### usbauth-notifier ### Spec URL: https://copr-be.cloud.fedoraproject.org/results/kochstefan/usbauth-all/fedora-27-x86_64/00726580-usbauth-notifier/usbauth-notifier.spec SRPM URL: https://copr-be.cloud.fedoraproject.org/results/kochstefan/usbauth-all/fedora-27-x86_64/00726580-usbauth-notifier/usbauth-notifier-1.0-1.fc27.src.rpm Description: A notifier for the usbauth firewall against BadUSB attacks. The user could manually allow or deny USB devices. Every user that wants use the notifier must be added to the usbauth group. ####################### Hi I want to add the packages libusbauth-configparser, usbauth, usbauth-notifier to Fedora. I need a review and a sponsor for packaging these packages. The usbauth packages already part of openSUSE Tumbleweed, Debian Sid and Ubuntu 18.04 (pre). This work was initially created for SUSE in 2015. Part of it was the USB interface authorization for the Linux kernel. It's contained in Linux since kernel version 4.4. There are the following packages libusbauth-configparser, usbauth, usbauth-notifier. GIT Repository: https://github.com/kochstefan/usbauth-all.git NOTICE aboud usbguard and usbauth: The usbguard project provides an USB firewall, too. It is already packaged within debian. The usbguard development was supported by RedHat and usbauth was supported by SUSE. Historical, usbguard was published while the working on usbauth has already been started. The main difference is that usbguard works with USB devices and usbauth works with USB interfaces. usbauth could allow/deny usb interfaces using the new usb interface authorization mechanism that is part of linux 4.4 and above. See also: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/log/?h=v4.4.94&qt=grep&q=interface+auth Examples: * allow a storage functionality of a USB device and deny USB Ethernet of the same device * allow audio/video functionality of an USB TV card and deny using the remote control functionality * allow USB printing/scanning and deny USB storage usage of a multifunction printer (BTW: the interface mechanism supports denying user space triggered actions (using USB claiming) like scanning) usbguard could allow/deny USB devices using the usb device authorization mechanism of the Linux kernel. It allows to denying a whole device if one interface of it is considered as bad (usbauth supports this, too) usbguard allows creating actions that is not supported by usbauth. If you can understand German language you could read a detailed description: https://epub.uni-bayreuth.de/3048/1/koch2017sicherheitsaspekte.pdf Thank you Stefan Koch
A first review was done by Robert-André Mauchin with Bug 1553496 (complete usbauth suite review request). I have changed the spec files now. There are new build available on COPR. See Bugs: 1554020 libusbauth-configparser review request 1554021 usbauth review request 1554022 usbauth-notifier review request (these bugs will replace bug 1553496)
Sorry to have forgotten you. - Please space out your changelog entry, they are difficult to read - I would rather have you not mix Suse stuff with Fedora stuff. - Install the license file with %license, not %doc %doc README %license COPYING - Your %changelog entry must contain the release-version: * Sat Mar 10 2018 stefan.koch10 - 1.0-1 - Add a BR for gcc - Split the description to stay below 80 characters - Use %autosetup or %setup -q to make the setup quiet: - Use %find_lang in %install to install the translations: %install %make_install %find_lang %name %files -f %name.lang Package Review ============== Legend: [x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated [ ] = Manual review needed Issues: ======= - Permissions on files are set properly. Note: See rpmlint output See: http://fedoraproject.org/wiki/Packaging/Guidelines#FilePermissions - If your application is a C or C++ application you must list a BuildRequires against gcc, gcc-c++ or clang. Note: No gcc, gcc-c++ or clang found in BuildRequires See: https://fedoraproject.org/wiki/Packaging:C_and_C%2B%2B - If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %license. Note: License file COPYING is not marked as %license See: http://fedoraproject.org/wiki/Packaging/LicensingGuidelines#License_Text ===== MUST items ===== C/C++: [x]: Package does not contain kernel modules. [x]: Package contains no static executables. [x]: Header files in -devel subpackage, if present. [x]: Package does not contain any libtool archives (.la) [x]: Rpath absent or only used for internal libs. Generic: [x]: Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines. [x]: License field in the package spec file matches the actual license. Note: Checking patched sources after %prep for licenses. Licenses found: "GPL (v2)", "Unknown or generated". 