Bug 239097
Summary: | Review Request: nikto - Web server scanner | ||||||
---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Sindre Pedersen Bjørdal <sindrepb> | ||||
Component: | Package Review | Assignee: | Francois Aucamp <francois.aucamp> | ||||
Status: | CLOSED ERRATA | QA Contact: | Fedora Package Reviews List <fedora-package-review> | ||||
Severity: | medium | Docs Contact: | |||||
Priority: | medium | ||||||
Version: | rawhide | CC: | rayvd, rebus | ||||
Target Milestone: | --- | Flags: | francois.aucamp:
fedora-review+
gwync: fedora-cvs+ |
||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | nikto-2.1.5-10.el7 | Doc Type: | Bug Fix | ||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2007-06-08 00:40:47 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | 239096 | ||||||
Bug Blocks: | |||||||
Attachments: |
|
Description
Sindre Pedersen Bjørdal
2007-05-04 20:48:47 UTC
This is a pre-review: Encountered the following under MUST: MUST: Packaging Guidelines * I get the following when trying to install the RPM: error: Failed dependencies: perl(LW) is needed by nikto-1.36-1.noarch I notice Nikto itself provides an LW.pm -- should this be installed and a Provides line created? I can only find perl-libwhisker2 (which provides LW2.pm) in Fedora. Output of rpmlint: % rpmlint -i -v nikto-1.36-1.fc6.noarch.rpm I: nikto checking % echo $? 0 Under SHOULD: No issues. I was able to successfully build the package under mock. Everything else appears to check out. Note that the rpmlint output does not indicate any issues, I was merely including it in the review as suggested by the Review Guidelines. LW.pm is provided by the libwhisker2 package via a compability bridge. LW is discontinued and LW2 is recommended by upstream. Nikto will work just fine with the LW2 LW1 compability bridge. How to solve this package wise I don't know though. Suggestions welcome. Options I see: * Modify perl-libwhisker2 to include the LW1 compatability bridge. Perhaps as a -compat sub-package -- perl-libwhisker2-compat * Patch nikto to use LW2 calls (might be too much work) * See if nikto upstream would release a version for LW2 specifically * Create a perl-libwhisker package using the last stable version of LW.pl I like option #3 best, but probably not realistic. :-) Option 1 would be my choice. You'd have to work with the maintainer of that package however. Option #4 might be doable as well, but if LW1 is retired, do we really want to bring it into Fedora? I'm the maintainer of perl-libwhisker2. It already contains the compability bridge in the base package. See #239096 and let's continue discussion about changes to the perl-libwhisker2 there. (In reply to comment #3) > LW.pm is provided by the libwhisker2 package via a compability bridge. LW is > discontinued and LW2 is recommended by upstream. Nikto will work just fine with > the LW2 LW1 compability bridge. How to solve this package wise I don't know > though. Suggestions welcome. You don't have to do anything, it's fine; yum is smart enough to figure out which package provides perl(LW) (...which would be "perl-libwhisker2"). Ray: If you try to install the package with yum localinstall <packagename>, you'll see what I mean. :-) From a (very) quick look-over I can only spot one error in the spec: You do not need "Requires: perl-libwhisker" - again, RPM and yum does this automatically. If Ray doesn't grab this one, I'll give it a full review in a few hours. Ok, doing review: MUST items: * rpmlint is silent * package and spec file are named well * package meets Packaging Guidelines * package contains code licensed under the GPL, license file included * package contains code NOT licensed under the GPL. The following is the license contained in the *.db files: # This file may only be distributed and used with the full Nikto package. # This file may not be used with any software product without written permission from CIRT, Inc. # (c) 2001-2007 CIRT, Inc., All Rights Reserved. # By sending any database updates to CIRT, Inc., it is assumed that you # grant CIRT, Inc., the unlimited, non-exclusive right to reuse, modify and relicense the changes. IMO this is acceptable, since the content (the plugin db's) are freely distributable along with (and for use with) the nikto package (however, IANAL), but it does impact the license of RPM as a whole (see next point) X* "License" field in spec is MOSTLY correct (applies to code, not the content) !* license file is included in %doc (might want to add a second one, see NOTES below) * spec file is written in American English and legible * package source md5sum matches upstream source: d70107deb225489ecf20e2b46684674e nikto-1.36.tar.bz2 * package is noarch, builds successfully * BuildRequires are good X* Unnecessary "Requires" entry (see comment #6) * package handles locales properly (no locales) * package has no need for %post and %postun sections * package is not relocatable * package owns directories it creates * no duplicate entries in %files * file permissions are good * proper %clean section * spec file macros are used consistently !