Bug 798738 (mysqlenum)
| Summary: | Review request: mysqlenum - is an automatic blind SQL injection tool. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | pjp <pj.pandit> |
| Component: | Package Review | Assignee: | Nobody's working on this, feel free to take it <nobody> |
| Status: | CLOSED CANTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | CC: | athmanem, jlieskov, mail, metherid, misc, mrunge, notting, package-review, susi.lehtola, tcallawa |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | All | ||
| URL: | http://www.andreafabrizi.it/?mysqlenum | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-05-03 06:54:38 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 563471 | ||
|
Description
pjp
2012-02-29 17:43:27 UTC
pjp, you can't review your own package. You should only set fedora-review-flag if you're going to do a review. One minor: If you're not going to submit this for el5, then you should remove rm -rf $RPM_BUILD_ROOT from install section. Oops sorry,(In reply to comment #1) > pjp, you can't review your own package. > You should only set fedora-review-flag if you're going to do a review. Oh, sorry about that, got confused. > One minor: If you're not going to submit this for el5, then you should remove > rm -rf $RPM_BUILD_ROOT from install section. Why not, I can submit it for el5 as well. Hope that's ok. Thank you. Removed the 'Security' keyword. Please don't use that one for cases like this, as it has different purpose. This is not a security issue, just package review request. Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team Here's some comments: - Source0 should be point to upstream ie: http://www.andreafabrizi.it/download.php?file=mysqlenum-0.3.tar.gz - Use %{version} macro instead of hard coded version (eg: in Source0) - %{_sysconfdir}/mysqlenum.conf should be marked as %config I added FE-SECLAB blocker since this package is in Security Lab spin wishlist. (In reply to comment #4) > - Source0 should be point to upstream ie: > http://www.andreafabrizi.it/download.php?file=mysqlenum-0.3.tar.gz I had done that, it causes error during $ rpmbuild -ba error: File /home/rpm/rpmbuild/SOURCES/download.php?file=%{name}-%{version}.tar.gz: No such file or directory Please see: SPEC: http://pjp.dgplug.org/tools/mysqlenum.spec SRPM: http://pjp.dgplug.org/tools/mysqlenum-0.3-2.fc16.src.rpm Koji: http://koji.fedoraproject.org/koji/taskinfo?taskID=3849235 Thanks. According to [1], you should use something like: # Upstream URL does not end with tarball name # You can get the tarball by following a link from: # http://www.andreafabrizi.it/download.php?file=mysqlenum-0.3.tar.gz Source0: %{name}-%{version}.tar.gz [1] http://fedoraproject.org/wiki/Packaging:SourceURL#Troublesome_URLs (In reply to comment #6) > # Upstream URL does not end with tarball name > # You can get the tarball by following a link from: > # http://www.andreafabrizi.it/download.php?file=mysqlenum-0.3.tar.gz > Source0: %{name}-%{version}.tar.gz Yep, done. Please see SPEC: http://pjp.dgplug.org/tools/mysqlenum.spec SRPM: http://pjp.dgplug.org/tools/mysqlenum-0.3-3.fc16.src.rpm Koji: http://koji.fedoraproject.org/koji/taskinfo?taskID=3849337 Thank you! pjp: please fill in your full name in bugzilla. Are you a member of the packaging group? Have you been sponsored? Please document what patch0 does. And be sure to run rpmlint on your rpms, at least the summary does not adhere to Fedora standards. (In reply to comment #8) > Are you a member of the packaging group? Have you been sponsored? Yes, I am. > Please document what patch0 does. And be sure to run rpmlint on your rpms, at > least the summary does not adhere to Fedora standards. Please see: SPEC: http://pjp.dgplug.org/tools/mysqlenum.spec SRPM: http://pjp.dgplug.org/tools/mysqlenum-0.3-4.fc16.src.rpm $ rpmlint SPECS/mysqlenum.spec SPECS/mysqlenum.spec: W: invalid-url Source0: mysqlenum-0.3.tar.gz 0 packages and 1 specfiles checked; 0 errors, 1 warnings. $ rpmlint RPMS/x86_64/mysqlenum-0.3-4.fc16.x86_64.rpm mysqlenum.x86_64: W: no-manual-page-for-binary mysqlenum 1 packages and 0 specfiles checked; 0 errors, 1 warnings. $ rpmlint SRPMS/mysqlenum-0.3-4.fc16.src.rpm mysqlenum.src: W: invalid-url Source0: mysqlenum-0.3.tar.gz 1 packages and 0 specfiles checked; 0 errors, 1 warnings. I think you should split the patch in 2 separate patchs, and add a comment about when you have sent them upstream ( and of course, sending them upstream ). See https://fedoraproject.org/wiki/Packaging:Guidelines#All_patches_should_have_an_upstream_bug_link_or_comment (In reply to comment #10) > I think you should split the patch in 2 separate patchs, Okay. > and add a comment > about when you have sent them upstream ( and of course, sending them upstream). Yes, I've sent(on Feb 29'th 2012) the patch to upstream author -> andrea.fabrizi But haven't heard anything from him. I've split the original patch into two: one for COPYING and other for the Makefile. Please see: SPEC: http://pjp.dgplug.org/tools/mysqlenum.spec SRPM: pjp.dgplug.org/tools/mysqlenum-0.3-5.fc16.src.rpm $ rpmlint SPECS/mysqlenum.spec SPECS/mysqlenum.spec: W: invalid-url Source0: mysqlenum-0.3.tar.gz 0 packages and 1 specfiles checked; 0 errors, 1 warnings. $ rpmlint RPMS/x86_64/mysqlenum-0.3-5.fc16.x86_64.rpm mysqlenum.x86_64: W: no-manual-page-for-binary mysqlenum 1 packages and 0 specfiles checked; 0 errors, 1 warnings. $ rpmlint SRPMS/mysqlenum-0.3-5.fc16.src.rpm mysqlenum.src: W: invalid-url Source0: mysqlenum-0.3.tar.gz 1 packages and 0 specfiles checked; 0 errors, 1 warnings. Thank you. The md5sum doesn't match, it seems that you repackaged everything in a different directory. You should not do it, and rather use -n option of %setup :
%setup -q -n %{name}
Please fix.
