Bug 1002275 - Review Request: ima-evm-utils - IMA/EVM Utilities
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Josh Bressers
QA Contact: Fedora Extras Quality Assurance
Blocks: 1384450 998565
Reported: 2013-08-28 14:59 EDT by Vivek Goyal
Modified: 2017-08-01 10:43 EDT
Last Closed: 2013-09-30 05:48:04 EDT
bressers: fedora‑review+
limburgher: fedora‑cvs+


Attachments:
Package review document (6.87 KB, text/plain), 2013-08-29 09:10 EDT, Josh Bressers, no flags
Package review (7.26 KB, text/plain), 2013-09-05 14:44 EDT, Josh Bressers, bressers: review+

Description Vivek Goyal 2013-08-28 14:59:10 EDT
Spec URL: http://people.redhat.com/vgoyal/ima-evm-utils/ima-evm-utils.spec
SRPM URL: http://people.redhat.com/vgoyal/ima-evm-utils/ima-evm-utils-0.6-1.fc19.src.rpm
Description: 

Hi,

I just finished packaging ima-evm-utils. I would appreciate it if it can be reviewed for inclusion in Fedora 20.

These utilities will help sign a binary and store its signature in the security.ima xattr. These signatures can then be verified at run time.

IMA is designed to do a lot more, but the above is the primary use case I am interested in right now.

Fedora Account System Username: vgoyal
Comment 1 Vivek Goyal 2013-08-28 15:25:04 EDT
Here is the rpmlint report.

$ rpmlint ima-evm-utils.spec ../RPMS/*/ima-evm-utils*.rpm ../SRPMS/ima-evm-utils*.rpm
ima-evm-utils.spec: W: invalid-url Source0: ima-evm-utils-0.6.tar.gz
ima-evm-utils.x86_64: W: spelling-error %description -l en_US executables -> executable, executable s, executrices
ima-evm-utils.x86_64: W: no-manual-page-for-binary evmctl
ima-evm-utils.src: W: spelling-error %description -l en_US executables -> executable, executable s, executrices
ima-evm-utils.src: W: invalid-url Source0: ima-evm-utils-0.6.tar.gz
3 packages and 1 specfiles checked; 0 errors, 5 warnings.
Comment 2 Paul Wouters 2013-08-28 16:13:15 EDT
I will sponsor Vivek, but as I started this package review originally, I will let someone else formally review it (though I'll review it as well).
Comment 3 Josh Bressers 2013-08-28 16:19:30 EDT
I can do the review. I'm taking the bug.
Comment 4 Christopher Meng 2013-08-28 22:26:45 EDT
Where does your source come from?

I can only see 0.2...

http://sourceforge.net/projects/linux-ima/files/ima-evm-utils/
Comment 5 Josh Bressers 2013-08-29 09:10:21 EDT
Created attachment 791795
Package review document

Here are the only things I found in this review that need to be addressed.

The spec file claims this package is covered under LGPLv2. The COPYING file is for GPLv2, the single source file uses LGPLv2 in its header comment. - I'm not a lawyer, I don't know how to sort this one (generally we include the COPYING file in the docs directory). Spot can probably clarify.

I can't find the upstream source tarball for this. Can the full URL be added to the spec file?

Otherwise it looked good. The full report is attached.
Comment 6 Vivek Goyal 2013-08-29 09:39:25 EDT
(In reply to Christopher Meng from comment #4)
> Where does your source come from?
> 
> I can only see 0.2...
> 
> http://sourceforge.net/projects/linux-ima/files/ima-evm-utils/

The maintainer released 0.6 yesterday, but for some reason the URL of that tar file is not showing up at sourceforge. Even the maintainer is confused. When he logs in he can see the file there and it says the URL will show up shortly, but it has been close to 24 hours and the URL is not showing yet.

He sent me the tar file by mail personally, and that's what I used for this source rpm.

I will ping him again and see if he can do something to make the situation better.

BTW, the git tree for this source is here, and there one can see that version 0.6 has been released.

http://sourceforge.net/p/linux-ima/ima-evm-utils/ci/master/tree/
Comment 7 Vivek Goyal 2013-08-29 10:04:10 EDT
(In reply to Josh Bressers from comment #5)
> 
> The spec file claims this package is covered under LGPLv2. The COPYING file
> is for GPLv2, the single source file uses LGPLv2 in its header comment. -
> I'm not a lawyer, I don't know how to sort this one (generally we include
> the COPYING file in the docs directory). Spot can probably clarify.

