Bug 848043

Summary: Review Request: sshguard - Protect hosts from brute force attacks against ssh
Product: [Fedora] Fedora Reporter: Sebastien Caps <sebastien.caps>
Component: Package ReviewAssignee: Nobody's working on this, feel free to take it <nobody>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: rawhideCC: bleanhar, notting, package-review
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-12-31 04:23:24 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Attachments:
Description Flags
files with conflicting licenses none

Description Sebastien Caps 2012-08-14 08:27:47 EDT
Spec URL: http://repo.virer.net/raw/sshguard.spec
SRPM URL: http://repo.virer.net/raw/sshguard-1.5-1.src.rpm
Description: 
Sshguard protects networked hosts from brute force attacks
against ssh servers. It detects such attacks and blocks the
attacker's address with a firewall rule.

Fedora Account System Username: virer
Comment 1 Brenton Leanhardt 2012-08-14 10:18:12 EDT
Hi,

I would like to perform an informal review as part of my sponsorship process.

You should use the dist tag in your release:
https://fedoraproject.org/wiki/Packaging/DistTag

The Buildroot tag should not be used:
http://fedoraproject.org/wiki/Packaging:Guidelines#BuildRoot_tag

Also, these lines are not needed:
[ "%{buildroot}" != "/" ] && rm -rf %{buildroot}

They are essentially doing the same thing as the clean tag, which is also not needed:
http://fedoraproject.org/wiki/Packaging:Guidelines#.25clean
Comment 3 Brenton Leanhardt 2012-08-14 10:53:33 EDT
This looks pretty good!  Apologies for not making myself more clear in my last comment.  You can actually remove the %clean section altogether:

http://fedoraproject.org/wiki/Packaging:Guidelines#.25clean
Comment 4 Sebastien Caps 2012-08-14 11:00:46 EDT
Oh! I need new glasses. Thanks again :)

SRPMS: 
http://repo.virer.net/raw/sshguard-1.5-1.fc16.src.rpm
SPEC:  
http://repo.virer.net/raw/sshguard.spec
Comment 5 Brenton Leanhardt 2012-08-14 11:15:02 EDT
Hmm, I think this is still the old spec file.  The following lines should be removed:

BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot

%clean
rm -rf $RPM_BUILD_ROOT

I had the same problem when I was submitting my first packages and eventually I started scp'ing the files to a timestamped directory on my webserver to avoid confusion.  eg,

http://repo.virer.net/raw/package-reviews/201208141113/sshguard.spec

It's also good to start getting into the practice up bumping the Release number in the spec and updating the changelog.
Comment 7 Brenton Leanhardt 2012-08-14 11:48:59 EDT
Thanks for the prompt fixes.  Here's the full output of fedora review.  I'm not in the package group yet so someone else will need to do the final approval.  However that process should go quicker for you now.  Good luck!!


Package Review
==============

Key:
- = N/A
x = Pass
! = Fail
? = Not evaluated



==== C/C++ ====
[x]: MUST Package does not contain any libtool archives (.la)
[ ]: MUST Package does not contain kernel modules.
[ ]: MUST Package contains no static executables.
[x]: MUST Rpath absent or only used for internal libs.


