Debian Package Tracker - open-build-service

general

source: open-build-service (main)
version: 2.9.4-2
maintainer: Debian Ruby Extras Maintainers (archive) [DMD]
uploaders: Andrew Lee (李健秋) [DMD] – Lucas Kanashiro [DMD] – Héctor Orón Martínez [DMD]
arch: all
std-ver: 4.3.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

stable: 2.7.1-10
unstable: 2.9.4-2

versioned links

2.7.1-10: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.9.4-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

obs-api
obs-productconverter
obs-server
obs-utils
obs-worker

action needed

A new upstream version is available: 2.9.6 high

A new upstream version 2.9.6 is available, you should consider packaging it.

Created: 2019-03-24 Last update: 2019-04-22 01:53

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2018-12466: openSUSE openbuildservice before 9.2.4 allowed authenticated users to delete packages on specific projects with project links.
CVE-2017-9268: In the open build service before 201707022 the wipetrigger and rebuild actions checked the wrong project for permissions, allowing authenticated users to cause operations on projects where they did not have permissions leading to denial of service (resource consumption).

Please fix them.

Created: 2018-03-05 Last update: 2019-04-07 23:44

Depends on packages which need a new maintainer normal

The packages that open-build-service depends on which need a new maintainer are:

createrepo (#922361)
- Recommends: createrepo
lsb (#924519)
- Depends: lsb-base lsb-base
rpm (#923352)
- Depends: rpm
apache2 (#910917)
- Depends: apache2
osc (#923351)
- Depends: osc

Created: 2018-01-06 Last update: 2019-04-22 01:46

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 2-day delay is over. Check why.

Created: 2019-03-29 Last update: 2019-04-22 01:38

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 2.9.4-3, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 33449eddce4dbec0ff4e95a6a174d1e66aab11ff
Merge: 9d149e5f 4c390a3d
Author: Héctor Orón Martínez <zumbi@debian.org>
Date:   Mon Apr 15 16:02:39 2019 +0000

    Merge branch 'fix-delayed-jobs' into 'debian/master'
    
    Fix delayed jobs
    
    See merge request ruby-team/open-build-service!27

commit 4c390a3ddf44fe5f91cfe33160ec3e2a6126ef4b
Author: Lucas Kanashiro <lucas.kanashiro@collabora.com>
Date:   Fri Apr 12 16:03:01 2019 -0300

    debian/osb-api.prerm: stop the new obsapi systemd unit files

commit b76eb761bd6d62f4009df8cf9cf0255139a11185
Author: Lucas Kanashiro <lucas.kanashiro@collabora.com>
Date:   Fri Apr 12 15:08:32 2019 -0300

    debian/obs-api.postrm: stop obsapi systemd services

commit 44c6a4022c6684a16656a414dcae4cb380516a7f
Author: Lucas Kanashiro <lucas.kanashiro@collabora.com>
Date:   Fri Apr 12 14:00:13 2019 -0300

    debian/rake-tasks.sh: create a function to reload obsapi

commit 17b890377191a7a8a074a32cf491cdad1ece3fe4
Author: Lucas Kanashiro <lucas.kanashiro@collabora.com>
Date:   Fri Apr 12 12:29:26 2019 -0300

    debian/rake-tasks.sh: stop all running processes from the old installation
    
    Since we are moving from obsapidelayed to multiple systemd unit files,
    after the upgrade some processes related to delayed_jobs and clockwork
    might keep running. The setup task was modified to stop any of these
    processes if they exist.

commit 9d149e5ff28054b6f412490ccea80bfbb9fe40b4
Merge: 54cdaa2a 7d71ef52
Author: Héctor Orón Martínez <zumbi@debian.org>
Date:   Wed Apr 10 18:20:34 2019 +0000

    Merge branch 'update-migration' into 'debian/master'
    
    Update migration
    
    See merge request ruby-team/open-build-service!26

commit 7d71ef52fd6de672d08db48917513e0a3bf553a0
Merge: 2062ad68 54cdaa2a
Author: Héctor Orón Martínez <zumbi@debian.org>
Date:   Wed Apr 10 18:20:29 2019 +0000

    Merge branch 'debian/master' into 'update-migration'
    
    # Conflicts:
    #   debian/changelog

commit 54cdaa2a91419b7aba802b9a9086bb5bdadee1b0
Merge: 2b17811f c6b85cbd
Author: Héctor Orón Martínez <zumbi@debian.org>
Date:   Wed Apr 10 17:58:16 2019 +0000

    Merge branch 'upgrade-doc' into 'debian/master'
    
