Disable zchunk and deltarpm before first template boot #137

Open
wants to merge 1 commit into base: main

Conversation

DemiMarie
Contributor

This disables zchunk as well as deltarpm, reducing DNF's attack surface. Since zchunk applies to metadata fetches, it must be turned off before the template is installed, as otherwise the template will use it when fetching metadata to check for updates.

This also ensures that users who install packages manually before using Qubes OS's updater get a hardened DNF configuration.

@DemiMarie DemiMarie force-pushed the disable-deltarpm-proper branch from d62ac02 to 9604d34 on June 16, 2024 23:20
@marmarek
Member

PipelineRetry

@marmarek
Member

The description doesn't match the implementation. The implementation uses those options during the template build (and also during package builds with the legacy builder, which isn't mentioned in the description), but does not set them in the dnf config of the built template.
I think the confusion is about the prepare-chroot-builder script: it's only used by the legacy builder. Template building scripts are in the template_rpm dir (where 01_install_core.sh calls into prepare-chroot-base, but not prepare-chroot-builder).

Anyway, I don't like putting too much customization into template builder scripts. If anything, it should be done via some package (either by shipping some config file, if config drop-ins are supported, or by adjusting the config in a post-install script). This is to ensure a uniform result regardless of whether the user got an older template and updated or got a newer template directly.
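As an added illustration of the post-install approach described above (example code written for this page, not the PR's change and not a Qubes OS script): a POSIX shell helper that sets `deltarpm=False` and `zchunk=False` in the `[main]` section of a dnf.conf-style file idempotently, leaves options in other sections alone, and offers a check that reports whether the file is already hardened. The option names are DNF's own; the file path, the function names and the sample config content are assumptions constructed for the example.

```shell
# Example post-install-style hardening of a dnf.conf [main] section.
# Assumed: the target file follows dnf.conf's INI layout; names below are hypothetical.
set -u

# set_main_option FILE KEY VALUE
# Ensures KEY=VALUE appears exactly once in the [main] section of FILE:
# an existing assignment in [main] is replaced in place, otherwise the
# assignment is appended to the end of [main]. Other sections are untouched.
set_main_option() {
  file=$1; key=$2; value=$3
  [ -f "$file" ] || printf '[main]\n' > "$file"
  grep -q '^\[main\]' "$file" || {
    printf '[main]\n' | cat - "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  }
  awk -v k="$key" -v v="$value" '
    # Blank lines inside [main] are held back so an appended option lands
    # before the gap that separates [main] from the next section.
    function flush() { while (blanks > 0) { print ""; blanks-- } }
    /^\[/ {
      if (in_main && !done) { print k "=" v; done = 1 }
      flush()
      in_main = ($0 == "[main]")
    }
    in_main && /^[ \t]*$/ { blanks++; next }
    in_main && $0 ~ "^[ \t]*" k "[ \t]*=" {
      flush()
      if (!done) { print k "=" v; done = 1 }   # replace; drop duplicates
      next
    }
    { flush(); print }
    END { if (!done) print k "=" v; flush() }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# main_option_value FILE KEY
# Prints the last value assigned to KEY inside [main] (empty if unset).
main_option_value() {
  awk -v k="$2" '
    /^\[/ { in_main = ($0 == "[main]"); next }
    in_main && $0 ~ "^[ \t]*" k "[ \t]*=" {
      sub("^[ \t]*" k "[ \t]*=[ \t]*", ""); val = $0
    }
    END { print val }
  ' "$1"
}

# is_false VALUE: accepts the spellings DNF treats as boolean false.
is_false() {
  case "$1" in
    0|[Ff]alse|[Nn]o|[Oo]ff) return 0 ;;
    *) return 1 ;;
  esac
}

# check_hardened FILE: succeeds only if both delta mechanisms are disabled.
check_hardened() {
  is_false "$(main_option_value "$1" deltarpm)" &&
    is_false "$(main_option_value "$1" zchunk)"
}

# harden_dnf_conf FILE: the post-install step itself; safe to run repeatedly.
harden_dnf_conf() {
  set_main_option "$1" deltarpm False
  set_main_option "$1" zchunk False
}

# Usage: harden_dnf_conf /etc/dnf/dnf.conf (path given on the command line)
if [ $# -gt 0 ]; then
  harden_dnf_conf "$1"
  check_hardened "$1" && echo "hardened: $1"
fi
```

Running the script twice against the same file yields identical output, which is the property a post-install script needs when a template is upgraded rather than freshly installed.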

@DemiMarie
Contributor Author

> The description doesn't match the implementation. The implementation uses those options during the template build (and also during package builds with the legacy builder, which isn't mentioned in the description), but does not set them in the dnf config of the built template.

That’s a bug 😆.

> I think the confusion is about the prepare-chroot-builder script: it's only used by the legacy builder. Template building scripts are in the template_rpm dir (where 01_install_core.sh calls into prepare-chroot-base, but not prepare-chroot-builder).
>
> Anyway, I don't like putting too much customization into template builder scripts. If anything, it should be done via some package (either by shipping some config file, if config drop-ins are supported, or by adjusting the config in a post-install script). This is to ensure a uniform result regardless of whether the user got an older template and updated or got a newer template directly.

The purpose of this PR is to ensure that the customization is used during the template build itself.

--setopt=deltarpm=False
--setopt=zchunk=False
--setopt=gpgcheck=1
--setopt=localpkg_gpgcheck=1)
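Review bot: the closing `)` after `--setopt=localpkg_gpgcheck=1` suggests these four options are collected into a single option set reused for the build's dnf calls, so `gpgcheck=1` and `localpkg_gpgcheck=1` take effect before any extra signing key has been imported into the chroot; a package whose key only arrives via another package then cannot be verified. Consider keeping `--setopt=deltarpm=False` and `--setopt=zchunk=False` in this shared set and applying the two gpgcheck options only to the steps that run after the key packages are installed.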
Member

@marmarek marmarek Jun 23, 2024


This reliably breaks building any non-minimal template (see CI), because it prevents installing the package that ships the rpmfusion key. Don't do that.

@DemiMarie DemiMarie force-pushed the disable-deltarpm-proper branch from 5447d11 to 65f2fb9 on June 24, 2024 00:26
template_rpm/distribution.sh (outdated review thread, resolved)
@marmarek
Member

marmarek commented Jun 26, 2024 via email

> This disables zchunk as well as deltarpm, reducing DNF's attack surface.

A change to core-agent-linux will do the same for the built templates once they are installed.

@DemiMarie DemiMarie force-pushed the disable-deltarpm-proper branch from 65f2fb9 to a0cea5a on October 23, 2024 23:37