Bug 1128384 - Review Request: obs-signd - The OBS sign daemon
Summary: Review Request: obs-signd - The OBS sign daemon
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Miroslav Suchý
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-08-09 21:20 UTC by Josef Stribny
Modified: 2016-01-04 05:53 UTC (History)
4 users (show)

Fixed In Version: obs-signd-2.2.1-4.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-08-27 07:54:30 UTC
msuchy: fedora-review+
gwync: fedora-cvs+


Attachments (Terms of Use)

Description Josef Stribny 2014-08-09 21:20:05 UTC
Spec URL: http://data-strzibny.rhcloud.com/obs/obs-signd.spec
SRPM URL: http://data-strzibny.rhcloud.com/obs/obs-signd-2.2.1-1.src.rpm
Koji: http://koji.fedoraproject.org/koji/taskinfo?taskID=7268563

Description: This daemon can be used to sign anything via gpg by communicating with a remote server to avoid the need to host the private key on the same server.
Fedora Account System Username: jstribny

Comment 1 Adam Samalik 2014-08-19 15:12:22 UTC
I did the review, but I am not approved package reviewer - so please maybe check it :-)

## MUST ##

[x]: rpmlint must be run on the source rpm and all binary rpms the build produces. The output should be posted in the review.
[x]: The package must be named according to the Package Naming Guidelines.
[x]: The spec file name must match the base package %{name}, in the format %{name}.spec unless your package has an exemption. 
[x]: The package must meet the Packaging Guidelines - EXCLUDING [!]s from this report
[x]: The package must be licensed with a Fedora approved license and meet the Licensing Guidelines.
[x]: The License field in the package spec file must match the actual license.
[x]: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package must be included in %doc.
[x]: The spec file must be written in American English.
[x]: The spec file for the package MUST be legible.
[!]: The sources used to build the package must match the upstream source, as provided in the spec URL. Reviewers should use sha256sum for this task as it is used by the sources file once imported into git. If no upstream URL can be specified for this package, please see the Source URL Guidelines for how to deal with this.
[x]: The package MUST successfully compile and build into binary rpms on at least one primary architecture.
[x]: If the package does not successfully compile, build or work on an architecture, then those architectures should be listed in the spec in ExcludeArch. Each architecture listed in ExcludeArch MUST have a bug filed in bugzilla, describing the reason that the package does not compile/build/work on that architecture. The bug number MUST be placed in a comment, next to the corresponding ExcludeArch line.
[x]: All build dependencies must be listed in BuildRequires, except for any that are listed in the exceptions section of the Packaging Guidelines ; inclusion of those as BuildRequires is optional. Apply common sense.
[x]: The spec file MUST handle locales properly. This is done by using the %find_lang macro. Using %{_datadir}/locale/* is strictly forbidden.
[x]: Every binary RPM package (or subpackage) which stores shared library files (not just symlinks) in any of the dynamic linker's default paths, must call ldconfig in%post and %postun.
[x]: Packages must NOT bundle copies of system libraries.
[x]: If the package is designed to be relocatable, the packager must state this fact in the request for review, along with the rationalization for relocation of that specific package. Without this, use of Prefix: /usr is considered a blocker.
[x]: A package must own all directories that it creates. If it does not create a directory that it uses, then it should require a package which does create that directory.
[x]: A Fedora package must not list a file more than once in the spec file's %files listings. (Notable exception: license texts in specific situations)
[!]: Permissions on files must be set properly. Executables should be set with executable permissions, for example.
[!]: Each package must consistently use macros.
[x]: The package must contain code, or permissible content.
[x]: Large documentation files must go in a -doc subpackage. (The definition of large is left up to the packager's best judgement, but is not restricted to size. Large can refer to either size or quantity).
[x]: If a package includes something as %doc, it must not affect the runtime of the application. To summarize: If it is in %doc, the program must run properly if it is not present.
[x]: Static libraries must be in a -static package.
[x]: Development files must be in a -devel package.
[x]: In the vast majority of cases, devel packages must require the base package using a fully versioned dependency: Requires: %{name}%{?_isa} = %{version}-%{release}
[x]: Packages must NOT contain any .la libtool archives, these must be removed in the spec if they are built.
[x]: Packages containing GUI applications must include a %{name}.desktop file, and that file must be properly installed with desktop-file-install in the %install section. If you feel that your packaged GUI application does not need a .desktop file, you must put a comment in the spec file with your explanation.
[x]: Packages must not own files or directories already owned by other packages. The rule of thumb here is that the first package to be installed should own the files or directories that other packages may rely upon. This means, for example, that no package in Fedora should ever share ownership with any of the files or directories owned by the filesystem or man package. If you feel that you have a good reason to own a file or directory that another package owns, then please present that at package review time.
[x]: All filenames in rpm packages must be valid UTF-8.

