Metrics dashboard and graph editor
Stan Cox 0c1df2a22a Fix CVE-2022-39229 CVE-2022-2880 CVE-2022-41715
Resolves: rhbz#2131192
Resolves: rhbz#2134475
Resolves: rhbz#2126766
2022-11-01 16:09:46 -04:00
.github/workflows update to upstream Grafana 7.5.15, resolve CVE-2021-23648 and CVE-2022-21698 2022-04-22 14:29:58 +02:00
.gitignore update to upstream version 7.5.10 2021-09-30 18:17:18 +02:00
0001-update-grafana-cli-script-with-distro-specific-paths.patch Fix CVE-2022-39229 CVE-2022-2880 CVE-2022-41715 2022-11-01 16:09:46 -04:00
0002-add-manpages.patch Fix CVE-2022-39229 CVE-2022-2880 CVE-2022-41715 2022-11-01 16:09:46 -04:00
0003-update-default-configuration.patch Fix CVE-2022-39229 CVE-2022-2880 CVE-2022-41715 2022-11-01 16:09:46 -04:00
0004-remove-unused-backend-dependencies.patch Fix CVE-2022-39229 CVE-2022-2880 CVE-2022-41715 2022-11-01 16:09:46 -04:00
0005-remove-unused-frontend-crypto.patch Fix CVE-2022-39229 CVE-2022-2880 CVE-2022-41715 2022-11-01 16:09:46 -04:00
0006-notifications-use-HMAC-SHA256-to-generate-password-r.patch Fix CVE-2022-39229 CVE-2022-2880 CVE-2022-41715 2022-11-01 16:09:46 -04:00
0007-skip-marketplace-plugin-install-test.patch Fix CVE-2022-39229 CVE-2022-2880 CVE-2022-41715 2022-11-01 16:09:46 -04:00
0008-Prometheus-Fix-integer-overflow-in-rate-interval-cal.patch Fix CVE-2022-39229 CVE-2022-2880 CVE-2022-41715 2022-11-01 16:09:46 -04:00
0009-Prometheus-Fix-integer-overflow-in-rate-interval-cal.patch Fix CVE-2022-39229 CVE-2022-2880 CVE-2022-41715 2022-11-01 16:09:46 -04:00
0010-v9.0.x-Login-email-before-username-57406.patch Fix CVE-2022-39229 CVE-2022-2880 CVE-2022-41715 2022-11-01 16:09:46 -04:00
1001-vendor-patch-removed-backend-crypto.patch update to upstream v9.0.8 2022-09-15 18:34:41 +02:00
1002-vendor-use-pbkdf2-from-OpenSSL.patch Fix CVE-2022-39229 CVE-2022-2880 CVE-2022-41715 2022-11-01 16:09:46 -04:00
1003-vendor-skip-goldenfiles-tests.patch update to upstream v9.0.8 2022-09-15 18:34:41 +02:00
build_frontend.sh update to upstream v9.0.8 2022-09-15 18:34:41 +02:00
create_bundles_in_container.sh update to upstream v9.0.8 2022-09-15 18:34:41 +02:00
create_bundles.sh update to upstream v9.0.8 2022-09-15 18:34:41 +02:00
gating.yaml Introducing gating.yaml 2021-06-16 05:51:01 +02:00
grafana.rpmlintrc update to upstream v9.0.8 2022-09-15 18:34:41 +02:00
grafana.spec Fix CVE-2022-39229 CVE-2022-2880 CVE-2022-41715 2022-11-01 16:09:46 -04:00
grafana.sysusers update to upstream v9.0.8 2022-09-15 18:34:41 +02:00
list_bundled_nodejs_packages.py update to upstream v9.0.8 2022-09-15 18:34:41 +02:00
README.md update to upstream v9.0.8 2022-09-15 18:34:41 +02:00
sources update to upstream Grafana 9.0.9, fix CVE-2022-35957 2022-09-21 16:00:28 +02:00

grafana

The grafana package

Setup instructions

  • clone the upstream sources: git clone https://github.com/grafana/grafana && cd grafana
  • checkout the version of the specfile: git checkout <currentversion>
  • apply existing patches: git am ../0*.patch

Upgrade instructions

  • follow the Setup instructions above
  • rebase to the new version: git fetch && git rebase --onto <newversion> <oldversion>
    • rebasing remove-unused-backend-dependencies.patch: only apply the patch to pkg/extensions/main.go and run go mod tidy, then go.mod and go.sum will get updated automatically
    • rebasing remove-unused-frontend-crypto.patch: only apply the patch to package.json and run yarn install, then yarn.lock will get updated automatically
  • create new patches from the modified git commits: git format-patch -N --no-stat --no-signature <newversion> && mv *.patch ..
  • update Version, Release, %changelog and tarball NVRs in the specfile
  • create bundles and manifest: ./create_bundles_in_container.sh
  • inspect the vendor tarball for any new non-FIPS crypto (vendor/golang.org/x/crypto), delete these files/directories in the Makefile and update the patch-removed-backend-crypto.patch if required
  • update specfile with contents of the .manifest file
  • update the manpages patch in 0002-add-manpages.patch and other patches if required
  • run local build: rpkg local
  • run rpmlint: rpmlint -r grafana.rpmlintrc /tmp/rpkg/grafana-*/grafana-*.src.rpm /tmp/rpkg/grafana-*/x86_64/grafana-*.x86_64.rpm
  • run a scratch build: fedpkg scratch-build --srpm
  • upload new source tarballs: fedpkg new-sources *.tar.gz *.tar.xz
  • commit new sources file
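
The vendor tarball inspection step above can be made repeatable by listing the packages under vendor/golang.org/x/crypto and comparing them with a list reviewed for the previous release. This is an added example, not part of this repository: the function names, the reviewed-list file, the tarball name and the package names in the fixture are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the grafana packaging repo): report golang.org/x/crypto
# packages in a vendor tarball that are missing from a reviewed baseline list.
LC_ALL=C; export LC_ALL   # same collation for sort and comm

# Print the x/crypto package directories found in tarball $1, one per line.
list_xcrypto_pkgs() {
    tar -tf "$1" |
        sed -n 's#^\(.*/\)\{0,1\}vendor/golang\.org/x/crypto/\([^/]\{1,\}\)/.*#\2#p' |
        sort -u
}

# Print packages present in tarball $1 but absent from the reviewed list $2.
new_xcrypto_pkgs() {
    found=$(mktemp) || return 2
    list_xcrypto_pkgs "$1" > "$found"
    sort -u "$2" | comm -13 - "$found"   # lines only in the tarball listing
    rm -f "$found"
}

# Build a constructed tarball and baseline in directory $1 (sample data only).
make_fixture() {
    mkdir -p "$1/src/vendor/golang.org/x/crypto/pbkdf2" \
             "$1/src/vendor/golang.org/x/crypto/md4" \
             "$1/src/vendor/golang.org/x/crypto/blake2b" \
             "$1/src/vendor/golang.org/x/text"
    for d in pbkdf2 md4 blake2b; do
        echo "package $d" > "$1/src/vendor/golang.org/x/crypto/$d/$d.go"
    done
    # A file directly under x/crypto is not a package and must be ignored.
    echo "license" > "$1/src/vendor/golang.org/x/crypto/LICENSE"
    (cd "$1/src" && tar -cf ../vendor-constructed.tar vendor)
    printf '%s\n' pbkdf2 > "$1/reviewed-xcrypto.txt"
}

work=$(mktemp -d)
make_fixture "$work"
echo "new x/crypto packages needing review:"
new_xcrypto_pkgs "$work/vendor-constructed.tar" "$work/reviewed-xcrypto.txt"
rm -rf "$work"
```

Any package it prints still has to be judged by hand before it is deleted in the Makefile or added to the reviewed list.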

Patches

  • create the patch
  • declare and apply (%prep) the patch in the specfile
  • if the patch affects Go or Node.js dependencies, or the webpack:
    • update the create_bundles.sh script and apply the patch
    • create new tarballs
    • update the specfile with new tarball name and contents of the .manifest file

General guidelines

  • aim to apply all patches in the specfile
  • avoid rebuilding the tarballs

Patches fall in several categories:

  • modify dependency versions
  • modify both sources and vendored dependencies (e.g. CVEs)
  • modify the Node.js source (i.e. affect the webpack)
  • some patches are conditional (e.g. FIPS)

Patches cannot be applied twice. It is not possible to unconditionally apply all patches in the Makefile, and great care must be taken to include the required patches at the correct stage of the build.

Reproducible Bundles

Run ./create_bundles_in_container.sh to generate a reproducible vendor and webpack bundle.

Verification