[PLUG] rpm-4.1 released

Eric Harrison eharrison at mail.mesd.k12.or.us
Wed Sep 18 16:55:50 UTC 2002


On Wed, 18 Sep 2002, Paul Heinlein wrote:

>Red Hat is trying to move past the "can't figure out which package 
>will satisfy my missing dependency" difficulties many have 
>experienced. If you're plagued by such things, maybe an update to rpm 
>4.1 (and the attendant rpmdb-redhat package) will help.
>
>--Paul Heinlein <heinlein at attbi.com>

I was chatting with Jeff Johnson a couple of weeks ago and he mentioned
that rpm 4.1 breaks up2date in RH7.x.

I just verified that it does indeed break up2date, in addition to breaking
dependencies for kdeadmin, gnorpm, and ucd-snmp (perhaps more).

Be sure to try rpm 4.1 on a test box first...

-Eric

>---------- Forwarded message ----------
>Date: Wed, 18 Sep 2002 11:48:52 -0400
>From: Jeff Johnson <jbj at redhat.com>
>Reply-To: rpm-list at redhat.com
>To: rpm-list at redhat.com
>Subject: rpm-4.1 released
>
>
>Rpm 4.1 is now available at
>
>        ftp://ftp.rpm.org/pub/rpm/dist/rpm-4.1.x
>
>The final part of the release (6x, 7x, etc) indicates the version
>of Red Hat Linux for which the package has been built. For example,
>the i386 packages for Red Hat 6.2 are
>        rpm-4.1-6x.i386.rpm
>        rpm-devel-4.1-6x.i386.rpm
>        rpm-build-4.1-6x.i386.rpm
>        rpm-python-4.1-6x.i386.rpm
>        popt-1.7-6x.i386.rpm
>
>This version is also available through anonymous cvs:
>        cvs -d :pserver:anonymous at cvs.rpm.org:/cvs/devel login
>        (no password, just carriage return)
>        cvs -d :pserver:anonymous at cvs.rpm.org:/cvs/devel get rpm
>        cd rpm
>        cvs up -r rpm-4_1-release
>You will need the versions of libtool, autoconf, and automake identified
>in autogen.sh if you wish to build from CVS.
>
>Please report any difficulties, problems, issues, feature requests, whatever at
>        http://bugzilla.redhat.com
>
>Here's a brief summary of features that have been added. See the
>CHANGES file in the src rpm for the gory details.
>
>1) Header signatures and digests, if available, are verified when (first)
>   retrieved from the rpm database.
>
>2) The rpm database permits concurrent access. That means that it is now
>   possible to run rpm in %post scriptlets.
>
>   Note: What still remains is to find out whether there are deadlocks
>   (there are), and whether the deadlocks can be avoided or otherwise
>   handled gracefully. I'd really like to support (at least read)
>   concurrent access to the rpm database, but it's gonna take a lot
>   of careful (i.e. reproducible) testing to achieve that goal. Any
>   and all help is appreciated. What's very promising is that the
>   problems are deadlocks, not segfaults, but reproducing deadlocks
>   is gonna be quite challenging.
>
>3) The rpmdb-redhat package (which contains an "everything" rpm database),
>   if installed, will be used to provide suggested solutions for unresolved
>   dependencies. Try installing the rpmdb-redhat package from Raw Hide if
>   interested.
>
>DSA/RSA signature verification using RFC-2440 OpenPGP V3
>packets is now implemented directly in rpm. The signature,
>if available, is always verified when reading a package, and failures
>are always reported.
>
>Signing is done with gpg/pgp helpers as always, and both a new,
>header-only, as well as the Good Old header+payload signature
>are generated. In fact, all of Red Hat 7.3 was signed with rpm-4.1,
>so both signatures should be present in 7.3 packages.
>
>What's also new is pubkey management using --import. Basically
>	rpm --import RPM-GPG-KEY
>(or any ascii armored OpenPGP pubkey) will wrap the binary OpenPGP
>packet in a header, and install just like any other package.
>
>Here's what you see if you have not yet imported the correct pubkey(s):
>
>bash$ sudo rpm -Uvh popt-1.7-7x.i386.rpm
>warning: popt-1.7-7x.i386.rpm: Header V3 DSA signature: NOKEY, key ID db42a60e
>...
>
>Here's what the Red Hat pubkeys look like when imported:
>==========================================================================
>bash$ rpm -qa | grep pubkey
>gpg-pubkey-0352860f-3c3cb5e4
>gpg-pubkey-db42a60e-37ea5438
>
>bash$ rpm -qi gpg-pubkey-db42a60e
>Name        : gpg-pubkey                   Relocations: (not relocateable)
>Version     : db42a60e                          Vendor: (none)
>Release     : 37ea5438                      Build Date: Sat 16 Mar 2002 10:47:53 AM EST
>Install date: Sat 16 Mar 2002 10:47:53 AM EST      Build Host: localhost
>Group       : Public Keys                   Source RPM: (none)
>Size        : 0                                License: pubkey
>Summary     : gpg(Red Hat, Inc <security at redhat.com>)
>Description :
>-----BEGIN PGP PUBLIC KEY BLOCK-----
>Version: rpm-4.1 (beecrypt-2.2.0)
>
>-----END PGP PUBLIC KEY BLOCK-----
>==========================================================================
>
>For the extremely security conscious and the overly curious, I note the
>following limitations:
>
>	1) there's no attempt (yet) to verify the signature on the
>	pubkey before verifying the package signature.
>
>	2) there's no attempt (yet) to implement any trust model using
>	OpenPGP packets. All imported keys in the rpm database are considered
>	trusted.
>
>	3) only V3 signatures are implemented ATM.
>
>If that's not to your taste, then you can export the signature from a
>package and verify using gpg outside of rpm. For example, here's a
>short script that verifies the traditional header+payload signatures of
>a package using gpg:
>
>==========================================================================
>#!/bin/sh
>
>for pkg in $*
>do
>    if [ "$pkg" = "" -o ! -e "$pkg" ]; then
>	echo "no package supplied" 1>&2
>	exit 1
>    fi
>
>    plaintext=`mktemp $0-$$.XXXXXX`
>    detached=`mktemp $0-$$.XXXXXX`
>
># --- Extract detached signature
>    rpm -qp -vv --qf '%{siggpg:armor}' $pkg > $detached
>
># --- Figger the offset of header+payload in the package
>    leadsize=96
>    o=`expr $leadsize + 8`
>
>    set `od -j $o -N 8 -t u1 $pkg`
>    il=`expr 256 \* \( 256 \* \( 256 \* $2 + $3 \) + $4 \) + $5`
>    dl=`expr 256 \* \( 256 \* \( 256 \* $6 + $7 \) + $8 \) + $9`
>
>    sigsize=`expr 8 + 16 \* $il + $dl`
>    o=`expr $o + $sigsize + \( 8 - \( $sigsize \% 8 \) \) \% 8`
>
># --- Extract header+payload
>    dd if=$pkg ibs=$o skip=1 2>/dev/null > $plaintext
>
># --- Verify DSA signature using gpg
>    gpg --batch -vv --verify $detached $plaintext
>
># --- Clean up
>    rm -f $detached $plaintext
>done
>==========================================================================
>
>Enjoy
>
>73 de Jeff
>
>

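The offset arithmetic from Jeff's script, carried into Python as an added example (not code from the mail or from rpm itself): it locates the header+payload region a detached signature covers, and adds a sanity check the script omits, namely that the computed offset actually lands on a header. The constants LEAD_SIZE, LEAD_MAGIC and HEADER_MAGIC are assumed from the RPM file format, and build_sample constructs a minimal stand-in package rather than reading a real .rpm.

```python
import struct

# Assumed from the RPM on-disk format; not values taken from the mail above.
LEAD_SIZE = 96                          # fixed-size lead at the start of every .rpm
LEAD_MAGIC = b"\xed\xab\xee\xdb"        # first four bytes of the lead
HEADER_MAGIC = b"\x8e\xad\xe8\x01"      # magic+version opening every header section

def signed_region_offset(data: bytes) -> int:
    """Offset of the header+payload region that the detached GPG signature covers.

    Same arithmetic as the shell script: skip the lead and the 8-byte header
    preamble, read il (index count) and dl (data length), skip 16*il index
    entries plus dl bytes of data, then round up to the next multiple of 8.
    """
    if len(data) < LEAD_SIZE + 16:
        raise ValueError("too short to hold an RPM lead and signature header")
    if data[:4] != LEAD_MAGIC:
        raise ValueError("bad lead magic: not an RPM package")
    o = LEAD_SIZE
    if data[o:o + 4] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    o += 8                                   # magic, version, reserved bytes
    il, dl = struct.unpack(">II", data[o:o + 8])
    sigsize = 8 + 16 * il + dl               # il/dl fields + index entries + data
    o += sigsize + (8 - sigsize % 8) % 8     # pad so the main header is 8-aligned
    # Check the script does not make: the signed region must itself open with a header.
    if data[o:o + 4] != HEADER_MAGIC:
        raise ValueError("main header magic not found at computed offset")
    return o

def signed_region(data: bytes) -> bytes:
    """The bytes to hand to 'gpg --verify' alongside the detached signature."""
    return data[signed_region_offset(data):]

def build_sample(il: int, dl: int, payload: bytes = b"fake-header-and-payload") -> bytes:
    """Constructed stand-in, not a real package: a lead, a signature header with
    il index entries and dl data bytes (all zero), padding, then a fake main header."""
    lead = LEAD_MAGIC + bytes(LEAD_SIZE - 4)
    sig = HEADER_MAGIC + bytes(4) + struct.pack(">II", il, dl) + bytes(16 * il + dl)
    pad = bytes((8 - len(sig) % 8) % 8)
    return lead + sig + pad + HEADER_MAGIC + payload

if __name__ == "__main__":
    pkg = build_sample(il=3, dl=37)
    print("signed region starts at byte", signed_region_offset(pkg))   # 200
```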