14 files have unknown license. Detailed output of licensecheck in /home/bob/packaging/review /usbauth-notifier/review-usbauth-notifier/licensecheck.txt [x]: License file installed when any subpackage combination is installed. [x]: Package does not own files or directories owned by other packages. Note: Dirs in package are owned also by: /etc/xdg/autostart(filesystem) [x]: %build honors applicable compiler flags or justifies otherwise. [x]: Package contains no bundled libraries without FPC exception. [x]: Changelog in prescribed format. [x]: Sources contain only permissible code or content. [-]: Development files must be in a -devel package [x]: Package uses nothing in %doc for runtime. [x]: The spec file handles locales properly. [x]: Package consistently uses macros (instead of hard-coded directory names). [x]: Package is named according to the Package Naming Guidelines. [x]: Package does not generate any conflict. [x]: Package obeys FHS, except libexecdir and /usr/target. [-]: If the package is a rename of another package, proper Obsoletes and Provides are present. [x]: Requires correct, justified where necessary. [x]: Spec file is legible and written in American English. [x]: Useful -debuginfo package or justification otherwise. [x]: Package is not known to require an ExcludeArch tag. [-]: Large documentation must go in a -doc subpackage. Large could be size (~1MB) or number of files. Note: Documentation size is 30720 bytes in 2 files. [x]: Package complies to the Packaging Guidelines [x]: Package successfully compiles and builds into binary rpms on at least one supported primary architecture. [x]: Package installs properly. [x]: Rpmlint is run on all rpms the build produces. Note: There are rpmlint messages (see attachment). [x]: Package requires other packages for directories it uses. [x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT [x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install. [x]: Macros in Summary, %description expandable at SRPM build time. [x]: Package contains desktop file if it is a GUI application. [x]: Package does not contain duplicates in %files. [x]: Package use %makeinstall only when make install DESTDIR=... doesn't work. [x]: Package is named using only allowed ASCII characters. [x]: Package does not use a name that already exists. [x]: Package is not relocatable. [x]: Sources used to build the package match the upstream source, as provided in the spec URL. [x]: Spec file name must match the spec package %{name}, in the format %{name}.spec. [x]: Package contains systemd file(s) if in need. [x]: File names are valid UTF-8. [x]: Packages must not store files under /srv, /opt or /usr/local ===== SHOULD items ===== Generic: [-]: Buildroot is not present Note: Invalid buildroot found: %{_tmppath}/%{name}-%{version}-build See: http://fedoraproject.org/wiki/Packaging/Guidelines#BuildRoot_tag [-]: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it. [x]: Final provides and requires are sane (see attachments). [-]: Fully versioned dependency in subpackages if applicable. Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in usbauth- notifier-debuginfo , usbauth-notifier-debugsource [?]: Package functions as described. [x]: Latest version is packaged. [x]: Package does not include license text files separate from upstream. [-]: Description and summary sections in the package spec file contains translations for supported Non-English languages, if available. [x]: Package should compile and build into binary rpms on all supported architectures. [-]: %check is present and all tests pass. [x]: Packages should try to preserve timestamps of original installed files. [x]: Reviewer should test that the package builds in mock. [x]: Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT) [x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin. [x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file [x]: SourceX is a working URL. [x]: Spec use %global instead of %define unless justified. ===== EXTRA items ===== Generic: [x]: Rpmlint is run on debuginfo package(s). Note: No rpmlint messages. [x]: Rpmlint is run on all installed packages. Note: There are rpmlint messages (see attachment). [x]: Large data in /usr/share should live in a noarch subpackage if package is arched. [x]: Package should not use obsolete m4 macros [x]: Spec file according to URL is the same as in SRPM. Rpmlint ------- Checking: usbauth-notifier-1.0-1.fc30.x86_64.rpm usbauth-notifier-debuginfo-1.0-1.fc30.x86_64.rpm usbauth-notifier-debugsource-1.0-1.fc30.x86_64.rpm usbauth-notifier-1.0-1.fc30.src.rpm usbauth-notifier.x86_64: E: description-line-too-long C A notifier for the usbauth firewall against BadUSB attacks. The user could manually allow or deny USB devices. usbauth-notifier.x86_64: W: incoherent-version-in-changelog tefan.koch10 ['1.0-1.fc30', '1.0-1'] usbauth-notifier.x86_64: W: non-conffile-in-etc /etc/xdg/autostart/usbauth-notifier.desktop usbauth-notifier.x86_64: W: non-standard-gid /usr/bin/usbauth-npriv usbauth usbauth-notifier.x86_64: E: setuid-binary /usr/bin/usbauth-npriv root 4750 usbauth-notifier.x86_64: E: non-standard-executable-perm /usr/bin/usbauth-npriv 4750 usbauth-notifier.x86_64: E: non-standard-executable-perm /usr/bin/usbauth-npriv 4750 usbauth-notifier.x86_64: W: non-standard-gid /usr/lib/usbauth-notifier usbauth-notifier usbauth-notifier.x86_64: E: non-standard-dir-perm /usr/lib/usbauth-notifier 750 usbauth-notifier.x86_64: W: non-standard-gid /usr/lib/usbauth-notifier/usbauth-notifier usbauth usbauth-notifier.x86_64: E: setgid-binary /usr/lib/usbauth-notifier/usbauth-notifier usbauth 2755 usbauth-notifier.x86_64: E: non-standard-executable-perm /usr/lib/usbauth-notifier/usbauth-notifier 2755 usbauth-notifier.x86_64: W: file-not-in-%lang /usr/share/locale/de/LC_MESSAGES/usbauth-notifier.mo usbauth-notifier.x86_64: W: file-not-in-%lang /usr/share/locale/zh_TW/LC_MESSAGES/usbauth-notifier.mo usbauth-notifier.src: E: description-line-too-long C A notifier for the usbauth firewall against BadUSB attacks. The user could manually allow or deny USB devices. usbauth-notifier.src:64: W: setup-not-quiet usbauth-notifier.src: W: invalid-url Source0: usbauth-notifier-1.0.tar.bz2 4 packages and 0 specfiles checked; 8 errors, 9 warnings.
