Bug 1274948 - Review Request: pki-usgov-dod-cacerts - A collection of U.S. Government CA Certs that DOD uses
Summary: Review Request: pki-usgov-dod-cacerts - A collection of U.S. Government CA Ce...
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Suchý
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-10-24 01:10 UTC by Stephen J Pollei
Modified: 2016-01-26 18:28 UTC (History)
2 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2016-01-26 18:28:03 UTC
msuchy: fedora-review+


Attachments (Terms of Use)

Description Stephen J Pollei 2015-10-24 01:10:44 UTC
Spec URL: https://github.com/pollei/fedora-rpm-specs/blob/7f28c9dd5f8270e2309ccc51092f678438d0ac3a/pki-usgov-dod-cacerts.spec
SRPM URL: https://copr-be.cloud.fedoraproject.org/results/spollei/dod_firefox_cfg/fedora-23-x86_64/00129953-pki-usgov-dod-cacerts/pki-usgov-dod-cacerts-0.0.4-2.fc23.src.rpm
Description: A collection of U.S. Government CA Certs that DOD uses
Fedora Account System Username: spollei
Security: it's security sensitive package
Sponser: this is my first Package, so, i need an sponsor

Builds in copr and koji
https://copr.fedoraproject.org/coprs/spollei/dod_firefox_cfg/
https://github.com/pollei/fedora-rpm-specs

rpmlint:
  W: pem-certificate /etc/pki/usgov_dod/cacerts/
  package name            pki-usgov-dod-cacerts
I didn't want package name too short so either
1) keep name store in /etc/pki/pki-usgov-dod-cacerts/cacerts
2) shorten name to usgov-dod

logs:
  https://kojipkgs.fedoraproject.org/work/tasks/3144/11563144/build.log
  https://kojipkgs.fedoraproject.org/work/tasks/3144/11563144/root.log
  https://kojipkgs.fedoraproject.org/work/tasks/3144/11563144/state.log
rpms:
  https://kojipkgs.fedoraproject.org/work/tasks/3144/11563144/pki-usgov-dod-cacerts-0.0.4-2.fc23.noarch.rpm
srpms:
  https://kojipkgs.fedoraproject.org/work/tasks/3144/11563144/pki-usgov-dod-cacerts-0.0.4-2.fc23.src.rpm

        http://koji.fedoraproject.org/koji/taskinfo?taskID=11563139

Various military websites use these certs for example:
  https://www.ebenefits.va.gov/ uses dmdc.osd.mil for cac-card login
  https://www.us.army.mil/ https://web.mail.mil/


There are many different places that other advice and howto download and configure a Linux system to use the certs. Some quite old.


http://iase.disa.mil/pki-pke/getting_started/Pages/linux.aspx
https://militarycac.com/linux.htm 
http://zxq9.com/dodcac/F13-32/Fedora13.html
http://militarycac.com/files/Firefox_DoD_Configuration/dod_configuration-1.3.7.xpi
https://software.forge.mil/sf/projects/community_cac

uses xul that is going away, last update was maybe 2013

https://blog.mozilla.org/addons/2015/08/21/the-future-of-developing-firefox-add-ons/
[[we have decided to deprecate add-ons that depend on XUL, XPCOM, and XBL. ... within 12 to 18 months from now.]]

Comment 1 Miroslav Suchý 2016-01-07 14:08:13 UTC
Taking.

Those two comments are superfluous. Just leave that one comment about license and remove those two remaining.

Be consistent about spacing between section. One (or two lines) are usually used. You use 6 lines before %files and 0 lines before %prep. 
Additionally putting new lines randomly in spec make it hard to read (e.g before BR and Source0).

New line in %description counts as space. No need to put space at the beginning of line. You are missing dot at the and of sentence in description.

Please use:
  /etc/pki/pki-usgov-dod-cacerts 
as directory name.

> %config(noreplace) /etc/pki/usgov_dod/cacerts/
This is not config - despite being in /etc/ which is usually for config. If you update some cert you want to overwrite it on user machine.
So please omit %config(noreplace).

Some certificates (e.g. DOD_CA-18-32-58468.pem) contain outdated certificates. What is the reason for including such files?

Comment 2 Stephen J Pollei 2016-01-12 00:31:11 UTC
I can remove the extra comments of why it's public domain out easily.

OK I see your point about spacing, I did have haphazard spacing that was made worse by sed usage in https://github.com/pollei/fedora-rpm-specs/blob/master/make_git_spec.sh . I'll change the tspec and change the sed .

I'll fix the description, and use /etc/pki/pki-usgov-dod-cacerts without noreplace.

Expired certs can still be used in the process of checking old signatures on files and email. A lot of these expired certs are really bad as they use rsa1024 instead of rsa2048 or better, and they use sha1 not sha256 or better. So they are included only for completeness not as endorsement.

