Bug 461305 - Review Request: pam_kcoda - coda auth/cred/session PAM module
Review Request: pam_kcoda - coda auth/cred/session PAM module
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Gwyn Ciesla
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-09-05 14:13 EDT by Neil Horman
Modified: 2009-03-31 09:18 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-03-31 09:18:58 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
limburgher: fedora‑review+
huzaifas: fedora‑cvs+


Attachments (Terms of Use)

  None (edit)
Description Neil Horman 2008-09-05 14:13:23 EDT
Spec URL: http://nhorman.fedorapeople.org/pam_kcoda.spec
SRPM URL: http://nhorman.fedorapeople.org/pam_kcoda-0.4-1.fc8.src.rpm
Description: This is a PAM module that allows a user to obtain coda tokens when authenticated against a krb5 realm.
Comment 1 Gwyn Ciesla 2008-09-09 13:45:34 EDT
rpmlint on SRPM:

pam_kcoda.src: W: no-url-tag
The URL tag is missing.

rpmlint on RPMS:

pam_kcoda.i386: W: no-documentation
The package contains no documentation (README, doc, etc). You have to include
documentation files.

pam_kcoda.i386: W: no-url-tag
The URL tag is missing.

pam_kcoda.i386: W: unstripped-binary-or-object /lib/security/pam_kcoda.so
pam_kcoda-debuginfo.i386: E: empty-debuginfo-package
This debuginfo package contains no files.  This is often a sign of binaries
being unexpectedly stripped too early during the build, rpmbuild not being
able to strip the binaries, the package actually being a noarch one but
erratically packaged as arch dependent, or something else.  Verify what the
case is, and if there's no way to produce useful debuginfo out of it, disable
creation of the debuginfo package.

pam_kcoda-debuginfo.i386: W: no-url-tag
The URL tag is missing.


I'd like to see something in the spec explaining the patches and whether or not they've been submitted upstream.

The license tag claims GPLv1, the README specifies GPL, but the license included is BSD.  This will need to be clarified.  The URL tag would help with this.

Provides a shared library, should include:
%post -p /sbin/ldconfig

%postun -p /sbin/ldconfig

Running a mock build to check BR. . .
Comment 2 Gwyn Ciesla 2008-09-09 14:04:36 EDT
Mock build, BRs OK.  Just address the above and we're good.
Comment 3 Neil Horman 2008-09-09 16:24:39 EDT
added a url to the spec

I checked the License, GPLv1 is listed in the REadme and the pam_kcoda.c file.  Not sure where you saw a BSD license.  Given the url tag, I think GPL is the safe conclusion

I did include the only docs to come with the pkg (the readme), I marked it as a %doc in the new package below

I'm not sure why the debuginfo stuff isn't getting populated.  The pma_kcoda.so file isn't stripped, even after packaging (verify with an install and file /lib64/security/pam_kcoda.so)


New files for you, thanks!

SPEC:
http://nhorman.fedorapeople.org/pam_kcoda.spec
SRPM:
http://nhorman.fedorapeople.org/pam_kcoda-0.4-2.fc8.src.rpm
Comment 4 Gwyn Ciesla 2008-09-10 09:40:26 EDT
Look in pam_koda.c, lines 50-60. 

BSD License:
http://swik.net/License:BSD/BSD+License+Text

See what I mean?  And it doesn't include a copy of the GPL anywhere.

As for debuginfo, see: https://fedoraproject.org/wiki/Packaging/Debuginfo, and see if that sheds any light.  If you can't get -debuginfo populate, disable generation of the -debugingo package.
Comment 5 Mamoru TASAKA 2008-09-10 10:48:45 EDT
Only for debuginfo issue:

(In reply to comment #4)
> If you can't get -debuginfo populate, disable generation of the -debugingo package.
  We should not allow this. All packages must create debuginfo rpm correctly unless they
  are noarch rpms, monos, or so.

  2 issues:
  - build log actually shows that Fedora specific compilation flags are not honored
    correctly:
----------------------------------------------------------
+ CFLAGS='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -fPIC'
+ export CFLAGS
+ make
mkdir -p ./dynamic
gcc -O2 -Dlinux -DLINUX_PAM -ansi -D_POSIX_SOURCE -Wall -Wwrite-strings -Wpointer-arith -Wcast-qual -Wcast-align -Wtraditional -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wshadow -pedantic -fPIC -DPAM_DYNAMIC  -c pam_kcoda.c -o dynamic/pam_kcoda.o
-----------------------------------------------------------
    So -g debug option flag is not used.
    'make %{?_smp_mflags} CC="gcc $RPM_OPT_FLAGS"' seems to work
  - pam_kcoda.so is installed with 0644 permission. find-debuginfo.sh will tries to strip binaries
    only with executable permission flag. pam_kcoda.so should be installed with 0755 permission
    (change SHLIBMODE).
Comment 6 Gwyn Ciesla 2008-09-10 10:55:03 EDT
Fair enough.  +1.
Comment 7 Neil Horman 2008-09-10 11:07:56 EDT
>Look in pam_koda.c, lines 50-60. 
Look at lines 47-48 of the same file, indicating GPL License.  The stuff on
lines 50-60 isn't the BSD license, thats just the standard disclaimer. This is
the full BSD license:
http://www.opensource.org/licenses/bsd-license.php

Which isn't included anywhere in the code or accomanying documentation

Although it is odd that they don't include a COPYING file.  Unfortunately, the
maintainers still haven't responded to me on any of my queries.

I've gone through the debuginfo link you provided, and none of those tips seems
to be the cause of the empty debuginfo package, so I'm disabling it for now:

New Files for you.  Thanks!

SPEC:
http://nhorman.fedorapeople.org/pam_kcoda.spec
SRPM:
http://nhorman.fedorapeople.org/pam_kcoda-0.4-3.fc8.src.rpm
Comment 8 Gwyn Ciesla 2008-09-10 12:07:38 EDT
Ok, hopefully they can clarify what the license should be.  Let me know.  We need to know what version of the GPL it should be.  Including a copy of the relevant version would be the best.
Comment 9 Neil Horman 2008-09-10 12:19:53 EDT
I've gotten a bounce from the email listed in the docs.  Some googling has found me an alternate email to try.  I copied you on the note asking for licence clarification.
Comment 10 Neil Horman 2008-09-10 14:35:09 EDT
sorry, I fat fingered your email on my note to him, and your copy bounced, This is the reply from the author:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Neil Horman wrote:
> I'm in the process of trying to get
> pam_kcoda packaged for fedora:

cool ;) - pam_kcoda was one of my first FLOSS projects while student;
Ivan Popov took over maintaining the software in 2001 and added Kerberos
support - I have not heard from him since years now.

> https://bugzilla.redhat.com/show_bug.cgi?id=461305
> Your name is in the docs, but I just got a bounce from the address that was
> listed there.  Some quick googling led me to you at this address so I thought I
> would write and ask, if you are indeed the author of that package:
> http://www.kernel.org/pub/linux/libs/pam/pre/modules/pam_kcoda-v0.4.tgz

I'm the original author, but no license expert ;)

> And if you are, if you could clarify what version of the GPL you intended to
> distribute it under.  My impression is that you intended to distribute under the
> GPLv1 but I'd like to be sure.

Feel free to release pam_kcoda under GPL v2 or 3.., MIT or BSD license
whatever suits you best.
I wrote the original code in GPL v1 as was Coda (and PAM?) in 1999 -
IIRC Ivan asked to release it under BSD conditions and probably then the
license mess started..

> Could you by any chance update the upstream
> package with a COPYING file with a specific license, or clarify what your intent
> was, either in the above bugzilla or via email?

I have no idea how this ended up on
http://www.kernel.org/pub/linux/libs/pam/pre/modules/ and don't have
write permissions there [yet].

If necessary I con roll a new release mid next week (I'll be traveling
and am only sporadically online during the next days) . Do you know any
PAM devs?

cheers,
robin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkjIAFAACgkQeVUk8U+VK0KLqwCgoCDRuJxkhKqhKVsPTFT19buI
x38An1DtWXjQ2HK7aJ4CpbNZ99sAJhfi
=Sfjy
-----END PGP SIGNATURE-----

So, if we change the spec License tag to be GPLv2+, will that be sufficient until a new version is released from Robin with a proper license file?
Comment 11 Gwyn Ciesla 2008-09-10 14:41:13 EDT
Honestly, it'd be simpler to wait for a new release that includes the version the author wants (hopefully GPLv2+, IMHO).  Then we can get a better URL for upstream, as well, and the one we have currently gives no info, just the bits.
Comment 12 Neil Horman 2008-09-10 16:01:26 EDT
Its going to be a few weeks on that, and we're not going to get a better URL.  My understanding is that Robin is just going to upload a new version to his space on kernel.org
Comment 13 Gwyn Ciesla 2008-09-12 08:21:17 EDT
If it's really to be that long, create a pam_koda-license-README.txt for %doc that  explicitly documents the above, and we'll run it by legal to see if that passes muster.
Comment 14 Neil Horman 2008-09-12 09:54:58 EDT
copy that, I'll post a new rpm shortly.
Comment 15 Neil Horman 2008-09-12 12:59:41 EDT
ok new files for review:
SPEC:
http://nhorman.fedorapeople.org/pam_kcoda.spec
SRPM:
http://nhorman.fedorapeople.org/pam_kcoda-0.4-4.fc8.src.rpm
Comment 16 Gwyn Ciesla 2008-09-12 13:21:46 EDT
pam_kcoda.i386: W: incoherent-version-in-changelog 0.4.3 0.4-4.fc9
The last entry in %changelog contains a version identifier that is not
coherent with the epoch:version-release tuple of the package.

Fix.

pam_kcoda.i386: W: unstripped-binary-or-object /lib/security/pam_kcoda.so

Manually stripping this in the spec should silence this.
Comment 17 Neil Horman 2008-09-12 14:22:48 EDT
Sorted.  New package/spec:

SPEC:
http://nhorman.fedorapeople.org/pam_kcoda.spec
SRPM:
http://nhorman.fedorapeople.org/pam_kcoda-0.4-5.fc8.src.rpm
Comment 18 Gwyn Ciesla 2008-09-12 14:31:35 EDT
Good enough.  Just waiting on legal then.
Comment 19 Neil Horman 2008-09-22 11:34:12 EDT
ping, any update here?
Comment 20 Gwyn Ciesla 2008-09-22 11:43:01 EDT
Still nothing from legal.  ETA on new release?
Comment 21 Neil Horman 2008-09-22 11:59:41 EDT
No, I expect that will be a few weeks, origional author indicated he would be traveling for a few weeks.  I'll try contact him again
Comment 22 Neil Horman 2008-10-01 11:04:33 EDT
I've heard from the upstream maintainer, who posted a new version with GPLv3 license langage.  I've got a package put together here:

SPEC: http://nhorman.fedorapeople.org/pam_kcoda.spec
SRPM: http://nhorman.fedorapeople.org/pam_kcoda-0.5-1.fc8.src.rpm

Clearing legal blocker.
Comment 23 Gwyn Ciesla 2008-10-01 11:13:06 EDT
The source still says GPLv2, as does COPYING.  Changlog in source says GPLv3, though that's a start.  Upstream may want to correct.

pam_kcoda.i386: E: library-not-linked-against-libc /lib/security/pam_kcoda.so
1 packages and 0 specfiles checked; 1 errors, 0 warnings.
Comment 24 Neil Horman 2008-10-01 12:02:11 EDT
upstream noticed at the same time you did.  New package w/ fixed licensing, and corrected linkage.

SPEC: http://nhorman.fedorapeople.org/pam_kcoda.spec
SRPM: http://nhorman.fedorapeople.org/pam_kcoda-0.5.1-1.fc8.src.rpm
Comment 25 Gwyn Ciesla 2008-10-01 12:31:33 EDT
That, my friend, is hysterical. :)

APPROVED.
Comment 26 Neil Horman 2008-10-01 14:50:36 EDT
Cool Thanks!

New Package CVS Request
=======================
Package Name: pam_kcoda
Short Description: pam module to automate autentication to coda servers
Owners: nhorman@redhat.com
Branches: devel F-9
InitialCC:
Comment 27 Huzaifa S. Sidhpurwala 2008-10-03 02:03:43 EDT
cvs done
Comment 28 Gwyn Ciesla 2009-03-31 09:18:58 EDT
Built, closing.

Note You need to log in before you can comment on or make changes to this bug.