Bug 431320
| Summary: | Review Request: pam_usb - Hardware authentication using ordinary USB Flash Drives | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Guidolin Francesco <guidolinfrancesco> |
| Component: | Package Review | Assignee: | Lubomir Rintel <lkundrak> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | rawhide | CC: | fedora-package-review, mtasaka, notting |
| Target Milestone: | --- | Flags: | j:
fedora_requires_release_note-
|
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-08-22 21:12:30 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 201449 | ||
|
Description
Guidolin Francesco
2008-02-02 19:54:06 UTC
This is my first package, and I am seeking a sponsor. I patched the original Makefile because it install the documentation under $(DESTDIR)/usr/share/doc/pamusb instead of $(DESTDIR)/usr/share/doc/pam_usb-0.4.2. Also I remove the flag -Wall because it's just present in $RPM_OPT_FLAGS. Then I patched src/pad.c because with CFLAGS="$RPM_OPT_FLAGS" it give some warning: src/pad.c: In function 'pusb_pad_open_system': src/pad.c:97: warning: ignoring return value of 'chown', declared with attribute warn_unused_result src/pad.c: In function 'pusb_pad_update': src/pad.c:213: warning: ignoring return value of 'fwrite', declared with attribute warn_unused_result src/pad.c:215: warning: ignoring return value of 'fwrite', declared with attribute warn_unused_result src/pad.c: In function 'pusb_pad_compare': src/pad.c:240: warning: ignoring return value of 'fread', declared with attribute warn_unused_result src/pad.c:242: warning: ignoring return value of 'fread', declared with attribute warn_unused_result So I make some checks to the return value of chown, fwrite and fread, and if they fails I log and error with log_error(). Did you know this package is already in the repository? It has been orphaned and is not in F8, although it is in F7. Your package seems to differ significantly from what is currently in the repository, and I would urge you to investigate the difference and make sure that if your package is imported it does not cause issues for users who are upgrading. Spec URL: http://web.tiscali.it/guidonet/pam_usb/pam_usb.spec SRPM URL: http://web.tiscali.it/guidonet/pam_usb/pam_usb-0.4.2-1.fc8.src.rpm I didn't know that it was already in the repository. Basically there's no big differences between the old pam_usb-0.4.0-1.fc7.src.rpm and my package, however now I merged my changes into the old package in the repository and I updated it. The binaries and the libraries are replaced, and the configuration file /etc/pamusb.conf is backward compatible with pam_usb-0.4.0, so there shouldn't be problem during the upgrade. In any case I'll make some tests with Fedora7 in the next few day, then I'll let you know if the upgrade works fine. I've found that in Fedora7 is available only pam_usb-0.3.3 and this is not good. The problem is that in the 0.4.x series certificates have been replaced by One Time Pads, so upgrading from pam_usb-0.3.3 to pam_usb-0.4.2 is impossible without loosing the old settings. pam_usb-0.3.3 is really old and obsolete, the security model of pam_usb-0.4.2 is more powerfull and a lot of bugs was fixed, so I think that the users who are still using pam_usb-0.3.3 should upgrade to the new version and recreate from scratch their settings. Please do not do that. You can introduce such incompatibilities in a major Fedora release, but it is not at all proper to just break the system of someone who does the prudent thing and lets their system update automatically. This goes doubly for a system that they might need to use to actually log into the system. Honestly I wouldn't even try to introduce this package into Fedora 8, because a user who hasd pam_usb installed and upgraded from F7 to F8 still has 0.3.3 installed. I would put the new package into rawhide and make sure that the release notes indicate the procedure which pam_usb users will need to go through to update things properly. I've investigated deeply and I've found an interesting thing: pam_usb-0.3.3 and pam_usb-0.4.2 store their settings in different places, so upgrading from 0.3.3 to 0.4.2 will not remove the old settings. I've installed and configured pam_usb-0.3.3 in Fedora7 and then I upgraded it to pam_usb-0.4.2; then I downgraded to pam_usb-0.3.3 again and the old settings was still there and it works normally like before. So I think we could insert the new pam_usb-0.4.2 in RawHide and then in Fedora9, and inform the users that after the upgrade their old settings will be ignored but won't be erased. So the users can choose between upgrade to the new pam_usb-0.4.2 and create the new settings from scratch or not to upgrade and still use pam_usb-0.3.3. If they install pam_usb-0.4.2 by mistake they can downgrade to pam_usb-0.3.3 and it will works again. In my opinion that upgrade to pam_usb-0.4.2 in Fedora9 is the right thing, because it's more secure and reliable, a lot of bugs was fixed, new functionality was added, and it's more easy to configure with the new tool pamusb-conf. pam_usb-0.3.3 instead is more difficult to configure and is less reliable because it's sufficient to copy the private key in the usb device to grant the access to the account of the user. The spec file is very nicely written and legible.
Builds in mock (tried in el5), uses compiler flags correctly.
Just a few things, probably only 1.) being a blocker, consider the other ones
just advices:
1.) RPMlint. Please correct these:
pam_usb.i386: E: non-standard-dir-perm
/usr/share/doc/pam_usb-0.4.2/pam.d-examples 0644
A standard directory should have permission set to 0755. If you get this
message, it means that you have wrong directory permissions in some dirs
included in your package.
pam_usb.i386: E: non-standard-dir-perm /usr/share/doc/pam_usb-0.4.2 0644
A standard directory should have permission set to 0755. If you get this
message, it means that you have wrong directory permissions in some dirs
included in your package.
pam_usb.i386: E: non-standard-executable-perm /usr/bin/pamusb-conf 0754
A standard executable should have permission set to 0755. If you get this
message, it means that you have a wrong executable permissions in some files
included in your package.
2.) Use of pmount
The tool uses non-standard mechanism to escalate privileges. If the dependence
of it can not be dropped, please document the fact that this package depends on
it in %description.
3.) sed -i -e 's|/lib/security|/%{_lib}/security|' Makefile
You already patch Makefile. I suggest you move this to the patch.
Additionally, please consider renaming the patch to
<name>-<version>-<intended_use>.patch
4.) %description is too long and contains non-portable formatting
Please take into consideration, how would the description look in a gui tool,
such as pup or packagekit gui. I suggest you leave only the first paragraph sans
the last sentence of it.
Ping on this. Now I don't use Linux anymore so I'm not interested on this RPM. If you want you can close this request. Bye. |