By: James McDonald user 13 May 2020 at 12:57 p.m. CDT

12 Responses
The CentOS/RHEL 7 Gluu Repos have an unsigned python2-psutil package: python2-psutil-5.7.0-1.el7.x86_64.rpm

This package has a couple of issues:

1. It wants to update python2-psutil-5.6.7-1.el7.x86_64 from the EPEL Repos.
2. It is NOT signed.
3. It shows a build host of 'localhost' - I see a mix of rpms in the repo and some have actual build-hosts and a few just have 'localhost'.
4. I'm not seeing the gluu packages depending on python2-psutil anyway, so why would it be included in the repo?

This leads me to wonder if this package is not legitimate. Possibly it was injected by a malicious third party? If it is legitimate, at the very least it needs to be properly signed, and it should probably be clearly documented if this version of this package is required and expected to be present in the repo.
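The checks James ran by hand above (is the rpm signed, by which key, and what build host does it claim) can be scripted over a mirrored repo directory. This is an added example, not Gluu's tooling: it calls `rpm -qp` with the same queryformat expression rpm's own `-qi` uses for its "Signature" line, and flags packages that are unsigned, signed by a key ID other than the ones the operator passes in, or built on 'localhost'. The trusted key IDs and the repo path are assumptions supplied by whoever runs it; the thread itself names none.

```python
import re, subprocess, sys
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# The expression rpm's own `-qi` uses for its "Signature" line: header sig or "(none)".
SIG_QF = ("%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:"
          "{%|SIGGPG?{%{SIGGPG:pgpsig}}:{%|SIGPGP?{%{SIGPGP:pgpsig}}:{(none)}|}|}|}|")
QUERY_FORMAT = "%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\t%{BUILDHOST}\t" + SIG_QF + "\n"

@dataclass
class PackageRecord:
    nevra: str       # name-version-release.arch
    buildhost: str   # %{BUILDHOST} as stamped into the rpm header at build time
    signature: str   # rpm's pgpsig string, or "(none)"

def key_id(signature: str) -> Optional[str]:
    """Extract the 16-hex-digit key ID from rpm's pgpsig string, if any."""
    m = re.search(r"Key ID ([0-9a-fA-F]{16})", signature)
    return m.group(1).lower() if m else None

def audit(record: PackageRecord, trusted_key_ids: Iterable[str]) -> List[str]:
    """Return the findings for one package; an empty list means no red flags."""
    findings, kid = [], key_id(record.signature)
    if kid is None:
        findings.append("unsigned")
    elif kid not in {k.lower() for k in trusted_key_ids}:
        findings.append("signed by unexpected key " + kid)
    if record.buildhost in ("localhost", "localhost.localdomain"):
        findings.append("build host is localhost")
    return findings

def parse_query_output(text: str) -> List[PackageRecord]:
    """Parse the tab-separated lines produced by `rpm -qp --qf QUERY_FORMAT`."""
    return [PackageRecord(*line.split("\t", 2))
            for line in text.splitlines() if line.strip()]

def audit_directory(repo_dir: str, trusted_key_ids: Iterable[str]) -> Dict[str, List[str]]:
    """Query every *.rpm under repo_dir with rpm and map each package to its findings."""
    rpms = sorted(str(p) for p in Path(repo_dir).glob("*.rpm"))
    if not rpms:
        return {}
    out = subprocess.run(["rpm", "-qp", "--qf", QUERY_FORMAT, *rpms],
                         check=True, capture_output=True, text=True).stdout
    return {r.nevra: audit(r, trusted_key_ids) for r in parse_query_output(out)}

if __name__ == "__main__":  # usage: audit_repo.py /path/to/repo-mirror KEYID [KEYID ...]
    for nevra, found in audit_directory(sys.argv[1], sys.argv[2:]).items():
        print(nevra, "OK" if not found else "; ".join(found))
```

`audit()` works on any PackageRecord, so the same logic can be run over output saved from a remote mirror without rpm installed locally.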

By Mohib Zico staff 13 May 2020 at 1:11 p.m. CDT

@Davit.Nikoghosyan: what do you think?

By Michael Schwartz Account Admin 13 May 2020 at 1:31 p.m. CDT

It needs to be signed. I believe the customer who needed this didn't have access to EPEL.

By James McDonald user 13 May 2020 at 1:41 p.m. CDT

I do have access to EPEL, but the EPEL repos only have version python2-psutil-5.6.7-1.el7.x86_64.rpm, so because your copy is a higher version, a yum update tries to install it, then fails because it's not signed.

By James McDonald user 13 May 2020 at 1:43 p.m. CDT

I also don't see any of the gluu packages depending on python2-psutil and I don't see anything in the docs, so I would wonder why you have that in your repo at all.

By Davit Nikoghosyan staff 13 May 2020 at 2:09 p.m. CDT

@Mohib.Zico I am removing this package from the gluu repo. The gluu repo should have only gluu packages in it.

By Devrim Yatar staff 13 May 2020 at 2:13 p.m. CDT

That package is required for Cluster Manager.

By Davit Nikoghosyan staff 13 May 2020 at 2:18 p.m. CDT

@Mustafa.Baser we can get it from the CentOS repo, why do we need to add it to the gluu repo?

By James McDonald user 13 May 2020 at 2:28 p.m. CDT

I don't see it in the current dep list for the clustermgr package. And if so, does it require 5.7+ specifically?

By Michael Schwartz Account Admin 13 May 2020 at 2:52 p.m. CDT

James, ignore it. It's not for you. We have a customer with an airlocked deployment, and they need it.

By Davit Nikoghosyan staff 13 May 2020 at 3:07 p.m. CDT

James, I signed the python2-psutil package in the gluu repo. It should not give signature issues anymore.

By Devrim Yatar staff 13 May 2020 at 4:13 p.m. CDT

> @Mustafa.Baser we can get it from the CentOS repo, why do we need to add it to the gluu repo?

@Davit.Nikoghosyan, the CentOS repo contains an old version.

> I don't see it in the current dep list for the clustermgr package. And if so, does it require 5.7+ specifically?

James, yes, it requires 5.7+.

By Davit Nikoghosyan staff 15 May 2020 at 11:06 a.m. CDT

@Mustafa.Baser I signed the python2-psutil 5.7.0 package and put it into the gluu repo. Now we will not get issues about an unsigned package in the install/upgrade process. Seems we are done here. I will close the ticket; please reopen it if you face other issues regarding this. Thanks,