Bug 452901 (ocspd)
| Summary: | Review Request: ocspd - OpenCA OCSP Daemon | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Patrick Monnerat <patrick> | ||||
| Component: | Package Review | Assignee: | Mamoru TASAKA <mtasaka> | ||||
| Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | rawhide | CC: | a.badger, fedora-package-review, itamar, mtasaka, notting | ||||
| Target Milestone: | --- | Flags: | mtasaka:
fedora-review+
a.badger: fedora-cvs+ |
||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2008-10-13 16:17:59 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
|
Description
Patrick Monnerat
2008-06-25 18:32:07 UTC
Created attachment 310379 [details]
OpenCA license derived from source package
Build seems to be failing at the very early stage: http://koji.fedoraproject.org/koji/taskinfo?taskID=687769 Oups! Mocked successfully with fedora-8-i386, but: AC_SUBST( PACKAGE_MINOR ) --> configure.in:14: error: AC_SUBST: `PACKAGE_MAJOR ' is not a valid shell variable name ...seems autoconf 2.62 does not like extraneous spaces around variable names... At the same URL as above, you can find a new version patching the configure.in file accordingly. Has passed mock -r fedora-devel-i386. Thanks for trying and reporting. This license is functionally identical (only changes are trademarks and copyright holders) to Apache 1.0. Use: License: ASL 1.0 Lifting FE-Legal. Thanks for the legal advice. License change applied. Would you update the new srpm then?
(note: please change the release number every time you modify your package
when version number does not change, otherwise we are just confused.
Also, if this uses a "release candidate" tarball, the current versioning
does not follow Fedora naming guidelines:
http://fedoraproject.org/wiki/Packaging/NamingGuidelines#Pre-Release_packages )
Some very quick random remarks (only just watching your spec file)
* %SOURCE must be given with full URL:
https://fedoraproject.org/wiki/Packaging/SourceURL
* Please do not specify Vendor: item. Fedora builder automatically tags this item as
"Fedora Project".
* %{openssl_req} tag is redundant. Even Fedora 1 has 0.9.7a openssl.
* Also, "Requires: openssl" should be removed. rpmbuild automatically adds
libraries dependency
to binary rpms, which will correctly pick out needed openssl.
* Please remove redundant [ -n "${RPM_BUILD_ROOT}" -a "${RPM_BUILD_ROOT}" != '/'
] &&
part.
* The directory %{_sysconfdir}/ocspd/ is not owned by any package.
* Perhaps %{_sysconfdir}/ocspd/ocspd.conf is listed twice.
* Please use %{_initrddir} instead of %{_sysconfdir}/rc.d/init.d
* We now recommend %defattr(-,root,root,-)
New version: 1.5.1-0.1.rc1 Spec file at: http://www.etude-riondel.ch/pm/ocspd.spec SRPM at: http://www.etude-riondel.ch/pm/ocspd-1.5.1-0.1.rc1.fc8.src.rpm _ Full URL in Source:. _ No more vendor:. _ No openssl version requirement. _ No openssl install-time requirement. _ RPM_BUILD_ROOT tests for cleaning removed. _ Directory %{_sysconfdir}/ocspd now owned by the package. _ %{_initrddir} used where possible. _ %defattr completed. _ init.d script reworked in a more fedora-styled way. But: * Yes, %{_sysconfdir}/ocspd/ocspd.conf is listed twice, as well as %{_sysconfdir}/ocspd/private. I did not find another "clean" way to do it, sinces these two items need specialized attributes/ownership. Even using a file list, I do not see a better "readable" way to own %{_sysconfdir}/ocspd and package theses two special subitems without listing them twice. This version "mock"ed successfully on fedora-devel-i386 rpmlint says: $ rpmlint SPECS/ocspd.spec 0 packages and 1 specfiles checked; 0 errors, 0 warnings. $ rpmlint SRPMS/ocspd-1.5.1-0.1.rc1.fc8.src.rpm 1 packages and 0 specfiles checked; 0 errors, 0 warnings. $ rpmlint RPMS/i386/ocspd-debuginfo-1.5.1-0.1.rc1.fc8.i386.rpm 1 packages and 0 specfiles checked; 0 errors, 0 warnings. $ rpmlint RPMS/i386/ocspd-1.5.1-0.1.rc1.fc8.i386.rpm ocspd.i386: W: non-standard-uid /etc/ocspd/private ocspd ocspd.i386: E: non-standard-dir-perm /etc/ocspd/private 0700 1 packages and 0 specfiles checked; 1 errors, 1 warnings. Explanation: /etc/ocspd/private is a directory intended to contain private cryptographic keys, that should be readable only by the user running the daemon (user ocspd created in the %pre section). Any other "more standard" solution ? Patrick, sorry. It seems that I missed your last reply for about 3 months. Would you still want to import this package into Fedora? If so I will recheck your latest srpm later. Never mind for the delay. Yes, I'm still interested in having this package in Fedora, since there is no current alternative in it to provide this service. Please also note that upstream does not publish new releases and does not respond to patch proposals, bug reports, etc. I do not know if this is a blocker for you. For 1.5.1-0.1.rc1
* About permission/ownership arround %_sysconfdir/ocspd
- Perhaps you want below?
--------------------------------------------------
%files
%defattr(-,root,root,-)
%dir %{_sysconfdir}/ocspd
%dir %{_sysconfdir}/ocspd/c*
%attr(700,ocspd,root) %dir %{_sysconfdir}/ocspd/private
%config(noreplace) %{_sysconfdir}/ocspd/ocspd.conf
--------------------------------------------------
When %dir is used the directory only is included.
