Spec URL: https://download.copr.fedorainfracloud.org/results/psloboda/credcheck/fedora-rawhide-x86_64/08885864-credcheck/credcheck.spec SRPM URL: https://download.copr.fedorainfracloud.org/results/psloboda/credcheck/fedora-rawhide-x86_64/08885864-credcheck/credcheck-3.0-1.fc43.src.rpm Description: | The credcheck PostgreSQL extension provides few general credential checks, | which will be evaluated during the user creation, during the password change | and user renaming. By using this extension, we can define a set of rules: | | allow a specific set of credentials | reject a certain type of credentials | deny password that can be easily cracked | enforce use of an expiration date with a minimum of day for a password | define a password reuse policy | define the number of authentication failure allowed before a user is banned | | This extension provides all the checks as configurable parameters. | The default configuration settings, will not enforce any complex checks | and will try to allow most of the credentials. | By using SET credcheck.<check-name> TO <some value>; command, enforce new | settings for the credential checks. The settings can only be changed | by a superuser. Fedora Account System Username: psloboda
Copr build: https://copr.fedorainfracloud.org/coprs/build/8885943 (succeeded) Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2358822-credcheck/fedora-rawhide-x86_64/08885943-credcheck/fedora-review/review.txt Please take a look if any issues were found. --- This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.
The package has been uploaded to copr here: https://copr.fedorainfracloud.org/coprs/psloboda/credcheck/builds/ The package is also located on my github: https://github.com/PavolSloboda/credcheck_spec The package has been checked by the fedora-review tool: https://download.copr.fedorainfracloud.org/results/psloboda/credcheck/fedora-rawhide-x86_64/08885864-credcheck/fedora-review/review.txt - These are update files provided by the upstream they contain code to be able to upgrade from the version specified in the file name to the version specified in the file name, if the versions contain the same code the files are empty. | credcheck.x86_64: E: zero-length /usr/share/credcheck/credcheck--0.1.0--0.1.1.sql | credcheck.x86_64: E: zero-length /usr/share/credcheck/credcheck--0.1.1--0.2.0.sql | credcheck.x86_64: E: zero-length /usr/share/credcheck/credcheck--1.0.0--1.1.0.sql | credcheck.x86_64: E: zero-length /usr/share/credcheck/credcheck--1.1.0--1.2.0.sql - The spec file contains no %check section because the package requires a working postgresql database to be used and therefore to be tested. | credcheck.spec: W: no-%check-section - These are update files as mentioned above, if the update uses the same code as another one the file contents will be identical. | credcheck.x86_64: W: files-duplicate /usr/share/credcheck/credcheck--2.2.0--2.3.0.sql /usr/share/credcheck/credcheck--2.0.0--2.1.0.sql:/usr/share/credcheck/credcheck--2.1.0--2.2.0.sql | credcheck.x86_64: W: files-duplicate /usr/share/credcheck/credcheck--2.7.0--2.8.0.sql /usr/share/credcheck/credcheck--2.3.0--2.4.0.sql:/usr/share/credcheck/credcheck--2.4.0--2.5.0.sql:/usr/share/credcheck/credcheck--2.5.0--2.6.0.sql:/usr/share/credcheck/credcheck--2.6.0--2.7.0.sql - These are caused by the %selinux_modules_uninstall and %selinux_modules_install macros respectively. | credcheck.x86_64: W: dangerous-command-in-%postun rm | credcheck.x86_64: W: dangerous-command-in-%post rm
I'll take this as a reviewer
===== MUST items ===== C/C++: [x]: Package does not contain kernel modules. [x]: Development (unversioned) .so files in -devel subpackage, if present. Note: Unversioned so-files in private %_libdir subdirectory (see attachment). Verify they are not in ld path. [x]: If your application is a C or C++ application you must list a BuildRequires against gcc, gcc-c++ or clang. [x]: Package does not contain any libtool archives (.la) [x]: Package contains no static executables. [x]: Rpath absent or only used for internal libs. Generic: [x]: Package successfully compiles and builds into binary rpms on at least one supported primary architecture. Note: Using prebuilt packages [x]: Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines. [x]: License field in the package spec file matches the actual license. Note: Checking patched sources after %prep for licenses. Licenses found: "Unknown or generated", "PostgreSQL License". 