225659 – Merge Review: cracklib

Bug 225659 - Merge Review: cracklib

Summary: Merge Review: cracklib

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	Package Review
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Jason Tibbitts
QA Contact:	Fedora Package Reviews List
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	F9MergeReviewTarget
TreeView+	depends on / blocked

Reported:	2007-01-31 17:52 UTC by Nobody's working on this, feel free to take it
Modified:	2009-02-19 19:04 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2009-02-19 19:04:32 UTC
Type:	---
Embargoed:
Dependent Products:
Flags:	j: fedora-review+

Attachments	(Terms of Use)
specfile diff which includes suggested fixes for merge review issues (3.42 KB, patch) 2007-02-11 11:21 UTC, Jef Spaleta	no flags	Details \| Diff
View All

Description Nobody's working on this, feel free to take it 2007-01-31 17:52:34 UTC

Fedora Merge Review: cracklib

http://cvs.fedora.redhat.com/viewcvs/devel/cracklib/
Initial Owner: nalin

Comment 1 Jef Spaleta 2007-02-11 11:19:46 UTC

review checklist for cracklib 

Sumary NOT APPROVED. See the notes below for full details. Attached to this
report is a diff of the specfile which includes all of my suggested changes. 
The package owner should review the diff if there are items which can not be
incorporated, bring it up as a comment to this report for discussion. 

NOTE:
Not all the blockers have been address in the specfile diff. There are items
which the package owner must address which are not obvious specfile fixes.


+ GOOD   - BAD
+ rpmlint... see the notes at the end. I've rolled in changes into the spec from
the rpmlint log info
+ packagename is fine
+ specfile name is fine
+ license check 
Artistic , matches source license for SOURCE0, and LICENSE file included 
in %doc spec is english-ish
- md5sum check of sources
9a8c9eb26b48787c84024ac779f64bb2  cracklib-2.8.9.tar.gz from SOURCE0 URL
9a8c9eb26b48787c84024ac779f64bb2 
/home/jspaleta/rpmbuild/SOURCES/cracklib-2.8.9.tar.gz

md5sum check:
ASSurnames.gz: OK
cartoon.gz: OK
common-passwords.txt.gz: OK
Congress.gz: OK
cracklib-2.8.9.tar.gz: OK
cracklib-words.gz: FAILED
Domains.gz: OK
Dosref.gz: OK
etc-hosts.gz: OK
famous.gz: OK
fast-names.gz: OK
female-names.gz: OK
Ftpsites.gz: OK
Given-Names.gz: OK
Jargon.gz: OK
LCarrol.gz: OK
male-names.gz: OK
Movies.gz: OK
myths-legends.gz: OK
names.french.gz: OK
names.hp.gz: OK
other-names.gz: OK
Paradise.Lost.gz: OK
Python.gz: OK
sf.gz: OK
shakespeare.gz: OK
surnames.finnish.gz: OK
Trek.gz: OK

d18e670e5df560a8745e1b4dede8f84f  cracklib-words.gz from SOURCE1 URL
575a44add4db95b43c7abb46b307950f  /home/jspaleta/rpmbuild/SOURCES/cracklib-words.gz

+ mock build  as done by matt
http://linux.dell.com/files/fedora/FixBuildRequires/mock-results-core/i386/cracklib-2.8.9-8.src.rpm/result/
- buildrequires
removed gzip as exception provided by buildsys...fixed in specfile diff
+ shared libs exist and ldconfig is run in the correct script actions
+ not designed to be relocatable
+ no duplicates in the files section
+ file permissions look okay to me
- static libs are currently included in the -devel package.. 
this is a no no unless you have a good reason

+ docs section looks fine
- devel subpackage, includes .so and headerfiles... and a static .a which it
should not, unless it really really needs to.
+ no gui apps
+ no obvious duplicate file/directory ownership

BAD
*cracklib-words.gz included sources does NOT match upstream according to the
checksum. This is a little sticky, since the upstream file is not versioned nor
in a versioned directory. if upstream continues to update this file
its difficult to make a version comparison to some known state.

