Bug 1057874 - Review Request: libspf2 - Implementation of the Sender Policy Framework for SMTP authorization
Summary: Review Request: libspf2 - Implementation of the Sender Policy Framework for S...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Steve Jenkins
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1057876
TreeView+ depends on / blocked
 
Reported: 2014-01-25 15:47 UTC by Matt Domsch
Modified: 2015-06-01 17:05 UTC (History)
12 users (show)

Fixed In Version: libspf2-1.2.10-5.20150405gitd57d79fd.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-04-22 22:43:44 UTC
Type: ---
Embargoed:
steve: fedora-review+
gwync: fedora-cvs+


Attachments (Terms of Use)

Description Matt Domsch 2014-01-25 15:47:40 UTC
Spec URL: http://domsch.com/fedora/libspf2/libspf2.spec
SRPM URL: http://domsch.com/fedora/libspf2libspf2-1.2.10-1.git0e23f41e.fc20.src.rpm
Description: 
libspf2 implements the Sender Policy Framework, a part of the SPF/SRS
protocol pair. libspf2 is a library which allows email systems such as
Sendmail, Postfix, Exim, Zmailer and MS Exchange to check SPF records
and make sure that the email is authorized by the domain name that it
is coming from. This prevents email forgery, commonly used by
spammers, scammers and email viruses/worms.


Fedora Account System Username: mdomsch

Comment 1 Matt Domsch 2014-01-25 15:49:38 UTC
All credit to Paul Howarth for this spec.  I did update the code to latest git upstream, and patch for newer autotools in F20.  The BR: automake-1.13 is spurious; the code is patched already, but running scratch-builds, it is still invoking automake-1.13 implicitly.  Ugh.  Will try to fix that before actual upload, somehow.

Comment 2 Christopher Meng 2014-04-16 04:19:44 UTC
Are these option needed?

--enable-perl

--with-bind

Comment 3 Christopher Meng 2014-07-13 02:57:26 UTC
Are you going to continue?

Comment 4 Matt Domsch 2014-07-22 01:59:33 UTC
I haven't given it any thought since January, honestly.

--enable-perl is avoidable, it just makes a test suite which we aren't otherwise using.

re --with-bind:
The libspf-alt configure script now has a --with-bind=DIR option to
  let people use a different version of the bind than the default
  installed with the system.  This functionality was added by Emmanuel
  Dreyfus <manu <at> netbsd.org>

I see no reason to do that, we use system libraries whenever possible.

Comment 5 Felix Schwarz 2014-09-27 13:05:53 UTC
There is a typo in the srpm url mention in comment #1. Should be 
http://domsch.com/fedora/libspf2/libspf2-1.2.10-1.git0e23f41e.fc20.src.rpm

Comment 6 Matt Domsch 2014-09-27 21:27:42 UTC
with the new opendmarc package, we no longer need a standalone libspf2.

Comment 7 Matt Domsch 2014-10-01 13:57:27 UTC
I am withdrawing this packaging request, as opendmarc now implements SPF testing internally, and without requiring libspf2.

https://bugzilla.redhat.com/show_bug.cgi?id=1057876
is the opendmarc package review.

Comment 8 Matt Domsch 2014-10-01 13:59:05 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=905304
is the opendmarc package review, not 1057876.

Comment 9 Scott Kitterman 2015-04-01 18:39:30 UTC
I'm not a Fedora/Red Hat user, but I am the Debian opendmarc maintainer as well as someone who's been involved in SPF development for a long time (for instance the editor for RFC 7208).  I was asked to post to this bug to suggest reopening this as a better solution than using the internal opendmarc SPF code.

The internal opendmarc SPF code is not a full SPF implementation.  I have reviewed it and have not been able to (as an example) find where it implements the DNS lookup limits specified in RFC 4408 section 10.1/RFC 7208 4.6.4.  While it's possible I missed something (I didn't have a huge amount of time for a thorough analysis), I don't think the opendmarc SPF code is suitable for production use and have linked opendmarc in Debian against libspf2.  I would recommend Red Hat/Fedora do the same.

