Bug 1232433 - Review Request: python-certifi - Python package for providing Mozilla's CA Bundle
Summary: Review Request: python-certifi - Python package for providing Mozilla's CA Bu...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody's working on this, feel free to take it
QA Contact: Fedora Extras Quality Assurance
Jonathan Underwood
URL:
Whiteboard:
Depends On:
Blocks: 1230968
TreeView+ depends on / blocked
 
Reported: 2015-06-16 18:19 UTC by William Moreno
Modified: 2015-07-29 01:43 UTC (History)
3 users (show)

Fixed In Version: python-certifi-2015.04.28-5.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-07-27 16:33:39 UTC
Type: ---
jonathan.underwood: fedora-review+
gwync: fedora-cvs+


Attachments (Terms of Use)

Description William Moreno 2015-06-16 18:19:55 UTC
Spec URL: http://rmsconsultoresnicaragua.com/rpmdev/python-certifi.spec
SRPM URL: http://rmsconsultoresnicaragua.com/rpmdev/python-certifi-2015.04.28-1.fc22.src.rpm
Description: Python package for providing Mozilla's CA Bundle
Fedora Account System Username: williamjmorenor

Comment 1 Jonathan Underwood 2015-06-17 13:45:54 UTC
OK, first question. This package ships some CA certs under /usr/lib/python... Fedora has a goal of sharing CAcerts system wide, and an application or library bundling its own cacerts is potentially a security problem. Unfortunately there aren't any packaging guidelines about this as far as I can see. Here are some useful links:

https://fedoraproject.org/wiki/Features/SharedSystemCertificates

https://lists.fedoraproject.org/pipermail/devel/2014-January/193617.html

So, my questions are:

1) Why isn't this package using the system wide cacert bundle?

2) If there's a good answer to (1), why aren't the certs stored under /etc/pki/python-certifi or somesuch application directory?

I'm cc'ing Stef on this bug in the hope he might offer some guidance here (Kai's email address no longer seems valid).

Comment 2 William Moreno 2015-06-17 14:49:44 UTC
Look like I can remove the bundle certificate and use a symlink, in python-requests if done in this way:

http://pkgs.fedoraproject.org/cgit/python-requests.git/tree/python-requests.spec

But I will wait for aditional comments.

Comment 3 Jonathan Underwood 2015-06-17 15:14:43 UTC
Yes, that does seem like a good approach.

Comment 4 Jonathan Underwood 2015-06-17 16:06:34 UTC
Note also that this package actually was previously in Fedora, and has been orphaned and remove. dead.package contains:

2014-06-04 - This package was already retired in pkgdb/blocked in koji, but no dead.package file existed. The original retirement reason is unclear.

pkgdb entry:

https://admin.fedoraproject.org/pkgdb/package/python-certifi/

Un-orphaning it requires a package review anyway, and your packaging is much better as it adds in py3 support.

Comment 5 Jonathan Underwood 2015-06-17 16:22:39 UTC
Package Review
==============

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated
[ ] = Manual review needed


Issues:
=======
- Package does not use a name that already exists.
  Note: A package with this name already exists. Please check
  https://admin.fedoraproject.org/pkgdb/acls/name/python-certifi
  See:
  https://fedoraproject.org/wiki/Packaging/NamingGuidelines#Conflicting_Package_Names

---> Package was previously orphaned.

- Package bundles cacerts (n the wrong location) - better to symlink
  to system cacert bundle, and add appropriate Requires.


- Package contains files with shellbangs at the top which need
removing - see rpmlint output  below.

- Other issues below.


===== MUST items =====

Generic:
[!]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.

The spec file has the License field specifying ISC as the license. But
the LICENSE file in the source states:

This Source Code Form is subject to the terms of the Mozilla Public License,
v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain
one at http://mozilla.org/MPL/2.0/.

So, I think the license field is incorrect.

Also, the LICENSE file doesn't actually contain the full text of the
license, just merely a URL to download it from. Packaging guidelines
state that a full copy of the LICENSE file is included with the
source, so you'll need to work with upstream to include the full license.