*pass-file.gz doesn't appear to have an upstream URL even though its listed as a
source, so there is no upstream to md5sum to check against.  If there is no
upstream for this file, this should be at least noted as a comment in the
specfile. I don't think this its super critical considering this is a dictionary
file and not the functional codebase itself... but it definitely should be noted
in the specfile that its an inhouse creation and why it was created.  This one I
can't fix in my specfile diff because I don't know why that file is there.

*gzip as a buildrequires, removed in specfile diff as a buildsys provided exception

* is there a compelling reason to include the static libcrack.a in the -devel
package? The guidelines frown very heavily on including static libraries, and
there needs to be a compelling reason to do so. Removed from the package in the
specfile diff

*cracklib-dicts needs cracklib because of the symlinks in /usr/sbin/
...fixed in specfile diff.

rpmlint log from dell
...reviewer comments inline

rpmlint on cracklib-2.8.9-8.i386.rpm
W: cracklib summary-ended-with-dot A password-checking library.
... fixed in specfile diff
E: cracklib tag-not-utf8 %changelog
... fixed in specfile diff
W: cracklib one-line-command-in-%trigger /sbin/ldconfig
... not sure about this one

rpmlint on cracklib-2.8.9-8.src.rpm
W: cracklib summary-ended-with-dot A password-checking library.
E: cracklib tag-not-utf8 %changelog
E: cracklib non-utf8-spec-file cracklib.spec
... fixed in specfile diff
W: cracklib mixed-use-of-spaces-and-tabs (spaces: line 102, tab: line 108)
... fixed in specfile diff

rpmlint on cracklib-devel-2.8.9-8.i386.rpm
W: cracklib-devel summary-ended-with-dot Development files needed for building
applications which use cracklib.
... fixed in diff
E: cracklib-devel tag-not-utf8 %changelog
W: cracklib-devel no-documentation
... bogus not important

rpmlint on cracklib-python-2.8.9-8.i386.rpm
W: cracklib-python summary-ended-with-dot Python bindings for applications which
use cracklib.
... fixed in diff
E: cracklib-python tag-not-utf8 %changelog
W: cracklib-python no-documentation

rpmlint on cracklib-dicts-2.8.9-8.i386.rpm
W: cracklib-dicts summary-ended-with-dot The standard CrackLib dictionaries.
... fixed in diff
E: cracklib-dicts tag-not-utf8 %changelog
E: cracklib-dicts only-non-binary-in-usr-lib
... bogus all the /usr/lib/ files are links back to /usr/share/
W: cracklib-dicts no-documentation
W: cracklib-dicts dangling-relative-symlink /usr/sbin/packer cracklib-packer
... bogus as long as cracklib is installed
W: cracklib-dicts dangling-relative-symlink /usr/sbin/mkdict cracklib-format
... bogus as long as cracklib is installed

Comment 2 Jef Spaleta 2007-02-11 11:21:10 UTC

Created attachment 147852 [details]
specfile diff which includes suggested fixes for merge review issues

Comment 3 Nalin Dahyabhai 2007-02-13 01:06:43 UTC

Thanks for the detailed review!

I don't have a good reason for leaving the static library in there, so it's
gone.  I've updated the cracklib-words.gz file and noted its retrieval time in
the .spec file, and noted that the pass-file.gz comes from bugzilla.  The
trigger script now specifies ldconfig as its interpreter, so it shouldn't need
the shell at that stage.  I think that's got it sorted, building 2.9-9 as a
candidate fix.

Please let me know if you (or anyone else reading this) spots anything I've missed.

Comment 4 Jason Tibbitts 2008-12-04 19:57:01 UTC

Wow, this one hasn't been touched for a while.  Jef, did you want to continue this review?

Comment 5 Jason Tibbitts 2009-01-15 02:18:31 UTC

Hmm, nothing from Jef.  I took a quick look, though, and while the spec looks very nice and clean, I do have a couple of comments.

