Spec URL: http://theory.physics.helsinki.fi/~jzlehtol/rpms/firehol.spec SRPM URL: http://theory.physics.helsinki.fi/~jzlehtol/rpms/firehol-1.273-1.fc9.noarch.rpm Description: FireHOL uses an extremely simple but powerful way to define firewall rules which it turns into complete stateful iptables firewalls. FireHOL is a generic firewall generator, meaning that you can design any kind of local or routing stateful packet filtering firewalls with ease. Install FireHOL if you want an easy way to configure stateful packet filtering firewalls on Linux hosts and routers. You can run FireHOL with the 'helpme' argument, to get a configuration file for the system run, which you can modify according to your needs. The default configuration file will allow only client traffic on all interfaces.
rpmlint output: firehol.noarch: W: service-default-enabled /etc/init.d/firehol firehol.noarch: E: subsys-not-used /etc/init.d/firehol 1 packages and 1 specfiles checked; 1 errors, 1 warnings.
Fixes: - Use _initrddir. - pre and post fixes. - Disable automatical startup. http://theory.physics.helsinki.fi/~jzlehtol/rpms/firehol.spec http://theory.physics.helsinki.fi/~jzlehtol/rpms/firehol-1.273-3.fc9.src.rpm
Some cleanups. http://theory.physics.helsinki.fi/~jzlehtol/rpms/firehol.spec http://theory.physics.helsinki.fi/~jzlehtol/rpms/firehol-1.273-4.fc10.src.rpm
rpmlint output: firehol.noarch: E: non-readable /etc/firehol/firehol.conf 0640 firehol.noarch: E: subsys-not-used /etc/rc.d/init.d/firehol 2 packages and 0 specfiles checked; 2 errors, 0 warnings. These can both be ignored, since 1. the firewall config is not supposed to be read by other than root and 2. there service that sticks around is iptables; FireHOL doesn't have anything of itself to monitor with a subsys.
I had a look over the package and everything seems to be OK. All must-items of the ReviewGuidelines checked.
(In reply to comment #5) > I had a look over the package and everything seems to be OK. All must-items of > the ReviewGuidelines checked. Then maybe you'd be willing to perform the review?
(In reply to comment #6) > Then maybe you'd be willing to perform the review? Done. Since I'm not a sponsor you still need to seek one. Maybe you should review other packages too. Did you create other packages? You could even send a mail to fedora-devel describing your package and what you have done etc. The more you tell about you and your package the earlier you will find a sponsor.
(In reply to comment #7) > (In reply to comment #6) > > Then maybe you'd be willing to perform the review? > > Done. Since I'm not a sponsor you still need to seek one. Maybe you should > review other packages too. Did you create other packages? You could even send a > mail to fedora-devel describing your package and what you have done etc. > > The more you tell about you and your package the earlier you will find a > sponsor. Is this a joke? :D I'm a sponsor myself, with 136 reviews. Most of the review bugs are by people who have been sponsored long ago and have packaging rights. Only the ones marked with FE-NEEDSPONSOR need sponsors to (formally) review them. I see you have acquired sponsoree status just five days ago, and you clearly have not understood yet completely how the package review process works. ** You really should go through the review checklist in the review bug (here). It's not just for me or you, it's also for other people who look at the reviews. A simple "Looks OK" is sloppy reviewing, since it's very likely you have forgot to check something. And it doesn't tell other people that you have really went through everything. Learn to walk before you run, OK? :) PS. Setting fedora-review to + is not enough, since anyone can remove or write over the flag. When you a package passes the review, write APPROVED in the comment field.
(In reply to comment #8) > I see you have acquired sponsoree status just five days ago, and you clearly > have not understood yet completely how the package review process works. Quite right. The Fedora bureaucracy is still new to me. But hey weren't we all once small? Calm down big boy. > You really should go through the review checklist in the review bug (here). > It's not just for me or you, it's also for other people who look at the > reviews. A simple "Looks OK" is sloppy reviewing, since it's very likely you > have forgot to check something. And it doesn't tell other people that you have > really went through everything. Like I already said in comment #5. I went through _all_ must (and should) items of https://fedoraproject.org/wiki/Packaging/ReviewGuidelines. And I did all steps of https://fedoraproject.org/wiki/Package_Review_Process which does not state that a comment like "APPROVED" should be written. > Learn to walk before you run, OK? :) Learning by doing. A wise man said this once before :) > PS. Setting fedora-review to + is not enough, since anyone can remove or write > over the flag. When you a package passes the review, write APPROVED in the > comment field. At least this one is a constructive comment.