43 files have unknown license. Detailed output of licensecheck in /var/lib/copr- rpmbuild/results/credcheck/licensecheck.txt [x]: %build honors applicable compiler flags or justifies otherwise. [x]: Package contains no bundled libraries without FPC exception. [x]: Changelog in prescribed format. [x]: Sources contain only permissible code or content. [-]: Package contains desktop file if it is a GUI application. [-]: Development files must be in a -devel package [x]: Package uses nothing in %doc for runtime. [x]: Package consistently uses macros (instead of hard-coded directory names). [x]: Package is named according to the Package Naming Guidelines. [x]: Package does not generate any conflict. [x]: Package obeys FHS, except libexecdir and /usr/target. [-]: If the package is a rename of another package, proper Obsoletes and Provides are present. [x]: Requires correct, justified where necessary. [x]: Spec file is legible and written in American English. [-]: Package contains systemd file(s) if in need. [x]: Useful -debuginfo package or justification otherwise. [x]: Package is not known to require an ExcludeArch tag. [-]: Large documentation must go in a -doc subpackage. Large could be size (~1MB) or number of files. Note: Documentation size is 24701 bytes in 1 files. [x]: Package complies to the Packaging Guidelines [x]: Package installs properly. [x]: Rpmlint is run on all rpms the build produces. Note: There are rpmlint messages (see attachment). [x]: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %license. [x]: The License field must be a valid SPDX expression. [x]: Package requires other packages for directories it uses. [x]: Package must own all directories that it creates. [x]: Package does not own files or directories owned by other packages. [x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT [x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install. [x]: Macros in Summary, %description expandable at SRPM build time. [x]: Dist tag is present. [x]: Package does not contain duplicates in %files. [x]: Permissions on files are set properly. [x]: Package must not depend on deprecated() packages. [x]: Package use %makeinstall only when make install DESTDIR=... doesn't work. [x]: Package is named using only allowed ASCII characters. [x]: Package does not use a name that already exists. [x]: Package is not relocatable. [x]: Sources used to build the package match the upstream source, as provided in the spec URL. [x]: Spec file name must match the spec package %{name}, in the format %{name}.spec. [x]: File names are valid UTF-8. [x]: Packages must not store files under /srv, /opt or /usr/local ===== SHOULD items ===== Generic: [x]: Reviewer should test that the package builds in mock. [-]: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it. [x]: Final provides and requires are sane (see attachments). [x]: Package functions as described. [x]: Latest version is packaged. [x]: Package does not include license text files separate from upstream. [!]: Patches link to upstream bugs/comments/lists or are otherwise justified. [-]: Sources are verified with gpgverify first in %prep if upstream publishes signatures. Note: gpgverify is not used. [x]: Package should compile and build into binary rpms on all supported architectures. [!]: %check is present and all tests pass. [x]: Packages should try to preserve timestamps of original installed files. [x]: Buildroot is not present [x]: Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT) [x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin. [x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file [x]: Sources can be downloaded from URI in Source: tag [x]: SourceX is a working URL. [x]: Spec use %global instead of %define unless justified. ### My notes > - The spec file contains no %check section because the package requires a working postgresql database to be used and therefore to be