[!]: If (and only if) the source package includes the text of the
     license(s) in its own file, then that file, containing the text of the
     license(s) for the package is included in %license.
[!]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses
     found: "Unknown or generated". 7 files have unknown license. Detailed
     output of licensecheck in /home/jgu/Fedora/1232433-python-
     certifi/licensecheck.txt
[!]: License file installed when any subpackage combination is installed.

The LICENSE file isn't installed (even though it has the problem
mentioned above).


[x]: Package contains no bundled libraries without FPC exception.
[x]: Changelog in prescribed format.
[x]: Sources contain only permissible code or content.
[-]: Package contains desktop file if it is a GUI application.
[-]: Development files must be in a -devel package
[x]: Package uses nothing in %doc for runtime.
[x]: Package consistently uses macros (instead of hard-coded directory
     names).
[x]: Package is named according to the Package Naming Guidelines.
[x]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[!]: Requires correct, justified where necessary.

Unbundling the certs will require adding an extra Require to pull in
the cacerts.

[x]: Spec file is legible and written in American English.
[-]: Package contains systemd file(s) if in need.
[x]: Package is not known to require an ExcludeArch tag.
[x]: Large documentation must go in a -doc subpackage. Large could be size
     (~1MB) or number of files.
     Note: Documentation size is 20480 bytes in 2 files.
[!]: Package complies to the Packaging Guidelines

See above.

[x]: Package successfully compiles and builds into binary rpms on at least
     one supported primary architecture.
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: Package requires other packages for directories it uses.
[x]: Package must own all directories that it creates.
[x]: Package does not own files or directories owned by other packages.
[x]: All build dependencies are listed in BuildRequires, except for any
     that are listed in the exceptions section of Packaging Guidelines.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Dist tag is present.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package use %makeinstall only when make install DESTDIR=... doesn't
     work.
[x]: Package is named using only allowed ASCII characters.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as
     provided in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Packages must not store files under /srv, /opt or /usr/local

Python:
[x]: Python eggs must not download any dependencies during the build
     process.
[x]: A package which is used by another package via an egg interface should
     provide egg info.
[x]: Package meets the Packaging Guidelines::Python
[x]: Package contains BR: python2-devel or python3-devel
[x]: Binary eggs must be removed in %prep

===== SHOULD items =====

Generic:
[!]: If the source package does not include license text(s) as a separate
     file from upstream, the packager SHOULD query upstream to include it.
[x]: Final provides and requires are sane (see attachments).
[-]: Fully versioned dependency in subpackages if applicable.
     Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in
     python3-certifi
[x]: Package functions as described.
[x]: Latest version is packaged.
[!]: Package does not include license text files separate from upstream.
[x]: Description and summary sections in the package spec file contains
     translations for supported Non-English languages, if available.
[x]: Package should compile and build into binary rpms on all supported
     architectures.
[-]: %check is present and all tests pass.
[x]: Packages should try to preserve timestamps of original installed
     files.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: Sources can be downloaded from URI in Source: tag
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: SourceX is a working URL.
[x]: Spec use %global instead of %define unless justified.

===== EXTRA items =====

Generic:
[x]: Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).
[x]: Spec file according to URL is the same as in SRPM.


Rpmlint
-------
Checking: python-certifi-2015.04.28-1.fc22.noarch.rpm
          python3-certifi-2015.04.28-1.fc22.noarch.rpm
          python-certifi-2015.04.28-1.fc22.src.rpm
python-certifi.noarch: E: non-executable-script /usr/lib/python2.7/site-packages/certifi/core.py 0644L /usr/bin/env
python-certifi.noarch: W: pem-certificate /usr/lib/python2.7/site-packages/certifi/mkcert.pem
python-certifi.noarch: W: pem-certificate /usr/lib/python2.7/site-packages/certifi/cacert.pem
python-certifi.noarch: W: pem-certificate /usr/lib/python2.7/site-packages/certifi/old_root.pem
python3-certifi.noarch: W: pem-certificate /usr/lib/python3.4/site-packages/certifi/mkcert.pem
python3-certifi.noarch: W: pem-certificate /usr/lib/python3.4/site-packages/certifi/cacert.pem
python3-certifi.noarch: W: pem-certificate /usr/lib/python3.4/site-packages/certifi/old_root.pem
python3-certifi.noarch: E: non-executable-script /usr/lib/python3.4/site-packages/certifi/core.py 0644L /usr/bin/env
3 packages and 0 specfiles checked; 2 errors, 6 warnings.




