Bug 458643

Summary: Review Request: dansguardian - Content filtering web proxy
Product: [Fedora] Fedora Reporter: Bernie Innocenti <bernie+fedora>
Component: Package ReviewAssignee: Felix Kaechele <felix>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: fedora-package-review, felix, gwync, michel, notting, pavel.lisy, ploujj, sayamindu, sundaram, tcallawa
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-05-10 07:29:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
GCC 4.4 Fix none

Description Bernie Innocenti 2008-08-11 10:10:08 UTC 
Spec URL: http://www.codewiz.org/pub/fedora/pkgs/dansguardian.spec
SRPM URL: http://www.codewiz.org/pub/fedora/pkgs/dansguardian-2.9.9.5-1.src.rpm
Description:
DansGuardian is a web filtering engine that checks the content within
the page itself in addition to the more traditional URL filtering.

DansGuardian is a content filtering proxy. It filters using multiple methods,
including URL and domain filtering, content phrase filtering, PICS filtering,
MIME filtering, file extension filtering, POST filtering.
Comment 1 Jason Tibbitts 2008-08-11 11:50:50 UTC 
Please note that there are some who believe this software to be unacceptable for Fedora due to the distribution restrictions of the upstream website http://dansguardian.org/?page=download:

"
Before downloading, please read the copyright for DansGuardian 2. DansGuardian is not free to download from this website for commercial use. 
"

I happen to not be one of them, but either way this should be commented on by either the legal folks or perhaps the board.  Blocking FE-Legal.
Comment 2 Bernie Innocenti 2008-08-12 05:52:25 UTC 
(In reply to comment #1)
> "
> Before downloading, please read the copyright for DansGuardian 2. DansGuardian
> is not free to download from this website for commercial use. 
> "

Yeah I have seen this notice too.  It's such a funny and naive business model :-)

I also don't think it affects people obtaining the source and binary from me or from Fedora, but let's wait for legal's opinion.
Comment 3 Jason Tibbitts 2008-08-12 12:41:30 UTC 
Well, the argument I saw on IRC (which is not my argument, so please don't ask me to defend it) is that people who obtain this package from Fedora may not be able to obtain the upstream source under the same terms as Fedora.  In other words, you may not legally be able to take the spec, run spectool -g and build your own package.  It's an interesting argument but I'm not sure it applies since Fedora itself is entitled to all of the usual software freedoms which are required (modification and redistribution are permitted, obviously since the source is GPL).
Comment 4 Michel Lind 2008-08-26 21:41:40 UTC 
What if the spec that Fedora ships does *not* contain the full URL to the source tarball? Put the full URL under a comment, noting that access to that URL is restricted to non-commercial use.

Since Fedora is a non-commercial project, the Fedora maintainer's downloading of the source from upstream is legit. But let's wait and see what -legal says about this.
Comment 5 Gwyn Ciesla 2008-09-09 16:56:45 UTC 
We just ran into this with UQM.  If the license is non-commercial only, it's too restrictive and cannot by included in Fedora.
Comment 6 Jason Tibbitts 2008-09-09 17:12:20 UTC 
The license isn't non-commercial only; I'm not sure where that impression would come from.  It's GPL; the upstream website is simply restrictive about who they distribute it to, but they impose no redistribution restrictions on us.
Comment 7 Gwyn Ciesla 2008-09-09 17:21:50 UTC 
Is not redistribution with a distro, for which money occasionally changes hands, not commercial use?

What about if this were to make it in to RHEL?

Very curious to see legal's response.
Comment 8 Tom "spot" Callaway 2008-10-09 19:42:06 UTC 
Okay, so I tried to reach Daniel Barron, but was unsucessful.

Based on that, RH Legal advises us to do this:

Get rid of the initial sentence in the license header (in every place that it appears in the source):

   //Please refer to http://dansguardian.org/?page=copyright2
   //for the license for this code.

Replace it with this:

   //Copyright (C) Daniel Barron.

You can do this in a patch, you do not need to make a modified tarball.

Mark the package as GPLv2+, because that is what we will be distributing under.

