Spec URL: https://pemensik.fedorapeople.org/bind9-next.spec SRPM URL: https://pemensik.fedorapeople.org/bind9-next-9.19.8-1.fc37.src.rpm Description: BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly. Fedora Account System Username: pemensik
This package built on koji: https://koji.fedoraproject.org/koji/taskinfo?taskID=96290961
Copr build: https://copr.fedorainfracloud.org/coprs/build/5243738 (succeeded) Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2161942-bind9-next/fedora-rawhide-x86_64/05243738-bind9-next/fedora-review/review.txt Please take a look if any issues were found. --- This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service
This review introduces alternative package version to existing package 'bind' [1]. It should provide development versions of BIND9, as they are called on upstream download page [2]. Because Development term is often used for headers and libraries, I have chosen to suffix this version with -next instead of -dev. It provides also development headers used by bind-dyndb-ldap package and bind9-dev-devel package would look strange. This package is intended to have always future development versions. Means more new features arrive there, but also more changes to existing options or deprecated features might happen. It should offer now version 9.19.x, later rebase to 9.21.x and so on. 1. https://src.fedoraproject.org/rpms/bind 2. https://www.isc.org/download/
Separate component would also allow building EPEL versions for RHEL later. Unlike stable BIND9 releases development releases would not be supported in RHEL. Separate bind9-next component would be eliglible for EPEL inclusion even when bind package is included in RHEL.
I have also maintained test versions for some time at my personal COPR repository: https://copr.fedorainfracloud.org/coprs/pemensik/bind9-next/
Hi, here is my review. Please search for [?] and [!], there is couple of them. Besides that the auto-generated Issues section is totally confusing me, please have a look there as well to double check. Package Review ============== Legend: [x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated [ ] = Manual review needed Issues: ======= - Package is not relocatable. Comment: Not really an issue as it is not intended to be. - Sources used to build the package match the upstream source, as provided in the spec URL. Note: Upstream MD5sum check error, diff is in /var/lib/copr- rpmbuild/results/bind9-next/diff.txt See: https://docs.fedoraproject.org/en-US/packaging-guidelines/SourceURL/ Huh? I can't see the problem. Can you spot it? ===== MUST items ===== C/C++: [x]: Package does not contain kernel modules. [x]: Package contains no static executables. [x]: Development (unversioned) .so files in -devel subpackage, if present. Unversioned so-files in private %_libdir subdirectory are okay. [x]: If your application is a C or C++ application you must list a BuildRequires against gcc, gcc-c++ or clang. [x]: Header files in -devel subpackage, if present. [x]: Package does not contain any libtool archives (.la) [x]: Rpath absent or only used for internal libs. Generic: [x]: Package successfully compiles and builds into binary rpms on at least one supported primary architecture. Note: Using prebuilt packages [x]: Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines. [x]: License field in the package spec file matches the actual license. [x]: License file installed when any subpackage combination is installed. [?]: Package requires other packages for directories it uses. Note: No known owner of /var/named/chroot/usr/share Seems like this one needs attention? I'm confused because this directory is not present in the built RPM. [?]: Package must own all directories that it creates. Note: Directories without known owners: /etc/logrotate.d, /var/named/chroot/usr/share Ditto. I'm confused because chroot/usr/share directory is not present in the built RPM. [x]: %build honors applicable compiler flags or justifies otherwise. [x]: Package contains no bundled libraries without FPC exception. [x]: Changelog in prescribed format. [x]: Sources contain only permissible code or content. [x]: %config files are marked noreplace or the reason is justified. Built-in zones are config but should not be touched, and are outside of /etc, so it's okay to not have (noreplace) on them. [x]: Each %files section contains %defattr if rpm < 4.4 [-]: Package contains desktop file if it is a GUI application. [x]: Development files must be in a -devel package [x]: Package uses nothing in %doc for runtime. [x]: Package consistently uses macros (instead of hard-coded directory names). [x]: Package is named according to the Package Naming Guidelines. [x]: Package does not generate any conflict. [x]: Package obeys FHS, except libexecdir and /usr/target. [x]: If the package is a rename of