Bug 480851
| Summary: | Review Request: ccrypt - Secure encryption and decryption of files and streams | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Fabian Affolter <mail> |
| Component: | Package Review | Assignee: | Dan Horák <dan> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | CC: | fedora-package-review, gratien.dhaese, notting |
| Target Milestone: | --- | Flags: | dan:
fedora-review+
gwync: fedora-cvs+ |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | 1.8-1.fc10 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2009-08-15 08:17:29 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 480855 | ||
|
Description
Fabian Affolter
2009-01-20 22:02:21 UTC
My review. I cannot sponsor you as I'm not (yet) an approved packager.
Once this package gets approved contact a sponsor from the official list.
To that end, have you done any unoffical reviews of other's packages?
If so, please post links. If not, do a few, and post links.
Package: 94e1a15eec27d8db271df733230aae5e ccrypt-1.7-1.fc9.src.rpm
$ rpm -i ~/Download/ccrypt-1.7-1.fc9.src.rpm
Clean.
$ md5sum ../SOURCES/ccrypt-1.7.tar.gz
19526e31a7d234e29d54dbcc876605d5 ../SOURCES/ccrypt-1.7.tar.gz
$ md5sum ~/Download/ccrypt-1.7.tar.gz
19526e31a7d234e29d54dbcc876605d5 /home/gdha/Download/ccrypt-1.7.tar.gz
Source tarball is the same in SRPM package as on the official web-site.
Good.
$ rpmbuild -bs ccrypt.spec
Wrote: /home/gdha/RPM/SRPMS/ccrypt-1.7-1.fc9.src.rpm
$ rpmbuild -ba SPECS/ccrypt.spec
Clean build on x86.
Requires: libcrypt.so.1 (noticed this requirement during build)
To be checked...
$ rpm -qpl /home/gdha/RPM/RPMS/i386/ccrypt-1.7-1.fc9.i386.rpm
/usr/bin/ccat
/usr/bin/ccdecrypt
/usr/bin/ccencrypt
/usr/bin/ccrypt
/usr/share/doc/ccrypt-1.7
/usr/share/doc/ccrypt-1.7/AUTHORS
/usr/share/doc/ccrypt-1.7/COPYING
/usr/share/doc/ccrypt-1.7/ChangeLog
/usr/share/doc/ccrypt-1.7/NEWS
/usr/share/doc/ccrypt-1.7/README
/usr/share/doc/ccrypt-1.7/cypfaq01.txt
/usr/share/man/man1/ccat.1.gz
/usr/share/man/man1/ccdecrypt.1.gz
/usr/share/man/man1/ccencrypt.1.gz
/usr/share/man/man1/ccrypt.1.gz
- MUST: rpmlint must be run on every package. The output should be posted in
the review.
Clean.
- MUST: The package must be named according to the Package Naming Guidelines .
Good.
- MUST: The spec file name must match the base package %{name}, in the format
%{name}.spec unless your package has an exemption on Package Naming Guidelines
Good.
- MUST: The package must meet the Packaging Guidelines .
Good.
- MUST: The package must be licensed with a Fedora approved license and meet
the Licensing Guidelines .
Good.
- MUST: The License field in the package spec file must match the actual
license.
Good.
- MUST: If (and only if) the source package includes the text of the license(s)
in its own file, then that file, containing the text of the license(s) for the
package must be included in %doc.
Good.
- MUST: The spec file must be written in American English.
Good.
- MUST: The spec file for the package MUST be legible. If the reviewer is
unable to read the spec file, it will be impossible to perform a review. Fedora
is not the place for entries into the Obfuscated Code Contest
(http://www.ioccc.org/).
Good. Wondering if the following line is relevant for the description:
"which is the U.S. government's chosen candidate for the Advanced
Encryption Standard." Your call.
- MUST: The sources used to build the package must match the upstream source,
as provided in the spec URL. Reviewers should use md5sum for this task. If no
upstream URL can be specified for this package, please see the Source URL
Guidelines for how to deal with this.
Good.
- MUST: The package must successfully compile and build into binary rpms on at
least one supported architecture.
Good.
- MUST: If the package does not successfully compile, build or work on an
architecture, then those architectures should be listed in the spec in
ExcludeArch. Each architecture listed in ExcludeArch needs to have a bug filed
in bugzilla, describing the reason that the package does not compile/build/work
on that architecture. The bug number should then be placed in a comment, next
to the corresponding ExcludeArch line. New packages will not have bugzilla
entries during the review process, so they should put this description in the
comment until the package is approved, then file the bugzilla entry, and
replace the long explanation with the bug number. The bug should be marked as
blocking one (or more) of the following bugs to simplify tracking such issues:
FE-ExcludeArch-x86 , FE-ExcludeArch-x64 , FE-ExcludeArch-ppc ,
FE-ExcludeArch-ppc64
Will you be able to fix the build problem on PPC? Otherwise, add a tag to
exclude it.
