Bug 513320
| Summary: | Review Request: boxbackup - A fast, secure and automatic online backup system | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Stewart Adam <s.adam> |
| Component: | Package Review | Assignee: | Jason Tibbitts <j> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | CC: | abo, bjohnson, bloch, fedora, i, package-review, tcallawa |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-09-14 01:23:49 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 201449 | ||
|
Description
Stewart Adam
2009-07-23 02:12:09 UTC
This fails to build for me: + test -e configure + ./bootstrap ./bootstrap: line 3: aclocal: command not found ./bootstrap: line 4: autoheader: command not found ./bootstrap: line 5: autoconf: command not found Looks like missing dependencies. Scratch build at http://koji.fedoraproject.org/koji/taskinfo?taskID=1615423 Thanks for pointing this out. I've fixed this and I'm doing a scratch build now, if it succeeds I will post updated links. Alright, build dependencies fixed. I also disabled the test bench as it requires a large amount of system resources as well as a specific firewall configuration (see comment in SPEC). SPEC: http://firewing.fedorapeople.org/pub/SPECS/boxbackup.spec SRPM: http://firewing.fedorapeople.org/pub/SRPMS/boxbackup-0.11-0.3.rc2.20090721svn.fc11.src.rpm Scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=1618669 Updated to build to SVN r2559, which includes the changes made in 0.11rc4: SPEC: http://firewing.fedorapeople.org/pub/SPECS/boxbackup.spec SRPM: http://firewing.fedorapeople.org/pub/SRPMS/boxbackup-0.11-0.1.rc4.20090916svn.src.rpm This SRPM also fixes the issue of .svn directories being included as %doc files. License http://www.boxbackup.org/license.html looks like "BSD with advertising", though it's not exactly the same. It's probably a good idea to let fedora-legal confirm that it's "close enough". See http://fedoraproject.org/wiki/Licensing:Main#Good_Licenses Indeed, that license is non-free. The reason is because of the wording:
3. All use of this software and associated advertising materials must
display the following acknowledgement:
This product includes software developed by Ben Summers.
This differs from the standard BSD with advertising in that it includes the words "all use of this software". This is probably just a case of poor license drafting, but even if he means that interactive programs must display an acknowledgement, as written the clause goes beyond that.
The obvious way to make this free would be to reword it to match BSD with advertising (as sick as it makes me to type that):
3. All advertising materials mentioning features or use of this software must
display the following acknowledgement:
This product includes software developed by Ben Summers.
Even better would be for it to drop the advertising clause altogether and use stock BSD, because it also eliminates the GPL incompatibility caused by the advertising clause.
As it stands now, this is blocked for Fedora.
Blocking FE-Legal as there's not much point in reviewing this in its current state. I've spoken with upstream, here's a link to discussion on the box backup mailing list: http://lists.boxbackup.org/pipermail/boxbackup/2010-January/000005.html It seems that they were already thinking about this as well, so once Ben (the main contributor to box backup) agrees then the license can be switched to GPL or BSD. Box Backup is now dual-licensed: the core libraries are BSD and the rest is GPL-like, with optional exceptions for linking against the Microsoft VSS SDK and OpenSSL. Chris's post about the change is here: http://lists.boxbackup.org/pipermail/boxbackup/2010-January/000034.html The full changes in the license can be viewed in trac: http://www.boxbackup.org/trac/changeset/2600 Does this look OK to accept into Fedora now? Looks good, please pass along my thanks to upstream on a thorough and well thought out relicensing effort. Lifting FE-Legal. FYI I'm happy to be a co-maintainer on this one if you like. I'm already a Fedora package maintainer, and an upstream developer for Box Backup (and the original RPM packager). Thanks for your work to submit this for Fedora Stewart. Sure, that would be great! Did anything ever happen here? It would be good to get at least an updated spec/srpm set with the relicensed code. (In reply to comment #13) > Did anything ever happen here? It