Bug 816975
Summary: | Review Request: mod_security_crs - ModSecurity Rules | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Peter Vrabec <pvrabec> |
Component: | Package Review | Assignee: | Marcela Mašláňová <mmaslano> |
Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | rawhide | CC: | athmanem, notting, package-review |
Target Milestone: | --- | Flags: | mmaslano:
fedora-review+
gwync: fedora-cvs+ |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2012-05-07 12:14:21 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Peter Vrabec
2012-04-27 11:29:50 UTC
Upgraded mod_security package, which is not available in repo yet, is required to install/test the rule set. http://people.redhat.com/pvrabec/mod_security/mod_security-2.6.5-2.fc16.src.rpm $ rpmlint /home/pvrabec/rpmbuild/SRPMS/mod_security_crs-2.2.4-1.fc16.src.rpm mod_security_crs.src:35: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/base_rules mod_security_crs.src:36: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/optional_rules mod_security_crs.src:37: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/experimental_rules mod_security_crs.src:38: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/slr_rules mod_security_crs.src:41: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/base_rules/ mod_security_crs.src:42: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/optional_rules/ mod_security_crs.src:43: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/experimental_rules/ mod_security_crs.src:44: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/slr_rules mod_security_crs.src:47: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/base_rules/` mod_security_crs.src:48: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/base_rules/$f mod_security_crs.src:60: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/base_rules mod_security_crs.src:63: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/optional_rules mod_security_crs.src:64: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/experimental_rules mod_security_crs.src:65: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/slr_rules 1 packages and 0 specfiles checked; 14 errors, 0 warnings. I suppose this is OK - according to the latest systemd trends. Could you create mod_security review in bugzilla and add the number into "depends on" in this review? I'll look at it. Package Review ============== Key: - = N/A x = Pass ! = Fail ? = Not evaluated ==== Generic ==== [!]: MUST Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines. [x]: MUST Package successfully compiles and builds into binary rpms on at least one supported primary architecture. [-]: MUST %build honors applicable compiler flags or justifies otherwise. [x]: MUST All build dependencies are listed in BuildRequires, except for any that are listed in the exceptions section of Packaging Guidelines. [!]: MUST Buildroot is not present Note: Buildroot is not needed unless packager plans to package for EPEL5 [x]: MUST Package contains no bundled libraries. [x]: MUST Changelog in prescribed format. [!]: MUST Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT) Note: Clean is needed only if supporting EPEL [x]: MUST Sources contain only permissible code or content. [x]: MUST %config files are marked noreplace or the reason is justified. [x]: MUST Each %files section contains %defattr if rpm < 4.4 Note: Note: defattr macros not found. They would be needed for EPEL5 [x]: MUST Macros in Summary, %description expandable at SRPM build time. [!]: MUST Package requires other packages for directories it uses. [x]: MUST Package uses nothing in %doc for runtime. [-]: MUST Package is not known to require ExcludeArch. [x]: MUST Permissions on files are set properly. [x]: MUST Package does not contain duplicates in %files. [x]: MUST Fully versioned dependency in subpackages, if present. [x]: MUST Spec file lacks Packager, Vendor, PreReq tags. [!]: MUST Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install. Note: rm -rf is only needed if supporting EPEL5 [-]: MUST Large documentation files are in a -doc subpackage, if required. [x]: MUST If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %doc. [x]: MUST License field in the package spec file matches the actual license. [x]: MUST License file installed when any subpackage combination is installed. [x]: MUST Package consistently uses macros (instead of hard-coded directory names). [x]: MUST Package is named according to the Package Naming Guidelines. [x]: MUST No %config files under /usr. [x]: MUST Package does not generate any conflict. [ ]: MUST Package obeys FHS, except libexecdir and /usr/target. [x]: MUST Package must own all directories that it creates. [x]: MUST Package does not own files or directories owned by other packages. [ ]: MUST Package installs properly. [!]: MUST Requires correct, justified where necessary. [!]: MUST Rpmlint output is silent. rpmlint mod_security_crs-2.2.4-1.fc18.src.rpm rpmlint mod_security_crs-2.2.4-1.fc18.src.rpm mod_security_crs.src:35: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/base_rules