In Debian, there are additional packages that use libspf2, so providing a libspf2 package would also make those packagable too.

Comment 10 Steve Jenkins 2015-04-02 02:52:02 UTC
Thanks, Scott (I'm the one who asked Scott to come chime in here as the Debian maintainer and as someone who's involved with SPF for a while).

Matt: Any chance you'd consider un-withdrawing this packaging request and forging ahead with a RedHat libspf2 package?

I'd love to be able to build Fedora/EPEL opendmarc against libspf2.

Thanks!

Comment 11 Matt Domsch 2015-04-04 22:06:34 UTC
By popular request, reopening.

https://domsch.com/linux/fedora/libspf2/
has current libspf2 master branch packaged up, building for Fedora 21.  It needed only autotools redoing to match f21 packages.

Comment 12 Steve Jenkins 2015-04-05 06:55:30 UTC
Booyah! Thanks, Matt!

* Comment: Not sure how much additional review is needed, but in the spirit of keeping this moving right along and doing everything I can to change that review flag to +, I'll bite. :)

MUST: rpmlint output (SRPM and spec): PASS

libspf2.src: W: spelling-error %description -l en_US scammers -> stammers, slammers, scampers
libspf2.src:45: W: macro-in-comment %{version}
libspf2.src:253: W: macro-in-comment %doc
libspf2.src:49: W: mixed-use-of-spaces-and-tabs (spaces: line 49, tab: line 26)
libspf2.src: W: invalid-url Source0: libspf2-1.2.10-d57d79fd.tar.xz
1 packages and 0 specfiles checked; 0 errors, 5 warnings.

All are bogus, except for the spaces & tabs which isn't a deal killer (but is an easy fix).

MUST: rpmlint output (RPMs): PASS

libspf2.i686: W: spelling-error %description -l en_US scammers -> stammers, slammers, scampers
libspf2.i686: W: incoherent-version-in-changelog 1.2.10-2 ['1.2.10-2.gitd57d79fd.fc21', '1.2.10-2.gitd57d79fd']
libspf2.i686: W: install-file-in-docs /usr/share/doc/libspf2/INSTALL
libspf2-debuginfo.i686: E: incorrect-fsf-address /usr/src/debug/libspf2-1.2.10-d57d79fd/src/libreplace/getopt.h
libspf2-devel.i686: W: spelling-error %description -l en_US apidocs -> rapids
libspf2-devel.i686: W: no-documentation
libspf2-progs.i686: W: no-documentation
libspf2-progs.i686: W: no-manual-page-for-binary spf_example
libspf2-progs.i686: W: no-manual-page-for-binary spfquery.libspf2
libspf2-progs.i686: W: no-manual-page-for-binary spftest
libspf2-progs.i686: W: no-manual-page-for-binary spfd.libspf2
4 packages and 0 specfiles checked; 1 errors, 10 warnings.

I'm assuming upstream has been notified about the incorrect-fsf-address error (which is the only requirement when this error occurs, so not a show stopper).

MUST: The package must be named according to the Package Naming Guidelines: PASS

MUST: The package must be licensed with a Fedora approved license and meet the Licensing Guidelines: PASS (BSD / LGPLv2+)

MUST: The License field in the package spec file must match the actual license: PASS (Also says BSD / LGPLv2+ on the upstream website)

MUST: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package must be included in %doc: PASS

MUST: The spec file must be written in American English: PASS

MUST: The spec file for the package MUST be legible: PASS

MUST: The sources used to build the package must match the upstream source, as provided in the spec URL. Reviewers should use sha256sum for this task as it is used by the sources file once imported into git. If no upstream URL can be specified for this package, please see the Source URL Guidelines for how to deal with this: PASS

MUST: The package MUST successfully compile and build into binary rpms on at least one primary architecture: PASS

EL5: http://koji.fedoraproject.org/koji/taskinfo?taskID=9416830
EL6: http://koji.fedoraproject.org/koji/taskinfo?taskID=9416836
EL7: http://koji.fedoraproject.org/koji/taskinfo?taskID=9416840
F20: http://koji.fedoraproject.org/koji/taskinfo?taskID=9416843
F21: http://koji.fedoraproject.org/koji/taskinfo?taskID=9416939