## SHOULD ##

[x]: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it.
[x]: The description and summary sections in the package spec file should contain translations for supported Non-English languages, if available.
[x]: The reviewer should test that the package builds in mock.
[x]: The package should compile and build into binary rpms on all supported architectures.
[ ]: The reviewer should test that the package functions as described. A package should not segfault instead of running, for example.
[x]: If scriptlets are used, those scriptlets must be sane. This is vague, and left up to the reviewers judgement to determine sanity.
[x]: Usually, subpackages other than devel should require the base package using a fully versioned dependency.
[x]: The placement of pkgconfig(.pc) files depends on their usecase, and this is usually for development purposes, so should be placed in a -devel pkg. A reasonable exception is that the main pkg itself is a devel tool not installed in a user runtime, e.g. gcc or gdb.
[x]: If the package has file dependencies outside of /etc, /bin, /sbin, /usr/bin, or /usr/sbin consider requiring the package which provides the file instead of the file itself.
[!]: your package should contain man pages for binaries/scripts. If it doesn't, work with upstream to add them where they make sense.


## ADDITIONAL INFO ##

Package doesn't match the upstream:
-----------------------------------
$ diff pkg git
diff pkg/sign.c git/sign.c
942a943
>   int optval;
992a994,995
>   optval = 1;
>   setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, &optval, sizeof(optval));
diff pkg/signd git/signd
492a493
>   setsockopt(CS, SOL_SOCKET, SO_KEEPALIVE, pack("l",1));


Consistent use of macros:
-------------------------
there are some uses of full path instead of macros like:
%config(noreplace) /etc/sign.conf

also mixing of $BOTH %{_styles}:
  install -m 0644 sig*.${f}.gz $RPM_BUILD_ROOT%{_mandir}/man${f}/


Rpmlint
-------
Checking: obs-signd-2.2.1-1.x86_64.rpm
          obs-signd-2.2.1-1.src.rpm
obs-signd.x86_64: W: spelling-error %description -l en_US gpg -> pg, gig, gag
obs-signd.x86_64: W: non-standard-gid /usr/bin/sign obsrun
obs-signd.x86_64: E: setuid-binary /usr/bin/sign root 04750L
obs-signd.x86_64: E: non-standard-executable-perm /usr/bin/sign 04750L
obs-signd.x86_64: E: non-standard-executable-perm /usr/bin/sign 04750L
obs-signd.src: W: spelling-error %description -l en_US gpg -> pg, gig, gag
obs-signd.src:65: E: hardcoded-library-path in /usr/lib/obs
obs-signd.src: W: invalid-url Source0: obs-signd-2.2.1.tar.bz2
2 packages and 0 specfiles checked; 4 errors, 4 warnings.



Rpmlint (installed packages)
----------------------------
# rpmlint obs-signd
obs-signd.x86_64: W: spelling-error %description -l en_US gpg -> pg, gig, gag
obs-signd.x86_64: W: non-standard-gid /usr/bin/sign obsrun
obs-signd.x86_64: E: setuid-binary /usr/bin/sign root 04750L
obs-signd.x86_64: E: non-standard-executable-perm /usr/bin/sign 04750L
obs-signd.x86_64: E: non-standard-executable-perm /usr/bin/sign 04750L
1 packages and 0 specfiles checked; 3 errors, 2 warnings.
# echo 'rpmlint-done:'

Comment 2 Josef Stribny 2014-08-22 12:31:33 UTC
Thanks for the informal review.

> Package doesn't match the upstream:

Did you compare it with the right released tag (2.2.1)[1] or with master? I didn't do any modifications to those files. I added this step to the specfile's comments so it's clearer now.


> Consistent use of macros:

I united the macros and changed the paths without macros to use them.


> Rpmlint

This is how the obs-sign is designed to be run by upstream. Do you have any concrete objection on what rpmlint says?


Spec URL: http://data-strzibny.rhcloud.com/obs/obs-signd.spec
SRPM URL: http://data-strzibny.rhcloud.com/obs/obs-signd-2.2.1-2.src.rpm
Koji: http://koji.fedoraproject.org/koji/taskinfo?taskID=7438778


[1] https://github.com/openSUSE/obs-sign/tree/2.2.1

Comment 3 Miroslav Suchý 2014-08-25 12:23:53 UTC
This:
for f in `ls sig*.{5,8}`; do
  gzip -9 ${f}
done
is not needed as rpm will gzip or xz those man pages anyway.

Before adding user/group you should first check if it exist. See:
https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAndGroups#Dynamic_allocation

Otherwise it looks good to me.

Comment 5 Miroslav Suchý 2014-08-25 15:58:20 UTC
You can even remove
   2> /dev/null || :
in both cases as this will not fail now (because you check for the existence).

