Bug 1223990 - Review Request: openssl101e - A general purpose cryptography library with TLS implementation
Summary: Review Request: openssl101e - A general purpose cryptography library with TLS...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: Package Review
Version: el5
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Andrew Beekhof
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-05-21 22:11 UTC by Robert Scheck
Modified: 2016-01-06 19:53 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-23 01:50:30 UTC
Type: Bug
andrew: fedora-review+


Attachments (Terms of Use)
Diff between current OpenSSL from RHEL 6 and this package (12.75 KB, patch)
2015-09-16 07:08 UTC, Robert Scheck
no flags Details | Diff

Description Robert Scheck 2015-05-21 22:11:36 UTC
Spec URL: http://labs.linuxnetz.de/bugzilla/openssl101e.spec
SRPM URL: http://labs.linuxnetz.de/bugzilla/openssl101e-1.0.1e-1.el5.src.rpm
Description: The OpenSSL toolkit provides support for secure communications 
between machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and protocols.


This package is intended only for EPEL 5 to provide some kind of forward
compatibility for specific applications. RHEL 5 is only shipping the very
old openssl-0.9.8e-34.el5_11. So this is openssl-1.0.1e-30.el6.8 from RHEL
6 modified to be installable along with the regular package. The package
itself was as less modified as possible to make the differences hopefully
easily reviewable.

Comment 2 Andrew Beekhof 2015-09-04 12:16:08 UTC
Didn't quote finish the review today. Will pick up again on Monday.

Comment 4 Andrew Beekhof 2015-09-16 03:55:55 UTC
Key:
 + pass
 - fail
 ? needs feedback/clarification
 NA Not applicable


MUST
+ rpmlint must be run on the source rpm and all binary rpms the build produces. The output should be posted in the review.

# rpmlint /var/lib/mock/epel-5-x86_64/result/*.rpm ./openssl101e.spec
openssl101e.src: W: spelling-error %description -l en_US cryptographic -> cryptography, cryptographer, crystallographic
openssl101e.src: W: strange-permission hobble-openssl 0755L
openssl101e.src: W: strange-permission make-dummy-cert 0755L
openssl101e.src: W: strange-permission renew-dummy-cert 0755L
openssl101e.src:289: W: mixed-use-of-spaces-and-tabs (spaces: line 3, tab: line 289)
openssl101e.src: W: invalid-url Source0: openssl-1.0.1e-hobbled.tar.xz
openssl101e.x86_64: W: spelling-error %description -l en_US cryptographic -> cryptography, cryptographer, crystallographic
openssl101e.x86_64: W: incoherent-version-in-changelog 1.0.1e-2 ['1.0.1e-2.el5.centos', '1.0.1e-2.centos']
openssl101e.x86_64: W: hidden-file-or-dir /usr/lib64/.libcrypto.so.10.hmac
openssl101e.x86_64: W: file-not-utf8 /usr/share/doc/openssl101e-1.0.1e/CHANGES
openssl101e.x86_64: W: hidden-file-or-dir /usr/lib64/.libcrypto.so.1.0.1e.hmac
openssl101e.x86_64: W: hidden-file-or-dir /usr/lib64/.libssl.so.10.hmac
openssl101e.x86_64: W: hidden-file-or-dir /usr/lib64/.libssl.so.1.0.1e.hmac
openssl101e.x86_64: W: no-manual-page-for-binary openssl101e
openssl101e.x86_64: W: install-file-in-docs /usr/share/doc/openssl101e-1.0.1e/INSTALL
openssl101e-debuginfo.x86_64: W: spurious-executable-perm /usr/src/debug/openssl-1.0.1e/crypto/bn/bn_const.c
openssl101e-devel.x86_64: W: spelling-error %description -l en_US cryptographic -> cryptography, cryptographer, crystallographic
openssl101e-devel.x86_64: W: only-non-binary-in-usr-lib
openssl101e-devel.x86_64: W: no-documentation
openssl101e-perl.x86_64: W: no-documentation
openssl101e-perl.x86_64: W: no-manual-page-for-binary c_rehash101e
openssl101e-static.x86_64: W: spelling-error %description -l en_US cryptographic -> cryptography, cryptographer, crystallographic
openssl101e-static.x86_64: W: no-documentation
./openssl101e.spec:289: W: mixed-use-of-spaces-and-tabs (spaces: line 3, tab: line 289)
./openssl101e.spec: W: invalid-url Source0: openssl-1.0.1e-hobbled.tar.xz
6 packages and 1 specfiles checked; 0 errors, 25 warnings.