* package contains GPL'ed code a content under a different license * no -doc, -devel subpackages necessary X- some docs are missing (see NOTES below) * contents in %doc not required for runtime functionality of application SHOULD items: * package builds in mock (fc6/i386) * package functions properly NOTES: Patches: Do note that the "nikto-1.36-config.patch" patch hardcodes the package's config file location. There at least needs to be a comment about this in the spec; if someone moved %{_sysconfdir} they would want to know why the package won't work anymore... What I would recommend, however, is removing the patch, and replacing it with sed scripts in %prep, making use of RPM's macros. For example, the following line (if used in %prep) would do what the first entry in the patch does, except that the package just needs to be rebuilt (without modification) if any dir locations ever change: sed -i "s:$CFG{configfile}=\"config.txt\":$CFG{configfile}=\"%{_sysconfdir}/nikto/config\":" nikto.pl Docs: Maybe include the READE_plugins.txt file? It might be outdated, but its the only plug-in documentation in the package... License: As the content is licensed under a GPL-incompatible license, and CIRT only allows for the distribution of the necessary plugin content along with the FULL nikto package, you will have to change the "License" field of the RPM to something like "Custom, see LICENSE.txt" (or whatever file is appropriate). Also, I would recommend adding a "database-license.txt" (or something similar) file containing the license information to %doc (the license is in the header of each .db file). rpmlint is going to moan about such a "custom" License field entry, but it's unavoidable here. Other than these points, the package looks good. Fix the mentioned issues (or argue against them ;-) ), and I'll approve the package. Updated: - Remove libwhisker Requires - Replace configfile patch with sed magic - Update License - Add database-license.txt and README_plugins.txt to %doc Spec URL: http://folk.ntnu.no/sindrb/packages/green_nyc/nikto.spec SRPM URL: http://folk.ntnu.no/sindrb/packages/green_nyc/nikto-1.36-2.fc7.src.rpm Created attachment 155554 [details] Example sed inline script to fixup paths in nikto's default config file Ok, almost there... However, the sed one-liner in comment #7 was just an example - you'll need to call sed on "config.txt" as well in order to "re-create" the effects of the "nikto-1.36-config.patch" patch. Because config.txt is a user-editable configuration file, this isn't a big issue, although we probably want to enable nikto to use nmap by default (esp. considering it's listed in Requires, and the -2 release isn't using it by default). I have attached a text file with a 2-liner sed script that adds the "missing" changes from nikto-1.36-config.patch. Please add it, and then I'll do a final review. Is %prep the right place for this sed magic? Updated: - Add sed magic to really replace nikto-1.36-config.patch Spec URL: http://folk.ntnu.no/sindrb/packages/green_nyc/nikto.spec SRPM URL: http://folk.ntnu.no/sindrb/packages/green_nyc/nikto-1.36-3.fc7.src.rpm (In reply to comment #10) > Is %prep the right place for this sed magic? Yes, because we are essentially just applying an "in-line" patch :-). The sed magic modifies (i.e. patches or "prepares") the package content for compilation (it is not actually being built yet) and installation (obviously it's not being installed yet either). In this case, "compilation" is not applicable, so %build is empty, but patching a file using sed is not equivalent to "building" it. Anyhow, on with the review: + Good points from comment #7 still apply, except: + rpmlint output isn't silent, but OK: W: nikto invalid-license Custom, see LICENSE.txt -- This is expected, due to the fact that the code is GPL, but the .db content isn't. (see comment #7) + Requires are good + License is good (code under GPL and content freely distributable with this program) + License field gives appropriate license information + %docs are good + program installs and runs fine Everything looks fine. ------------------------- This package is APPROVED. ------------------------- New Package CVS Request ======================= Package Name: nikto Short Description: Web server scanner Owners: foolish Branches: F-7 FC-6 EL-4 EL-5 CVS done. Package Change Request ====================== Package Name: nikto New Branches: epel7 Owners: rebus Hello SCM team, plase can you add epel7 branch for the nikto package? Thank you Michal Ambroz Git done (by process-git-requests). nikto-2.1.5-10.el7 has been submitted as an update for Fedora EPEL 7. https://admin.fedoraproject.org/updates/nikto-2.1.5-10.el7 nikto-2.1.5-10.el7 has been pushed to the Fedora EPEL 7 stable repository. |