Bug 452901 (ocspd)

Summary: Review Request: ocspd - OpenCA OCSP Daemon
Product: [Fedora] Fedora Reporter: Patrick Monnerat <patrick>
Component: Package ReviewAssignee: Mamoru TASAKA <mtasaka>
Status: CLOSED NEXTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: rawhideCC: a.badger, fedora-package-review, itamar, mtasaka, notting
Target Milestone: ---Flags: mtasaka: fedora-review+
a.badger: fedora-cvs+
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-10-13 16:17:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Description Flags
OpenCA license derived from source package none

Description Patrick Monnerat 2008-06-25 18:32:07 UTC
Spec URL: http://www.etude-riondel.ch/pm/ocspd.spec
SRPM URL: http://www.etude-riondel.ch/pm/ocspd-1.5.1-rc1.2.fc8.src.rpm

Description:  The ocspd is an RFC2560 compliant OCSPD responder. It can be used to verify the status of a certificate using OCSP clients (such as Mozilla/Firefox/Thunderbird/Apache). It is CRL-based, and is able to fetch CRLs from files, LDAP or HTTP.

This product is under the OpenCA license, which is Apache-like: should be Fedora-compatible.
OpenCA releases an RPM (openca-ocspd) used as starting point for the current one. The license paragraph has not been changed, resulting in an rpmlint error. 

Needs also a system-user named "ocspd" for the daemon.

This is my first package and I need a sponsor.

Comment 1 Michal Nowak 2008-06-26 20:36:32 UTC
Created attachment 310379 [details]
OpenCA license derived from source package

Comment 2 Mamoru TASAKA 2008-06-30 18:32:16 UTC
Build seems to be failing at the very early stage:

Comment 3 Patrick Monnerat 2008-06-30 20:30:06 UTC
Oups! Mocked successfully with fedora-8-i386, but:
configure.in:14: error: AC_SUBST: `PACKAGE_MAJOR ' is not a valid shell variable
...seems autoconf 2.62 does not like extraneous spaces around variable names...

At the same URL as above, you can find a new version patching the configure.in
file accordingly. Has passed mock -r fedora-devel-i386.
Thanks for trying and reporting.

Comment 4 Tom "spot" Callaway 2008-07-01 17:23:44 UTC
This license is functionally identical (only changes are trademarks and
copyright holders) to Apache 1.0. Use:

License: ASL 1.0

Lifting FE-Legal.

Comment 5 Patrick Monnerat 2008-07-01 17:40:55 UTC
Thanks for the legal advice.
License change applied.

Comment 6 Mamoru TASAKA 2008-07-01 18:15:02 UTC
Would you update the new srpm then? 
(note: please change the release number every time you modify your package 
       when version number does not change, otherwise we are just confused.
       Also, if this uses a "release candidate" tarball, the current versioning
       does not follow Fedora naming guidelines:
http://fedoraproject.org/wiki/Packaging/NamingGuidelines#Pre-Release_packages )

Some very quick random remarks (only just watching your spec file)
* %SOURCE must be given with full URL:

* Please do not specify Vendor: item. Fedora builder automatically tags this item as
  "Fedora Project".

* %{openssl_req} tag is redundant. Even Fedora 1 has 0.9.7a openssl.

* Also, "Requires: openssl" should be removed. rpmbuild automatically adds
libraries dependency
  to binary rpms, which will correctly pick out needed openssl.

* Please remove redundant [ -n "${RPM_BUILD_ROOT}" -a "${RPM_BUILD_ROOT}" != '/'
] &&

* The directory %{_sysconfdir}/ocspd/ is not owned by any package.

* Perhaps %{_sysconfdir}/ocspd/ocspd.conf is listed twice.

* Please use %{_initrddir} instead of %{_sysconfdir}/rc.d/init.d

* We now recommend %defattr(-,root,root,-)

Comment 7 Patrick Monnerat 2008-07-02 14:32:18 UTC
New version: 1.5.1-0.1.rc1
Spec file at: http://www.etude-riondel.ch/pm/ocspd.spec
SRPM at: http://www.etude-riondel.ch/pm/ocspd-1.5.1-0.1.rc1.fc8.src.rpm
_ Full URL in Source:.
_ No more vendor:.
_ No openssl version requirement.
_ No openssl install-time requirement.
_ RPM_BUILD_ROOT tests for cleaning removed.
_ Directory %{_sysconfdir}/ocspd now owned by the package.
_ %{_initrddir} used where possible.
_ %defattr completed.
_ init.d script reworked in a more fedora-styled way.