Thanks Josh. This is a good point. I have sent mail to the upstream maintainer for clarification in this matter.
Comment 9 Vivek Goyal 2013-09-04 22:43:14 EDT
Ok, both the licensing and source issues have been sorted out. I have uploaded a new set of spec and source rpm files. Please review.

http://people.redhat.com/vgoyal/ima-evm-utils/ima-evm-utils.spec
http://people.redhat.com/vgoyal/ima-evm-utils/ima-evm-utils-0.6-1.fc19.src.rpm
Comment 10 Vivek Goyal 2013-09-04 22:43:48 EDT
Following is the rpmlint report.

[makerpm@localhost SPECS]$ rpmlint ima-evm-utils.spec ../RPMS/*/ima-evm-utils*.rpm ../SRPMS/ima-evm-utils*.rpm
ima-evm-utils.x86_64: W: spelling-error %description -l en_US executables -> executable, executable s, executrices
ima-evm-utils.x86_64: W: no-manual-page-for-binary evmctl
ima-evm-utils.src: W: spelling-error %description -l en_US executables -> executable, executable s, executrices
3 packages and 1 specfiles checked; 0 errors, 3 warnings.
Comment 11 Vivek Goyal 2013-09-04 22:44:23 EDT
Now this package is GPLv2. Both COPYING and src/evmct.c have been modified to reflect this fact.
Comment 12 Vivek Goyal 2013-09-04 22:45:20 EDT
The maintainer has got the sourceforge link working. The original source of the tarball is the following.

http://sourceforge.net/projects/linux-ima/files/ima-evm-utils/ima-evm-utils-0.6.tar.gz/
Comment 13 Vivek Goyal 2013-09-05 14:19:29 EDT
bressers mentioned that the new spec file does not have the COPYING file in %doc. Fixed that and uploaded new files.
Comment 14 Vivek Goyal 2013-09-05 14:20:30 EDT
Following is the rpmlint output with the new spec file and rpms.

[makerpm@localhost SPECS]$ rpmlint ima-evm-utils.spec ../RPMS/*/ima-evm-utils*.rpm ../SRPMS/ima-evm-utils*.rpm
ima-evm-utils.x86_64: W: spelling-error %description -l en_US executables -> executable, executable s, executrices
ima-evm-utils.x86_64: E: incorrect-fsf-address /usr/share/doc/ima-evm-utils-0.6/COPYING
ima-evm-utils.x86_64: W: no-manual-page-for-binary evmctl
ima-evm-utils.src: W: spelling-error %description -l en_US executables -> executable, executable s, executrices
3 packages and 1 specfiles checked; 1 errors, 3 warnings.
Comment 15 Vivek Goyal 2013-09-05 14:21:02 EDT
Notice that the fsf address in the COPYING file is the old one. I have informed the upstream maintainer about it.
Comment 16 Josh Bressers 2013-09-05 14:44:53 EDT
Created attachment 794444
Package review

The only possible issue here is an incorrect fsf address. This will be addressed upstream and isn't a reason to hold up the package.
Comment 17 Vivek Goyal 2013-09-05 17:07:03 EDT
Scratch koji build of the package.

http://koji.fedoraproject.org/koji/taskinfo?taskID=5902553
Comment 18 Vivek Goyal 2013-09-05 17:13:54 EDT
New Package SCM Request
=======================
Package Name: ima-evm-utils
Short Description: IMA/EVM support utilities
Owners: vgoyal
Branches: f20
InitialCC:
Comment 19 Gwyn Ciesla 2013-09-06 08:18:49 EDT
fedora-review flag not set
Comment 20 Gwyn Ciesla 2013-09-06 09:40:03 EDT
Git done (by process-git-requests).
Comment 21 T.C. Hollingsworth 2013-09-07 21:54:16 EDT
Please clear the FE-NEEDSPONSOR blocker when you sponsor someone (or intend to do so).  This makes it easier to find packages that really do require sponsorship in the tracker bug.  Thanks!
Comment 22 Christopher Meng 2013-09-30 05:48:04 EDT
Please remember to close the bug.
