Böck: Multiple vulnerabilities in RPM – and a rant

If you can massage that process, then you can target the defenses the builder has in place to prevent archive attacks- things like symlink traversal to allow arbitrary writing to the builder's host OS (pre-VM). At that point, it's just a matter of choosing proper targets for overwriting- if they're using xen (and the unpack was done as root w/out any fakeroot depriving), you'd just go after the xen binary for example.

It's a bit twisty, but that what I'm describing above is an actual vulnerability that occurred for opensuse build service back in '10/'11; it doesn't have to be a remote code exploit against RPM for it to be problematic- it can just be breaking assumptions that the build infrastructure relies on, then using more traditional attacks.

I'd assume these pathways have been improved since I last took a whack at them; however, people continually make mistakes when it comes to unpacking things safely, so potential issues in things like rpm tooling shouldn't be treated lightly.

For those who are not aware, many (perhaps most) rubyists use the RVM "Gemsets" feature for this: https://rvm.io/gemsets/basics

FYI, "rpm hell" referred to the fact that RPM doesn't include a dependency resolver, so folks doing manual package installations/upgrades had to work this out for themselves.

dkpg doesn't have a dependcy resolver either -- so it was subject to the exact sort of "deb hell" as rpm. However, most folks just used apt instead of manually invoking dpkg by hand, which took care of all of the dependencies.

Similarly, once Red Hat formally adopted yum, "rpm hell" disappeared nearly immediately.

> I can see corporate blindness anywhere I want [...]

Don't forget that you're also subject to your own cognative blindness.

Our servers started out with SuSE Linux 8.2 in 2003 and now run openSUSE 13.2. 13 years worth of distribution upgrades.

And yes, both my personal machines and the servers started out with i586 installations and were cross graded to x86_64 in ~ 2007. Back then Debian still had no multi-arch story at all. Because the "as good as possible" deb format didn't have the support.

Can't tell you how sick I am (to stick with to your words) of Debian fanboys who have nothing but unsubstantiated claims.

Now you could make a realistic argument by saying the Debian, and derivative distributions have been better at implementing applications or applications stack using DEB formats since it's implementation is less fragmented in Debian and it's derivatives compared to distribution that use the RPM format like Fedora and derivatives vs OpenSuse and derivatives vs distributions that use wait for it... rpm5 <sigh>.

Failure of single chosen package format in the linux ecosystem has now reached new heights and led to even more fragmentation by introducing flatpak and snaps as well as OrbitalApps and highlighted Appimage an existing solution which ultimately wont solve anything for upstream since they will be again forced to chose which format to use and at the same time include/exclude certain set of end users ( unless of course they end up on using the appimage which is afaikt the only that does not require the end user to install anything before being able to be used by the end user )

On the other side, I feel the "rpm" package is more "user friendly". I never liked the number of the dpkg-*/deb* (sub)commands. Instead rpm, has only one command, its switches are more coherent and linear.

Moreover, to create a RPM package you should edit only a .spec file. With a DEB package, the files to edit are.. a lot....

I'm not paid by Red Hat (though IMO dismissing comments because you consider them biased.. everyone is biased).

RPM hell existed 10+ years ago mainly before the existence of a dependency solver. Then secondly the problem is using random rpms with a dependency on a library with a slightly different .so name. Both problems do not really occur anymore.

I've been upgrading Mandrake into Mandriva into Mageia. According to Wikipedia (https://en.wikipedia.org/wiki/Mandriva) that happened in 2004. I've also moved my system from 32bit to 64bit. All using rpm, though obviously changing architectures isn't super easy.

> redhat, well, as you can see with this bug report, it's run by corporate types who do what they are told

Red Hat is a super big company and I welcome you to prove your claim. Being aggressive against people is NOT a good quality to have! You mention that you're better because you fix bugs faster, this while attacking everyone working for Red Hat. This while you don't know these people!