Rpmlint (installed packages)
----------------------------
python3-certifi.noarch: W: pem-certificate /usr/lib/python3.4/site-packages/certifi/mkcert.pem
python3-certifi.noarch: W: pem-certificate /usr/lib/python3.4/site-packages/certifi/cacert.pem
python3-certifi.noarch: W: pem-certificate /usr/lib/python3.4/site-packages/certifi/old_root.pem
python3-certifi.noarch: E: non-executable-script /usr/lib/python3.4/site-packages/certifi/core.py 0644L /usr/bin/env
python-certifi.noarch: E: non-executable-script /usr/lib/python2.7/site-packages/certifi/core.py 0644L /usr/bin/env
python-certifi.noarch: W: pem-certificate /usr/lib/python2.7/site-packages/certifi/mkcert.pem
python-certifi.noarch: W: pem-certificate /usr/lib/python2.7/site-packages/certifi/cacert.pem
python-certifi.noarch: W: pem-certificate /usr/lib/python2.7/site-packages/certifi/old_root.pem
2 packages and 0 specfiles checked; 2 errors, 6 warnings.



Requires
--------
python3-certifi (rpmlib, GLIBC filtered):
    python(abi)

python-certifi (rpmlib, GLIBC filtered):
    python(abi)
    python3



Provides
--------
python3-certifi:
    python3-certifi

python-certifi:
    python-certifi



Source checksums
----------------
https://pypi.python.org/packages/source/c/certifi/certifi-2015.04.28.tar.gz :
  CHECKSUM(SHA256) this package     : 99785e6cf715cdcde59dee05a676e99f04835a71e7ced201ca317401c322ba96
  CHECKSUM(SHA256) upstream package : 99785e6cf715cdcde59dee05a676e99f04835a71e7ced201ca317401c322ba96


Generated by fedora-review 0.6.0 (3c5c9d7) last change: 2015-05-20
Command line :/usr/bin/fedora-review -b 1232433
Buildroot used: fedora-22-x86_64
Active plugins: Python, Generic, Shell-api
Disabled plugins: Java, C/C++, fonts, SugarActivity, Ocaml, Perl, Haskell, R, PHP, Ruby
Disabled flags: EXARCH, DISTTAG, EPEL5, BATCH, EPEL6

Comment 6 Jonathan Underwood 2015-06-17 16:34:12 UTC
Note the guidelines for unretiring a package as well:

https://fedoraproject.org/wiki/Orphaned_package_that_need_new_maintainers#Claiming_Ownership_of_an_Orphaned_Package_Procedure

Comment 7 Jonathan Underwood 2015-06-24 12:35:26 UTC
OK, doesn't look like we're going to get a response from Stef. I think the unbundling and symlinking your suggestion is the way to go. Can you address all of the issues raisedd above, and we'll get this finished and work on the rest of the stack you've submitted for review.

Comment 8 William Moreno 2015-07-04 22:42:24 UTC
Spec URL: https://williamjmorenor.fedorapeople.org/rpmdev/python-certifi.spec
SRPM URL: https://williamjmorenor.fedorapeople.org/rpmdev/python-certifi-2015.04.28-2.fc22.src.rpm

I have patched python-certifi to serve the certificates provided by ca-certificates, this is the same aproach used in python-request.