I have added an new revised build at: https://copr.fedorainfracloud.org/coprs/kochstefan/usbauth-all/build/849748
%files -f %name.lang %files - Squash this into one statement: %files -f %name.lang - This should not be needed: %_datadir/locale/*/LC_MESSAGES/usbauth-notifier.mo It should be included in %name.lang populated by %find_lang %name - %_usr → %{_prefix} - %verify(not mode) Not useful - Why is it installed in %_usr/lib instead of %{_libdir}? This should be fixed upstream. - Add Requires(pre): shadow-utils
I have added a revised build at: https://copr.fedorainfracloud.org/coprs/kochstefan/usbauth-all/build/893247 usbauth-notifier is currently installed to /usr/lib/usbauth-notifier/usbauth-notifier because of - there are a lot of files in it, even if /usr/lib64 is available on 64 bit systems ... - I need an architecture independent and distribution (Fedora, openSUSE, Debian) independent path (the path is used by binaries and configuration-files, too) - /usr/bin not possible because subdirectory usbauth-notifier is needed (special permissions are set) - /usr/lib/libexec might be an option, but is not available for openSUSE and debian Can you recommend some other path that does not change for architecture and distribution?
I don't see how the number of files is relevant, if the code contains archful data you need to put it in %{_libdir}, if the files are noarch, then it goes into %{_datadir}. If it's a binary, put it in %{_bindir}. Why do you hardcode /usr/lib into your code? In any case it must respect the FHS: https://docs.fedoraproject.org/en-US/packaging-guidelines/#_filesystem_layout
The referenced package guidelines say: "The Filesystem Hierarchy Standard does not include any provision for libexecdir, but Fedora packages MAY store appropriate files there. Libexecdir (aka, /usr/libexec on Fedora systems) should only be used as the directory for executable programs that are designed primarily to be run by other programs rather than by users." So I have moved the binary from /usr/lib/usbauth-notifier/usbauth-notifier to /usr/libexec/usbauth-notifier/usbauth-notifier, now. After this change, depending files use paths using the libexec autoconf/automake variables. usbauth-notifier is executed by using xdg autostart. There is a new build at https://copr.fedorainfracloud.org/coprs/kochstefan/usbauth-all/build/895957
I still think you shouldn't hardcode the path in your source code, what if one ser builds it and installs it in /usr/local? Nothing works anymore. Take a look at configmake.h and how it is used in Bison: https://github.com/lcytxw/bison-3.0.4/blob/master/Makefile#L5402 Package approved.
Thank you for the good example. The build 895957 does not use hardcoded paths anymore. Have you found one? Commit: https://github.com/kochstefan/usbauth-all/commit/76ee5774b0d8f1d1281720dba01db421a86f8f83 It uses within Makefile.am (as example): usbauth_npriv_CFLAGS = -include config.h -DSBINDIR=\""$(sbindir)"\" -DLIBEXECDIR=\""$(libexecdir)"\" and .c source: #define NOTIFIER_PATH LIBEXECDIR "/usbauth-notifier/usbauth-notifier" This is described here: "A corollary is that you should not use these variables except in makefiles. For instance, instead of trying to evaluate datadir in configure and hard-coding it in makefiles using e.g., ‘AC_DEFINE_UNQUOTED([DATADIR], ["$datadir"], [Data directory.])’, you should add -DDATADIR='$(datadir)' to your makefile's definition of CPPFLAGS (AM_CPPFLAGS if you are also using Automake)." Soruce: https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Installation-Directory-Variables.html
Refreshing flag
(fedscm-admin): The Pagure repository was created at https://src.fedoraproject.org/rpms/usbauth-notifier
Because of a rpmgrill.manifest error I have moved the usbauth-npriv binary from bindir to libexecdir: "/usr/bin/usbauth-npriv", "Owned by group '<tt>usbauth</tt>'; files in /usr/bin must be group 'root'", "subpackage" : "usbauth-notifier" The last build is at: https://bodhi.fedoraproject.org/updates/FEDORA-2019-65ec840e4c There remain two rpmgrill.setxid errors, but I seems that there is no whitelist within fedora. "File <var>/usr/libexec/usbauth-npriv</var> is setuid root but is not on the setxid whitelist.", "subpackage" : "usbauth-notifier" "File <var>/usr/libexec/usbauth-notifier/usbauth-notifier</var> is setgid usbauth but is not on the setxid whitelist.", "subpackage" : "usbauth-notifier"
Package is available in repos