'invalid-url' is adequately explained in the spec file, although a link to the original tarball might be a good.
It would be nice if 'mixed-use-of-spaces-and-tabs' was fixed but 'spelling-error' is clearly bogus.
Could I get some comment on 'strange-permission' and 'hidden-file-or-dir' though?
Some other minor cleanups seem to be called for.


+ The package must be named according to the Package Naming Guidelines .

Consistent with the section on 'Multiple packages with the same base name'

+ The spec file name must match the base package %{name}, in the format %{name}.spec unless your package has an exemption. 
+ The package must meet the Packaging Guidelines .
+ The package must be licensed with a Fedora approved license and meet the Licensing Guidelines .
+ The License field in the package spec file must match the actual license. 
+ If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package must be included in %license.
+ The spec file must be written in American English. 
+ The spec file for the package MUST be legible. 
+ The sources used to build the package must match the upstream source, as provided in the spec URL. Reviewers should use sha256sum for this task as it is used by the sources file once imported into git. If no upstream URL can be specified for this package, please see the Source URL Guidelines for how to deal with this.

Consistent with 'When Upstream uses Prohibited Code'

+  The package MUST successfully compile and build into binary rpms on at least one primary architecture. 
NA If the package does not successfully compile, build or work on an architecture, then those architectures should be listed in the spec in ExcludeArch. NA Each architecture listed in ExcludeArch MUST have a bug filed in bugzilla, describing the reason that the package does not compile/build/work on that architecture. The bug number MUST be placed in a comment, next to the corresponding ExcludeArch line. 
+ All build dependencies must be listed in BuildRequires, except for any that are listed in the exceptions section of the Packaging Guidelines ; inclusion of those as BuildRequires is optional. Apply common sense.
+ The spec file MUST handle locales properly. This is done by using the %find_lang macro. Using %{_datadir}/locale/* is strictly forbidden.
+ Every binary RPM package (or subpackage) which stores shared library files (not just symlinks) in any of the dynamic linker's default paths, must call ldconfig in %post and %postun. 
+ Packages must NOT bundle copies of system libraries.
+ If the package is designed to be relocatable, the packager must state this fact in the request for review, along with the rationalization for relocation of that specific package. Without this, use of Prefix: /usr is considered a blocker. 

Does not claim to be relocatable
Does hardcode /usr in: --with-krb5-dir=/usr

+ A package must own all directories that it creates. If it does not create a directory that it uses, then it should require a package which does create that directory. 

Directories are owned by openssl which is Required: by this package  

+ A Fedora package must not list a file more than once in the spec file's %files listings. (Notable exception: license texts in specific situations)
? Permissions on files must be set properly. Executables should be set with executable permissions, for example. 

Question outstanding from rpmlint output

+  Each package must consistently use macros. 
+  The package must contain code, or permissible content. 
+  Large documentation files must go in a -doc subpackage. (The definition of large is left up to the packager's best judgement, but is not restricted to size. Large can refer to either size or quantity). 
+  If a package includes something as %doc, it must not affect the runtime of the application. To summarize: If it is in %doc, the program must run properly if it is not present. 
+  Static libraries must be in a -static package. 
+  Development files must be in a -devel package. 
+  In the vast majority of cases, devel packages must require the base package using a fully versioned dependency: Requires: %{name}%{?_isa} = %{version}-%{release} 
+  Packages must NOT contain any .la libtool archives, these must be removed in the spec if they are built.
NA Packages containing GUI applications must include a %{name}.desktop file, and that file must be properly installed with desktop-file-install in the %install section. If you feel that your packaged GUI application does not need a .desktop file, you must put a comment in the spec file with your explanation. 
+ Packages must not own files or directories already owned by other packages. The rule of thumb here is that the first package to be installed should own the files or directories that other packages may rely upon. This means, for example, that no package in Fedora should ever share ownership with any of the files or directories owned by the filesystem or man package. If you feel that you have a good reason to own a file or directory that another package owns, then please present that at package review time. 
+ All filenames in rpm packages must be valid UTF-8. 


SHOULD
NA If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it. 
NA The description and summary sections in the package spec file should contain translations for supported Non-English languages, if available. 
+ The reviewer should test that the package builds in mock. 
+ The package should compile and build into binary rpms on all supported architectures. 
? The reviewer should test that the package functions as described. A package should not segfault instead of running, for example.

