Bug 958585
| Summary: | Review Request: mosquitto - An Open Source MQTT v3.1 Broker | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Rich Mattes <richmattes> |
| Component: | Package Review | Assignee: | Christopher Meng <i> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | rawhide | CC: | esandeen, i, notting, roger |
| Target Milestone: | --- | Flags: | i: fedora-review+, gwync: fedora-cvs+ |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | mosquitto-1.2-1.fc19 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-08-29 22:21:47 UTC | Type: | --- |
Description
Rich Mattes
2013-05-01 22:35:23 UTC
*** Bug 638459 has been marked as a duplicate of this bug. ***

Hi,

License check shows this package is 2-clause and 3-clause mix licensed. And I found that there shouldn't be any problems if there is no uthash library bundled.

BSD (2 clause)
--------------
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/mosquitto-1.1.3/src/uthash.h

This package bundles the uthash library. I just packaged it in June, so please unbundle it.

===============

Another problem is in its code, as the warnings said:

mosquitto.i686: E: missing-call-to-setgroups /usr/sbin/mosquitto

This error output has been renamed to missing-call-to-setgroups-before-setuid. This will be available in the next version.

And the explanation is:

This executable is calling setuid and setgid without setgroups or initgroups. There is a high probability this mean it didn't relinquish all groups, and this would be a potential security issue to be fixed. Seek POS36-C on the web for details about the problem.

Ref POS36-C: https://www.securecoding.cert.org/confluence/display/seccode/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges

So consider an upstream fix.

=======

Other issues:

mosquitto.i686: W: unused-direct-shlib-dependency /usr/lib/libmosquittopp.so.1.1.3 /lib/libssl.so.10
mosquitto.i686: W: unused-direct-shlib-dependency /usr/lib/libmosquittopp.so.1.1.3 /lib/libcrypto.so.10
mosquitto.i686: W: unused-direct-shlib-dependency /usr/lib/libmosquittopp.so.1.1.3 /lib/libpthread.so.0
mosquitto.i686: W: unused-direct-shlib-dependency /usr/lib/libmosquittopp.so.1.1.3 /lib/libm.so.6
mosquitto.i686: W: unused-direct-shlib-dependency /usr/lib/libmosquittopp.so.1.1.3 /lib/libgcc_s.so.1

Please see http://fedoraproject.org/wiki/Common_Rpmlint_issues and fix.

I unbundled uthash and fixed the unused shlib dependency error by adding -Wl,--as-needed to the LDFLAGS for the build. I will contact upstream about working on a fix for the missing call to setgroups.
Updated packages can be found here:

Spec URL: http://rmattes.fedorapeople.org/RPMS/mosquitto/mosquitto.spec
SRPM URL: http://rmattes.fedorapeople.org/RPMS/mosquitto/mosquitto-1.1.3-2.fc19.src.rpm

$ rpmlint mosquitto.spec ../RPMS/x86_64/mosquitto*1.1.3-2*
mosquitto.x86_64: E: missing-call-to-setgroups /usr/sbin/mosquitto
3 packages and 1 specfiles checked; 1 errors, 0 warnings.

APPROVED.

Only: Remember to remove "rm -rf $RPM_BUILD_ROOT" in the %install section in SCM.

Thanks Christopher. I'll be sure to remove that line before I build the package.

New Package SCM Request
=======================
Package Name: mosquitto
Short Description: An Open Source MQTT v3.1 Broker
Owners: rmattes
Branches: f18 f19 el6
InitialCC:

Git done (by process-git-requests).

I'm upstream, I had this pointed out by Eric Sandeen. Thanks for taking the time to do the packaging.

Thanks for the hint about setgroups/initgroups. I'll sort that out for the next release, which is likely to be this weekend unless any other problems pop up.

I'd suggest using straight "make" rather than cmake because it adds extra bits like symbol hiding in the C library. The cmake build scripts are really intended for Windows to generate Visual Studio project files.

I spend most of my packaging effort on the debian side of things - I can make some suggestions of what to set in terms of configuration if you would like. I've made some changes in 1.2 that make life a bit easier in that regard.

(In reply to Roger Light from comment #7)

My pleasure. If you are willing to keep it in Fedora, you can register an account at FAS and CC the bugzilla from pkgdb. However, you should let users install it via yum rather than compiling it on their own. ;)

Thanks, but I'm trying to keep my packaging efforts low :) It's already a big effort doing a release with what I already do.

Hi Roger, thanks for chipping in.
I'm a fan of cmake so I went ahead and used it, but if the makefiles are a better way of doing things on Linux then I don't have any problem switching to them. I'll make sure to do so before im

At the moment, I'm just using the default configuration file that ships with the source distribution, and I created a simple systemd unit to start and stop the server with the same options as the upstart job in the service/ subdirectory. One thing I should probably add to the systemd unit is to start the service[1] as User=mosquitto. We're creating the mosquitto user at rpm installation time for this purpose, but the default configuration is set to run as root.

If you have any other suggestions, I'd be happy to hear them. Also, if you're interested in carrying a systemd unit file with the source distribution, I'll be happy to help you test and verify it.

[1] http://www.freedesktop.org/software/systemd/man/systemd.service.html

Unless you specify otherwise, the behaviour when run as root is to drop privileges to the mosquitto user and its group (and now the supplementary groups as well). You can tell it what user to use in the config file. If that user is root, it warns that it is a bad idea, but runs. If all of the files that it needs to write are owned by mosquitto then there is no need to start running as root.

On Debian/Ubuntu I'm moving to a config file that looks like this:

https://bitbucket.org/oojah/mosquitto-packaging/src/tip/debian/mosquitto.conf

This gives a very simple config that is unlikely to be changed by the end user and provides a location where they can add their own customisations. mosquitto.conf will be installed as mosquitto.conf.example from 1.2, so as not to clobber anything.
The log to file there is new for 1.2 and I'm configuring the .debs to use logrotate as well:

https://bitbucket.org/oojah/mosquitto-packaging/src/tip/debian/mosquitto.logrotate

The only other extra things that I'm doing are adding some directories in /etc/mosquitto for TLS certificates, and packaging mosquitto.py for both Python 2 and Python 3.

I'd be happy to put the systemd unit in the source distribution.

mosquitto-1.2-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/mosquitto-1.2-1.fc19

mosquitto-1.2-1.fc19 has been pushed to the Fedora 19 testing repository.

mosquitto-1.2-1.fc19 has been pushed to the Fedora 19 stable repository.
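
The revocation order behind the rpmlint missing-call-to-setgroups error and the POS36-C reference in the review above, written out as an added C example; it is not mosquitto's code and not part of the original thread. The names drop_privileges, has_gid and MAX_GROUPS are hypothetical, and the final check assumes the service account is not a member of group 0.

```c
#define _DEFAULT_SOURCE   /* glibc: expose initgroups() */
#include <grp.h>
#include <pwd.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 64     /* constructed bound; a longer group list fails closed */

/* Return 1 if gid is among the first n entries of groups, else 0. */
int has_gid(const gid_t *groups, int n, gid_t gid)
{
    for (int i = 0; i < n; i++)
        if (groups[i] == gid)
            return 1;
    return 0;
}

/* Permanently drop from root to `user`, revoking in the POS36-C order.
 * Returns 0 on success and -1 on any failure; on -1 the caller must exit
 * instead of serving requests with whatever privileges remain. */
int drop_privileges(const char *user)
{
    gid_t groups[MAX_GROUPS];
    struct passwd *pw = user ? getpwnam(user) : NULL;

    if (pw == NULL || pw->pw_uid == 0)
        return -1;                       /* unknown account, or not a drop */
    uid_t uid = pw->pw_uid;              /* copy: pw points at static storage */
    gid_t gid = pw->pw_gid;

    if (geteuid() != 0)                  /* started unprivileged: acceptable */
        return getuid() == uid ? 0 : -1; /* only if already the target user  */

    if (initgroups(user, gid) != 0)      /* 1. supplementary groups, the step */
        return -1;                       /*    rpmlint reported as missing    */
    if (setgid(gid) != 0)                /* 2. primary group, still as root   */
        return -1;
    if (setuid(uid) != 0)                /* 3. user ID last; as root this sets */
        return -1;                       /*    real, effective and saved IDs  */

    /* 4. Verify the drop: root must be unreachable and, under the stated
     * assumption about group 0, root's group must be gone from the list. */
    if (setuid(0) == 0)
        return -1;
    int n = getgroups(MAX_GROUPS, groups);
    if (n < 0 || (gid != 0 && has_gid(groups, n, 0)))
        return -1;
    return 0;
}
```

Calling setuid() before the group calls would leave root's supplementary groups attached to the process, because initgroups() and setgid() need the privilege that setuid() has just given up.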