#1 [DO NOT MERGE] Update to 1.1.13
Closed 3 years ago by yselkowitz. Opened 5 years ago by hhorak.
rpms/hhorak/source-to-image update-1.1.13 into rawhide

file modified
+1
@@ -1,1 +1,2 @@ 

  /source-to-image-226afa1.tar.gz

+ /source-to-image-1.1.13.tar.gz
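Review bot: the stale entry `/source-to-image-226afa1.tar.gz` is left in place while the sources hunk in this PR drops that tarball; remove the old line so .gitignore and sources list the same single archive.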

file modified
+12 -7
@@ -29,22 +29,22 @@ 

  # https://github.com/openshift/source-to-image

  %global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}

  %global import_path     %{provider_prefix}

- %global commit          226afa1319c3498f47b974ec8ceb36526341a19c

+ %global commit          b54d75d3de92d123e68a79c6ee09c2c5fe44e720

  %global shortcommit     %(c=%{commit}; echo ${c:0:7})

  

  %global majorFromGit    1

- %global minorFromGit    0+

- %global versionFromGit  v1.0.9

+ %global minorFromGit    1+

+ %global versionFromGit  v1.1.13

  %global commitFromGit   %{commit}

  

  

  Name:           %{repo}

- Version:        1.1.7

- Release:        3%{?dist}

+ Version:        1.1.13

+ Release:        1%{?dist}

  Summary:        A tool for building artifacts from source and injecting into docker images

  License:        ASL 2.0

  URL:            https://%{provider_prefix}

- Source0:        https://%{provider_prefix}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz

+ Source0:        https://%{provider_prefix}/archive/%{commit}/%{repo}-%{version}.tar.gz

  

  # e.g. el6 has ppc64 arch without gcc-go, so EA tag is required

  ExclusiveArch:  %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 %{arm}}
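Review bot: the Source0 line now names the download `%{repo}-%{version}.tar.gz` but still fetches `archive/%{commit}/`; the trailing filename in a GitHub archive URL is cosmetic, the top-level directory inside the tarball is named after the ref, so this URL unpacks to `%{repo}-%{commit}`, not the `%{repo}-%{version}` that %prep now expects. Either point the URL at the tag, `https://%{provider_prefix}/archive/v%{version}/%{repo}-%{version}.tar.gz`, or keep the commit-named tarball together with `%setup -n %{repo}-%{commit}`, and then confirm with `spectool -g` that the fetched file matches the SHA512 recorded in sources.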
@@ -149,7 +149,7 @@ 

  %endif

  

  %prep

- %setup -q -n %{repo}-%{commit}

+ %setup -q -n %{repo}-%{version}

  

  %build

  mkdir -p src/github.com/openshift
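Review bot: `%setup -q -n %{repo}-%{version}` only matches a tarball whose top directory is `source-to-image-1.1.13`, i.e. one fetched by tag; check the uploaded archive with `tar tzf source-to-image-1.1.13.tar.gz | head -1` before relying on it, because an archive fetched through the commit-based Source0 URL unpacks to `source-to-image-<commit>` and %prep fails here.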
@@ -255,6 +255,11 @@ 

  %endif

  

  %changelog

+ * Thu Dec 13 2018 Honza Horak <hhorak@redhat.com> - 1.1.13-1

+ - Update to 1.1.13

+   Also fixes CVE-2018-1102

+   Resolves: #1590175

+ 

  * Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.7-3

  - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

  
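Review bot: the entry credits the bump with fixing CVE-2018-1102, but the fix only reaches users once this version actually builds, and the discussion below shows the Fedora build failing in %check for the 1.1.13 tarball; until that is resolved the changelog promises a security fix that is not shipped. Keep the CVE id next to the `Resolves: #1590175` line as done here, but hold the merge (as the title already says) until the koji build is green.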

file modified
+1 -1
@@ -1,1 +1,1 @@ 

- SHA512 (source-to-image-226afa1.tar.gz) = b1e7d05af5992cfcdd7886304c8d9f14b051d97e4721cda69279ce7508b958299231f0e0de30f6ecc84c0ea32592125c327dbbb5bbb85412aefb40588e6d021b

+ SHA512 (source-to-image-1.1.13.tar.gz) = d885f3e8ecb2d2e671461704ffde2b47d2ada9fb07f7cd0259242f1030768df4d7cd5d6a2963805938a139178f51ca5ed0875ac068e1873e6b648952de46dc0a
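Review bot: this checksum is only meaningful if it matches what Source0 downloads, and the spec's URL uses the commit ref while the file is named by version; re-fetch with `spectool -g` and compare `sha512sum` output against this line to be sure the lookaside upload and the URL describe the same archive. The .gitignore hunk also still lists the `226afa1` tarball that this hunk removes.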

Also fixes CVE-2018-1102
Resolves: #1590175

rebased onto 0659caf

5 years ago

@jcajka @jchaloup just wondering whether one of you would like to do a quick sanity check, as I'm not very confident in golang..

Hm, that's bad, while the build succeeds on rhel-7, it fails on fedora:
https://koji.fedoraproject.org/koji/taskinfo?taskID=31436941

...because on RHEL the tests are not run at all.

Don't count on RHEL 7 to be representative of anything.

It hasn't had an up-to-date golang compiler for a long time (until the latest point release, golang was frozen in a RHEL 7 stream), so it's been missing all the correctness fixes of recent compilers. Its go rpm macros are completely minimal and obsolete too, its Go package set is also obsolete and full of (probably security) bugs, etc.

That's what happens when RH forks Fedora, kills the EPEL link by refusing to update key packages, and then does not maintain the result for years.

So, basically, RHEL7 will let you get by with pretty much anything both Go code and Go packaging side, and help you produce broken software components.

And Fedora (rawhide) is not in a sterling state itself, it has months of fixes waiting for rh maintainers to review and merge, but it's still light years ahead of what RHEL7 has become for Go.

@nim read my previous note, please, the SPEC is written the way that %check is not run on RHEL at all. So you could have saved your comment, unless I missed some constructive point there.

I see now that the problem is not the golang version, but source-to-image version 1.1.13, which adds quite a lot of code into vendor/golang.org/x/sys/unix/.

@hhorak

Unit tests are the first thing that fails with a recent golang compiler that applies more correctness checks

And Fedora should have a not too obsolete golang/sys/unix that should remove the need to bundle (even though the google sys/unix code is still generated against the kernel headers of an obsolete ubuntu kernel with nothing in common with Fedora or RHEL7 kernels). The result has finally started trickling back in EL7 this fall now that the RHEL7 golang compiler lock has been removed.
https://koji.fedoraproject.org/koji/rpminfo?rpmID=15907050

So, the problems you are hitting are quite common and explained by what I wrote. But feel free to ignore me and rediscover it all yourself.

@nim ignorance was really not the intention, I appreciate your help, thanks. So now I should learn how to unbundle stuff from golang package I guess..

Assuming your upstream didn't bundle too old software versions, unbundling is just

  1. rm -fr vendor/packagename
  2. BuildRequires: golang(packagename)

If packagename is packaged in Fedora.

So, probably not all the stuff your package needs, since it uses parts of docker, and docker is the last thing that will be packaged sanely in Fedora, given how rotten its codebase is. But, you can probably shed many of the bundled deps, and use stuff that passed at least a few unit tests in koji.

If you feel ambitious you can package some of the missing deps, that's a good way to have their version tracked in rpm, and avoids finding too late upstream has been bundling CVE-riddled code (as long as someone bumps the Fedora packages regularly).

The compiler update, Fedora default golang compiler flags, and unbundling, tend to uncover bugs, first in unit tests, and (a bit less frequently) in the production code itself. Upstream unit testing is a lot weaker than the coverage stats people parade imply, since it tends to use a single compiler version, x86_64 only, with no hardening compiler flags, and frozen deps.

And I'd love to direct you to a clean recipe on how to do Go packages easily in Fedora, but while the latest fixes include full documentation, they won't be available until someone works on the cleanup plan. The sticking point is step 3, reviewing the fixes I wrote and prepared in the last months. Obviously, I cannot review myself.

The previous attempt, currently used by Fedora, was documented in the wiki but the implementation has drifted a bit since, and I stopped updating the page, since FPC told me it was the wrong way to document things.
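The two-step unbundling recipe above leaves out the part that usually bites: knowing which import paths under the vendored tree the code actually uses, since Fedora's `golang(...)` provides are per import path. The script below is an added example, not code from this PR or from the source-to-image project; it scans the non-vendored `.go` files for imports under a prefix (here `golang.org/x/sys`, the tree mentioned earlier in the thread), emits the matching BuildRequires lines, and removes the vendored copy. The sample source tree is constructed in a temp dir so the script runs offline.

```shell
# Added example (not from the PR or from source-to-image): unbundle one
# vendored Go dependency the way the comment above describes, but derive the
# BuildRequires list from the import paths the code really uses.

# Print the distinct import paths under prefix $2 used by .go files in tree $1,
# skipping vendor/ so the vendored copy's own imports are not counted.
used_imports() {
    tree=$1; prefix=$2
    find "$tree" -path "$tree/vendor" -prune -o -name '*.go' \
        -exec grep -h -o "\"$prefix[^\"]*\"" {} + | tr -d '"' | sort -u
}

# One BuildRequires line per used import path (Fedora's golang(<path>) provides).
buildrequires_for() {
    used_imports "$1" "$2" | sed 's/.*/BuildRequires:  golang(&)/'
}

# Step 1 of the recipe: drop the vendored copy, pruning now-empty parent dirs.
unbundle() {
    tree=$1; prefix=$2
    rm -rf "$tree/vendor/$prefix"
    d=$(dirname "$tree/vendor/$prefix")
    while [ "$d" != "$tree/vendor" ] && rmdir "$d" 2>/dev/null; do
        d=$(dirname "$d")
    done
}

# Constructed sample tree: two files importing golang.org/x/sys subpackages,
# a vendored copy of that package (with its own internal import, which must be
# ignored), and an unrelated vendored package that must survive.
TREE=$(mktemp -d)
mkdir -p "$TREE/pkg" "$TREE/vendor/golang.org/x/sys/unix" "$TREE/vendor/github.com/other/lib"
printf 'package pkg\nimport (\n\t"fmt"\n\t"golang.org/x/sys/unix"\n)\n' > "$TREE/pkg/a.go"
printf 'package pkg\nimport "golang.org/x/sys/windows"\n' > "$TREE/pkg/b.go"
printf 'package unix\nimport "golang.org/x/sys/internal"\n' > "$TREE/vendor/golang.org/x/sys/unix/x.go"
touch "$TREE/vendor/github.com/other/lib/lib.go"

# Step 2 of the recipe: the lines to paste into the spec, then remove the copy.
buildrequires_for "$TREE" golang.org/x/sys
unbundle "$TREE" golang.org/x/sys
```

Run it against a real checkout by pointing `TREE` at the unpacked source and dropping the constructed files; if `dnf repoquery --whatprovides 'golang(<path>)'` returns nothing for one of the emitted paths, that dependency is not yet packaged and must stay bundled or be packaged first.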

Pull-Request has been closed by yselkowitz

3 years ago