Bug 1329886

Summary:	Review Request: dnscrypt-proxy - DNSCrypt client
Product:	[Fedora] Fedora	Reporter:	Nikos Roussos <comzeradd>
Component:	Package Review	Assignee:	Gwyn Ciesla <gwync>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	rawhide	CC:	fedora, gwync, package-review
Target Milestone:	---	Flags:	gwync: fedora-review+
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2016-06-18 18:34:40 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:

Description Nikos Roussos 2016-04-24 11:31:52 UTC

Spec URL: https://comzeradd.fedorapeople.org/specs/dnscrypt-proxy.spec
SRPM URL: https://comzeradd.fedorapeople.org/srpms/dnscrypt-proxy-1.6.1-1.fc23.src.rpm
Description: DNSCrypt is a protocol that authenticates communications between a DNS client and a DNS resolver. It prevents DNS spoofing. It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven't been tampered with.
Fedora Account System Username: comzeradd

Comment 1 Ralf Senderek 2016-05-22 12:05:32 UTC

Nicos, 

using the specfile and sources you provide, my build failed as the compiler was unable to make the target configure:

+ cd /builddir/build/BUILD
+ cd dnscrypt-proxy-1.6.1
+ make configure
make: *** No rule to make target 'configure'.  Stop.

Please try to build your package in KOJI and publish the URL here.

Ralf

Comment 2 Nikos Roussos 2016-06-06 10:20:01 UTC

Thanks. It seems that I uploaded an old spec.

SPEC: https://comzeradd.fedorapeople.org/specs/dnscrypt-proxy.spec
SRPM: https://comzeradd.fedorapeople.org/srpms/dnscrypt-proxy-1.6.1-2.fc24.src.rpm

Comment 3 Gwyn Ciesla 2016-06-09 14:14:54 UTC

- rpmlint checks return:
dnscrypt-proxy.src: W: spelling-error %description -l en_US cryptographic -> cryptography, cryptographer, crystallographic
The value of this tag appears to be misspelled. Please double-check.

Ignore.

dnscrypt-proxy.src: W: invalid-url URL: https://dnscrypt.org/ <urlopen error timed out>
The value should be a valid, public HTTP, HTTPS, or FTP URL.

Please fix.

- package meets naming guidelines
- package meets packaging guidelines
! license says GPLv2 but I see LGPLv2, and COPYING references BSD, please revisit.
- spec file legible, in am. english
- source matches upstream
- package compiles on devel (x86)
- no missing BR
- no unnecessary BR
- no locales
- not relocatable
- owns all directories that it creates
- no duplicate files
- permissions ok
- %clean ok
- macro use consistent
- code, not content
- no need for -docs
- nothing in %doc affects runtime
- no need for .desktop file 

So just the URL and license tag.

Comment 4 Nikos Roussos 2016-06-09 20:02:54 UTC

Thanks. I fixed the license. It's MIT. The URL seems correct. Probably the site was down a few hours ago.

SPEC: https://comzeradd.fedorapeople.org/specs/dnscrypt-proxy.spec
SRPM: https://comzeradd.fedorapeople.org/srpms/dnscrypt-proxy-1.6.1-3.fc24.src.rpm

Comment 5 Gwyn Ciesla 2016-06-09 20:12:29 UTC

Looks good, but I missed two rpmlint errors:

dnscrypt-proxy.x86_64: E: missing-call-to-setgroups-before-setuid /usr/sbin/dnscrypt-proxy
This executable is calling setuid and setgid without setgroups or initgroups.
There is a high probability this means it didn't relinquish all groups, and
this would be a potential security issue to be fixed. Seek POS36-C on the web
for details about the problem.

dnscrypt-proxy.x86_64: E: missing-call-to-chdir-with-chroot /usr/sbin/dnscrypt-proxy
This executable appears to call chroot without using chdir to change the
current directory. This is likely an error and permits an attacker to break
out of the chroot by using fchdir. While that's not always a security issue,
this has to be checked.

Comment 6 Nikos Roussos 2016-06-09 20:39:39 UTC

Yes, I have open relevant bugs upstream.

missing-call-to-chdir-with-chroot
This seems to be wrong reporting from rpmlint.
https://github.com/jedisct1/dnscrypt-proxy/issues/422

missing-call-to-setgroups-before-setuid
This is now fixed upstream and will be included on the next release.
https://github.com/jedisct1/dnscrypt-proxy/issues/421

Comment 7 Gwyn Ciesla 2016-06-09 20:51:14 UTC

Ok, great!

APPROVED.

Comment 8 Gwyn Ciesla 2016-06-09 21:22:55 UTC

Package request has been approved: https://admin.fedoraproject.org/pkgdb/package/rpms/dnscrypt-proxy

Comment 9 Fedora Update System 2016-06-09 21:57:03 UTC

dnscrypt-proxy-1.6.1-3.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ad1cee380b

Comment 10 Fedora Update System 2016-06-10 17:59:56 UTC

dnscrypt-proxy-1.6.1-3.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ad1cee380b

Comment 11 Fedora Update System 2016-06-18 18:34:38 UTC

dnscrypt-proxy-1.6.1-3.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.