Bug 1232433
| Summary: | Review Request: python-certifi - Python package for providing Mozilla's CA Bundle | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | William Moreno <williamjmorenor> |
| Component: | Package Review | Assignee: | Nobody's working on this, feel free to take it <nobody> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | Jonathan Underwood <jonathan.underwood> |
| Priority: | medium | ||
| Version: | rawhide | CC: | jonathan.underwood, package-review, stefw |
| Target Milestone: | --- | Flags: | jonathan.underwood:
fedora-review+
gwync: fedora-cvs+ |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | python-certifi-2015.04.28-5.fc22 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-07-27 16:33:39 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1230968 | ||
|
Description
William Moreno
2015-06-16 18:19:55 UTC
OK, first question. This package ships some CA certs under /usr/lib/python... Fedora has a goal of sharing CAcerts system wide, and an application or library bundling its own cacerts is potentially a security problem. Unfortunately there aren't any packaging guidelines about this as far as I can see. Here are some useful links: https://fedoraproject.org/wiki/Features/SharedSystemCertificates https://lists.fedoraproject.org/pipermail/devel/2014-January/193617.html So, my questions are: 1) Why isn't this package using the system wide cacert bundle? 2) If there's a good answer to (1), why aren't the certs stored under /etc/pki/python-certifi or somesuch application directory? I'm cc'ing Stef on this bug in the hope he might offer some guidance here (Kai's email address no longer seems valid). Look like I can remove the bundle certificate and use a symlink, in python-requests if done in this way: http://pkgs.fedoraproject.org/cgit/python-requests.git/tree/python-requests.spec But I will wait for aditional comments. Yes, that does seem like a good approach. Note also that this package actually was previously in Fedora, and has been orphaned and remove. dead.package contains: 2014-06-04 - This package was already retired in pkgdb/blocked in koji, but no dead.package file existed. The original retirement reason is unclear. pkgdb entry: https://admin.fedoraproject.org/pkgdb/package/python-certifi/ Un-orphaning it requires a package review anyway, and your packaging is much better as it adds in py3 support. Package Review ============== Legend: [x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated [ ] = Manual review needed Issues: ======= - Package does not use a name that already exists. Note: A package with this name already exists. Please check https://admin.fedoraproject.org/pkgdb/acls/name/python-certifi See: https://fedoraproject.org/wiki/Packaging/NamingGuidelines#Conflicting_Package_Names ---> Package was previously orphaned. - Package bundles cacerts (n the wrong location) - better to symlink to system cacert bundle, and add appropriate Requires. - Package contains files with shellbangs at the top which need removing - see rpmlint output below. - Other issues below. ===== MUST items ===== Generic: [!]: Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines. The spec file has the License field specifying ISC as the license. But the LICENSE file in the source states: This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. So, I think the license field is incorrect. Also, the LICENSE file doesn't actually contain the full text of the license, just merely a URL to download it from. Packaging guidelines state that a full copy of the LICENSE file is included with the source, so you'll need to work with upstream to include the full license. [!]: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %license. [!]: License field in the package spec file matches the actual license. Note: Checking patched sources after %prep for licenses. Licenses found: "Unknown or generated". 7 files have unknown license. Detailed output of licensecheck in /home/jgu/Fedora/1232433-python- certifi/licensecheck.txt [!]: License file installed when any subpackage combination is installed. The LICENSE file isn't installed (even though it has the problem mentioned above). [x]: Package contains no bundled libraries without FPC exception. [x]: Changelog in prescribed format. [x]: Sources contain only permissible code or content. [-]: Package contains desktop file if it is a GUI application. [-]: Development files must be in a -devel package [x]: Package uses nothing in %doc for runtime. [x]: Package consistently uses macros (instead of hard-coded directory names). [x]: Package is named according to the Package Naming Guidelines. [x]: Package does not generate any conflict. [x]: Package obeys FHS, except libexecdir and /usr/target. [-]: If the package is a rename of another package, proper Obsoletes and Provides are present. [!]: Requires correct, justified where necessary. Unbundling the certs will require adding an extra Require to pull in the cacerts. [x]: Spec file is legible and written in American English. [-]: Package contains systemd file(s) if in need. [x]: Package is not known to require an ExcludeArch tag. [x]: Large documentation must go in