==== Generic ====
[x]: EXTRA Rpmlint is run on all installed packages.
     Note: No rpmlint messages.
[x]: EXTRA Spec file according to URL is the same as in SRPM.
[ ]: MUST Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[x]: MUST Package successfully compiles and builds into binary rpms on at
     least one supported primary architecture.
[ ]: MUST %build honors applicable compiler flags or justifies otherwise.
[x]: MUST All build dependencies are listed in BuildRequires, except for any
     that are listed in the exceptions section of Packaging Guidelines.
[ ]: MUST Package contains no bundled libraries.
[ ]: MUST Changelog in prescribed format.
[ ]: MUST Sources contain only permissible code or content.
[x]: MUST Each %files section contains %defattr if rpm < 4.4
     Note: Note: defattr macros not found. They would be needed for EPEL5
[ ]: MUST Macros in Summary, %description expandable at SRPM build time.
[ ]: MUST Package contains desktop file if it is a GUI application.
[ ]: MUST Development files must be in a -devel package
[ ]: MUST Package requires other packages for directories it uses.
[ ]: MUST Package uses nothing in %doc for runtime.
[ ]: MUST Package is not known to require ExcludeArch.
[x]: MUST Permissions on files are set properly.
[x]: MUST Package does not contain duplicates in %files.
[ ]: MUST Package complies to the Packaging Guidelines
[x]: MUST Spec file lacks Packager, Vendor, PreReq tags.
[x]: MUST Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
     Note: rm -rf would be needed if support for EPEL5 is required
[ ]: MUST Large documentation files are in a -doc subpackage, if required.
[ ]: MUST If (and only if) the source package includes the text of the
     license(s) in its own file, then that file, containing the text of the
     license(s) for the package is included in %doc.
[ ]: MUST License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses found:
     "Public domain", "ISC", "GPL" For detailed output of licensecheck see
     file: /home/rpmbuild/rpmbuild/SPECS/sshguard/licensecheck.txt
[ ]: MUST Package consistently uses macro is (instead of hard-coded directory
     names).
[x]: MUST Package is named using only allowed ascii characters.
[ ]: MUST Package is named according to the Package Naming Guidelines.
[ ]: MUST Package does not generate any conflict.
     Note: Package contains no Conflicts: tag(s)
[ ]: MUST Package obeys FHS, except libexecdir and /usr/target.
[ ]: MUST If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[ ]: MUST Package must own all directories that it creates.
[ ]: MUST Package does not own files or directories owned by other packages.
[x]: MUST Package installs properly.
[ ]: MUST Package is not relocatable.
[ ]: MUST Requires correct, justified where necessary.
[x]: MUST Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: MUST Sources used to build the package match the upstream source, as
     provided in the spec URL.
[ ]: MUST Spec file is legible and written in American English.
[x]: MUST Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[ ]: MUST Package contains systemd file(s) if in need.
[x]: MUST File names are valid UTF-8.
[ ]: MUST Useful -debuginfo package or justification otherwise.
[x]: SHOULD Reviewer should test that the package builds in mock.
[x]: SHOULD Buildroot is not present
     Note: Unless packager wants to package for EPEL5 this is fine
[x]: SHOULD Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
     Note: Clean would be needed if support for EPEL5 is required
[ ]: SHOULD If the source package does not include license text(s) as a
     separate file from upstream, the packager SHOULD query upstream to
     include it.
[x]: SHOULD Dist tag is present.
[x]: SHOULD No file requires outside of /etc, /bin, /sbin, /usr/bin,
     /usr/sbin.
[ ]: SHOULD Final provides and requires are sane (rpm -q --provides and rpm -q
     --requires).
[ ]: SHOULD Package functions as described.
[ ]: SHOULD Latest version is packaged.
[ ]: SHOULD Package does not include license text files separate from
     upstream.
[x]: SHOULD SourceX tarball generation or download is documented.
[x]: SHOULD SourceX / PatchY prefixed with %{name}.
[x]: SHOULD SourceX is a working URL.
[ ]: SHOULD Description and summary sections in the package spec file contains
     translations for supported Non-English languages, if available.
[ ]: SHOULD Package should compile and build into binary rpms on all supported
     architectures.
[ ]: SHOULD %check is present and all tests pass.
[ ]: SHOULD Packages should try to preserve timestamps of original installed
     files.
[x]: SHOULD Spec use %global instead of %define.

Rpmlint
-------
Checking: sshguard-debuginfo-1.5-2.fc16.i686.rpm
          sshguard-1.5-2.fc16.i686.rpm
          sshguard-1.5-2.fc16.src.rpm
sshguard-debuginfo.i686: E: empty-debuginfo-package
3 packages and 0 specfiles checked; 1 errors, 0 warnings.