Were this a new package that hadn't existed for approximately forever, I would complain about these files:
  /usr/include/crack.h
  /usr/include/packer.h
  /usr/sbin/mkdict
  /usr/sbin/packer
as being terribly generic.  However, if the first package in wins then this beats everything by default, and there's obviously no point in changing it now.

rpmlint does have a few complaints which can be essentially ignored:

  cracklib-devel.x86_64: W: no-documentation
  cracklib-dicts.x86_64: W: no-documentation
  cracklib-python.x86_64: W: no-documentation
True but not problematic.

  cracklib-dicts.x86_64: E: only-non-binary-in-usr-lib
This is true, but I don't really see a problem in what you're doing.  Does anything absolutely require those symlinks to be there?  If it didn't, you could conceivably make this subpackage noarch (once the buildsys support for that is finished).

  cracklib-dicts.x86_64: W: dangling-relative-symlink /usr/sbin/packer 
   cracklib-packer
  cracklib-dicts.x86_64: W: dangling-relative-symlink /usr/sbin/mkdict 
   cracklib-format
These are fine; the dependencies ensure that the symlinks aren't dangling.

  cracklib.x86_64: W: shared-lib-calls-exit /usr/lib64/libcrack.so.2.8.0 
   exit.5
This is kind of weird, and usually indicates a bug or thinko in the package, but isn't a packaging issue.

It also complains about a couple of things which could do with fixing:

  cracklib-dicts.x86_64: W: summary-ended-with-dot The standard CrackLib 
   dictionaries.
Terribly minor, but perhaps worth fixing if you're in the spec.

  cracklib.x86_64: E: binary-or-shlib-defines-rpath /usr/sbin/cracklib-unpacker 
   ['/usr/lib64']
  cracklib.x86_64: E: binary-or-shlib-defines-rpath /usr/sbin/cracklib-packer 
   ['/usr/lib64']
  cracklib.x86_64: E: binary-or-shlib-defines-rpath /usr/sbin/cracklib-check 
   ['/usr/lib64']
  cracklib-python.x86_64: E: binary-or-shlib-defines-rpath 
   /usr/lib64/python2.6/site-packages/_cracklibmodule.so ['/usr/lib64']
I don't know why these didn't turn up earlier.  Maybe libtool2 actually makes things worse?  In any case, the recommended hack of tweaking libtool didn't help, so I guess a call to chrpath is needed.

If the latter were fixed, I'd have no qualms about approving this.

Comment 6 Nalin Dahyabhai 2009-02-19 18:42:34 UTC

(In reply to comment #5)
>   cracklib-dicts.x86_64: E: only-non-binary-in-usr-lib
> This is true, but I don't really see a problem in what you're doing.  Does
> anything absolutely require those symlinks to be there?  If it didn't, you
> could conceivably make this subpackage noarch (once the buildsys support for
> that is finished).

The FascistCheck() function in the library takes an absolute path to the dictionaries to check, so there's an unknown number of packages out there that hard-code locations under /usr/lib /usr/lib64 (though, come to think of it, there could be some mistakenly referencing /usr/lib on 64-bit systems... ugh).

> It also complains about a couple of things which could do with fixing:
> 
>   cracklib-dicts.x86_64: W: summary-ended-with-dot The standard CrackLib 
>    dictionaries.
> Terribly minor, but perhaps worth fixing if you're in the spec.

Agreed, fixed.

>   cracklib.x86_64: E: binary-or-shlib-defines-rpath /usr/sbin/cracklib-unpacker 
>    ['/usr/lib64']
>   cracklib.x86_64: E: binary-or-shlib-defines-rpath /usr/sbin/cracklib-packer 
>    ['/usr/lib64']
>   cracklib.x86_64: E: binary-or-shlib-defines-rpath /usr/sbin/cracklib-check 
>    ['/usr/lib64']
>   cracklib-python.x86_64: E: binary-or-shlib-defines-rpath 
>    /usr/lib64/python2.6/site-packages/_cracklibmodule.so ['/usr/lib64']
> I don't know why these didn't turn up earlier.  Maybe libtool2 actually makes
> things worse?  In any case, the recommended hack of tweaking libtool didn't
> help, so I guess a call to chrpath is needed.

Weird indeed.  A local rebuild seems to keep cracklib-packer from being afflicted again, so I'm going to check in the summary change and throw it at the build system.
...
Hmm, looks good from here.

Comment 7 Jason Tibbitts 2009-02-19 19:04:32 UTC

I know there was a problem with libtool and rpath which has been fixed very recently (in 2.2.6-10) and indeed when I build this package now the rpath issue is gone.

So I'd say that everything looks good to me, and I'll twiddle the flags and close this out.

Note You need to log in before you can comment on or make changes to this bug.