Lifting FE-Legal.
Comment 9 Felix Kaechele 2008-10-22 08:50:14 UTC 
Are you still interested in maintaining this? I use this on a regular basis at my school.
I would like to take over the maintenance for this package if you aren't interested anymore.
Comment 10 Pavel Lisý 2008-11-15 18:20:01 UTC 
What is actual state of packaging this? 

I really want it in F10 and I can help if it is needed.
Comment 11 Bernie Innocenti 2008-12-14 06:45:09 UTC 
(In reply to comment #10)
> What is actual state of packaging this? 
> 
> I really want it in F10 and I can help if it is needed.

I think we're waiting for the reviewer to approve the package.
Comment 12 Felix Kaechele 2008-12-14 09:38:49 UTC 
Funny that the reviewer itself has never commented on this bug. I'd be willing to take over the review if the original reviewer doesn't want to do so.
Comment 13 Sayamindu Dasgupta 2008-12-14 10:43:12 UTC 
(In reply to comment #12)
> Funny that the reviewer itself has never commented on this bug. I'd be willing
> to take over the review if the original reviewer doesn't want to do so.

Sorry for the delay, I have been swamped with a lot of work for the past few months. I did raise the issue regarding this package in the fedora-legal mailing list, and it looks like it is legal to redistribute the software.

If you want to review the package, feel free to assign it to yourself.
Comment 14 Felix Kaechele 2008-12-17 09:17:21 UTC 
Here are some issues that need to be addressed imo (without trying to impose my personal style of writing specs :-) before I can start the "real" review process
- why do you %define real_name DansGuardian when it is never used in the spec any further?
- why does BuildRequires: gcc-c++, have a ',' at the end when there's nothing following?
- you should better include dansguardian.httpd and dansguardian.init into a source file. That would improve readability of the spec.
- you seem not to have written a patch as suggested in comment #8
- in %files why do you set %defattr(-, root, root, 0755) instead of %defattr(-, root, root, -)? Is it really necessary to mark all files executeable?
- same for %defattr(0700, nobody, nobody, 0755) a few lines after that
- don't put www files in /var/www. You should rather put them into /usr/share/dansguardian. Then you would also need to rewrite the apache config that is supplied. See the package phpMyAdmin for an example.
Comment 15 Bernie Innocenti 2008-12-21 12:07:01 UTC 
All comments from Felix hopefully addressed in this new release:

http://www.codewiz.org/pub/fedora/source/dansguardian-2.9.9.5-2.src.rpm
http://www.codewiz.org/pub/fedora/specs/dansguardian.spec
Comment 16 Felix Kaechele 2009-01-20 11:15:45 UTC 
I have to apologize for having you wait so long. But now I got enough time to do the review.

A few things to get the review going again:

- Could you please update to the latest stable version 2.10.0.2?

- This is the rpmlint output I get when running on the binary RPM:

dansguardian.x86_64: E: non-executable-script /usr/share/dansguardian/scripts/systemv-init 0644
dansguardian.x86_64: E: non-executable-script /usr/share/dansguardian/scripts/logrotation 0644
dansguardian.x86_64: E: executable-marked-as-config-file /etc/rc.d/init.d/dansguardian
dansguardian.x86_64: E: non-executable-script /usr/share/dansguardian/scripts/bsd-init 0644
dansguardian.x86_64: E: non-executable-script /usr/share/dansguardian/scripts/solaris-init 0644
dansguardian.x86_64: E: non-executable-script /usr/share/dansguardian/dansguardian.pl 0644
dansguardian.x86_64: W: conffile-without-noreplace-flag /etc/dansguardian/authplugins/ident.conf
(...)
dansguardian.x86_64: W: incoherent-subsys /etc/rc.d/init.d/dansguardian $prog
dansguardian.x86_64: W: incoherent-subsys /etc/rc.d/init.d/dansguardian $prog
dansguardian.x86_64: W: incoherent-subsys /etc/rc.d/init.d/dansguardian $prog

If you are unsure how to solve this issues you can try rpmlint -I. Example:

  rpmlint -I incoherent-subsys

Please also feel free to ask here.
Comment 17 Bernie Innocenti 2009-02-20 15:57:28 UTC 
Updated rpm with all the above warnings fixed, plus a few more changes to build cleanly in dist-f10:

  http://www.codewiz.org/pub/fedora/source/dansguardian-2.10.0.2-3.src.rpm
  http://www.codewiz.org/pub/fedora/specs/dansguardian.spec
Comment 18 Pavel Lisý 2009-02-23 12:18:51 UTC 
Do you think about making default firewall configuration? Similar settings are made in Ubuntu CE but through firehol package.