Rpmlint (installed packages)
----------------------------
# rpmlint sshguard
sshguard.i686: I: enchant-dictionary-not-found en_US
1 packages and 0 specfiles checked; 0 errors, 0 warnings.
# echo 'rpmlint-done:'

Requires
--------
sshguard-debuginfo-1.5-2.fc16.i686.rpm (rpmlib, GLIBC filtered):
    

sshguard-1.5-2.fc16.i686.rpm (rpmlib, GLIBC filtered):
    
    iptables  
    libc.so.6  
    libpthread.so.0  
    openssh-server  
    rtld(GNU_HASH)  

Provides
--------
sshguard-debuginfo-1.5-2.fc16.i686.rpm:
    
    sshguard-debuginfo = 1.5-2.fc16
    sshguard-debuginfo(x86-32) = 1.5-2.fc16

sshguard-1.5-2.fc16.i686.rpm:
    
    sshguard = 1.5-2.fc16
    sshguard(x86-32) = 1.5-2.fc16

MD5-sum check
-------------
http://downloads.sourceforge.net/sshguard/sshguard-1.5.tar.bz2 :
  CHECKSUM(SHA256) this package     : b537f8765455fdf8424f87d4bd695e5b675b88e5d164865452137947093e7e19
  CHECKSUM(SHA256) upstream package : b537f8765455fdf8424f87d4bd695e5b675b88e5d164865452137947093e7e19


Generated by fedora-review 0.2.2 (9f8c0e5) last change: 2012-08-09
Command line :/usr/bin/fedora-review -n sshguard
External plugins:
Comment 8 Brenton Leanhardt 2012-08-14 13:56:19 EDT
My sponsor reminded me I need to manually verify all items from the last post that were not automatically detected.  My comments are inline.  The main problems are licensing related.


==== Generic ====
[x]: EXTRA Rpmlint is run on all installed packages.
     Note: No rpmlint messages.
[x]: EXTRA Spec file according to URL is the same as in SRPM.
[!]: MUST Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.

The specfile specifies the license is GPLv2+ however that does not appear to be the case.  In the README it looks like there are technically 2 licenses used and then 1 library in the public domain.  Other files mention the GPL.  It will be important to have upstream clarify the license.

[x]: MUST Package successfully compiles and builds into binary rpms on at
     least one supported primary architecture.
[x]: MUST %build honors applicable compiler flags or justifies otherwise.
[x]: MUST All build dependencies are listed in BuildRequires, except for any
     that are listed in the exceptions section of Packaging Guidelines.
[x]: MUST Package contains no bundled libraries.
[!]: MUST Changelog in prescribed format.

You don't technically need to include %{?dist} in the changelog.

[x]: MUST Sources contain only permissible code or content.
[x]: MUST Each %files section contains %defattr if rpm < 4.4
     Note: Note: defattr macros not found. They would be needed for EPEL5
[-]: MUST Macros in Summary, %description expandable at SRPM build time.
[-]: MUST Package contains desktop file if it is a GUI application.
[-]: MUST Development files must be in a -devel package
[-]: MUST Package requires other packages for directories it uses.
[x]: MUST Package uses nothing in %doc for runtime.
[x]: MUST Package is not known to require ExcludeArch.
[x]: MUST Permissions on files are set properly.
[x]: MUST Package does not contain duplicates in %files.
[x]: MUST Package complies to the Packaging Guidelines
[x]: MUST Spec file lacks Packager, Vendor, PreReq tags.
[x]: MUST Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
     Note: rm -rf would be needed if support for EPEL5 is required
[-]: MUST Large documentation files are in a -doc subpackage, if required.
[-]: MUST If (and only if) the source package includes the text of the
     license(s) in its own file, then that file, containing the text of the
     license(s) for the package is included in %doc.
[!]: MUST License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses found:
     "Public domain", "ISC", "GPL" For detailed output of licensecheck see
     file: /home/rpmbuild/rpmbuild/SPECS/sshguard/licensecheck.txt

I've attached this file to help you.

