Support yum for hermetic build

[tkopecek]

No description provided.

[tkopecek]

rhel6 image fails when gathering rpms from buildroot. It could be fixed by this. My concerns:
a) Is there better test that we're using yum instead of dnf (maybe passing whole package_manager object?)
b) Could missing --installchroot cause failures in some setups?

Btw, I was able to successfully build rhel6 package with this change.

[gemini-code-assist]

Code Review

This pull request adds support for yum in query_packages_location to enable hermetic builds on older systems. However, a high-severity command injection vulnerability was identified in mock/py/mockbuild/installed_packages.py where the dnf_cmd parameter is used without proper validation, potentially allowing arbitrary command execution. Additionally, the chrootpath is ignored for yum, which could lead to incorrect behavior within a chroot, and there's a portability concern with a hardcoded path to the repoquery executable.

[gemini-code-assist]

The dnf_cmd parameter is used directly to build a command for execution without proper validation. An attacker who can control the value of dnf_cmd can execute arbitrary commands on the system. The value should be validated against an allow-list of expected commands (e.g., /bin/dnf, /usr/bin/yum) before being used.

[gemini-code-assist]

When using yum, the chrootpath is ignored. This will cause repoquery to use the host's repository configuration instead of the one inside the chroot, which is incorrect. The repoquery command for yum should be configured to use the chroot's configuration. You can achieve this by using the --config flag to point to the yum.conf file inside the chroot.

Suggested change

	query_locations_cmd = ['/usr/bin/repoquery']
	query_locations_cmd = ['/usr/bin/repoquery']
	if chrootpath:
	query_locations_cmd += ['--config', os.path.join(chrootpath, 'etc/yum.conf')]

[gemini-code-assist]

Hardcoding the path to repoquery as /usr/bin/repoquery is not portable and may fail on systems where it's installed in a different location. This goes against the style guide's principle of compatibility across different Linux platforms. It would be more robust to search for the executable in the system's PATH. Consider adding a helper function to mock/py/mockbuild/util.py to find executables, similar to shutil.which, to ensure compatibility.

References

1. Repository style guide rule on compatibility: 'Code should run on both new and old Linux platforms. Including Fedora rawhide, all supported RHELs, openSUSE etc.' Hardcoding paths can break this compatibility. ^(link)
2. Repository style guide rule on internal utils: 'The file mock/py/mockbuild/util.py contains several helper functions that helps with compatibility. The code should use these functions when possible instead standard Python functions.' A new helper could be added here. ^(link)

[praiskup]

I am surprised that this is enough to make ancient clients happy. Nice.

[tkopecek]

It doesn't work for all repodata features, but it is enough for basic (rpms-only non-external repo (no mergerepo_c)) repo.

[praiskup]

Can you please add a Towncrier snippet? Otherwise looks good.

[tkopecek]

Can you please add a Towncrier snippet? Otherwise looks good.

Added - should I squash it?

[praiskup]

should I squash it?

Yes, please

[praiskup]

typo

[praiskup]

LGTM, hermetic test-case passes, +1