Talk: Popular third-party RPMs fail to install/update/remove due to security policies verification

Would this help?

Any solution for the VLC problem?

We’re not discussing VLC here, please create a separate topic for it, thanks.

1 Like

Still having issues with this in a very reproducible way.

  1. With fedora toolbox create toolbox --release 38
  2. toolbox enter fedora-toolbox-38
  3. su -
  4. dnf update -y
  5. enable copr agriffis/neovim-nightly
  6. dnf install python3-neovim

with result:

Problem opening package python3-neovim-0.4.3.0.git.601.71102c0-1.fc38.noarch.rpm
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED
⬢[root@toolbox ~]# 

I have tried to add --nogpgcheck with the same results
Also tried

sudo update-crypto-policies --set LEGACY 

with no success. Any further suggestions here?

FYI: The simple dnf update on the fresh f38 toolbox also terminated with:

Failed:
  shadow-utils-2:4.13-4.fc38.x86_64                     shadow-utils-2:4.13-6.fc38.x86_64

2 Likes

This might be caused by having old crypto-policies and rpm*, yes. Which means the rpm signature issues are still present. The toolbox image content is old and doesn’t include even Beta packages. I assume the image would get re-generated once F38 is Final, but I’m not sure who to ask to confirm. @adamwill Would you know?

I can confirm this in my own F38 toolbox:

Error unpacking rpm package shadow-utils-2:4.13-6.fc38.x86_64
  Running scriptlet: rpm-4.18.1-1.fc38.x86_64                                                                  43/116 
error: unpacking of archive failed on file /usr/bin/newgidmap;64254ae7: cpio: cap_set_file failed - No data available
error: shadow-utils-2:4.13-6.fc38.x86_64: install failed

Can you please file a bug against shadow-utils in https://bugzilla.redhat.com and link it here? Thanks!

1 Like

https://bugzilla.redhat.com/show_bug.cgi?id=2183034

Sorry, this should really have been a separate thread! (shadow-utils issue)

1 Like

https://bugzilla.redhat.com/show_bug.cgi?id=2183038

Bug report for container image/toolbox

1 Like

@rishi might be able to help with rebuilding the container image. I’m not sure if there’s a regular schedule for that; there probably should be.

fedpkg container-build is currently broken and preventing the images from being rebuilt: Issue #11367: 'fedpkg container-build' fails with Python TypeError - releng - Pagure.io

The images are manually rebuilt at the moment with a fedpkg container-build followed by the Bodhi dance. We have been trying to change that for a while. Hopefully, we will make some progress for Fedora 39.

By the way, in case you are not changing the image definitions, but just doing a simple rebuild, then don’t be afraid to go ahead and do it. You don’t have to edit anything in dist-git. Just fedpkg container-build and Bodhi.

We have put in some self-tests to the Dockerfile which should catch breakages caused by files going inadvertently missing from the images. We will try to enhance that to make things as robust as possible.

1 Like

A new fedora-toolbox:38 build is now in Bodhi: https://bodhi.fedoraproject.org/updates/FEDORA-CONTAINER-2023-5046242970

Many thanks to @kevin for fixing the build system in record time!

1 Like