another package, proper Obsoletes and Provides are present. Provides sound reasonable, given it's alternative version of BIND. [x]: Requires correct, justified where necessary. [x]: Spec file is legible and written in American English. [x]: Package contains systemd file(s) if in need. [x]: Useful -debuginfo package or justification otherwise. [x]: Package is not known to require an ExcludeArch tag. [x]: Large documentation must go in a -doc subpackage. Large could be size (~1MB) or number of files. Note: Documentation size is 808960 bytes in 31 files. [x]: Package complies to the Packaging Guidelines [x]: Package installs properly. [x]: Rpmlint is run on all rpms the build produces. Note: There are rpmlint messages (see attachment). [x]: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %license. [x]: Package does not own files or directories owned by other packages. [x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT [x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install. [x]: Macros in Summary, %description expandable at SRPM build time. [x]: Dist tag is present. [x]: Package does not contain duplicates in %files. [x]: Permissions on files are set properly. [x]: Package must not depend on deprecated() packages. [x]: Package use %makeinstall only when make install DESTDIR=... doesn't work. [x]: Package is named using only allowed ASCII characters. [x]: No %config files under /usr. [x]: Package does not use a name that already exists. [x]: Spec file name must match the spec package %{name}, in the format %{name}.spec. [x]: systemd_post is invoked in %post, systemd_preun in %preun, and systemd_postun in %postun for Systemd service files. Note: Systemd service file(s) in bind9-next, bind9-next-chroot [x]: File names are valid UTF-8. [x]: Packages must not store files under /srv, /opt or /usr/local ===== SHOULD items ===== Generic: [!]: Reviewer should test that the package builds in mock. [!]: Uses parallel make %{?_smp_mflags} macro. [-]: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it. [!]: Final provides and requires are sane (see attachments). Please see rpmlint output in COPR. It complains about E: missing-dependency-to-logrotate for logrotate Besides that, can you double check the rest, most notably W: obsolete-not-provided ? That one looks okay to me, but please double check. [?]: Fully versioned dependency in subpackages if applicable. Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in bind9-next-libs , bind9-next-license , bind9-next-utils , bind9-next- dnssec-utils , bind9-next-devel , bind9-next-chroot , bind9-next-dlz- filesystem , bind9-next-dlz-ldap , bind9-next-dlz-mysql , bind9-next- dlz-sqlite3 I suppose this is okay because there is the -chroot variant. Can you confirm I got it right? [x]: Package functions as described. [x]: Latest version is packaged. [x]: Package does not include license text files separate from upstream. [!]: Patches link to upstream bugs/comments/lists or are otherwise justified. Some patches are missing justification, like -PIE with FIXME on it. Especially the -next version should ideally have no patches. Pretty please! https://docs.fedoraproject.org/en-US/packaging-guidelines/#_patch_guidelines [x]: Scriptlets must be sane, if used. [x]: Sources are verified with gpgverify first in %prep if upstream publishes signatures. Note: Sources 1, 3, 16, 17, 18, 19, 20, 23, 25, 27, 35, 36, 37, 38, 41, 42, 43, 44, 46, 48 and 49 are not passed to gpgverify - but that's okay as they are distro files. [x]: Package should compile and build into binary rpms on all supported architectures. [x]: %check is present and all tests pass. Well, pass to an extent possible. Without network in Koji it's going to be just pretension of %check anyway. [!]: Packages should try to preserve timestamps of original installed files. install -p should be prefered, see https://docs.fedoraproject.org/en-US/packaging-guidelines/#_timestamps [x]: Files in /run, var/run and /var/lock uses tmpfiles.d when appropriate [!]: Spec use %global instead of %define unless justified. Note: %define requiring justification: %define bind_export_libs isc dns isccfg irs, %define upname_compat() %if "%{name}" != "%{upname}" %if 0%{?fedora} >= 37 Provides: %1 = %{epoch}:%{version}-%{release} %endif Obsoletes: %1 < 32:9.17.0 Conflicts: %1 %endif, %define _configure "../configure", %define unit_prepare_build() find lib -name 'K*.key' -exec cp -uv '{}' "%{1}/{}" ';' find lib -name 'testdata' -type d -exec cp -Tav '{}' "%{1}/{}" ';' find lib -name 'testkeys' -type d -exec cp -Tav '{}' "%{1}/{}" ';', %define systemtest_prepare_build() cp -Tuav bin/tests "%{1}/bin/tests/", %define chroot_fix_devices() if [ $1 -gt 1 ]; then for DEV in "%{1}/dev"/{null,random,zero}; do if [ -e "$DEV" -a "$(/bin/stat --printf="%G %a" "$DEV")" = "root 644" ]; then /bin/chmod 