* Yes, %{_sysconfdir}/ocspd/ocspd.conf is listed twice, as well as
%{_sysconfdir}/ocspd/private. I did not find another "clean" way to do it,
sinces these two items need specialized attributes/ownership. Even using a file
list, I do not see a better "readable" way to own %{_sysconfdir}/ocspd and
package theses two special subitems without listing them twice. 

This version "mock"ed successfully on fedora-devel-i386

rpmlint says:
$ rpmlint SPECS/ocspd.spec 
0 packages and 1 specfiles checked; 0 errors, 0 warnings.
$ rpmlint SRPMS/ocspd-1.5.1-0.1.rc1.fc8.src.rpm 
1 packages and 0 specfiles checked; 0 errors, 0 warnings.
$ rpmlint RPMS/i386/ocspd-debuginfo-1.5.1-0.1.rc1.fc8.i386.rpm 
1 packages and 0 specfiles checked; 0 errors, 0 warnings.
$ rpmlint RPMS/i386/ocspd-1.5.1-0.1.rc1.fc8.i386.rpm 
ocspd.i386: W: non-standard-uid /etc/ocspd/private ocspd
ocspd.i386: E: non-standard-dir-perm /etc/ocspd/private 0700
1 packages and 0 specfiles checked; 1 errors, 1 warnings.

Explanation: /etc/ocspd/private is a directory intended to contain private
cryptographic keys, that should be readable only by the user running the daemon
(user ocspd created in the %pre section). Any other "more standard" solution ?

Comment 8 Mamoru TASAKA 2008-10-03 17:23:29 UTC
Patrick, sorry. It seems that I missed your last reply for about 3 months.

Would you still want to import this package into Fedora? If so I will
recheck your latest srpm later.

Comment 9 Patrick Monnerat 2008-10-06 09:10:08 UTC
Never mind for the delay.
Yes, I'm still interested in having this package in Fedora, since there is no current alternative in it to provide this service.
Please also note that upstream does not publish new releases and does not respond to patch proposals, bug reports, etc. I do not know if this is a blocker for you.

Comment 10 Mamoru TASAKA 2008-10-06 17:08:46 UTC
For 1.5.1-0.1.rc1

* About permission/ownership arround %_sysconfdir/ocspd
  - Perhaps you want below?
%dir %{_sysconfdir}/ocspd
%dir %{_sysconfdir}/ocspd/c*
%attr(700,ocspd,root) %dir %{_sysconfdir}/ocspd/private
%config(noreplace) %{_sysconfdir}/ocspd/ocspd.conf
    When %dir is used the directory only is included.

* configure option
  - build.log shows:
   229  default ocspd user      : ocspd
   230  default ocspd group     : daemon
   231  enable engine support   : true
   232  enable semaphores       : true
   233  enable debug messages   : false
   234  with openca-prefix      : /usr/OpenCA
   235  install prefix          : /usr
    Is the line 234 (openca-prefix) okay?

* autoheader
  - build.log shows:
   246  configure: WARNING: unrecognized options: --disable-shared
   247  + make -j4
   248  Making all in src
   249  make[1]: Entering directory `/builddir/build/BUILD/openca-ocspd-1.5.1-rc1/src'
   250  cd .. && /bin/sh /builddir/build/BUILD/openca-ocspd-1.5.1-rc1/build/missing --run autoheader
   251  rm -f stamp-h1
   252  touch config.h.in
   253  make  all-am
   254  make[2]: Entering directory `/builddir/build/BUILD/openca-ocspd-1.5.1-rc1/src'
    * configure option "--disable-shared" doesn't seem to be used
    * calling autoheader beforehand is also needed.

* About creating user
  - Now I recommend to follow this way:

* %changelog
  - In %changelog please remove ".fc8" part (because this
    part differs between branches)

Comment 11 Patrick Monnerat 2008-10-07 10:00:36 UTC
Thanks for your review, Mamoru

Line 234 above (openca-prefix) is OK, since it is unused (presumably reminiscent from a larger project, openca, from which ocspd is derived).