> Calm down big boy. I second that. > > A simple "Looks OK" is sloppy reviewing, Not at all. This point is entirely moot. Whether it's a very brief "Looks OK" or "APPROVED" or a huge list of MUST/SHOULD/OK/NOTOK/FAIL/BLAH items that copies the entire ReviewGuidelines Wiki page, it doesn't matter. All that matters is whether a reviewer has checked the package actually. The reviewer takes responsibility for serious mistakes. But don't forget that there are two people. The packager is the second one, who ought to review the package, too. ;) > # Don't start the firewall automatically > sed -i -e 's,# chkconfig: 2345 99 92,# chkconfig: - 20 80,' firehol.sh That's sloppy. sed -i is worse than a clean patch file. If the source file changes, your sed transformation no longer applies. Silently. On the contrary, a patch would fail and terminate the build. Adding a guard after the sed transformation is highly recommended.
(In reply to comment #9) > of https://fedoraproject.org/wiki/Packaging/ReviewGuidelines. And I did all > steps of https://fedoraproject.org/wiki/Package_Review_Process which does not > state that a comment like "APPROVED" should be written. It might be not emphasized enough, but you also need to assign the bug to you (the Assigned To field). I just did this for you.
(In reply to comment #10) > > # Don't start the firewall automatically > > sed -i -e 's,# chkconfig: 2345 99 92,# chkconfig: - 20 80,' firehol.sh > > That's sloppy. sed -i is worse than a clean patch file. If the source file > changes, your sed transformation no longer applies. Silently. On the contrary, > a patch would fail and terminate the build. Adding a guard after the sed > transformation is highly recommended. True, didn't come to think of that when I packaged this a year ago when I was a newcomer in Fedora. (In reply to comment #11) > (In reply to comment #9) > > > of https://fedoraproject.org/wiki/Packaging/ReviewGuidelines. And I did all > > steps of https://fedoraproject.org/wiki/Package_Review_Process which does not > > state that a comment like "APPROVED" should be written. > > It might be not emphasized enough, but you also need to assign the bug to you > (the Assigned To field). I just did this for you. ... and change the status to ASSIGNED, which I just did.
Well, thanks for the review, it had been waiting for a long time! Sorry if I sounded harsh, I did not mean to discourage you; I was just a bit surprised about your comments about sponsorship. I've fixed the sed issue. http://theory.physics.helsinki.fi/~jzlehtol/rpms/firehol.spec http://theory.physics.helsinki.fi/~jzlehtol/rpms/firehol-1.273-5.fc11.src.rpm New Package CVS Request ======================= Package Name: firehol Short Description: A powerful yet easy to use iptables frontend Owners: jussilehtola Branches: F-10 F-11 EL-4 EL-5 InitialCC:
(In reply to comment #13) > Well, thanks for the review, it had been waiting for a long time! That was one of my reasons to choose this request. > Sorry if I sounded harsh, I did not mean to discourage you; I was just a bit > surprised about your comments about sponsorship. No problem. Actually this is my first review and a funny story together ;-) I started "5 days" ago and everybody told me to tell as much as possible about myself and my package to find and convince a sponsor/reviewer. I just wanted to give this tip/hind on because this request was waiting quite long. Now to the real interesting stuff: review of firehol-1.273-5.fc11.src.rpm (sha256sum 4ee2dd849a38948fc9c2ed8463089628429b9e81423633892b2b88e77ffdd61e) [ OK ] MUST: rpmlint must be run on every package. The output should be posted in the review. $ rpmlint SPECS/firehol.spec SRPMS/firehol-1.273-5.fc11.src.rpm RPMS/noarch/firehol-1.273-5.fc11.noarch.rpm firehol.noarch: E: non-readable /etc/firehol/firehol.conf 0640 firehol.noarch: E: subsys-not-used /etc/rc.d/init.d/firehol 2 packages and 1 specfiles checked; 2 errors, 0 warnings. Actually firehol uses /var/lock/subsys where it touches "firehol" and "iptables" when it starts. I guess rpmlint does not recognize that because it is hidden in the bash script. A grep after "FIREHOL_LOCK_DIR" in /etc/init.d/firehol explains this. [ OK ] MUST: The package must be named according to the Package Naming Guidelines . [ OK ] MUST: The spec file name must match the base package %{name}, in the format %{name}.spec unless your package has an exemption. [ OK ] MUST: The package must meet the Packaging Guidelines . [ OK ] MUST: The package must be licensed with