    Add some instructions on how to upgrade an existent instance
    
    See merge request ruby-team/open-build-service!22

commit c6b85cbd3dbc5bddad7584ad3bca3461e9720431
Author: Lucas Kanashiro <lucas.kanashiro@collabora.com>
Date:   Mon Apr 8 10:21:53 2019 -0300

    Add instructions on how to upgrade an existent instance

commit 2062ad689573a2f258553852ead01c8005071828
Author: Lucas Kanashiro <lucas.kanashiro@collabora.com>
Date:   Tue Apr 9 14:26:39 2019 -0300

    debian/rules: do not start obs-api services after installation
    
    Due to obs-api services depend on some steps executed by the setup task
    to start successfully, they always fail the attempt of initialization
    after installation.

commit 1c689ec2f3c12b336270c7607e5b9cca39fe005f
Author: Lucas Kanashiro <lucas.kanashiro@collabora.com>
Date:   Tue Apr 9 14:17:01 2019 -0300

    Update debian/rake-tasks.sh migration task
    
    Restart all the obs-api related services after migrating the database.

commit 2b17811f7f8c1b1745fce53773d7c14f37500810
Merge: 43ee5b8e 3a92e797
Author: Andrew Lee <ajqlee@debian.org>
Date:   Wed Apr 10 04:27:01 2019 +0000

    Merge branch 'add-news' into 'debian/master'
    
    debian/NEWS: add new entry for users upgrading to 2.9.4-3
    
    See merge request ruby-team/open-build-service!25

commit 3a92e7978fd28abeca9200d9a6e4124e6c1c9587
Author: Lucas Kanashiro <lucas.kanashiro@collabora.com>
Date:   Tue Apr 9 13:57:53 2019 -0300

    debian/NEWS: add new entry for users upgrading to 2.9.4-3
    
    Notify users to check the default Passenger user when upgrading.

commit 43ee5b8e7a8559090bfc22382a3c2ee150a0dd36
Merge: 2ce6c055 0f25a298
Author: Héctor Orón Martínez <zumbi@debian.org>
Date:   Tue Apr 9 10:31:04 2019 +0000

    Merge branch 'permission-fix' into 'debian/master'
    
    Move permission adjustment into maintainer script and fix permissions
    
    See merge request ruby-team/open-build-service!24

commit 0f25a298b82880a6ce1e85fc23ac62dccfea3810
Author: Andrew Lee (李健秋) <ajqlee@debian.org>
Date:   Tue Apr 9 17:45:04 2019 +0800

    Move permission adjustment into maintainer script and fix permissions
    for upgrade
    
    Move permission adjustment from rake-tasks.sh into obs-api.postinst
    script and fix permissions for upgrade. (Closes: #926198)
    
    Signed-off-by: Andrew Lee (李健秋) <andrew.lee@collabora.co.uk>

commit 2ce6c055ca92b5c984f38df6a530af7dbb2da9ed
Merge: 3e94d52f 8fac779a
Author: Héctor Orón Martínez <zumbi@debian.org>
Date:   Mon Apr 8 14:59:20 2019 +0000

    Merge branch 'migration-patch' into 'debian/master'
    
    Add patch to fix the database migration
    
    See merge request ruby-team/open-build-service!21

commit 8fac779a5d1166cfb73e5c79857db60599bb66b8
Author: Lucas Kanashiro <lucas.kanashiro@collabora.com>
Date:   Mon Apr 8 09:27:50 2019 -0300

    Add patch to fix the database migration

commit 3e94d52f1b4ab48a30ccd2172e8edb40670ac4a5
Author: Lucas Kanashiro <lucas.kanashiro@collabora.com>
Date:   Wed Apr 3 16:36:01 2019 -0300

    debian/changelog: fix obsapidelayed systemd unit file

commit ad0fd9fc283ceb817fc367d3cc975a3eb81105de
Author: Lucas Kanashiro <lucas.kanashiro@collabora.com>
Date:   Tue Apr 2 20:18:03 2019 -0300

    debian/changelog: add some autopkgtests test cases

commit 084b0eda9548ae5339c6d7028c3ea6d0f2bda9e9
Author: Lucas Kanashiro <lucas.kanashiro@collabora.com>
Date:   Tue Apr 2 20:16:29 2019 -0300

    Move DoD projects example configs to obs-api package, instead of obs-server

commit 14b2718e20c37dcc829b8bdd311e7f1ab7f40d44
Author: Lucas Kanashiro <lucas.kanashiro@collabora.com>
Date:   Tue Apr 2 15:09:14 2019 -0300

