Bug 1467651 - Review Request: cvechecker - Tool for compare packages installed in your system with CVE database
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: Package Review
rawhide
All Linux
medium Severity medium
Assigned To: Zbigniew Jędrzejewski-Szmek
Fedora Extras Quality Assurance
Blocks: FE-SECLAB
Reported: 2017-07-04 08:49 EDT by Zamir SUN
Modified: 2017-08-14 17:50 EDT
Last Closed: 2017-08-14 17:50:37 EDT
zbyszek: fedora‑review+


Description Zamir SUN 2017-07-04 08:49:29 EDT
Spec URL: https://zsun.fedorapeople.org/pub/pkgs/cvechecker/cvechecker.spec
SRPM URL: https://zsun.fedorapeople.org/pub/pkgs/cvechecker/cvechecker-3.7-1.fc25.src.rpm
Description: Tool for compare packages installed in your system with CVE database
Fedora Account System Username: zsun
Comment 1 Zamir SUN 2017-07-04 08:51:30 EDT
*** Bug 1062808 has been marked as a duplicate of this bug. ***
Comment 2 Zbigniew Jędrzejewski-Szmek 2017-07-04 10:00:41 EDT
> %global debug_package %{nil}
Are you sure that's needed? If yes, it deserves a comment in the spec file.

> make
Is parallel build not supported? If it is, use %make_build, otherwise, add a comment.

> %{__install}
You can just say 'install' — that's both less typing *and* clearer.

> %defattr(-,root,root)
Not needed.

Checking: cvechecker-3.7-1.fc27.x86_64.rpm
          cvechecker-3.7-1.fc27.src.rpm
cvechecker.x86_64: W: unstripped-binary-or-object /usr/bin/cvechecker
Hm. That's the first time I encounter this. Maybe this will go away if you create a debug package?

cvechecker.x86_64: W: only-non-binary-in-usr-lib
cvechecker.x86_64: W: hidden-file-or-dir /usr/lib/.build-id
cvechecker.x86_64: W: hidden-file-or-dir /usr/lib/.build-id
OK.

cvechecker.src:13: W: macro-in-comment %{url}
cvechecker.src:13: W: macro-in-comment %{_commit}
cvechecker.src:13: W: macro-in-comment %{_commit}
Please use %%.

cvechecker.src:14: W: mixed-use-of-spaces-and-tabs (spaces: line 6, tab: line 14)
Please fix.

2 packages and 0 specfiles checked; 0 errors, 8 warnings.

Looks all good.

(It seems that cvechecker likes to run as root. It'd be much better to create a dedicated user for it, since downloading stuff as root from the web is also a concern, but that's an upstream issue.)
Comment 3 Zamir SUN 2017-07-04 10:19:30 EDT
Thanks for the quick response.
SPEC updated in place: https://zsun.fedorapeople.org/pub/pkgs/cvechecker/cvechecker.spec
New SRPM: https://zsun.fedorapeople.org/pub/pkgs/cvechecker/cvechecker-3.7-2.fc25.src.rpm
Comment 4 Zamir SUN 2017-07-04 10:21:28 EDT
(In reply to Zbigniew Jędrzejewski-Szmek from comment #2)
> (It seems that cvechecker likes to run as root. It'd be much better to
> create a dedicated user for it, since downloading stuff as root from the web
> is also a concern, but that's an upstream issue.)
I am not familiar with packaging with a dedicated user, so currently I'm not adding it this way. I will work on this later once I have figured out how to do it.
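An added example, not part of the review thread or the submitted spec: one common way for an RPM to create the dedicated account suggested in comment 2, using the getent/useradd scriptlet pattern. The account name `cvechecker` and the data directory `%{_sharedstatedir}/cvechecker` are assumptions; the tool's own configuration would still have to point at that directory.

```spec
# Added illustration. The account name and the data directory are
# assumptions, not values taken from the reviewed spec.
Requires(pre):  shadow-utils

%pre
# Create a system group and a login-less system user once.
# On upgrades both getent lookups succeed, so nothing is changed.
getent group cvechecker >/dev/null || groupadd -r cvechecker
getent passwd cvechecker >/dev/null || \
    useradd -r -g cvechecker -d %{_sharedstatedir}/cvechecker \
            -s /sbin/nologin -c "cvechecker data owner" cvechecker
# Never fail the transaction because of account creation.
exit 0

%install
# (the package's existing install steps stay above this line)
# Hypothetical directory for downloaded CVE feeds and the local database.
install -d -m 0750 %{buildroot}%{_sharedstatedir}/cvechecker

%files
# Only the dedicated account can write here, so the download and import
# steps can run as that user instead of as root.
%attr(0750,cvechecker,cvechecker) %dir %{_sharedstatedir}/cvechecker
```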
Comment 5 Zbigniew Jędrzejewski-Szmek 2017-07-04 11:13:33 EDT
+ package name is OK
+ license is acceptable for Fedora (GPLv3)
+ license is specified correctly
+ builds and installs OK
+ fedora-review finds no issues
+ %check is present and passes
+ no scriptlets necessary
+ rpmlint has only false positives

> Group:          Applications/System
Not needed [https://fedoraproject.org/wiki/Packaging:Guidelines#Tags_and_Sections].

> %attr(0644,root,root)
You probably don't need those either, unless the build system sets some strange permissions on those files.

Package is APPROVED.
Comment 6 Gwyn Ciesla 2017-07-05 07:00:39 EDT
Package request has been approved: https://admin.fedoraproject.org/pkgdb/package/rpms/cvechecker
Comment 7 Zamir SUN 2017-07-05 09:54:23 EDT
(In reply to Zbigniew Jędrzejewski-Szmek from comment #5)
> > Group:          Applications/System
> Not needed
> [https://fedoraproject.org/wiki/Packaging:Guidelines#Tags_and_Sections].
Thanks. Will remove this section in -3.
Comment 8 Fedora Update System 2017-08-05 22:40:37 EDT
cvechecker-3.8-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-146693c8dc
Comment 9 Fedora Update System 2017-08-05 22:40:46 EDT
cvechecker-3.8-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-146693c8dc
Comment 10 Fedora Update System 2017-08-07 02:26:03 EDT
cvechecker-3.8-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-6b44ef74c4
Comment 11 Fedora Update System 2017-08-14 17:50:37 EDT
cvechecker-3.8-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