a Fedora approved license and meet the Licensing Guidelines . [ OK ] MUST: The License field in the package spec file must match the actual license. [ OK ] MUST: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package must be included in %doc. [ OK ] MUST: The spec file must be written in American English. [ OK ] MUST: The spec file for the package MUST be legible. [ OK ] MUST: The sources used to build the package must match the upstream source, as provided in the spec URL. Reviewers should use md5sum for this task. If no upstream URL can be specified for this package, please see the Source URL Guidelines for how to deal with this. sha256sum: e8d3b4ac3e54097c0e0f14bfab773a75d43b522fa123a42088b7f23f13495ea2 Download/firehol-1.273.tar.bz2 e8d3b4ac3e54097c0e0f14bfab773a75d43b522fa123a42088b7f23f13495ea2 SOURCES/firehol-1.273.tar.bz2 [ OK ] MUST: The package MUST successfully compile and build into binary rpms on at least one primary architecture. [ OK ] MUST: If the package does not successfully compile, build or work on an architecture, then those architectures should be listed in the spec in ExcludeArch. Each architecture listed in ExcludeArch MUST have a bug filed in bugzilla, describing the reason that the package does not compile/build/work on that architecture. The bug number MUST be placed in a comment, next to the corresponding ExcludeArch line. Not relevant, since noarch. [ OK ] MUST: All build dependencies must be listed in BuildRequires, except for any that are listed in the exceptions section of the Packaging Guidelines ; inclusion of those as BuildRequires is optional. Apply common sense. No "BuildRequires" available. Only "Requires" which are OK. [ OK ] MUST: The spec file MUST handle locales properly. This is done by using the %find_lang macro. Using %{_datadir}/locale/* is strictly forbidden. OK because no locales available. [ OK ] MUST: Every binary RPM package (or subpackage) which stores shared library files (not just symlinks) in any of the dynamic linker's default paths, must call ldconfig in %post and %postun. OK because only shell scripts get installed. [ OK ] MUST: Packages must NOT bundle copies of system libraries. [ OK ] MUST: If the package is designed to be relocatable, the packager must state this fact in the request for review, along with the rationalization for relocation of that specific package. Without this, use of Prefix: /usr is considered a blocker. OK because only shell scripts are used. [ OK ] MUST: A package must own all directories that it creates. If it does not create a directory that it uses, then it should require a package which does create that directory. $ rpmls RPMS/noarch/firehol-1.273-5.fc11.noarch.rpm | grep ^d drwxr-xr-x /etc/firehol drwxr-xr-x /etc/firehol/services drwxr-xr-x /usr/libexec/firehol drwxr-xr-x /usr/share/doc/firehol-1.273 drwxr-xr-x /usr/share/doc/firehol-1.273/doc drwxr-xr-x /usr/share/doc/firehol-1.273/examples drwxr-xr-x /var/spool/firehol [ OK ] MUST: A Fedora package must not list a file more than once in the spec file's %files listings. [ OK ] MUST: Permissions on files must be set properly. Executables should be set with executable permissions, for example. Every %files section must include a %defattr(...) line. All permissions seem to be fine (checked via rpmls). [ OK ] MUST: Each package must have a %clean section, which contains rm -rf %{buildroot} (or $RPM_BUILD_ROOT). [ OK ] MUST: Each package must consistently use macros. [ OK ] MUST: The package must contain code, or permissable content. [ OK ] MUST: Large documentation files must go in a -doc subpackage. (The definition of large is left up to the packager's best judgement, but is not restricted to size. Large can refer to either size or quantity). [ OK ] MUST: If a package includes something as %doc, it must not affect the runtime of the application. To summarize: If it is in %doc, the program must run properly if it is not present. [ OK ] MUST: Header files must be in a -devel package. OK because only shell scripts are shipped. [ OK ] MUST: Static libraries must be in a -static package. OK like above. [ OK ] MUST: Packages containing pkgconfig(.pc) files must 'Requires: pkgconfig' (for directory ownership and usability). OK since no pkgconfig is used. [ OK ] MUST: If a package contains library files with a suffix (e.g. libfoo.so.1.1), then library files that end in .so (without suffix) must go in a -devel package. [ OK ] MUST: In the vast majority of cases, devel packages must require the base package