This is what I use for my children's computers in combination with tinyproxy (running under nobody user on 3128 port):

cp -a /etc/sysconfig/iptables /etc/sysconfig/iptables-dansguardian-backup

sed \
-e '/-A INPUT -j REJECT --reject-with icmp-host-prohibited/a\
\
# dansguargian settings\
# --- begin\
-A OUTPUT -d 127.0.0.1 -p tcp -m tcp --dport 3128 -m owner ! --uid-owner nobody -j DROP\
# --- end\
' \
-e '/^\*filter/i\
\
# tinyproxy settings\
# --- begin\
*nat\
:PREROUTING ACCEPT [0:0]\
:POSTROUTING ACCEPT [0:0]\
:OUTPUT ACCEPT [0:0]\
:in_trproxy.1 - [0:0]\
:out_trproxy.1 - [0:0]\
-A PREROUTING -p tcp -m tcp --sport 1000:65535 --dport 80 -j in_trproxy.1\
-A in_trproxy.1 -p tcp -j REDIRECT --to-ports 8080\
-A OUTPUT -p tcp -m tcp --sport 32768:61000 --dport 80 -j out_trproxy.1\
-A out_trproxy.1 -m owner --uid-owner nobody -j RETURN\
-A out_trproxy.1 -m owner --uid-owner root -j RETURN\
-A out_trproxy.1 -d 127.0.0.1 -j RETURN\
-A out_trproxy.1 -p tcp -j REDIRECT --to-ports 8080\
-A OUTPUT -j ACCEPT\
COMMIT\
# --- end\
' /etc/sysconfig/iptables-dansguardian-backup > /etc/sysconfig/iptables

This is useful when you want deny all http traffic outside except defined users (nobody = tinyproxy user, root = yum update, ...)
You don't need make proxy setting in browser too.
Comment 19 Felix Kaechele 2009-02-27 09:53:21 UTC 
#18: I believe that you should contact Thomas Woerner on that. He maintains system-config-firewall. He might include it as a template into his package.

I hope to finish the review soon but there are still some issues that need to be addressed. More to follow. Sorry for having you wait so long.
Comment 20 Felix Kaechele 2009-03-08 21:47:51 UTC 
Created attachment 334451 [details]
GCC 4.4 Fix

I have the review 90% done but there is one thing I'd like you to do before I can approve the package: Please update to the last upstream version and apply the patch (with -p1) I attached. It fixes the source to build with gcc 4.4. Please also do not forget to send this patch upstream.
Comment 21 Felix Kaechele 2009-04-11 22:05:28 UTC 
poke
Comment 22 Rahul Sundaram 2009-05-07 15:03:07 UTC 
Ping once more. I will wait for a couple of weeks or otherwise close this review request.
Comment 23 Felix Kaechele 2009-05-07 15:08:15 UTC 
I'll open a new one in that case with a new spec. So feel free to close this review if the original reporter doesn't respond.
Comment 24 Bernie Innocenti 2009-05-08 07:57:56 UTC 
Please, feel free to take over this package from me, I don't use dansguardian any longer and I don't have much time to maintain it.  Sorry :-(

You could reassign this bug to yourself rather than opening a new one.
Comment 25 Felix Kaechele 2009-05-10 07:29:34 UTC 
Opened a new review with a completely rewritten SPEC file.

*** This bug has been marked as a duplicate of bug 500013 ***
Comment 26 Fedora Update System 2009-07-15 10:26:17 UTC 
dansguardian-2.10.1.1-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/dansguardian-2.10.1.1-1.fc11