tested. This can be achieved using the `postgresql-test-rpm-macros` subpackage [1] similarly e.g., package postgis is testing itself [2] (look for the "runselftest"). Question: Is there a reason why you're using conditions like `%if %{deny_easy_pass} == 1` instead of `%if %{without deny_easy_pass}` (%bcond_without deny_easy_pass)? TIP: The %global (%bcond if you choose to follow the standard) variables are defined at the start of the specfile (in your case the "%global deny_easy_pass 1"). Also, I'm not sure what this macro means. It's good practice to explain it in comments above the variable so other contributors to the package know exactly what it is used for. TIP2: Maybe you could use the %autosetup macro [3]. It makes the package easier to maintain. You can move the condition to the `Patch0` itself. TIP3: Since %post and %postun are both conditioned, you can wrap it into one condition. > Source1: %{name}.te Please provide comments on what this is and why it is needed. If it has been taken from some other package/project, link it there. > Patch0: enable_cracklib.patch Same as per Source1 > %{_datadir}/selinux/packages/targeted/%{name}.pp > %dir %{_datadir}/selinux > %dir %{_datadir}/selinux/packages > %dir %{_datadir}/selinux/packages/targeted These files should be placed in the `%{_datadir}/%{name}` directory so it doesn't conflict with anything that could use this directory. [1] https://src.fedoraproject.org/rpms/postgresql16/blob/rawhide/f/postgresql16.spec#_351 [2] https://src.fedoraproject.org/rpms/postgis/blob/rawhide/f/postgis.spec#_323 [3] https://docs.fedoraproject.org/en-US/packaging-guidelines/#_autosetup Once you resolve these issues please set needinfo to me, so we can proceed.
Spec URL: https://download.copr.fedorainfracloud.org/results/psloboda/credcheck/fedora-rawhide-x86_64/08904865-credcheck/credcheck.spec SRPM URL: https://download.copr.fedorainfracloud.org/results/psloboda/credcheck/fedora-rawhide-x86_64/08904865-credcheck/credcheck-3.0-1.fc43.src.rpm > This can be achieved using the `postgresql-test-rpm-macros` subpackage [1] similarly e.g., package postgis is testing itself [2] (look for the "runselftest"). I have looked into the package and tried the provided method but the credcheck package does not provide the make check directive an the regress tests needed to run that directive, only the make installcheck directive which can be ran only after the installation finishes. Implementation of the regress tests would require the rewrite of the test suite and another patch to the makefile to accommodate them. > Question: Is there a reason why you're using conditions like `%if %{deny_easy_pass} == 1` instead of `%if %{without deny_easy_pass}` (%bcond_without deny_easy_pass)? Thank you, I have looked into it and changed the conditions to more suitable ones. As for the other tips and comments, I have changed the spec file to accommodate them. Thank you for the tips.
Created attachment 2085028 [details] The .spec file difference from Copr build 8885943 to 8904962
Copr build: https://copr.fedorainfracloud.org/coprs/build/8904962 (succeeded) Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2358822-credcheck/fedora-rawhide-x86_64/08904962-credcheck/fedora-review/review.txt Please take a look if any issues were found. --- This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.
> cp %{SOURCE1} %{buildroot}%{_datadir} You should preserve the original timestamp. See https://docs.fedoraproject.org/en-US/packaging-guidelines/#_timestamps I recommend using `cp -a` or `cp -p`. The selinux part should be improved. You do not have `Requires` and you do not relabel files that changed context. I wanted to point you to relevant documentation, but to my surprise there is none. But you can get inspiration from other packages: https://src.fedoraproject.org/rpms/incus/blob/rawhide/f/incus.spec https://src.fedoraproject.org/rpms/dnsconfd/blob/rawhide/f/dnsconfd.spec (randomly selected) As you are not packager yet, you should follow https://docs.fedoraproject.org/en-US/package-maintainers/Package_Review_Process/#review_process and your first review should block FE-NEEDSPONSOR tracking bug. (I done this for you now).
