Hi all,
I need sources for latest Centos 8.2 kernel (kernel-4.18.0-193.14.2.el8_2). Since they are (now customarily) not available on vault.centos.org, I am attempting to build from git.centos.org.
However, I am unable to find the exact commit to build from. On https://git.centos.org/rpms/kernel/commits/c8, I see 13.2 and 14.3, but not 14.2 that actually shipped.
$git log --format="%C(auto) %h %s" origin/c8 | head -n 20
08e2843 debrand kernel-4.18.0-193.14.3.el8_2
284ac7b import kernel-4.18.0-193.14.3.el8_2
f990a59 Manual CentOS Debranding
6694789 debrand kernel-4.18.0-193.13.2.el8_2
56933c6 import kernel-4.18.0-193.13.2.el8_2
efc1e5b Manual CentOS Debranding
afc068a debrand kernel-4.18.0-193.6.3.el8_2
d0c1e45 import kernel-4.18.0-193.6.3.el8_2
9af314c Manual CentOS Debranding
b36366f debrand kernel-4.18.0-193.1.2.el8_2
c6227ee import kernel-4.18.0-193.1.2.el8_2
063bbb9 change to centos.pem
05d7b37 Manual CentOS Debranding
9f8b3f1 debrand kernel-4.18.0-193.el8
78ffa6b import kernel-4.18.0-193.el8
89ceb16 Manual CentOS Debranding
47aeda1 debrand kernel-4.18.0-147.8.1.el8_1
e9cecf3 import kernel-4.18.0-147.8.1.el8_1
718e82b Manual CentOS Debranding
223d051 debrand kernel-4.18.0-147.5.1.el8_1
Any help would be appreciated.
Thanks, Antal
On 2020-08-03 11:37, Antal Nemeš wrote:
Hi all,
I need sources for latest Centos 8.2 kernel (kernel-4.18.0-193.14.2.el8_2).
Since they are (now customarily) not available on vault.centos.org, I am attempting to build from git.centos.org.
However, I am unable to find the exact commit to build from.
On https://git.centos.org/rpms/kernel/commits/c8, I see 13.2 and 14.3, but not 14.2 that actually shipped.
$git log --format="%C(auto) %h %s" origin/c8 | head -n 20
08e2843 debrand kernel-4.18.0-193.14.3.el8_2
284ac7b import kernel-4.18.0-193.14.3.el8_2
Looking at upstream, Red Hat never released kernel-4.18.0-193.14.2.el8_2 into the wild. The RHEL update (https://access.redhat.com/errata/RHSA-2020:3218) was kernel-4.18.0-193.14.3.el8_2, which is why that's the version in git (pushed from Red Hat's internal RelEng systems). -193.14.2.el8_2 appears to be something unique to CentOS. Looking at the changelog of the CentOS package vs the RHEL one, this changelog entry is missing:
* Mon Jul 20 2020 Bruno Meneguele bmeneg@redhat.com [4.18.0-193.14.3.el8_2]
- Reverse keys order for dual-signing (Frantisek Hrbata) [1837433 1837434] {CVE-2020-10713}
Something to do with differences between the way RHEL and CentOS do Secure Boot signing, perhaps?
-----Original Message----- From: CentOS-devel centos-devel-bounces@centos.org On Behalf Of Howard Johnson Sent: Monday, 3 August 2020 14:02 To: The CentOS developers mailing list. centos-devel@centos.org Subject: Re: [CentOS-devel] kernel-4.18.0-193.14.2.el8_2 in git.centos.org
On 2020-08-03 11:37, Antal Nemeš wrote:
Hi all,
I need sources for latest Centos 8.2 kernel (kernel-4.18.0-193.14.2.el8_2).
Since they are (now customarily) not available on vault.centos.org, I am attempting to build from git.centos.org.
However, I am unable to find the exact commit to build from.
On https://git.centos.org/rpms/kernel/commits/c8, I see 13.2 and 14.3, but not 14.2 that actually shipped.
$git log --format="%C(auto) %h %s" origin/c8 | head -n 20
08e2843 debrand kernel-4.18.0-193.14.3.el8_2
284ac7b import kernel-4.18.0-193.14.3.el8_2
Looking at upstream, Red Hat never released kernel-4.18.0-193.14.2.el8_2 into the wild. The RHEL update (https://access.redhat.com/errata/RHSA-2020:3218) was kernel-4.18.0-193.14.3.el8_2, which is why that's the version in git (pushed from Red Hat's internal RelEng systems). -193.14.2.el8_2 appears to be something unique to CentOS. Looking at the changelog of the CentOS package vs the RHEL one, this changelog entry is missing:
* Mon Jul 20 2020 Bruno Meneguele bmeneg@redhat.com [4.18.0-193.14.3.el8_2]
- Reverse keys order for dual-signing (Frantisek Hrbata) [1837433 1837434] {CVE-2020-10713}
Something to do with differences between the way RHEL and CentOS do Secure Boot signing, perhaps?
Thanks. I guess that makes sense. But I still have no idea how to obtain the sources to build. I would backtrack to a previous one (193.13.2), but that one is missing kernel-modules-extra rpm package, even though koji[1] shows it was built. This is the first time I saw an actual binary rpm missing, which is worrying.
So I have backtrack two levels, to 193.6.3.
Any idea when we can expect release of 193.14.3?
[1] https://koji.mbox.centos.org/koji/buildinfo?buildID=12631
Regards, Antal
On 03/08/2020 11:37, Antal Nemeš wrote:
I need sources for latest Centos 8.2 kernel (kernel-4.18.0-193.14.2.el8_2).
I believe 14.3 is exactly the same as 14.2 except that RH needed to adjust the signing order of their certificates and since those are RH specific, 14.2 == 14.3 for the intents and purposes of non-RHEL builds.
Trevor
On 8/3/20 8:50 AM, Trevor Hemsley via CentOS-devel wrote:
On 03/08/2020 11:37, Antal Nemeš wrote:
I need sources for latest Centos 8.2 kernel (kernel-4.18.0-193.14.2.el8_2).
I believe 14.3 is exactly the same as 14.2 except that RH needed to adjust the signing order of their certificates and since those are RH specific, 14.2 == 14.3 for the intents and purposes of non-RHEL builds.
Trevor _______________________________________________ CentOS-devel mailing list CentOS-devel@centos.org https://lists.centos.org/mailman/listinfo/centos-devel
This is the correct answer. The difference between 14.2 and 14.3 is only applicable to RHEL, and is not a change in the underlying content. The CentOS kernels were dual-signed in the right order for us in 14.2
--Brian
On Mon, Aug 3, 2020 at 7:13 AM Brian Stinson bstinson@centosproject.org wrote:
On 8/3/20 8:50 AM, Trevor Hemsley via CentOS-devel wrote:
On 03/08/2020 11:37, Antal Nemeš wrote:
I need sources for latest Centos 8.2 kernel (kernel-4.18.0-193.14.2.el8_2).
I believe 14.3 is exactly the same as 14.2 except that RH needed to adjust the signing order of their certificates and since those are RH specific, 14.2 == 14.3 for the intents and purposes of non-RHEL builds.
Trevor
This is the correct answer. The difference between 14.2 and 14.3 is only applicable to RHEL, and is not a change in the underlying content. The CentOS kernels were dual-signed in the right order for us in 14.2
--Brian
In any event, releasing the srpm to vault will be the right answer to the original post.
Akemi
-----Original Message----- From: CentOS-devel centos-devel-bounces@centos.org On Behalf Of Brian Stinson Sent: Monday, 3 August 2020 16:14
I believe 14.3 is exactly the same as 14.2 except that RH needed to adjust the signing order of their certificates and since those are RH specific, 14.2 == 14.3 for the intents and purposes of non-RHEL builds.
Trevor
This is the correct answer. The difference between 14.2 and 14.3 is only applicable to RHEL, and is not a change in the underlying content. The CentOS kernels were dual-signed in the right order for us in 14.2
--Brian
Great, thanks for confirmation. This throws a gigantic monkey wrench in my attempts at automating src.rpm generation from git.centos.org, so I hope this was an exceptional occurrence?
Regards, Antal
On 8/3/20 9:43 AM, Antal Nemeš wrote:
-----Original Message----- From: CentOS-devel centos-devel-bounces@centos.org On Behalf Of Brian Stinson Sent: Monday, 3 August 2020 16:14
I believe 14.3 is exactly the same as 14.2 except that RH needed to adjust the signing order of their certificates and since those are RH specific, 14.2 == 14.3 for the intents and purposes of non-RHEL builds.
Trevor
This is the correct answer. The difference between 14.2 and 14.3 is only applicable to RHEL, and is not a change in the underlying content. The CentOS kernels were dual-signed in the right order for us in 14.2
--Brian
Great, thanks for confirmation. This throws a gigantic monkey wrench in my attempts at automating src.rpm generation from git.centos.org, so I hope this was an exceptional occurrence?
Regards, Antal
These are very exceptional circumstances, but we're looking into how to make our processes go easier for future coordinated fixes.
--Brian
On 8/3/20 9:43 AM, Antal Nemeš wrote:
-----Original Message----- From: CentOS-devel centos-devel-bounces@centos.org On Behalf Of Brian Stinson Sent: Monday, 3 August 2020 16:14
I believe 14.3 is exactly the same as 14.2 except that RH needed to adjust the signing order of their certificates and since those are RH specific, 14.2 == 14.3 for the intents and purposes of non-RHEL builds.
Trevor
This is the correct answer. The difference between 14.2 and 14.3 is only applicable to RHEL, and is not a change in the underlying content. The CentOS kernels were dual-signed in the right order for us in 14.2
--Brian
Great, thanks for confirmation. This throws a gigantic monkey wrench in my attempts at automating src.rpm generation from git.centos.org, so I hope this was an exceptional occurrence?
Yes .. one could say that an embargoed, 'named' secureboot/kernel fix that requires a signature from Microsoft before release AND requires hiding embargoed content (which CentOS is not set up to do ..we build everything in the open) .. is VERY MUCH an exceptional occurrence.
Then throw in the fact the both RHEL and CentOS installs could no longer BOOT .. I think you are it the most unbelievable and most complicated build we have ever done in as the CentOS Project.
On 8/3/20 10:19 AM, Johnny Hughes wrote:
On 8/3/20 9:43 AM, Antal Nemeš wrote:
-----Original Message----- From: CentOS-devel centos-devel-bounces@centos.org On Behalf Of Brian Stinson Sent: Monday, 3 August 2020 16:14
I believe 14.3 is exactly the same as 14.2 except that RH needed to adjust the signing order of their certificates and since those are RH specific, 14.2 == 14.3 for the intents and purposes of non-RHEL builds.
Trevor
This is the correct answer. The difference between 14.2 and 14.3 is only applicable to RHEL, and is not a change in the underlying content. The CentOS kernels were dual-signed in the right order for us in 14.2
--Brian
Great, thanks for confirmation. This throws a gigantic monkey wrench in my attempts at automating src.rpm generation from git.centos.org, so I hope this was an exceptional occurrence?
Yes .. one could say that an embargoed, 'named' secureboot/kernel fix that requires a signature from Microsoft before release AND requires hiding embargoed content (which CentOS is not set up to do ..we build everything in the open) .. is VERY MUCH an exceptional occurrence.
Then throw in the fact the both RHEL and CentOS installs could no longer BOOT .. I think you are it the most unbelievable and most complicated build we have ever done in as the CentOS Project.
NOTE: I have built, signed, and released about 90% of ALL content for CentOS Linux since 2004 // this is by far the most complicated thing I have ever built.
Brian Stinson is a genius :) So is Peter Jones.
On 8/3/20 9:43 AM, Antal Nemeš wrote:
-----Original Message----- From: CentOS-devel centos-devel-bounces@centos.org On Behalf Of Brian Stinson Sent: Monday, 3 August 2020 16:14
I believe 14.3 is exactly the same as 14.2 except that RH needed to adjust the signing order of their certificates and since those are RH specific, 14.2 == 14.3 for the intents and purposes of non-RHEL builds.
Trevor
This is the correct answer. The difference between 14.2 and 14.3 is only applicable to RHEL, and is not a change in the underlying content. The CentOS kernels were dual-signed in the right order for us in 14.2
--Brian
Great, thanks for confirmation. This throws a gigantic monkey wrench in my attempts at automating src.rpm generation from git.centos.org, so I hope this was an exceptional occurrence?
Yes .. one could say that an embargoed, 'named' secureboot/kernel fix that requires a signature from Microsoft before release AND requires hiding embargoed content (which CentOS is not set up to do ..we build everything in the open) .. is VERY MUCH an exceptional occurrence.
Some filtering rules in my brain just triggered an alarm here, too many words like 'embargoed content', 'secureboot', 'hiding', 'Microsoft'... on a GNU/Linux devel list :-)
Simon
On 8/3/20 10:34 AM, Simon Matter via CentOS-devel wrote:
On 8/3/20 9:43 AM, Antal Nemeš wrote:
-----Original Message----- From: CentOS-devel centos-devel-bounces@centos.org On Behalf Of Brian Stinson Sent: Monday, 3 August 2020 16:14
I believe 14.3 is exactly the same as 14.2 except that RH needed to adjust the signing order of their certificates and since those are RH specific, 14.2 == 14.3 for the intents and purposes of non-RHEL builds.
Trevor
This is the correct answer. The difference between 14.2 and 14.3 is only applicable to RHEL, and is not a change in the underlying content. The CentOS kernels were dual-signed in the right order for us in 14.2
--Brian
Great, thanks for confirmation. This throws a gigantic monkey wrench in my attempts at automating src.rpm generation from git.centos.org, so I hope this was an exceptional occurrence?
Yes .. one could say that an embargoed, 'named' secureboot/kernel fix that requires a signature from Microsoft before release AND requires hiding embargoed content (which CentOS is not set up to do ..we build everything in the open) .. is VERY MUCH an exceptional occurrence.
Some filtering rules in my brain just triggered an alarm here, too many words like 'embargoed content', 'secureboot', 'hiding', 'Microsoft'... on a GNU/Linux devel list :-)
You and me both .. :)
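
Added example, not part of any message in this thread: a check that automation building src.rpms from git.centos.org could run before a build, so that a shipped NVR with no matching "import" commit (as with 193.14.2 here) stops the pipeline and reports the neighbouring imports instead of building the wrong source. The log lines are the first eight quoted in the original post; the function names are hypothetical, and the ordering is a simplified numeric comparison with the dist tag dropped, not a full rpmvercmp.

```python
import re

# Subject lines copied from the `git log origin/c8` output quoted in the thread.
GIT_LOG = """\
 08e2843 debrand kernel-4.18.0-193.14.3.el8_2
 284ac7b import kernel-4.18.0-193.14.3.el8_2
 f990a59 Manual CentOS Debranding
 6694789 debrand kernel-4.18.0-193.13.2.el8_2
 56933c6 import kernel-4.18.0-193.13.2.el8_2
 efc1e5b Manual CentOS Debranding
 afc068a debrand kernel-4.18.0-193.6.3.el8_2
 d0c1e45 import kernel-4.18.0-193.6.3.el8_2
"""

# Only "import <NVR>" commits mark the source drop for a given release.
IMPORT_RE = re.compile(r"^\s*([0-9a-f]{7,40})\s+import\s+(kernel-\S+)\s*$")


def sort_key(nvr):
    """Numeric ordering key for a kernel NVR, ignoring the dist tag (.el8_2).

    Assumption: simplified comparison, sufficient for kernel-X.Y.Z-A.B.C names.
    """
    ver_rel = nvr[len("kernel-"):].split(".el", 1)[0]
    return tuple(int(n) for n in re.findall(r"\d+", ver_rel))


def parse_imports(log_text):
    """Map each imported NVR to the abbreviated hash of its import commit."""
    imports = {}
    for line in log_text.splitlines():
        m = IMPORT_RE.match(line)
        if m:
            imports[m.group(2)] = m.group(1)
    return imports


def locate(nvr, imports):
    """Return ('exact', commit), or ('missing', older_nvr, newer_nvr)."""
    if nvr in imports:
        return ("exact", imports[nvr])
    want = sort_key(nvr)
    ordered = sorted(imports, key=sort_key)
    older = [n for n in ordered if sort_key(n) < want]
    newer = [n for n in ordered if sort_key(n) > want]
    return ("missing", older[-1] if older else None, newer[0] if newer else None)
```

A "missing" result is a signal for a person to decide which import, if any, corresponds to the shipped package; the script does not pick one.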