The newer certs use rsa2048, but still use sha1.
http://news.netcraft.com/archives/2016/01/08/us-military-still-shackled-to-outdated-dod-pki-infrastructure.html
http://tech.slashdot.org/story/15/10/27/0230228/us-military-websites-still-relying-on-sha-1
http://news.netcraft.com/archives/2015/10/26/u-s-military-cyber-security-fails-to-make-the-grade.html
http://news.netcraft.com/archives/2014/02/04/nist-continues-using-sha-1-algorithm-after-banning-it.html

So something to watch is that some of the certs are future dated and will fingers-crossed be still-born.

http://www.pcworld.com/article/2877672/the-end-for-1024bit-ssl-certificates-is-near-mozilla-kills-a-few-more.html
https://blog.mozilla.org/security/2015/01/28/phase-2-phasing-out-certificates-with-1024-bit-rsa-keys/
https://blog.mozilla.org/security/2015/10/20/continuing-to-phase-out-sha-1-certificates/
http://tech.slashdot.org/story/15/11/05/2332206/microsoft-follows-mozilla-in-considering-early-ban-on-sha-1-certificates by 2016-06

It's actually because these certs suck so much that they have to be packaged separately and not used by default. Ideally DOD would update their certs to use acceptable cryptographic standards and use "Name Constraints" . Then they could be properly included in firefox CA list by default.

https://tools.ietf.org/html/rfc5280#section-4.2.1.10
Internet X.509 PKI Certificate -- Name Constraints
ASN1 OID 2.5.29.30

I'm in the middle of a few things, but I'll have new version by tomorrow.
Thanks for your review.

Comment 3 Upstream Release Monitoring 2016-01-12 03:15:57 UTC
spollei's scratch build of pki-usgov-dod-cacerts-0.0.5-1.fc23.src.rpm for f23 completed http://koji.fedoraproject.org/koji/taskinfo?taskID=12508401

Comment 4 Stephen J Pollei 2016-01-12 05:49:50 UTC
Spec URL: https://github.com/pollei/fedora-rpm-specs/blob/cf3013fd5ad6e63053bfc15ab991debefdeaff7e/pki-usgov-dod-cacerts.spec
SRPM URL: https://kojipkgs.fedoraproject.org//work/tasks/247/12510247/pki-usgov-dod-cacerts-0.0.6-2.fc23.src.rpm
SRPM URL: https://copr-be.cloud.fedoraproject.org/results/spollei/dod_firefox_cfg/fedora-23-x86_64/00152960-pki-usgov-dod-cacerts/pki-usgov-dod-cacerts-0.0.6-2.fc23.src.rpm

Fixed the issues mentioned except I couldn't bare to use /etc/pki/pki-usgov-dod-cacerts/cacerts ; too superfluously and excessively redundant .

Also made a few changes to it so that it works from epel6 to rawhide .

Comment 5 Miroslav Suchý 2016-01-12 08:12:42 UTC
(In reply to Stephen J Pollei from comment #4)
> Fixed the issues mentioned except I couldn't bare to use
> /etc/pki/pki-usgov-dod-cacerts/cacerts ; too superfluously and excessively
> redundant .

You could not? This error (or warning?) comes from where?

Comment 6 Miroslav Suchý 2016-01-12 08:21:42 UTC
>%global commit0 8dc419c5644fc7305f757ec571406f5b2e0a96af
>%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})

It is good habit to declare macros at the very top of the file.

># This package is security sensitive,
>#   certs are used to authenticate military websites
># security@lists.fedoraproject.org

I'm not sure if my comment about comments were clear.
I would remove this, but leave the comment why the license is public domain.

You are missing 
  BuildRequires: perl
needed for kcs7_split.pl
While it is at the end tranistively loaded via other BR it should be there.

Otherwise it looks good and once we settle on that /etc/pki path I think this can be approved.

Comment 7 Upstream Release Monitoring 2016-01-12 15:06:57 UTC
spollei's scratch build of pki-usgov-dod-cacerts-0.0.6-3.fc23.src.rpm for f23 completed http://koji.fedoraproject.org/koji/taskinfo?taskID=12517170

Comment 9 Miroslav Suchý 2016-01-12 21:17:13 UTC
Here comes full formal review. I found three more minor things.

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated
[ ] = Manual review needed


