Red Hat Bugzilla – Bug 1301286
Review Request: firejail - A SUID sandbox program
Last modified: 2018-03-30 23:19:58 EDT
Spec URL: https://jamielinux.fedorapeople.org/firejail/firejail.spec SRPM URL: https://jamielinux.fedorapeople.org/firejail/firejail-0.9.36-1.fc23.src.rpm Fedora Account System Username: jamielinux Description: Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, and mount table.
The firejail package must own %{_datadir}/bash-completion directory because it install files there and the directory is not owned by any dependency.
Thanks Petr. Spec URL: https://jamielinux.fedorapeople.org/firejail/firejail.spec SRPM URL: https://jamielinux.fedorapeople.org/firejail/firejail-0.9.36-2.fc23.src.rpm * Tue Feb 02 2016 Jamie Nguyen <jamielinux@fedoraproject.org> - 0.9.36-2 - own bash-completion directory - fix libdir in disable-devel.inc
https://fedorapeople.org/~halfie/packages/firejail/firejail.spec This .spec files packages Firejail 0.9.38, and it also simplifies inclusion of various profiles. I am actually unable to run Firejail on Fedora. Running "firejail hexchat" does not launch hexchat on Fedora systems. While doing the same on Ubuntu launches hexchat just fine. How do I test this package further in Fedora?
Firejail packages from https://copr.fedorainfracloud.org/coprs/heikoada/firejail/ run fine on Fedora 24. Also see https://github.com/netblue30/firejail/issues/399 page.
It is very nice to see Firejail & it's GUI (firetools) available in official Fedora specially if we take in mind that Firejail is compatible with SELinux & it's much much easer to use from SELinux ...... Why such supersecure distro. like Fedora till now has no Firejail till now in their official repositories ?
Taking this review.
(In reply to Petr Pisar from comment #1) > The firejail package must own %{_datadir}/bash-completion directory because > it install files there and the directory is not owned by any dependency. This is wrong. The bash-completion directory is owned by the bash-completion package, so it should be required instead.
Spec review notes: > Source0: https://github.com/netblue30/firejail/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz Please use the scheme detailed in the guidelines: https://fedoraproject.org/wiki/Packaging:SourceURL#Git_Tags > %setup -qn %{name}-%{version} The "-n %{name}-%{version}" is redundant and pointless because this is already default. You can use "%setup -q" or "%autosetup" instead. Consider setting "%autosetup -p1" so that in the event you have patches, they'll be automatically applied correctly. > sed -i -e 's#/usr/lib#%{_libdir}#g' etc/disable-devel.inc This looks fine to me, but consider changing from hash marks to a different symbol, as it gets trick with shell evaluation. I usually use the '|' character as it is meaningless in a string and really bad syntax highlighters will highlight them, making it easier to see the separations. > make %{?_smp_mflags} Consider using "%make_build". It works on all currently supported Fedora and EPEL targets. > make install DESTDIR=%{buildroot} Consider using "%make_install".
I cannot continue the review until you publish a post with Spec and SRPM URLs with matching content. Currently the spec appears to have content that's newer than the SRPM you've published here.
(In reply to yousifjkadom@yahoo.com from comment #5) > It is very nice to see Firejail & it's GUI (firetools) available in official > Fedora specially if we take in mind that Firejail is compatible with SELinux > & it's much much easer to use from SELinux ...... > > Why such supersecure distro. like Fedora till now has no Firejail till now > in their official repositories ? Nothing gets added to the distribution unless someone is interested in bringing it in. Anyone can become a packager to add software to Fedora[1]. If there's software out there that you think would be great to have in Fedora, then by all means, make a package that conforms to our policies and guidelines[2] and submit it for review to be included in the distribution. [1]: https://fedoraproject.org/wiki/Join_the_package_collection_maintainers [2]: https://fedoraproject.org/wiki/Packaging:Guidelines
(In reply to Neal Gompa from comment #7) > (In reply to Petr Pisar from comment #1) > > The firejail package must own %{_datadir}/bash-completion directory because > > it install files there and the directory is not owned by any dependency. > > This is wrong. The bash-completion directory is owned by the bash-completion > package, so it should be required instead. This is wrong. Because hard-requiring bash-completion imposes enabling bash-completion for everybody. Even to those who do not want enabling it.
(In reply to Petr Pisar from comment #11) > (In reply to Neal Gompa from comment #7) > > (In reply to Petr Pisar from comment #1) > > > The firejail package must own %{_datadir}/bash-completion directory because > > > it install files there and the directory is not owned by any dependency. > > > > This is wrong. The bash-completion directory is owned by the bash-completion > > package, so it should be required instead. > > This is wrong. Because hard-requiring bash-completion imposes enabling > bash-completion for everybody. Even to those who do not want enabling it. Is there a bash-completion-filesystem package, then? That's usually the solution for things like that.
(In reply to Neal Gompa from comment #12) > Is there a bash-completion-filesystem package, then? That's usually the > solution for things like that. bash-completion-filesystem does not exist.
There's been no response in two years, dropping review and marking as DEADREVIEW.