Can you please try if the program work with:
  %global _hardened_build 1
http://fedoraproject.org/wiki/Packaging:Guidelines?rd=Packaging/Guidelines#Compiler_flags

Please add dist tag to Release (this is actually only one last blocker).

Package Review
==============

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated
[ ] = Manual review needed


===== MUST items =====

C/C++:
[x]: Package does not contain kernel modules.
[x]: Package contains no static executables.
[x]: Package does not contain any libtool archives (.la)
[x]: Rpath absent or only used for internal libs.

Generic:
[x]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[x]: If (and only if) the source package includes the text of the license(s)
     in its own file, then that file, containing the text of the license(s)
     for the package is included in %doc.
[x]: License field in the package spec file matches the actual license.
[x]: %build honors applicable compiler flags or justifies otherwise.
[x]: Package contains no bundled libraries without FPC exception.
[x]: Changelog in prescribed format.
[x]: Sources contain only permissible code or content.
[-]: Package contains desktop file if it is a GUI application.
[-]: Development files must be in a -devel package
[x]: Package uses nothing in %doc for runtime.
[x]: Package consistently uses macros (instead of hard-coded directory names).
[x]: Package is named according to the Package Naming Guidelines.
[x]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[x]: Requires correct, justified where necessary.
[x]: Spec file is legible and written in American English.
[x]: Useful -debuginfo package or justification otherwise.
[x]: Package is not known to require an ExcludeArch tag.
[x]: Package complies to the Packaging Guidelines
[x]: Package successfully compiles and builds into binary rpms on at least one
     supported primary architecture.
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: Package requires other packages for directories it uses.
[x]: Package must own all directories that it creates.
[x]: Package does not own files or directories owned by other packages.
[x]: All build dependencies are listed in BuildRequires, except for any that
     are listed in the exceptions section of Packaging Guidelines.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
[x]: %config files are marked noreplace or the reason is justified.
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Package does not contain duplicates in %files.
[x]: Package use %makeinstall only when make install' ' DESTDIR=... doesn't
     work.
[x]: Package is named using only allowed ASCII characters.
[x]: No %config files under /usr.
[x]: Package do not use a name that already exist
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as provided
     in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[x]: Package contains systemd file(s) if in need.
[x]: File names are valid UTF-8.
[x]: Large documentation must go in a -doc subpackage. Large could be size
     (~1MB) or number of files.
     Note: Documentation size is 0 bytes in 0 files.
[x]: Packages must not store files under /srv, /opt or /usr/local

===== SHOULD items =====

Generic:
[!]: Dist tag is present (not strictly required in GL).
[x]: If the source package does not include license text(s) as a separate file
     from upstream, the packager SHOULD query upstream to include it.
[x]: Final provides and requires are sane.
[x]: Package functions as described.
[x]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[x]: Patches link to upstream bugs/comments/lists or are otherwise justified.
[x]: SourceX tarball generation or download is documented.
     Note: Package contains tarball without URL, check comments
[-]: Description and summary sections in the package spec file contains
     translations for supported Non-English languages, if available.
[x]: Package should compile and build into binary rpms on all supported
     architectures.
[-]: %check is present and all tests pass.
[x]: Packages should try to preserve timestamps of original installed files.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[-]: SourceX is a working URL.
[x]: Spec use %global instead of %define unless justified.

===== EXTRA items =====

Generic:
[x]: Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).
[x]: Large data in /usr/share should live in a noarch subpackage if package is
     arched.
[x]: Spec file according to URL is the same as in SRPM.

Comment 7 Miroslav Suchý 2014-08-26 09:41:30 UTC
APPROVED

Comment 8 Josef Stribny 2014-08-26 12:34:43 UTC
New Package SCM Request
=======================
Package Name: obs-signd
Short Description: The OBS sign daemon
Upstream URL: https://github.com/openSUSE/obs-sign
Owners: jstribny
Branches: f21
InitialCC:

Comment 9 Gwyn Ciesla 2014-08-26 15:21:38 UTC
Git done (by process-git-requests).

Comment 10 Josef Stribny 2014-09-22 06:34:36 UTC
Package Change Request
======================
Package Name: obs-sign
New Branches: f20
Owners: jstribny
InitialCC: 

I forgot on f20. obs-signd will be used in Copr.

Comment 11 Gwyn Ciesla 2014-09-23 12:16:43 UTC
Package does not exist in pkgdb, should be a New Package Request.

Comment 12 Josef Stribny 2014-09-23 13:18:34 UTC
Oh, sorry, there was a typo. I missed the "d" at the end:

Package Change Request
======================
Package Name: obs-signd
New Branches: f20
Owners: jstribny
InitialCC:

Comment 13 Gwyn Ciesla 2014-09-23 14:34:46 UTC
Git done (by process-git-requests).


Note You need to log in before you can comment on or make changes to this bug.