I do not have a centos5 box to test on

+ If scriptlets are used, those scriptlets must be sane. This is vague, and left up to the reviewers judgement to determine sanity. 
+ Usually, subpackages other than devel should require the base package using a fully versioned dependency. 
+ The placement of pkgconfig(.pc) files depends on their usecase, and this is usually for development purposes, so should be placed in a -devel pkg. A reasonable exception is that the main pkg itself is a devel tool not installed in a user runtime, e.g. gcc or gdb. 
NA If the package has file dependencies outside of /etc, /bin, /sbin, /usr/bin, or /usr/sbin consider requiring the package which provides the file instead of the file itself. 
- your package should contain man pages for binaries/scripts. If it doesn't, work with upstream to add them where they make sense.

There is one missing as per rpmlint

Comment 5 Robert Scheck 2015-09-16 07:08:29 UTC
Created attachment 1073906 [details]
Diff between current OpenSSL from RHEL 6 and this package

I am a bit confused now: Basically this package is a clone of an existing
package that theoretically should have been walked through a review already,
plus a few less changes (as per this diff).

What has been removed (because it IMHO doesn't make sense to have conflicts)
compared to the regular openssl package that is needed for PKI stuff) are
the man pages and some (redundant) scripts. So in case some packages issues 
exist, the likely exist in openssl in Fedora (and RHEL), too :-(

Comment 6 Andrew Beekhof 2015-09-24 05:27:59 UTC
(In reply to Robert Scheck from comment #5)
> Created attachment 1073906 [details]
> Diff between current OpenSSL from RHEL 6 and this package
> 
> I am a bit confused now: Basically this package is a clone of an existing
> package that theoretically should have been walked through a review already,
> plus a few less changes (as per this diff).

Well... the original version went through a review way back when and maintainers are supposed to keep their packages compliant with the rules, but sometimes mistakes are made and rules change.

> 
> What has been removed (because it IMHO doesn't make sense to have conflicts)
> compared to the regular openssl package that is needed for PKI stuff) are
> the man pages and some (redundant) scripts. So in case some packages issues 
> exist, the likely exist in openssl in Fedora (and RHEL), too :-(

Very likely, however new packages need to meet the criteria of the day, or at least address why an exception is justified, before they can be accepted.

You may want to report them so you can incorporate the fixes or reuse their justifications.

wrt. man pages, does the new one differ much from the existing one? If not, perhaps create a simlink so that people can see what it is/does (without needing to know the original binary name).

Comment 7 Robert Scheck 2015-09-24 09:25:18 UTC
(In reply to Andrew Beekhof from comment #4)
> 'invalid-url' is adequately explained in the spec file, although a link to
> the original tarball might be a good.

I don't think Fedora isn't allowed to promote potentially legally encumbered
software directly, this is also why OpenSSL is hubbled (as the comment says).
Given latest Fedora doesn't do this as well, I would raise FE-Legal here, if
you insist to a link/URL to the original tarball.

> Could I get some comment on 'strange-permission' and 'hidden-file-or-dir'
> though?

These files are created by something like fipscheck(1). They are treated as
"hidden" because they start with a "." - which is how the concept works. But
I don't know (and don't see) why there are treated as 'strange-permission'.

(In reply to Andrew Beekhof from comment #6)
> wrt. man pages, does the new one differ much from the existing one? If not,
> perhaps create a simlink so that people can see what it is/does (without
> needing to know the original binary name).

Most of the man pages are the same or at least quite similar from what I can
see. Given the old man pages will be anyway always there, I am not sure if it
makes sense to supply the "new" ones being not really a benefit but having
strange names (because otherwise they would conflict with the main openssl
packages). The online documentation of OpenSSL is more up-to-date through. I
think (if at all) it only makes sense for "man openssl101e" given that is the
only binary being named different where one could expect another man page.

Something else left?

Comment 8 Robert Scheck 2015-09-28 22:42:26 UTC
Spec URL: http://labs.linuxnetz.de/bugzilla/openssl101e.spec
SRPM URL: http://labs.linuxnetz.de/bugzilla/openssl101e-1.0.1e-4.src.rpm

Fixes 'strange-permission' warning and adds the openssl101e man page.

Comment 9 Andrew Beekhof 2015-10-19 04:13:39 UTC
New output:

