Bug 560178

Summary: accountsservice - D-Bus interfaces for querying and manipulating user account information
Product: [Fedora] Fedora Reporter: Matthias Clasen <mclasen>
Component: Package ReviewAssignee: Christoph Wickert <cwickert>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: rawhideCC: cwickert, fedora-package-review, notting
Target Milestone: ---Flags: cwickert: fedora‑review+
kevin: fedora‑cvs+
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-02-03 11:51:00 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 560179    

Comment 1 Matthias Clasen 2010-01-30 16:09:20 EST
It is worth pointing out that the package installs an activated dbus system bus service that runs as root and provides an api to change your own and other users account information, as well as gdm login screen configuration. These functions are protected by PolicyKit privileges:

org.freedesktop.accounts.change-own-user-data - for changing your own user name, photo, email address and similar 'ancillary information'. Core data like your home directory, account type and uid is protected by the user-administration privilege below:

org.freedesktop.accounts.user-administration - for changing any users user data.

org.freedesktop.accounts.set-login-option - for changing gdm login screen configuration.

The service stores 'ancillary information' (ie everything that doesn't go into /etc/passwd) in /var/lib/AccountsService.
Comment 2 Christoph Wickert 2010-01-30 17:50:05 EST
FIX - MUST: rpmlint must be run on every package. The output should be posted in the review.
$ rpmlint /var/lib/mock/fedora-rawhide-x86_64/result/accountsservice-*
accountsservice.src: W: no-buildroot-tag
accountsservice.x86_64: W: non-conffile-in-etc /etc/dbus-1/system.d/org.freedesktop.Accounts.conf
3 packages and 0 specfiles checked; 0 errors, 2 warnings.
OK - MUST: named according to the Package Naming Guidelines
OK - MUST: spec file name matches the base package %{name}
OK - MUST: package meets the Packaging Guidelines
OK - MUST: Fedora approved license and meets the Licensing Guidelines: GPLv3+
OK - MUST: License field in spec file matches the actual license
OK - MUST: license file included in %doc
OK - MUST: spec is in American English
OK - MUST: spec is legible
OK - MUST: sources match the upstream source by MD5 cb2ca0e1b45873fdd80fa7d8aeef7eac
OK - MUST: successfully compiles and builds into binary rpms on x86_64
OK - MUST: no ExcludeArch
OK - MUST: all build dependencies are listed in BuildRequires.
N/A - MUST: handles locales properly with %find_lang
N/A - MUST: Every binary RPM package (or subpackage) which stores shared library files (not just symlinks) in any of the dynamic linker's default paths, must call ldconfig in %post and %postun.
OK - MUST: Package does not bundle copies of system libraries.
N/A - MUST: If the package is designed to be relocatable, the packager must state this fact in the request for review
OK - MUST: owns all directories that it creates (none)
OK - MUST: no duplicate files in the %files listing
OK - MUST: Permissions on files are set properly, includes %defattr(...)
OK - MUST: package has a %clean section, which contains rm -rf $RPM_BUILD_ROOT.
OK - MUST: consistently uses macros
OK - MUST: package contains code, or permissable content
N/A - MUST: Large documentation files should go in a -doc subpackage
OK - MUST: Files included as %doc do not affect the runtime of the application
N/A - MUST: Header files must be in a -devel package
N/A - MUST: Static libraries must be in a -static package
N/A - MUST: Packages containing pkgconfig(.pc) files must 'Requires: pkgconfig'.
N/A - MUST: If a package contains library files with a suffix, then library files that end in .so must go in a -devel package.
N/A - MUST: devel packages must require the base package using a fully versioned dependency
OK - MUST: The package does not contain any .la libtool archives.
N/A - MUST: Packages containing GUI applications must include a %{name}.desktop file, and that file must be properly installed with desktop-file-install in the %install section.
OK - MUST: package does not own files or directories already owned by other packages.
OK - MUST: at the beginning of %install, the package runs rm -rf $RPM_BUILD_ROOT
OK - MUST: all filenames valid UTF-8


SHOULD Items:
OK - SHOULD: Source package includes license text(s) as a separate file.
N/A - SHOULD: The description and summary sections in the package spec file should contain translations for supported Non-English languages, if available.
OK - SHOULD: builds in mock.
OK - SHOULD: compiles and builds into binary rpms on all supported architectures.
OK - SHOULD: functions as described.
N/A - SHOULD: Scriptlets are used, those scriptlets must be sane.
N/A - SHOULD: Usually, subpackages other than devel should require the base package using a fully versioned dependency.
N/A - SHOULD: pkgconfig(.pc) files should be placed in a -devel pkg
N/A - SHOULD: If the package has file dependencies outside of /etc, /bin, /sbin, /usr/bin, or /usr/sbin consider requiring the package which provides the file instead of the file itself.


Other items:
OK - latest stable version
OK - SourceURL valid
OK - Compiler flags ok
OK - Debuginfo complete


Issues: 
- src/user.c is GPLv2+. Is this intended? 
- TODO should be in %doc
- /etc/dbus-1/system.d/org.freedesktop.Accounts.conf should be %config.

Please fix these and consider the package APPROVED.

BTW: Build fails with --enable-docbook-docs because AccountsService.xml does not validate.
Comment 3 Matthias Clasen 2010-01-31 12:55:21 EST
- src/user.c is GPLv2+. Is this intended? 

This is because it started out as a copy of a gdm source file. At some point I may rewrite it completely.

- TODO should be in %doc

I disagree. This is my own, private TODO list that I'd rather not install on thousands of user systems. The fact that the autotools incude it in the tarball is a bit unfortunate. I may investigate how to keep it out of the tarball instead.

- /etc/dbus-1/system.d/org.freedesktop.Accounts.conf should be %config.

Disagreed again. While this is configuration (namely, configuration of the dbus policy for the service), it is not a config file. All an administrator can achieve by editing this file is to either break the functionality of the service, or worse, add security holes.
Comment 4 Christoph Wickert 2010-01-31 17:29:54 EST
(In reply to comment #3)
> I disagree. This is my own, private TODO list that I'd rather not install on
> thousands of user systems. The fact that the autotools incude it in the tarball
> is a bit unfortunate. I may investigate how to keep it out of the tarball
> instead.

Ok, then leave it out, but if it's your private TODO, then it shouldn't be in the tarball ether. IMO shipping TODOs is good practice because it's useful for people who are about to file RFEs and might encourage other developers to help you.

> - /etc/dbus-1/system.d/org.freedesktop.Accounts.conf should be %config.
> 
> Disagreed again. While this is configuration (namely, configuration of the dbus
> policy for the service), it is not a config file. All an administrator can
> achieve by editing this file is to either break the functionality of the
> service, or worse, add security holes.

Do as you like, but IMHO it should still be marked as %config. Other packages are doing this too.

...I'm wishing back the days when config files were in /etc and not in /var/lib and when files in /etc were true config files. ;)
Comment 5 Matthias Clasen 2010-02-01 12:21:40 EST
New Package CVS Request
=======================
Package Name: accountsservice
Short Description: D-Bus interfaces for querying and manipulating user account information
Owners: mclasen
Branches: 
InitialCC:
Comment 6 Kevin Fenzi 2010-02-01 19:07:42 EST
CVS done (by process-cvs-requests.py).
Comment 7 Matthias Clasen 2010-02-03 11:51:00 EST
built done