Bug 1295685 - Review Request: python-bcrypt - Modern password hashing for your software and your servers
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Parag AN(पराग)
QA Contact: Fedora Extras Quality Assurance
Reported: 2016-01-05 04:04 EST by Pierre-YvesChibon
Modified: 2016-02-26 02:24 EST (History)
Last Closed: 2016-02-26 02:24:51 EST
Flags: panemade: fedora-review+


Description Pierre-YvesChibon 2016-01-05 04:04:35 EST
Spec URL: http://pingou.fedorapeople.org/RPMs//python-bcrypt.spec
SRPM URL: http://pingou.fedorapeople.org/RPMs//python-bcrypt-2.0.0-1.fc21.src.rpm

Description:
Modern password hashing for your software and your servers
Comment 1 Pierre-YvesChibon 2016-01-05 04:07:48 EST
Scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=12415079
Comment 2 Upstream Release Monitoring 2016-01-05 04:10:02 EST
pingou's scratch build of python-bcrypt-2.0.0-1.fc21.src.rpm for rawhide completed http://koji.fedoraproject.org/koji/taskinfo?taskID=12416131
Comment 3 Parag AN(पराग) 2016-01-06 00:24:08 EST
Looks like a conflict with the py-bcrypt package due to the same installation file /usr/lib64/python2.7/site-packages/bcrypt/_bcrypt.so

I think we can add conflicts in this package to py-bcrypt.

Then there are a couple of issues:
1) Spec file according to URL is the same as in SRPM.
     Note: Spec file as given by url is not the same as in SRPM (see
     attached diff).
Diff spec file in url and in SRPM
---------------------------------
--- /home/parag/1295685-python-bcrypt/srpm/python-bcrypt.spec   2016-01-05 21:08:50.067867587 +0530
+++ /home/parag/1295685-python-bcrypt/srpm-unpacked/python-bcrypt.spec  2016-01-05 12:48:24.000000000 +0530
@@ -78,5 +78,4 @@
 %{python3_sitearch}/%{modname}-%{version}*

-
 %changelog
 * Tue Jan 05 2016 Pierre-Yves Chibon <pingou@pingoured.fr> - 2.0.0-1
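Review bot: the only change in this hunk is the removal of a blank line before %changelog, so the "spec file not the same as in SRPM" finding is whitespace-only; no tag, macro or scriptlet differs between the two copies. The header timestamps explain it: the copy fetched from the URL (21:08) is newer than the copy packed into the SRPM (12:48), i.e. the spec was edited after the SRPM was built. Rebuilding and re-uploading the SRPM after the last spec edit clears this item.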


2) rpmlint output is as follows:
python2-bcrypt.x86_64: W: unexpanded-macro Obsoletes python-%{module} < 2.0.0-1.fc24 %{module}
python2-bcrypt.x86_64: W: unexpanded-macro Obsoletes python-%{module}(x86-64) < 2.0.0-1.fc24 %{module}
python2-bcrypt.x86_64: W: unexpanded-macro Provides python-%{module} = 2.0.0-1.fc24 %{module}
python2-bcrypt.x86_64: W: unexpanded-macro Provides python-%{module}(x86-64) = 2.0.0-1.fc24 %{module}
python2-bcrypt.x86_64: E: non-standard-executable-perm /usr/lib64/python2.7/site-packages/bcrypt/_bcrypt.so 775
python3-bcrypt.x86_64: E: non-standard-executable-perm /usr/lib64/python3.5/site-packages/bcrypt/_bcrypt.cpython-35m-x86_64-linux-gnu.so 775
python-bcrypt.src:64: W: macro-in-comment %check
python-bcrypt.src:65: W: macro-in-comment %{__python2}
python-bcrypt.src:66: W: macro-in-comment %{__python3}
4 packages and 0 specfiles checked; 2 errors, 7 warnings.

==> In some places modname is used and in other places module is used. Please fix this. Also fix the permission issue by adding the following at the end of %install:
find %{buildroot}%{python2_sitearch} -name '*.so' -exec chmod 755 {} ';'
find %{buildroot}%{python3_sitearch} -name '*.so' -exec chmod 755 {} ';'


3) License should be "ASL 2.0 and Public Domain".
Comment 4 Pierre-YvesChibon 2016-01-06 04:36:25 EST
1/ Fixed in the new srpm

2/ I guess you meant:
find %{buildroot}%{python2_sitearch} -name '*.so' -exec chmod 644 {} ';'
find %{buildroot}%{python3_sitearch} -name '*.so' -exec chmod 644 {} ';'
Since 755 is the current state.

3/ Fixed in the new srpm


Changelog:
 * Wed Jan 06 2016 Pierre-Yves Chibon <pingou@pingoured.fr> - 2.0.0-2
 - Fix the license as the package has some Public Domain files
 - Ensure the .so files are not executable

Spec URL: http://pingou.fedorapeople.org/RPMs/python-bcrypt.spec
SRPM URL: http://pingou.fedorapeople.org/RPMs/python-bcrypt-2.0.0-1.fc21.src.rpm
Comment 5 Pierre-YvesChibon 2016-01-06 04:36:55 EST
And the correct links (wrong copy/paste):

Spec URL: http://pingou.fedorapeople.org/RPMs/python-bcrypt.spec
SRPM URL: http://pingou.fedorapeople.org/RPMs/python-bcrypt-2.0.0-2.fc21.src.rpm
Comment 6 Parag AN(पराग) 2016-01-06 05:24:51 EST
Thanks for the update, but I do see the same issues.

1) E.g. see this line from build.log:
Provides: python-%{module} = 2.0.0-2.fc23 python2-bcrypt = 2.0.0-2.fc23 python2-bcrypt(x86-64) = 2.0.0-2.fc23

module is not expanded because that macro does not exist. Looks like there is still a mix between modname and module.

2) The suggested 755 permissions are correct. It was 775 permissions if you check the rpmlint output above. Now when you changed it to 644, rpm failed to extract the needed debuginfo information and was unable to even finish building the binary rpm. Please use
find %{buildroot}%{python2_sitearch} -name '*.so' -exec chmod 755 {} ';'
find %{buildroot}%{python3_sitearch} -name '*.so' -exec chmod 755 {} ';'


fedora-review failed to finish due to this 644 permission set.
Btw, the issue is still not addressed in the above update: the py-bcrypt package conflicts with this python-bcrypt.
Comment 7 Pierre-YvesChibon 2016-01-06 05:48:27 EST
I'll fix the macros and add the conflict but I'm confused about the permission story then:

rpmlint says:
> non-standard-executable-perm /usr/lib64/python2.7/site-packages/bcrypt/_bcrypt.so 775
So it's 755 and it's non-standard, ok

Then you say:
> Also fix the permission issue by adding following at end of %install
> find %{buildroot}%{python2_sitearch} -name '*.so' -exec chmod 755 {} ';'
But that makes chmod 755, so we're chmod'ing 755 a file that is 755 already?

I'm a little confused there
Comment 8 Parag AN(पराग) 2016-01-06 08:36:24 EST
Hmm, looks like this is one more case for not using the fedora-review tool but manually inspecting the package and reviewing it.

If I use fedora-review to generate the rpms and run rpmlint on them, it shows permission 775, and if I install the same package, the permissions remain the same, 775.

I just did a copr build and installed python3-bcrypt from my copr repository and found no issues in installed package as well as built rpm package.

One more thing I want to note here: just based on fedora-review output, a few package reviews already done in Fedora are using that 2-line fix in their spec file. E.g. check python-simplewrap, python-opencl, python-pygit2, python-kdcproxy etc. So, fedora-review is confusing reviewer and package owner.

Anyway you can leave this permission issue fix.
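The permission discussion above (comments 3 through 8) comes down to one check: does every .so in the buildroot carry mode 755, the value rpmlint treats as standard and the value the suggested find/chmod line in %install enforces, while 644 broke debuginfo extraction. The following shell example is added here and is not from the bug report or the python-bcrypt package; it reproduces that check and the %install fix on a constructed buildroot tree whose paths and file names are copied from the rpmlint output above, and it assumes GNU coreutils (`stat -c`) and a POSIX `find`.

```shell
#!/bin/sh
# Added example, not part of the review or of python-bcrypt.
# Assumes GNU coreutils (stat -c '%a') and POSIX find.

# Print every .so below the directory $1 whose mode is not 755,
# one "mode path" pair per line (mirrors rpmlint's
# non-standard-executable-perm check for shared objects).
list_nonstandard_so() {
    dir=$1
    find "$dir" -type f -name '*.so' | while IFS= read -r f; do
        mode=$(stat -c '%a' "$f")
        [ "$mode" = "755" ] || printf '%s %s\n' "$mode" "$f"
    done
}

# Normalise every .so below $1 to 755: the same operation the
# reviewer asked for at the end of %install, applied to a plain path
# instead of %{buildroot}%{python2_sitearch}.
fix_so_perms() {
    find "$1" -type f -name '*.so' -exec chmod 755 {} ';'
}

# Number of non-standard .so files below $1 (expected 0 after the fix).
count_nonstandard_so() {
    list_nonstandard_so "$1" | wc -l | tr -d ' '
}

# Build a throwaway tree with the two sitearch paths from the rpmlint
# output. Constructed sample: one file at 775 (what rpmlint reported)
# and one at 644 (the value that broke the debuginfo step).
make_sample_buildroot() {
    root=$(mktemp -d)
    py2="$root/usr/lib64/python2.7/site-packages/bcrypt"
    py3="$root/usr/lib64/python3.5/site-packages/bcrypt"
    mkdir -p "$py2" "$py3"
    : > "$py2/_bcrypt.so"
    : > "$py3/_bcrypt.cpython-35m-x86_64-linux-gnu.so"
    chmod 775 "$py2/_bcrypt.so"
    chmod 644 "$py3/_bcrypt.cpython-35m-x86_64-linux-gnu.so"
    printf '%s\n' "$root"
}

# Stand-alone run: report, fix, report again, clean up.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_buildroot)
    echo "before:"; list_nonstandard_so "$root"
    fix_so_perms "$root"
    echo "non-standard .so files after fix: $(count_nonstandard_so "$root")"
    rm -rf "$root"
fi
```

Run with `sh script.sh --demo` to see both offending files listed and then a count of zero after the fix. The check is the useful half for a reviewer: pointed at the `results/` directory of an unpacked build it tells you whether the spec's %install line took effect without having to trust fedora-review's summary, which, as the thread shows, can disagree with what is actually installed.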
Comment 9 Pierre-YvesChibon 2016-01-06 13:48:41 EST
Spec URL: http://pingou.fedorapeople.org/RPMs/python-bcrypt.spec
SRPM URL: http://pingou.fedorapeople.org/RPMs/python-bcrypt-2.0.0-2.fc21.src.rpm

* Wed Jan 06 2016 Pierre-Yves Chibon <pingou@pingoured.fr> - 2.0.0-3
- Add conflicts to py-bcrypt since they both provide a bcrypt python module
- Fix macros that were using %%{module} instead of %%{modname}
- In fact the .so files must be executable, so ensure they are such
Comment 10 Parag AN(पराग) 2016-01-07 02:09:07 EST
fedora-review complains about the permission issue; in the srpm I see this:
find %{buildroot}%{python2_sitearch} -name '*.so' -exec chmod 644 {} ';'
find %{buildroot}%{python3_sitearch} -name '*.so' -exec chmod 644 {} ';'
Comment 11 Pierre-YvesChibon 2016-01-07 05:50:42 EST
Indeed, looks like I keep doing the same copy/paste error

This time, the updated links :) :
Spec URL: http://pingou.fedorapeople.org/RPMs/python-bcrypt.spec
SRPM URL: http://pingou.fedorapeople.org/RPMs/python-bcrypt-2.0.0-3.fc21.src.rpm
Comment 12 Parag AN(पराग) 2016-01-07 09:23:43 EST
Thanks :)

Package Review
==============

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated
[ ] = Manual review needed


Issues:
=======
- Package installs properly.
  Note: Installation errors (see attachment)
  See: https://fedoraproject.org/wiki/Packaging:Guidelines
==> I am not sure why the fedora-review package installation test failed. At least the same srpm built on F23 installed without problem.


===== MUST items =====

C/C++:
[x]: Package does not contain kernel modules.
[x]: Package contains no static executables.
[-]: Development (unversioned) .so files in -devel subpackage, if present.
     Note: Unversioned so-files in private %_libdir subdirectory (see
     attachment). Verify they are not in ld path.
[x]: Header files in -devel subpackage, if present.
[x]: Package does not contain any libtool archives (.la)
[x]: Rpath absent or only used for internal libs.

Generic:
[x]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[x]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses
     found: "Apache (v2.0)", "Unknown or generated", "*No copyright* Apache
     (v2.0)". 29 files have unknown license. Detailed output of
     licensecheck in /home/parag/1295685-python-bcrypt/licensecheck.txt
[x]: License file installed when any subpackage combination is installed.
[ ]: If the package is under multiple licenses, the licensing breakdown
     must be documented in the spec.
[-]: Package requires other packages for directories it uses.
     Note: No known owner of /usr/lib64/python3.5/site-packages,
     /usr/lib64/python3.5
[-]: Package must own all directories that it creates.
     Note: Directories without known owners: /usr/lib64/python3.5/site-
     packages, /usr/lib64/python3.5
[x]: %build honors applicable compiler flags or justifies otherwise.
[x]: Package contains no bundled libraries without FPC exception.
[x]: Changelog in prescribed format.
[x]: Sources contain only permissible code or content.
[-]: Package contains desktop file if it is a GUI application.
[-]: Development files must be in a -devel package
[x]: Package uses nothing in %doc for runtime.
[x]: Package consistently uses macros (instead of hard-coded directory
     names).
[x]: Package is named according to the Package Naming Guidelines.
[!]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[x]: Requires correct, justified where necessary.
[x]: Spec file is legible and written in American English.
[-]: Package contains systemd file(s) if in need.
[x]: Useful -debuginfo package or justification otherwise.
[ ]: Package is not known to require an ExcludeArch tag.
[ ]: Large documentation must go in a -doc subpackage. Large could be size
     (~1MB) or number of files.
     Note: Documentation size is 20480 bytes in 2 files.
[ ]: Package complies to the Packaging Guidelines
[x]: Package successfully compiles and builds into binary rpms on at least
     one supported primary architecture.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: If (and only if) the source package includes the text of the
     license(s) in its own file, then that file, containing the text of the
     license(s) for the package is included in %license.
[x]: Package does not own files or directories owned by other packages.
[x]: All build dependencies are listed in BuildRequires, except for any
     that are listed in the exceptions section of Packaging Guidelines.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Dist tag is present.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package use %makeinstall only when make install DESTDIR=... doesn't
     work.
[x]: Package is named using only allowed ASCII characters.
[x]: Package does not use a name that already exists.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as
     provided in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Packages must not store files under /srv, /opt or /usr/local

Python:
[x]: Python eggs must not download any dependencies during the build
     process.
[x]: A package which is used by another package via an egg interface should
     provide egg info.
[x]: Package meets the Packaging Guidelines::Python
[x]: Package contains BR: python2-devel or python3-devel
[x]: Binary eggs must be removed in %prep

===== SHOULD items =====

Generic:
[-]: If the source package does not include license text(s) as a separate
     file from upstream, the packager SHOULD query upstream to include it.
[x]: Final provides and requires are sane (see attachments).
[-]: Fully versioned dependency in subpackages if applicable.
     Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in
     python2-bcrypt , python3-bcrypt , python-bcrypt-debuginfo
[?]: Package functions as described.
[x]: Latest version is packaged.
[-]: Package does not include license text files separate from upstream.
[-]: Description and summary sections in the package spec file contains
     translations for supported Non-English languages, if available.
[x]: Package should compile and build into binary rpms on all supported
     architectures.
[-]: %check is present and all tests pass.
[x]: Packages should try to preserve timestamps of original installed
     files.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: Sources can be downloaded from URI in Source: tag
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: SourceX is a working URL.
[x]: Spec use %global instead of %define unless justified.

===== EXTRA items =====

Generic:
[!]: Rpmlint is run on all installed packages.
     Note: Mock build failed
     See: http://fedoraproject.org/wiki/Packaging/Guidelines#rpmlint
[x]: Large data in /usr/share should live in a noarch subpackage if package
     is arched.
[x]: Spec file according to URL is the same as in SRPM.


Installation errors
-------------------
INFO: mock.py version 1.2.14 starting (python version = 3.4.3)...
Start: init plugins
INFO: selinux enabled
Finish: init plugins
Start: run
Start: chroot init
INFO: calling preinit hooks
INFO: enabled root cache
INFO: enabled dnf cache
Start: cleaning dnf metadata
Finish: cleaning dnf metadata
INFO: enabled ccache
Mock Version: 1.2.14
INFO: Mock Version: 1.2.14
Finish: chroot init
INFO: installing package(s): /home/parag/1295685-python-bcrypt/results/python2-bcrypt-2.0.0-3.fc24.x86_64.rpm /home/parag/1295685-python-bcrypt/results/python3-bcrypt-2.0.0-3.fc24.x86_64.rpm /home/parag/1295685-python-bcrypt/results/python-bcrypt-debuginfo-2.0.0-3.fc24.x86_64.rpm /home/parag/1295685-python-bcrypt/results/python-bcrypt-debuginfo-2.0.0-3.fc24.x86_64.rpm
ERROR: Command failed. See logs for output.
 # /usr/bin/dnf --installroot /var/lib/mock/fedora-rawhide-x86_64/root/ --releasever 24 --setopt=deltarpm=false install /home/parag/1295685-python-bcrypt/results/python2-bcrypt-2.0.0-3.fc24.x86_64.rpm /home/parag/1295685-python-bcrypt/results/python3-bcrypt-2.0.0-3.fc24.x86_64.rpm /home/parag/1295685-python-bcrypt/results/python-bcrypt-debuginfo-2.0.0-3.fc24.x86_64.rpm /home/parag/1295685-python-bcrypt/results/python-bcrypt-debuginfo-2.0.0-3.fc24.x86_64.rpm --setopt=tsflags=nocontexts


Rpmlint
-------
Checking: python2-bcrypt-2.0.0-3.fc24.x86_64.rpm
          python3-bcrypt-2.0.0-3.fc24.x86_64.rpm
          python-bcrypt-debuginfo-2.0.0-3.fc24.x86_64.rpm
          python-bcrypt-2.0.0-3.fc24.src.rpm
python-bcrypt.src:70: W: macro-in-comment %check
python-bcrypt.src:71: W: macro-in-comment %{__python2}
python-bcrypt.src:72: W: macro-in-comment %{__python3}
4 packages and 0 specfiles checked; 0 errors, 3 warnings.




Requires
--------
python2-bcrypt (rpmlib, GLIBC filtered):
    libc.so.6()(64bit)
    libpthread.so.0()(64bit)
    libpython2.7.so.1.0()(64bit)
    python(abi)
    python-cffi
    python-six
    rtld(GNU_HASH)

python3-bcrypt (rpmlib, GLIBC filtered):
    libc.so.6()(64bit)
    libpthread.so.0()(64bit)
    libpython3.5m.so.1.0()(64bit)
    python(abi)
    python3-cffi
    python3-six
    rtld(GNU_HASH)

python-bcrypt-debuginfo (rpmlib, GLIBC filtered):



Provides
--------
python2-bcrypt:
    python-bcrypt
    python-bcrypt(x86-64)
    python2-bcrypt
    python2-bcrypt(x86-64)

python3-bcrypt:
    python3-bcrypt
    python3-bcrypt(x86-64)

python-bcrypt-debuginfo:
    python-bcrypt-debuginfo
    python-bcrypt-debuginfo(x86-64)



Unversioned so-files
--------------------
python2-bcrypt: /usr/lib64/python2.7/site-packages/bcrypt/_bcrypt.so
python3-bcrypt: /usr/lib64/python3.5/site-packages/bcrypt/_bcrypt.cpython-35m-x86_64-linux-gnu.so

Source checksums
----------------
https://pypi.python.org/packages/source/b/bcrypt/bcrypt-2.0.0.tar.gz :
  CHECKSUM(SHA256) this package     : 8b2d197ef220d10eb74625dde7af3b10daa973ae9a1eadd6366f763fad4387fa
  CHECKSUM(SHA256) upstream package : 8b2d197ef220d10eb74625dde7af3b10daa973ae9a1eadd6366f763fad4387fa


Generated by fedora-review 0.6.0 (3c5c9d7) last change: 2015-05-20


When importing this package, just add more information about licensing, like:
#crypt_blowfish code is in Public domain and all other code in ASL 2.0

APPROVED.
Comment 13 Gwyn Ciesla 2016-01-15 09:31:22 EST
Package request has been approved: https://admin.fedoraproject.org/pkgdb/package/python-bcrypt
Comment 14 Fedora Update System 2016-01-19 11:48:37 EST
python-bcrypt-2.0.0-3.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-9a9a2ff0d9
Comment 15 Fedora Update System 2016-01-20 18:58:10 EST
python-bcrypt-2.0.0-3.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-9a9a2ff0d9
Comment 16 Fedora Update System 2016-02-26 02:24:49 EST
python-bcrypt-2.0.0-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
