By: James McDonald user 13 May 2020 at 12:57 p.m. CDT

12 Responses
James McDonald gravatar
The CentOS/RHEL 7 Gluu Repos have an unsigned python2-psutil package: python2-psutil-5.7.0-1.el7.x86_64.rpm This package has a couple issues: 1. It wants to update python2-psutil-5.6.7-1.el7.x86_64 from the EPEL Repos 2. It is NOT signed 3. shows a build host of 'localhost' - I see a mix of rpms in the repo and some have actual build-hosts and a few just have 'localhost' 4. I'm not seeing the gluu packages depending on python2-psutil anyway, so why would it be included in the repo? This leads me to wonder if this package is not legitimate. Possibly it was injected by a malicious third party? If it is legitimate, at the very least it needs to be properly signed, and should probably be clearly documented if this version of this package is required and expected to be present in the repo.

By Mohib Zico staff 13 May 2020 at 1:11 p.m. CDT

Mohib Zico gravatar
@Davit.Nikoghosyan: what do you think?

By Michael Schwartz staff 13 May 2020 at 1:31 p.m. CDT

Michael Schwartz gravatar
It needs to be signed. I believe the customer who needed this didn't have access to EPEL.

By James McDonald user 13 May 2020 at 1:41 p.m. CDT

James McDonald gravatar
I do have access to EPEL but the EPEL repos only have version python2-psutil-5.6.7-1.el7.x86_64.rpm so because your copy is a higher version, a yum-update tries to install it, then fails because it's not signed.

By James McDonald user 13 May 2020 at 1:43 p.m. CDT

James McDonald gravatar
I also don't see any of the gluu packages depending on python2-psutil and I don't see anything in the docs, so I would wonder why you have that in your repo at all.

By Davit Nikoghosyan staff 13 May 2020 at 2:09 p.m. CDT

Davit Nikoghosyan gravatar
@Mohib.Zico I am removing this package from gluu repo. Gluu repo should have only gluu packages on it.

By Mustafa Baser staff 13 May 2020 at 2:13 p.m. CDT

Mustafa Baser gravatar
That package is required for Cluster Manager.

By Davit Nikoghosyan staff 13 May 2020 at 2:18 p.m. CDT

Davit Nikoghosyan gravatar
@Mustafa.Baser we can get it from centos repo, why we need to add it into gluu repo ?

By James McDonald user 13 May 2020 at 2:28 p.m. CDT

James McDonald gravatar
I don't see it in the current dep list for clustermgr package. And if so, does it require 5.7+ specifically?

By Michael Schwartz staff 13 May 2020 at 2:52 p.m. CDT

Michael Schwartz gravatar
James, ignore it. It's not for you. We have a customer with an airlocked deployment, and they need it.

By Davit Nikoghosyan staff 13 May 2020 at 3:07 p.m. CDT

Davit Nikoghosyan gravatar
James, I signed python2-psutil package in gluu repo. It should not give signiture issues anymore

By Mustafa Baser staff 13 May 2020 at 4:13 p.m. CDT

Mustafa Baser gravatar
> @Mustafa.Baser we can get it from centos repo, why we need to add it into gluu repo ? @Davit.Nikoghosyan, centos repo contains old version. > I don't see it in the current dep list for clustermgr package. And if so, does it require 5.7+ specifically? James, yes it require 5.7+

By Davit Nikoghosyan staff 15 May 2020 at 11:06 a.m. CDT

Davit Nikoghosyan gravatar
@Mustafa.Baser I signed python2-psutil 5.7.0 package and put into gluu repo. Now we will not get issues about unsigned package in install/upgrade process. Seems we are done here. I will close the ticket, please reopen if you face other issues regarding this. Thanks,