using a fully versioned dependency: Requires: %{name} = %{version}-%{release} [ OK ] MUST: Packages must NOT contain any .la libtool archives, these must be removed in the spec if they are built. [ OK ] MUST: Packages containing GUI applications must include a %{name}.desktop file, and that file must be properly installed with desktop-file-install in the %install section. If you feel that your packaged GUI application does not need a .desktop file, you must put a comment in the spec file with your explanation. [ OK ] MUST: Packages must not own files or directories already owned by other packages. The rule of thumb here is that the first package to be installed should own the files or directories that other packages may rely upon. This means, for example, that no package in Fedora should ever share ownership with any of the files or directories owned by the filesystem or man package. If you feel that you have a good reason to own a file or directory that another package owns, then please present that at package review time. [ OK ] MUST: At the beginning of %install, each package MUST run rm -rf %{buildroot} (or $RPM_BUILD_ROOT). [ OK ] MUST: All filenames in rpm packages must be valid UTF-8. [ OK ] SHOULD: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it. [ NA ] SHOULD: The description and summary sections in the package spec file should contain translations for supported Non-English languages, if available. [ OK ] SHOULD: The reviewer should test that the package builds in mock. Builds fine with mock on fedora-11-ppc. [ NA ] SHOULD: The package should compile and build into binary rpms on all supported architectures. Since it is a noarch package it's not really interesting I guess. Only shell scripts get copied no compilation at all. [ OK ] SHOULD: The reviewer should test that the package functions as described. A package should not segfault instead of running, for example. More or less OK. I did a few starts and stops. The rules are loaded properly. [ OK ] SHOULD: Usually, subpackages other than devel should require the base package using a fully versioned dependency. [ OK ] SHOULD: The placement of pkgconfig(.pc) files depends on their usecase, and this is usually for development purposes, so should be placed in a -devel pkg. A reasonable exception is that the main pkg itself is a devel tool not installed in a user runtime, e.g. gcc or gdb. OK since pkgconfig isn't used. [ OK ] SHOULD: If the package has file dependencies outside of /etc, /bin, /sbin, /usr/bin, or /usr/sbin consider requiring the package which provides the file instead of the file itself. ############################################################################# I noticed one thing during extensive testing. A few arguments to the init script aren't supported. The init script guidlines (https://fedoraproject.org/wiki/Packaging/SysVInitScript#Required_Actions) insist on the following missing arguments: - try-restart (I guess this is not a big problem since condrestart is available) - reload (may be negligible too) Additionally condrestart didn't work for me like expected. For example: $ /etc/init.d/firehol start FireHOL: Saving your old firewall to a temporary file: [ OK ] FireHOL: Processing file /etc/firehol/firehol.conf: [ OK ] FireHOL: Activating new firewall (41 rules): [ OK ] $ ls -l /var/lock/subsys/firehol -rw-r--r--. 1 root root 0 2009-09-22 17:36 /var/lock/subsys/firehol $ /etc/init.d/firehol stop FireHOL: Clearing Firewall: [ OK ] $ ls -l /var/lock/subsys/firehol ls: cannot access /var/lock/subsys/firehol: No such file or directory $ iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination $ /etc/init.d/firehol condrestart FireHOL: Saving your old firewall to a temporary file: [ OK ] FireHOL: Processing file /etc/firehol/firehol.conf: [ OK ] FireHOL: Activating new firewall (41 rules): [ OK ] $ iptables -L Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere ... and a lot of rules are up I would have expected that condrestart does nothing since I stopped the service before. Maybe this is a bug in upstream? Otherwise looks OK.
Stefan: Whats your Fedora Account system name? I can't seem to find you by your email address used here. You must be in the packager group to approve package reviews.
https://fedoraproject.org/wiki/Packaging/SysVInitScript#Required_Actions "condrestart (and try-restart): restart the service if the service is already running, if not, do nothing" So everything should be OK. (I must confess, I haven't checked those myself.)
