add_changelog_entry(): Incorrect `evr` expansion

[jessp01]

What happened? What is the problem?

For this specfile: https://gitlab.com/CentOS/archives/git.centos.org/rpms/openssh/-/blob/c7/SPECS/openssh.spec

The below code results in the wrong evr being set in the last changelog entry:

#!/usr/bin/env python3
import sys

from specfile import Specfile

specfile = Specfile(sys.argv[1], force_parse=True)
changelog_entry = "This is a test changelog entry"
with specfile as spec:
    spec.bump_release()
    spec.add_changelog_entry(changelog_entry)
specfile.save()

$ git diff # after running the snippet

@@ -71,7 +71,7 @@
 Summary: An open source implementation of SSH protocol versions 1 and 2
 Name: openssh
 Version: %{openssh_ver}
-Release: %{openssh_rel}%{?dist}%{?rescue_rel}
+Release: %{openssh_rel}%{?dist}%{?rescue_rel}.1
 URL: http://www.openssh.com/portable.html
 #URL1: http://pamsshagentauth.sourceforge.net
 Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
@@ -842,6 +842,9 @@ getent passwd sshd >/dev/null || \
 %endif
 
 %changelog
+* Mon Sep 15 2025 Jesse Portnoy <jesse.portnoy@perforce.com> - 0.10.3-2.23
+This is a test changelog entry
+
 * Thu Jul 20 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 7.4p1-23 + 0.10.3-2
 - Avoid remote code execution in ssh-agent PKCS#11 support
   Resolves: CVE-2023-38408

In other words, the evr is set to 0.10.3-2.23 (the value of %{pam_ssh_agent_ver}-%{pam_ssh_agent_rel)

What did you expect to happen?

In other changelog entries, the version is set to %{version}-%{release} + %{pam_ssh_agent_ver}-%{pam_ssh_agent_rel}. Obviously, the two latter macros are very specific to this specfile and I have no expectation that we'll analyse all specfile macros in an attempt to find such things but I did expect the result to be the same as what I get with the below:

with specfile as spec:
spec.add_changelog_entry(changelog_entry, evr=f"{spec.expanded_version}-{spec.expanded_release}")

To wit:

 %changelog
+* Mon Sep 15 2025 Jesse Portnoy <jesse.portnoy@perforce.com> - 7.4p1-23.1
+This is a test changelog entry

Looking at the code here: https://github.com/packit/specfile/blob/main/specfile/specfile.py#L614:

evr = "%{?epoch:%{epoch}:}%{version}-%{release}"

I'm not sure (haven't done any debugging yet) how the above gets to 0.10.3-2.23; doing the same with rpmspec returns the expected result:

$ rpmspec --srpm -q --queryformat "%{epoch}:%{version}-%{release}" SPECS/openssh.spec

(none):7.4p1-23.el7.1

Example URL(s)

No response

Steps to reproduce

0. Run the above snippet with https://gitlab.com/CentOS/archives/git.centos.org/rpms/openssh/-/blob/c7/SPECS/openssh.spec as the first arg
1. Check the last changelog entry

Workaround

• There is an existing workaround that can be used until this issue is fixed.
  One can set the evr explicitly with:

add_changelog_entry(changelog_entry, evr=f"{spec.expanded_version}-{spec.expanded_release}")

Participation

• I am willing to submit a pull request for this issue. (Packit team is happy to help!)

[jessp01]

I took a deeper look at the spec and the issue seems to stem from this block:

%package -n pam_ssh_agent_auth
Summary: PAM module for authentication with ssh-agent
Group: System Environment/Base
Version: %{pam_ssh_agent_ver}
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}

However, since {expanded_epoch}:{spec.expanded_version}-{spec.expanded_release} return the expected result, the main/primary version and release, expanded in lines 73-74:

  73 Version: %{openssh_ver}
  74 Release: %{openssh_rel}%{?dist}%{?rescue_rel}.3

Could we not use these, rather than invoke rpm.expandMacro("%{?epoch:%{epoch}:}%{version}-%{release}")?

[jessp01]

Hi @nforro ,

I created this pull: #492
Please let me know if you see a reason why this change might cause issues elsewhere. I did test it with multiple specs and the units also pass.

PS
My apologies for the first commit which DID introduce a regression (caught by the units as part of the CI). I had an issue running the units locally which I have since solved so this shan't reoccur:)

[nforro]

Hi, sorry it took me so long to get to this.

I'm not sure (haven't done any debugging yet) how the above gets to 0.10.3-2.23; doing the same with rpmspec returns the expected result:

$ rpmspec --srpm -q --queryformat "%{epoch}:%{version}-%{release}" SPECS/openssh.spec

(none):7.4p1-23.el7.1

That's not doing the same. Doing the same would be:

$ rpmspec --rpms -q --queryformat "%{epoch}:%{version}-%{release}\n" SPECS/openssh.spec | tail -n1

(none):0.10.3-2.23.fc42

And that's exactly the problem here. Thanks for the PR, I'll comment there.

[jessp01]

HI @nforro .

Hi, sorry it took me so long to get to this.

No worries, we all get busy with other things.

That's not doing the same. Doing the same would be:

$ rpmspec --rpms -q --queryformat "%{epoch}:%{version}-%{release}\n" SPECS/openssh.spec | tail -n1

Indeed. But at the time of writing the original bug description, I have not yet looked into the root cause. Once I have (as per #491 (comment)), the issue became much clearer and of course, rpmspec --srpm -q --queryformat "%{epoch}:%{version}-%{release}" SPECS/openssh.spec does not expose it, whereas rpmspec --rpms -q --queryformat "%{epoch}:%{version}-%{release}\n" SPECS/openssh.spec | tail -n1 does (for obvious reasons).

And that's exactly the problem here. Thanks for the PR, I'll comment there.

My pleasure. Will address the comments there.