Also, please add post a complete url, as I am using fedora-review, and it is confuse if the url is not complete ( ie, without http:// ). And this is not needed to clean the buildroot in %install, see https://fedoraproject.org/wiki/Packaging:Guidelines#BuildRoot_tag Hi, I've made the changes, please see: SPEC: http://pjp.dgplug.org/tools/mysqlenum.spec SRPM: http://pjp.dgplug.org/tools/mysqlenum-0.3-6.fc16.x86_64.rpm $ rpmlint SPECS/mysqlenum.spec SPECS/mysqlenum.spec: W: invalid-url Source0: mysqlenum-0.3.tar.gz 0 packages and 1 specfiles checked; 0 errors, 1 warnings. $ rpmlint SRPMS/mysqlenum-0.3-6.fc16.src.rpm mysqlenum.src: W: invalid-url Source0: mysqlenum-0.3.tar.gz 1 packages and 0 specfiles checked; 0 errors, 1 warnings. $ rpmlint RPMS/x86_64/mysqlenum-0.3-6.fc16.x86_64.rpm mysqlenum.x86_64: W: no-manual-page-for-binary mysqlenum 1 packages and 0 specfiles checked; 0 errors, 1 warnings. (In reply to comment #16) > SRPM: http://pjp.dgplug.org/tools/mysqlenum-0.3-6.fc16.x86_64.rpm Please see: SRPM: http://pjp.dgplug.org/tools/mysqlenum-0.3-6.fc16.src.rpm You didn't fix the problem of comment #13 and that's a blocker. Hey sorry, I've fixed it. Please see: SPEC: http://pjp.dgplug.org/tools/mysqlenum.spec SRPM: http://pjp.dgplug.org/tools/mysqlenum-0.3-7.fc16.src.rpm $ rpmlint SPECS/mysqlenum.spec SPECS/mysqlenum.spec: W: invalid-url Source0: mysqlenum-0.3.tar.gz 0 packages and 1 specfiles checked; 0 errors, 1 warnings. $ rpmlint SRPMS/mysqlenum-0.3-7.fc16.src.rpm mysqlenum.src: W: invalid-url Source0: mysqlenum-0.3.tar.gz 1 packages and 0 specfiles checked; 0 errors, 1 warnings. $ rpmlint RPMS/x86_64/mysqlenum-0.3-7.fc16.x86_64.rpm mysqlenum.x86_64: W: no-manual-page-for-binary mysqlenum 1 packages and 0 specfiles checked; 0 errors, 1 warnings. Thank you. The tarball is still not matching the md5sum, the tarball upstream is using root user, and seems that the one in the rpm use the rpm user. I replaced the source tarball with the upstream one. Please see SPEC: http://pjp.dgplug.org/tools/mysqlenum.spec SRPM: http://pjp.dgplug.org/tools/mysqlenum-0.3-8.fc16.src.rpm $ rpmlint SPECS/mysqlenum.spec SPECS/mysqlenum.spec: W: invalid-url Source0: mysqlenum-0.3.tar.gz 0 packages and 1 specfiles checked; 0 errors, 1 warnings. $ rpmlint RPMS/x86_64/mysqlenum-0.3-8.fc16.x86_64.rpm mysqlenum.x86_64: W: no-manual-page-for-binary mysqlenum 1 packages and 0 specfiles checked; 0 errors, 1 warnings. $ rpmlint SRPMS/mysqlenum-0.3-8.fc16.src.rpm mysqlenum.src: W: invalid-url Source0: mysqlenum-0.3.tar.gz 1 packages and 0 specfiles checked; 0 errors, 1 warnings. Thank you. Hi, sorry to not have answered earlier, was busy IRL. I looked at the license side, and there is a base64.c base64.h files under BSD license with : * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the Apache Group * for use in the Apache HTTP server project (http://www.apache.org/)." Not sure if that's suitable for Fedora, so I place this as blocked by FE-Legal. BSD with advertising is a free software license albeit GPL incompatible. Acceptable for Fedora according to https://fedoraproject.org/wiki/Licensing:Main. PJP, do consult with upstream on whether they are willing to drop the advertising clause nevertheless. That license is actually ASL 1.0, which is Free but GPL-incompatible. Lifting FE-Legal. I wrote to upstream about the license issue more than a week ago, no reply yet. I wrote to upstream again, still no reply. Non responsive upstream, that's not good :/ any progress here? (In reply to comment #28) > any progress here? Nope, no reply from upstream. Another mail sent to upstream, waiting for reply. Upstream reply: +-------------------------+ | sorry but mysqlenum is an old software, that I not maintain anymore, | I do not recommend to you to package it. | | Regards, | Andrea |