@Stefan : when checking for unowned directories, don't use "grep ^d". It's insufficient @Kevin : account name is "stefansf" @Jussi : then a "service firehol stop ; service firehol condrestart" should not start the service, but according to comment 14 it does
(In reply to comment #17) > @Jussi : then a "service firehol stop ; service firehol condrestart" should not > start the service, but according to comment 14 it does Ugh. I really should not work this tired. I sent an email to the author, I don't have time now to debug the issue.
(In reply to comment #17) > @Stefan : when checking for unowned directories, don't use "grep ^d". It's > insufficient Jep you're right. I just posted the grep output to minimize it and to assure that I really did it. Maybe it would be more appropriate to paste the full output of rpmls: $ rpmls RPMS/noarch/firehol-1.273-5.fc11.noarch.rpm drwxr-xr-x /etc/firehol -rw-r----- /etc/firehol/firehol.conf drwxr-xr-x /etc/firehol/services -rwxr-xr-x /etc/rc.d/init.d/firehol drwxr-xr-x /usr/libexec/firehol -rwxr-xr-x /usr/libexec/firehol/adblock.sh -rwxr-xr-x /usr/libexec/firehol/buildrpm.sh -rwxr-xr-x /usr/libexec/firehol/firehol.sh -rwxr-xr-x /usr/libexec/firehol/get-iana.sh drwxr-xr-x /usr/share/doc/firehol-1.273 -rw-r--r-- /usr/share/doc/firehol-1.273/COPYING -rw-r--r-- /usr/share/doc/firehol-1.273/ChangeLog -rw-r--r-- /usr/share/doc/firehol-1.273/README -rw-r--r-- /usr/share/doc/firehol-1.273/TODO -rw-r--r-- /usr/share/doc/firehol-1.273/WhatIsNew drwxr-xr-x /usr/share/doc/firehol-1.273/doc -rw-r--r-- /usr/share/doc/firehol-1.273/doc/adding.html -rw-r--r-- /usr/share/doc/firehol-1.273/doc/commands.html -rw-r--r-- /usr/share/doc/firehol-1.273/doc/css.css -rw-r--r-- /usr/share/doc/firehol-1.273/doc/faq.html -rw-r--r-- /usr/share/doc/firehol-1.273/doc/fwtest.html -rw-r--r-- /usr/share/doc/firehol-1.273/doc/header.html -rw-r--r-- /usr/share/doc/firehol-1.273/doc/index.html -rw-r--r-- /usr/share/doc/firehol-1.273/doc/invoking.html -rw-r--r-- /usr/share/doc/firehol-1.273/doc/language.html -rw-r--r-- /usr/share/doc/firehol-1.273/doc/overview.html -rw-r--r-- /usr/share/doc/firehol-1.273/doc/search.html -rw-r--r-- /usr/share/doc/firehol-1.273/doc/services.html -rw-r--r-- /usr/share/doc/firehol-1.273/doc/support.html -rw-r--r-- /usr/share/doc/firehol-1.273/doc/trouble.html -rw-r--r-- /usr/share/doc/firehol-1.273/doc/tutorial.html drwxr-xr-x /usr/share/doc/firehol-1.273/examples -rw-r--r-- /usr/share/doc/firehol-1.273/examples/client-all.conf -rw-r--r-- /usr/share/doc/firehol-1.273/examples/home-adsl.conf -rw-r--r-- /usr/share/doc/firehol-1.273/examples/home-dialup.conf -rw-r--r-- /usr/share/doc/firehol-1.273/examples/lan-gateway.conf -rw-r--r-- /usr/share/doc/firehol-1.273/examples/office.conf -rw-r--r-- /usr/share/doc/firehol-1.273/examples/server-dmz.conf -rw-r--r-- /usr/share/man/man1/firehol.1.gz -rw-r--r-- /usr/share/man/man5/firehol.conf.5.gz drwxr-xr-x /var/spool/firehol I checked every file + directory and its permissions. Looks good to me.
cvs done.
firehol-1.273-5.el4 has been submitted as an update for Fedora EPEL 4. http://admin.fedoraproject.org/updates/firehol-1.273-5.el4
firehol-1.273-5.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/firehol-1.273-5.el5
firehol-1.273-5.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/firehol-1.273-5.fc10
firehol-1.273-5.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/firehol-1.273-5.fc11
firehol-1.273-5.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
firehol-1.273-5.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
firehol-1.273-5.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
firehol-1.273-5.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.
Package Change Request ====================== Package Name: firehol New Branches: epel7 Owners: cicku
Git done (by process-git-requests).