* configure option
- build.log shows:
--------------------------------------------------
229 default ocspd user : ocspd
230 default ocspd group : daemon
231 enable engine support : true
232 enable semaphores : true
233 enable debug messages : false
234 with openca-prefix : /usr/OpenCA
235 install prefix : /usr
--------------------------------------------------
Is the line 234 (openca-prefix) okay?
* autoheader
- build.log shows:
--------------------------------------------------
246 configure: WARNING: unrecognized options: --disable-shared
247 + make -j4
248 Making all in src
249 make[1]: Entering directory `/builddir/build/BUILD/openca-ocspd-1.5.1-rc1/src'
250 cd .. && /bin/sh /builddir/build/BUILD/openca-ocspd-1.5.1-rc1/build/missing --run autoheader
251 rm -f stamp-h1
252 touch config.h.in
253 make all-am
254 make[2]: Entering directory `/builddir/build/BUILD/openca-ocspd-1.5.1-rc1/src'
--------------------------------------------------
* configure option "--disable-shared" doesn't seem to be used
* calling autoheader beforehand is also needed.
* About creating user
- Now I recommend to follow this way:
https://fedoraproject.org/wiki/Packaging/UsersAndGroups
* %changelog
- In %changelog please remove ".fc8" part (because this
part differs between branches)
Thanks for your review, Mamoru Line 234 above (openca-prefix) is OK, since it is unused (presumably reminiscent from a larger project, openca, from which ocspd is derived). I have uploaded a new version: http://www.etude-riondel.ch/pm/ocspd.spec http://www.etude-riondel.ch/pm/ocspd-1.5.1-rc1.3.fc8.src.rpm _ %files have been reworked according to your suggestion (thanks for it :-). _ autoheader called in spec file, effectively removing the warning you mention _ configure file patched to unambiguously remove option "--disable-shared" and option removed from spec file. _ User creation reworked according to the new directives _ .fc8 removed from comment Successful mock fedora-devel-i386 rpmlint binary RPM says: ocspd.i386: W: non-standard-uid /etc/ocspd/private ocspd ocspd.i386: E: non-standard-dir-perm /etc/ocspd/private 0700 ocspd.i386: E: incoherent-subsys /etc/rc.d/init.d/ocspd ocspd} Same explanation as for 1.5.1-0.1.rc1 for the 2 firsts. Subsys OK (ocspd) after shell processing: the last rpmlint report is a misunderstanding of the shell script by rpmlint. rpmlint spec, source and debuginfo reports none. Lots of issues I mentioned I mentioned in my comment 6 are again re-introduced. Please fix them again. (In reply to comment #12) > Lots of issues I mentioned I mentioned in my comment 6 are again re-introduced. > Please fix them again. s/I mentioned I mentioned/I mentioned/' :) Apologizes. I restarted from an old version :-( Please find the new one: http://www.etude-riondel.ch/pm/ocspd.spec http://www.etude-riondel.ch/pm/ocspd-1.5.1-0.2.rc1.fc8.src.rpm Old versions have been removed from the server (thus orphaning previous links!) Okay, two more issues (and I think these are all if I am not missing any...
I hope)
* Obsoletes/Provides
- For some reasons (mainly for upgrading path), this type of Obsoletes/Provides
should be specified by full EVR (Epoch-Version-Release), like:
---------------------------------------------------
Obsoletes: openca-ocspd <= %{version}-%{release}
Provides: openca-ocspd = %{version}-%{release}
---------------------------------------------------
! By the way are these two Obsoletes/Provides really needed?
* groupadd
- Adding group "daemon" is not needed. "setup" rpm correctly
adds this group.
! By the way it is usually preferable that this package (ocspd)
creates its own group and use it.
Obsoletes/Provides is required in case someone installed the openca-ocspd package provided by upstream on sourceforge.net (http://sourceforge.net/project/showfiles.php?group_id=20873&package_id=25740). Version 1.5.1-0.3.rc1: _ Obsoletes/Provides completed. _ Group 'daemon' replaced by 'ocspd'. http://www.etude-riondel.ch/pm/ocspd.spec http://www.etude-riondel.ch/pm/ocspd-1.5.1-0.3.rc1.fc8.src.rpm Okay. * This package itself is now okay. * As written on http://fedoraproject.org/wiki/PackageMaintainers/HowToGetSponsored A person who wants to get sponsor is requested to "show that you have an understanding of the process and of the packaging guidelines", usually by submitting another review request or do a pre-review of other person's review request. For your case you have another review request (bug 459631). The srpm in that bug does not build (on x86_64) currently, however the spec file itself seems good to some extent and I hope you will fix it properly (note: it may be that I don't have enough time to review bug 459631) ------------------------------------------------------------ This package (ocspd) is APPROVED by mtasaka ------------------------------------------------------------ Please follow the procedure written on: http://fedoraproject.org/wiki/PackageMaintainers/Join from "Get a Fedora Account". After you request for sponsorship a mail will be sent to sponsor members automatically (which is invisible for you) which notifies that you need a sponsor. After that, please also write on this bug for confirmation that you requested for sponsorship and your FAS (Fedora Account System) name. Then I will sponsor you. If you want to import this package into Fedora 8/9, you also have to look at http://fedoraproject.org/wiki/Infrastructure/UpdatesSystem/Bodhi-info-DRAFT (after once you rebuilt this package on koji Fedora rebuilding system). If you have questions, please ask me. Thanks Mamoru. Should I wait for bug #459631 successful review before requesting sponsorship, or may I submit request already ? I will sponsor you so please submit sponsorship request now. I just applied to the packager group. My FAS name is "monnerat" Okay, now I am sponsoring you. Please follow "Join" wiki again. New Package CVS Request ======================= Package Name: ocspd Short Description: OpenCA OCSP Daemon Owners: monnerat Branches: F-8 F-9 F-10 InitialCC: cvs done |