1404194 – fedpkg new-sources complains about 302 to https://src.fedoraproject.org/repo/pkgs/upload.cgi

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1404194 - fedpkg new-sources complains about 302 to https://src.fedoraproject.org/repo/pkgs/upload.cgi

Summary: fedpkg new-sources complains about 302 to https://src.fedoraproject.org/repo/...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	fedpkg
Sub Component:
Version:	24
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	---
Assignee:	cqi
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-12-13 10:02 UTC by Jan Pazdziora
Modified:	2017-03-02 12:07 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-03-02 12:07:18 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Jan Pazdziora 2016-12-13 10:02:35 UTC

Description of problem:

On freshly installed fedpkg setup (with fresh /etc/rpkg/fedpkg.conf), attempt to run

   fedpkg new-sources name-version.tar.gz

fails with

Could not execute new_sources: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://src.fedoraproject.org/repo/pkgs/upload.cgi">here</a>.</p>
</body></html>

Version-Release number of selected component (if applicable):

fedpkg-1.25-1.fc24.noarch

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have some file around that you want to upload to the lookaside cache.
2. Run fedpkg new-sources name-version.tar.gz

Actual results:

Could not execute new_sources: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://src.fedoraproject.org/repo/pkgs/upload.cgi">here</a>.</p>
</body></html>

Expected results:

No error.

Additional info:

If the code cannot or does not want to handle the redirect, I should likely ship

lookaside_cgi = https://src.fedoraproject.org/repo/pkgs/upload.cgi

in etc/rpkg/fedpkg.conf.

Comment 1 Lubomír Sedlář 2016-12-13 10:36:17 UTC

Please try with fedpkg-1.26-3 and pyrpkg-1.47-5 from updates-testing.

This is related to using well known SSL certificate:
https://fedoraproject.org/wiki/ReleaseEngineering/FlagDay2016

Comment 2 Jan Pazdziora 2016-12-13 10:59:54 UTC

Thanks, that changed the response to

Could not execute new_sources: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>

which I assume is a good thing.

Comment 3 Antonio T. (sagitter) 2016-12-13 11:15:47 UTC

Same problem on fedora 25.

Version-Release number of selected component (if applicable):
fedpkg-1.25-1.fc25.noarch

Comment 4 Lubomír Sedlář 2016-12-13 11:17:08 UTC

That is on it's way to be a good thing. It means you most likely don't have a kerberos ticket. It can be obtained by
    kinit <your_fas_login>@FEDORAPROJECT.ORG

Also, to be sure building works correctly, make sure you have koji-1.11.0-1 installed and /etc/koji.conf is up-to-date.

Comment 5 Michal Schorm 2016-12-15 11:22:48 UTC

(In reply to Lubomír Sedlář from comment #1)
> Please try with fedpkg-1.26-3 and pyrpkg-1.47-5 from updates-testing.

I encountered the same issue.
I confirm, that I updated those 2 packages and it works fine now.

Comment 6 Karel Volný 2016-12-15 15:51:43 UTC

(In reply to Lubomír Sedlář from comment #4)
> That is on it's way to be a good thing. It means you most likely don't have
> a kerberos ticket. It can be obtained by
>     kinit <your_fas_login>@FEDORAPROJECT.ORG

hmmmmm ....

$ kinit kvolny
Password for kvolny: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
kinit: Cannot find KDC for realm "FEDORAPROJECT.ORG" while getting initial credentials

> Also, to be sure building works correctly, make sure you have koji-1.11.0-1

$ rpm -q koji
koji-1.11.0-1.fc25.noarch

> installed and /etc/koji.conf is up-to-date.

which means ...?

$ stat -c %y /etc/koji.conf
2016-12-09 15:55:40.000000000 +0100

... raising priority/severity, hope someone can resolve this quickly, it blocks me from fixing security vulnerability (arbitrary code execution) :-(

Comment 7 Jan Pazdziora 2016-12-15 15:59:24 UTC

Make sure you have

$ rpm -qf /etc/krb5.conf.d/fedoraproject_org 
fedora-packager-0.6.0.0-1.fc25.noarch

Also, check that your /etc/krb5.conf has

includedir /etc/krb5.conf.d/

in it. If you've tweaked /etc/krb5.conf, the stock might be in /etc/krb5.conf.rpmnew.

Comment 8 Karel Volný 2016-12-15 16:23:35 UTC

(In reply to Jan Pazdziora from comment #7)
> Make sure you have

thanks, but:

> $ rpm -qf /etc/krb5.conf.d/fedoraproject_org 
> fedora-packager-0.6.0.0-1.fc25.noarch

$ rpm -qf /etc/krb5.conf.d/fedoraproject_org
fedora-packager-0.6.0.0-1.fc25.noarch

> Also, check that your /etc/krb5.conf has
> 
> includedir /etc/krb5.conf.d/
> 
> in it. If you've tweaked /etc/krb5.conf, the stock might be in
> /etc/krb5.conf.rpmnew.

$ grep includedir /etc/krb5.conf
includedir /etc/krb5.conf.d/

... other suggestions?

Comment 9 Lubomír Sedlář 2016-12-16 08:07:39 UTC

You could try going through Kerberos information from Fedora Infrastructure team.
https://fedoraproject.org/wiki/Infrastructure/Kerberos
This is not a bug in fedpkg, so please follow up on #fedora-infra on IRC or file a ticket at
https://pagure.io/fedora-infrastructure/

Comment 10 Karel Volný 2016-12-16 08:20:58 UTC

sorry, but throwing html source at the user, as described in comment #2, really is not a nice thing to do, no matter what configuration did the user omit

Comment 11 cqi 2016-12-16 08:23:16 UTC

Hi Karel, how about use another bug to track this improvement?

Comment 12 Karel Volný 2016-12-16 08:27:28 UTC

why? - look at the description again, this one started exactly with the same problem, fedpkg outputting html source instead of handling that more gracefully

Comment 13 Fedora Admin XMLRPC Client 2017-02-21 16:41:56 UTC

This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 14 cqi 2017-02-28 08:08:32 UTC

Hi Karel, could you please have a look at the problem you mentioned in comment 12? Currently, fedpkg is able to handle the error and not throw HTML source to user.

Comment 15 Karel Volný 2017-03-02 11:48:07 UTC

(In reply to cqi from comment #14)
> Hi Karel, could you please have a look at the problem you mentioned in
> comment 12? Currently, fedpkg is able to handle the error and not throw HTML
> source to user.

well, obviously I cannot reproduce the original problem, however trying new-sources without valid ticket, I'm now getting

Could not execute new_sources: Request is unauthorized.

which looks much better than the output in comment #2, thanks

Comment 16 cqi 2017-03-02 12:07:18 UTC

Thanks for you feedback.

Note You need to log in before you can comment on or make changes to this bug.