Skip to content

[release/8.0] Use SHA256 for RPM digest #53157

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jan 10, 2024
Merged

[release/8.0] Use SHA256 for RPM digest #53157

merged 1 commit into from
Jan 10, 2024

Conversation

NikolaMilosavljevic
Copy link
Member

Backport of #52664

FIPS compliance blocks installation of RPM packages that use MD5 digest algorithm. We use fpm tool which defaults to MD5 digests. The fix is to specify SHA256 instead.

The fix was made in arcade with dotnet/arcade#14269, installer fix is in dotnet/installer#17933

This is the same fix that was made by many other RPM package owners, for instance: https://github.com/influxdata/telegraf

@NikolaMilosavljevic NikolaMilosavljevic requested review from wtgodbe and a team as code owners January 4, 2024 22:55
@ghost ghost added the area-infrastructure Includes: MSBuild projects/targets, build scripts, CI, Installers and shared framework label Jan 4, 2024
@ghost ghost added this to the 8.0.x milestone Jan 4, 2024
@ghost
Copy link

ghost commented Jan 4, 2024

Hi @NikolaMilosavljevic. If this is not a tell-mode PR, please make sure to follow the instructions laid out in the servicing process document.
Otherwise, please add tell-mode label.

@NikolaMilosavljevic NikolaMilosavljevic requested review from jkoritzinsky and removed request for wtgodbe January 4, 2024 22:55
@ghost
Copy link

ghost commented Jan 4, 2024

Hey @dotnet/aspnet-build, looks like this PR is something you want to take a look at.

@NikolaMilosavljevic NikolaMilosavljevic self-assigned this Jan 4, 2024
@NikolaMilosavljevic NikolaMilosavljevic added the Servicing-consider Shiproom approval is required for the issue label Jan 4, 2024
@ghost
Copy link

ghost commented Jan 4, 2024

Hi @NikolaMilosavljevic. Please make sure you've updated the PR description to use the Shiproom Template. Also, make sure this PR is not marked as a draft and is ready-to-merge.

To learn more about how to prepare a servicing PR click here.

@NikolaMilosavljevic NikolaMilosavljevic added Servicing-approved Shiproom has approved the issue and removed Servicing-consider Shiproom approval is required for the issue labels Jan 5, 2024
@ghost
Copy link

ghost commented Jan 5, 2024

Hi @NikolaMilosavljevic. This PR was just approved to be included in the upcoming servicing release. Somebody from the @dotnet/aspnet-build team will get it merged when the branches are open. Until then, please make sure all the CI checks pass and the PR is reviewed.

@NikolaMilosavljevic
Copy link
Member Author

This was approved for servicing.

@NikolaMilosavljevic
Copy link
Member Author

/azp run

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 3 pipeline(s).

@NikolaMilosavljevic
Copy link
Member Author

NikolaMilosavljevic commented Jan 8, 2024
edited
Loading

@wtgodbe do you know why Source-Build (Managed) would fail with yarn errors, like the following?

2024-01-07T03:48:31.2333268Z     error [email protected]: The engine "node" is incompatible with this module. Expected version "^14 || ^16 || ^17 || ^18 || ^19". Got "20.9.0"
2024-01-07T03:48:31.2413366Z     error Found incompatible module.

My change does not affect source-build.

@NikolaMilosavljevic
Copy link
Member Author

NikolaMilosavljevic commented Jan 8, 2024
edited
Loading

@wtgodbe do you know why Source-Build (Managed) would fail with yarn errors, like the following?

2024-01-07T03:48:31.2333268Z     error [email protected]: The engine "node" is incompatible with this module. Expected version "^14 || ^16 || ^17 || ^18 || ^19". Got "20.9.0"
2024-01-07T03:48:31.2413366Z     error Found incompatible module.

My change does not affect source-build.

It seems that NodeJS projects are being built in verification builds and that's what's causing the failure. Other recent PRs are failing with the same issue, i.e. #53213

Curiously, there was one recent PR that had all successful checks (including source-build). Verification builds for that PR did not build NodeJS projects - #53147

cc @MackinnonBuck

@wtgodbe, since this failure is unrelated to my changes, can you merge this PR? We do not want to merge the other related PR for backport to release/6.0.

@wtgodbe
Copy link
Member

wtgodbe commented Jan 8, 2024

since this failure is unrelated to my changes, can you merge this PR? We do not want to merge the other related PR for backport to release/6.0.

I'd be more comfortable merging after @MackinnonBuck takes a look. Branches are open for another week, so we have some time.

Out of curiosity, why do we want this PR but not the 6.0 one?

@MackinnonBuck
Copy link
Member

It looks like we fixed a similar build issue in main here. I'm going to try backporting the change to release/8.0 and see if that fixes these problems. I initially pushed it as a commit here but figured it would be better to test it separately first. Sorry for the noise!

@MackinnonBuck
Copy link
Member

#53220

@NikolaMilosavljevic
Copy link
Member Author

since this failure is unrelated to my changes, can you merge this PR? We do not want to merge the other related PR for backport to release/6.0.

I'd be more comfortable merging after @MackinnonBuck takes a look. Branches are open for another week, so we have some time.

Out of curiosity, why do we want this PR but not the 6.0 one?

cc @leecow

We'd like to minimize potential for breaking some customers on .NET 6.0. That release could be targeting some older distros that might not support sha256 rpm digest. While that is not very likely, it would be a breaking change if it happened.

@wtgodbe wtgodbe enabled auto-merge (squash) January 9, 2024 19:28
@NikolaMilosavljevic
Copy link
Member Author

@wtgodbe @MackinnonBuck after rebasing the PR, source-build leg is passing, but there are issues in tests, which run on Windows. Since we know that my changes are unrelated and needed for February release, can this PR be merged?

@wtgodbe wtgodbe disabled auto-merge January 10, 2024 17:34
@wtgodbe wtgodbe merged commit 6b17d15 into dotnet:release/8.0 Jan 10, 2024
@ghost ghost modified the milestones: 8.0.x, 8.0.2 Jan 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wtgodbe wtgodbe wtgodbe approved these changes

@jkoritzinsky jkoritzinsky Awaiting requested review from jkoritzinsky

@BrennanConroy BrennanConroy Awaiting requested review from BrennanConroy

@halter73 halter73 Awaiting requested review from halter73

Assignees

@NikolaMilosavljevic NikolaMilosavljevic

Labels
area-infrastructure Includes: MSBuild projects/targets, build scripts, CI, Installers and shared framework Servicing-approved Shiproom has approved the issue
Projects
Servicing
Status: Done
Milestone
8.0.2
Development

Successfully merging this pull request may close these issues.
3 participants
@NikolaMilosavljevic @wtgodbe @MackinnonBuck