Bug 230262 - Review Request: jss - Java Security Services (JSS)
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Dennis Gilmore
QA Contact: Fedora Package Reviews List
Reported: 2007-02-27 15:57 EST by Rob Crittenden
Modified: 2009-11-03 16:55 EST
Last Closed: 2007-06-04 13:44:30 EDT
dennis: fedora‑review+
kevin: fedora‑cvs+


Description Rob Crittenden 2007-02-27 15:57:31 EST
Spec URL: http://directory.fedora.redhat.com/built/rpm_review/rcritten/jss.spec
SRPM URL: http://directory.fedora.redhat.com/built/rpm_review/rcritten/jss-4.2.4-1.src.rpm
Description: 

Java Security Services (JSS) is a java native interface which provides a bridge
for java-based applications to use native Network Security Services (NSS).

NOTE: JSS is a JCE-provider and needs to be signed in order to perform certain operations. Even though gcj doesn't enforce the signing requirement many of the JSS self-tests fail miserably, presumably due to deficiencies in gcj.

The reason for requiring signing is to provide a level of confidence that the implemented provider you are using to perform your crypto operation is trusted.

http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CertForm.txt

"Only CSPs signed by a trusted entity can be plugged into the JCE framework."

So the bottom line is that this JSS will work for some operations (like SSL client and server) but not for key generation and signing.
Comment 1 Anthony Green 2007-03-15 13:34:06 EDT
The C compiler should be invoked with $RPM_OPT_FLAGS (obviously in addition to
whatever other flags this package requires).


I'm seeing lots of errors during the build, although I do get a valid RPM in the
end.  The errors all look something like this...

cd org; make export
make[1]: Entering directory
`/usr/src/redhat/BUILD/jss-4.2.4/mozilla/security/jss/org'
syntax error at -e line 3, near "while"
syntax error at -e line 7, near "}"
Execution of -e aborted due to compilation errors.
cd mozilla; make export
make[2]: Entering directory
`/usr/src/redhat/BUILD/jss-4.2.4/mozilla/security/jss/org/mozilla'
syntax error at -e line 3, near "while"
syntax error at -e line 7, near "}"
Execution of -e aborted due to compilation errors.


How do I run the JSS self-tests?

Comment 2 Rob Crittenden 2007-03-15 15:09:53 EDT
The errors are in the upstream source. They are related to dependency finding so
they don't affect the build.

The JSS self-tests expect that NSS and NSPR have been built along with JSS so
you have to do a small amount of hacking to get around it. You can run the tests
after the make is done in the %build step by adding this:

mkdir mozilla/tests_results
perl -pi -e "s:\\\$nss_lib_dir   = \\\"\\\$dist_dir/lib\\\":\\\$nss_lib_dir   = \\\"%{_libdir}\\\":" mozilla/security/jss/org/mozilla/jss/tests/all.pl
perl mozilla/security/jss/org/mozilla/jss/tests/all.pl dist mozilla/dist/*.OBJ

Ugly but it works.

Added RPM_OPT_FLAGS so they are picked up. I did not add the above to the spec.

Spec URL: http://directory.fedora.redhat.com/built/rpm_review/rcritten/jss.spec
SRPM URL: http://directory.fedora.redhat.com/built/rpm_review/rcritten/jss-4.2.4-2.src.rpm
Comment 3 Andrew Bartlett 2007-05-09 23:00:23 EDT
Looking over http://fedoraproject.org/wiki/Packaging/ReviewGuidelines I see a
few things:

The licence versions should be spelled out more clearly.

rpmlint passes with no errors

The Source0 should be a full URL

I'll look at more later, but for now it compiles (with a disturbing number of
warnings) on FC5.
Comment 4 Warren Togami 2007-05-09 23:11:54 EDT
As discussed in the past, it may be impossible to ship this in Fedora or RHEL
signed because that is in conflict with our licenses and guarantees of
reproducibility.  The resulting software would not be "Free".
Comment 5 Rob Crittenden 2007-05-10 09:38:47 EDT
As discussed we will ship an unsigned jar in Fedora. This is adequate for use in
an SSL context but it will fail as a JCE provider.

The license is the Mozilla tri-license. I used the same license string as the
existing NSS and NSPR packages (MPL/GPL/LGPL)

There is no tar file that I could find so I updated the spec to include
instructions on pulling it from CVS.

I also added some information on why the jar can't be signed.

Spec URL: http://directory.fedora.redhat.com/built/rpm_review/rcritten/jss.spec
SRPM URL: http://directory.fedora.redhat.com/built/rpm_review/rcritten/jss-4.2.4-3.src.rpm
Comment 6 Andrew Bartlett 2007-05-10 21:04:55 EDT
The comment in the spec file about the unsigned JAR should indicate that this
optional extra step is only required for proprietary JREs.

Walking down the checklist again:

Shouldn't this package run ldconfig, as it places a file in ${_libdir}?
If not (is this library only ever dlopen()ed?), perhaps this should be
documented in the spec file?
Comment 7 Rob Crittenden 2007-05-14 09:50:13 EDT
These were both already mentioned in the spec but I made them more explicit.

Spec URL: http://directory.fedora.redhat.com/built/rpm_review/rcritten/jss.spec
SRPM URL: http://directory.fedora.redhat.com/built/rpm_review/rcritten/jss-4.2.4-4.src.rpm
Comment 8 Warren Togami 2007-05-14 14:18:24 EDT
Further Clarification regarding signing of JSS JARs.

Due to Fedora's reproducibility requirements, we are unable to ship signed JARs
in Fedora as it would no longer be reproducible FOSS.  Software shipped within
Fedora does not need JSS to be signed, so we are OK in this regard.  If 3rd party
software requires a signed JSS JAR, then another copy would need to be packaged
and distributed by that third party.  That 3rd party JSS jar should be capable
of installation in parallel with the Fedora JSS without conflicting.
Comment 9 Rob Crittenden 2007-05-14 14:24:09 EDT
A signed package is really a super-set of this one so I think a properly signed
version could Obsolete this one rather than installing in parallel.
Comment 10 Warren Togami 2007-05-14 14:46:38 EDT
How about deciding upon exactly how a proper signed package would replace this
package now?

Theoretical Packages
====================
jss-4.2.9-7.el6
    JSS for RHEL6 unsigned
jss-4.2.9-7.el6.SIGNED
    Same thing, except with SIGNED appended to end of the Release tag.  This
    would "win" rpmvercmp and replace the unsigned version.  This package has an
    additional virtual provides.

Provides: jss(SIGNED)

That way other packages that require jss(SIGNED) can Require it by name.
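
The ordering that comment 10 relies on, as an added example that is not part of the review thread or of rpm itself: a Python sketch of the classic rpmvercmp segment comparison, applied to the two theoretical package names above. The function names are hypothetical; epochs and the tilde/caret ordering of newer rpm releases are left out, and the 8.el6 build is a constructed value.

```python
import re

# A segment is a maximal run of digits or of ASCII letters; anything else separates.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Return 1, 0 or -1 when a is newer than, equal to, or older than b."""
    if a == b:
        return 0
    segs_a, segs_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for sa, sb in zip(segs_a, segs_b):
        if sa.isdigit() != sb.isdigit():
            # A numeric segment always beats an alphabetic one.
            return 1 if sa.isdigit() else -1
        if sa.isdigit():
            # Numbers compare by value: drop leading zeros, longer is larger.
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    # Shared segments are equal: the string with segments left over is newer.
    return (len(segs_a) > len(segs_b)) - (len(segs_a) < len(segs_b))


def compare_builds(a, b):
    """Order two 'version-release' strings (epoch omitted for brevity)."""
    ver_a, rel_a = a.rsplit("-", 1)
    ver_b, rel_b = b.rsplit("-", 1)
    return rpmvercmp(ver_a, ver_b) or rpmvercmp(rel_a, rel_b)


if __name__ == "__main__":
    unsigned = "4.2.9-7.el6"        # from the comment above
    signed = "4.2.9-7.el6.SIGNED"   # from the comment above
    rebuilt = "4.2.9-8.el6"         # constructed: a later unsigned rebuild
    print(compare_builds(signed, unsigned))
    print(compare_builds(rebuilt, signed))
```

The SIGNED suffix only outranks the unsigned build with the same release number; a later unsigned rebuild such as the constructed 8.el6 sorts above 7.el6.SIGNED, which is where the jss(SIGNED) virtual provide matters for packages that need the signed jar.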
Comment 11 Rob Crittenden 2007-05-14 15:28:59 EDT
I like it.
Comment 12 Margaret Lum 2007-05-15 00:49:24 EDT
New Package CVS Request
=======================
Package Name: jss
Short Description: Java Security Services (JSS) is a java native interface which
provides a bridge for java-based applications to use native Network Security
Services (NSS).
Owners: rcritten@redhat.com,mlum@redhat.com
Branches: FC-6 FC-7
InitialCC:
nkwan@redhat.com,richm@redhat.com,nkinder@redhat.com,mharmsen@redhat.com,sparkins@redhat.com

Comment 13 Dennis Gilmore 2007-05-15 08:38:50 EDT
The package needs review and approval first. mlum, please do not request cvs
before the package is approved.
Comment 14 Rich Megginson 2007-05-15 21:57:01 EDT
I think we need to have a LICENSE file in the rpm e.g.
%doc LICENSE
Other than that, it's good to go.
Comment 15 Warren Togami 2007-05-15 23:31:32 EDT
You didn't set fedora-cvs to ?, but judging by the above comments and
fedora-review set to +, I'm following through with your CVS request.

Comment 16 Dennis Gilmore 2007-05-16 00:02:31 EDT
I found some small issues with the review I started on it.

As Rich says, the LICENSE file should be included.

Requires:       nss >= 3.11.4
Requires:       nspr >= 4.6.4
are not needed; rpm detects the Requires itself.

Requires: java libc.so.6()(64bit) libc.so.6(GLIBC_2.2.5)(64bit)
libc.so.6(GLIBC_2.3.4)(64bit) libc.so.6(GLIBC_2.4)(64bit) libdl.so.2()(64bit)
libnspr4.so()(64bit) libnss3.so()(64bit) libnss3.so(NSS_3.10.2)(64bit)
libnss3.so(NSS_3.2)(64bit) libnss3.so(NSS_3.3)(64bit) libnss3.so(NSS_3.4)(64bit)
libnss3.so(NSS_3.5)(64bit) libnss3.so(NSS_3.6)(64bit) libplc4.so()(64bit)
libplds4.so()(64bit) libpthread.so.0()(64bit) libsmime3.so()(64bit)
libsmime3.so(NSS_3.2)(64bit) libsmime3.so(NSS_3.3)(64bit) libssl3.so()(64bit)
libssl3.so(NSS_3.2)(64bit) nspr >= 4.6.4 nss >= 3.11.4 rtld(GNU_HASH)

Builds in mock on devel x86_64.
rpmlint is quiet.
I would like to see sparc64 added to the %ifarch x86_64 ppc64 ia64 s390x line.

Fix these small issues and I'll approve jss.
Comment 17 Rob Crittenden 2007-05-16 09:07:23 EDT
The Requires: are there because we need a minimum level of NSS and NSPR, not
just any old version.

I included the 3 license files and added sparc64. If the current Requires line
is ok I'll upload a fixed spec and srpm.
Comment 18 Rob Crittenden 2007-05-16 22:00:41 EDT
NSS has versioned symbols so the minimum version is set when something is built
against it so Dennis is right, we don't need Requires.

Spec URL: http://directory.fedora.redhat.com/built/rpm_review/rcritten/jss.spec
SRPM URL: http://directory.fedora.redhat.com/built/rpm_review/rcritten/jss-4.2.4-5.src.rpm
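
What the automatic dependencies discussed in comments 16 to 18 pin for each library, as an added example that is not part of the review thread or the jss package: a Python parser for the versioned capabilities in the Requires list from comment 16 that reports the newest symbol-version tag required per soname. The function name is hypothetical and the input is transcribed from that comment, one capability per line.

```python
import re

# Versioned capabilities transcribed from the Requires list in comment 16,
# one per line, plus two unversioned entries to show they are ignored.
AUTO_REQUIRES = """\
libc.so.6(GLIBC_2.2.5)(64bit)
libc.so.6(GLIBC_2.3.4)(64bit)
libc.so.6(GLIBC_2.4)(64bit)
libnss3.so()(64bit)
libnss3.so(NSS_3.10.2)(64bit)
libnss3.so(NSS_3.2)(64bit)
libnss3.so(NSS_3.3)(64bit)
libnss3.so(NSS_3.4)(64bit)
libnss3.so(NSS_3.5)(64bit)
libnss3.so(NSS_3.6)(64bit)
libsmime3.so(NSS_3.2)(64bit)
libsmime3.so(NSS_3.3)(64bit)
libssl3.so(NSS_3.2)(64bit)
rtld(GNU_HASH)
"""

# soname(TAG_x.y.z): capture the library, the full tag and its dotted number.
_CAP = re.compile(r"^(\S+?\.so(?:\.\d+)*)\(([A-Za-z]+_(\d+(?:\.\d+)*))\)")


def symbol_floor(requires_text):
    """Return {soname: newest symbol-version tag the package depends on}."""
    newest = {}
    for line in requires_text.splitlines():
        m = _CAP.match(line.strip())
        if m is None:
            continue  # unversioned soname, package name, or rtld feature
        soname, tag, number = m.groups()
        key = tuple(int(part) for part in number.split("."))
        if soname not in newest or key > newest[soname][0]:
            newest[soname] = (key, tag)
    return {soname: tag for soname, (key, tag) in newest.items()}


if __name__ == "__main__":
    for soname, tag in sorted(symbol_floor(AUTO_REQUIRES).items()):
        print(f"{soname}: needs at least {tag}")
```

Each tag is satisfied by any installed library that exports it, so the floor enforced is the newest tag the binary actually references.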
Comment 19 Dennis Gilmore 2007-05-16 23:24:57 EDT
Issues fixed. I approve JSS.
Comment 20 Margaret Lum 2007-05-16 23:56:08 EDT
New Package CVS Request
=======================
Package Name: jss
Short Description: Java Security Services (JSS) is a java native interface which
provides a bridge for java-based applications to use native Network Security
Services (NSS).
Owners: rcritten@redhat.com,mlum@redhat.com
Branches: FC-6 FC-7 (IIRC, there is a branch for FC-7 on 5/17?)
InitialCC:
nkwan@redhat.com,richm@redhat.com,nkinder@redhat.com,mharmsen@redhat.com,sparkins@redhat.com

Comment 21 Dennis Gilmore 2007-05-17 00:17:37 EDT
cvs done
Comment 22 Rob Crittenden 2007-05-22 09:31:15 EDT
Package Change Request
======================
Package Name: jss
New Branches: FC-7

This package was approved during the FC-7 freeze and a build had not been done
in devel. When the branch and tagging happened no FC-7 branch was created, I
presume because it hadn't been built yet. So it essentially has skipped FC-7 and
has just FC-6 and FC-8 tags.
Comment 23 Jens Petersen 2007-05-26 23:27:44 EDT
The Fedora 7 branch is called F-7

Branch added.
Comment 24 Michael Stahnke 2009-11-03 15:55:33 EST
New Package CVS Request
=======================
Package Name: jss
Short Description: Java Security Services (JSS) is a java native interface which
provides a bridge for java-based applications to use native Network Security
Services (NSS).
Owners: stahnma
Branches: EL4 EL5
Comment 25 Kevin Fenzi 2009-11-03 16:55:14 EST
cvs done.
