Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Please unblock package rpm
Honestly I'm not sure the reason is good enough, but I'm leaving the
decision to you.
It fixes a confusing interaction between rpmsign and gpg2: rpmsign asks for
a passphrase which is then not used at all. See #858998 (normal severity) for
more details.
It was fixed by backporting the upstream patch (while removing the API
changes it introduced upstream); the debdiff is attached.
unblock rpm/4.12.0.2+dfsg1-2
- -- System Information:
Debian Release: 9.0
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=cs_CZ.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
-----BEGIN PGP SIGNATURE-----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=4vJS
-----END PGP SIGNATURE-----
diff -Nru rpm-4.12.0.2+dfsg1/debian/changelog rpm-4.12.0.2+dfsg1/debian/changelog
--- rpm-4.12.0.2+dfsg1/debian/changelog 2016-11-10 14:02:04.000000000 +0100
+++ rpm-4.12.0.2+dfsg1/debian/changelog 2017-03-29 15:24:58.000000000 +0200
@@ -1,3 +1,10 @@
+rpm (4.12.0.2+dfsg1-2) unstable; urgency=medium
+
+ * Adjust debian/watch to new upstream website.
+ * Add patch to improve rpmsign behavior with gpgp2 (Closes: #858998).
+
+ -- Michal Čihař <nijel@debian.org> Wed, 29 Mar 2017 15:24:58 +0200
+
rpm (4.12.0.2+dfsg1-1) unstable; urgency=medium
* New upstream release.
diff -Nru rpm-4.12.0.2+dfsg1/debian/patches/series rpm-4.12.0.2+dfsg1/debian/patches/series
--- rpm-4.12.0.2+dfsg1/debian/patches/series 2016-11-10 14:02:04.000000000 +0100
+++ rpm-4.12.0.2+dfsg1/debian/patches/series 2017-03-29 15:05:43.000000000 +0200
@@ -13,3 +13,4 @@
fix-python-multiarch-include.patch
rpm-4.11.2-double-separator-warning.patch
fix-preun-scriptlet-failing-behaviour.patch
+0bce5fcf270711a2e077fba0fb7c5979ea007eb5.patch
diff -Nru rpm-4.12.0.2+dfsg1/debian/patches/0bce5fcf270711a2e077fba0fb7c5979ea007eb5.patch rpm-4.12.0.2+dfsg1/debian/patches/0bce5fcf270711a2e077fba0fb7c5979ea007eb5.patch
--- rpm-4.12.0.2+dfsg1/debian/patches/0bce5fcf270711a2e077fba0fb7c5979ea007eb5.patch 1970-01-01 01:00:00.000000000 +0100
+++ rpm-4.12.0.2+dfsg1/debian/patches/0bce5fcf270711a2e077fba0fb7c5979ea007eb5.patch 2017-03-29 15:17:39.000000000 +0200
@@ -0,0 +1,334 @@
+From 0bce5fcf270711a2e077fba0fb7c5979ea007eb5 Mon Sep 17 00:00:00 2001
+From: Lubos Kardos <lkardos@redhat.com>
+Date: Tue, 9 Jun 2015 18:06:29 +0200
+Subject: [PATCH] Allow gpg to get passphrase by itself.
+
+Remove rpm asking for passphrase and then passing this passphrase
+to gpg via file descriptor (--passphrase-fd) but provide gpg with
+access to unredirected stdin to get passphrase directly from user.
+
+Remove also macro %__gpg_check_password_cmd because in this new signing
+scheme has no sense. rpm doesn't handle passphrase in any way,
+everything is done in gpg including checking of passphrase.
+
+We did this modification because of changes in gpg behavior. Since
+gpg-2.1 option "--passphrase-fd" doesn't work by default, only when
+it is explicitly allowed in gpg.conf. (rhbz:#1228234)
+---
+ macros.in | 4 +--
+ python/rpmsmodule.c | 9 +++---
+ rpmsign.c | 82 +++--------------------------------------------------
+ sign/rpmgensig.c | 67 +++++++++----------------------------------
+ sign/rpmsign.h | 3 +-
+ 5 files changed, 23 insertions(+), 142 deletions(-)
+
+--- a/macros.in
++++ b/macros.in
+@@ -531,11 +531,9 @@
+ # Macro(s) to hold the arguments passed to GPG/PGP for package
+ # signing and verification.
+ #
+-%__gpg_check_password_cmd %{__gpg} \
+- gpg --batch --no-verbose --passphrase-fd 3 -u "%{_gpg_name}" -so -
+
+ %__gpg_sign_cmd %{__gpg} \
+- gpg --batch --no-verbose --no-armor --passphrase-fd 3 \
++ gpg --no-verbose --no-armor \
+ %{?_gpg_digest_algo:--digest-algo %{_gpg_digest_algo}} \
+ --no-secmem-warning \
+ -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}
+--- a/rpmsign.c
++++ b/rpmsign.c
+@@ -41,72 +41,6 @@
+ POPT_TABLEEND
+ };
+
+-static int checkPassPhrase(const char * passPhrase)
+-{
+- int passPhrasePipe[2];
+- int pid, status;
+- int rc = -1;
+- int xx;
+-
+- if (passPhrase == NULL)
+- return -1;
+-
+- passPhrasePipe[0] = passPhrasePipe[1] = 0;
+- if (pipe(passPhrasePipe))
+- return -1;
+-
+- pid = fork();
+- if (pid < 0) {
+- close(passPhrasePipe[0]);
+- close(passPhrasePipe[1]);
+- return -1;
+- }
+-
+- if (pid == 0) {
+- char * cmd, * gpg_path;
+- char *const *av;
+- int fdno;
+-
+- close(STDIN_FILENO);
+- close(STDOUT_FILENO);
+- close(passPhrasePipe[1]);
+- if ((fdno = open("/dev/null", O_RDONLY)) != STDIN_FILENO) {
+- xx = dup2(fdno, STDIN_FILENO);
+- close(fdno);
+- }
+- if ((fdno = open("/dev/null", O_WRONLY)) != STDOUT_FILENO) {
+- xx = dup2(fdno, STDOUT_FILENO);
+- close(fdno);
+- }
+- xx = dup2(passPhrasePipe[0], 3);
+-
+- unsetenv("MALLOC_CHECK_");
+- gpg_path = rpmExpand("%{?_gpg_path}", NULL);
+-
+- if (!rstreq(gpg_path, ""))
+- setenv("GNUPGHOME", gpg_path, 1);
+-
+- cmd = rpmExpand("%{?__gpg_check_password_cmd}", NULL);
+- rc = poptParseArgvString(cmd, NULL, (const char ***)&av);
+- if (xx >= 0 && rc == 0) {
+- rc = execve(av[0], av+1, environ);
+- fprintf(stderr, _("Could not exec %s: %s\n"), "gpg",
+- strerror(errno));
+- }
+- _exit(EXIT_FAILURE);
+- }
+-
+- close(passPhrasePipe[0]);
+- xx = write(passPhrasePipe[1], passPhrase, strlen(passPhrase));
+- xx = write(passPhrasePipe[1], "\n", 1);
+- close(passPhrasePipe[1]);
+-
+- if (xx >= 0 && waitpid(pid, &status, 0) >= 0)
+- rc = (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : 1;
+-
+- return rc;
+-}
+-
+ /* TODO: permit overriding macro setup on the command line */
+ static int doSign(poptContext optCon)
+ {
+@@ -119,18 +53,10 @@
+ goto exit;
+ }
+
+- /* XXX FIXME: eliminate obsolete getpass() usage */
+- passPhrase = getpass(_("Enter pass phrase: "));
+- passPhrase = (passPhrase != NULL) ? rstrdup(passPhrase) : NULL;
+- if (checkPassPhrase(passPhrase) == 0) {
+- const char *arg;
+- fprintf(stderr, _("Pass phrase is good.\n"));
+- rc = 0;
+- while ((arg = poptGetArg(optCon)) != NULL) {
+- rc += rpmPkgSign(arg, NULL, passPhrase);
+- }
+- } else {
+- fprintf(stderr, _("Pass phrase check failed or gpg key expired\n"));
++ const char *arg;
++ rc = 0;
++ while ((arg = poptGetArg(optCon)) != NULL) {
++ rc += rpmPkgSign(arg, NULL, NULL);
+ }
+
+ exit:
+--- a/sign/rpmgensig.c
++++ b/sign/rpmgensig.c
+@@ -128,7 +128,7 @@
+
+ /*
+ * Validate generated signature and insert to header if it looks sane.
+- * NSS doesn't support everything GPG does. Basic tests to see if the
++ * NSS doesn't support everything GPG does. Basic tests to see if the
+ * generated signature is something we can use.
+ * Return 0 on success, 1 on failure.
+ */
+@@ -182,10 +182,9 @@
+ return rc;
+ }
+
+-static int runGPG(sigTarget sigt, const char *sigfile, const char * passPhrase)
++static int runGPG(sigTarget sigt, const char *sigfile)
+ {
+ int pid = 0, status;
+- int inpipe[2];
+ int inpipe2[2];
+ FILE * fpipe = NULL;
+ unsigned char buf[BUFSIZ];
+@@ -194,12 +193,6 @@
+ rpm_loff_t size;
+ int rc = 1; /* assume failure */
+
+- inpipe[0] = inpipe[1] = 0;
+- if (pipe(inpipe) < 0) {
+- rpmlog(RPMLOG_ERR, _("Couldn't create pipe for signing: %m"));
+- goto exit;
+- }
+-
+ inpipe2[0] = inpipe2[1] = 0;
+ if (pipe(inpipe2) < 0) {
+ rpmlog(RPMLOG_ERR, _("Couldn't create pipe for signing: %m"));
+@@ -214,9 +207,6 @@
+ char *cmd = NULL;
+ const char *gpg_path = rpmExpand("%{?_gpg_path}", NULL);
+
+- (void) dup2(inpipe[0], 3);
+- (void) close(inpipe[1]);
+-
+ (void) dup2(inpipe2[0], STDIN_FILENO);
+ (void) close(inpipe2[1]);
+
+@@ -238,25 +228,9 @@
+ delMacro(NULL, "__plaintext_filename");
+ delMacro(NULL, "__signature_filename");
+
+- (void) close(inpipe[0]);
+- inpipe[0] = 0;
+ (void) close(inpipe2[0]);
+ inpipe2[0] = 0;
+
+- fpipe = fdopen(inpipe[1], "w");
+- if (!fpipe) {
+- rpmlog(RPMLOG_ERR, _("fdopen failed\n"));
+- goto exit;
+- }
+- inpipe[1] = 0;
+-
+- if (fprintf(fpipe, "%s\n", (passPhrase ? passPhrase : "")) < 0) {
+- rpmlog(RPMLOG_ERR, _("Could not write to pipe\n"));
+- goto exit;
+- }
+- (void) fclose(fpipe);
+- fpipe = NULL;
+-
+ fpipe = fdopen(inpipe2[1], "w");
+ if (!fpipe) {
+ rpmlog(RPMLOG_ERR, _("fdopen failed\n"));
+@@ -298,20 +272,12 @@
+ }
+
+ exit:
+- if (fpipe)
+- fclose(fpipe);
+-
+- if (inpipe[0])
+- close(inpipe[0]);
+-
+- if (inpipe[1])
+- close(inpipe[1]);
+
+ if (inpipe2[0])
+- close(inpipe[0]);
++ close(inpipe2[0]);
+
+ if (inpipe2[1])
+- close(inpipe[1]);
++ close(inpipe2[1]);
+
+ if (pid)
+ waitpid(pid, &status, 0);
+@@ -328,8 +294,7 @@
+ * @param passPhrase private key pass phrase
+ * @return 0 on success, 1 on failure
+ */
+-static int makeGPGSignature(Header sigh, int ishdr, sigTarget sigt,
+- const char * passPhrase)
++static int makeGPGSignature(Header sigh, int ishdr, sigTarget sigt)
+ {
+ char * sigfile = rstrscat(NULL, sigt->fileName, ".sig", NULL);
+ struct stat st;
+@@ -337,7 +302,7 @@
+ size_t pktlen = 0;
+ int rc = 1; /* assume failure */
+
+- if (runGPG(sigt, sigfile, passPhrase))
++ if (runGPG(sigt, sigfile))
+ goto exit;
+
+ if (stat(sigfile, &st)) {
+@@ -376,16 +341,15 @@
+ return rc;
+ }
+
+-static int rpmGenSignature(Header sigh, sigTarget sigt1, sigTarget sigt2,
+- const char * passPhrase)
++static int rpmGenSignature(Header sigh, sigTarget sigt1, sigTarget sigt2)
+ {
+ int ret;
+
+- ret = makeGPGSignature(sigh, 0, sigt1, passPhrase);
++ ret = makeGPGSignature(sigh, 0, sigt1);
+ if (ret)
+ goto exit;
+
+- ret = makeGPGSignature(sigh, 1, sigt2, passPhrase);
++ ret = makeGPGSignature(sigh, 1, sigt2);
+ if (ret)
+ goto exit;
+ exit:
+@@ -431,21 +395,20 @@
+ return (rc == 0);
+ }
+
+-static int replaceSignature(Header sigh, sigTarget sigt1, sigTarget sigt2,
+- const char *passPhrase)
++static int replaceSignature(Header sigh, sigTarget sigt1, sigTarget sigt2)
+ {
+ /* Grab a copy of the header so we can compare the result */
+ Header oldsigh = headerCopy(sigh);
+ int rc = -1;
+-
++
+ /* Nuke all signature tags */
+ deleteSigs(sigh);
+
+ /*
+- * rpmGenSignature() internals parse the actual signing result and
++ * rpmGenSignature() internals parse the actual signing result and
+ * adds appropriate tags for DSA/RSA.
+ */
+- if (rpmGenSignature(sigh, sigt1, sigt2, passPhrase) == 0) {
++ if (rpmGenSignature(sigh, sigt1, sigt2) == 0) {
+ /* Lets see what we got and whether its the same signature as before */
+ rpmTagVal sigtag = headerIsEntry(sigh, RPMSIGTAG_DSA) ?
+ RPMSIGTAG_DSA : RPMSIGTAG_RSA;
+@@ -462,10 +425,9 @@
+ * Create/modify elements in signature header.
+ * @param rpm path to package
+ * @param deleting adding or deleting signature?
+- * @param passPhrase passPhrase (ignored when deleting)
+ * @return 0 on success, -1 on error
+ */
+-static int rpmSign(const char *rpm, int deleting, const char *passPhrase)
++static int rpmSign(const char *rpm, int deleting)
+ {
+ FD_t fd = NULL;
+ FD_t ofd = NULL;
+@@ -550,7 +512,7 @@
+ sigt2 = sigt1;
+ sigt2.size = headerSizeof(h, HEADER_MAGIC_YES);
+
+- res = replaceSignature(sigh, &sigt1, &sigt2, passPhrase);
++ res = replaceSignature(sigh, &sigt1, &sigt2);
+ if (res != 0) {
+ if (res == 1) {
+ rpmlog(RPMLOG_WARNING,
+@@ -684,7 +646,7 @@
+ }
+ }
+
+- rc = rpmSign(path, 0, passPhrase);
++ rc = rpmSign(path, 0);
+
+ if (args) {
+ if (args->hashalgo) {
+@@ -700,5 +662,5 @@
+
+ int rpmPkgDelSign(const char *path)
+ {
+- return rpmSign(path, 1, NULL);
++ return rpmSign(path, 1);
+ }
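Review bot: The `exit:` label in runGPG no longer closes `fpipe`: the removed `if (fpipe) fclose(fpipe);` covered both pipes, but `fpipe = fdopen(inpipe2[1], "w")` is still opened a few lines earlier in the same function, so any failure between that fdopen and the normal-path fclose (which is outside this hunk) now leaks the FILE, and because `waitpid(pid, &status, 0)` still runs at the end of the label, rpmsign can sit waiting on a gpg child that is itself waiting for EOF on its stdin; keep `if (fpipe) fclose(fpipe);` at the top of the label, ahead of the `inpipe2` closes. The commit message's claim that gpg gets "unredirected stdin" also does not match the surviving `(void) dup2(inpipe2[0], STDIN_FILENO);` in the child, where the data to sign still arrives on stdin, so the passphrase can only reach gpg through pinentry/gpg-agent now that `--batch` is dropped from `%__gpg_sign_cmd`; the macros.in comment above the macro should say that, and that unattended signing needs an agent-side arrangement rather than `--passphrase-fd`. The patch header's diffstat still lists python/rpmsmodule.c, sign/rpmsign.h and "5 files changed" although this backport touches only macros.in, rpmsign.c and sign/rpmgensig.c. The bodies of runGPG and doSign start and end outside the visible inner hunks.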
diff -Nru rpm-4.12.0.2+dfsg1/debian/watch rpm-4.12.0.2+dfsg1/debian/watch
--- rpm-4.12.0.2+dfsg1/debian/watch 2016-11-10 14:02:04.000000000 +0100
+++ rpm-4.12.0.2+dfsg1/debian/watch 2016-11-17 11:42:24.000000000 +0100
@@ -1,3 +1,4 @@
version=3
opts="repacksuffix=+dfsg1,dversionmangle=s/\+dfsg\d*$//" \
- http://rpm.org/releases/rpm-4.12.x/rpm-([\d\.]+).tar.bz2
+ http://rpm.org/download.html \
+ https://github.com/rpm-software-management/rpm/releases/download/rpm-[\d\.]+-release/rpm-([\d\.]+).tar.bz2
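Review bot: The new first watch line fetches the release index over plain http (`http://rpm.org/download.html`) while the tarball URL it leads to is https, and neither line carries a `pgpsigurlmangle` option, so uscan has no integrity check on what that index points it to. If rpm.org serves the page over https, `https://rpm.org/download.html` closes that gap cheaply; if upstream publishes detached signatures for the release tarballs, adding `pgpsigurlmangle` together with the upstream key in debian/upstream/signing-key.asc would let uscan verify the download, which I cannot confirm from the page.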