0664 "$DEV" /bin/chgrp named "$DEV" fi done fi Guideline likes %global over %define. Can you improve it? https://docs.fedoraproject.org/en-US/packaging-guidelines/#_global_preferred_over_define [x]: Buildroot is not present [x]: Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT) [x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin. [x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file [x]: Sources can be downloaded from URI in Source: tag [x]: SourceX is a working URL. ===== EXTRA items ===== Generic: [x]: Spec file according to URL is the same as in SRPM. [x]: Rpmlint is run on debuginfo package(s). Note: No rpmlint messages. [x]: Rpmlint is run on all installed packages. Note: There are rpmlint messages (see attachment). [x]: Large data in /usr/share should live in a noarch subpackage if package is arched. [x]: Package should not use obsolete m4 macros
Spec URL: https://pemensik.fedorapeople.org/bind9-next.spec SRPM URL: https://pemensik.fedorapeople.org/srpm/bind9-next-9.19.8-2.fc38.src.rpm dist-git: https://src.fedoraproject.org/fork/pemensik/rpms/bind/tree/bind9-dev (In reply to Petr Špaček from comment #6) > Hi, here is my review. Please search for [?] and [!], there is couple of > them. > > Besides that the auto-generated Issues section is totally confusing me, > please have a look there as well to double check. > > Issues: > ======= > - Package is not relocatable. > Comment: Not really an issue as it is not intended to be. > > - Sources used to build the package match the upstream source, as provided > in the spec URL. > Note: Upstream MD5sum check error, diff is in /var/lib/copr- > rpmbuild/results/bind9-next/diff.txt > See: https://docs.fedoraproject.org/en-US/packaging-guidelines/SourceURL/ > > Huh? I can't see the problem. Can you spot it? Have no idea what this means. Never seen that and do not understand it either. > > > ===== MUST items ===== > > C/C++: > [x]: Package does not contain kernel modules. > [x]: Package contains no static executables. > [x]: Development (unversioned) .so files in -devel subpackage, if present. > Unversioned so-files in private %_libdir subdirectory are okay. > [x]: If your application is a C or C++ application you must list a > BuildRequires against gcc, gcc-c++ or clang. > [x]: Header files in -devel subpackage, if present. > [x]: Package does not contain any libtool archives (.la) > [x]: Rpath absent or only used for internal libs. > > Generic: > [x]: Package successfully compiles and builds into binary rpms on at least > one supported primary architecture. > Note: Using prebuilt packages > [x]: Package is licensed with an open-source compatible license and meets > other legal requirements as defined in the legal section of Packaging > Guidelines. > [x]: License field in the package spec file matches the actual license. > [x]: License file installed when any subpackage combination is installed. > [?]: Package requires other packages for directories it uses. > Note: No known owner of /var/named/chroot/usr/share > Seems like this one needs attention? I'm confused because this directory is > not present in the built RPM. > > [?]: Package must own all directories that it creates. > Note: Directories without known owners: /etc/logrotate.d, > /var/named/chroot/usr/share > Ditto. I'm confused because chroot/usr/share directory is not present in the > built RPM. That is the error. If installed, it creates that directory. When uninstalled, unowned directory is left there and not properly deleted. Because it is not official part of the package. > ... > ===== SHOULD items ===== > > Generic: > [!]: Reviewer should test that the package builds in mock. > [!]: Uses parallel make %{?_smp_mflags} macro. %make_build macro contains those flags, see rpm -E %make_build. But pushed make_build to remaining places also, -j may override them when needed. > [-]: If the source package does not include license text(s) as a separate > file from upstream, the packager SHOULD query upstream to include it. > [!]: Final provides and requires are sane (see attachments). > Please see rpmlint output in COPR. It complains about > E: missing-dependency-to-logrotate for logrotate I want just to include logrotate file in bind, but do not depend or suggest logrotate. Default configuration logs to systemd journal and that does not need any logrotate. Owned the logrotate directory, but that is all I want. > > Besides that, can you double check the rest, most notably W: > obsolete-not-provided ? That one looks okay to me, but please double check. > > [?]: Fully versioned dependency in subpackages if applicable. > Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in > bind9-next-libs , bind9-next-license , bind9-next-utils , bind9-next- > dnssec-utils , bind9-next-devel , bind9-next-chroot , bind9-next-dlz- > filesystem , bind9-next-dlz-ldap , bind9-next-dlz-mysql , bind9-next- > dlz-sqlite3 > I suppose this is okay because there is the -chroot variant. Can you confirm > I got it right? I think it is confused by: Requires: %{name}-license = %{epoch}:%{version}-%{release} or Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} I think they are okay. > > [x]: Package functions as described. > [x]: Latest version is packaged. > [x]: Package does not include license text files separate from upstream. > > [!]: Patches link to upstream bugs/comments/lists or are otherwise > justified. > Some patches are missing justification, like -PIE with FIXME on it. > Especially the -next version should ideally have no patches. Pretty please! > https://docs.fedoraproject.org/en-US/packaging-guidelines/#_patch_guidelines Okay, I admit that is my intention. This weird thingy were added in commit: https://src.fedoraproject.org/rpms/bind/c/bbeea42ab3194cda396fdf32e9ee516cec4bb3ca I guess I will have to do more research what exactly it tried to fix and whether it still make sense to do. If it does, it clearly should be offered upstream. Commenting out that patch file, but keeping it in my repo. > > [x]: Scriptlets must be sane, if used. > [x]: Sources are verified with gpgverify first in %prep if upstream > publishes signatures. > Note: Sources 1, 3, 16, 17, 18, 19, 20, 23, 25, 27, 35, 36, 37, 38, > 41, 42, 43, 44, 46, 48 and 49 are not passed to gpgverify - but that's > okay as they are distro files. That is correct, those are downstream files and are not signed by anyone. That is okay, signatures are useful on executed code. That is covered. > [x]: Package should compile and build into binary rpms on all supported > architectures. > [x]: %check is present and all tests pass. > Well, pass to an extent possible. Without network in Koji it's going to be > just pretension of %check anyway. > > [!]: Packages should try to preserve timestamps of original installed > files. > install -p should be prefered, see > https://docs.fedoraproject.org/en-US/packaging-guidelines/#_timestamps Oh, never noticed that, fixed! > > [x]: Files in /run, var/run and /var/lock uses tmpfiles.d when appropriate > > [!]: Spec use %global instead of %define unless justified. > Note: %define requiring justification: %define bind_export_libs isc > dns isccfg irs, %define upname_compat() %if "%{name}" != "%{upname}" > %if 0%{?fedora} >= 37 Provides: %1 = %{epoch}:%{version}-%{release} > %endif Obsoletes: %1 < 32:9.17.0 Conflicts: %1 %endif, %define > _configure "../configure", %define unit_prepare_build() find lib -name > 'K*.key' -exec cp -uv '{}' "%{1}/{}" ';' find lib -name 'testdata' > -type d -exec cp -Tav '{}' "%{1}/{}" ';' find lib -name 'testkeys' > -type d -exec cp -Tav '{}' "%{1}/{}" ';', %define > systemtest_prepare_build() cp -Tuav bin/tests "%{1}/bin/tests/", > %define chroot_fix_devices() if [ $1 -gt 1 ]; then for DEV in > "%{1}/dev"/{null,random,zero}; do if [ -e "$DEV" -a "$(/bin/stat > --printf="%G %a" "$DEV")" = "root 644" ]; then /bin/chmod 0664 "$DEV" > /bin/chgrp named "$DEV" fi done fi > > Guideline likes %global over %define. Can you improve it? > https://docs.fedoraproject.org/en-US/packaging-guidelines/ > #_global_preferred_over_define I think they are used as macro function, where %define is still appropriate. Removed one place where it was used just instead global value, but were unused. > > [x]: Buildroot is not present >
Created attachment 1939173 [details] The .spec file difference from Copr build 5243738 to 5253437
Copr build: https://copr.fedorainfracloud.org/coprs/build/5253437 (succeeded) Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2161942-bind9-next/fedora-rawhide-x86_64/05253437-bind9-next/fedora-review/review.txt Please take a look if any issues were found. --- This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service
This is looking good. I think the only remaining nit is patch bind-9.18-unittest-netmgr-unstable.patch I think that one should not be necessary anymore either, netmgr tests should be stable by now.
Okay, cleaned up unused patches. Re-applied remaining fips-tests changes and created upstream MR from it. Renumbered them to start from 1. Spec URL: https://src.fedoraproject.org/fork/pemensik/rpms/bind/raw/bind9-dev/f/bind9-next.spec SRPM URL: https://pemensik.fedorapeople.org/srpm/bind9-next-9.19.8-3.fc38.src.rpm
Met also one unit test crash during test rebuild. I expect it would be rare, but filled issue anyway: https://gitlab.isc.org/isc-projects/bind9/-/issues/3817 Built also scratch build for epel9: https://koji.fedoraproject.org/koji/taskinfo?taskID=96492069 Should be used to verify tests can pass also in FIPS mode enabled. One minor issue detected on COPR is current sources fail to build documentation on epel8. But that should be handled later, not a review blocker.