I have uploaded a new version:

_ %files have been reworked according to your suggestion (thanks for it :-).
_ autoheader called in spec file, effectively removing the warning you mention
_ configure file patched to unambiguously remove option "--disable-shared" and option removed from spec file.
_ User creation reworked according to the new directives
_ .fc8 removed from comment

Successful mock fedora-devel-i386

rpmlint binary RPM says:
ocspd.i386: W: non-standard-uid /etc/ocspd/private ocspd
ocspd.i386: E: non-standard-dir-perm /etc/ocspd/private 0700
ocspd.i386: E: incoherent-subsys /etc/rc.d/init.d/ocspd ocspd}

Same explanation as for 1.5.1-0.1.rc1 for the 2 firsts.
Subsys OK (ocspd) after shell processing: the last rpmlint report is a misunderstanding of the shell script by rpmlint.

rpmlint spec, source and debuginfo reports none.

Comment 12 Mamoru TASAKA 2008-10-07 10:18:57 UTC
Lots of issues I mentioned I mentioned in my comment 6 are again re-introduced.
Please fix them again.

Comment 13 Mamoru TASAKA 2008-10-07 10:25:05 UTC
(In reply to comment #12)
> Lots of issues I mentioned I mentioned in my comment 6 are again re-introduced.
> Please fix them again.

s/I mentioned I mentioned/I mentioned/' :)

Comment 14 Patrick Monnerat 2008-10-07 13:17:27 UTC
Apologizes. I restarted from an old version :-(
Please find the new one:

Old versions have been removed from the server (thus orphaning previous links!)

Comment 15 Mamoru TASAKA 2008-10-07 19:07:00 UTC
Okay, two more issues (and I think these are all if I am not missing any...
I hope)

* Obsoletes/Provides
  - For some reasons (mainly for upgrading path), this type of Obsoletes/Provides 
    should be specified by full EVR (Epoch-Version-Release), like:
Obsoletes: openca-ocspd <= %{version}-%{release}
Provides:  openca-ocspd = %{version}-%{release}
  ! By the way are these two Obsoletes/Provides really needed?

* groupadd
  - Adding group "daemon" is not needed. "setup" rpm correctly
    adds this group.
  ! By the way it is usually preferable that this package (ocspd)
    creates its own group and use it.

Comment 16 Patrick Monnerat 2008-10-08 09:50:21 UTC
Obsoletes/Provides is required in case someone installed the openca-ocspd package provided by upstream on sourceforge.net (http://sourceforge.net/project/showfiles.php?group_id=20873&package_id=25740).

Version 1.5.1-0.3.rc1:
_ Obsoletes/Provides completed.
_ Group 'daemon' replaced by 'ocspd'.


Comment 17 Mamoru TASAKA 2008-10-08 19:22:35 UTC

* This package itself is now okay.
* As written on


  A person who wants to get sponsor is requested to "show that 
  you have an understanding of the process and of the packaging 
  guidelines", usually by submitting another review request or
  do a pre-review of other person's review request.

  For your case you have another review request (bug 459631).
  The srpm in that bug does not build (on x86_64) currently, however
  the spec file itself seems good to some extent and
  I hope you will fix it properly (note: it may be that I don't
  have enough time to review bug 459631)

    This package (ocspd) is APPROVED by mtasaka

Please follow the procedure written on:
from "Get a Fedora Account".
After you request for sponsorship a mail will be sent to sponsor 
members automatically (which is invisible for you) which notifies 
that you need a sponsor. After that, please also write on
this bug for confirmation that you requested for sponsorship and
your FAS (Fedora Account System) name. Then I will sponsor you.

If you want to import this package into Fedora 8/9, you also have
to look at
(after once you rebuilt this package on koji Fedora rebuilding system).

If you have questions, please ask me.

Comment 18 Patrick Monnerat 2008-10-09 09:49:43 UTC
Thanks Mamoru.
Should I wait for bug #459631 successful review before requesting sponsorship, or may I submit request already ?

Comment 19 Mamoru TASAKA 2008-10-09 09:56:45 UTC
I will sponsor you so please submit sponsorship request now.

Comment 20 Patrick Monnerat 2008-10-09 10:08:18 UTC
I just applied to the packager group.
My FAS name is "monnerat"

Comment 21 Mamoru TASAKA 2008-10-09 11:02:52 UTC
Okay, now I am sponsoring you. Please follow "Join" wiki again.

Comment 22 Patrick Monnerat 2008-10-10 16:55:31 UTC
New Package CVS Request
Package Name: ocspd
Short Description: OpenCA OCSP Daemon
Owners: monnerat
Branches: F-8 F-9 F-10

Comment 23 Toshio Ernie Kuratomi 2008-10-11 00:12:52 UTC
cvs done