would be good to get at least an updated > spec/srpm set with the relicensed code. I'll try to build an updated package for this weekend. SPEC: http://firewing.fedorapeople.org/pub/SPECS/boxbackup.spec SRPM: http://firewing.fedorapeople.org/pub/SRPMS/boxbackup-0.11-0.1.rc8.fc14.src.rpm Scratch build for dist-f14: http://koji.fedoraproject.org/koji/taskinfo?taskID=2599478 I have changed the UID to 52 since 50 & 51 have been taken since the review started and I also updated the license tag to reflect the licensing changes in the project (binaries are now under GPLv2+, with certain exceptions, or 3-clause BSD). The licensing for the source code is a bit complex, however it is described in the LICENSE-DUAL.txt and LICENSE-GPL.txt files included as %doc. The project also doesn't compile any shared libraries, only a few CLI utilities and a daemon so the licensing for binary distribution becomes extremely simple: GPLv2+ with exceptions, or BSD. Can you explain why this absolutely requires a static UID? Will a dynamically allocated UID not work? We have very, very few UIDs we can allocate so we really don't want to do so unless it is absolutely necessary. Oh, and also, that fedora-usermgmt stuff is really a terribly bad idea. Does the officially recognized procedure not work for this package for some reason? https://fedoraproject.org/wiki/Packaging:UsersAndGroups Sorry about the usermgmt stuff, I followed an example from another package without realizing it was non-standard. I've switched to a dynamically created user as well as fixed a minor error in the server package's README file. SPEC: http://firewing.fedorapeople.org/pub/SPECS/boxbackup.spec SRPM: http://firewing.fedorapeople.org/pub/SRPMS/boxbackup-0.11-0.2.rc8.fc14.src.rpm I thought I saw on IRC that someone was going to review this last week, but nothing seems to have happened so I'll make some further comments. The makefile hides important data; adding 'V=1' to the make call makes it more useful. I'll trust the previous licensing work and assume that license tag and such are correct. Your scriptlets don't seem to correspond to the recommended ones from http://fedoraproject.org/wiki/Packaging/SysVInitScript#Initscripts_in_spec_file_scriptlets It seems to me that you do the restart on upgrade at the wrong time. It should be in the new package %post, not the old package %preun. What you have restarts the old server, uninstalls it and installs the new one. (Of course, the whole initscript thing is changing for f15, but we don't have any systemd guidelines yet). Here's the rpmlint output: boxbackup.x86_64: E: non-standard-dir-perm /etc/boxbackup/bbackupd 0700L boxbackup.x86_64: W: incoherent-subsys /etc/rc.d/init.d/bbackupd $prog boxbackup.x86_64: W: incoherent-subsys /etc/rc.d/init.d/bbackupd $prog boxbackup.x86_64: W: incoherent-init-script-name bbackupd ('boxbackup', 'boxbackupd') These are all OK. boxbackup-debuginfo.x86_64: W: spurious-executable-perm /usr/src/debug /boxbackup-0.11rc8/lib/win32/getopt.h It's odd that the header is executable, and doubly odd that it's in the package at all. Why is the stuff in lib/win32 being built? (cd ../../lib/win32; make -q RELEASE=1 NODEPS=1 || make RELEASE=1 NODEPS=1) make[2]: Entering directory `/builddir/build/BUILD/boxbackup-0.11rc8/lib/win32' g++ -DBOX_RELEASE_BUILD -O2 -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wall -Wundef -DBOX_VERSION="\"0.11rc8\"" -DBOX_MODULE="\"lib/win32\"" -c emu.cpp -o ../../release/lib/win32/emu.o g++ -DBOX_RELEASE_BUILD -O2 -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wall -Wundef -DBOX_VERSION="\"0.11rc8\"" -DBOX_MODULE="\"lib/win32\"" -c getopt_long.cpp -o ../../release/lib/win32/getopt_long.o (echo -n > ../../release/lib/win32/win32.a; rm ../../release/lib/win32/win32.a) ar cq ../../release/lib/win32/win32.a ../../release/lib/win32/emu.o ../../release/lib/win32/getopt_long.o ranlib ../../release/lib/win32/win32.a make[2]: Leaving directory `/builddir/build/BUILD/boxbackup-0.11rc8/lib/win32' boxbackup-server.x86_64: W: non-standard-uid /etc/boxbackup/bbstored boxbackup boxbackup-server.x86_64: E: non-standard-dir-perm /etc/boxbackup/bbstored 0700L boxbackup-server.x86_64: W: incoherent-subsys /etc/rc.d/init.d/bbstored $prog boxbackup-server.x86_64: W: incoherent-subsys /etc/rc.d/init.d/bbstored $prog boxbackup-server.x86_64: W: incoherent-init-script-name bbstored ('boxbackup-server', 'boxbackup-serverd') These are all OK. Why are the files in /etc/boxbackup/ completely empty? (In reply to comment #19) > I thought I saw on IRC that someone was going to review this last week, but > nothing seems to have happened so I'll make some further comments. > > The makefile hides important data; adding 'V=1' to the make call makes it more > useful. Done. > > I'll trust the previous licensing work and assume that license tag and such are > correct. I've double checked this and to the best of my knowledge (IANAL) it is OK. The only possible problem I see is that the GPL license has exceptions for MS VSS and OpenSSL, so strictly speaking it isn't standard GPL nor "GPLv2+ with exceptions" as defined in the Fedora licensing page... In the LICENSE-DUAL.TXT it's referred to as "Box Backup GPL". > Your scriptlets don't seem to correspond to the recommended ones from > http://fedoraproject.org/wiki/Packaging/SysVInitScript#Initscripts_in_spec_file_scriptlets Sorry about that! I must have misread the %postun for %preun and appended it to the other scriptlets... Fixed it. > boxbackup-debuginfo.x86_64: W: spurious-executable-perm /usr/src/debug > /boxbackup-0.11rc8/lib/win32/getopt.h > It's odd that the header is executable, and doubly odd that it's in the package > at all. Why is the stuff in lib/win32 being built? It looks as if that file acts as a sort of abstraction layer. If on Unix, it maps the EMU_{F,L,}STAT structs to the system ones and stops because of this line: #if ! defined EMU_INCLUDE && defined WIN32 The rest of Box Backup references EMU_* and so it will automatically get the right one depending on the platform. I believe something similar happens in getopt_long.cpp because neither _MSC_VER or __MINGW32__ should be defined. > Why are the files in /etc/boxbackup/ completely empty? /etc/boxbackup/bbstored and /etc/boxbackup/bbbackupd are the locations that the services store the account data and user/server certificates so that will vary from machine to machine and it needs to be initialized correctly by the user (I provide instructions on how to do so in the README.fedora files for each package) I suppose it would be possible to provide a sample configuration and let the user create the certificates, but then we'd be dictating where backups are stored on the server machine and disabling the userland raid feature. I think it is much easier to let Box Backup handle all of it - the tools included easily and quickly create the necessary configuration and certificates once the user provides information about the server (or client) machine. SPEC: http://firewing.fedorapeople.org/pub/SPECS/boxbackup.spec SRPM: http://firewing.fedorapeople.org/pub/SRPMS/boxbackup-0.11-0.3.rc8.fc14.src.rpm Hate to do this, but now that I look at the license stuff I'm having trouble figuring out what's what. The COPYING.txt file indicates that a bunch of stuff is under their specific "GPLv2+ with exceptions" license, and that some of the code is dual licensed "GPL (v something) or BSD", and of course it says "unless stated otherwise in the file" so you have to check all of the files. So it looks to me to be a bit more complicated than just "BSD or GPLv2+ with exceptions". You will need to figure out which parts of the final packages are under which license(s) and indicate that, generally with a comment in the spec near the License: tag but if it gets overly complex you can move it off to a file included as documentation. I'm guessing since spot already signed off on these that there's no problem with compatibility between the different license stuff, since you can always use the dual-licensed stuff under the BSD license in order to link it with the GPLv2+ with exceptions stuff. It seems that nothing owns /etc/boxbackup. * source files match upstream. sha256sum: 7bd734b5ab37f67aa88029635306e586b9e33bffe4ded5760f9d299b2b03e01b boxbackup-0.11rc8.tgz * package meets naming and versioning guidelines. * specfile is properly named, is cleanly written and uses macros consistently. * summaries are OK. * descriptions are OK. * dist tag is present. ? license field matches the actual license. * license is open source-compatible. * license text included in package. * latest version is being packaged. * BuildRequires are proper. * compiler flags are appropriate. * package builds in mock (rawhide, x86_64). * package installs properly. * debuginfo