Via koji I was able to build on ppc.
- MUST: All build dependencies must be listed in BuildRequires, except for any
that are listed in the exceptions section of the Packaging Guidelines ;
inclusion of those as BuildRequires is optional. Apply common sense.
You need the glibc-devel package for -lcrypt
- MUST: The spec file MUST handle locales properly. This is done by using the
%find_lang macro. Using %{_datadir}/locale/* is strictly forbidden.
Good.
- MUST: Every binary RPM package which stores shared library files (not just
symlinks) in any of the dynamic linker's default paths, must call ldconfig in
%post and %postun. If the package has multiple subpackages with libraries, each
subpackage should also have a %post/%postun section that calls /sbin/ldconfig.
An example of the correct syntax for this is:
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
NA.
- MUST: If the package is designed to be relocatable, the packager must state
this fact in the request for review, along with the rationalization for
relocation of that specific package. Without this, use of Prefix: /usr is
considered a blocker.
NA.
- MUST: A package must own all directories that it creates. If it does not
create a directory that it uses, then it should require a package which does
create that directory. Refer to the Guidelines for examples.
Good.
- MUST: A package must not contain any duplicate files in the %files listing.
Good.
- MUST: Permissions on files must be set properly. Executables should be set
with executable permissions, for example. Every %files section must include a
%defattr(...) line.
Good.
- MUST: Each package must have a %clean section, which contains rm -rf
%{buildroot} ( or $RPM_BUILD_ROOT ).
Good.
- MUST: Each package must consistently use macros, as described in the macros
section of Packaging Guidelines .
Good.
- MUST: The package must contain code, or permissable content. This is
described in detail in the code vs. content section of Packaging Guidelines .
Good.
- MUST: Large documentation files should go in a -doc subpackage. (The
definition of large is left up to the packager's best judgement, but is not
restricted to size. Large can refer to either size or quantity)
NA.
- MUST: If a package includes something as %doc, it must not affect the runtime
of the application. To summarize: If it is in %doc, the program must run
properly if it is not present.
Good.
- MUST: Header files must be in a -devel package.
NA.
- MUST: Static libraries must be in a -static package.
NA.
- MUST: Packages containing pkgconfig(.pc) files must 'Requires: pkgconfig'
(for directory ownership and usability).
NA.
- MUST: If a package contains library files with a suffix (e.g. libfoo.so.1.1),
then library files that end in .so (without suffix) must go in a -devel
package.
NA.
- MUST: In the vast majority of cases, devel packages must require the base
package using a fully versioned dependency: Requires: %{name} =
%{version}-%{release}
NA.
- MUST: Packages must NOT contain any .la libtool archives, these should be
removed in the spec.
Good.
- MUST: Packages containing GUI applications must include a %{name}.desktop
file, and that file must be properly installed with desktop-file-install in the
%install section. This is described in detail in the desktop files section of
the Packaging Guidelines . If you feel that your packaged GUI application does
not need a .desktop file, you must put a comment in the spec file with your
explanation.
NA.
- MUST: Packages must not own files or directories already owned by other
packages. The rule of thumb here is that the first package to be installed
should own the files or directories that other packages may rely upon. This
means, for example, that no package in Fedora should ever share ownership with
any of the files or directories owned by the filesystem or man package. If you
feel that you have a good reason to own a file or directory that another
package owns, then please present that at package review time.
NA.
- MUST: At the beginning of %install, each package MUST run rm -rf %{buildroot}
( or $RPM_BUILD_ROOT ). See Prepping BuildRoot For %install for details.
Good.
- MUST: All filenames in rpm packages must be valid UTF-8.
Good.
- SHOULD: If the source package does not include license text(s) as a
separate file from upstream, the packager SHOULD query upstream to include it.
Good.
- SHOULD: The description and summary sections in the package spec file
should contain translations for supported Non-English languages, if available.
Good.
- SHOULD: The the package builds in mock.
# mock -r default rebuild SRPMS/ccrypt-1.7-1.fc9.src.rpm
Good on i386.
- SHOULD: The package should compile and build into binary rpms on all
supported architectures.
$ koji build --arch=x86_64 --scratch dist-f10 SRPMS/ccrypt-1.7-1.fc9.src.rpm
Good.