MUST: If the package does not successfully compile, build or work on an architecture, then those architectures should be listed in the spec in ExcludeArch. Each architecture listed in ExcludeArch MUST have a bug filed in bugzilla, describing the reason that the package does not compile/build/work on that architecture. The bug number MUST be placed in a comment, next to the corresponding ExcludeArch line: N/A


MUST: All build dependencies must be listed in BuildRequires, except for any that are listed in the exceptions section of the Packaging Guidelines ; inclusion of those as BuildRequires is optional. Apply common sense: PASS

MUST: The spec file MUST handle locales properly. This is done by using the %find_lang macro. Using %{_datadir}/locale/* is strictly forbidden: N/A

MUST: Every binary RPM package (or subpackage) which stores shared library files (not just symlinks) in any of the dynamic linker's default paths, must call ldconfig in %post and %postun: PASS

MUST: Packages must NOT bundle copies of system libraries: PASS

MUST: If the package is designed to be relocatable, the packager must state this fact in the request for review, along with the rationalization for relocation of that specific package. Without this, use of Prefix: /usr is considered a blocker: N/A

MUST: A package must own all directories that it creates. If it does not create a directory that it uses, then it should require a package which does create that directory: PASS

MUST: A Fedora package must not list a file more than once in the spec file's %files listings. (Notable exception: license texts in specific situations): PASS

MUST: Permissions on files must be set properly. Executables should be set with executable permissions, for example: PASS

MUST: Each package must consistently use macros: PASS

MUST: The package must contain code, or permissable content: PASS

MUST: Large documentation files must go in a -doc subpackage. (The definition of large is left up to the packager's best judgement, but is not restricted to size. Large can refer to either size or quantity): N/A

MUST: If a package includes something as %doc, it must not affect the runtime of the application. To summarize: If it is in %doc, the program must run properly if it is not present: PASS

MUST: Static libraries must be in a -static package: NEEDSWORK (?)

The description of of the -devel package says it "contains the header files and static libraries necessary for developing programs using the libspf2 (Sender Policy Framework) library." Does that mean we need a -static package AND a -devel package? Or is it acceptable to include these static libraries there?

MUST: Development files must be in a -devel package: PASS

MUST: In the vast majority of cases, devel packages must require the base package using a fully versioned dependency: Requires: %{name}%{?_isa} = %{version}-%{release}: NEEDSWORK - the %{?_isa} is missing

MUST: Packages must NOT contain any .la libtool archives, these must be removed in the spec if they are built: PASS

MUST: Packages containing GUI applications must include a %{name}.desktop file, and that file must be properly installed with desktop-file-install in the %install section. If you feel that your packaged GUI application does not need a .desktop file, you must put a comment in the spec file with your explanation: N/A

MUST: Packages must not own files or directories already owned by other packages: PASS

MUST: All filenames in rpm packages must be valid UTF-8: PASS

SHOULD: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it: I did that for you!

SHOULD: The description and summary sections in the package spec file should contain translations for supported Non-English languages, if available: N/A

SHOULD: The reviewer should test that the package builds in mock: PASS (used koji)

SHOULD: The package should compile and build into binary rpms on all supported architectures: PASS

SHOULD: The reviewer should test that the package functions as described. A package should not segfault instead of running, for example: PASS

SHOULD: If scriptlets are used, those scriptlets must be sane. This is vague, and left up to the reviewers judgement to determine sanity: PASS (although allowing me to be an arbiter of sanity is questionable... ;))

SHOULD: Usually, subpackages other than devel should require the base package using a fully versioned dependency: NEEDSWORK (any harm in adding %{?_isa} to progs package, too?)

