Bug 173388

| Field | Value |
|---|---|
| Summary | Review Request: mod_evasive - Denial of Service evasion module for Apache |
| Product | Fedora |
| Component | Package Review |
| Status | CLOSED NEXTRELEASE |
| Severity | medium |
| Priority | medium |
| Version | rawhide |
| Hardware | All |
| OS | Linux |
| URL | http://www.nuclearelephant.com/projects/mod_evasive/ |
| Reporter | Konstantin Ryabitsev <icon> |
| Assignee | Ruben Kerkhof <ruben> |
| QA Contact | Fedora Package Reviews List <fedora-package-review> |
| CC | cweyl, jorton, kevin, rpm |
| Flags | ruben: fedora-review+; petersen: fedora-cvs+ |
| Doc Type | Bug Fix |
| Last Closed | 2007-05-12 16:49:10 UTC |
| Bug Blocks | 163779 |
Description

Konstantin Ryabitsev, 2005-11-16 20:35:49 UTC

Ping.

Regarding the %description, "et cetera" are two words, and the Latin word "et" means "and," so it is redundant to say "and et...." Also, I think it is more appropriate to mention iptables instead of ipchains. So, I suggest that the penultimate sentence should end "iptables, firewalls, routers, et cetera." Or just "etc."

It's just a copy-paste of the description provided by the author on the website. I'll make the changes.

> "et cetera" are two words

I disagree. "Et cetera" are two words in Latin, but it has been adopted as one word in most languages with Latin roots such as Spanish, Italian, Portuguese, etcetera ... ;) It has been adopted by English from Spanish - I think - and exists in English dictionaries, so if you're not going to translate the whole description to Latin, separating "et cetera" makes no sense to me. http://dictionary.reference.com/search?q=etcetera

I've never seen it as one word in English - though I have seen it simply abbreviated etc. :)

Iago -- In English, both are valid but have slightly different meanings and connotations. In this case, "et cetera" is correct. However, it's probably better to avoid it entirely in %description and actually be specific. Also, this is ridiculously pedantic and none of us should care. :)

Yes, can I get some comments that don't deal with orthography? :)

>> Also, this is ridiculously pedantic and none of us should care

Completely agree :)

>> Yes, can I get some comments that don't deal with orthography? :)

Not too much from my side, but it rebuilds fine - warning: user icon does not exist - installs cleanly, and rpmlint is happy.

The module license is not ideal (w.r.t. GPL/ASL 2.0 incompatibility); otherwise it looks fine.
I've made a few cosmetic changes to the package:

http://linux.duke.edu/~icon/misc/fe/mod_evasive.spec
http://linux.duke.edu/~icon/misc/fe/mod_evasive-1.10.1-1.src.rpm

    * Tue Dec 06 2005 Konstantin Ryabitsev <icon> - 1.10.1-1
    - Cleaning up description
    - Cleaning up install
    - Slight modification to default config (add DOSWhitelist entries)
    - Disttagging
    - Adding test.pl to docs

If I can get it approved, I'll finish up the process of adding it to extras. (PS: Not much I can do about the license. :))

Ping. This has been in the approval queue for over a month now. Can someone finally approve it, please? :)

Pretty please?

* rpmlint clean:

    [mpeters@jerusalem result]$ ls *.rpm && rpmlint *.rpm
    mod_evasive-1.10.1-1.fc4.i386.rpm
    mod_evasive-debuginfo-1.10.1-1.fc4.i386.rpm
    mod_evasive-1.10.1-1.fc4.src.rpm
    [mpeters@jerusalem result]$

* proper naming of package and spec file
* licensed with open source nice license (GPL) - BUT - incompat w/ Apache license
* Spec file American English, readable, etc.
* md5sum matches upstream - 784fca4a124f25ccff5b48c7a69a65e5
* Compiles in FC4 x86 mock
* Correct %files section

NEEDS

It should restart the apache webserver.

The license thing - can you ask upstream to change it? Otherwise I think that is a block because GNU specifies that the Apache Software License is not compat with the GPL, and the module uses httpd-devel to build, so I'm not sure it can go into extras under the GPL license.

OK, I've emailed the developer telling him about the situation. Hopefully he'll consider switching licenses. I don't agree that the package should automatically restart apache, though. Apache restarts are rarely sane, so I'd rather be cautious and let the admin do the restart on eir own.

(In reply to comment #13)
> I don't agree that the package should automatically restart apache, though.
> Apache restarts are rarely sane, so I'd rather be cautious and let the admin do
> the restart on eir own.
If they are installing the module, they can't use it unless they restart it. Furthermore, there is the update issue. Security hole found in package - update issued. Sysadmin has yum running as a service to update his system. He checks the rpm - thinks he's safe because it's at patch level, but since apache hasn't restarted he's vulnerable.

-=-

Any comments from packaging veterans on this?

Yeah, but this isn't any different from any other security update to apache. Currently, rpm -q --scripts httpd shows:

    preinstall scriptlet (using /bin/sh):
    # Add the "apache" user
    /usr/sbin/useradd -c "Apache" -u 48 \
        -s /sbin/nologin -r -d /var/www apache 2> /dev/null || :
    postinstall scriptlet (using /bin/sh):
    # Register the httpd service
    /sbin/chkconfig --add httpd
    preuninstall scriptlet (using /bin/sh):
    if [ $1 = 0 ]; then
        /sbin/service httpd stop > /dev/null 2>&1
        /sbin/chkconfig --del httpd
    fi

If the main apache package isn't doing automatic restarts for updated packages, then I don't think an apache module package should act differently.

IMO doing anything to running services on package upgrades is generally evil (occasionally a necessary evil, but not in this case). The general case is that the admin may have made config changes which they do not yet want to apply. They may want to do a graceful restart to avoid kicking off active clients, etc. Doing an httpd restart for a module upgrade would definitely be very evil (imagine "yum update mod_foo mod_bar mod_baz ...").

OK. That's fine then. Anything standing in the way of this being approved now?

Normalize summary field for easy parsing

This has been in the review queue for over a year now. :) Can we please approve it or discard it?

There is a policy to deal with this sort of thing: http://fedoraproject.org/wiki/Extras/Policy/StalledReviews

Consider this to indicate that the review is stalled and that a response is needed soon. If there is no response in 1 week, we will move this back to NEW and someone else can review it.
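The update problem raised in this thread (a fixed module installed on disk while the running httpd still has the old one loaded) is something an admin can check for rather than solving with an automatic restart in %post. The script below is an added example, not code from the review or from the mod_evasive project; the module directory, the pid file path and the use of GNU stat/date are assumptions.

```shell
#!/bin/sh
# Added example, not from the review thread or the mod_evasive project:
# list Apache modules whose file on disk is newer than the running httpd
# master process, i.e. updates that rpm reports as installed but that the
# server has not loaded yet. Paths are assumptions; adjust for your system.

MODDIR="${MODDIR:-/usr/lib/httpd/modules}"   # assumed module directory
PIDFILE="${PIDFILE:-/var/run/httpd.pid}"      # assumed httpd pid file

# Modification time of a file in seconds since the epoch
# (GNU stat first, BSD stat as a fallback).
file_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# Start time of a process in seconds since the epoch, taken from the
# ps(1) "lstart" column and parsed with GNU date.
proc_start_epoch() {
    lstart=$(ps -o lstart= -p "$1") || return 1
    [ -n "$lstart" ] || return 1
    date -d "$lstart" +%s
}

# needs_reload FILE START_EPOCH: exit 0 when FILE was modified after
# START_EPOCH, exit 1 when it was not, exit 2 when FILE is unreadable.
needs_reload() {
    mtime=$(file_mtime "$1" 2>/dev/null) || return 2
    [ "$mtime" -gt "$2" ]
}

# Print every .so in MODDIR that changed after the httpd master started.
stale_modules() {
    pid=$(cat "$PIDFILE") || return 1
    start=$(proc_start_epoch "$pid") || return 1
    for so in "$MODDIR"/*.so; do
        [ -e "$so" ] || continue
        needs_reload "$so" "$start" && echo "$so"
    done
    return 0
}
```

Non-empty output from stale_modules means the patched module is on disk but not in the running server, so a restart or graceful reload is still needed before the host is actually at the patched level.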
(In reply to comment #21)
> If there is no response in 1 week, we will move this back to NEW and someone
> else can review it.

Switching to FE-NEW

Hi Konstantin,

Review for release 1.10.1-1

* RPM name is OK
* Builds fine in mock
* rpmlint looks OK
* File list looks OK
* Config files of mod_evasive look OK

Needs work:

* Source 0 is not available (http://www.nuclearelephant.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz). The project is now at http://www.zdziarski.com/projects/mod_evasive/
* Spec file: some paths are not replaced with RPM macros. Please replace /usr/sbin/apxs with %{_sbindir}/apxs

Updated spec/srpm:

http://blues.mcgill.ca/~icon/fe/mod_evasive.spec
http://blues.mcgill.ca/~icon/fe/mod_evasive-1.10.1-2.fc7.src.rpm

Looks perfect. This package is APPROVED.

Hi Konstantin,

Are you still planning on adding this package to Extras?

Setting fedora-review flag as per http://fedoraproject.org/wiki/PackageReviewProcess

    New Package CVS Request
    =======================
    Package Name: mod_evasive
    Short Description: Denial of Service evasion module for Apache
    Owners: icon
    Branches: FC-6, EL-4, EL-5
    InitialCC:

done

Konstantin, are you still planning on building this?

It's built for apache-2.0 systems, which pretty much means EL-4. It doesn't work under apache-2.2 at the moment.