$ koji build --arch=ppc --scratch dist-f10 SRPMS/ccrypt-1.7-1.fc9.src.rpm
Good. (See http://koji.fedoraproject.org/koji/taskinfo?taskID=1071232 )
- SHOULD: The package functions as described.
Good.
- SHOULD: If scriptlets are used, those scriptlets must be sane.
NA.
- SHOULD: Usually, subpackages other than devel should require the base
package using a fully versioned dependency.
NA.
- SHOULD: The placement of pkgconfig(.pc) files depends on their usecase,
and this is usually for development purposes, so should be placed in a -devel
pkg.
NA.
- SHOULD: If the package has file dependencies outside of /etc, /bin,
/sbin, /usr/bin, or /usr/sbin consider requiring the package which provides the
file instead of the file itself.
Good.
(In reply to comment #1) > My review. I cannot sponsor you as I'm not (yet) an approved packager. > Once this package gets approved contact a sponsor from the official list. Thanks, I don't need a sponsor. > Requires: libcrypt.so.1 (noticed this requirement during build) > To be checked... see below > Good. Wondering if the following line is relevant for the description: > "which is the U.S. government's chosen candidate for the Advanced > Encryption Standard." Your call. I removed some sentences. > Will you be able to fix the build problem on PPC? Otherwise, add a tag to > exclude it. > Via koji I was able to build on ppc. I will exclude ppc64 for the moment. This is my second package with issues about openssl on ppcX. > - MUST: All build dependencies must be listed in BuildRequires, except for any > that are listed in the exceptions section of the Packaging Guidelines ; > inclusion of those as BuildRequires is optional. Apply common sense. > > You need the glibc-devel package for -lcrypt I don't think that I need glibc-devel. The koji log shows that the check for -lcrypt is ok without BR glibc-devel. But maybe I'm mistaken... http://koji.fedoraproject.org/koji/getfile?taskID=1100286&name=build.log Updated files: Spec URL: http://fab.fedorapeople.org/packages/SRPMS/ccrypt.spec SRPM URL: http://fab.fedorapeople.org/packages/SRPMS/ccrypt-1.7-2.fc9.src.rpm (In reply to comment #2) > > > Good. Wondering if the following line is relevant for the description: > > "which is the U.S. government's chosen candidate for the Advanced > > Encryption Standard." Your call. > > I removed some sentences. Thanks - it is much better. > > > Will you be able to fix the build problem on PPC? Otherwise, add a tag to > > exclude it. > > Via koji I was able to build on ppc. > > I will exclude ppc64 for the moment. This is my second package with issues > about openssl on ppcX. Thanks - acceptable for me. > > > - MUST: All build dependencies must be listed in BuildRequires, except for any > > that are listed in the exceptions section of the Packaging Guidelines ; > > inclusion of those as BuildRequires is optional. Apply common sense. > > > > You need the glibc-devel package for -lcrypt > > I don't think that I need glibc-devel. The koji log shows that the check for > -lcrypt is ok without BR glibc-devel. But maybe I'm mistaken... Hum, is indeed strange, but your comment is correct. It works nice without it. So, unless somebody complains do not use in the spec file. > > http://koji.fedoraproject.org/koji/getfile?taskID=1100286&name=build.log > > Updated files: > > Spec URL: http://fab.fedorapeople.org/packages/SRPMS/ccrypt.spec > SRPM URL: http://fab.fedorapeople.org/packages/SRPMS/ccrypt-1.7-2.fc9.src.rpm The SRPM URL was wrong! The correct URL is: http://fab.fedorapeople.org/packages/SRPMS/ccrypt-1.7-2.fc10.src.rpm Next actions are: 1/ final approval of the spec and RPM/SRPM packages of an "official" approver is still needed 2/ finding a sponsor, but you did not need one according to your comment #2 Thanks, go ahead - for me it's fine. I will do the formal review, it looks good as already found during the pre-review, but I have found 2 issues there: - a test-suite is included in the sources in the "check" directory, you should add a %check section containing "make check" into the spec file - the failure on ppc64 is a result of buggy code in maketables or a bug in GCC in combination with our security related compiler flags and you can ask for access to ppc654 system on fedora-devel for further investigation (In reply to comment #4) > - the failure on ppc64 is a result of buggy code in maketables or a bug in GCC > in combination with our security related compiler flags and you can ask for > access to ppc654 system on fedora-devel for further investigation so it's buggy code -> the "r" array on line 133 (maketables.c) consists of too small members (word8) for storing word32 values as returned by function multrot2113 Thanks for your help. (In reply to comment #4) > - a test-suite is included in