Bug 1503915 - Review Request: roca-detect - test RSA public keys for ROCA vulnerability
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Miro Hrončok
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-10-19 04:14 UTC by Stuart D Gathman
Modified: 2018-10-31 13:57 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-09-21 05:33:26 UTC
Type: ---
Embargoed:
mhroncok: fedora-review+



Description Stuart D Gathman 2017-10-19 04:14:02 UTC
Spec URL: https://gathman.org/linux/SPECS/roca-detect.spec
SRPM URL: https://gathman.org/linux/f26/x86_64/roca-detect-1.0.7-2.fc26.noarch.rpm
Description: This tool is related to the [ACM CCS 2017 conference paper #124 Return of the Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli](https://crocs.fi.muni.cz/public/papers/rsa_ccs17).

Example output when run on /etc/pki/rpm-gpg/* on a Fedora 26 system (with rpmfusion and other extra repos):

2017Oct19 00:13:22 ### SUMMARY ####################
2017Oct19 00:13:22 Records tested: 158
2017Oct19 00:13:22 .. PEM certs: . . . 0
2017Oct19 00:13:22 .. DER certs: . . . 0
2017Oct19 00:13:22 .. RSA key files: . 0
2017Oct19 00:13:22 .. PGP master keys: 177
2017Oct19 00:13:22 .. PGP total keys:  272
2017Oct19 00:13:22 .. SSH keys:  . . . 0
2017Oct19 00:13:22 .. APK keys:  . . . 0
2017Oct19 00:13:22 .. JSON keys: . . . 0
2017Oct19 00:13:22 .. LDIFF certs: . . 0
2017Oct19 00:13:22 .. JKS certs: . . . 0
2017Oct19 00:13:22 .. PKCS7: . . . . . 0
2017Oct19 00:13:22 No fingerprinted keys found (OK)
2017Oct19 00:13:22 ################################

Fedora Account System Username: sdgathman

Comment 1 Stuart D Gathman 2017-10-19 04:20:42 UTC
Note that the test suite fails when building on F25.  I don't plan on debugging this, as F25 will be EOL by the time this gets reviewed.

Comment 2 Stuart D Gathman 2017-10-19 04:21:55 UTC
The package does build and run correctly on CentOS-7 with EPEL.

Comment 3 Igor Gnatenko 2017-10-19 06:21:40 UTC
> BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot
drop this

> Group: Development/Libraries
not needed

> Prefix: %{_prefix}
drop this

> Vendor: Dusan Klinec <dusan.klinec>
drop this

> python setup.py build
%py2_build

> python setup.py install --single-version-externally-managed -O1 --root=$RPM_BUILD_ROOT --record=INSTALLED_FILES
%py2_install

* all python requires should be python2- prefixed
* any reason to make it py2 instead of py3?

Comment 4 Stuart D Gathman 2017-10-19 14:08:27 UTC
Spec URL: https://gathman.org/linux/SPECS/roca-detect.spec
SRPM URL: https://gathman.org/linux/f26/x86_64/roca-detect-1.0.7-3.fc26.noarch.rpm

Dropped unwanted metadata
%py2_build does not work on f26 - added comment

%py2_install does not work on f26 - added comment

python3 does not (yet) have all needed packages for the application in f26.  This can be revisited with later releases.

Comment 5 Stuart D Gathman 2017-10-19 14:30:44 UTC
Spec URL: https://gathman.org/linux/SPECS/roca-detect.spec
SRPM URL: https://gathman.org/linux/f27/x86_64/roca-detect-1.0.7-3.fc26.noarch.rpm

Ran build and self-test on f27.

Changed shebang in /usr/bin/roca-detect to python2.

Comment 6 Stuart D Gathman 2018-09-03 17:38:56 UTC
Spec URL: https://gathman.org/linux/SPECS/roca-detect.spec
SRPM URL: https://gathman.org/linux/f28/src/roca-detect-1.2.1-1.fc28.src.rpm

Update to new upstream release.  Switch to python3 as default.

Comment 7 Neal Gompa 2018-09-03 17:42:04 UTC
If you want to change Python versions easily with the macros, you can do the following:

%global __python %{__python3}

....

%build
%py_build
...
%install
%py_install
...
%files
%{python_sitelib}/*
...

Comment 8 Miro Hrončok 2018-09-03 19:46:55 UTC
OK. Let me take this. Here are my suggestions:

1. I find the spec file very hard to read. I suggest you give it some air with empty lines on appropriate places and reorder some lines to more common order. See for example https://src.fedoraproject.org/rpms/uflash/blob/master/f/uflash.spec

2. The spec file references Fedora 26 several times, but that is EOL.

3. If you really need to have if RHEL conditionals for python2 / python3, follow what Neal says above.

4. Use the %py3_build and %py3_install (or %py_build and %py_install) macros.

5. Use a publicly accessible website for URL.

6. Don't put # in description.

7. Please no INSTALLED_FILES.

8. Use %{buildroot} instead of $RPM_BUILD_ROOT

9. Is there no /usr/bin/roca-detect created by upstream's setup.py? Why the cat?

10. As %check gets executed after %install I suggest you move it below.

11. Give the patch a number, use %autosetup if possible.

Comment 9 Stuart D Gathman 2018-09-04 01:52:30 UTC
Spec URL: https://gathman.org/linux/SPECS/roca-detect.spec
SRPM URL: https://gathman.org/linux/f28/src/roca-detect-1.2.1-3.fc28.src.rpm

Adjusted as requested, except as noted below:

3. As noted above and in SPEC comments, %py_build and %py_install fail.  Also, Neal's definition of __python fails, %{__python} gets substituted with a literal "%{__python3}" - causing all kinds of havoc.  I compromised and defined it as /usr/bin/python3 (should have used %{_bindir}, but I've spent too long).

4. See 3.

9. The "EASY" introducer supplied by upstream requires setuptools >= 1.0 (doesn't work in epel), requires setuptools at runtime, and is horribly complex compared to a simple wrapper script.  The cat is so that the proper python version is easily substituted in.  The upstream /usr/bin name is roca-detect-tls.  I took the liberty of shortening it.

11.  I gave the patch an explicit 0 (is that *really* important?).  It is important to me to give the patch backup files an extension that I can easily feed back into gendiff.

Comment 10 Miro Hrončok 2018-09-04 07:52:07 UTC
3. Add BuildRequires: python3-devel, it will bring the macros in. When not defined, they are evaluated to literal %py_build and % is a job control character for shell. The same for %{__python3} - you get it literal because you don't BR python3-devel. Please read https://fedoraproject.org/wiki/Packaging:Python#Dependencies

4. See 3.

9. Please stay close to upstream. Require setuptools. Feel free to supply changes to the epel branch later. The complexity is there for a reason. The proper python version will be used if you use the proper macros. DO NOT change upstream executable names. Work with upstream if you think it is desired. Create symbolic links for shortcuts if absolutely desired.

11. It's not important. It's just good manners. I also suggest you use %autosetup with -S git and use git instead of gendiff, but that's just a suggestion (feel free to ignore it).

Comment 11 Miro Hrončok 2018-09-04 07:55:33 UTC
12. Be more explicit than %{python_sitelib}/*. https://pagure.io/packaging-committee/issue/782

Comment 12 Stuart D Gathman 2018-09-04 16:59:06 UTC
Spec URL: https://gathman.org/linux/SPECS/roca-detect.spec
SRPM URL: https://gathman.org/linux/f28/src/roca-detect-1.2.1-4.fc28.src.rpm

3,4. I was wondering why %py_build worked on my native code python packages, but not on this one.  Thanks!

9. Kept upstream wrapper name and added symlink for my shortcut.  I stayed with the trivial distro specific wrapper script, however.  There is absolutely no purpose served by pulling in setuptools at runtime solely to make a 3 line wrapper script into a government project.

Comment 13 Stuart D Gathman 2018-09-04 17:09:01 UTC
Well, the purpose of the complex wrapper is to have the same script run on a variety of distros and python versions.  However, that purpose doesn't apply to a Fedora package.

Comment 14 Miro Hrončok 2018-09-04 20:31:00 UTC
3,4.

    %py_build	# Fails with "fg: no job control"
    #{__python} setup.py build

Please just keep the %py_build macro. (Same for install.)


1. This still stands


6. There is more markdown in %description, please use plaintext.


9. I don't agree, but apparently there is nothing I can do to stop you. At least, please make the script PEP8 compliant and set the shebang line to:

    #!%{__python} %{py_shbang_opts}

Comment 15 Stuart D Gathman 2018-09-04 23:16:22 UTC
Spec URL: https://gathman.org/linux/SPECS/roca-detect.spec
SRPM URL: https://gathman.org/linux/f28/src/roca-detect-1.2.1-5.fc28.src.rpm

1. Added tabs after tags and double space between sections to SPEC.  I aim to please.

3,4.  I wasn't going to leave the commented out code in there.  Really, I wasn't! 

6.  Removed square brackets and parens from description.

9. I was eager to see what %{py_shbang_opts} would add.  The -s seems quite reasonable.  I'll use that for wrappers from now on.  Thanks!  A trivial wrapper seems the one place where multiple imports on one line would be entirely appropriate - but I split into two lines, and now the trivial wrapper is fully pep8 compliant.  I can't complain much since you caved on using a distro specific wrapper.

For reference, here is the EASY script I am replacing.  It works on Windows, but not on Fedora without a lot of hacking (and additional runtime dependencies).  By far the smallest hack to upstream is to simply replace it with a trivial wrapper.  (I won't convince you, but thought I'd try.)

#!/usr/bin/python3
# EASY-INSTALL-ENTRY-SCRIPT: 'roca-detect==1.2.1','console_scripts','roca-detect-tls'
__requires__ = 'roca-detect==1.2.1'
import re
import sys
from pkg_resources import load_entry_point

if __name__ == '__main__':
    sys.argv[0] = re.sub(r'(-script\.pyw?|\.exe)?$', '', sys.argv[0])
    sys.exit(
        load_entry_point('roca-detect==1.2.1', 'console_scripts', 'roca-detect-tls')()
    )

The roca-detect EASY script would run roca.detect.py, and roca-detect-tls EASY script (new in upstream version 1.2.1) runs roca.detect_tls.py (but is broken on Fedora).  The roca-detect-tls entry works if you symlink to it directly.  But they both use the forbidden (for good reason) /usr/bin/env shbang.   The detect.py cli scans local files, the detect_tls.py cli makes actual network connections.  

The upshot is that roca-detect-tls is actually a different function from roca-detect.

Proposal:

How do you feel about patching both upstream cli scripts to replace the env shbang with %{__python} %{py_shbang_opts} - and making the /usr/bin entries simply symlink to them?  I'll go ahead and do that, test, and then come back here for your reaction.

Comment 16 Stuart D Gathman 2018-09-04 23:53:43 UTC
Ok, testing reveals that the roca-detect-tls script does not work with python3.  Only the roca-detect script works with py3.  I can:

1. leave out roca-detect-tls
2. try to patch it to work with python3
3. revert to python2

Comment 17 Stuart D Gathman 2018-09-05 00:02:26 UTC
Spec URL: https://gathman.org/linux/SPECS/roca-detect.spec
SRPM URL: https://gathman.org/linux/f28/src/roca-detect-1.2.1-6.fc28.src.rpm

It turned out to be a 1 char fix to make roca-detect-tls work in python3.  I'll report upstream.  I also patched in additional help for roca-detect-tls since there are no man pages.

Comment 18 Miro Hrončok 2018-09-06 21:00:22 UTC
9. additional runtime dependencies is setuptools? still, I urge you to use entry points instead of handcrafted script



Have you actually updated the specfile?

Comment 19 Stuart D Gathman 2018-09-07 15:33:39 UTC
Oops, copied spec to wrong server.  Fixed now.  I got rid of the handcrafted script.  Now I just symlink directly to the upstream python CLI - after fixing the "env python" shebang.  Another reason why the "EASY" abomination is pointless - trivially replaced with a symlink...

Comment 20 Stuart D Gathman 2018-09-07 16:48:08 UTC
(In reply to Miro Hrončok from comment #18)
> 9. additional runtime dependencies is setuptools? still, I urge you to use
> entry points instead of handcrafted script

It's not just the runtime dependency.  The "EASY" scripts also do not run out of the box on Fedora, requiring *far* more extensive patches to fix the problems than a 3 line wrapper.  And now even the wrapper is gone - all I've done is patch the 'env python' shebang (which is against Fedora rules), and replace the EASY scripts with symlinks.  The only purpose of the EASY scripts is for platforms (like Windows - where the scripts actually work) with no symlink apparently.

Comment 21 Miro Hrončok 2018-09-09 18:05:28 UTC
I have a hard time understanding what you are talking about. Upstream uses a pretty standard console_scripts entry_point used by hundreds of packages within Fedora and thousands of upstream Python packages. Why do you fight against it so much?

It should work in Fedora out of the box without any patches and the shebang should be set by the %py3_install command.

Please answer the following questions:

> do not run out of the box on Fedora

How does this manifest the problem? What is the error message or incorrect behavior?

> requiring *far* more extensive patches to fix the problems

What would you need to patch to make it work?

> The only purpose of the EASY scripts is for platforms (like Windows - where the scripts actually work) with no symlink apparently.

Where are you getting this information?

Comment 22 Stuart D Gathman 2018-09-10 02:34:37 UTC
(In reply to Miro Hrončok from comment #21)
Look, I really appreciate the nits you've pointed out, and I've learned a lot. But let me turn it around.  Upstream provides two directly executable CLI python scripts in %{py_sitelib}.  I symlink them to /usr/bin for convenience.  Why are you so against that?  All my packages have one or more symlinks for convenience, I've never encountered any resistance from reviewers over it before.

My (admittedly snide, sorry) remark about the teleology of EASY scripts was based on my observation that they work on Windows, do not work for me out of the box on Fedora (I know you said installing some additional stuff would let them work), and when I trace through the source to debug, I find they end up doing the equivalent of simply symlinking the actual CLI scripts.  Is there a Fedora rule against using symlinks to conveniently access python CLI scripts?  Without the symlink, you could also just type "python3 -m roca.detect" as the equivalent of the /usr/bin/roca-detect symlink.

Comment 23 Miro Hrončok 2018-09-10 08:28:52 UTC
My resistance is based on the fact that you are trying to work around what I see as a no-problem and that you are diverging from upstream.

No, there is no rule that you cannot remove one part of upstream software and replace it with something else because you think it's better. However I always thought that this is something that is discouraged in Fedora and all our downstream changes must be highly justifiable, or on its way to upstream.

https://fedoraproject.org/wiki/Staying_close_to_upstream_projects

If you are unwilling to accept this, I am unwilling to accept the package and am stepping down from the review. I guess there will be others who are not so prudent.

Comment 24 Stuart D Gathman 2018-09-10 16:15:00 UTC
No problem.  The need for this package is decaying anyway, as it is being incorporated into key generation software.

Comment 25 Stuart D Gathman 2018-09-10 16:48:23 UTC
For posterity, here is how the "EASY" entry point breaks:

roca-detect-tls
Traceback (most recent call last):
  File "/usr/bin/roca-detect-tls", line 11, in <module>
    load_entry_point('roca-detect==1.2.1', 'console_scripts', 'roca-detect-tls')()
  File "/usr/lib/python3.6/site-packages/pkg_resources/__init__.py", line 476, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python3.6/site-packages/pkg_resources/__init__.py", line 2700, in load_entry_point
    return ep.load()
  File "/usr/lib/python3.6/site-packages/pkg_resources/__init__.py", line 2318, in load
    return self.resolve()
  File "/usr/lib/python3.6/site-packages/pkg_resources/__init__.py", line 2324, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/lib/python3.6/site-packages/roca/detect_tls.py", line 23, in <module>
    from detect import RocaFingerprinter, logger, LOG_FORMAT
ModuleNotFoundError: No module named 'detect'


The problem is that the actual CLI scripts expect to be run directly, and when loaded as a module by EASY, relative imports break.  If I patch the import, then that breaks running the entry script directly.  Some sort of conditional logic is needed on the imports for the EASY introducer to work correctly.  It is insane to debug and work around the EASY bugs - when a symlink accomplishes the intended result on Fedora systems.

I am making the symlinks a conditional build option for building with and without EASY.  Since EASY is broken as is, I am making the symlinks the default.
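
The failure in the traceback above and the "conditional logic on the imports" it calls for, reproduced as an added example (not code from this thread or from upstream roca). The package name `demo_roca`, the module names `tls_broken` / `tls_fixed` and the file contents are constructed; only the `from detect import ...` style is taken from the traceback.

```python
import importlib
import subprocess
import sys
import tempfile
from pathlib import Path

# Constructed stand-in for the upstream layout. "demo_roca" and the tls_*
# module names are hypothetical; only the import style comes from the traceback.
DETECT = 'LOG_FORMAT = "%(asctime)s %(message)s"\n'

BODY = (
    "def main():\n"
    "    return LOG_FORMAT\n"
    "if __name__ == '__main__':\n"
    "    print(main())\n"
)

# Import that only resolves when the file is executed directly, because only
# then is the script's own directory the first entry of sys.path.
BROKEN = "from detect import LOG_FORMAT\n" + BODY

# Conditional import: package-relative first, sibling-module fallback when the
# file is executed directly (no parent package, so the relative import raises
# ImportError). Caveat: a real ImportError inside .detect also takes the
# fallback path and is then masked by the second failure.
FIXED = (
    "try:\n"
    "    from .detect import LOG_FORMAT\n"
    "except ImportError:\n"
    "    from detect import LOG_FORMAT\n"
) + BODY


def build_tree(root):
    """Write the constructed package into root and return its directory."""
    pkg = Path(root) / "demo_roca"
    pkg.mkdir()
    (pkg / "__init__.py").write_text("")
    (pkg / "detect.py").write_text(DETECT)
    (pkg / "tls_broken.py").write_text(BROKEN)
    (pkg / "tls_fixed.py").write_text(FIXED)
    return pkg


def load_like_entry_point(root, module_name):
    """Import by dotted name, as a console_scripts wrapper does, and call main()."""
    sys.path.insert(0, str(root))
    try:
        importlib.invalidate_caches()
        return importlib.import_module(module_name).main()
    except ModuleNotFoundError as exc:
        return "ModuleNotFoundError: " + str(exc)
    finally:
        sys.path.remove(str(root))
        # Drop the demo package so repeated calls start from a clean state.
        for name in [n for n in sys.modules if n.split(".")[0] == "demo_roca"]:
            del sys.modules[name]


def run_directly(script):
    """Execute the file as a script, as a symlink in /usr/bin would."""
    proc = subprocess.run(
        [sys.executable, str(script)], capture_output=True, text=True
    )
    return proc.returncode, proc.stdout.strip()


def run_demo():
    """Exercise both import styles through both launch methods."""
    with tempfile.TemporaryDirectory() as root:
        pkg = build_tree(root)
        return {
            "broken_entry_point": load_like_entry_point(root, "demo_roca.tls_broken"),
            "broken_direct": run_directly(pkg / "tls_broken.py"),
            "fixed_entry_point": load_like_entry_point(root, "demo_roca.tls_fixed"),
            "fixed_direct": run_directly(pkg / "tls_fixed.py"),
        }


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(case, "->", outcome)
```
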

Comment 26 Stuart D Gathman 2018-09-10 16:54:10 UTC
Spec URL: https://gathman.org/linux/SPECS/roca-detect.spec
SRPM URL: https://gathman.org/linux/f28/src/roca-detect-1.2.1-7.fc28.src.rpm

Add build option to use broken EASY entry point provided by upstream.  Not enabled by default since it doesn't work.

Comment 27 Miro Hrončok 2018-09-10 16:58:54 UTC
That is an upstream bug that was fixed in 1.2.6 https://github.com/crocs-muni/roca/issues/43

Comment 28 Stuart D Gathman 2018-09-10 17:08:38 UTC
1.2.1 is the latest release.  There are more recent tags (not releases).  Should I use the latest tag: 1.2.12 ?

Comment 29 Miro Hrončok 2018-09-10 17:13:43 UTC
"release" is just a github thing built on top of tags. I recommend asking upstream whether they consider the "releases" to be somehow more or if they just sometimes forget to create them.

Comment 30 Stuart D Gathman 2018-09-10 17:45:35 UTC
Spec URL: https://gathman.org/linux/SPECS/roca-detect.spec
SRPM URL: https://gathman.org/linux/f28/src/roca-detect-1.2.12-1.fc28.src.rpm

Moved to latest upstream tag.  Symlink option is no longer default since EASY scripts now work.  If I think of it after getting my other work done, I'd like to explore whether replacing EASY scripts with symlinks should be a more accepted packaging option.

Comment 31 Miro Hrončok 2018-09-10 18:00:07 UTC
> I'd like to explore whether replacing EASY scripts with symlinks should be a
> more accepted packaging option.

Try https://pagure.io/packaging-committee/issues but be prepared to have some arguments.

Comment 32 Miro Hrončok 2018-09-10 18:15:51 UTC
Package Review
==============

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated
[ ] = Manual review needed


Issues:
=======
- Packages MUST NOT have dependencies (either build-time or runtime) on
  packages named with the unversioned python- prefix unless no properly
  versioned package exists. Dependencies on Python packages instead MUST
  use names beginning with python2- or python3- as appropriate.
  Note: Unversionned Python dependency found.
  See: https://fedoraproject.org/wiki/Packaging:Python#Dependencies
  Note: "%if 0%{?rhel} <= 7" is true on Fedora.

- Missing requirement on python3dist(six) (upstream says it needs it).

- Incoherent version in changelog, see rpmlint output below.

- Wrong (unneeded) shebangs, see rpmlint output below.

- Packaged .gitignore, see rpmlint output below.


===== MUST items =====

Generic:
[x]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[x]: License field in the package spec file matches the actual license.
[x]: Package contains no bundled libraries without FPC exception.
[!]: Changelog in prescribed format.
[x]: Sources contain only permissible code or content.
[-]: Package contains desktop file if it is a GUI application.
[-]: Development files must be in a -devel package
[x]: Package uses nothing in %doc for runtime.
[x]: Package consistently uses macros (instead of hard-coded directory
     names).
[x]: Package is named according to the Package Naming Guidelines.
[x]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[!]: Requires correct, justified where necessary. (python-dateutil, six missing)
[x]: Spec file is legible and written in American English.
[-]: Package contains systemd file(s) if in need.
[x]: Package is not known to require an ExcludeArch tag.
[-]: Large documentation must go in a -doc subpackage. Large could be size
     (~1MB) or number of files.
     Note: Documentation size is 276480 bytes in 5 files.
[?]: Package complies to the Packaging Guidelines
[x]: Package successfully compiles and builds into binary rpms on at least
     one supported primary architecture.
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: If (and only if) the source package includes the text of the
     license(s) in its own file, then that file, containing the text of the
     license(s) for the package is included in %license.
[x]: Package requires other packages for directories it uses.
[x]: Package must own all directories that it creates.
[x]: Package does not own files or directories owned by other packages.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Dist tag is present.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package must not depend on deprecated() packages.
[x]: Package use %makeinstall only when make install DESTDIR=... doesn't
     work.
[x]: Package is named using only allowed ASCII characters.
[x]: Package does not use a name that already exists.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as
     provided in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Packages must not store files under /srv, /opt or /usr/local

Python:
[x]: Python eggs must not download any dependencies during the build
     process.
[x]: A package which is used by another package via an egg interface should
     provide egg info.
[?]: Package meets the Packaging Guidelines::Python
[x]: Package contains BR: python2-devel or python3-devel
[x]: Binary eggs must be removed in %prep

===== SHOULD items =====

Generic:
[-]: If the source package does not include license text(s) as a separate
     file from upstream, the packager SHOULD query upstream to include it.
[!]: Final provides and requires are sane (see attachments).
[?]: Package functions as described.
[?]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[x]: Patches link to upstream bugs/comments/lists or are otherwise
     justified.
[-]: Description and summary sections in the package spec file contains
     translations for supported Non-English languages, if available.
[?]: Package should compile and build into binary rpms on all supported
     architectures.
[x]: %check is present and all tests pass.
[?]: Packages should try to preserve timestamps of original installed
     files.
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: Sources can be downloaded from URI in Source: tag
[x]: SourceX is a working URL.
[x]: Spec use %global instead of %define unless justified.

===== EXTRA items =====

Generic:
[x]: Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).
[x]: Spec file according to URL is the same as in SRPM.


Rpmlint
-------
Checking: roca-detect-1.2.12-1.fc30.noarch.rpm
          roca-detect-1.2.12-1.fc30.src.rpm
roca-detect.noarch: W: incoherent-version-in-changelog 1.2.1-8 ['1.2.12-1.fc30', '1.2.12-1']
roca-detect.noarch: W: pem-certificate /usr/lib/python3.7/site-packages/roca/tests/data/cert01.pem
roca-detect.noarch: W: pem-certificate /usr/lib/python3.7/site-packages/roca/tests/data/cert02.pem
roca-detect.noarch: W: pem-certificate /usr/lib/python3.7/site-packages/roca/tests/data/cert03.pem
roca-detect.noarch: W: pem-certificate /usr/lib/python3.7/site-packages/roca/tests/data/cert04.pem
roca-detect.noarch: W: pem-certificate /usr/lib/python3.7/site-packages/roca/tests/data/cert05.pem
roca-detect.noarch: W: pem-certificate /usr/lib/python3.7/site-packages/roca/tests/data/cert06.pem
roca-detect.noarch: E: wrong-script-interpreter /usr/lib/python3.7/site-packages/roca/tests/test_fingerprint.py /usr/bin/env python
roca-detect.noarch: E: non-executable-script /usr/lib/python3.7/site-packages/roca/tests/test_fingerprint.py 644 /usr/bin/env python
roca-detect.noarch: E: wrong-script-interpreter /usr/lib/python3.7/site-packages/roca/tests/test_tls.py /usr/bin/env python
roca-detect.noarch: E: non-executable-script /usr/lib/python3.7/site-packages/roca/tests/test_tls.py 644 /usr/bin/env python
roca-detect.noarch: E: version-control-internal-file /usr/share/doc/roca-detect/docs/.gitignore
roca-detect.noarch: E: zero-length /usr/share/doc/roca-detect/docs/.gitignore
roca-detect.noarch: W: no-manual-page-for-binary roca-detect
roca-detect.noarch: W: no-manual-page-for-binary roca-detect-tls
2 packages and 0 specfiles checked; 6 errors, 9 warnings.




Rpmlint (installed packages)
----------------------------
sh: /usr/bin/python: No such file or directory
roca-detect.noarch: W: incoherent-version-in-changelog 1.2.1-8 ['1.2.12-1.fc30', '1.2.12-1']
roca-detect.noarch: W: invalid-url URL: https://crocs.fi.muni.cz/public/papers/rsa_ccs17 <urlopen error [Errno -2] Name or service not known>
roca-detect.noarch: W: pem-certificate /usr/lib/python3.7/site-packages/roca/tests/data/cert01.pem
roca-detect.noarch: W: pem-certificate /usr/lib/python3.7/site-packages/roca/tests/data/cert02.pem
roca-detect.noarch: W: pem-certificate /usr/lib/python3.7/site-packages/roca/tests/data/cert03.pem
roca-detect.noarch: W: pem-certificate /usr/lib/python3.7/site-packages/roca/tests/data/cert04.pem
roca-detect.noarch: W: pem-certificate /usr/lib/python3.7/site-packages/roca/tests/data/cert05.pem
roca-detect.noarch: W: pem-certificate /usr/lib/python3.7/site-packages/roca/tests/data/cert06.pem
roca-detect.noarch: E: wrong-script-interpreter /usr/lib/python3.7/site-packages/roca/tests/test_fingerprint.py /usr/bin/env python
roca-detect.noarch: E: non-executable-script /usr/lib/python3.7/site-packages/roca/tests/test_fingerprint.py 644 /usr/bin/env python
roca-detect.noarch: E: wrong-script-interpreter /usr/lib/python3.7/site-packages/roca/tests/test_tls.py /usr/bin/env python
roca-detect.noarch: E: non-executable-script /usr/lib/python3.7/site-packages/roca/tests/test_tls.py 644 /usr/bin/env python
roca-detect.noarch: E: version-control-internal-file /usr/share/doc/roca-detect/docs/.gitignore
roca-detect.noarch: E: zero-length /usr/share/doc/roca-detect/docs/.gitignore
roca-detect.noarch: W: no-manual-page-for-binary roca-detect
roca-detect.noarch: W: no-manual-page-for-binary roca-detect-tls
1 packages and 0 specfiles checked; 6 errors, 10 warnings.



Requires
--------
roca-detect (rpmlib, GLIBC filtered):
    /usr/bin/python3
    python(abi)
    python-dateutil
    python3-cryptography
    python3-future
    python3-pgpdump



Provides
--------
roca-detect:
    python3.7dist(roca-detect)
    python3dist(roca-detect)
    roca-detect



Source checksums
----------------
https://github.com/crocs-muni/roca/archive/v1.2.12.tar.gz#/roca-detect-1.2.12.tar.gz :
  CHECKSUM(SHA256) this package     : 698987a3a260bf8eabf17767f0db6952bce42dff90ddbc3974e6248957fac3e7
  CHECKSUM(SHA256) upstream package : 698987a3a260bf8eabf17767f0db6952bce42dff90ddbc3974e6248957fac3e7


Generated by fedora-review 0.6.1 (3899f24) last change: 2018-09-06
Command line :./try-fedora-review -b 1503915 -m fedora-rawhide-x86_64
Buildroot used: fedora-rawhide-x86_64
Active plugins: Python, Generic, Shell-api
Disabled plugins: Java, C/C++, fonts, SugarActivity, Ocaml, Perl, Haskell, R, PHP, Ruby
Disabled flags: EXARCH, BATCH, DISTTAG, EPEL5, EPEL7, EPEL6

Comment 33 Stuart D Gathman 2018-09-10 19:51:16 UTC
Spec URL: https://gathman.org/linux/SPECS/roca-detect.spec
SRPM URL: https://gathman.org/linux/f28/src/roca-detect-1.2.12-2.fc28.src.rpm

Fix the shebangs and permissions of the CLI test scripts, just in case a user wants to run individual tests without python3 -m (and to keep rpmlint happy).

Fix bogus changelog version. 

Remove version control files left by upstream.

Comment 34 Miro Hrončok 2018-09-10 20:43:35 UTC
I really don't get this conditional now:

%if 0%{?rhel} >= 7
Requires:	python-dateutil
%else
Requires:	%{python}-dateutil
%endif

What is it that you are trying to express? On RHEL7+, require python-dateutil, but on RHEL6, require python3-dateutil? Why?

--------------

Requires:	%{python}-future %{python}-cryptography %{python}-pgpdump
# Not required in normal usage, but recommended by upstream.
Requires:	python3dist(six)

This mixes 2 types of specifying Python dependencies. As well as this doesn't work with your python macros specified on top. Also, submit a pull request to upstream if the six dependency is bogus.

I recommend you switch to https://fedoraproject.org/wiki/Packaging:Python#Automatically_generated_dependencies

--------------

# fix env shbang in CLI scripts
sed -i -e '1,1 s,^#!.*$,#!%{__python} %{py_shbang_opts},' \
   `find roca -name "*.py" | xargs grep -l '^#!.*env python'`


You might very well just use pathfix.py as a one-liner. https://fedoraproject.org/wiki/Changes/Make_ambiguous_python_shebangs_error#Using_pathfix.py_to_fix_shebangs

--------------

find . -name .gitignore | xargs rm

Why not just -delete?
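
A pre-check for the shebang problem discussed in this comment and reported by rpmlint in comment 32, as an added example (not part of this thread, and not rpmlint or pathfix.py code). It lists the files a packager would need to fix; the finding names `env-resolved-interpreter` and `unversioned-interpreter` and the sample tree are constructed, with file names echoing the rpmlint output.

```python
import os
import stat
import tempfile
from pathlib import Path


def classify_shebang(first_line):
    """Return a finding name for a risky Python shebang, else None."""
    if not first_line.startswith(b"#!"):
        return None
    words = first_line[2:].split()
    if not words:
        return None
    interpreter, args = words[0], words[1:]
    if os.path.basename(interpreter) == b"env":
        # env searches PATH, so which python runs depends on the caller's
        # environment rather than on the packaged dependency.
        if any(arg.startswith(b"python") for arg in args):
            return "env-resolved-interpreter"
        return None
    if interpreter == b"/usr/bin/python":
        # No major version: may be python2, python3 or absent.
        return "unversioned-interpreter"
    return None


def audit_tree(root):
    """Map relative path -> list of findings for every *.py file under root."""
    report = {}
    for path in sorted(Path(root).rglob("*.py")):
        with path.open("rb") as handle:
            first_line = handle.readline()
        findings = []
        kind = classify_shebang(first_line)
        if kind:
            findings.append(kind)
        exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
        # A shebang on a file nobody can execute is dead weight (mode 644 in
        # the rpmlint output): either drop the shebang or set the exec bit.
        if first_line.startswith(b"#!") and not path.stat().st_mode & exec_bits:
            findings.append("non-executable-script")
        if findings:
            report[path.relative_to(root).as_posix()] = findings
    return report


def build_sample(root):
    """Constructed sample tree; contents are made up for the demonstration."""
    samples = {
        "roca/tests/test_tls.py": (b"#!/usr/bin/env python\nprint('t')\n", 0o644),
        "roca/detect.py": (b"#!/usr/bin/python3 -s\nprint('d')\n", 0o755),
        "roca/__init__.py": (b"", 0o644),
    }
    for rel, (content, mode) in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
        path.chmod(mode)


def run_audit_demo():
    """Build the sample tree and return the audit report for it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return audit_tree(root)


if __name__ == "__main__":
    for rel, findings in run_audit_demo().items():
        print(rel, findings)
```
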

Comment 35 Stuart D Gathman 2018-09-10 20:58:49 UTC
(In reply to Miro Hrončok from comment #34)
> I really don't get this conditional now:
> 
> %if 0%{?rhel} >= 7
> Requires:	python-dateutil
> %else
> Requires:	%{python}-dateutil
> %endif
> 
> What is it that you are trying to express? On RHEL7+, require
> python-dateutil, but on RHEL6, require python3-dateutil? Why?

python-dateutil.noarch                   1.5-7.el7                      @base   
python2-dateutil.noarch                  1.5-0.el7                      epel    
python34-dateutil.noarch                 1:2.4.2-3.el7                  epel

I'll just remove all rhel7 support from the package review, and sneak it in after Fedora is approved.  I didn't get el6 to work, and may not spend time on it.

I'll try your other recommendations after I get a day job trouble ticket taken care of.  The pathfix.py looks quite handy - I need to do that a lot.

I only put in the python3dist(six) because you thought I needed it.  The actual substance is met by Requires: %{python}-future.  I put the software through its paces in mock, or in a minimal install where network is needed (roca-detect-tls) to verify dependencies.  I will try the autodependency, but I've had mixed results in the past.  But it's been a few years, maybe it'll work for this.

Comment 36 Stuart D Gathman 2018-09-11 22:53:55 UTC
Spec URL: https://gathman.org/linux/SPECS/roca-detect.spec
SRPM URL: https://gathman.org/linux/f28/src/roca-detect-1.2.12-3.fc28.src.rpm

Use pathfix.py and auto dependencies

Comment 37 Miro Hrončok 2018-09-11 22:59:18 UTC
I really don't like the %if 0 part of the spec file. Can you check if python_enable_dependency_generator is defined instead if you really must?

BuildRequires:	%{python}-setuptools %{python}-devel
BuildRequires: /usr/bin/pathfix.py

Here you mix tabs and spaces. I recommend sticking with spaces, but please pick one.

Otherwise this starts to look good.

Comment 38 Stuart D Gathman 2018-09-11 23:25:06 UTC
The autodependency pulls in python3-six, which isn't needed - but python2-six is needed for python2, and there are going to be lots of dual version packages so I don't mind it.  It builds for epel7 for python2, and still works - but the autodependency fails.  I'll need the manual dependencies for epel7.

Comment 39 Stuart D Gathman 2018-09-11 23:41:40 UTC
Spec URL: https://gathman.org/linux/SPECS/roca-detect.spec
SRPM URL: https://gathman.org/linux/f28/src/roca-detect-1.2.12-4.fc28.src.rpm

Mark manual dependency section as needed for epel7.  Builds as is on epel7 with correct dependencies.

Comment 40 Miro Hrončok 2018-09-12 09:57:38 UTC
OK.

Package APPROVED.

Thanks for your patience with me.

Note that your RHEL >= 7 conditional might bite you with next major RHEL release.

Comment 41 Gwyn Ciesla 2018-09-12 19:57:28 UTC
(fedscm-admin):  The Pagure repository was created at https://src.fedoraproject.org/rpms/roca-detect

Comment 42 Fedora Update System 2018-09-12 21:04:16 UTC
roca-detect-1.2.12-4.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a4704b6c52

Comment 43 Fedora Update System 2018-09-12 21:04:23 UTC
roca-detect-1.2.12-4.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2cce72d1ce

Comment 44 Fedora Update System 2018-09-12 21:04:31 UTC
roca-detect-1.2.12-4.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-68039ba023

Comment 45 Fedora Update System 2018-09-12 21:04:38 UTC
roca-detect-1.2.12-4.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1238d3177c

Comment 46 Fedora Update System 2018-09-13 05:36:42 UTC
roca-detect-1.2.12-4.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a4704b6c52

Comment 47 Fedora Update System 2018-09-13 17:48:35 UTC
roca-detect-1.2.12-4.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-68039ba023

Comment 48 Fedora Update System 2018-09-13 17:52:00 UTC
roca-detect-1.2.12-4.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1238d3177c

Comment 49 Fedora Update System 2018-09-14 15:48:01 UTC
roca-detect-1.2.12-4.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2cce72d1ce

Comment 50 Fedora Update System 2018-09-21 05:33:26 UTC
roca-detect-1.2.12-4.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 51 Fedora Update System 2018-09-21 07:41:51 UTC
roca-detect-1.2.12-4.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 52 Fedora Update System 2018-09-23 19:13:28 UTC
roca-detect-1.2.12-4.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 53 Fedora Update System 2018-10-31 13:57:03 UTC
roca-detect-1.2.12-4.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