    Improve autopkgtest test cases

commit a21dc5db588e68a0859005dc712797cdb912a1f2
Merge: 461e5456 10eeab1d
Author: Héctor Orón Martínez <zumbi@debian.org>
Date:   Mon Apr 1 11:21:09 2019 +0000

    Merge branch 'autopkgtest-smoke-test' into 'debian/master'
    
    Add autopkgtest case to smoke test the complete setup
    
    See merge request ruby-team/open-build-service!20

commit 10eeab1da3928356b12c8d7536e79bf81a855b43
Author: Lucas Kanashiro <lucas.kanashiro@collabora.com>
Date:   Thu Mar 28 15:47:50 2019 -0300

    Add autopkgtest test case to smoke test the complete setup
    
    In this test the api, the server, and one worker are configured,
    a DoD project and a test project are created, and finally the
    hello package is created and commited to the test project which
    makes use of the DoD project to download the dependencies.

commit 461e5456d4f0d1ccbe65ea836327519c3c7f14e0
Merge: cd17a9fe 1439769d
Author: Héctor Orón Martínez <zumbi@debian.org>
Date:   Thu Mar 28 15:42:13 2019 +0000

    Merge branch 'autopkgtest-check-web-ui' into 'debian/master'
    
    Autopkgtest check web ui
    
    See merge request ruby-team/open-build-service!19

commit cd17a9fe378f557afc0baf7aeb9d7e2e3da0e1b8
Merge: 91adacfd 5d17d585
Author: Héctor Orón Martínez <zumbi@debian.org>
Date:   Thu Mar 28 15:39:27 2019 +0000

    Merge branch 'obs-api-systemd-unit-files' into 'debian/master'
    
    Obs api systemd unit files
    
    See merge request ruby-team/open-build-service!18

commit 1439769ddc2d1f0dcb087ec3f605613bdd8b43b3
Author: Lucas Kanashiro <lucas.kanashiro@collabora.com>
Date:   Thu Mar 28 11:49:10 2019 -0300

    Add autopkgtest test case to check web ui setup

commit 5d17d585cecab39e4fca3e85e51fa88cd5ec688c
Author: Lucas Kanashiro <lucas.kanashiro@collabora.com>
Date:   Thu Mar 28 11:32:34 2019 -0300

    Tweak obs-api.postinst to support new systemd unit files
    
    These modifications are needed to successfully start the services
    when obs-api is installed.

commit 4ef40310dd50134150f9cd9d40cb8cca7825f6f1
Author: Lucas Kanashiro <lucas.kanashiro@collabora.com>
Date:   Thu Mar 28 11:30:15 2019 -0300

    Split the obsapidelayed systemd unit file into others unit files
    
    The new systemd unit files were adapted from the latest upstream
    unit files. The current strategy with a single unit file does not
    work.

commit 91adacfd3d057f7f711c4de42eda4109d58aa447
Merge: 0c4ecc8d 532b204c
Author: Héctor Orón Martínez <zumbi@debian.org>
Date:   Fri Mar 22 11:41:05 2019 +0000

    Merge branch 'publish-ddeb-files' into 'debian/master'
    
    Publish Ubuntu ddeb files to the repositories
    
    See merge request ruby-team/open-build-service!17

commit 532b204cd9f2bf2a1d13bb563b0ea6d9fe7f9775
Author: Lucas Kanashiro <lucas.kanashiro@collabora.com>
Date:   Thu Mar 21 15:33:59 2019 -0300

    Publish Ubuntu ddeb files to the repositories

commit 0c4ecc8dc6d6c7abb2808caf6b59c68301c3b827
Merge: acd2a24c ff01ce39
Author: Héctor Orón Martínez <zumbi@debian.org>
Date:   Thu Mar 21 11:07:36 2019 +0000

    Merge branch '853164-tasks-max' into 'debian/master'
    
    Added obsworker.service.d/tasks.conf to override DefaultTasksMax.
    
    See merge request ruby-team/open-build-service!16

commit ff01ce39a48476c45c2f19a6921d3595728f7ec9
Author: Andrew Lee (李健秋) <ajqlee@debian.org>
Date:   Thu Mar 21 19:03:02 2019 +0800

    Correct the install path for tasks.conf file.
    
    Signed-off-by: Andrew Lee (李健秋) <ajqlee@debian.org>

commit 13efd936881db407c6bf91c77318241c0d8061e8
Author: Andrew Lee (李健秋) <ajqlee@debian.org>
Date:   Thu Mar 21 18:04:07 2019 +0800

    Added obsworker.service.d/tasks.conf to override DefaultTasksMax.
    