SHOULD: The placement of pkgconfig(.pc) files depends on their usecase, and this is usually for development purposes, so should be placed in a -devel pkg. A reasonable exception is that the main pkg itself is a devel tool not installed in a user runtime, e.g. gcc or gdb: N/A (no .pc file)

SHOULD: If the package has file dependencies outside of /etc, /bin, /sbin, /usr/bin, or /usr/sbin consider requiring the package which provides the file instead of the file itself: N/A

SHOULD: your package should contain man pages for binaries/scripts. If it doesn't, work with upstream to add them where they make sense: PASS

Overall result - NEEDSWORK, but extremely minor stuff... and it's possible for Matt to talk me out of at least a couple of them if I'm misunderstanding them. :)

Comment 13 Matt Domsch 2015-04-05 20:13:37 UTC
There are no static libraries included in the -devel package.

I have added %{?_isa} to the -devel package Requires.

We do not need to add %{?_isa} to other subpackage Requires, they will be handled automatically by rpmbuild.

I believe the scriptlets are sane, they only run ldconfig and manage adding/removing to alternatives.

libspf2-1.2.10-3.gitd57d79fd.fc21.x86_64.rpm and related files
posted to https://domsch.com/linux/fedora/libspf2/ with the only change being to add %{?_isa} to the -devel package Requires.
diff -urNp 2/libspf2.spec 3/libspf2.spec
--- 2/libspf2.spec      2015-04-04 17:00:15.000000000 -0500
+++ 3/libspf2.spec      2015-04-05 15:08:58.000000000 -0500
@@ -4,9 +4,9 @@
 # Each change to the spec requires a bump to version/release of both library and perlmod
 %global git d57d79fd
 %global library_version 1.2.10
-%global library_release 2.git%{git}%{?dist}
+%global library_release 3.git%{git}%{?dist}
 %global perlmod_version 0.01
-%global perlmod_release 6.git%{git}%{?dist}
+%global perlmod_release 7.git%{git}%{?dist}

 # Set to 1 for a compat-libspf2 package
 %global compat 0
@@ -87,7 +87,7 @@ Summary:      Development tools needed to bui
 Group:         Development/Libraries
 Version:       %{library_version}
 Release:       %{library_release}
-Requires:      %{name} = %{version}-%{release}
+Requires:      %{name}%{?_isa} = %{version}-%{release}

 %description devel
 The libspf2-devel package contains the header files and static
@@ -281,6 +281,9 @@ exit 0
 %endif

 %changelog
+* Sun Apr  5 2015 Matt Domsch <mdomsch> - 1.2.10-3
+- update for review comments
+
 * Sat Apr  4 2015 Matt Domsch <mdomsch> - 1.2.10-2
 - update to upstream 1.2.10+git
 - update automake / autoconf for Fedora 21

Comment 14 Matt Domsch 2015-04-05 20:31:30 UTC
I've fixed the whitespace in the .spec and uploaded it to my website.  I'll drop this copy into the final package being checked in.  Not worth doing a rebuild for right now.

Comment 15 Michael Schwendt 2015-04-05 21:11:39 UTC
If you posted up-to-date "Spec URL:" and "SRPM URL:" lines, it would become much more obvious what the latest files to review are, and the fedora-review tool would have an easy job fetching the latest packages, too: fedora-review -b 1057874

[...]

https://domsch.com/linux/fedora/libspf/libspf2-1.2.10-3.gitd57d79fd.fc21.src.rpm

This does not follow the snapshot versioning guidelines.

 https://fedoraproject.org/wiki/Packaging:Guidelines#Version_and_Release
  -> https://fedoraproject.org/wiki/Packaging:NamingGuidelines#Snapshot_packages


> %if %{compat}
> Provides:	libspf2 = %{version}-%{release}
> %endif

Quite useless, if there is no %?_isa Provides as to complement the two automatic Proides for %name and %name%{?_isa}.


> There are no static libraries included in the -devel package.

Then the %description should not mention "static libraries".




> We do not need to add %{?_isa} to other subpackage Requires,

We do:

  https://fedoraproject.org/wiki/Packaging:Guidelines#Requiring_Base_Package

It's the same explicit Requires as in -devel packages (to keep subpackages in sync with eachother as to avoid surprising developers when releasing bug-fix updates of libraries - we want them to get a matching pair of packages). It's the only way to have strict dependencies between subpackages and library base packages. Unless library symbol versioning is used.

