Bug 193478 - Review Request: wordpress - database driven blogging software
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Platform: All Linux
Priority: medium  Severity: medium
Assigned To: Jarod Wilson
QA Contact: Fedora Package Reviews List
Blocks: FE-ACCEPT
Reported: 2006-05-29 09:53 EDT by John Berninger
Modified: 2007-11-30 17:11 EST
Last Closed: 2006-06-20 22:18:12 EDT
Attachments: None

Description John Berninger 2006-05-29 09:53:05 EDT
Description: Wordpress is an online publishing / weblog package that makes it very easy, almost trivial, to get information out to people on the web.

Spec: http://www.berningeronline.net/wordpress.spec
SRPM: http://www.berningeronline.net/wordpress-2.0.2-0.src.rpm
Comment 1 Ville Skyttä 2006-05-30 17:49:42 EDT
Direct static code injection vulnerability in WordPress 2.0.2 and earlier:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-2667
Comment 2 John Berninger 2006-05-30 20:35:31 EDT
Well, there doesn't appear to be a patch available, so this review will have to
wait until there is one.  I'm watching the svn and testers lists upstream.
Comment 3 John Berninger 2006-05-31 09:26:45 EDT
I'll have to correct myself - it appears this was patched on 5-26 in SVN.  I've
added that patch, rebuilt, and tested the given exploit, and the exploit now fails.

Spec: http://www.berningeronline.net/wordpress.spec
SRPM: http://www.berningeronline.net/wordpress-2.0.2-1.src.rpm
Comment 4 Ville Skyttä 2006-05-31 16:53:51 EDT
Happened to notice another one today, IP spoofing issue:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-2702

(Note: just parroting my findings here, I have no experience with wordpress nor
am I planning to review it, and I've only _very_ quickly peeked into the SRPM,
so sorry in advance if this turns out to be noise.)
Comment 5 Jarod Wilson 2006-06-19 15:50:23 EDT
I'll go ahead and take on this review, since I'm familiar with the software.

My findings thus far:

1) There's a new version (2.0.3) out now (obsoletes the patch), need to update

2) Web apps should be installed in /usr/share/<name>, not /var/www, per fedora
extras guidelines

3) rpmlint complains about a bunch of empty files, they should be removed

4) config files should be broken out into /etc/ somewhere

5) %doc lines aren't quite correct, you should be removing them from the
installed packages and then sucking them in w/the %doc line, referring to them
by their relative path within the source

6) the Source0: url doesn't appear to actually work, upstream only posts a
'latest.tar.gz' (rather annoying of them...)

I'm rather partial to proposing fixes for issues I come up with in review in the
form of an updated spec file, so you can see exactly what I'm suggesting:

http://wilsonet.com/packages/wordpress/
Comment 6 John Berninger 2006-06-19 16:58:03 EDT
Packages updated to 2.0.3, other suggestions integrated.  New packages:

Spec: http://www.berningeronline.net/wordpress.spec
SRPM: http://www.berningeronline.net/wordpress-2.0.3-1.src.rpm
Comment 7 Jarod Wilson 2006-06-19 22:25:15 EDT
One thing I forgot to mention: the way you specify all the files is a matter of preference, but if you're 
going to list them all out rather than simply having a single line '%{_datadir}/wordpress/', you must also 
have a line '%dir %{_datadir}/wordpress/' so that the created directories are also owned by the package.

Also note that the symlink %{_datadir}/wordpress/wp-config.php shouldn't be marked as a config file, 
and symlinks generally should be relative, rather than absolute (otherwise they're hanging within the 
buildroot).

Ah, the wordpress-httpd-conf file needs /var/www/wordpress replaced with /usr/share/wordpress.

Personally, I'd also just do away with the '%define installdir %{_datadir}' and simply replace all cases of %{installdir} with %{_datadir}, because it just adds unnecessary and non-standard cruft.

Additional review details:

* package meets naming and packaging guidelines: okay
* specfile is properly named, is cleanly written and uses macros consistently: my only beef on that is 
the now unnecessary use of %{installdir}
* dist tag is present: okay
* build root is correct.
      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n): okay
* license field matches the actual license: GPL, okay
* license is open source-compatible, license text included in package: okay
* source files match upstream: okay
      $ md5sum latest.tar.gz wordpress-2.0.3.tar.gz
        0ad0696351cba9ef9b4a3dd97b1f327b  latest.tar.gz
        0ad0696351cba9ef9b4a3dd97b1f327b  wordpress-2.0.3.tar.gz
* latest version is being packaged: v2.0.3, okay
* BuildRequires are proper: okay
* package builds in mock: okay (fedora development, x86_64)
* rpmlint is silent: not quite yet, it complains about /usr/share/wordpress/wp-config.php being 
marked as a config file
* final provides and requires are sane: okay
    wordpress-2.0.3-1.fc6.noarch.rpm
    config(wordpress) = 2.0.3-1.fc6
    wordpress = 2.0.3-1.fc6
    =
    config(wordpress) = 2.0.3-1.fc6
    httpd  
    mysql-server  
    php >= 4.1.

* no shared libraries are present: okay
* package is not relocatable: okay
* owns the directories it creates: not yet, need to add /usr/share/wordpress to %files
* doesn't own any directories it shouldn't: okay
* no duplicates in %files: okay
* file permissions are appropriate: okay
* %clean is present: okay
* %check is present and all tests pass: n/a
* no scriptlets present: okay
* code, not content: okay
* documentation is small, so no -docs subpackage is necessary: okay
* %docs are not necessary for the proper functioning of the package: okay
* no headers: okay
* no pkgconfig files: okay
* no libtool .la files: okay
* not a GUI app: okay
* not a web app: okay
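The packaging points raised in Comments 5 and 7 (code under /usr/share rather than /var/www, config broken out into /etc, no empty files, relative symlinks only, a %dir line so the package owns its own directory, the httpd snippet updated to the new path, and the source tarball matched against upstream) can all be checked mechanically. The script below is an added example and is not code from this review or from the Fedora wordpress package; it builds a small constructed buildroot in a temp directory, and every path and the %files list it uses are assumptions made for the demonstration, not the package's real spec.

```sh
#!/bin/sh
# Added example, not code from this review or from the Fedora wordpress package.
# Scripted versions of the checks raised in Comments 5 and 7, run against a
# constructed buildroot; every path and the %files list below are assumptions.
set -eu

BUILDROOT=$(mktemp -d)
trap 'rm -rf "$BUILDROOT"' EXIT
WP=/usr/share/wordpress                      # where the reviewer wants the code
CONF="$BUILDROOT/etc/httpd/conf.d/wordpress.conf"
FILES="$BUILDROOT/.files"                    # stand-in for the spec's %files section

# Constructed tree: code under /usr/share, config broken out into /etc.
mkdir -p "$BUILDROOT$WP/wp-admin" "$BUILDROOT/etc/wordpress" "$BUILDROOT/etc/httpd/conf.d"
printf '<?php\n' > "$BUILDROOT$WP/index.php"
printf '<?php\n' > "$BUILDROOT/etc/wordpress/wp-config.php"
: > "$BUILDROOT$WP/wp-admin/empty.txt"       # deliberately empty (the rpmlint complaint)
# One relative symlink (wanted) and one absolute symlink into the buildroot (rejected).
ln -s ../../../etc/wordpress/wp-config.php "$BUILDROOT$WP/wp-config.php"
ln -s "$BUILDROOT/etc/wordpress/wp-config.php" "$BUILDROOT$WP/wp-config-abs.php"
# httpd snippet still pointing at the old /var/www location.
printf 'Alias /wordpress /var/www/wordpress\n<Directory /var/www/wordpress>\n</Directory>\n' > "$CONF"
# %files that lists each file individually but has no %dir line for the top directory.
cat > "$FILES" <<'EOF'
%config(noreplace) /etc/wordpress/wp-config.php
%config(noreplace) /etc/httpd/conf.d/wordpress.conf
/usr/share/wordpress/index.php
/usr/share/wordpress/wp-config.php
/usr/share/wordpress/wp-config-abs.php
/usr/share/wordpress/wp-admin/empty.txt
%dir /usr/share/wordpress/wp-admin
EOF

# Symlinks with an absolute target: they resolve inside the buildroot at build
# time and dangle (or point somewhere unexpected) once installed.
absolute_symlinks() {
    find "$1" -type l -exec sh -c \
        'for l; do case "$(readlink "$l")" in /*) echo "$l" ;; esac; done' sh {} +
}

# Zero-length files, which rpmlint reports; remove them in %install or justify them.
empty_files() { find "$1" -type f -size 0; }

# Does some entry in the %files file $1 own path $2?  A plain directory entry
# owns its whole subtree; a %dir entry owns only that directory.
owns() {
    while read -r line; do
        [ -n "$line" ] || continue
        path=${line##* }; path=${path%/}
        [ "$path" = "$2" ] && return 0
        case "$line" in '%dir '*) continue ;; esac
        case "$2" in "$path"/*) return 0 ;; esac
    done < "$1"
    return 1
}

# Directories below $2 (inside buildroot $1) that nothing in the %files file $3 owns.
unowned_dirs() {
    find "$1$2" -type d | while read -r d; do
        owns "$3" "${d#"$1"}" || echo "${d#"$1"}"
    done
}

# Lines of a packaged config file that still mention a path the package moved away from.
stale_paths() { grep -n -- "$2" "$1" || true; }

# The review's "source files match upstream" step, with SHA-256 instead of MD5.
same_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        a=$(sha256sum "$1" | cut -d' ' -f1); b=$(sha256sum "$2" | cut -d' ' -f1)
    else
        a=$(shasum -a 256 "$1" | cut -d' ' -f1); b=$(shasum -a 256 "$2" | cut -d' ' -f1)
    fi
    [ "$a" = "$b" ]
}

echo "absolute symlinks:"; absolute_symlinks "$BUILDROOT$WP"
echo "empty files:";       empty_files "$BUILDROOT$WP"
echo "unowned dirs:";      unowned_dirs "$BUILDROOT" "$WP" "$FILES"
echo "stale paths:";       stale_paths "$CONF" /var/www/wordpress
```

Against the constructed tree the script reports the absolute wp-config-abs.php link, the empty file, /usr/share/wordpress as unowned (its files are listed but the directory itself is not, exactly the case the reviewer describes), and the two httpd lines still naming /var/www/wordpress; once those are fixed in a real spec every check prints nothing. The digest comparison is the same idea as the md5sum step in the review, with a stronger hash.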
Comment 8 John Berninger 2006-06-20 02:25:08 EDT
Removed %{installdir} macro, symlink no longer marked config, corrected dir
ownerships

Spec: http://www.berningeronline.net/wordpress.spec
SRPM: http://www.berningeronline.net/wordpress-2.0.3-2.src.rpm
Comment 9 Jarod Wilson 2006-06-20 10:44:30 EDT
And you also corrected the httpd conf file. :) Everything looks good to go now,
package APPROVED.
Comment 10 John Berninger 2006-06-20 22:18:12 EDT
imported and built for FC4, FC5, and devel.