Bug 869861

Summary: Review Request: pam_openshift - Openshift PAM module
Product: [Fedora] Fedora Reporter: Troy Dawson <tdawson>
Component: Package ReviewAssignee: Michael S. <misc>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: misc, notting, package-review
Target Milestone: ---Flags: misc: fedora-review+
gwync: fedora-cvs+
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-11-29 06:44:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Troy Dawson 2012-10-25 01:22:22 UTC
Spec URL: http://tdawson.fedorapeople.org/openshift-origin/pam_openshift.spec
SRPM URL: http://tdawson.fedorapeople.org/openshift-origin/pam_openshift-1.0.4-1.fc19.src.rpm
Description: The Openshift PAM module configures proper SELinux context for
processes in a session.
Fedora Account System Username: tdawson

Comment 1 Michael S. 2012-10-27 13:07:08 UTC
Hi, sorry for being late, I was a little too sick for doing it right now.

I have a few question :
- some files are under a BSD license, shouldn't it be reflected somewhere ?

- why pam-libra and pam-openshift provides/obsoletes ?
( I guess that's for internal reason of openshift, but once the transitition happened, this can be removed, I think )

- man page title is incorrect ( still use pam_libra ), I would suggest to regenerate it from the .xml, instead of using the copy shipped by upstream ( and ask to upstream to drop it, or at least, to place the needed code in the Makefile )

- I think there is some missing requires for shell scripts like attr and  policycoreutils. They are likely installed by default, but as they are marked as optional, I would add them explicitly ( following the whole discussion on fedora minimal installation on -devel )

Comment 2 Troy Dawson 2012-10-29 13:26:14 UTC
It is actually dual licensed code (BSD and/or GPL).  We are choosing to use GPL.  But ya, I'll see about getting that more clear upstream.

The original rpm was called pam-libra, and was then switched to pam-openshift.  There are currently instructions for "Build your own PAAS" for building those rpm's on Fedora.  So we know there are some people that need this.
But yes, upstream is planning on only having those there until they feel confident that nobody needs them anymore.

Man Pages:
Good catch, we'll fix that.  Upstream is also in the process of adding the missing man page.

Another good catch.

Upstream will soon have another release (with the man page fixes).  I'll work on getting the other changes you talked about in that version and we'll just use that version, instead of patching this version up.

Comment 3 Michael S. 2012-10-29 14:39:38 UTC
The rpm seemed otherwise good, so do we wait for next upstream release ?

Comment 4 Troy Dawson 2012-11-05 23:41:28 UTC
Spec URL: http://tdawson.fedorapeople.org/openshift-origin/pam_openshift.spec
SRPM URL: http://tdawson.fedorapeople.org/openshift-origin/pam_openshift-1.1.1-2.fc19.src.rpm

Man page fixed, also man page added for oo-namespace-init

I did a rpm -qp --requires pam_openshift and it listed both libattr.so.1 and libselinux.so.1.  So it picks up attr, but libselinux doesn't pull in policycoreutils, so I have added that.

The license is technically there and correct.  Since it's a dual license it's a little more confusing than normal.  I couldn't figure out a good way to make it more clear without possibly breaking the license.

Man page and Requires are in the merge path with upstream.  License requires more talking to upstream.  But I think for now it is good enough.

Comment 5 Troy Dawson 2012-11-20 22:51:25 UTC
Spec URL: http://tdawson.fedorapeople.org/openshift-origin/pam_openshift.spec
SRPM URL: http://tdawson.fedorapeople.org/openshift-origin/pam_openshift-1.1.2-2.fc18.src.rpm

Updated to latest stable version from upstream.
This version has all the fixes in it.

Comment 6 Michael S. 2012-11-22 09:10:58 UTC
Package Review

[x] = Pass
[!] = Fail
[-] = Not applicable
[?] = Not evaluated
[ ] = Manual review needed

===== Notes =====

- Requires on attr may still be needed ( but again, this is a in progress discussion )
- Licensing is a little bit unclear ( why GPLv2, not more, etc ), but I guess that's nitpicking ( especially since the code is already under a BSD license )

- explicit %attr is likely not needed in %files, as this is the default permission ( IIRC ). Not blocking but would be cleaner IMHO.

- not sure if that a groff issue or a man page issue
pam_openshift.x86_64: W: manual-page-warning /usr/share/man/man8/pam_openshift.8.gz 169: warning: macro `HTML-TAG' not defined

Man page display fine, so let's say this is not blocking.

So the package is approved.

===== MUST items =====

[x]: Package does not contain any libtool archives (.la)
[x]: Package does not contain kernel modules.
[x]: Package contains no static executables.
[x]: Rpath absent or only used for internal libs.
[x]: Development (unversioned) .so files in -devel subpackage, if present.
     Note: Unversioned so-files in private %_libdir subdirectory (see
     attachment). Verify they are not in ld path.