One major flaw with that is, in external packages we rely on the automatic soname deps to pull in _any_ package that provides the needed lib:

  https://fedoraproject.org/wiki/Packaging:Guidelines#Explicit_Requires

It's up to the maintainers to add explicit Requires, if it must be a specific version-release of the lib for something to work correctly.


> they will be handled automatically by rpmbuild.

Arch-specific versioned explicit Requires are more strict than a basic SONAME dependency. Also note that there's an automatic lib dependency between -devel package and base lib package based on the soname. It's just not strict enough (wrt %release).


> %install
> %{__rm} -rf %{buildroot}

https://fedoraproject.org/wiki/Packaging:Guidelines#BuildRoot_tag


> %files
> %doc README INSTALL LICENSES TODO

https://fedoraproject.org/wiki/Packaging:LicensingGuidelines#License_Text


> %files devel
> %{_includedir}/spf2/spf*.h

https://fedoraproject.org/wiki/Packaging:Guidelines#File_and_Directory_Ownership


> %defattr(-,root,root,-)

%defattr is not needed anymore for any of the target dists:
https://fedoraproject.org/wiki/Packaging:Guidelines#File_Permissions

Comment 16 Steve Jenkins 2015-04-06 01:00:33 UTC
Matt:

At the risk of asking a possibly overly obvious question, I'm assuming you're planning on building for all active branches EL5-7 and F20-Rawhide)? Thx.

Comment 17 Matt Domsch 2015-04-06 05:24:15 UTC
Michael, thank you for the review comments.  I have fixed these now.

Spec URL: https://domsch.com/linux/fedora/libspf2/libspf2.spec
SRPM URL: https://domsch.com/linux/fedora/libspf2/libspf2-1.2.10-4.20150405gitd57d79fd.fc21.src.rpm



Steve, I hadn't considered EL5. I've got it building fine on EL6 so presumably EL7 will also, and F21 so presumably rawhide.

As it stands the autotools stuff is ugly.  I'm having to patch each version for the autotools available in it.  Maybe I can do that once for the lowest version of each and then it "just works" for newer OS versions so I'd only need to do so twice.  Running the bootstrap / autoreconf in %prep isn't ideal either and would suck in autotools build deps.

Comment 18 Christopher Meng 2015-04-06 10:24:02 UTC
I'm going to leave this bug since Steve has shown more interests on it.

And Steve, next time when you take over the review, please notify me first.

Comment 19 Matt Domsch 2015-04-06 11:59:57 UTC
The packaging request had gone cold for the better part of a year, mostly because I didn't think it was necessary any longer, partly because I didn't have time to work on it a year ago.  Steve is packaging the first consumer of it in OpenDKIM which just came to light as needing it.  I'm glad for everyone (Christopher, Felix, SFteve, and Michael) who have taken the time to improve on this package.

Comment 20 Steve Jenkins 2015-04-06 15:54:02 UTC
Apologies, Christopher. Matt's correct in that  I figured you were likely off doing other awesome things because this had been shelved for so long, but I still should have at least fired off a courtesy email to you to see if you were interested in jumping back in before just grabbing it.

Comment 21 Steve Jenkins 2015-04-06 16:05:37 UTC
(In reply to Matt Domsch from comment #17)
> Steve, I hadn't considered EL5. I've got it building fine on EL6 so
> presumably EL7 will also, and F21 so presumably rawhide.
> 
> As it stands the autotools stuff is ugly.  I'm having to patch each version
> for the autotools available in it.  Maybe I can do that once for the lowest
> version of each and then it "just works" for newer OS versions so I'd only
> need to do so twice.  Running the bootstrap / autoreconf in %prep isn't
> ideal either and would suck in autotools build deps.

That makes sense. Including EL5 would be ideal (since I get the sense that majority of RedHat-based production mail servers are on EL systems), but I won't pitch a fit if you determine it's not worth the hassle.

I've changed the review flag to +, so if you're good to go, I think this baby is ready for the SCM Admin request.

