Spec URL: http://fab.fedorapeople.org/packages/SRPMS/ccrypt.spec
SRPM URL: http://fab.fedorapeople.org/packages/SRPMS/ccrypt-1.7-1.fc9.src.rpm
Project URL: http://ccrypt.sourceforge.net/

Description:
ccrypt is a utility for encrypting and decrypting files and streams. It was designed as a replacement for the standard unix crypt utility, which is notorious for using a very weak encryption algorithm. ccrypt is based on the Rijndael cipher, which is the U.S. government's chosen candidate for the Advanced Encryption Standard. This cipher is believed to provide very strong security.

Koji scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=1069879

rpmlint output:
[fab@laptop024 i386]$ rpmlint ccrypt*
2 packages and 0 specfiles checked; 0 errors, 0 warnings.
[fab@laptop024 SRPMS]$ rpmlint ccrypt-1.7-1.fc9.src.rpm
1 packages and 0 specfiles checked; 0 errors, 0 warnings.

Package build failed on ppc 64
http://koji.fedoraproject.org/koji/getfile?taskID=1069883&name=build.log

-------<%---------
*** stack smashing detected ***: ./maketables terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail-0x8cc08)[0x400001fc118]
/lib64/libc.so.6(__stack_chk_fail-0x8cc4c)[0x400001fc0c4]
./maketables[0x10001170]
/lib64/libc.so.6[0x400000fc1b8]
/lib64/libc.so.6(__libc_start_main-0x1848f0)[0x400000fc3d0]
-------%>---------
My review. I cannot sponsor you as I'm not (yet) an approved packager. Once this package gets approved contact a sponsor from the official list. To that end, have you done any unofficial reviews of others' packages? If so, please post links. If not, do a few, and post links.

Package: 94e1a15eec27d8db271df733230aae5e ccrypt-1.7-1.fc9.src.rpm

$ rpm -i ~/Download/ccrypt-1.7-1.fc9.src.rpm
Clean.

$ md5sum ../SOURCES/ccrypt-1.7.tar.gz
19526e31a7d234e29d54dbcc876605d5 ../SOURCES/ccrypt-1.7.tar.gz
$ md5sum ~/Download/ccrypt-1.7.tar.gz
19526e31a7d234e29d54dbcc876605d5 /home/gdha/Download/ccrypt-1.7.tar.gz
Source tarball is the same in SRPM package as on the official web-site. Good.

$ rpmbuild -bs ccrypt.spec
Wrote: /home/gdha/RPM/SRPMS/ccrypt-1.7-1.fc9.src.rpm

$ rpmbuild -ba SPECS/ccrypt.spec
Clean build on x86.
Requires: libcrypt.so.1 (noticed this requirement during build)
To be checked...

$ rpm -qpl /home/gdha/RPM/RPMS/i386/ccrypt-1.7-1.fc9.i386.rpm
/usr/bin/ccat
/usr/bin/ccdecrypt
/usr/bin/ccencrypt
/usr/bin/ccrypt
/usr/share/doc/ccrypt-1.7
/usr/share/doc/ccrypt-1.7/AUTHORS
/usr/share/doc/ccrypt-1.7/COPYING
/usr/share/doc/ccrypt-1.7/ChangeLog
/usr/share/doc/ccrypt-1.7/NEWS
/usr/share/doc/ccrypt-1.7/README
/usr/share/doc/ccrypt-1.7/cypfaq01.txt
/usr/share/man/man1/ccat.1.gz
/usr/share/man/man1/ccdecrypt.1.gz
/usr/share/man/man1/ccencrypt.1.gz
/usr/share/man/man1/ccrypt.1.gz

- MUST: rpmlint must be run on every package. The output should be posted in the review.
  Clean.
- MUST: The package must be named according to the Package Naming Guidelines.
  Good.
- MUST: The spec file name must match the base package %{name}, in the format %{name}.spec unless your package has an exemption on Package Naming Guidelines.
  Good.
- MUST: The package must meet the Packaging Guidelines.
  Good.
- MUST: The package must be licensed with a Fedora approved license and meet the Licensing Guidelines.
  Good.
- MUST: The License field in the package spec file must match the actual license.
  Good.
- MUST: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package must be included in %doc.
  Good.
- MUST: The spec file must be written in American English.
  Good.
- MUST: The spec file for the package MUST be legible. If the reviewer is unable to read the spec file, it will be impossible to perform a review. Fedora is not the place for entries into the Obfuscated Code Contest (http://www.ioccc.org/).
  Good. Wondering if the following line is relevant for the description: "which is the U.S. government's chosen candidate for the Advanced Encryption Standard." Your call.
- MUST: The sources used to build the package must match the upstream source, as provided in the spec URL. Reviewers should use md5sum for this task. If no upstream URL can be specified for this package, please see the Source URL Guidelines for how to deal with this.
  Good.
- MUST: The package must successfully compile and build into binary rpms on at least one supported architecture.
  Good.
- MUST: If the package does not successfully compile, build or work on an architecture, then those architectures should be listed in the spec in ExcludeArch. Each architecture listed in ExcludeArch needs to have a bug filed in bugzilla, describing the reason that the package does not compile/build/work on that architecture. The bug number should then be placed in a comment, next to the corresponding ExcludeArch line. New packages will not have bugzilla entries during the review process, so they should put this description in the comment until the package is approved, then file the bugzilla entry, and replace the long explanation with the bug number. The bug should be marked as blocking one (or more) of the following bugs to simplify tracking such issues: FE-ExcludeArch-x86, FE-ExcludeArch-x64, FE-ExcludeArch-ppc, FE-ExcludeArch-ppc64
  Will you be able to fix the build problem on PPC? Otherwise, add a tag to exclude it.
  Via koji I was able to build on ppc.
- MUST: All build dependencies must be listed in BuildRequires, except for any that are listed in the exceptions section of the Packaging Guidelines; inclusion of those as BuildRequires is optional. Apply common sense.
  You need the glibc-devel package for -lcrypt
- MUST: The spec file MUST handle locales properly. This is done by using the %find_lang macro. Using %{_datadir}/locale/* is strictly forbidden.
  Good.
- MUST: Every binary RPM package which stores shared library files (not just symlinks) in any of the dynamic linker's default paths, must call ldconfig in %post and %postun. If the package has multiple subpackages with libraries, each subpackage should also have a %post/%postun section that calls /sbin/ldconfig. An example of the correct syntax for this is:
    %post -p /sbin/ldconfig
    %postun -p /sbin/ldconfig
  NA.
- MUST: If the package is designed to be relocatable, the packager must state this fact in the request for review, along with the rationalization for relocation of that specific package. Without this, use of Prefix: /usr is considered a blocker.
  NA.
- MUST: A package must own all directories that it creates. If it does not create a directory that it uses, then it should require a package which does create that directory. Refer to the Guidelines for examples.
  Good.
- MUST: A package must not contain any duplicate files in the %files listing.
  Good.
- MUST: Permissions on files must be set properly. Executables should be set with executable permissions, for example. Every %files section must include a %defattr(...) line.
  Good.
- MUST: Each package must have a %clean section, which contains rm -rf %{buildroot} (or $RPM_BUILD_ROOT).
  Good.
- MUST: Each package must consistently use macros, as described in the macros section of Packaging Guidelines.
  Good.
- MUST: The package must contain code, or permissible content. This is described in detail in the code vs. content section of Packaging Guidelines.
  Good.
- MUST: Large documentation files should go in a -doc subpackage. (The definition of large is left up to the packager's best judgement, but is not restricted to size. Large can refer to either size or quantity)
  NA.
- MUST: If a package includes something as %doc, it must not affect the runtime of the application. To summarize: If it is in %doc, the program must run properly if it is not present.
  Good.
- MUST: Header files must be in a -devel package.
  NA.
- MUST: Static libraries must be in a -static package.
  NA.
- MUST: Packages containing pkgconfig(.pc) files must 'Requires: pkgconfig' (for directory ownership and usability).
  NA.
- MUST: If a package contains library files with a suffix (e.g. libfoo.so.1.1), then library files that end in .so (without suffix) must go in a -devel package.
  NA.
- MUST: In the vast majority of cases, devel packages must require the base package using a fully versioned dependency: Requires: %{name} = %{version}-%{release}
  NA.
- MUST: Packages must NOT contain any .la libtool archives, these should be removed in the spec.
  Good.
- MUST: Packages containing GUI applications must include a %{name}.desktop file, and that file must be properly installed with desktop-file-install in the %install section. This is described in detail in the desktop files section of the Packaging Guidelines. If you feel that your packaged GUI application does not need a .desktop file, you must put a comment in the spec file with your explanation.
  NA.
- MUST: Packages must not own files or directories already owned by other packages. The rule of thumb here is that the first package to be installed should own the files or directories that other packages may rely upon. This means, for example, that no package in Fedora should ever share ownership with any of the files or directories owned by the filesystem or man package. If you feel that you have a good reason to own a file or directory that another package owns, then please present that at package review time.
  NA.
- MUST: At the beginning of %install, each package MUST run rm -rf %{buildroot} (or $RPM_BUILD_ROOT). See Prepping BuildRoot For %install for details.
  Good.
- MUST: All filenames in rpm packages must be valid UTF-8.
  Good.

- SHOULD: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it.
  Good.
- SHOULD: The description and summary sections in the package spec file should contain translations for supported Non-English languages, if available.
  Good.
- SHOULD: The package builds in mock.
  # mock -r default rebuild SRPMS/ccrypt-1.7-1.fc9.src.rpm
  Good on i386.
- SHOULD: The package should compile and build into binary rpms on all supported architectures.
  $ koji build --arch=x86_64 --scratch dist-f10 SRPMS/ccrypt-1.7-1.fc9.src.rpm
  Good.
  $ koji build --arch=ppc --scratch dist-f10 SRPMS/ccrypt-1.7-1.fc9.src.rpm
  Good. (See http://koji.fedoraproject.org/koji/taskinfo?taskID=1071232 )
- SHOULD: The package functions as described.
  Good.
- SHOULD: If scriptlets are used, those scriptlets must be sane.
  NA.
- SHOULD: Usually, subpackages other than devel should require the base package using a fully versioned dependency.
  NA.
- SHOULD: The placement of pkgconfig(.pc) files depends on their usecase, and this is usually for development purposes, so should be placed in a -devel pkg.
  NA.
- SHOULD: If the package has file dependencies outside of /etc, /bin, /sbin, /usr/bin, or /usr/sbin consider requiring the package which provides the file instead of the file itself.
  Good.
(In reply to comment #1)
> My review. I cannot sponsor you as I'm not (yet) an approved packager.
> Once this package gets approved contact a sponsor from the official list.

Thanks, I don't need a sponsor.

> Requires: libcrypt.so.1 (noticed this requirement during build)
> To be checked...

see below

> Good. Wondering if the following line is relevant for the description:
> "which is the U.S. government's chosen candidate for the Advanced
> Encryption Standard." Your call.

I removed some sentences.

> Will you be able to fix the build problem on PPC? Otherwise, add a tag to
> exclude it.
> Via koji I was able to build on ppc.

I will exclude ppc64 for the moment. This is my second package with issues about openssl on ppcX.

> - MUST: All build dependencies must be listed in BuildRequires, except for any
> that are listed in the exceptions section of the Packaging Guidelines ;
> inclusion of those as BuildRequires is optional. Apply common sense.
>
> You need the glibc-devel package for -lcrypt

I don't think that I need glibc-devel. The koji log shows that the check for -lcrypt is ok without BR glibc-devel. But maybe I'm mistaken...

http://koji.fedoraproject.org/koji/getfile?taskID=1100286&name=build.log

Updated files:

Spec URL: http://fab.fedorapeople.org/packages/SRPMS/ccrypt.spec
SRPM URL: http://fab.fedorapeople.org/packages/SRPMS/ccrypt-1.7-2.fc9.src.rpm
(In reply to comment #2)
>
> > Good. Wondering if the following line is relevant for the description:
> > "which is the U.S. government's chosen candidate for the Advanced
> > Encryption Standard." Your call.
>
> I removed some sentences.

Thanks - it is much better.

>
> > Will you be able to fix the build problem on PPC? Otherwise, add a tag to
> > exclude it.
> > Via koji I was able to build on ppc.
>
> I will exclude ppc64 for the moment. This is my second package with issues
> about openssl on ppcX.

Thanks - acceptable for me.

>
> > - MUST: All build dependencies must be listed in BuildRequires, except for any
> > that are listed in the exceptions section of the Packaging Guidelines ;
> > inclusion of those as BuildRequires is optional. Apply common sense.
> >
> > You need the glibc-devel package for -lcrypt
>
> I don't think that I need glibc-devel. The koji log shows that the check for
> -lcrypt is ok without BR glibc-devel. But maybe I'm mistaken...

Hum, it is indeed strange, but your comment is correct. It works nicely without it. So, unless somebody complains, do not use it in the spec file.

>
> http://koji.fedoraproject.org/koji/getfile?taskID=1100286&name=build.log
>
> Updated files:
>
> Spec URL: http://fab.fedorapeople.org/packages/SRPMS/ccrypt.spec
> SRPM URL: http://fab.fedorapeople.org/packages/SRPMS/ccrypt-1.7-2.fc9.src.rpm

The SRPM URL was wrong! The correct URL is:
http://fab.fedorapeople.org/packages/SRPMS/ccrypt-1.7-2.fc10.src.rpm

Next actions are:
1/ final approval of the spec and RPM/SRPM packages of an "official" approver is still needed
2/ finding a sponsor, but you did not need one according to your comment #2

Thanks, go ahead - for me it's fine.
I will do the formal review. It looks good, as already found during the pre-review, but I have found 2 issues there:
- a test-suite is included in the sources in the "check" directory, you should add a %check section containing "make check" into the spec file
- the failure on ppc64 is a result of buggy code in maketables or a bug in GCC in combination with our security related compiler flags and you can ask for access to ppc64 system on fedora-devel for further investigation
(In reply to comment #4)
> - the failure on ppc64 is a result of buggy code in maketables or a bug in GCC
> in combination with our security related compiler flags and you can ask for
> access to ppc64 system on fedora-devel for further investigation

so it's buggy code ->
the "r" array on line 133 (maketables.c) consists of too small members (word8) for storing word32 values as returned by function multrot2113
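Added example, not part of the original thread and not ccrypt's code: a model of why an array declared with word8 members trips the stack protector when word32 values are stored into it, next to the corrected declaration. It assumes the values are written at full 32-bit width; make_value, guard_survives, narrow_store, last_value_fixed, N and GUARD are hypothetical names, and the frame is simulated in a byte buffer so the program itself has no undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint8_t  word8;    /* 1-byte element type, as named in the report */
typedef uint32_t word32;   /* 4-byte value type, as named in the report */

#define N     4            /* constructed element count */
#define GUARD 0xA5A5A5A5u  /* stand-in for the compiler's stack canary */

/* Hypothetical generator returning full 32-bit values. */
static word32 make_value(unsigned i) { return 0x01020304u * (i + 1u); }

/* Models one stack frame as a byte buffer: N elements of elem_size bytes,
 * immediately followed by a guard word. N word32 values are then stored at
 * word32 stride from the array base. Returns 1 if the guard is intact,
 * 0 if it was overwritten, -1 if elem_size is outside the model. */
static int guard_survives(size_t elem_size)
{
    unsigned char frame[N * sizeof(word32) + sizeof(word32)];
    const word32 guard = GUARD;
    size_t guard_off = N * elem_size;
    word32 seen;

    if (elem_size == 0 || elem_size > sizeof(word32))
        return -1;
    memset(frame, 0, sizeof frame);
    memcpy(frame + guard_off, &guard, sizeof guard);

    for (unsigned i = 0; i < N; i++) {
        word32 v = make_value(i);
        memcpy(frame + i * sizeof v, &v, sizeof v);  /* 4 bytes per store */
    }
    memcpy(&seen, frame + guard_off, sizeof seen);
    return seen == GUARD;
}

/* The other failure mode: element-wise assignment keeps only the low byte. */
static word8 narrow_store(word32 v) { return (word8)v; }

/* Corrected declaration: the element type matches the value type, and a
 * mismatch becomes a compile error instead of a runtime abort. */
static word32 last_value_fixed(void)
{
    word32 r[N];
    _Static_assert(sizeof r[0] >= sizeof(word32), "r[] element too narrow");
    for (unsigned i = 0; i < N; i++)
        r[i] = make_value(i);
    return r[N - 1];
}

int main(void)
{
    printf("word8  elements: guard intact = %d\n", guard_survives(sizeof(word8)));
    printf("word32 elements: guard intact = %d\n", guard_survives(sizeof(word32)));
    printf("narrow store keeps 0x%02x\n", (unsigned)narrow_store(make_value(0)));
    printf("fixed r[N-1] = 0x%08x\n", (unsigned)last_value_fixed());
    return 0;
}
```

In a real frame the overwritten word is the canary that -fstack-protector compares on function return, which is what produces the "stack smashing detected" abort in the build log.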
Thanks for your help.

(In reply to comment #4)
> - a test-suite is included in the sources in the "check" directory, you should
> add a %check section containing "make check" into the spec file

At the moment there is an issue with the 'check'

-------<%---------
BC=8, KC=8, Inverse difference a0[i][j]=232, a1[j*4+i]=-30
BC=8, KC=8, Inverse difference a0[i][j]=8, a1[j*4+i]=109
Inverse: 32 differences
Total: 647 differences
The optimized Rijndael implementation does not agree with the reference implementation.
FAIL: rijndael-check
ccrypt: key does not match
./length-check.sh: test failed for file length 0.
FAIL: length-check.sh
./ccrypt-check.sh:57: Action returned 4 instead of 0.
./ccrypt-check.sh: test failed.
FAIL: ccrypt-check.sh
Random seed: 1236549206
Passed.
PASS: crypt3-check
===================
3 of 4 tests failed
===================
make[2]: *** [check-TESTS] Fehler 1
make[2]: Leaving directory `/home/fab/rpmbuild/BUILD/ccrypt-1.7/check'
make[1]: *** [check-am] Fehler 2
make[1]: Leaving directory `/home/fab/rpmbuild/BUILD/ccrypt-1.7/check'
-------%>---------

(In reply to comment #5)
> (In reply to comment #4)
> > - the failure on ppc64 is a result of buggy code in maketables or a bug in GCC
> > in combination with our security related compiler flags and you can ask for
> > access to ppc64 system on fedora-devel for further investigation
>
> so it's buggy code ->
> the "r" array on line 133 (maketables.c) consists of too small members (word8)
> for storing word32 values as returned by function multrot2113

Added a patch for this. Now it works on ppc64.
(In reply to comment #6)
> Thanks for your help.
>
> (In reply to comment #4)
> > - a test-suite is included in the sources in the "check" directory, you should
> > add a %check section containing "make check" into the spec file
>
> At the moment there is an issue with the 'check'
>
> -------<%---------
>
> BC=8, KC=8, Inverse difference a0[i][j]=232, a1[j*4+i]=-30
> BC=8, KC=8, Inverse difference a0[i][j]=8, a1[j*4+i]=109
> Inverse: 32 differences
> Total: 647 differences
> The optimized Rijndael implementation does not agree with the reference
> implementation.
> FAIL: rijndael-check
> ccrypt: key does not match
> ./length-check.sh: test failed for file length 0.
> FAIL: length-check.sh
> ./ccrypt-check.sh:57: Action returned 4 instead of 0.
> ./ccrypt-check.sh: test failed.
> FAIL: ccrypt-check.sh
> Random seed: 1236549206
> Passed.
> PASS: crypt3-check
> ===================
> 3 of 4 tests failed
> ===================
> make[2]: *** [check-TESTS] Fehler 1
> make[2]: Leaving directory `/home/fab/rpmbuild/BUILD/ccrypt-1.7/check'
> make[1]: *** [check-am] Fehler 2
> make[1]: Leaving directory `/home/fab/rpmbuild/BUILD/ccrypt-1.7/check'
>
> -------%>---------
>

What platform is it? The tests did run successfully on my Rawhide/x86_64.
F10/i386
Hm, in my opinion we should insist on a positive result from the built-in tests.
Yes, the built-in test should be passed successfully. I will try to get in touch with upstream about this issue.
Still, only 3 of 4 tests passed successfully for i386. There are a lot of compiler errors...

Anyway, updated files:

Spec URL: http://fab.fedorapeople.org/packages/SRPMS/ccrypt.spec
SRPM URL: http://fab.fedorapeople.org/packages/SRPMS/ccrypt-1.7-4.fc10.src.rpm

Koji scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=1321176
Now upstream seems to have a formal 1.8 release. Would you check that?
I will. Thanks Mamoru
The spec file should be online. At the moment I have a poor connection and I'm not able to upload the SRPM.
I was lucky, here we go:

Spec URL: http://fab.fedorapeople.org/packages/SRPMS/ccrypt.spec
SRPM URL: http://fab.fedorapeople.org/packages/SRPMS/ccrypt-1.8-1.fc11.src.rpm
Everything looks OK now, tests are passed, the ExcludeArch blocker bug can be removed. It could hardly be better :-) This package is APPROVED.
Thanks Dan for the review and your help with this package.
New Package CVS Request
=======================
Package Name: ccrypt
Short Description: Secure encryption and decryption of files and streams
Owners: fab
Branches: F-10 F-11
InitialCC:
CVS done.
ccrypt-1.8-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/ccrypt-1.8-1.fc10
ccrypt-1.8-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/ccrypt-1.8-1.fc11
ccrypt-1.8-1.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update ccrypt'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-8200
ccrypt-1.8-1.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update ccrypt'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8209
ccrypt-1.8-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
ccrypt-1.8-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
Package Change Request
======================
Package Name: ccrypt
New Branches: epel7 el6
Owners: fab
InitialCC:
Git done (by process-git-requests).