[x]: MUST Package consistently uses macro is (instead of hard-coded directory
     names).
[x]: MUST Package is named using only allowed ascii characters.
[x]: MUST Package is named according to the Package Naming Guidelines.
[x]: MUST Package does not generate any conflict.
     Note: Package contains no Conflicts: tag(s)
[x]: MUST Package obeys FHS, except libexecdir and /usr/target.
[-]: MUST If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[x]: MUST Package must own all directories that it creates.
[x]: MUST Package does not own files or directories owned by other packages.
[x]: MUST Package installs properly.
[x]: MUST Package is not relocatable.
[x]: MUST Requires correct, justified where necessary.
[x]: MUST Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: MUST Sources used to build the package match the upstream source, as
     provided in the spec URL.
[x]: MUST Spec file is legible and written in American English.
[x]: MUST Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[!]: MUST Package contains systemd file(s) if in need.

I appears sshguard run as a daemon process and would therefore require a systemd file.

[x]: MUST File names are valid UTF-8.
[x]: MUST Useful -debuginfo package or justification otherwise.
[x]: SHOULD Reviewer should test that the package builds in mock.
[x]: SHOULD Buildroot is not present
     Note: Unless packager wants to package for EPEL5 this is fine
[x]: SHOULD Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
     Note: Clean would be needed if support for EPEL5 is required
[x]: SHOULD If the source package does not include license text(s) as a
     separate file from upstream, the packager SHOULD query upstream to
     include it.
[x]: SHOULD Dist tag is present.
[x]: SHOULD No file requires outside of /etc, /bin, /sbin, /usr/bin,
     /usr/sbin.
[x]: SHOULD Final provides and requires are sane (rpm -q --provides and rpm -q
     --requires).
[x]: SHOULD Package functions as described.
[x]: SHOULD Latest version is packaged.
[x]: SHOULD Package does not include license text files separate from
     upstream.
[x]: SHOULD SourceX tarball generation or download is documented.
[x]: SHOULD SourceX / PatchY prefixed with %{name}.
[x]: SHOULD SourceX is a working URL.
[x]: SHOULD Description and summary sections in the package spec file contains
     translations for supported Non-English languages, if available.
[x]: SHOULD Package should compile and build into binary rpms on all supported
     architectures.
[-]: SHOULD %check is present and all tests pass.
[x]: SHOULD Packages should try to preserve timestamps of original installed
     files.
[x]: SHOULD Spec use %global instead of %define.
Comment 9 Sebastien Caps 2012-08-16 11:48:06 EDT
Ok answer from upstream licence is BSD (don't know why mandrake mention GPLv2+)
I have created systemd scripts I will try to push them upstream when validated.

SRPM:
http://repo.virer.net/PackagesReviews/2012081617/sshguard-1.5-3.fc16.src.rpm
SPEC:
http://repo.virer.net/PackagesReviews/2012081617/sshguard.spec
Comment 10 Brenton Leanhardt 2012-08-16 13:08:23 EDT
Thanks for tracking that down.  Unfortunately there definitely appears to be some conflicting licenses mentioned in the code.  I'll attach the output of the fedora-review license checker.

In the case where this project needs multiple licensing you can see this page:
http://fedoraproject.org/wiki/Packaging:LicensingGuidelines#Multiple_Licensing_Scenarios

Also, there is a minor diff between the linked specfile and the SRPM specfile.  I occationally have this problem too so just be careful. :)
Comment 11 Brenton Leanhardt 2012-08-16 13:10:45 EDT
Created attachment 604981 [details]
files with conflicting licenses

You can see there are some files with GPL licenses and others with what fedora-review thinks is ISC (but may indeed be BSD).
Comment 12 Sebastien Caps 2012-08-16 15:50:26 EDT
Ok added Public Domain and GPLv2+ in the license list
SPEC:
http://repo.virer.net/PackagesReviews/2012081620/sshguard.spec
SRPM:
http://repo.virer.net/PackagesReviews/2012081620/sshguard-1.5-4.fc16.src.rpm
Comment 13 Sebastien Caps 2012-08-29 11:15:41 EDT
fc18 build
http://koji.fedoraproject.org/koji/taskinfo?taskID=4434562
Comment 14 Sebastien Caps 2012-12-31 04:23:24 EST
Since I still lack of sponsor and I have no more time to spend on it, I close it.