[x]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
[x]: %build honors applicable compiler flags or justifies otherwise.
[x]: All build dependencies are listed in BuildRequires, except for any that
     are listed in the exceptions section of Packaging Guidelines.
[x]: Package contains no bundled libraries.
[x]: Changelog in prescribed format.
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
[x]: Sources contain only permissible code or content.
[x]: Each %files section contains %defattr if rpm < 4.4
[x]: Macros in Summary, %description expandable at SRPM build time.
[-]: Package contains desktop file if it is a GUI application.
[-]: Development files must be in a -devel package
[x]: Package requires other packages for directories it uses.
[x]: Package uses nothing in %doc for runtime.
[x]: Package is not known to require ExcludeArch.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Fully versioned dependency in subpackages, if present.
[x]: Package complies to the Packaging Guidelines
[x]: Spec file lacks Packager, Vendor, PreReq tags.
[x]: If (and only if) the source package includes the text of the license(s)
     in its own file, then that file, containing the text of the license(s)
     for the package is included in %doc.
[x]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses found:
     "BSD (3 clause)". 1 files have unknown license. Detailed output of
     licensecheck in
[x]: Package consistently uses macro is (instead of hard-coded directory
[x]: Package is named using only allowed ASCII characters.
[x]: Package is named according to the Package Naming Guidelines.
[x]: Package does not generate any conflict.
     Note: Package contains no Conflicts: tag(s)
[x]: Package do not use a name that already exist
[x]: Package obeys FHS, except libexecdir and /usr/target.
[x]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[x]: Package must own all directories that it creates.
[x]: Package does not own files or directories owned by other packages.
[x]: Package is not relocatable.
[x]: Requires correct, justified where necessary.
[x]: Sources used to build the package match the upstream source, as provided
     in the spec URL.
[x]: Spec file is legible and written in American English.
[x]: Spec file name must match the spec package %{name}, in the format
[-]: Package contains systemd file(s) if in need.
[x]: File names are valid UTF-8.
[x]: Useful -debuginfo package or justification otherwise.
[x]: Large documentation must go in a -doc subpackage.
     Note: Documentation size is 30720 bytes in 5 files.
[x]: Packages must not store files under /srv, /opt or /usr/local

===== SHOULD items =====

[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or
[-]: If the source package does not include license text(s) as a separate file
     from upstream, the packager SHOULD query upstream to include it.
[x]: Dist tag is present.
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Final provides and requires are sane (rpm -q --provides and rpm -q
[-]: Package functions as described.
[x]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[!]: Uses parallel make.
[x]: SourceX tarball generation or download is documented.
[x]: SourceX / PatchY prefixed with %{name}.
[x]: SourceX is a working URL.
[-]: Description and summary sections in the package spec file contains
     translations for supported Non-English languages, if available.
[x]: Package should compile and build into binary rpms on all supported
[-]: %check is present and all tests pass.
[x]: Packages should try to preserve timestamps of original installed files.
[x]: Spec use %global instead of %define.

===== EXTRA items =====

[x]: Spec file according to URL is the same as in SRPM.
[x]: Large data in /usr/share should live in a noarch subpackage if package is

Checking: pam_openshift-1.1.2-2.fc17.x86_64.rpm
pam_openshift.x86_64: W: spelling-error Summary(en_US) Openshift -> Open shift, Open-shift, Downshift
pam_openshift.x86_64: W: manual-page-warning /usr/share/man/man8/pam_openshift.8.gz 169: warning: macro `HTML-TAG' not defined
pam_openshift.x86_64: W: manual-page-warning /usr/share/man/man8/pam_openshift.8.gz 169: warning: macro `"' not defined
1 packages and 0 specfiles checked; 0 errors, 3 warnings.

Rpmlint (installed packages)
# rpmlint pam_openshift
pam_openshift.x86_64: W: spelling-error Summary(en_US) Openshift -> Open shift, Open-shift, Downshift
pam_openshift.x86_64: W: manual-page-warning /usr/share/man/man8/pam_openshift.8.gz 169: warning: macro `HTML-TAG' not defined
pam_openshift.x86_64: W: manual-page-warning /usr/share/man/man8/pam_openshift.8.gz 169: warning: macro `"' not defined
1 packages and 0 specfiles checked; 0 errors, 3 warnings.
# echo 'rpmlint-done:'

pam_openshift (rpmlib, GLIBC filtered):


Unversioned so-files
pam_openshift: /lib64/security/pam_libra.so
pam_openshift: /lib64/security/pam_openshift.so

MD5-sum check
http://mirror.openshift.com/pub/origin-server/source/pam_openshift/pam_openshift-1.1.2.tar.gz :
  CHECKSUM(SHA256) this package     : a3fc4758128aaf2566017e964d3df3e5a9e005c7b50e09f7c1adf04d052e9def
  CHECKSUM(SHA256) upstream package : a3fc4758128aaf2566017e964d3df3e5a9e005c7b50e09f7c1adf04d052e9def

Generated by fedora-review 0.2.0 (Unknown) last change: Unknown
Buildroot used: fedora-17-x86_64
Command line :./try-fedora-review -b 869861

Comment 7 Troy Dawson 2012-11-24 16:35:21 UTC
New Package SCM Request
Package Name: pam_openshift
Short Description: Openshift PAM module
Owners: tdawson maxamillion
Branches: f18 f17

Comment 8 Gwyn Ciesla 2012-11-24 18:19:33 UTC
Git done (by process-git-requests).

Comment 9 Fedora Update System 2012-11-25 01:01:10 UTC
pam_openshift-1.1.2-2.fc18 has been submitted as an update for Fedora 18.

Comment 10 Fedora Update System 2012-11-25 19:29:47 UTC
pam_openshift-1.1.2-2.fc18 has been pushed to the Fedora 18 testing repository.

Comment 11 Fedora Update System 2012-11-29 06:44:27 UTC
pam_openshift-1.1.2-2.fc18 has been pushed to the Fedora 18 stable repository.