Created attachment 1939667 [details] The .spec file difference from Copr build 5253437 to 5281323
Copr build: https://copr.fedorainfracloud.org/coprs/build/5281323 (succeeded) Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2161942-bind9-next/fedora-rawhide-x86_64/05281323-bind9-next/fedora-review/review.txt Please take a look if any issues were found. --- This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service
Hmm, this version does not work under FIPS mode on current RHEL 9 at all. It crashes programs with: $ doc/misc/.libs/cfg_test --zonegrammar primary ... ../../../lib/isc/mem.c:993: REQUIRE(((ctx) != ((void *)0) && ((const isc__magic_t *)(ctx))->magic == ((('M') << 24 | ('e') << 16 | ('m') << 8 | ('C'))))) failed, back trace /root/rpmbuild/BUILD/bind-9.19.8/build/doc/misc/../../lib/isc/.libs/libisc-9.19.8.so(+0x2e6c3)[0x7ffff7a2e6c3] /root/rpmbuild/BUILD/bind-9.19.8/build/doc/misc/../../lib/isc/.libs/libisc-9.19.8.so(isc_assertion_failed+0x10)[0x7ffff7a2e450] /root/rpmbuild/BUILD/bind-9.19.8/build/doc/misc/../../lib/isc/.libs/libisc-9.19.8.so(isc__mem_free+0x91)[0x7ffff7a46741] /usr/lib64/ossl-modules/fips.so(+0x15074)[0x7ffff6a0a074] /lib64/ld-linux-x86-64.so.2(+0x9f5e)[0x7ffff7fd0f5e] /lib64/libc.so.6(+0x574b5)[0x7ffff76574b5] /lib64/libc.so.6(on_exit+0x0)[0x7ffff7657630] /lib64/libc.so.6(+0x3feb7)[0x7ffff763feb7] /lib64/libc.so.6(__libc_start_main+0x80)[0x7ffff763ff60] Which is under gdb: (gdb) bt #0 0x00007ffff76a154c in __pthread_kill_implementation () from /lib64/libc.so.6 #1 0x00007ffff7654d46 in raise () from /lib64/libc.so.6 #2 0x00007ffff76287f3 in abort () from /lib64/libc.so.6 #3 0x00007ffff7a2e455 in isc_assertion_failed (file=<optimized out>, line=<optimized out>, type=<optimized out>, cond=<optimized out>) at ../../../lib/isc/assertions.c:50 #4 0x00007ffff7a46741 in isc__mem_free (ctx=<optimized out>, ptr=<optimized out>, flags=<optimized out>) at ../../../lib/isc/mem.c:993 #5 0x00007ffff6a0a074 in cleanup () at providers/fips/self_test.c:170 #6 0x00007ffff7fd0f5e in _dl_fini () at dl-fini.c:142 #7 0x00007ffff76574b5 in __run_exit_handlers () from /lib64/libc.so.6 #8 0x00007ffff7657630 in exit () from /lib64/libc.so.6 #9 0x00007ffff763feb7 in __libc_start_call_main () from /lib64/libc.so.6 #10 0x00007ffff763ff60 in __libc_start_main_impl () from /lib64/libc.so.6 #11 0x0000555555555995 in _start () Not necessary to be fixed now, but should be fixed eventually. Without FIPS mode enabled it works fine and passes all tests.
This crash is not a problem with package itself, and it seems that other points raised were addressed so I'm ACKing this. Thank you!
The review needs to be assigned to the reviewer. Setting POST and assigning to Petr, acked by comment #16.
The Pagure repository was created at https://src.fedoraproject.org/rpms/bind9-next
FEDORA-2023-803a3b98c4 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-803a3b98c4
FEDORA-2023-76a93ef3d2 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2023-76a93ef3d2
FEDORA-2023-803a3b98c4 has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf install --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-803a3b98c4 \*` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-803a3b98c4 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-76a93ef3d2 has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf install --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-76a93ef3d2 \*` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-76a93ef3d2 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2023-116ae883fe has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-116ae883fe
FEDORA-EPEL-2023-116ae883fe has been pushed to the Fedora EPEL 9 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-116ae883fe See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-803a3b98c4 has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2023-76a93ef3d2 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.