RPM

Comment 7 for bug 910708

Revision history for this message
Jeff Johnson (n3npq) wrote :

Note that the code path of rpm -qa does not attempt
to verify signatures and will not call rpmhkpValidate()
afaik.

Anton Kirilenko is encouraged to report his issues either
at the "bankrupt" qa.mandriva.com or here at launchpad.net/rpm,
particularly if he is claiming "Me too." anecdotally and also
claiming that RPM is somehow a "stopper" for his efforts.

I cannot fix what isn't reported. Nor can I fix (until January 20th,
your date for milestone assigment -> implementation) passes.

Hint: You can escalate the priority/importance of this bug more
easily than I can at the moment. I will wait to January 20th
to assess what else is needed: I see this issue as CRITICAL and
switching to MANDATORY signature checking as ESSENTIAL
no matter what.

I'm not at all surprised at the issue appearing. Note that the
core issue has nothing to do with whether RPM segaults
(although RPM has to be made immune to segfaults no
matter what).

But the core issue is that there is bad data being added to
an rpmdb through a different code path. As soon as the
segfault here with --Va (and with the alleged -qa issue) is
"fixed", the core issue -- bad data being added to an rpmdb --
will become invisible and will not be reported ever again (and
will still exist).

Many (I would claim most) segfaults in RPM are data related. In
spite of MANDATORY signature/digest checking on all
data read from *.rpm packages that is being routinely
disabled, as is ACID behavior.