
UnixPB: Fix Insecure Downloads In RHEL/SLES playbooks. #3355

Merged: 5 commits, Jan 31, 2024

Conversation

@steelhead31 (Contributor) commented Jan 25, 2024

Fixes #3341 & #3147

Ref: Security Audit issue TOB-5, issues identified with insecure downloads in SLES & RHEL.
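The two findings this PR closes (issue #3341, "Signature verification disabled when installing software", and the TOB-5 insecure-download item) both come down to playbook tasks that fetch or install software without any integrity or origin check. The following is an added illustration and not the PR's own diff: it shows the weak shape of such tasks beside a hardened shape for the RHEL (yum) and SLES (zypper) paths. Every URL, package name, key location, fingerprint and digest in it is a hypothetical placeholder; the `ansible.builtin.get_url`, `ansible.builtin.rpm_key`, `ansible.builtin.yum` and `community.general.zypper` modules and the parameters used are real Ansible modules and options.

```yaml
# Added example (not code from the adoptium PR): insecure vs. hardened
# download/install tasks for an Ansible playbook targeting RHEL and SLES.
# All URLs, package names, key paths, fingerprints and digests are
# hypothetical placeholders.
---
- name: Insecure pattern (the shape the audit flags)
  hosts: build_hosts
  become: true
  tasks:
    # Plain HTTP and no checksum: anyone on the path can swap the archive.
    - name: Download tool tarball (INSECURE)
      ansible.builtin.get_url:
        url: http://example.invalid/tools/some-tool-1.0.tar.gz
        dest: /tmp/some-tool-1.0.tar.gz

    # GPG checking disabled: unsigned or re-signed RPMs install silently.
    - name: Install package (INSECURE)
      ansible.builtin.yum:
        name: some-tool
        state: present
        disable_gpg_check: true

- name: Hardened pattern
  hosts: build_hosts
  become: true
  vars:
    # Expected digest, obtained out of band from the publisher (placeholder).
    some_tool_sha256: "0000000000000000000000000000000000000000000000000000000000000000"
  tasks:
    # HTTPS with certificate validation plus a pinned SHA-256; get_url fails
    # the task if the downloaded file does not match the digest.
    - name: Download tool tarball
      ansible.builtin.get_url:
        url: https://example.invalid/tools/some-tool-1.0.tar.gz
        dest: /tmp/some-tool-1.0.tar.gz
        checksum: "sha256:{{ some_tool_sha256 }}"
        validate_certs: true

    # Import the vendor signing key over HTTPS and pin its fingerprint, so a
    # substituted key file is rejected instead of being trusted.
    - name: Import vendor RPM signing key
      ansible.builtin.rpm_key:
        state: present
        key: https://example.invalid/keys/RPM-GPG-KEY-vendor
        fingerprint: "0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"

    # Package managers keep signature verification on (the default); the
    # option is written out explicitly so a later edit cannot flip it unnoticed.
    - name: Install package on RHEL (GPG check enabled)
      ansible.builtin.yum:
        name: some-tool
        state: present
        disable_gpg_check: false
      when: ansible_facts['os_family'] == 'RedHat'

    - name: Install package on SLES (GPG check enabled)
      community.general.zypper:
        name: some-tool
        state: present
        disable_gpg_check: false
      when: ansible_facts['os_family'] == 'Suse'
```

The checksum pin is the part that actually closes the download hole: an HTTPS URL alone only authenticates the server, not the file, and a `checksum:` value that is itself fetched from the same host at run time adds nothing. Keep the digest in the playbook (or in a vaulted/reviewed vars file) and update it deliberately when the artifact version changes.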

@github-actions bot left a comment

A block has been put on this Pull Request as this repository is temporarily under a code freeze due to an ongoing release cycle.

If this pull request needs to be merged during the release cycle then please comment /merge and a PMC member will be able to remove the block.

If the code freeze is over you can remove this block by commenting /thaw.

@steelhead31 (Contributor, Author)

This is still awaiting the OpenSuse fixes, and shouldn't be merged until completed. This PR has been raised for visibility.

@steelhead31 steelhead31 changed the title UnixPB: Fix Insecure Downloads In RHEL/Suse/OpenSuse playbooks. UnixPB: Fix Insecure Downloads In RHEL/SLES playbooks. Jan 29, 2024
@steelhead31 steelhead31 marked this pull request as ready for review January 30, 2024 11:32
@steelhead31 (Contributor, Author)

/thaw

@github-actions github-actions bot dismissed their stale review January 30, 2024 16:35

Pull Request unblocked - code freeze is over.

@steelhead31 steelhead31 requested a review from sxa January 31, 2024 09:08
@sxa (Member) left a comment

A couple of notes:

  1. Did you find something that required zlib-devel to be installed? With "Use bundled zlib on all versions, not just 21" (temurin-build#3459) the JDK should no longer require it for build purposes.
  2. I didn't realise we still had 32-bit stuff being installed in here. Don't think it's something that adoptium uses (we've never built for 32-bit xlinux) but we should perhaps check with IBM (@AdamBrousseau @sej-jackson ?) to see if they still have a requirement for those and if not, consider stripping it out to reduce complexity here.

Happy to approve in the meantime especially to alleviate the initial concern.

…_Toolkit/tasks/main.yml

Co-authored-by: Stewart X Addison <[email protected]>
@steelhead31 (Contributor, Author)

> 1. Did you find something that required zlib-devel to be installed? With "Use bundled zlib on all versions, not just 21" (temurin-build#3459) the JDK should no longer require it for build purposes.

I've tried both build and test without zlib (building fails due to missing X11, ALSA & Fontconfig dependencies), of which Fontconfig does have a dependency on zlib (which isn't installed by default on SLES 12 at least). I'm inclined to leave it for the moment and do some further investigation.

@steelhead31 steelhead31 merged commit dad0271 into adoptium:master Jan 31, 2024
9 of 10 checks passed

Linked issue (may be closed by merging this pull request): Signature verification disabled when installing software
3 participants