mod_security_crs.src:36: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/optional_rules mod_security_crs.src:37: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/experimental_rules mod_security_crs.src:38: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/slr_rules mod_security_crs.src:41: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/base_rules/ mod_security_crs.src:42: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/optional_rules/ mod_security_crs.src:43: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/experimental_rules/ mod_security_crs.src:44: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/slr_rules mod_security_crs.src:47: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/base_rules/` mod_security_crs.src:48: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/base_rules/$f mod_security_crs.src:60: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/base_rules mod_security_crs.src:63: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/optional_rules mod_security_crs.src:64: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/experimental_rules mod_security_crs.src:65: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/slr_rules 1 packages and 0 specfiles checked; 14 errors, 0 warnings. rpmlint mod_security_crs-2.2.4-1.fc18.noarch.rpm mod_security_crs.noarch: W: only-non-binary-in-usr-lib mod_security_crs.noarch: W: install-file-in-docs /usr/share/doc/mod_security_crs-2.2.4/INSTALL 1 packages and 0 specfiles checked; 0 errors, 2 warnings. rpmlint mod_security_crs-extras-2.2.4-1.fc18.noarch.rpm mod_security_crs-extras.noarch: W: only-non-binary-in-usr-lib mod_security_crs-extras.noarch: W: no-documentation 1 packages and 0 specfiles checked; 0 errors, 2 warnings. [!]: MUST Sources used to build the package match the upstream source, as provided in the spec URL. /home/marca/Development/816975/modsecurity-crs_2.2.4.tar.gz : MD5SUM this package : 160321534ba4859ccdb04ae1648fb51d MD5SUM upstream package : 62179bdbe8304e997ff206cb3bf62f12 [x]: MUST Spec file is legible and written in American English. [x]: MUST Spec file name must match the spec package %{name}, in the format %{name}.spec. [-]: MUST Package contains a SysV-style init script if in need of one. [x]: MUST File names are valid UTF-8. [-]: MUST Useful -debuginfo package or justification otherwise. [x]: SHOULD Reviewer should test that the package builds in mock. [x]: SHOULD If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it. [x]: SHOULD Dist tag is present. [!]: SHOULD No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin. [!]: SHOULD Final provides and requires are sane (rpm -q --provides and rpm -q --requires). [x]: SHOULD Package functions as described. [x]: SHOULD Latest version is packaged. [x]: SHOULD Package does not include license text files separate from upstream. [x]: SHOULD SourceX is a working URL. [-]: SHOULD Description and summary sections in the package spec file contains translations for supported Non-English languages, if available. [x]: SHOULD Package should compile and build into binary rpms on all supported architectures. [x]: SHOULD Package should compile and build into binary rpms on all supported architectures. [x]: SHOULD %check is present and all tests pass. [x]: SHOULD Packages should try to preserve timestamps of original installed files. [x]: SHOULD Spec use %global instead of %define. Issues: [!]: MUST Buildroot is not present Note: Buildroot is not needed unless packager plans to package for EPEL5 See: http://fedoraproject.org/wiki/Packaging/Guidelines#BuildRoot_tag [!]: MUST Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT) Note: Clean is needed only if supporting EPEL See: http://fedoraproject.org/wiki/Packaging/Guidelines#.25clean [!]: MUST Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install. Note: rm -rf is only needed if supporting EPEL5 See: None [!]: MUST Rpmlint output is silent. rpmlint mod_security_crs-2.2.4-1.fc18.src.rpm mod_security_crs.src:35: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/base_rules mod_security_crs.src:36: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/optional_rules mod_security_crs.src:37: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/experimental_rules mod_security_crs.src:38: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/slr_rules mod_security_crs.src:41: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/base_rules/ mod_security_crs.src:42: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/optional_rules/ mod_security_crs.src:43: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/experimental_rules/ mod_security_crs.src:44: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/slr_rules mod_security_crs.src:47: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/base_rules/` mod_security_crs.src:48: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/base_rules/$f mod_security_crs.src:60: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/base_rules mod_security_crs.src:63: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/optional_rules mod_security_crs.src:64: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/experimental_rules