openssl101e.x86_64: W: spelling-error %description -l en_US cryptographic -> cryptography, cryptographer, crystallographic
openssl101e.x86_64: W: incoherent-version-in-changelog 1.0.1e-4 ['1.0.1e-4.el5.centos', '1.0.1e-4.centos']
openssl101e.x86_64: W: hidden-file-or-dir /usr/lib64/.libcrypto.so.10.hmac
openssl101e.x86_64: W: hidden-file-or-dir /usr/lib64/.libcrypto.so.1.0.1e.hmac
openssl101e.x86_64: W: hidden-file-or-dir /usr/lib64/.libssl.so.10.hmac
openssl101e.x86_64: W: hidden-file-or-dir /usr/lib64/.libssl.so.1.0.1e.hmac
openssl101e.x86_64: W: install-file-in-docs /usr/share/doc/openssl101e-1.0.1e/INSTALL
openssl101e-devel.x86_64: W: spelling-error %description -l en_US cryptographic -> cryptography, cryptographer, crystallographic
openssl101e-devel.x86_64: W: only-non-binary-in-usr-lib
openssl101e-devel.x86_64: W: no-documentation
openssl101e-perl.x86_64: W: no-documentation
openssl101e-perl.x86_64: W: no-manual-page-for-binary c_rehash101e
openssl101e-static.x86_64: W: spelling-error %description -l en_US cryptographic -> cryptography, cryptographer, crystallographic
openssl101e-static.x86_64: W: no-documentation
openssl101e.spec:313: W: mixed-use-of-spaces-and-tabs (spaces: line 3, tab: line 313)
openssl101e.spec: W: invalid-url Source0: openssl-1.0.1e-hobbled.tar.xz
5 packages and 1 specfiles checked; 0 errors, 16 warnings.


Some nit-picks:

- rpmlint is wanting the %changelog version to be '1.0.1e-4.el5.centos'
- drop /usr/share/doc/openssl101e-1.0.1e/INSTALL
- is c_rehash101e necessary?  is there any case where it should be used over c_rehash? perhaps drop it (which would take care of the no-manual-page-for-binary) warning.

The other points:
- spelling-error: these are not errors
- invalid-url: as discussed, there are legal reasons to leave as-is 
- hidden-file-or-dir, only-non-binary-in-usr-lib: I don't think its appropriate to move these files around in a respin
- no-documentation: I can not find anything in the guidelines that suggests every sub-package needs docs.  I think we can ignore these as sufficient docs are included with the main package.


With the above changes I would claim this package meets the requirements.

Comment 10 Robert Scheck 2015-10-19 19:44:20 UTC
(In reply to Andrew Beekhof from comment #9)
> - rpmlint is wanting the %changelog version to be '1.0.1e-4.el5.centos'

This only happens as long as mock uses CentOS rather RHEL (while official
EPEL builds happen against RHEL), so this disappears by itself.

> - drop /usr/share/doc/openssl101e-1.0.1e/INSTALL

Done.

> - is c_rehash101e necessary?  is there any case where it should be used
> over c_rehash? perhaps drop it (which would take care of the
> no-manual-page-for-binary) warning.

Everything that uses openssl101e should use c_rehash101e, too. Background:
With OpenSSL 1.0.0 the old-style hashing using MD5 was changed to SHA-1.
But as usually both OpenSSL versions are around, c_rehash101e creates links
in old and current style by default (to avoid breaking compatibility).
However, before OpenSSL 1.0.2 there is no man page for c_rehash anyway in
upstream sources (= no man page for c_rehash in RHEL/CentOS 6).

> With the above changes I would claim this package meets the requirements.

Anything else left? Given the only change is now the removal of INSTALL
from %doc, do you need an updated package or would it be fine to perform
this minor change after import into VCS (but before building, thus this
gets trackable)?

Comment 11 Robert Scheck 2015-11-26 10:42:38 UTC
Andrew, sorry for pushing this a bit, but this package makes only sense while 
RHEL/CentOS 5 is still being actively used ;-) What is left to get this review
finished/approved?

Comment 12 Gwyn Ciesla 2015-12-07 14:28:41 UTC
Package request has been approved: https://admin.fedoraproject.org/pkgdb/package/openssl101e

Comment 13 Robert Scheck 2015-12-07 20:00:54 UTC
Andrew, thank you really very much for the review!

Comment 14 Fedora Update System 2015-12-07 20:13:12 UTC
openssl101e-1.0.1e-4.el5 has been submitted as an update to Fedora EPEL 5. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-1bef47ba4b

Comment 15 Fedora Update System 2015-12-08 07:47:46 UTC
openssl101e-1.0.1e-4.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'yum --enablerepo=epel-testing update openssl101e'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-1bef47ba4b

Comment 16 Fedora Update System 2015-12-22 08:37:06 UTC
openssl101e-1.0.1e-5.el5 has been submitted as an update to Fedora EPEL 5. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-11c5c57d59

Comment 17 Fedora Update System 2015-12-22 22:48:26 UTC
openssl101e-1.0.1e-5.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-11c5c57d59

Comment 18 Fedora Update System 2015-12-23 01:50:26 UTC
openssl101e-1.0.1e-4.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2016-01-06 19:53:03 UTC
openssl101e-1.0.1e-5.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.