a -doc subpackage. Large could be size (~1MB) or number of files. Note: Documentation size is 20480 bytes in 2 files. [!]: Package complies to the Packaging Guidelines See above. [x]: Package successfully compiles and builds into binary rpms on at least one supported primary architecture. [x]: Package installs properly. [x]: Rpmlint is run on all rpms the build produces. Note: There are rpmlint messages (see attachment). [x]: Package requires other packages for directories it uses. [x]: Package must own all directories that it creates. [x]: Package does not own files or directories owned by other packages. [x]: All build dependencies are listed in BuildRequires, except for any that are listed in the exceptions section of Packaging Guidelines. [x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT [x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install. [x]: Macros in Summary, %description expandable at SRPM build time. [x]: Dist tag is present. [x]: Package does not contain duplicates in %files. [x]: Permissions on files are set properly. [x]: Package use %makeinstall only when make install DESTDIR=... doesn't work. [x]: Package is named using only allowed ASCII characters. [x]: Package is not relocatable. [x]: Sources used to build the package match the upstream source, as provided in the spec URL. [x]: Spec file name must match the spec package %{name}, in the format %{name}.spec. [x]: File names are valid UTF-8. [x]: Packages must not store files under /srv, /opt or /usr/local Python: [x]: Python eggs must not download any dependencies during the build process. [x]: A package which is used by another package via an egg interface should provide egg info. [x]: Package meets the Packaging Guidelines::Python [x]: Package contains BR: python2-devel or python3-devel [x]: Binary eggs must be removed in %prep ===== SHOULD items ===== Generic: [!]: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it. [x]: Final provides and requires are sane (see attachments). [-]: Fully versioned dependency in subpackages if applicable. Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in python3-certifi [x]: Package functions as described. [x]: Latest version is packaged. [!]: Package does not include license text files separate from upstream. [x]: Description and summary sections in the package spec file contains translations for supported Non-English languages, if available. [x]: Package should compile and build into binary rpms on all supported architectures. [-]: %check is present and all tests pass. [x]: Packages should try to preserve timestamps of original installed files. [x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file [x]: Sources can be downloaded from URI in Source: tag [x]: Reviewer should test that the package builds in mock. [x]: Buildroot is not present [x]: Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT) [x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin. [x]: SourceX is a working URL. [x]: Spec use %global instead of %define unless justified. ===== EXTRA items ===== Generic: [x]: Rpmlint is run on all installed packages. Note: There are rpmlint messages (see attachment). [x]: Spec file according to URL is the same as in SRPM. Rpmlint ------- Checking: python-certifi-2015.04.28-1.fc22.noarch.rpm python3-certifi-2015.04.28-1.fc22.noarch.rpm python-certifi-2015.04.28-1.fc22.src.rpm python-certifi.noarch: E: non-executable-script /usr/lib/python2.7/site-packages/certifi/core.py 0644L /usr/bin/env python-certifi.noarch: W: pem-certificate /usr/lib/python2.7/site-packages/certifi/mkcert.pem python-certifi.noarch: W: pem-certificate /usr/lib/python2.7/site-packages/certifi/cacert.pem python-certifi.noarch: W: pem-certificate /usr/lib/python2.7/site-packages/certifi/old_root.pem python3-certifi.noarch: W: pem-certificate /usr/lib/python3.4/site-packages/certifi/mkcert.pem python3-certifi.noarch: W: pem-certificate /usr/lib/python3.4/site-packages/certifi/cacert.pem python3-certifi.noarch: W: pem-certificate /usr/lib/python3.4/site-packages/certifi/old_root.pem python3-certifi.noarch: E: non-executable-script /usr/lib/python3.4/site-packages/certifi/core.py 0644L /usr/bin/env 3 packages and 0 specfiles checked; 2 errors, 6 warnings. Rpmlint (installed packages) ---------------------------- python3-certifi.noarch: W: pem-certificate /usr/lib/python3.4/site-packages/certifi/mkcert.pem python3-certifi.noarch: W: pem-certificate /usr/lib/python3.4/site-packages/certifi/cacert.pem python3-certifi.noarch: W: pem-certificate /usr/lib/python3.4/site-packages/certifi/old_root.pem python3-certifi.noarch: E: non-executable-script /usr/lib/python3.4/site-packages/certifi/core.py 0644L /usr/bin/env python-certifi.noarch: E: non-executable-script /usr/lib/python2.7/site-packages/certifi/core.py 0644L /usr/bin/env python-certifi.noarch: W: pem-certificate /usr/lib/python2.7/site-packages/certifi/mkcert.pem python-certifi.noarch: W: pem-certificate /usr/lib/python2.7/site-packages/certifi/cacert.pem python-certifi.noarch: W: pem-certificate /usr/lib/python2.7/site-packages/certifi/old_root.pem 2 packages and 0 specfiles checked; 2 errors, 6 warnings. Requires -------- python3-certifi (rpmlib, GLIBC filtered): python(abi) python-certifi (rpmlib, GLIBC filtered): python(abi) python3 Provides -------- python3-certifi: python3-certifi python-certifi: python-certifi Source checksums ---------------- https://pypi.python.org/packages/source/c/certifi/certifi-2015.04.28.tar.gz : CHECKSUM(SHA256) this package : 99785e6cf715cdcde59dee05a676e99f04835a71e7ced201ca317401c322ba96 CHECKSUM(SHA256) upstream package : 99785e6cf715cdcde59dee05a676e99f04835a71e7ced201ca317401c322ba96 Generated by fedora-review 0.6.0 (3c5c9d7) last change: 2015-05-20 Command line :/usr/bin/fedora-review -b 1232433 Buildroot used: fedora-22-x86_64 Active plugins: Python, Generic, Shell-api Disabled plugins: Java, C/C++, fonts, SugarActivity, Ocaml, Perl, Haskell, R, PHP, Ruby Disabled flags: EXARCH, DISTTAG, EPEL5, BATCH, EPEL6 Note the guidelines for unretiring a package as well: https://fedoraproject.org/wiki/Orphaned_package_that_need_new_maintainers#Claiming_Ownership_of_an_Orphaned_Package_Procedure OK, doesn't look like we're going to get a response from Stef. I think the unbundling and symlinking your suggestion is the way to go. Can you address all of the issues raisedd above, and we'll get this finished and work on the rest of the stack you've submitted for review. Spec URL: https://williamjmorenor.fedorapeople.org/rpmdev/python-certifi.spec SRPM URL: https://williamjmorenor.fedorapeople.org/rpmdev/python-certifi-2015.04.28-2.fc22.src.rpm I have patched python-certifi to serve the certificates provided by ca-certificates, this is the same aproach used in python-request. I see you've also fixed the license field. You really should get into the habit of recording all changes you make in the spec file changelog. This also helps with review - most folks also post the changelog entry into the BZ review tickets along with the updated Spec URL and SRPM URL to help the reviewer quickly see what has been changed.
OK, so still to address:
1. Removing the shell bangs from lib files to silence rpmlint errors. Something like the following (untested) in %install:
#drop shebangs from python_sitearch
find %{buildroot}%{python_sitelib}/%{pypi_name} -name '*.py' \
-exec sed -i '1{\@^#!/usr/bin/env python@d}' {} \;
Obviously you'll need to adapt that and do it for both python 2 and 3.
2. Raising the license file issue with upstream - please post a link to an upstream ticket.
Once those are adressed, this should be good to go.
Also, do you not need to symlink to the system pem certs, or patch the python files to search for them in the system directory? Actually, looking at this, once you remove the pem files, this package is literally a couple of lines of python wrapping around a calls to os.path.split and os.path.join. I can't help feeling that it would actually be simpler to simply patch the appliaction to find the cacerts directly than package this. But, up to you. Spec URL: https://williamjmorenor.fedorapeople.org/rpmdev/python-certifi.spec SRPM URL: https://williamjmorenor.fedorapeople.org/rpmdev/python-certifi-2015.04.28-3.fc22.src.rpm --------- - 2015.04.28-3 - Remove shebang There is not need to simlink with ca-certificates, I only patch one line of the source: - return os.path.join(f, 'cacert.pem') + return "/etc/pki/tls/certs/ca-bundle.crt" So the os.patch get executed but it will always retun the full patch to the certificates provides by ca-certificates. I run mkdocs without any problem with the patched package, maybe I will need to patch livereload to use ca-certificas without need of python-certifi but I will work in that later, for now this patch work fine. I run the seb in %%prep so both the python 2 and 3 are build without the invalid shebang. License is MPLv2.0 now I have not rpmlint messages after that. I have asked upstream about include the license file in the tarball: https://github.com/certifi/python-certifi/issues/24 OK, great, APPROVED. Thanks for the review :) Package Change Request ====================== Package Name: python-certifi New Branches: master f22 Owners: williamjmorenor InitialCC: williamjmorenor This package was retired previusly but I want to become the maintainer of this package so this is a dependency of livereload and mkdocs. I have opened a ticker to un block this branches in the release: https://fedorahosted.org/rel-eng/ticket/6207 Git done (by process-git-requests). python-certifi-2015.04.28-4.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/python-certifi-2015.04.28-4.fc22 python-certifi-2015.04.28-5.fc22,livereload-2.4.0-8.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/python-certifi-2015.04.28-5.fc22,livereload-2.4.0-8.fc22 Package python-certifi-2015.04.28-5.fc22, livereload-2.4.0-8.fc22: * should fix your issue, * was pushed to the Fedora 22 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing python-certifi-2015.04.28-5.fc22 livereload-2.4.0-8.fc22' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-11367/python-certifi-2015.04.28-5.fc22,livereload-2.4.0-8.fc22 then log in and leave karma (feedback). python-certifi-2015.04.28-5.fc22, livereload-2.4.0-8.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report. |