I find that the documentation of selinux packaging is WIP (for 7 years) https://pagure.io/packaging-committee/issue/726
Spec URL: https://download.copr.fedorainfracloud.org/results/psloboda/credcheck/fedora-rawhide-x86_64/08906127-credcheck/credcheck.spec SRPM ULR: https://download.copr.fedorainfracloud.org/results/psloboda/credcheck/fedora-rawhide-x86_64/08906127-credcheck/credcheck-3.0-1.fc43.src.rpm > You should preserve the original timestamp. See https://docs.fedoraproject.org/en-US/packaging-guidelines/#_timestamps I recommend using `cp -a` or `cp -p`. > The selinux part should be improved. You do not have `Requires` and you do not relabel files that changed context. I wanted to point you to relevant documentation, but to my surprise there is none. Thank you, I fixed it in this version. > As you are not packager yet, you should follow https://docs.fedoraproject.org/en-US/package-maintainers/Package_Review_Process/#review_process and your first review should block FE-NEEDSPONSOR tracking bug. (I done this for you now). Thanks, didn't notice it there.
Created attachment 2085063 [details] The .spec file difference from Copr build 8904962 to 8906182
Copr build: https://copr.fedorainfracloud.org/coprs/build/8906182 (succeeded) Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2358822-credcheck/fedora-rawhide-x86_64/08906182-credcheck/fedora-review/review.txt Please take a look if any issues were found. --- This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.
> As you are not packager yet, you should follow https://docs.fedoraproject.org/en-US/package-maintainers/Package_Review_Process/#review_process and your first review should block FE-NEEDSPONSOR tracking bug. (I done this for you now). Actually, you don't need to do that anymore (take a look at the pgbadger package review process [1]). The automation creates a Pagure ticket when it recognizes that this is Pavol's first Fedora package once the review is done. Maybe we should remove it from the documentation you've linked Mirek. [1] https://bugzilla.redhat.com/show_bug.cgi?id=2345173#c16
Could you please move the SELinux-related stuff to the dedicated subpackage like mentioned in [1] [1] https://fedoraproject.org/wiki/SELinux/IndependentPolicy#Adding_dependency_to_the_spec_file_of_corresponding_package
Spec URL: https://download.copr.fedorainfracloud.org/results/psloboda/credcheck/fedora-rawhide-x86_64/08910533-credcheck/credcheck.spec SRPM URL: https://download.copr.fedorainfracloud.org/results/psloboda/credcheck/fedora-rawhide-x86_64/08910533-credcheck/credcheck-3.0-1.fc43.src.rpm > Could you please move the SELinux-related stuff to the dedicated subpackage like mentioned in [1] > [1] https://fedoraproject.org/wiki/SELinux/IndependentPolicy#Adding_dependency_to_the_spec_file_of_corresponding_package Fixed in the newest build.
Created attachment 2085172 [details] The .spec file difference from Copr build 8906182 to 8910577
Copr build: https://copr.fedorainfracloud.org/coprs/build/8910577 (succeeded) Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2358822-credcheck/fedora-rawhide-x86_64/08910577-credcheck/fedora-review/review.txt Please take a look if any issues were found. --- This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.
Spec URL: https://download.copr.fedorainfracloud.org/results/psloboda/credcheck/fedora-rawhide-x86_64/08914174-credcheck/credcheck.spec SRPM URL: https://download.copr.fedorainfracloud.org/results/psloboda/credcheck/fedora-rawhide-x86_64/08914174-credcheck/credcheck-3.0-1.fc43.src.rpm Fixed a typo and added a Requires of the main package to the SELinux subpackage
Created attachment 2085412 [details] The .spec file difference from Copr build 8910577 to 8914224
Copr build: https://copr.fedorainfracloud.org/coprs/build/8914224 (succeeded) Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2358822-credcheck/fedora-rawhide-x86_64/08914224-credcheck/fedora-review/review.txt Please take a look if any issues were found. --- This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.
Nitpick: the description of the SELinux subpackage is missing a dot at the end of the last sentence.
Spec URL: https://download.copr.fedorainfracloud.org/results/psloboda/credcheck/fedora-rawhide-x86_64/08914557-credcheck/credcheck.spec SRPM URL: https://download.copr.fedorainfracloud.org/results/psloboda/credcheck/fedora-rawhide-x86_64/08914557-credcheck/credcheck-3.0-1.fc43.src.rpm > Nitpick: the description of the SELinux subpackage is missing a dot at the end of the last sentence. Added the missing dot at the end of the description.
Created attachment 2085420 [details] The .spec file difference from Copr build 8914224 to 8914601
Copr build: https://copr.fedorainfracloud.org/coprs/build/8914601 (succeeded) Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2358822-credcheck/fedora-rawhide-x86_64/08914601-credcheck/fedora-review/review.txt Please take a look if any issues were found. --- This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.
Spec URL: https://download.copr.fedorainfracloud.org/results/psloboda/credcheck/fedora-rawhide-x86_64/08914769-credcheck/credcheck.spec SRPM URL: https://download.copr.fedorainfracloud.org/results/psloboda/credcheck/fedora-rawhide-x86_64/08914769-credcheck/credcheck-3.0-1.fc43.src.rpm Migrated from the .te format of rules to the .cil format of rules to make them more portable and to avoid the [!]: Uses parallel make %{?_smp_mflags} macro. warning during build.
Created attachment 2085428 [details] The .spec file difference from Copr build 8914601 to 8914788
Copr build: https://copr.fedorainfracloud.org/coprs/build/8914788 (succeeded) Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2358822-credcheck/fedora-rawhide-x86_64/08914788-credcheck/fedora-review/review.txt Please take a look if any issues were found. --- This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.
Spec URL: https://download.copr.fedorainfracloud.org/results/psloboda/credcheck/fedora-rawhide-x86_64/08914872-credcheck/credcheck.spec SRPM URL: https://download.copr.fedorainfracloud.org/results/psloboda/credcheck/fedora-rawhide-x86_64/08914872-credcheck/credcheck-3.0-1.fc43.src.rpm Removed the unnecessary %pre selinux and %posttrans selinux sections which were made obsolete by the switch to cil and got rid of the unnecessary selinux dir in %build by installing straight from %{SOURCE1}.
Created attachment 2085430 [details] The .spec file difference from Copr build 8914788 to 8914886
Copr build: https://copr.fedorainfracloud.org/coprs/build/8914886 (succeeded) Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2358822-credcheck/fedora-rawhide-x86_64/08914886-credcheck/fedora-review/review.txt Please take a look if any issues were found. --- This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.
After a conversation with the SELinux team, the implementation of the policies looks good. Also, it applies after installing and is removed after uninstalling the package. This package is now ready to be introduced to Fedora.
Hello @psloboda, since this is your first Fedora package, you need to get sponsored by a package sponsor before it can be accepted. A sponsor is an experienced package maintainer who will guide you through the processes that you will follow and the tools that you will use as a future maintainer. A sponsor will also be there to answer your questions related to packaging. You can find all active sponsors here: https://docs.pagure.org/fedora-sponsors/ I created a sponsorship request for you: https://pagure.io/packager-sponsors/issue/715 Please take a look and make sure the information is correct. Thank you, and best of luck on your packaging journey. --- This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service
Spec URL: https://download.copr.fedorainfracloud.org/results/psloboda/credcheck/fedora-rawhide-x86_64/08951323-credcheck/credcheck.spec SRPM URL: https://download.copr.fedorainfracloud.org/results/psloboda/credcheck/fedora-rawhide-x86_64/08951323-credcheck/credcheck-3.0-1.fc43.src.rpm Added the Recommends of the main package into the selinux subpackage for easier identification of relationships between these packages should only the second package be installed. Also added the BuildRequires of selinux-policy-%{selinuxtype} into the selinux subpackage to ensure the correct expansion of the selinux_modules_install and selinux_modules_uninstall macros in the selinux subpackage.
The Pagure repository was created at https://src.fedoraproject.org/rpms/credcheck