the sources in the "check" directory, you should > add a %check section containing "make check" into the spec file At the moment there is an issue with the 'check' -------<%--------- BC=8, KC=8, Inverse difference a0[i][j]=232, a1[j*4+i]=-30 BC=8, KC=8, Inverse difference a0[i][j]=8, a1[j*4+i]=109 Inverse: 32 differences Total: 647 differences The optimized Rijndael implementation does not agree with the reference implementation. FAIL: rijndael-check ccrypt: key does not match ./length-check.sh: test failed for file length 0. FAIL: length-check.sh ./ccrypt-check.sh:57: Action returned 4 instead of 0. ./ccrypt-check.sh: test failed. FAIL: ccrypt-check.sh Random seed: 1236549206 Passed. PASS: crypt3-check =================== 3 of 4 tests failed =================== make[2]: *** [check-TESTS] Fehler 1 make[2]: Leaving directory `/home/fab/rpmbuild/BUILD/ccrypt-1.7/check' make[1]: *** [check-am] Fehler 2 make[1]: Leaving directory `/home/fab/rpmbuild/BUILD/ccrypt-1.7/check' -------%>--------- (In reply to comment #5) > (In reply to comment #4) > > - the failure on ppc64 is a result of buggy code in maketables or a bug in GCC > > in combination with our security related compiler flags and you can ask for > > access to ppc654 system on fedora-devel for further investigation > > so it's buggy code -> > the "r" array on line 133 (maketables.c) consists of too small members (word8) > for storing word32 values as returned by function multrot2113 Added a patch for this. Now it works on ppc64. (In reply to comment #6) > Thanks for your help. > > (In reply to comment #4) > > - a test-suite is included in the sources in the "check" directory, you should > > add a %check section containing "make check" into the spec file > > At the moment there is an issue with the 'check' > > -------<%--------- > > BC=8, KC=8, Inverse difference a0[i][j]=232, a1[j*4+i]=-30 > BC=8, KC=8, Inverse difference a0[i][j]=8, a1[j*4+i]=109 > Inverse: 32 differences > Total: 647 differences > The optimized Rijndael implementation does not agree with the reference > implementation. > FAIL: rijndael-check > ccrypt: key does not match > ./length-check.sh: test failed for file length 0. > FAIL: length-check.sh > ./ccrypt-check.sh:57: Action returned 4 instead of 0. > ./ccrypt-check.sh: test failed. > FAIL: ccrypt-check.sh > Random seed: 1236549206 > Passed. > PASS: crypt3-check > =================== > 3 of 4 tests failed > =================== > make[2]: *** [check-TESTS] Fehler 1 > make[2]: Leaving directory `/home/fab/rpmbuild/BUILD/ccrypt-1.7/check' > make[1]: *** [check-am] Fehler 2 > make[1]: Leaving directory `/home/fab/rpmbuild/BUILD/ccrypt-1.7/check' > > -------%>--------- > What platform is it? The tests did run successful on my Rawhide/x86_64. F10/i386 Hm, in my opinion we should insist on a positive result from the built-in tests. Yes, the built-in test should be passed successfully. I will try to get in touch with upstream about this issue. Still are only 3 of 4 test successful passed for i386. There are a lot of compiler errors... Anyway updated files: Spec URL: http://fab.fedorapeople.org/packages/SRPMS/ccrypt.spec SRPM URL: http://fab.fedorapeople.org/packages/SRPMS/ccrypt-1.7-4.fc10.src.rpm Koji scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=1321176 Now upstream seems to have 1.8 formal release. Would you check that? I will. Thanks Mamoru The spec file should be online. At the moment I have a poor connection and I'm not able to upload the SRPM. I was lucky here we go Spec URL: http://fab.fedorapeople.org/packages/SRPMS/ccrypt.spec SRPM URL: http://fab.fedorapeople.org/packages/SRPMS/ccrypt-1.8-1.fc11.src.rpm Everything looks OK now, tests are passed, the ExcludeArch blocker bug can be removed. It could hardly be better :-) This package is APPROVED. Thanks Dan for the review and your help with this package. New Package CVS Request ======================= Package Name: ccrypt Short Description: Secure encryption and decryption of files and streams Owners: fab Branches: F-10 F-11 InitialCC: CVS done. ccrypt-1.8-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/ccrypt-1.8-1.fc10 ccrypt-1.8-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/ccrypt-1.8-1.fc11 ccrypt-1.8-1.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update ccrypt'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-8200 ccrypt-1.8-1.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update ccrypt'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8209 ccrypt-1.8-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. ccrypt-1.8-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. Package Change Request ====================== Package Name: ccrypt New Branches: epel7 el6 Owners: fab InitialCC: Git done (by process-git-requests). |