Yes, the user should be given enough dynamite to blow off their system, but this one is just giving them the dynamite and the plutonium, together. The correct solution to these problems is always to report the issue, and get a fixed package to upgrade to, and *then* remove it. Of course that might not be realistic on some environments or by some providers. :( The error message in these cases should explain that, and that's something I need to fix first. The point is that if there are removal maintainer scripts they are there to perform cleanup or similar, so if you do not run them or skip bogus ones (and their roll-back maintainer script calls) by ignoring their exit codes you might end up with a crufty system at best or broken one at worst anyway, at which point it might actually seem preferable that the admin has to open, read and edit the script itself (obviously many will simply remove it). In the end I guess I'll just add the option and let users destroy their own systems, which is what will be advised all over the Internets, blaming the package manager in the process anyway, oh well. (And on that front I'd like to add some kind of tainting tracking so that if you do any of such things then when the system does not work and the user reports the issue, we can know that, well, they "voided their support warranty" and they get to keep the pieces together, if the maintainer does not feel like dealing with it, https://wiki.debian.org/Teams/Dpkg/Spec/TaintedDatabase.)

And of course there's a single case were dpkg cannot currently safely recover from some types of broken prerm maintainer scripts, and that one is also covered in the the FAQ (https://wiki.debian.org/Teams/Dpkg/FAQ#Q:_Can_dpkg_be_tol...).

But ideally, packages should have no need to contain any maintainer scripts, which would remove this problem entirely, and that's a direction we want to go in the future, see https://wiki.debian.org/Teams/Dpkg/Spec/DeclarativePackaging.

I've certainly had postinst/postrm scripts leave packages in terrible state, where the only recourse is to edit an exit 0 to scripts under /var/lib/dpkg/info. Sometime due to my own packaging mistakes, sometimes because using unstable. But in less used packages these errors do slip to released packages too. The major failing case is when upstream changes configuration file format and maintainer tries to write a conversion script from old format to new. Maintainer scripts are a major tripwire without an easy recovery path. And one of the reasons I wouldn't recommend distributing third party software in .deb files. It would be less painful if there was a built-in rollback mechanism...

That RHEL support policy, it is not related to RPM. With RHEL, any RHEL version still gets big updates (6.0, 6.1, etc). Those upgrades work just fine and they change loads between those releases. A RHEL version is supported longer than likely your hardware.

I dislike that they don't support upgrades, but for RHEL it isn't that big of a deal. It is important for Fedora and so on. For those it works just fine.

> Red Hat have produced at least three major buggy versions

What do you mean? I don't recall these versions.

> Yum - built to get round some of the obvious deficiencies - is now deprecated in favour of DNF

DNF is pretty much YUM but quicker.

You also didn't explain "nobody gives a care".

This is a failing of the entire PPA idea, but it was a technical failing of dpkg in and of itsself that I had to dig around and manually futz the postinst / prerm scripts. This is simply rpm -e --noscripts or rpm -ivh --noscripts in Redhat.

Then I must incorrectly what we are talking about. Because I occasionally run into prerm scripts that fails on package upgrades. It makes the upgrade fail and even the remove fail. Those are the time I msut go and edit the script in the dpkg scripts base to make it return early and finish the upgrade.

So what I describe _does_ happen. One solution is: I misidentifed the problem you and the GP are talking about. Is that the case ?

preseed is awful (only autoyast is worse). Canonical attempted to repair this by writing kickseed but that ultimately failed.

abrtd + faf are amazing for being able to gather any segfault / thing to drop core on thousands of nodes and have a central reporting place. I think Ubuntu has a trimmed down simplified version of this with the apport retracer bits, but faf is generic enough it would be quite trivial to write a dpkg plugin and just have one to rule them all.

rpm -V so hard! I recall several years back (5 or 6, maybe more?) Debian Packaging Policy didn't require including the bits to run debsums, so there were literally packages in the archive that didn't work with debsums. Unbelievable to me. I know there was a huge bit of work from Canonical to fix all of the packages missing them and then the policy changes to require it. However, you still can't get the information you can get from rpm -V from any of the debian tools that I'm aware of. Simply put, a silly hack like this thing I wrote for fun (http://www.digitalprognosis.com/opensource/scripts/restor...) is absolutely impossible to do on any dpkg based system.

I could literally go on quite a while, but find the Redhat tends to be a better overall distro. Yes Debian Stable is really great for certain use cases, but for what I do (HPC / Finance), Redhat based distros simply blow it out of the water.

These should fail on the package builder servers / reproducible build servers, yes?

If you've got any examples of these in stable or testing, I would have thought you could raise a bug - let me know if you need a hand.

That should (in principle!) not happen when using either --root or --instdir, but if you have a reproducer I'm very interested in a bug report, or a short recipe, so that I can get it fixed. Thanks.