mod_security_crs.src:65: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/slr_rules 1 packages and 0 specfiles checked; 14 errors, 0 warnings. Why are you using modsecurity.d instead of modesecurity? We can discuss it later, because there are loads of other problems. rpmlint mod_security_crs-2.2.4-1.fc18.noarch.rpm mod_security_crs.noarch: W: only-non-binary-in-usr-lib mod_security_crs.noarch: W: install-file-in-docs /usr/share/doc/mod_security_crs-2.2.4/INSTALL 1 packages and 0 specfiles checked; 0 errors, 2 warnings. rpmlint mod_security_crs-extras-2.2.4-1.fc18.noarch.rpm mod_security_crs-extras.noarch: W: only-non-binary-in-usr-lib mod_security_crs-extras.noarch: W: no-documentation 1 packages and 0 specfiles checked; 0 errors, 2 warnings. See: http://fedoraproject.org/wiki/Packaging/Guidelines#rpmlint [!]: MUST Sources used to build the package match the upstream source, as provided in the spec URL. /home/marca/Development/816975/modsecurity-crs_2.2.4.tar.gz : MD5SUM this package : 160321534ba4859ccdb04ae1648fb51d MD5SUM upstream package : 62179bdbe8304e997ff206cb3bf62f12 See: http://fedoraproject.org/wiki/Packaging/SourceURL The path to Perl differs in every script. Replace /opt/usr/local/perl by /usr/bin/perl in spec in the install section. Same problem with lua scripts. Use the default installation, not /opt. Not sure if you don't need set requires lua. It's in BR, but I'm not sure how it is with run time. You are surely missing requires on Perl modules. You need to require them for full functionality of those scripts: Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) Requires: perl(XMLRPC::Lite), perl(HTTP::Cookies), Time::Local, Sys::Hostname, LWP::UserAgent, LWP::Debug, URI, HTTP::Date, Cwd, Getopt::Std, IO::File, IO::Socket, IO::Select, HTTP::Request, HTTP::Response, Safe, Storable, Getopt::Long, Pod::Usage, FindBin, Data::Dumper, Sys::Hostname, Data::Types, Switch (all of these will have perl(XXX) around). non-mandatory: perl(GnuPG) Unresolved dependency: mod_security >= 2.6.5 The description is not descriptive enough. It's not obvious what is mod_security doing. The deffattr attribute is needed in EL-5 and older. Fix it to correct %defattr (-,root,root,-) or remove it. License: I wonder where you get GPLv2. In License file and in code is only ASL 2.0. Generated by fedora-review 0.1.3 External plugins: updated package is available here: Spec URL: http://people.redhat.com/pvrabec/mod_security/mod_security_crs.spec SRPM URL: http://people.redhat.com/pvrabec/mod_security/mod_security_crs-2.2.4-2.fc16.src.rpm Some issues that you mentioned are fixed. What is not fixed? * MD5SUM this package : 160321534ba4859ccdb04ae1648fb51d MD5SUM upstream package : 62179bdbe8304e997ff206cb3bf62f12 This must be bug in fedora-review tool. :) I have double checked the sources from upstream and it was OK. * "Why are you using modsecurity.d instead of modesecurity?" I'm inclined to "modsecurity.d" for these reasons: - upstream prefers .d - we used to put rules files in .d directory - a main package (mod_security) use /etc/httpd/modsecurity.d/ for rules * perl and lua dependencies are not relevant because we don't ship any scripts in the package. * mod_security >= 2.6.5 & mod_security review mod_security-2.6.5 is already available in rawhide. The review is not needed. I hope the rest is OK. thnx. for the review. (In reply to comment #5) > updated package is available here: > Spec URL: http://people.redhat.com/pvrabec/mod_security/mod_security_crs.spec > SRPM URL: > http://people.redhat.com/pvrabec/mod_security/mod_security_crs-2.2.4-2.fc16.src.rpm > > Some issues that you mentioned are fixed. > > What is not fixed? > > * MD5SUM this package : 160321534ba4859ccdb04ae1648fb51d > MD5SUM upstream package : 62179bdbe8304e997ff206cb3bf62f12 > This must be bug in fedora-review tool. :) I have double checked the sources > from upstream and it was OK. > I filed a bug https://fedorahosted.org/FedoraReview/ticket/49 > * "Why are you using modsecurity.d instead of modesecurity?" > I'm inclined to "modsecurity.d" for these reasons: > - upstream prefers .d > - we used to put rules files in .d directory > - a main package (mod_security) use /etc/httpd/modsecurity.d/ for rules > OK. > * perl and lua dependencies are not relevant because we don't ship any scripts > in the package. > OK. > * mod_security >= 2.6.5 & mod_security review > mod_security-2.6.5 is already available in rawhide. The review is not needed. > > > I hope the rest is OK. thnx. for the review. OK. APPROVED New Package SCM Request ======================= Package Name: mod_security_crs Short Description: ModSecurity Rules Owners: pvrabec Branches: f17 InitialCC: Git done (by process-git-requests). I'd like to maintain a epel branch of this packages (required by mod_security) Package Change Request ====================== Package Name: mod_security_crs New Branches: el5 el6 Owners: athmane Peter, any objections? No objections, I'm very happy to see Athmane's effort. Package Change Request ====================== Package Name: mod_security_crs New Branches: el5 el6 Owners: athmane Git done (by process-git-requests). |