Upgrade git version to > 2.7.3 on linux build and test machines to address CVE-2016-2324 and CVE-2016-2315

RESOLVED FIXED

Status

Infrastructure & Operations
RelOps: Puppet

People

(Reporter: arr, Assigned: dividehex)

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Updated

2 years ago
No longer blocks: 1257614
(Reporter)

Updated

2 years ago
Blocks: 1256723
(Assignee)

Comment 1

2 years ago
git 2.7.4 has been built for CentOS (both i386 and x86_64) and puppetagain repos have been updated. We'll deploy first thing Monday.
(Assignee)

Comment 2

2 years ago
Created attachment 8732904 [details] [diff] [review]
bug11257635-1.patch
Attachment #8732904 - Flags: review?(dustin)
Comment 3

Comment on attachment 8732904 [details] [diff] [review]
bug11257635-1.patch

Review of attachment 8732904 [details] [diff] [review]:
-----------------------------------------------------------------

Very nice!
Attachment #8732904 - Flags: review?(dustin) → review+
(Assignee)

Comment 4

2 years ago
Comment on attachment 8732904 [details] [diff] [review]
bug11257635-1.patch

remote:   https://hg.mozilla.org/build/puppet/rev/71d4d717602d
remote:   https://hg.mozilla.org/build/puppet/rev/47b220b79993
Attachment #8732904 - Flags: checked-in+
(Assignee)

Comment 5

2 years ago
Comment on attachment 8732904 [details] [diff] [review]
bug11257635-1.patch

Backed out due to breaking other package dependency

remote:   https://hg.mozilla.org/build/puppet/rev/7e1a8288462f
remote:   https://hg.mozilla.org/build/puppet/rev/561da7d3e9aa


Mon Mar 21 10:08:02 -0700 2016 Puppet (err): Execution of '/bin/rpm -e mozilla-git-2.4.1-3.el6.x86_64' returned 1: error: Failed dependencies:
        mozilla-git is needed by (installed) git-remote-hg-185852e-1.el6.x86_64
Mon Mar 21 10:08:02 -0700 2016 /Stage[main]/Packages::Mozilla::Git/Package[mozilla-git]/ensure (err): change from 2.4.1-3.el6 to absent failed: Execution of '/bin/rpm -e mozilla-git-2.4.1-3.el6.x86_64' returned 1: error: Failed dependencies:
        mozilla-git is needed by (installed) git-remote-hg-185852e-1.el6.x86_64
Attachment #8732904 - Flags: checked-in+ → checked-in-
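A failed erase like the one logged above leaves the host on the old git build, so it is worth detecting in agent logs. The following is an added example, not part of the original bug or the Puppet repository: it extracts which package removal was blocked and by what, using the log lines from this comment as input. The function name `blocked_removals` and the regular expressions are assumptions of the example.

```python
import re

# Log lines copied from the backout comment above (not constructed).
SAMPLE_LOG = """\
Mon Mar 21 10:08:02 -0700 2016 Puppet (err): Execution of '/bin/rpm -e mozilla-git-2.4.1-3.el6.x86_64' returned 1: error: Failed dependencies:
        mozilla-git is needed by (installed) git-remote-hg-185852e-1.el6.x86_64
Mon Mar 21 10:08:02 -0700 2016 /Stage[main]/Packages::Mozilla::Git/Package[mozilla-git]/ensure (err): change from 2.4.1-3.el6 to absent failed: Execution of '/bin/rpm -e mozilla-git-2.4.1-3.el6.x86_64' returned 1: error: Failed dependencies:
        mozilla-git is needed by (installed) git-remote-hg-185852e-1.el6.x86_64
"""

# Puppet wraps the failing command: Execution of '<rpm> -e <pkg>' returned N: ...
RPM_ERASE = re.compile(
    r"Execution of '\S*rpm -e (?P<pkg>[^']+)' returned \d+: "
    r"error: Failed dependencies:")
# rpm then prints one indented line per installed package that blocks the erase.
NEEDED_BY = re.compile(
    r"^\s+(?P<cap>.+?) is needed by \(installed\) (?P<blocker>\S+)\s*$")


def blocked_removals(log_text):
    """Return unique (package, capability, blocker) tuples in log order."""
    found, current = [], None
    for line in log_text.splitlines():
        erase = RPM_ERASE.search(line)
        if erase:
            current = erase.group("pkg")
            continue
        need = NEEDED_BY.match(line)
        if need and current:
            item = (current, need.group("cap"), need.group("blocker"))
            if item not in found:  # Puppet logs the same failure twice
                found.append(item)
        elif not need:
            current = None  # dependency list for that erase has ended
    return found


if __name__ == "__main__":
    for pkg, cap, blocker in blocked_removals(SAMPLE_LOG):
        print(f"{pkg} not removed: {blocker} still requires {cap}")
```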
Comment 6

I think only Mark uses git-remote-hg, and even then only maybe, and only on the puppetmasters.  Maybe we should just give up on that?
(Assignee)

Comment 7

2 years ago
(In reply to Dustin J. Mitchell [:dustin] from comment #6)
> I think only Mark uses git-remote-hg, and even then only maybe, and only on
> the puppetmasters.  Maybe we should just give up on that?

I rebuilt the package to require git instead of mozilla-git, but I'm all in favor of dropping tools like this.  It also looks like the code base isn't being maintained anymore.  This might be a problem as we move forward with updating git and/or hg.

Comment 8

Yeah, apparently git-cinnabar is the way forward for git/hg integration.  It's also possible, with modern hg's, to do puppet work in hg alone.
(Assignee)

Comment 9

2 years ago
Created attachment 8733074 [details] [diff] [review]
bug1257635-2.patch

Same as the last plus removal of git-remote-hg
Attachment #8732904 - Attachment is obsolete: true
Attachment #8733074 - Flags: review?(dustin)
Comment 10

Comment on attachment 8733074 [details] [diff] [review]
bug1257635-2.patch

Review of attachment 8733074 [details] [diff] [review]:
-----------------------------------------------------------------

OK if Mark's got a way to do development without git-remote-hg.

::: modules/packages/manifests/mozilla/git_remote_hg.pp
@@ +7,5 @@
>      case $::operatingsystem {
>          CentOS: {
>              package {
>                  "git-remote-hg":
> +                    ensure => absent;
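Review bot: The `ensure => absent` added for "git-remote-hg" in the CentOS branch shows no ordering relative to the mozilla-git removal, and the backout log in this bug has `rpm -e mozilla-git-2.4.1-3.el6.x86_64` failing because the installed git-remote-hg-185852e-1.el6 still needs mozilla-git. Unless ordering is set outside the visible lines, consider adding `before => Package["mozilla-git"]` here so the dependent package is erased first on hosts that still carry the old build, and leave a comment in the manifest saying the class exists only to purge the package.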

Is this just temporary, after which this class will be removed?
Attachment #8733074 - Flags: review?(dustin) → review+
(Assignee)

Comment 11

2 years ago
(In reply to Dustin J. Mitchell [:dustin] from comment #10)
> Comment on attachment 8733074 [details] [diff] [review]
> bug1257635-2.patch
> 
> Review of attachment 8733074 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> OK if Mark's got a way to do development without git-remote-hg.
> 
> ::: modules/packages/manifests/mozilla/git_remote_hg.pp
> @@ +7,5 @@
> >      case $::operatingsystem {
> >          CentOS: {
> >              package {
> >                  "git-remote-hg":
> > +                    ensure => absent;
> 
> Is this just temporary, after which this class will be removed?

Yes.  The class will be removed soon down the line.
(Assignee)

Comment 12

2 years ago
Comment on attachment 8733074 [details] [diff] [review]
bug1257635-2.patch

remote:   https://hg.mozilla.org/build/puppet/rev/f2057c07032e
remote:   https://hg.mozilla.org/build/puppet/rev/ff66fc5a84b6
Attachment #8733074 - Flags: checked-in+
(Assignee)

Comment 13

2 years ago
Created attachment 8733111 [details] [diff] [review]
bug1257635-3-bump-git-version-ubuntu.patch
Attachment #8733111 - Flags: review?(dustin)
Attachment #8733111 - Flags: review?(dustin) → review+
(Assignee)

Updated

2 years ago
Depends on: 1258749
(Assignee)

Comment 14

2 years ago
Comment on attachment 8733111 [details] [diff] [review]
bug1257635-3-bump-git-version-ubuntu.patch

remote:   https://hg.mozilla.org/build/puppet/rev/36f91620d83b
remote:   https://hg.mozilla.org/build/puppet/rev/bef3388106f1
Attachment #8733111 - Flags: checked-in+
(Assignee)

Comment 15

2 years ago
For reference, the Ubuntu git packages were pulled directly from the Ubuntu git maintainer's stable PPA:
https://launchpad.net/~git-core/+archive/ubuntu/ppa
(Assignee)

Updated

2 years ago
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED