Bug 458643 - Review Request: dansguardian - Content filtering web proxy
Summary: Review Request: dansguardian - Content filtering web proxy
Status: CLOSED DUPLICATE of bug 500013
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Felix Kaechele
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2008-08-11 10:10 UTC by Bernie Innocenti
Modified: 2009-07-15 10:26 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-05-10 07:29:34 UTC
Type: ---

Attachments (Terms of Use)
GCC 4.4 Fix (488 bytes, patch)
2009-03-08 21:47 UTC, Felix Kaechele
no flags Details | Diff

Description Bernie Innocenti 2008-08-11 10:10:08 UTC
Spec URL: http://www.codewiz.org/pub/fedora/pkgs/dansguardian.spec
SRPM URL: http://www.codewiz.org/pub/fedora/pkgs/dansguardian-
DansGuardian is a web filtering engine that checks the content within
the page itself in addition to the more traditional URL filtering.

DansGuardian is a content filtering proxy. It filters using multiple methods,
including URL and domain filtering, content phrase filtering, PICS filtering,
MIME filtering, file extension filtering, POST filtering.

Comment 1 Jason Tibbitts 2008-08-11 11:50:50 UTC
Please note that there are some who believe this software to be unacceptable for Fedora due to the distribution restrictions of the upstream website http://dansguardian.org/?page=download:

Before downloading, please read the copyright for DansGuardian 2. DansGuardian is not free to download from this website for commercial use. 

I happen to not be one of them, but either way this should be commented on by either the legal folks or perhaps the board.  Blocking FE-Legal.

Comment 2 Bernie Innocenti 2008-08-12 05:52:25 UTC
(In reply to comment #1)
> "
> Before downloading, please read the copyright for DansGuardian 2. DansGuardian
> is not free to download from this website for commercial use. 
> "

Yeah I have seen this notice too.  It's such a funny and naive business model :-)

I also don't think it affects people obtaining the source and binary from me or from Fedora, but let's wait for legal's opinion.

Comment 3 Jason Tibbitts 2008-08-12 12:41:30 UTC
Well, the argument I saw on IRC (which is not my argument, so please don't ask me to defend it) is that people who obtain this package from Fedora may not be able to obtain the upstream source under the same terms as Fedora.  In other words, you may not legally be able to take the spec, run spectool -g and build your own package.  It's an interesting argument but I'm not sure it applies since Fedora itself is entitled to all of the usual software freedoms which are required (modification and redistribution are permitted, obviously since the source is GPL).

Comment 4 Michel Alexandre Salim 2008-08-26 21:41:40 UTC
What if the spec that Fedora ships does *not* contain the full URL to the source tarball? Put the full URL under a comment, noting that access to that URL is restricted to non-commercial use.

Since Fedora is a non-commercial project, the Fedora maintainer's downloading of the source from upstream is legit. But let's wait and see what -legal says about this.

Comment 5 Gwyn Ciesla 2008-09-09 16:56:45 UTC
We just ran into this with UQM.  If the license is non-commercial only, it's too restrictive and cannot by included in Fedora.

Comment 6 Jason Tibbitts 2008-09-09 17:12:20 UTC
The license isn't non-commercial only; I'm not sure where that impression would come from.  It's GPL; the upstream website is simply restrictive about who they distribute it to, but they impose no redistribution restrictions on us.

Comment 7 Gwyn Ciesla 2008-09-09 17:21:50 UTC
Is not redistribution with a distro, for which money occasionally changes hands, not commercial use?

What about if this were to make it in to RHEL?

Very curious to see legal's response.

Comment 8 Tom "spot" Callaway 2008-10-09 19:42:06 UTC
Okay, so I tried to reach Daniel Barron, but was unsucessful.

Based on that, RH Legal advises us to do this:

Get rid of the initial sentence in the license header (in every place that it appears in the source):

   //Please refer to http://dansguardian.org/?page=copyright2
   //for the license for this code.

Replace it with this:

   //Copyright (C) Daniel Barron.

You can do this in a patch, you do not need to make a modified tarball.

Mark the package as GPLv2+, because that is what we will be distributing under.

Lifting FE-Legal.

Comment 9 Felix Kaechele 2008-10-22 08:50:14 UTC
Are you still interested in maintaining this? I use this on a regular basis at my school.
I would like to take over the maintenance for this package if you aren't interested anymore.

Comment 10 Pavel Lisý 2008-11-15 18:20:01 UTC
What is actual state of packaging this? 

I really want it in F10 and I can help if it is needed.

Comment 11 Bernie Innocenti 2008-12-14 06:45:09 UTC
(In reply to comment #10)
> What is actual state of packaging this? 
> I really want it in F10 and I can help if it is needed.

I think we're waiting for the reviewer to approve the package.

Comment 12 Felix Kaechele 2008-12-14 09:38:49 UTC
Funny that the reviewer itself has never commented on this bug. I'd be willing to take over the review if the original reviewer doesn't want to do so.

Comment 13 Sayamindu Dasgupta 2008-12-14 10:43:12 UTC
(In reply to comment #12)
> Funny that the reviewer itself has never commented on this bug. I'd be willing
> to take over the review if the original reviewer doesn't want to do so.

Sorry for the delay, I have been swamped with a lot of work for the past few months. I did raise the issue regarding this package in the fedora-legal mailing list, and it looks like it is legal to redistribute the software.

If you want to review the package, feel free to assign it to yourself.

Comment 14 Felix Kaechele 2008-12-17 09:17:21 UTC
Here are some issues that need to be addressed imo (without trying to impose my personal style of writing specs :-) before I can start the "real" review process
- why do you %define real_name DansGuardian when it is never used in the spec any further?
- why does BuildRequires: gcc-c++, have a ',' at the end when there's nothing following?
- you should better include dansguardian.httpd and dansguardian.init into a source file. That would improve readability of the spec.
- you seem not to have written a patch as suggested in comment #8
- in %files why do you set %defattr(-, root, root, 0755) instead of %defattr(-, root, root, -)? Is it really necessary to mark all files executeable?
- same for %defattr(0700, nobody, nobody, 0755) a few lines after that
- don't put www files in /var/www. You should rather put them into /usr/share/dansguardian. Then you would also need to rewrite the apache config that is supplied. See the package phpMyAdmin for an example.

Comment 15 Bernie Innocenti 2008-12-21 12:07:01 UTC
All comments from Felix hopefully addressed in this new release:


Comment 16 Felix Kaechele 2009-01-20 11:15:45 UTC
I have to apologize for having you wait so long. But now I got enough time to do the review.

A few things to get the review going again:

- Could you please update to the latest stable version

- This is the rpmlint output I get when running on the binary RPM:

dansguardian.x86_64: E: non-executable-script /usr/share/dansguardian/scripts/systemv-init 0644
dansguardian.x86_64: E: non-executable-script /usr/share/dansguardian/scripts/logrotation 0644
dansguardian.x86_64: E: executable-marked-as-config-file /etc/rc.d/init.d/dansguardian
dansguardian.x86_64: E: non-executable-script /usr/share/dansguardian/scripts/bsd-init 0644
dansguardian.x86_64: E: non-executable-script /usr/share/dansguardian/scripts/solaris-init 0644
dansguardian.x86_64: E: non-executable-script /usr/share/dansguardian/dansguardian.pl 0644
dansguardian.x86_64: W: conffile-without-noreplace-flag /etc/dansguardian/authplugins/ident.conf
dansguardian.x86_64: W: incoherent-subsys /etc/rc.d/init.d/dansguardian $prog
dansguardian.x86_64: W: incoherent-subsys /etc/rc.d/init.d/dansguardian $prog
dansguardian.x86_64: W: incoherent-subsys /etc/rc.d/init.d/dansguardian $prog

If you are unsure how to solve this issues you can try rpmlint -I. Example:

  rpmlint -I incoherent-subsys

Please also feel free to ask here.

Comment 17 Bernie Innocenti 2009-02-20 15:57:28 UTC
Updated rpm with all the above warnings fixed, plus a few more changes to build cleanly in dist-f10:


Comment 18 Pavel Lisý 2009-02-23 12:18:51 UTC
Do you think about making default firewall configuration? Similar settings are made in Ubuntu CE but through firehol package.

This is what I use for my children's computers in combination with tinyproxy (running under nobody user on 3128 port):

cp -a /etc/sysconfig/iptables /etc/sysconfig/iptables-dansguardian-backup

sed \
-e '/-A INPUT -j REJECT --reject-with icmp-host-prohibited/a\
# dansguargian settings\
# --- begin\
-A OUTPUT -d -p tcp -m tcp --dport 3128 -m owner ! --uid-owner nobody -j DROP\
# --- end\
' \
-e '/^\*filter/i\
# tinyproxy settings\
# --- begin\
:in_trproxy.1 - [0:0]\
:out_trproxy.1 - [0:0]\
-A PREROUTING -p tcp -m tcp --sport 1000:65535 --dport 80 -j in_trproxy.1\
-A in_trproxy.1 -p tcp -j REDIRECT --to-ports 8080\
-A OUTPUT -p tcp -m tcp --sport 32768:61000 --dport 80 -j out_trproxy.1\
-A out_trproxy.1 -m owner --uid-owner nobody -j RETURN\
-A out_trproxy.1 -m owner --uid-owner root -j RETURN\
-A out_trproxy.1 -d -j RETURN\
-A out_trproxy.1 -p tcp -j REDIRECT --to-ports 8080\
# --- end\
' /etc/sysconfig/iptables-dansguardian-backup > /etc/sysconfig/iptables

This is useful when you want deny all http traffic outside except defined users (nobody = tinyproxy user, root = yum update, ...)
You don't need make proxy setting in browser too.

Comment 19 Felix Kaechele 2009-02-27 09:53:21 UTC
#18: I believe that you should contact Thomas Woerner on that. He maintains system-config-firewall. He might include it as a template into his package.

I hope to finish the review soon but there are still some issues that need to be addressed. More to follow. Sorry for having you wait so long.

Comment 20 Felix Kaechele 2009-03-08 21:47:51 UTC
Created attachment 334451 [details]
GCC 4.4 Fix

I have the review 90% done but there is one thing I'd like you to do before I can approve the package: Please update to the last upstream version and apply the patch (with -p1) I attached. It fixes the source to build with gcc 4.4. Please also do not forget to send this patch upstream.

Comment 21 Felix Kaechele 2009-04-11 22:05:28 UTC

Comment 22 Rahul Sundaram 2009-05-07 15:03:07 UTC
Ping once more. I will wait for a couple of weeks or otherwise close this review request.

Comment 23 Felix Kaechele 2009-05-07 15:08:15 UTC
I'll open a new one in that case with a new spec. So feel free to close this review if the original reporter doesn't respond.

Comment 24 Bernie Innocenti 2009-05-08 07:57:56 UTC
Please, feel free to take over this package from me, I don't use dansguardian any longer and I don't have much time to maintain it.  Sorry :-(

You could reassign this bug to yourself rather than opening a new one.

Comment 25 Felix Kaechele 2009-05-10 07:29:34 UTC
Opened a new review with a completely rewritten SPEC file.

*** This bug has been marked as a duplicate of bug 500013 ***

Comment 26 Fedora Update System 2009-07-15 10:26:17 UTC
dansguardian- has been submitted as an update for Fedora 11.

Note You need to log in before you can comment on or make changes to this bug.