[Rpm-maint] [rpm-software-management/rpm] rpm 4.20.0 alpha fallout #2 : urpmi --no-verify is broken by rpm checking on its own (Issue #3142)

soig notifications at github.com
Tue Jun 4 09:15:46 UTC 2024


We are hitting issues on Mageia with 4.20.x.
The first issue is that signatures are being refused.

This one seems to be on Mageia:

> error: Verifying a signature using certificate 00EDB89585B012A8916F0DF8B742FA8B80420F66 (Mageia Packages <packages at mageia.org>):
>   1. Certificiate B742FA8B80420F66 invalid: certificate is not alive
>       because: The primary key is not live
>       because: Expired on 2012-03-13T12:10:11Z
>   2. Key B742FA8B80420F66 invalid: key is not alive
>       because: The primary key is not live
>       because: Expired on 2012-03-13T12:10:11Z

However, this breaks "urpmi --no-verify", which used to behave like rpm --noverify.
But now only rpm --nosignature can bypass this check, whereas rpm --no-verify used to do the same, which looks like a regression?

Previously, we used to check pkgs in urpmi but it looks like rpm does it on its own now too:
http://gitweb.mageia.org/software/rpm/urpmi/tree/urpm/main_loop.pm#n527
Which calls:
http://gitweb.mageia.org/software/rpm/urpmi/tree/urpm/main_loop.pm#n129
Which calls:
http://gitweb.mageia.org/software/rpm/urpmi/tree/urpm/signature.pm#n40
Which calls:
http://gitweb.mageia.org/software/rpm/perl-URPM/tree/URPM.xs#n3306
Which calls rpmReadPackageFile()

See attached logs showing urpmi output with both rpm-4.19 & 4.20.
For me, there are 2 issues:
- rpmlib < 4.20 not doing some checks
- rpmlib redoing the checks performed by urpmi, and thus breaking urpmi when the user already says "yes, let's continue" after urpmi warned him/her
- same problem when using --no-verify, which is the same as the user answering "y" above

Do we have to set RPMPROB_FILTER_VERIFY when calling rpmtsRun()?
Would it impact urpmi running on older rpm versions (aka no more checks there)?
Or should we kill that check (but then no more informative error in GUI)?

Note that all those upstream patches have been backported:
0001-Ensure-noarch-packages-don-t-get-debuginfo.patch
0001-Fix-noprep-regression-from-introducing-mkbuilddir.patch
0002-Drop-an-accidentally-added-duplicated-test.patch
0003-Make-build-in-place-much-less-of-a-hack-and-also-wor.patch
0001-Fix-incomplete-header-on-plain-src.rpm-build-modes-r.patch
0001-Hammer-in-no-debuginfo-for-noarch-packages-damn-it-r.patch
0001-Fix-regression-on-subpackage-debuginfo-RPMTAG_SOURCE.patch
0001-Fix-a-buildroot-regression-on-an-early-__spec_instal.patch

See you

[LOG.urpmi-rpm-4.19.txt](https://github.com/user-attachments/files/15545757/LOG.urpmi-rpm-4.19.txt)
[LOG.urpmi-rpm-4.20.txt](https://github.com/user-attachments/files/15545758/LOG.urpmi-rpm-4.20.txt)

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3142