    Signed-off-by: Andrew Lee (李健秋) <ajqlee@debian.org>

commit acd2a24c42da2eecd28b748d8e71f6f1b1f294fa
Merge: 37fd892f 69a2d30b
Author: Héctor Orón Martínez <zumbi@debian.org>
Date:   Thu Mar 21 09:02:01 2019 +0000

    Merge branch 'enable-obsservice' into 'debian/master'
    
    Enable obsservice daemon
    
    See merge request ruby-team/open-build-service!14

commit 69a2d30b463764fb5c497d2badf7fa10d1b24465
Author: Andrew Lee (李健秋) <ajqlee@debian.org>
Date:   Thu Mar 21 12:28:54 2019 +0800

    Delete obsservicerun first as it's in the obsrun group that may cause problem to remove obsrun group.
    
    Signed-off-by: Andrew Lee (李健秋) <ajqlee@debian.org>

commit ed1431884baf4eb16882dd8fdc3ef539e419b618
Author: Andrew Lee (李健秋) <ajqlee@debian.org>
Date:   Thu Mar 21 12:00:36 2019 +0800

    Handle delete accounts/group according to https://wiki.debian.org/AccountHandlingInMaintainerScripts .
    
    Signed-off-by: Andrew Lee (李健秋) <ajqlee@debian.org>

commit 37fd892f9193bd33f0583c663f7c43f75c316ff0
Merge: ad1ca88f 8ff9c5ec
Author: Héctor Orón Martínez <zumbi@debian.org>
Date:   Wed Mar 20 18:55:25 2019 +0000

    Merge branch 'publish-asc-files' into 'debian/master'
    
    Publish Debian upstream tarball signatures to the repos
    
    See merge request ruby-team/open-build-service!15

commit 8ff9c5ec20f9edcb67c4ecc8440e7b69af962f0f
Author: Lucas Kanashiro <lucas.kanashiro@collabora.com>
Date:   Wed Mar 20 10:48:13 2019 -0300

    Publish Debian upstream tarball signatures to the repos

commit 770124ec8a90717161a5b0edf5a76ae6349807e1
Author: Andrew Lee (李健秋) <ajqlee@debian.org>
Date:   Wed Mar 20 16:21:52 2019 +0800

    Enable obsservice daemon
    
    The obsservice daemon requires user obsservicerun to create /srv/obs,
    so that we also revert the obsservicerun user from 2.7.4. And I
    believe this would also fix #924233 which was unable to purge as
    obsservicerun user still exist on the system that got created by
    previously installed 2.7.4 version.
    
    Signed-off-by: Andrew Lee (李健秋) <ajqlee@debian.org>

Created: 2019-03-20 Last update: 2019-04-21 22:45

Multiarch hinter reports 1 issue(s) normal

There are issues with the multiarch metadata for this package.

obs-productconverter could be marked Multi-Arch: foreign

Created: 2016-12-16 Last update: 2019-04-21 21:31

lintian reports 14 warnings normal

Lintian reports 14 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2019-04-05 Last update: 2019-04-05 06:44

7 ignored security issues in stretch low

There are 7 open security issues in stretch.

7 issues skipped by the security teams:

CVE-2018-7688: A missing permission check in the review handling of openSUSE Open Build Service before 2.9.3 allowed all authenticated users to modify sources in projects where they do not have write permissions.
CVE-2018-12466: openSUSE openbuildservice before 9.2.4 allowed authenticated users to delete packages on specific projects with project links.
CVE-2017-9268: In the open build service before 201707022 the wipetrigger and rebuild actions checked the wrong project for permissions, allowing authenticated users to cause operations on projects where they did not have permissions leading to denial of service (resource consumption).
CVE-2017-5188: The bs_worker code in open build service before 20170320 followed relative symlinks, allowing reading of files outside of the package source directory during build, allowing leakage of private information.
CVE-2018-12479: A Improper Input Validation vulnerability in Open Build Service allows remote attackers to cause DoS by specifying crafted request IDs. Affected releases are openSUSE Open Build Service: versions prior to 01b015ca2a320afc4fae823465d1e72da8bd60df.
CVE-2018-7689: Lack of permission checks in the InitializeDevelPackage function in openSUSE Open Build Service before 2.9.3 allowed authenticated users to modify packages where they do not have write permissions.
CVE-2018-12467: Authorized users of the openbuildservice before 2.9.4 could delete packages by using a malicious request against projects having the OBS:InitializeDevelPackage attribute, a similar issue to CVE-2018-7689.

