This commit implements a read-only backend that allows accessing
BerkeleyDB databases without using the BerkeleyDB library.
The code supports btree version 9-10 and hash version 8-10.
There are two use cases for this:
1) Conversion of an existing BerkeleyDB to a different
backend.
2) Allowing package scriptlets to do database queries while
in a transaction that replaced rpm with a version that
no longer links against BerkeleyDB.
If both BerkeleyDB and the read-only backend are enabled, rpm will
default to BerkeleyDB.

BDB, LMDB and SQLite were already implicitly enabled via build
dependencies, but NDB build has not been enabled at all.
Came up when discussing read-only BDB in #980.

libgcrypt is much more straightforward and lightweight as a library,
doesn't come with a massive runtime library of its own, runtime which
messes with SIGPIPE and all, has a nice clearly compatible license (LGPL)
and is somewhat faster than NSS. What's not to like?
Change the default and add relevant documentation to INSTALL. Drop
the hopefully now unnecessary override from distcheck flags, and
switch CI over too. Note that in CI, openssl-devel is still needed
for ima-evm (missing dep in ima-evm-utils-devel?)

This doesn't do anything at all in itself because all the repositories
have gpgcheck=1 by default. However adding this line allows disabling
the gpgcheck for individual builds via Semaphore build settings, which
allows us to work around signatures on rawhide breaking semi-regularly,
blocking our CI for no fault of our own.

Unlike plain "check", this will catch regressions to out-of-tree builds,
source files present in git but missing in tarballs, etc. so they are
found when introduced instead of pre-release heat.
To make this work we need to move the working dir inside docker away
from /opt, the combination of root user and distcheck blows our whole
directory away at some point and things don't work so well after that.
In addition, rpmtests.log is no more in a nice and easy location
because it's failing somewhere inside the nested build thingie, so
try to find it...
We also need a few more packages installed now: git for the changelog
and doxygen for api docs. And ima-evm-utils-devel to build the plugin,
not the utils.

When enabled, log audit events for package install, update and remove.
The log includes the operation, package nevra, signature check result,
whether signatures are being enforced and overall operation
result code. Package install/update/remove are logged as such,
obsoletion is logged as install + remove (whereas the erasure element
on updates is silent). Enable compilation in CI.
Loosely based on initial RHEL 7-8 implementations by Pavlina Moravcova
Varekova and Florian Festi (RhBug:1555326, RhBug:1607612)

We have no need for modularity so it's only excess weight to download
and more s*** that will occasionally break, taking our CI down with
it for absolutely no good reason.

No idea why it was not there, there are important API tests that are
only covered via the bindings. Drop /usr/bin/python from the install
while at it, we don't need that for anything anymore.