Description of problem:
rpmgrill results for one of my recent builds show warnings which don't seem valid. I'm not sure if bugzilla is the proper place to report such issues — if not, please redirect.

Version-Release number of selected component (if applicable):
don't know, whatever is running on koji builders

From: https://taskotron.fedoraproject.org/artifacts/all/06d4d6f6-0a32-11e7-ad3a-5254008e42f6/task_output/rpmgrill.json
which is for https://bodhi.fedoraproject.org/updates/FEDORA-2017-27d711e213:

    "module" : "SecurityPolicy",
    "order" : 16,
    "results" : [
       {
          "arch" : "armv7hl",
          "code" : "SuspiciousPath",
          "context" : {
             "excerpt" : [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"
             ],
             "path" : "/usr/bin/systemd-analyze"
          },
          "diag" : "Potentially insecure PATH element <tt>/local</tt>",
          "subpackage" : "systemd"
       },

IMHO that's bogus, /usr/local/bin is expected to be in $PATH. systemd sets it this way ;)

    {
       "module" : "Manifest",
       "order" : 30,
       "results" : [
          {
             "arch" : "armv7hl,i686,x86_64",
             "code" : "NonFHS",
             "diag" : "FHS-protected directory <tt><b>/etc/tmpfiles.d</b></tt>",
             "subpackage" : "systemd"
          }
       ],
       "run_time" : 0,
       "status" : "completed"
    },

I don't know what "FHS-protected directory" means, but both systemd and other packages are supposed to put stuff in /etc/tmpfiles.d.

    {
       "module" : "ManPages",
       "order" : 45,
       "results" : [
          {
             "arch" : "armv7hl,i686,x86_64",
             "code" : "ManPageMissing",
             "diag" : "No man page for <tt>/etc/sysctl.conf</tt>",
             "subpackage" : "systemd"
          },
          {
             "arch" : "armv7hl,i686,x86_64",
             "code" : "ManPageMissing",
             "diag" : "No man page for <tt>/etc/yum/protected.d/systemd.conf</tt>",
             "subpackage" : "systemd"
          }
       ],
       "run_time" : 6,
       "status" : "completed"
    },

There is a man page for sysctl.conf, just in a different package. /etc/yum/protected.d is described in dnf.plugin.protected_packages(8). I think trying to guess if man pages for specific pages is risky. In particular anything that has a path like /etc/something.d/* should be filtered out, since the man page might be for something, or something.d, and it's hard to guess automatically.

    "results" : [
       {
          "arch" : "src",
          "code" : "UseraddNoUid",
          "context" : {
             "excerpt" : [
                "useradd -r -l -g systemd-coredump -d / -s /sbin/nologin -c "systemd Core Dumper" systemd-coredump"
             ],
             "lineno" : 448,
             "path" : "systemd.spec",
             "sub" : "%pre"
          },
          "diag" : "Invocation of <tt>useradd</tt> without specifying a UID; this may be OK, because /usr/share/doc/setup/uidgid defines no UID for <var>systemd-coredump</var>"
       },

Soft-static system uids are mostly an exception. We used to hand them out left and right for no good reason, but that's changed many years ago. So this warning should be silenced, especially if "/usr/share/doc/setup/uidgid defines no UID".

    {
       "arch" : "armv7hl,i686,x86_64",
       "code" : "SupplementalGroups",
       "context" : {
          "path" : "/usr/bin/systemd-run"
       },
       "diag" : "Use of supplemental groups",
       "subpackage" : "systemd"
    },

This one is just unclear. What does it mean?

rpmgrill is cool, but it'd help if the amount of false positives was reduced... It'd be better to err on the side of false negatives than false positives imho, so that people don't learn to ignore the results.
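Added example, not part of the report and not rpmgrill's own code: a post-filter over rpmgrill.json results that drops the three result classes the report above argues are false positives and keeps everything else. The top-level list of module objects, the set of standard PATH directories, and the `/tmp/bin` and `/usr/bin/example` sample entries are assumptions constructed for illustration.

```python
import json
import re

# Constructed sample shaped like the excerpts in the report. The top-level
# list of module objects is an assumption about rpmgrill.json's layout.
SAMPLE = json.loads('''[
 {"module": "SecurityPolicy", "results": [
   {"code": "SuspiciousPath", "context": {"excerpt":
      ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"]},
    "diag": "Potentially insecure PATH element <tt>/local</tt>"},
   {"code": "SuspiciousPath", "context": {"excerpt": ["PATH=/tmp/bin:/usr/bin"]},
    "diag": "Potentially insecure PATH element <tt>/tmp</tt>"}]},
 {"module": "ManPages", "results": [
   {"code": "ManPageMissing",
    "diag": "No man page for <tt>/etc/yum/protected.d/systemd.conf</tt>"},
   {"code": "ManPageMissing", "diag": "No man page for <tt>/usr/bin/example</tt>"}]}
]''')

# Root-owned system directories treated as expected PATH elements (assumption).
STANDARD_PATH = {"/usr/local/sbin", "/usr/local/bin",
                 "/usr/sbin", "/usr/bin", "/sbin", "/bin"}
# Files inside an /etc/.../something.d/ drop-in directory.
DROPIN = re.compile(r"<tt>/etc/[^<]*\.d/[^<]+</tt>")

def is_noise(result):
    """True when a result matches one of the report's false-positive classes."""
    code, diag = result.get("code"), result.get("diag", "")
    if code == "SuspiciousPath":
        lines = result.get("context", {}).get("excerpt", [])
        elems = [e for line in lines if line.startswith("PATH=")
                 for e in line[len("PATH="):].split(":")]
        # An empty element (current directory) or anything outside the
        # standard set keeps the finding.
        return bool(elems) and all(e in STANDARD_PATH for e in elems)
    if code == "ManPageMissing":
        return DROPIN.search(diag) is not None
    if code == "UseraddNoUid":
        return "defines no UID" in diag
    return False

def triage(report):
    """Return (module, code, diag) for every result that is not filtered."""
    return [(m["module"], r["code"], r["diag"])
            for m in report for r in m.get("results", []) if not is_noise(r)]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
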
This is the right place to report this, however at this point rpmgrill is officially in maintenance mode. Unless someone fixes it in their spare time it'll be something to fix on a "rainy day" unofficially.
That's ... unfortunate. rpmgrill automated tests are being added to bodhi, and those results will be more visible and play a more prominent role in the future. Obviously there's a lot of false positives, and when this is multiplied by the number of packages in the distro, we get a lot of maintainer time wasted investigating unhelpful suggestions. Rpmgrill should be dropped from the automated tests (which would be sad, because it *does* provide useful information), or maintained.
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle. Changing version to '27'.
This message is a reminder that Fedora 27 is nearing its end of life. On 2018-Nov-30 Fedora will stop maintaining and issuing updates for Fedora 27. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '27'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 27 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Ping. What's the state of this RFE? Those useless warnings get really annoying in bodhi and taskotron.
(In reply to Roman Joost from comment #1)
> This is the right place to report this, however at this point rpmgrill is
> officially in maintenance mode. Unless someone fixes it in their spare time
> it'll be something to fix on a "rainy day" unofficially.
Status is unchanged since Roman's initial response: rpmgrill is, to the best of my knowledge, in maintenance-only mode.
Another friendly reminder. Any news?
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.