Please fix them.

Created: 2018-03-05 Last update: 2019-04-07 23:44

testing migrations

excuses:
- Migrates after: ruby-clockwork, ruby-jquery-ui-rails, ruby-sprite-factory, ruby-voight-kampff
- 34 days old (2 needed)
- Updating open-build-service introduces new bugs: #924233
- Piuparts tested OK - https://piuparts.debian.org/sid/source/o/open-build-service.html
- Required age reduced by 3 days because of autopkgtest
- Checking build-dependency on amd64
- Not touching package due to block request by freeze (please contact debian-release if update is needed)
- Not considered

news

[rss feed]

[2019-03-18] Accepted open-build-service 2.9.4-2 (source) into unstable (Lucas Kanashiro)
[2019-02-07] Accepted open-build-service 2.9.4-1 (source all) into unstable (Andrew Lee (李健秋)) (signed by: 李健秋 Andrew Lee)
[2018-10-09] Accepted open-build-service 2.7.4-3 (source) into unstable (Andrew Lee (李健秋)) (signed by: 李健秋 Andrew Lee)
[2018-04-26] open-build-service REMOVED from testing (Debian testing watch)
[2018-03-17] open-build-service 2.7.4-2 MIGRATED to testing (Debian testing watch)
[2018-03-10] open-build-service REMOVED from testing (Debian testing watch)
[2017-09-04] open-build-service 2.7.4-2 MIGRATED to testing (Debian testing watch)
[2017-09-03] open-build-service REMOVED from testing (Debian testing watch)
[2017-08-12] open-build-service 2.7.4-2 MIGRATED to testing (Debian testing watch)
[2017-08-06] Accepted open-build-service 2.7.4-2 (source) into unstable (Andrew Lee (李健秋)) (signed by: 李健秋 Andrew Lee)
[2017-08-06] Accepted open-build-service 2.8.2-1 (source) into experimental (Andrew Lee (李健秋)) (signed by: 李健秋 Andrew Lee)
[2017-08-03] Accepted open-build-service 2.7.4-1 (source) into unstable (Andrew Lee (李健秋)) (signed by: 李健秋 Andrew Lee)
[2017-02-05] open-build-service 2.7.1-10 MIGRATED to testing (Debian testing watch)
[2017-01-25] Accepted open-build-service 2.7.1-10 (source all) into unstable (Andrew Lee (李健秋)) (signed by: 李健秋 Andrew Lee)
[2017-01-02] open-build-service 2.7.1-9 MIGRATED to testing (Debian testing watch)
[2016-12-22] Accepted open-build-service 2.7.1-9 (source) into unstable (Andrew Lee (李健秋)) (signed by: 李健秋 Andrew Lee)
[2016-12-19] Accepted open-build-service 2.7.1-8 (source amd64) into unstable (Andrew Lee (李健秋)) (signed by: 李健秋 Andrew Lee)
[2016-12-15] Accepted open-build-service 2.7.1-7 (source amd64) into unstable (Andrew Lee (李健秋)) (signed by: 李健秋 Andrew Lee)
[2016-12-08] Accepted open-build-service 2.7.1-6 (source amd64) into experimental (Andrew Lee (李健秋)) (signed by: 李健秋 Andrew Lee)
[2016-11-17] Accepted open-build-service 2.7.1-5 (source amd64) into experimental (Andrew Lee (李健秋)) (signed by: 李健秋 Andrew Lee)
[2016-10-25] Accepted open-build-service 2.7.1-4 (source amd64) into experimental (Andrew Lee (李健秋)) (signed by: 李健秋 Andrew Lee)
[2016-10-20] Accepted open-build-service 2.7.1-3 (source amd64) into experimental (Andrew Lee (李健秋)) (signed by: 李健秋 Andrew Lee)
[2016-10-19] Accepted open-build-service 2.7.1-2 (source amd64) into experimental (Andrew Lee (李健秋)) (signed by: 李健秋 Andrew Lee)
[2016-09-20] Accepted open-build-service 2.7.1-1 (source amd64) into experimental, experimental (Andrew Lee (李健秋)) (signed by: 李健秋 Andrew Lee)

bugs [bug history graph]

all: 7
RC: 1
I&N: 2
M&W: 3
F&P: 1
patch: 0

links

homepage
lintian (0, 14)
buildd: logs, clang
popcon
debci
browse source code
edit tags
security tracker

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.9.4-1