fix(apache-commons-compress) repack source tarball without encrypted sources #17201
Open
anphel31 wants to merge 1 commit into
Conversation
9ccdecb to 29c51f9
Pull request overview
This PR repacks the Apache Commons Compress source tarball to remove ESRP-flagged encrypted test fixtures, then wires the modified source into the Azure Linux component definition and rendered outputs.
Changes:
- Adds a dedicated component definition with a replacement source tarball reference.
- Adds a helper script to reproduce the modified tarball and upload instructions.
- Updates rendered source hash, lock fingerprint, and rpmautospec release/changelog.
Reviewed changes
Copilot reviewed 5 out of 6 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| base/comps/apache-commons-compress/apache-commons-compress.comp.toml | Defines the component-specific replacement source file. |
| base/comps/apache-commons-compress/modify_source.sh | Adds deterministic source repacking helper. |
| base/comps/components.toml | Removes the inline component entry and leaves a pointer comment. |
| locks/apache-commons-compress.lock | Refreshes component input fingerprint. |
| specs/a/apache-commons-compress/apache-commons-compress.spec | Updates rendered release and changelog. |
| specs/a/apache-commons-compress/sources | Updates rendered source hash for the repacked tarball. |
Comments suppressed due to low confidence (2)
base/comps/apache-commons-compress/modify_source.sh:68

- This comment points maintainers to `specs/a/apache-commons-compress/sources` for the upstream hash, but this PR changes that manifest to the repacked tarball hash. The hard-coded value is still the original upstream hash, so future updates need a reliable upstream source for this value instead of the now-rewritten rendered manifest.

```bash
# Known upstream SHA-512 (from specs/a/apache-commons-compress/sources).
# Bump when version changes.
UPSTREAM_SHA512="c7a2cef26959e687ad19b96b5ba8393d7514095e13bf0f29bd41e6b3c3cb2260d8ff23283ff3d5fd137b2522b843e7f0f50ab46bcf0f66df5383674f35f223ab"
```

base/comps/apache-commons-compress/modify_source.sh:112

- This file list includes directory entries, and GNU tar recurses into directories by default when they are passed via `--files-from`. Because the same `find` output also lists every child, the repacked archive will contain duplicate entries rather than being byte-identical to upstream except for the removed fixtures; filter the list or disable recursion before computing the replacement hash.

```bash
LC_ALL=C find "${TOPDIR}" -print0 \
| LC_ALL=C sort -z \
| LC_ALL=C tar \
```
29c51f9 to 9212631
… tarball

The upstream Apache Commons Compress source tarball ships encrypted test fixtures flagged by the AZL RPM signing pipeline (ESRP) as suspicious / malware-like content:

- src/test/resources/bla.encrypted.7z
- src/test/resources/password-encrypted.zip

Such content blocks the SRPM from being published. Neither file is used at runtime — they only feed the project's encrypted-archive unit tests — so removing them has no effect on the shipped package.

Add base/comps/apache-commons-compress/modify_source.sh, which reproducibly repacks the upstream tarball with those files removed, and use azldev's replace-upstream / replace-reason mechanism on the source-files entry to swap the patched tarball into the Fedora 'sources' manifest in place (no spec edit required).

Refs Task 19805.
9212631 to b81da63
Summary

The upstream Apache Commons Compress source tarball (`commons-compress-1.27.1-src.tar.gz`) ships encrypted-archive test fixtures flagged by the AZL RPM signing pipeline (ESRP) as suspicious / malware-like content:

- `commons-compress-1.27.1-src/src/test/resources/bla.encrypted.7z`
- `commons-compress-1.27.1-src/src/test/resources/password-encrypted.zip`

Such content blocks the SRPM from being published. Neither file is used at runtime — they only feed Apache Commons Compress's encryption-related unit tests, which are not run in our build (`%mvn_build -j -f` passes `-f` to skip tests, and the spec has no `%check`) — so removing them has no effect on the shipped package.

This PR replaces the upstream tarball (effectively, see below) with a deterministically-repacked one that is byte-identical to upstream except that those two files have been stripped. The swap is done via azldev's `replace-upstream` mechanism, which rewrites the matching entry in Fedora's `sources` lookaside manifest in place — so we keep the upstream filename and the spec's `Source0` line is untouched.

Changes

- `base/comps/apache-commons-compress/modify_source.sh` — New helper script that:
  - `commons-compress-1.27.1-src.tar.gz` from `archive.apache.org` and verifies its SHA-512 against `specs/a/apache-commons-compress/sources`.
  - `REMOVE_PATHS` (currently `bla.encrypted.7z` and `password-encrypted.zip`; add more there as new flags arise).
  - `commons-compress-1.27.1-src.azl.tar.gz`:
    - `tar --sort=name --owner=0 --group=0 --numeric-owner --mtime=@1577836800 --format=gnu` — stable file order, fixed ownership and mtime.
    - `gzip -n -9` — strips filename/mtime from the gzip header so the SHA-512 is identical across re-runs and machines.
  - `az storage blob upload` command for the AZL lookaside cache. The blob is uploaded under the upstream filename (no `.azl.`) because `replace-upstream` matches by filename.
- `base/comps/apache-commons-compress/apache-commons-compress.comp.toml` — Promoted the inline `[components.apache-commons-compress]` entry from `base/comps/components.toml` to a dedicated file (with a pointer comment left behind) and added a `[[…source-files]]` entry with:
  - `filename = "commons-compress-1.27.1-src.tar.gz"` (same as upstream).
  - `hash`/`hash-type = "SHA512"` of the repacked tarball.
  - `origin` URL pointing at the AZL lookaside cache.
  - `replace-upstream = true` + `replace-reason = "…"` so azldev transparently swaps the upstream entry in the `sources` manifest with auditable WARN-level logging.

Reproduction

Validation

- `azldev comp render -p apache-commons-compress` — succeeds; the rendered `sources` manifest has the new SHA-512 swapped in place.
- `azldev comp build -p apache-commons-compress` — succeeds; produced `apache-commons-compress-1.27.1-14.azl4.src.rpm` and `apache-commons-compress-1.27.1-14.azl4.noarch.rpm`.
- `commons-compress-1.27.1-src.tar.gz` matches the expected SHA-512 and contains neither flagged fixture.
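An added example, not the PR's own modify_source.sh: a shell helper that deterministically repacks a source tarball with selected test fixtures stripped, using the owner/group/mtime/format and `gzip -n` settings the description lists (with `find | sort` supplying the name order, as the script's line 112 does), plus two checks a reviewer would want to run on the result: that no member name is archived twice and that the fixture is really gone. It assumes GNU tar, gzip and coreutils and a tarball with a single top-level directory; `--no-recursion` is the fix for the duplicate-entry problem the Copilot comment raises.

```shell
#!/usr/bin/env bash
# Example helper (not the PR's modify_source.sh). Assumes GNU tar/gzip/coreutils
# and one top-level directory in the source tarball, as upstream ships.
set -euo pipefail

# repack_without_paths SRC_TGZ OUT_TGZ PATH... : remove each PATH (relative to
# the top-level dir), write OUT_TGZ deterministically, print its SHA-512.
repack_without_paths() {
    local src_tgz="$1" out_tgz="$2"
    shift 2
    local work topdir p
    work="$(mktemp -d)"
    tar -xzf "$src_tgz" -C "$work"
    topdir="$(ls "$work")"        # single top-level directory assumed
    for p in "$@"; do
        if [ ! -e "$work/$topdir/$p" ]; then
            echo "repack: $p not found in $src_tgz" >&2
            rm -rf "$work"
            return 1
        fi
        rm -f "$work/$topdir/$p"
    done
    # find already lists every directory *and* its children, so tell tar not to
    # recurse; otherwise each child is archived twice (the reviewer's point).
    (
        cd "$work"
        LC_ALL=C find "$topdir" -print0 | LC_ALL=C sort -z \
            | LC_ALL=C tar -c --null --no-recursion --files-from=- \
                  --owner=0 --group=0 --numeric-owner \
                  --mtime=@1577836800 --format=gnu -f -
    ) | gzip -n -9 > "$out_tgz"   # -n: no name/mtime in the gzip header
    rm -rf "$work"
    sha512sum "$out_tgz" | cut -d' ' -f1
}

# tar_has_duplicate_entries TGZ : succeeds if any member name appears twice.
tar_has_duplicate_entries() {
    local listing
    listing="$(tar -tzf "$1")"
    [ "$(printf '%s\n' "$listing" | wc -l)" -ne \
      "$(printf '%s\n' "$listing" | sort -u | wc -l)" ]
}

# tar_lacks_paths TGZ PATH... : succeeds if none of the PATHs is a member.
tar_lacks_paths() {
    local tgz="$1" listing entry p
    shift
    listing="$(tar -tzf "$tgz")"
    for p in "$@"; do
        while IFS= read -r entry; do
            case "$entry" in */"$p") return 1 ;; esac
        done <<<"$listing"
    done
    return 0
}
```

Run it twice on the same input and compare the printed hashes; a stable SHA-512 is what lets the `sources` manifest entry be reproduced on another machine.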