual spec file is named.

  • Add the 'DT_NEEDED' inspection to compare the DT_NEEDED entries in dynamic ELF executables and shared libraries between before and after builds.

  • Use the Freedesktop.org icon lookup routine for the 'desktop' inspection when validating desktop entry files.

  • Use libcap rather than libcap-ng in the inspections that do things with POSIX capabilities.

  • Add the 'capabilities' inspection to report capabilities(7) changes between builds. Checks findings against the capabilities whitelist for the product release. Anything found that is not whitelisted will report a security review result.

  • Add the 'kmod' inspection to check for new or removed kernel module parameters. For builds with the same version, report lost module parameters as VERIFY. For builds with different versions, report lost module parameters as INFO. Always report added module parameters as INFO.

  • Shorten the output of 'rpminspect -l'. To get the long descriptions, pass -v with -l.

  • Properly distinguish between built noarch packages and source packages.

  • Change the result severity in the 'upstream' inspection based on package versions. If the builds are the same version, the severity is VERIFY if sources change. If the builds are different versions, that change is expected.

  • Handle s390 and s390x ELF objects in the 'elf' inspection.

  • Handle ENOENT failures in realpath() when unpacking archives.

  • Implement runtime profiles. These are like rpminspect.conf files that are loaded after rpminspect.conf and can further override settings. Profiles are selected with the -p option. Any section in rpminspect.conf except [common] is valid in a profile. Profiles are files of the format /etc/rpminspect/profiles/NAME.conf where NAME is what you pass to the -p option.

  • Handle symlinks correctly when copying build trees.

  • Fix Koji scratch build handling in librpminspect. There may be instances where the XMLRPC API gives nil return values.

  • Plus much more. See the RPM changelog or git commit history for more details.

Be sure to also get the latest rpminspect-data package for your product. rpminspect-data-fedora is the one for Fedora Linux. The rpminspect.conf continues to evolve and change.

rpminspect-0.10

09 Dec 19:50

There are a lot of bug fixes and some new features in this release.

Features:

  • Support an optional [products] section that defines a product release string and a regular expression to match it against. The idea here is that dist tags may vary a bit within one product. You might have .fc31, .fc31_server, and .fc31_laptop (all examples). All of these should be 'fc31'. You can define a regular expression to match all of those and call the product release string 'fc31'.

  • Support SRPM files that have no Source entries.

  • Handle sub packages with different version numbers from the main package.

  • Add support for Koji tasks. rpminspect can download Koji builds using a build identifier. Now rpminspect can download Koji tasks given a task ID number. This allows rpminspect to use scratch builds.
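
An added example, not rpminspect's code, of the [products] matching described above, using POSIX extended regular expressions. The table layout, the patterns and the function name are assumptions; the patterns are anchored so that a Release ending in '.fc310' is not taken for 'fc31'.

```c
#include <regex.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed mapping in the spirit of a [products] section:
 * product release string -> regex tried against the RPM Release field. */
struct product {
    const char *release;
    const char *pattern;
};

static const struct product PRODUCTS[] = {
    { "fc31", "\\.fc31(_[a-z]+)?$" },
    { "fc32", "\\.fc32(_[a-z]+)?$" },
};

/* Return the product release string for an RPM Release value such as
 * "2.fc31_server", or NULL when no pattern matches. First match wins. */
const char *product_release(const char *release)
{
    const char *found = NULL;

    for (size_t i = 0; i < sizeof(PRODUCTS) / sizeof(PRODUCTS[0]) && !found; i++) {
        regex_t re;

        /* a pattern that fails to compile is skipped, never treated as a match */
        if (regcomp(&re, PRODUCTS[i].pattern, REG_EXTENDED | REG_NOSUB) != 0)
            continue;
        if (regexec(&re, release, 0, NULL, 0) == 0)
            found = PRODUCTS[i].release;
        regfree(&re);
    }
    return found;
}

int main(void)
{
    /* constructed Release value with a product-variant dist tag */
    printf("%s\n", product_release("2.fc31_server"));
    return 0;
}
```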

Bug fixes are numerous. The full details are in the RPM changelog or the git log.

rpminspect-0.9

14 Nov 19:34

This is primarily a bug fix and stabilization release. I have continued on the integration test suite and fixed a lot of bugs as well as bugs reported by users.

Bug fixes and other improvements:

  • Fix forbidden_path_prefixes check in the addedfiles inspection (#59)
  • Do not output Waiver Authorization for RESULT_INFO results
  • Add get_nevra() to librpminspect to get RPMTAG_NEVRA
  • Improve forbidden_path_prefixes results reporting (#59)
  • Add missing free() to inspect_desktop.c
  • Use the GNU version of basename(3) and ensure we don't use the libgen version.
  • Adjust how and where rpmtdFree() is called
  • Call rpmFreeRpmrc() from main() before the program exits
  • Add some missing free() calls in run_cmd()
  • Use headerGetString() throughout librpminspect
  • Two hidden bugs in inspect_elf.c resolved via the integration suite
  • Fix a problem with peer detection when comparing single RPM files.
  • Use lstat(2) in copyfile() so symlinks are correctly handled

General code cleanup:

  • Simplify the is_valid_license() code that concatenates tokens
  • Use string_list_t ** for user_data in elf_archive_iterate()
  • Reformat a line in get_elf_section() to make it more readable.
  • Stop setting whichbuild in so many places in build.c
  • Add a HISTORY file explaining a bit about the history of rpminspect
  • All RESULT_OK results should be NOT_WAIVABLE
  • disttag inspection failures should be not waivable

Development/release related changes:

  • Use jq(1) to escape strings for JSON
  • If asset ID cannot be found, dump what github returned on stdout
  • Fix error in the 'make release' target
  • Add the git log to the release notification published to github
  • Simple Makefile to drive different parts of the build.

Test suite fixes and improvements:

  • Add losing -fPIC on 32-bit builds test in test_elf.py
  • Add test_elf.py test cases for DT_TEXTREL on 32-bit architectures
  • Add forbidden IPv6 function use tests to tests/test_elf.py
  • Add elf_ipv6_blacklist to the sample rpminspect.conf file
  • Add test_elf.py to the tests/ subdirectory
  • Expand integration test suite to support waiver auth checking
  • Add xml inspection integration tests.
  • Complete the tests/test_manpage.py integration tests