package looks complete. * rpmlint has acceptable complaints. * final provides and requires are sane: boxbackup-0.11-0.3.rc8.fc15.x86_64.rpm config(boxbackup) = 0.11-0.3.rc8.fc15 boxbackup = 0.11-0.3.rc8.fc15 boxbackup(x86-64) = 0.11-0.3.rc8.fc15 = /bin/bash /bin/sh /usr/bin/perl chkconfig config(boxbackup) = 0.11-0.3.rc8.fc15 initscripts libcrypto.so.10()(64bit) libdb-4.8.so()(64bit) libedit.so.0()(64bit) libgcc_s.so.1()(64bit) libgcc_s.so.1(GCC_3.0)(64bit) libssl.so.10()(64bit) libstdc++.so.6()(64bit) libstdc++.so.6(CXXABI_1.3)(64bit) libstdc++.so.6(GLIBCXX_3.4)(64bit) libstdc++.so.6(GLIBCXX_3.4.11)(64bit) libstdc++.so.6(GLIBCXX_3.4.14)(64bit) libstdc++.so.6(GLIBCXX_3.4.9)(64bit) libz.so.1()(64bit) openssl >= 0.9.7a perl(strict) shadow-utils boxbackup-server-0.11-0.3.rc8.fc15.x86_64.rpm config(boxbackup-server) = 0.11-0.3.rc8.fc15 boxbackup-server = 0.11-0.3.rc8.fc15 boxbackup-server(x86-64) = 0.11-0.3.rc8.fc15 = /bin/bash /bin/sh /usr/bin/perl config(boxbackup-server) = 0.11-0.3.rc8.fc15 libcrypto.so.10()(64bit) libdb-4.8.so()(64bit) libedit.so.0()(64bit) libgcc_s.so.1()(64bit) libgcc_s.so.1(GCC_3.0)(64bit) libssl.so.10()(64bit) libstdc++.so.6()(64bit) libstdc++.so.6(CXXABI_1.3)(64bit) libstdc++.so.6(GLIBCXX_3.4)(64bit) libstdc++.so.6(GLIBCXX_3.4.11)(64bit) libstdc++.so.6(GLIBCXX_3.4.14)(64bit) libstdc++.so.6(GLIBCXX_3.4.9)(64bit) libz.so.1()(64bit) perl(strict) * no bundled libraries. X fails to own /etc/boxbackup. * doesn't own any directories it shouldn't. * no duplicates in %files. * file permissions are appropriate. * no generically named files * scriptlets are OK (service management, user creation). * code, not content. * documentation is small, so no -doc subpackage is necessary. * %docs are not necessary for the proper functioning of the package. * no static libraries. * no libtool .la files. Any update here? Sorry about the delays, I've investigated the license problem and upload an updated package up soon. For Fedora it looks like it will be only GPLv2+ with exceptions, since the compiles include lib/backupclient which (among others) is GPLv2+ only. SPEC: http://firewing.fedorapeople.org/pub/SPECS/boxbackup.spec SRPM: http://firewing.fedorapeople.org/pub/SRPMS/boxbackup-0.11-0.4.rc8.fc14.src.rpm I have changed the License tag to "Box Backup GPL", which is the name upstream gave for the GPLv2-like license with the linking exceptions for OpenSSL and MS VSS. This makes rpmlint output a new warning: boxbackup.src: W: invalid-license Box Backup GPL Although I believe we can ignore this as spot gave the OK. Perhaps we ask him to look it over quickly again just to be sure? As for the ownership of /etc/boxbackup, the troublesome part is that both the client and the server packages store their files in sub-directories of /etc/boxbackup so I've made both packages own it. rpmlint also complains about this: boxbackup.x86_64: W: non-standard-uid /etc/boxbackup boxbackup boxbackup.x86_64: E: non-standard-dir-perm /etc/boxbackup 0700L I've done used nonstandard permissions (boxbackup:root 0700) to prevent outside users from taking peeks at the backup configuration (for either the client or server) or from gaining access to the certificates/encryption keys. Well, we don't invent new license tags without going through legal. Generally we'd use "GPLv2 with exceptions" for that kind of thing but if you think it deserves a new tag, we'll block FE-Legal again and see what spot says. Yeah, I would prefer we use GPLv2 with exceptions, as they really haven't created a new license here (at least not for the purposes of tracking). Okay, here it is! SPEC: http://firewing.fedorapeople.org/pub/SPECS/boxbackup.spec SRPM: http://firewing.fedorapeople.org/pub/SRPMS/boxbackup-0.11-0.5.rc8.fc14.src.rpm Hmm, this is still blocking FE-Legal so I haven't really looked at it until now, but isn't the legal issue resolved with that last update? The package is outdated now and some packaging guidelines have moved on a bit, but if the legal issue is resolved and the package is updated then I'm willing to finish this up. Just let me know. Lifting FE-Legal, as this seems to be okay now. Great, thanks - I'll read over the changes made to the guidelines and post an updated RPM soon. Note: I've stopped using Box Backup and no longer have an interested in maintaining this package. I'll leave this open for someone else to pick up if they wish. |