Thank you everyone for so expeditiously resurrecting this package and getting it back on track. Easter pun intended. :)

Comment 22 Matt Domsch 2015-04-06 22:27:10 UTC
New Package SCM Request
=======================
Package Name: libspf2
Short Description: Implementation of the Sender Policy Framework for SMTP authorization
Upstream URL: http://www.libspf2.org/
Owners: mdomsch
Branches: el6 epel7 f20 f21
InitialCC: steve

Comment 23 Gwyn Ciesla 2015-04-07 13:36:06 UTC
Please use FAS in InitialCC, not email.

Comment 24 Matt Domsch 2015-04-07 15:19:30 UTC
Package Change Request
======================
Package Name: libspf2
New Branches: f22
Owners: mdomsch
InitialCC:

Comment 25 Gwyn Ciesla 2015-04-07 15:37:45 UTC
Git done (by process-git-requests).

Comment 26 Fedora Update System 2015-04-08 14:45:15 UTC
libspf2-1.2.10-5.20150405gitd57d79fd.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/libspf2-1.2.10-5.20150405gitd57d79fd.fc22

Comment 27 Fedora Update System 2015-04-08 14:46:06 UTC
libspf2-1.2.10-5.20150405gitd57d79fd.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/libspf2-1.2.10-5.20150405gitd57d79fd.fc21

Comment 28 Fedora Update System 2015-04-08 14:47:04 UTC
libspf2-1.2.10-5.20150405gitd57d79fd.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/libspf2-1.2.10-5.20150405gitd57d79fd.fc20

Comment 29 Fedora Update System 2015-04-08 14:47:34 UTC
libspf2-1.2.10-5.20150405gitd57d79fd.el7 has been submitted as an update for Fedora EPEL 7.
https://admin.fedoraproject.org/updates/libspf2-1.2.10-5.20150405gitd57d79fd.el7

Comment 30 Fedora Update System 2015-04-08 14:48:07 UTC
libspf2-1.2.10-5.20150405gitd57d79fd.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/libspf2-1.2.10-5.20150405gitd57d79fd.el6

Comment 31 Fedora Update System 2015-04-08 18:36:49 UTC
libspf2-1.2.10-5.20150405gitd57d79fd.fc22 has been pushed to the Fedora 22 testing repository.

Comment 32 Matt Domsch 2015-04-13 18:24:09 UTC
Package Change Request
======================
Package Name: libspf2
New Branches: el5
Owners: mdomsch
InitialCC:

Comment 33 Gwyn Ciesla 2015-04-13 19:23:07 UTC
Git done (by process-git-requests).

Comment 34 Fedora Update System 2015-04-13 20:59:00 UTC
libspf2-1.2.10-5.20150405gitd57d79fd.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/libspf2-1.2.10-5.20150405gitd57d79fd.el5

Comment 35 Fedora Update System 2015-04-22 22:43:44 UTC
libspf2-1.2.10-5.20150405gitd57d79fd.fc21 has been pushed to the Fedora 21 stable repository.

Comment 36 Fedora Update System 2015-04-22 22:55:05 UTC
libspf2-1.2.10-5.20150405gitd57d79fd.fc20 has been pushed to the Fedora 20 stable repository.

Comment 37 Fedora Update System 2015-04-22 22:56:26 UTC
libspf2-1.2.10-5.20150405gitd57d79fd.fc22 has been pushed to the Fedora 22 stable repository.

Comment 38 Fedora Update System 2015-06-01 17:05:31 UTC
libspf2-1.2.10-5.20150405gitd57d79fd.el5 has been pushed to the Fedora EPEL 5 stable repository.

Comment 39 Fedora Update System 2015-06-01 17:05:43 UTC
libspf2-1.2.10-5.20150405gitd57d79fd.el7 has been pushed to the Fedora EPEL 7 stable repository.

Comment 40 Fedora Update System 2015-06-01 17:05:51 UTC
libspf2-1.2.10-5.20150405gitd57d79fd.el6 has been pushed to the Fedora EPEL 6 stable repository.


Note You need to log in before you can comment on or make changes to this bug.