Bug 579428 (w3af)

Summary: Package Review: w3af - Web Application Attack and Audit Framework
Product: Fedora
Reporter: Michal Ambroz <rebus>
Component: Package Review
Assignee: Nobody's working on this, feel free to take it <nobody>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: rawhide
CC: bressers, fedora-package-review, notting, opensource, rebus, supercyper1
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-12-17 12:51:25 EST
Bug Blocks: 201449

Description Michal Ambroz 2010-04-05 02:09:20 EDT
Dear members, please could you review this package to check its suitability for the Fedora Project?

The W3AF is a Web Application Attack and Audit Framework.
The W3AF core and its plug-ins are fully written in python.
The project has more than 130 plug-ins, which check for SQL injection,
cross site scripting (XSS), local and remote file inclusion and much more.

SPEC Url: http://rebus.webz.cz/d/w3af.spec
SRPM Url: http://rebus.webz.cz/d/w3af-1.0-0.1.rc3.fc12.src.rpm

Best regards 
Michal Ambroz
Comment 1 Josh Bressers 2010-04-05 07:52:28 EDT
While this package has a security relevance, the Security keyword is for security flaws. I'm removing the keyword.

Thanks for adding this, it should prove useful.
Comment 2 Michal Ambroz 2010-04-06 15:03:53 EDT
This will be a long run, I guess.

Tom "spot" Callaway pointed out that the package as it is could be complicated from the licensing point of view. 
GPLv2 is incompatible with GPLv3. 

Any help with review/comments/suggestions/packing dependencies are welcome.
Comment 3 Till Maas 2010-06-30 10:15:56 EDT
Some issues I found at first sight:

1) the manpage does not need to be gzipped manually, this is done automatically by rpm
2) The complex License tag should have a comment explaining why it is that complicated
3) for the locales find-lang.sh should be used (see package guidelines)
4) the correct SF.net download URL is downloads.sourceforge.net/%{name}/%{name}-1.0-rc3.tar.bz2 iirc (see Source guidelines)
5) The patches need comments explaining why they are not upstreamable or if they are, what their upstream status is, e.g. a pointer to the upstream tracker with the patch would be good. And please add a date to these comments

If you need detailed URLs to the mentioned guidelines, please ask and I will provide them.

And please provide links to unofficial reviews you performed, if you did some.
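The five points above, worked into a spec fragment for this package. This is an added example, not the spec under review; the License value, patch file name, upstream ticket URL, patch date and the unpacked source directory name are placeholders or assumptions.

```spec
Name:           w3af
Version:        1.0
Release:        0.1.rc3%{?dist}
# Point 4: canonical SourceForge download URL, built from the macros
Source0:        http://downloads.sourceforge.net/%{name}/%{name}-%{version}-rc3.tar.bz2

# Point 2: a complex License tag carries a comment explaining why it reads
# as it does (which files are under which license). The value itself must
# come from an audit of the source tree; it is a placeholder here.
License:        LICENSE-TAG-PLACEHOLDER

# Point 5: each patch states its upstream status and is dated
# 2010-07-01 (constructed date): sent upstream as UPSTREAM-TICKET-URL-PLACEHOLDER,
# not merged yet; drop when the next upstream release contains it.
Patch0:         w3af-example-fix.patch

%prep
# Assumed unpacked directory name; adjust to the tarball's real top-level dir
%setup -q -n %{name}-%{version}-rc3
%patch0 -p1

%install
rm -rf %{buildroot}
# (other install steps omitted)
# Point 1: install the man page uncompressed; rpm's brp-compress gzips it
install -D -m 0644 w3af.1 %{buildroot}%{_mandir}/man1/w3af.1
# Point 3: collect the locale files with find-lang instead of listing them
%find_lang %{name}

%files -f %{name}.lang
# The glob matches whatever compression suffix rpm applied
%{_mandir}/man1/w3af.1*
```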
Comment 4 Jason Tibbitts 2010-11-17 08:38:45 EST
Were the licensing issues ever clarified?

Any response to Till's commentary above?  At this point few people will spend time looking at this ticket if you don't respond to existing commentary.