Comment 9 Jonathan Underwood 2015-07-05 08:58:43 UTC
I see you've also fixed the license field. You really should get into the habit of recording all changes you make in the spec file changelog. This also helps with review - most folks also post the changelog entry into the BZ review tickets along with the updated Spec URL and SRPM URL to help the reviewer quickly see what has been changed.

OK, so still to address:

1. Removing the shell bangs from lib files to silence rpmlint errors. Something like the following (untested) in %install:

#drop shebangs from python_sitearch
find %{buildroot}%{python_sitelib}/%{pypi_name} -name '*.py' \
    -exec sed -i '1{\@^#!/usr/bin/env python@d}' {} \;

Obviously you'll need to adapt that and do it for both python 2 and 3.


2. Raising the license file issue with upstream - please post a link to an upstream ticket.


Once those are adressed, this should be good to go.

Comment 10 Jonathan Underwood 2015-07-05 12:12:36 UTC
Also, do you not need to symlink to the system pem certs, or patch the python files to search for them in the system directory?

Comment 11 Jonathan Underwood 2015-07-05 12:18:37 UTC
Actually, looking at this, once you remove the pem files, this package is literally a couple of  lines of python wrapping around  a calls to os.path.split and os.path.join. I can't help feeling that it would actually be simpler to simply patch the appliaction to find the cacerts directly than package this. But, up to you.

Comment 12 William Moreno 2015-07-06 01:56:31 UTC
Spec URL: https://williamjmorenor.fedorapeople.org/rpmdev/python-certifi.spec
SRPM URL: https://williamjmorenor.fedorapeople.org/rpmdev/python-certifi-2015.04.28-3.fc22.src.rpm

---------
- 2015.04.28-3
- Remove shebang


There is not need to simlink with ca-certificates,  I only patch one line of the source:

-    return os.path.join(f, 'cacert.pem')
+    return "/etc/pki/tls/certs/ca-bundle.crt"

So the os.patch get executed but it will always retun the full patch to the certificates provides by ca-certificates. I run mkdocs without any problem with the patched package, maybe I will need to patch livereload to use ca-certificas without need of python-certifi but I will work in that later, for now this patch work fine.

I run the seb in %%prep so both the python 2 and 3 are build without the invalid shebang.

License is MPLv2.0 now I have not rpmlint messages after that.

I have asked upstream about include the license file in the tarball:

https://github.com/certifi/python-certifi/issues/24

Comment 13 Jonathan Underwood 2015-07-06 10:46:06 UTC
OK, great, APPROVED.

Comment 14 William Moreno 2015-07-06 14:11:39 UTC
Thanks for the review :)

Comment 15 William Moreno 2015-07-06 14:23:51 UTC
Package Change Request
======================
Package Name: python-certifi 
New Branches: master f22
Owners: williamjmorenor
InitialCC: williamjmorenor

This package was retired previusly but I want to become the maintainer of this package so this is a dependency of livereload and mkdocs.

I have opened a ticker to un block this branches in the release:

https://fedorahosted.org/rel-eng/ticket/6207

Comment 16 Gwyn Ciesla 2015-07-08 12:01:00 UTC
Git done (by process-git-requests).

Comment 17 Fedora Update System 2015-07-08 20:01:37 UTC
python-certifi-2015.04.28-4.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/python-certifi-2015.04.28-4.fc22

Comment 18 Fedora Update System 2015-07-09 04:12:34 UTC
python-certifi-2015.04.28-5.fc22,livereload-2.4.0-8.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/python-certifi-2015.04.28-5.fc22,livereload-2.4.0-8.fc22

Comment 19 Fedora Update System 2015-07-13 19:05:57 UTC
Package python-certifi-2015.04.28-5.fc22, livereload-2.4.0-8.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing python-certifi-2015.04.28-5.fc22 livereload-2.4.0-8.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-11367/python-certifi-2015.04.28-5.fc22,livereload-2.4.0-8.fc22
then log in and leave karma (feedback).

Comment 20 Fedora Update System 2015-07-29 01:43:08 UTC
python-certifi-2015.04.28-5.fc22, livereload-2.4.0-8.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.