[Rpm-maint] [rpm-software-management/rpm] [RFC] rpmbuild, check: verify file hashes (PR #3039)
norbert manthey
notifications at github.com
Mon Apr 15 15:17:14 UTC 2024
```
During the %check target, no files that existed before are expected to be modified. This change adds a validation to the rpmbuild command, which will store file hashes and compare them again after compilation.
Note: this is only a simple demonstrator that cannot handle large projects, and it is using a very simple hash function.
```
### Note
This is a demonstrator to steer discussions. A fully functional variant would likely use a dynamic container to store the hashes, handle errors better, and use a more sophisticated hash function.
We are aware that there are ways around this validation and still modify build files from the %check phase.
This is one way to implement the requirement to have an immutable build root during rpmbuild's %check phase, as described in https://github.com/rpm-software-management/rpm/issues/3010
### Testing Done
I compiled the xz-utils package of Amazon Linux 2 in an Amazon Linux 2 container image with this change. We also tested a malicious RPM that modified its build files during `%check`.
You can view, comment on, or merge this pull request online at:
https://github.com/rpm-software-management/rpm/pull/3039
-- Commit Summary --
* rpmbuild,check: verify file hashes
-- File Changes --
M build/build.c (130)
-- Patch Links --
https://github.com/rpm-software-management/rpm/pull/3039.patch
https://github.com/rpm-software-management/rpm/pull/3039.diff
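A stand-alone illustration of the before/after comparison the PR describes, written for this page and not taken from PR #3039 or build/build.c: every regular file under a build root is recorded (path, size, content hash) in a dynamic array before the phase runs, recorded again afterwards, and the two sorted snapshots are merge-compared to report modified, added and removed files. The walk uses nftw(3) without following symlinks; the hash is FNV-1a, a non-cryptographic placeholder standing in for a real digest; the temporary build root, the two source files and the tampering "%check" step are all constructed for the demo. The names snapshot_take, snapshot_compare and run_demo are this example's own, not rpm's.

```c
/* Added example (not rpm code): detect build-root changes across a phase. */
#define _XOPEN_SOURCE 700
#include <ftw.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

typedef struct { char *path; off_t size; uint64_t hash; } entry_t;
typedef struct { entry_t *items; size_t len, cap; } snapshot_t; /* growable array */

static snapshot_t *g_snap; /* nftw() passes no user pointer, hence a static */

/* FNV-1a 64-bit over the file contents: a placeholder, not a cryptographic digest. */
static int hash_file(const char *path, uint64_t *out)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    uint64_t h = 1469598103934665603ULL;        /* offset basis */
    unsigned char buf[4096];
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, f)) > 0)
        for (size_t i = 0; i < n; i++) { h ^= buf[i]; h *= 1099511628211ULL; }
    fclose(f);
    *out = h;
    return 0;
}

static int record_cb(const char *path, const struct stat *sb, int type, struct FTW *fb)
{
    (void)fb;
    if (type != FTW_F) return 0;                 /* only regular files are tracked */
    snapshot_t *s = g_snap;
    if (s->len == s->cap) {
        size_t ncap = s->cap ? s->cap * 2 : 64;
        entry_t *grown = realloc(s->items, ncap * sizeof *grown);
        if (!grown) return -1;
        s->items = grown; s->cap = ncap;
    }
    entry_t *e = &s->items[s->len];
    e->path = strdup(path);
    e->size = sb->st_size;
    if (!e->path || hash_file(path, &e->hash) != 0) { free(e->path); return -1; }
    s->len++;
    return 0;
}

static int cmp_entry(const void *a, const void *b)
{ return strcmp(((const entry_t *)a)->path, ((const entry_t *)b)->path); }

void snapshot_free(snapshot_t *s)
{
    if (!s) return;
    for (size_t i = 0; i < s->len; i++) free(s->items[i].path);
    free(s->items); free(s);
}

/* Walk root (not following symlinks) and return a path-sorted snapshot, or NULL. */
snapshot_t *snapshot_take(const char *root)
{
    snapshot_t *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    g_snap = s;
    if (nftw(root, record_cb, 16, FTW_PHYS) != 0) { snapshot_free(s); return NULL; }
    qsort(s->items, s->len, sizeof *s->items, cmp_entry);
    return s;
}

/* Merge two sorted snapshots; report and count modified/added/removed files. */
int snapshot_compare(const snapshot_t *before, const snapshot_t *after)
{
    size_t i = 0, j = 0; int findings = 0;
    while (i < before->len || j < after->len) {
        int c = i == before->len ? 1 : j == after->len ? -1
              : strcmp(before->items[i].path, after->items[j].path);
        if (c < 0)      { printf("removed:  %s\n", before->items[i++].path); findings++; }
        else if (c > 0) { printf("added:    %s\n", after->items[j++].path);  findings++; }
        else {
            const entry_t *b = &before->items[i++], *a = &after->items[j++];
            if (b->size != a->size || b->hash != a->hash) { printf("modified: %s\n", b->path); findings++; }
        }
    }
    return findings;
}

static int write_file(const char *path, const char *text)
{ FILE *f = fopen(path, "w"); if (!f) return -1; fputs(text, f); return fclose(f); }

/* Constructed scenario: two sources, then a "%check" that rewrites one (same
 * size, so only the hash catches it) and drops a new file. Returns findings. */
int run_demo(void)
{
    char root[] = "/tmp/buildroot.XXXXXX";
    if (!mkdtemp(root)) return -1;
    char a[300], b[300], c[300];
    snprintf(a, sizeof a, "%s/main.c", root);
    snprintf(b, sizeof b, "%s/Makefile", root);
    snprintf(c, sizeof c, "%s/injected.o", root);
    write_file(a, "int main(void){return 0;}\n");
    write_file(b, "all: main.c\n");
    snapshot_t *before = snapshot_take(root);
    write_file(a, "int main(void){return 1;}\n");   /* tampered, same length */
    write_file(c, "not really an object file\n");  /* new artifact */
    snapshot_t *after = snapshot_take(root);
    int findings = (before && after) ? snapshot_compare(before, after) : -1;
    snapshot_free(before); snapshot_free(after);
    unlink(a); unlink(b); unlink(c); rmdir(root);
    return findings;
}

int main(void)
{
    int n = run_demo();
    printf("%d file(s) changed during %%check\n", n);
    return n != 0;   /* non-zero exit: the build root was not immutable */
}
```

Comparing size as well as hash is cheap insurance against a weak hash; recording mtime would add a third signal, but a tamperer can reset it, so the content hash remains the check that matters. As the PR note says, a real implementation would swap the placeholder hash for a proper digest and would also have to consider symlinks, permissions and files created outside the tracked tree.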