===== MUST items =====

Generic:
[x]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[-]: If (and only if) the source package includes the text of the
     license(s) in its own file, then that file, containing the text of the
     license(s) for the package is included in %license.
[x]: License field in the package spec file matches the actual license.
[x]: Package requires other packages for directories it uses.
[!]: Package must own all directories that it creates.
[x]: Package contains no bundled libraries without FPC exception.
[x]: Changelog in prescribed format.
[x]: Sources contain only permissible code or content.
[x]: %config files are marked noreplace or the reason is justified.
[-]: Package contains desktop file if it is a GUI application.
[-]: Development files must be in a -devel package
[x]: Package uses nothing in %doc for runtime.
[!]: Package consistently uses macros (instead of hard-coded directory
     names).
[x]: Package is named according to the Package Naming Guidelines.
[x]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[x]: Requires correct, justified where necessary.
[x]: Spec file is legible and written in American English.
[-]: Package contains systemd file(s) if in need.
[x]: Package is not known to require an ExcludeArch tag.
[x]: Large documentation must go in a -doc subpackage. Large could be size
     (~1MB) or number of files.
     Note: Documentation size is 10240 bytes in 1 files.
[x]: Package complies to the Packaging Guidelines
[x]: Package successfully compiles and builds into binary rpms on at least
     one supported primary architecture.
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
[x]: Package does not own files or directories owned by other packages.
[x]: All build dependencies are listed in BuildRequires, except for any
     that are listed in the exceptions section of Packaging Guidelines.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Dist tag is present.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package use %makeinstall only when make install DESTDIR=... doesn't
     work.
[x]: Package is named using only allowed ASCII characters.
[x]: No %config files under /usr.
[x]: Package does not use a name that already exists.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as
     provided in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Packages must not store files under /srv, /opt or /usr/local

===== SHOULD items =====

Generic:
[-]: If the source package does not include license text(s) as a separate
     file from upstream, the packager SHOULD query upstream to include it.
[x]: Final provides and requires are sane.
[x]: Package functions as described.
[?]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[-]: Description and summary sections in the package spec file contains
     translations for supported Non-English languages, if available.
[-]: Package should compile and build into binary rpms on all supported
     architectures.
[-]: %check is present and all tests pass.
[!]: Packages should try to preserve timestamps of original installed
     files.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: Sources can be downloaded from URI in Source: tag
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: SourceX is a working URL.
[x]: Spec use %global instead of %define unless justified.

===== EXTRA items =====

Generic:
[x]: Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).


Issues:
You are missing:
  %dir %{_sysconfdir}/pki/pki-usgov-dod-cacerts
so the directory is not owned by your package.

In %install and %files you should use %{_sysconfdir} macro instead of /etc/

In %install you should use "cp -a" to preserve original timestamp of files.

Comment 10 Upstream Release Monitoring 2016-01-12 22:57:09 UTC
spollei's scratch build of pki-usgov-dod-cacerts-0.0.6-4.fc23.src.rpm for f23 completed http://koji.fedoraproject.org/koji/taskinfo?taskID=12521299

Comment 11 Stephen J Pollei 2016-01-12 23:01:32 UTC
OK I made a 0.0.6-4 with those changes

https://raw.githubusercontent.com/pollei/fedora-rpm-specs/a57785d3113eb7dc84865218298ee14778fb548f/pki-usgov-dod-cacerts.spec

https://copr.fedoraproject.org/coprs/spollei/dod_firefox_cfg/build/153177/
http://koji.fedoraproject.org/koji/taskinfo?taskID=12521300
copr and koji ran

I tried running my own review but it failed
`fedora-review --prebuilt -rn pki-usgov-dod-cacerts-0.0.6-4.fc23.src.rpm --define DISTTAG=f23`

ERROR: 'Multiple srpms found for pki-usgov-dod-cacerts'

Comment 12 Miroslav Suchý 2016-01-13 00:18:23 UTC
This:
fedora-review -rn pki-usgov-dod-cacerts-0.0.6-4.fc24.src.rpm
works for me.

APPROVED

Now follow the process. 
I sponsored you into packager group.
If you ever have questions and you need some guidenance about fedora processes or infrastructure do not hesitate to contact me directly.

Comment 13 Stephen J Pollei 2016-01-13 03:13:31 UTC
That's great news. I do need to learn a lot more about the process, I've never used fedpkg or bodhi before.

https://fedoraproject.org/wiki/Join_the_package_collection_maintainers
I think I can carefully follow the instructions.
1) https://admin.fedoraproject.org/pkgdb/ "Request new package"
2) mkdir -p ~/devel/fedora-scm ; cd ~/devel/fedora-scm ; fedpkg clone pki-usgov-dod-cacerts
3) fedpkg import foo.src.rpm ; git commit -m "Initial import (#1274948)." ; git push ; fedpkg build

I know almost nothing about bodhi, but I shouldn't need it to get it into rawhide. I also don't think I need comps.xml as it's a niche package.

Comment 14 Gwyn Ciesla 2016-01-13 17:10:27 UTC
Package request has been approved: https://admin.fedoraproject.org/pkgdb/package/pki-usgov-dod-cacerts

Comment 15 Fedora Update System 2016-01-15 03:11:43 UTC
pki-usgov-dod-cacerts-0.0.6-4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-1a87db5f8e

Comment 16 Fedora Update System 2016-01-15 18:52:40 UTC
pki-usgov-dod-cacerts-0.0.6-4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-1a87db5f8e

Comment 17 Fedora Update System 2016-01-26 18:28:01 UTC
pki-usgov-dod-cacerts-0.0.6-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.