Bug 1028743 - (hans) Review Request: hans - IP over ICMP tunneling solution
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Michal Ambroz
QA Contact: Fedora Extras Quality Assurance
Blocks: FE-SECLAB
Reported: 2013-11-10 06:12 EST by Pavel Alexeev
Modified: 2017-10-08 21:48 EDT

Doc Type: Bug Fix
Last Closed: 2017-10-08 21:20:01 EDT
rebus: fedora‑review+
Description Pavel Alexeev 2013-11-10 06:12:33 EST
Spec URL: https://raw.github.com/Hubbitus/Fedora-packaging/d26aadd89b75ebd87c30b6c846378fba24595bf8/SPECS/hans.spec
SRPM URL: http://hubbitus.info/rpm/Fedora19/hans/hans-0.4.3-2.fc19.src.rpm
Description: Hans makes it possible to tunnel IPv4 through ICMP echo packets, so you could call it a ping tunnel. This can be useful when you find yourself in the situation that your Internet access is firewalled, but pings are allowed.

Hans runs on Linux as a client and a server. It runs on Mac OS X,
iPhone/iPod touch, FreeBSD and OpenBSD as a client only.

Fedora Account System Username: Hubbitus

Scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=6161766
One more note, about the rpmlint warning only-non-binary-in-usr-lib: it is an already existing rpmlint bug, bz#794777.
Comment 1 Christopher Meng 2014-03-03 02:28:27 EST
1. Update systemd scriptlets.

https://fedoraproject.org/wiki/Packaging:ScriptletSnippets#Systemd

2. Users & Groups template:

https://fedoraproject.org/wiki/Packaging:UsersAndGroups#Dynamic_allocation

3. Conditional lines for different init systems please if you want to maintain it in one spec. Currently they are broken.

4. No -sysvinit package please, handle them in conditional lines. Or turn it into %_bindir.

5. %{buildroot}/ --> %{buildroot}
Comment 2 Pavel Alexeev 2014-03-11 14:54:02 EDT
Hello, Christopher. Thanks for the comments.

%changelog
* Tue Mar 11 2014 Pavel Alexeev <Pahan@Hubbitus.info> - 0.4.3-3
- Drop all sysvinit support because it now MUST NOT be present in new packages (https://fedoraproject.org/wiki/Packaging:SysVInitScript?rd=Packaging/SysVInitScript#Initscripts_in_addition_to_systemd_unit_files).
- Change user creation procedure, move in base package.

Scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=6622750
Spec changes: https://github.com/Hubbitus/Fedora-packaging/commit/4e1c066a0a0ff81571276ec43676466a6fd0cbf2
Spec: https://raw.github.com/Hubbitus/Fedora-packaging/4e1c066a0a0ff81571276ec43676466a6fd0cbf2/SPECS/hans.spec
Srpm: http://hubbitus.info/rpm/Fedora20/hans/hans-0.4.3-3.fc21.src.rpm
Comment 3 Pavel Alexeev 2014-03-11 14:55:01 EDT
All issues addressed except 5. I prefer to leave that slash; from my point of view it looks more like a traditional path.
Comment 4 Pavel Alexeev 2015-08-04 17:24:26 EDT
Christopher, could we continue please?
Comment 5 Michal Ambroz 2016-11-17 16:15:09 EST
Hello Pavel,
thanks for packaging hans. As Christopher Meng doesn't seem to be responding, I would like to take over the package review.
I have found the spec and sources on github, but the spec and srpm are not available for download anymore. The claimed links do not download the files.


Generally the package seems good to me - just a few comments:
- update to 0.4.4
- I would recommend changing the source reference to
https://github.com/friedrich/%{name}/archive/v%{version}.tar.gz#/hans-%{version}.tar.gz so the source file is named hans-%{version}.tar.gz
- rpmlint reports that there is missing-call-to-setgroups-before-setuid
Will be fixed by this patch (https://github.com/friedrich/hans/issues/15)
- I would say it is dangerous to have a working default configuration. I would recommend generating a random password on first use - something like the server key for ssh.
- fix typos sulution->solution, dinamic->dynamic (hans-client.sysconfig)

Other issues from rpmlint seem to be minor.
$ rpmlint SRPMS/hans-0.4.4-1.fc24.src.rpm RPMS/x86_64/hans-0.4.4-1.fc24.x86_64.rpm RPMS/x86_64/hans-client-0.4.4-1.fc24.x86_64.rpm RPMS/x86_64/hans-server-0.4.4-1.fc24.x86_64.rpm RPMS/x86_64/hans-debuginfo-0.4.4-1.fc24.x86_64.rpm
hans.src: W: spelling-error %description -l en_US firewalled -> fire walled, fire-walled, firewall ed
hans.x86_64: W: spelling-error %description -l en_US firewalled -> fire walled, fire-walled, firewall ed
hans.x86_64: E: missing-call-to-setgroups-before-setuid /usr/sbin/hans
hans.x86_64: W: no-manual-page-for-binary hans
hans-client.x86_64: W: spelling-error %description -l en_US sulution -> solution, insulation, ululation
hans-client.x86_64: W: no-documentation
hans-client.x86_64: W: non-standard-uid /etc/sysconfig/hans-client hans
hans-client.x86_64: E: non-readable /etc/sysconfig/hans-client 600
hans-server.x86_64: W: no-documentation
hans-server.x86_64: W: non-standard-uid /etc/sysconfig/hans-server hans
hans-server.x86_64: E: non-readable /etc/sysconfig/hans-server 600
5 packages and 0 specfiles checked; 3 errors, 10 warnings.
Comment 6 Michal Ambroz 2016-11-18 06:13:13 EST
One more bit - the LICENSE should go to a separate %license tag.
Comment 7 Pavel Alexeev 2016-11-26 17:50:38 EST
Michal, thank you very much for taking that.

Updated to 1.0 and addressed most of the mentioned issues.

But what about the password? I can't generate it at build time, and as it is just in the options now, I can't handle "first run". Do you think it is worth moving it into some separate file and wrapping it in a script that checks it is present?

Is it worth it? In any case you can't run it without administrator configuration, because you are forced to provide an IP instead of the placeholder <SERVER_IP>. Do you want me to also replace `-p password` with something like `-p <PASSWORD>`?

The provided patch is present in the version 1.0 source code.

Changes: https://github.com/Hubbitus/Fedora-packaging/commit/b96a43057e188def285881d8d47800e20b1a82ff
Spec: https://raw.githubusercontent.com/Hubbitus/Fedora-packaging/b96a43057e188def285881d8d47800e20b1a82ff/SPECS/hans.spec
Rpm: http://rpm.hubbitus.info/Fedora25/hans/hans-1.0-1.fc25.src.rpm
Comment 8 Michal Ambroz 2016-12-18 23:02:26 EST
As there has been no update from Christopher Meng for a couple of years, I will take over the package review.

Michal Ambroz
Comment 9 Pavel Alexeev 2017-01-03 18:57:45 EST
@Michal, do you plan to continue the review?
Comment 10 Michal Ambroz 2017-01-04 09:12:18 EST
Yes ... the Xmas frenzy is behind us, I will be on it now.
Comment 11 Michal Ambroz 2017-01-08 20:42:11 EST
Package Review
==============

Summary:
- please use the %{optflags}
- consider syncing the %pre and "%pre server" macros for user creation
- consider making the dependency of the client and server fully versioned


Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated
[ ] = Manual review needed



===== MUST items =====

C/C++:
[X]: Package does not contain kernel modules.
[X]: Package contains no static executables.
[x]: Header files in -devel subpackage, if present.
[x]: Package does not contain any libtool archives (.la)
[x]: Rpath absent or only used for internal libs.

Generic:
[X]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
     GPLv3+
     sha1.cpp licensed with sha1_license.txt
     tunemu licensed with 2 clause BSD - compatible to be included in GPLv3+ project
[X]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses
     found: "BSD (2 clause)", "GPL (v2 or later)", "GPL (v3 or later)",
     "Unknown or generated". 7 files have unknown license. Detailed output
     of licensecheck in licensecheck.txt
[X]: License file installed when any subpackage combination is installed
     license included in the base hans package, it is required from the subpackages
[!]: %build honors applicable compiler flags or justifies otherwise.
     please use the %{optflags} such as 
     make %{?_smp_mflags} CFLAGS="%{optflags}"

[X]: Package contains no bundled libraries without FPC exception.
[X]: Changelog in prescribed format.
[X]: Sources contain only permissible code or content.
[-]: Package contains desktop file if it is a GUI application.
[-]: Development files must be in a -devel package
[-]: Package uses nothing in %doc for runtime.
[X]: Package consistently uses macros (instead of hard-coded directory
     names).
[X]: Package is named according to the Package Naming Guidelines.
[X]: Package does not generate any conflict.
[X]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[X]: Requires correct, justified where necessary.
[X]: Spec file is legible and written in American English.
[X]: Package contains systemd file(s) if in need.
[X]: Useful -debuginfo package or justification otherwise.
[X]: Package is not known to require an ExcludeArch tag.
[-]: Large documentation must go in a -doc subpackage. Large could be size
     (~1MB) or number of files.
     Note: Documentation size is 10240 bytes in 2 files.
[X]: Package complies to the Packaging Guidelines
[x]: Package successfully compiles and builds into binary rpms on at least
     one supported primary architecture.
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: If (and only if) the source package includes the text of the
     license(s) in its own file, then that file, containing the text of the
     license(s) for the package is included in %license.
[x]: Package requires other packages for directories it uses.
[x]: Package must own all directories that it creates.
[x]: Package does not own files or directories owned by other packages.
[x]: All build dependencies are listed in BuildRequires, except for any
     that are listed in the exceptions section of Packaging Guidelines.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Dist tag is present.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package use %makeinstall only when make install DESTDIR=... doesn't
     work.
[x]: Package is named using only allowed ASCII characters.
[x]: Package does not use a name that already exists.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as
     provided in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Packages must not store files under /srv, /opt or /usr/local

===== SHOULD items =====

Generic:
[-]: If the source package does not include license text(s) as a separate
     file from upstream, the packager SHOULD query upstream to include it.
[X]: Final provides and requires are sane (see attachments).
[?]: Fully versioned dependency in subpackages if applicable.
     Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in hans-
     client , hans-server , hans-debuginfo
[X]: Package functions as described.
[X]: Latest version is packaged.
[X]: Package does not include license text files separate from upstream.
[?]: Scriptlets must be sane, if used.
[-]: Description and summary sections in the package spec file contains
     translations for supported Non-English languages, if available.
[X]: Package should compile and build into binary rpms on all supported
     architectures.
[-]: %check is present and all tests pass.
[X]: Packages should try to preserve timestamps of original installed
     files.
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: Uses parallel make %{?_smp_mflags} macro.
[x]: Sources can be downloaded from URI in Source: tag
[x]: SourceX is a working URL.
[x]: Spec use %global instead of %define unless justified.

===== EXTRA items =====

Generic:
[x]: Rpmlint is run on debuginfo package(s).
     Note: No rpmlint messages.
[x]: Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).
[x]: Large data in /usr/share should live in a noarch subpackage if package
     is arched.
[x]: Spec file according to URL is the same as in SRPM.


Rpmlint
-------
- seems to be sane to me

Checking: hans-1.0-1.fc26.x86_64.rpm
          hans-client-1.0-1.fc26.x86_64.rpm
          hans-server-1.0-1.fc26.x86_64.rpm
          hans-debuginfo-1.0-1.fc26.x86_64.rpm
          hans-1.0-1.fc26.src.rpm
hans.x86_64: W: spelling-error %description -l en_US firewalled -> fire walled, fire-walled, firewall ed
hans.x86_64: W: no-manual-page-for-binary hans
hans-client.x86_64: W: no-documentation
hans-client.x86_64: W: non-standard-uid /etc/sysconfig/hans-client hans
hans-client.x86_64: E: non-readable /etc/sysconfig/hans-client 600
hans-server.x86_64: W: no-documentation
hans-server.x86_64: W: non-standard-uid /etc/sysconfig/hans-server hans
hans-server.x86_64: E: non-readable /etc/sysconfig/hans-server 600
hans.src: W: spelling-error %description -l en_US firewalled -> fire walled, fire-walled, firewall ed
5 packages and 0 specfiles checked; 2 errors, 7 warnings.




Rpmlint (debuginfo)
-------------------
Checking: hans-debuginfo-1.0-1.fc26.x86_64.rpm
1 packages and 0 specfiles checked; 0 errors, 0 warnings.





Rpmlint (installed packages)
----------------------------
hans.x86_64: W: spelling-error %description -l en_US firewalled -> fire walled, fire-walled, firewall ed
hans.x86_64: W: no-manual-page-for-binary hans
hans-server.x86_64: W: no-documentation
hans-server.x86_64: W: non-standard-uid /etc/sysconfig/hans-server hans
hans-server.x86_64: E: non-readable /etc/sysconfig/hans-server 600
hans-client.x86_64: W: no-documentation
hans-client.x86_64: W: non-standard-uid /etc/sysconfig/hans-client hans
hans-client.x86_64: E: non-readable /etc/sysconfig/hans-client 600
4 packages and 0 specfiles checked; 2 errors, 6 warnings.



Requires
--------
hans (rpmlib, GLIBC filtered):
    /bin/sh
    libc.so.6()(64bit)
    libgcc_s.so.1()(64bit)
    libgcc_s.so.1(GCC_3.0)(64bit)
    libm.so.6()(64bit)
    libstdc++.so.6()(64bit)
    libstdc++.so.6(CXXABI_1.3)(64bit)
    libstdc++.so.6(CXXABI_1.3.1)(64bit)
    libstdc++.so.6(CXXABI_1.3.9)(64bit)
    rtld(GNU_HASH)
    shadow-utils

hans-debuginfo (rpmlib, GLIBC filtered):

hans-server (rpmlib, GLIBC filtered):
    /bin/sh
    config(hans-server)
    hans
    systemd

hans-client (rpmlib, GLIBC filtered):
    /bin/sh
    config(hans-client)
    hans
    systemd



Provides
--------
hans:
    hans
    hans(x86-64)

hans-debuginfo:
    hans-debuginfo
    hans-debuginfo(x86-64)

hans-server:
    config(hans-server)
    hans-server
    hans-server(x86-64)

hans-client:
    config(hans-client)
    hans-client
    hans-client(x86-64)



Source checksums
----------------
https://github.com/friedrich/hans/archive/v1.0.tar.gz#/hans-1.0.tar.gz :
  CHECKSUM(SHA256) this package     : 53090083d440466e573b35f2eeab0b4b0dcd3e6290f797c999b4f5a0b5caaba2
  CHECKSUM(SHA256) upstream package : 53090083d440466e573b35f2eeab0b4b0dcd3e6290f797c999b4f5a0b5caaba2


Generated by fedora-review 0.6.1 (f03e4e7) last change: 2016-05-02
Command line :/usr/bin/fedora-review -b 1028743
Buildroot used: fedora-rawhide-x86_64
Active plugins: Generic, Shell-api, C/C++
Disabled plugins: Java, Python, fonts, SugarActivity, Ocaml, Perl, Haskell, R, PHP
Disabled flags: EXARCH, DISTTAG, EPEL5, BATCH, EPEL6
Comment 12 Michal Ambroz 2017-01-08 20:45:18 EST
Still, I believe that having the package in a workable state with a default password of "password" or any other hardcoded password will result in many people being vulnerable.

If you see this as achievable, it would be great if the package won't start until you change the default password to something else.

Mik
Comment 13 Pavel Alexeev 2017-01-22 09:13:11 EST
Honestly, I do not see a problem there. If you must change the IP address before it starts to work, you will see the password in the same line of the config and be able to change it.

Meanwhile, if you insist, I change it to the <PASSWORD> placeholder and add a line of note requiring the user to set it.

Other issues also should be addressed.

Changes: https://github.com/Hubbitus/Fedora-packaging/commit/e568e5469e069e8dd0ade1f5454deb30a7a1deb3
Spec: https://raw.githubusercontent.com/Hubbitus/Fedora-packaging/e568e5469e069e8dd0ade1f5454deb30a7a1deb3/SPECS/hans.spec
Srpm: http://rpm.hubbitus.info/Fedora25/hans/hans-1.0-2.fc26.src.rpm
Koji scratch build: https://koji.fedoraproject.org/koji/taskinfo?taskID=17375774
Comment 14 Pavel Alexeev 2017-02-25 13:50:33 EST
Michal ping
Comment 15 Pavel Alexeev 2017-03-12 17:58:07 EDT
Michal Ambroz, do you plan to answer and continue? I think all the issues you found are resolved.
Comment 16 Michal Ambroz 2017-03-28 19:04:58 EDT
Hello Pavel,
I still see a password in the config, just this time it is literally "<PASSWORD>" as a password. Or am I missing something?

You know - things like Mirai are spreading because of default passwords.

Mik.
Comment 18 Michal Ambroz 2017-06-16 21:52:26 EDT
Hello Pavel,
perfect - tested the package and it won't start if password was not changed.
Good.

Please there are some minor typos in the changelog.


Other than that - free to go.
Michal Ambroz
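
The behaviour confirmed in this comment (the service refuses to start until the placeholder password is replaced) can be enforced with a pre-start check like the one below. This is an added example, not the script shipped in the Fedora package; it assumes the sysconfig file passes the password as `-p <value>`, and the `OPTIONS` variable name and all sample values are constructed.

```sh
#!/bin/sh
# Pre-start gate for a hans sysconfig file. Added example, not the Fedora
# package's own script. Assumption: the password is passed as "-p <value>".

# Print the value that follows -p on the first non-comment line that has one.
hans_password() {
    awk '
        /^[ \t]*#/ { next }
        {
            gsub(/["'\'']/, " ")                 # drop shell quoting around the options
            n = split($0, tok, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                if (tok[i] == "-p" && i < n) { print tok[i + 1]; exit }
                if (tok[i] ~ /^-p./)         { print substr(tok[i], 3); exit }
            }
        }' "$1"
}

# Return 0 only when the file is private and carries a non-default password.
check_hans_config() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }

    # The file holds a shared secret; the rpmlint output in this review shows it as 600.
    mode=$(stat -c '%a' "$cfg") || return 2
    case $mode in
        600|400) ;;
        *) echo "$cfg has mode $mode, expected 600" >&2; return 3 ;;
    esac

    pw=$(hans_password "$cfg")
    case $pw in
        '') echo "no -p password set in $cfg" >&2; return 4 ;;
        password|'<'*'>')
            echo "default or placeholder password in $cfg" >&2; return 5 ;;
    esac
    return 0
}

# Constructed sample files (the OPTIONS name and all values are made up here).
demo_dir=$(mktemp -d)
printf 'OPTIONS="-c <SERVER_IP> -p <PASSWORD>"\n' > "$demo_dir/shipped"
printf 'OPTIONS="-c 192.0.2.10 -p constructed-Secret-42"\n' > "$demo_dir/configured"
chmod 600 "$demo_dir/shipped" "$demo_dir/configured"
for f in shipped configured; do
    if check_hans_config "$demo_dir/$f" 2>/dev/null; then
        echo "$f: ok to start"
    else
        echo "$f: refused (exit $?)"
    fi
done
rm -rf "$demo_dir"
```

Run from a systemd unit's `ExecStartPre=`, a non-zero exit from such a check keeps the service from starting.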
Comment 19 Michal Ambroz 2017-07-11 13:46:31 EDT
Ping Pavel?
Comment 20 Pavel Alexeev 2017-08-13 11:29:23 EDT
Sorry for the delay.
Repo requested https://pagure.io/releng/fedora-scm-requests/issue/23
Comment 21 Gwyn Ciesla 2017-08-13 18:46:17 EDT
(fedrepo-req-admin):  The Pagure repository was created at https://src.fedoraproject.org/rpms/hans
Comment 22 Gwyn Ciesla 2017-08-13 18:46:27 EDT
(fedrepo-req-admin):  The Pagure repository was created at https://src.fedoraproject.org/rpms/hans
Comment 23 Fedora Update System 2017-09-11 14:22:36 EDT
hans-1.0-3.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-ab6f36271b
Comment 24 Fedora Update System 2017-09-11 15:09:11 EDT
hans-1.0-3.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-289180fc05
Comment 25 Fedora Update System 2017-09-11 20:50:50 EDT
hans-1.0-3.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-289180fc05
Comment 26 Fedora Update System 2017-09-11 21:23:54 EDT
hans-1.0-3.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-ab6f36271b
Comment 27 Pavel Alexeev 2017-10-08 18:58:22 EDT
Michal Ambroz, thank you very much for the review. Hans is eventually in Fedora.
Could I also review something for you?
Comment 28 Fedora Update System 2017-10-08 21:20:01 EDT
hans-1.0-3.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
Comment 29 Fedora Update System 2017-10-08 21:48:50 EDT
hans-1.0-3.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.