Bug 513320 - Review Request: boxbackup - A fast, secure and automatic online backup system
Summary: Review Request: boxbackup - A fast, secure and automatic online backup system
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Jason Tibbitts
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: FE-DEADREVIEW
TreeView+ depends on / blocked
 
Reported: 2009-07-23 02:12 UTC by Stewart Adam
Modified: 2015-09-14 01:23 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-09-14 01:23:49 UTC
Type: ---


Attachments (Terms of Use)

Description Stewart Adam 2009-07-23 02:12:09 UTC
Spec URL: http://firewing.fedorapeople.org/pub/SPECS/boxbackup.spec
SRPM URL: http://firewing.fedorapeople.org/pub/SRPMS/boxbackup-0.11-0.1.rc2.20090721svn.fc11.src.rpm
Description:
Box Backup is a completely automatic on-line backup system. Backed up files
are stored encrypted on a filesystem on a remote server, which does not need
to be trusted. The backup server runs as a daemon on the client copying only
the changes within files, and old versions and deleted files are retained. It
is designed to be easy and cheap to run a server and (optional) RAID is
implemented in userland for ease of use.

rpmlint has no output for the debuginfo or SRPM packages.

$ rpmlint boxbackup-0.11-0.1.rc2.20090721svn.fc11.x86_64.rpm
boxbackup.x86_64: E: non-standard-dir-perm /etc/boxbackup/bbackupd 0700
--> Tighter permissions because the backup client's certificates and encryption keys are stored here
boxbackup.x86_64: W: incoherent-subsys /etc/rc.d/init.d/bbackupd $prog
boxbackup.x86_64: W: incoherent-subsys /etc/rc.d/init.d/bbackupd $prog
--> Can be ignored, $prog is "bbackupd"
boxbackup.x86_64: W: incoherent-init-script-name bbackupd ('boxbackup', 'boxbackupd')
--> boxbackup and boxbackup-server make for better package names
1 packages and 0 specfiles checked; 1 errors, 3 warnings.

$ rpmlint boxbackup-server-0.11-0.1.rc2.20090721svn.fc11.x86_64.rpm
boxbackup-server.x86_64: W: non-standard-uid /etc/boxbackup/bbstored boxbackup
--> The box backup daemon drops privileges and runs as boxbackup, so /etc/boxbackup/bbstored should not be owned by root (see note about permissions below)
boxbackup-server.x86_64: E: non-standard-dir-perm /etc/boxbackup/bbstored 0700
--> This directory cannot be set to 755 to solve the ownership problem above because this folder stores the server's certificates and needs to be kept private.
boxbackup-server.x86_64: W: incoherent-subsys /etc/rc.d/init.d/bbstored $prog
boxbackup-server.x86_64: W: incoherent-subsys /etc/rc.d/init.d/bbstored $prog
--> Can be ignored, $prog is "bbstored"
boxbackup-server.x86_64: W: incoherent-init-script-name bbstored ('boxbackup-server', 'boxbackup-serverd')
--> boxbackup and boxbackup-server make for better package names

Comment 1 Jason Tibbitts 2009-08-19 19:33:34 UTC
This  fails to build for me:

+ test -e configure
+ ./bootstrap
./bootstrap: line 3: aclocal: command not found
./bootstrap: line 4: autoheader: command not found
./bootstrap: line 5: autoconf: command not found

Looks like missing dependencies.  Scratch build at http://koji.fedoraproject.org/koji/taskinfo?taskID=1615423

Comment 2 Stewart Adam 2009-08-20 20:29:15 UTC
Thanks for pointing this out. I've fixed this and I'm doing a scratch build now, if it succeeds I will post updated links.

Comment 3 Stewart Adam 2009-08-20 23:20:01 UTC
Alright, build dependencies fixed. I also disabled the test bench as it requires a large amount of system resources as well as a specific firewall configuration (see comment in SPEC).

SPEC: http://firewing.fedorapeople.org/pub/SPECS/boxbackup.spec
SRPM: http://firewing.fedorapeople.org/pub/SRPMS/boxbackup-0.11-0.3.rc2.20090721svn.fc11.src.rpm
Scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=1618669

Comment 4 Stewart Adam 2009-09-17 02:04:33 UTC
Updated to build to SVN r2559, which includes the changes made in 0.11rc4:

SPEC: http://firewing.fedorapeople.org/pub/SPECS/boxbackup.spec
SRPM: http://firewing.fedorapeople.org/pub/SRPMS/boxbackup-0.11-0.1.rc4.20090916svn.src.rpm

This SRPM also fixes the issue of .svn directories being included as %doc files.

Comment 5 Alexander Boström 2010-01-04 09:59:35 UTC
License http://www.boxbackup.org/license.html looks like "BSD with advertising", though it's not exactly the same. It's probably a good idea to let fedora-legal confirm that it's "close enough". See
http://fedoraproject.org/wiki/Licensing:Main#Good_Licenses

Comment 6 Tom "spot" Callaway 2010-01-13 19:56:53 UTC
Indeed, that license is non-free. The reason is because of the wording:

  3. All use of this software and associated advertising materials must 
     display the following acknowledgement:
         This product includes software developed by Ben Summers.

This differs from the standard BSD with advertising in that it includes the words "all use of this software". This is probably just a case of poor license drafting, but even if he means that interactive programs must display an acknowledgement, as written the clause goes beyond that.

The obvious way to make this free would be to reword it to match BSD with advertising (as sick as it makes me to type that):

  3. All advertising materials mentioning features or use of this software must
     display the following acknowledgement:
         This product includes software developed by Ben Summers.

Even better would be for it to drop the advertising clause altogether and use stock BSD, because it also eliminates the GPL incompatibility caused by the advertising clause.

As it stands now, this is blocked for Fedora.

Comment 7 Jason Tibbitts 2010-01-14 21:32:29 UTC
Blocking FE-Legal as there's not much point in reviewing this in its current state.

Comment 8 Stewart Adam 2010-01-15 02:40:11 UTC
I've spoken with upstream, here's a link to discussion on the box backup mailing list: http://lists.boxbackup.org/pipermail/boxbackup/2010-January/000005.html

It seems that they were already thinking about this as well, so once Ben (the main contributor to box backup) agrees then the license can be switched to GPL or BSD.

Comment 9 Stewart Adam 2010-02-02 20:24:57 UTC
Box Backup is now dual-licensed: the core libraries are BSD and the rest is GPL-like, with optional exceptions for linking against the Microsoft VSS SDK and OpenSSL.

Chris's post about the change is here:
http://lists.boxbackup.org/pipermail/boxbackup/2010-January/000034.html

The full changes in the license can be viewed in trac:
http://www.boxbackup.org/trac/changeset/2600

Does this look OK to accept into Fedora now?

Comment 10 Tom "spot" Callaway 2010-02-04 18:03:46 UTC
Looks good, please pass along my thanks to upstream on a thorough and well thought out relicensing effort.

Lifting FE-Legal.

Comment 11 Martin Ebourne 2010-02-05 03:12:22 UTC
FYI I'm happy to be a co-maintainer on this one if you like. I'm already a Fedora package maintainer, and an upstream developer for Box Backup (and the original RPM packager). Thanks for your work to submit this for Fedora Stewart.

Comment 12 Stewart Adam 2010-02-05 03:14:33 UTC
Sure, that would be great!

Comment 13 Jason Tibbitts 2010-11-02 02:35:11 UTC
Did anything ever happen here?  It would be good to get at least an updated spec/srpm set with the relicensed code.

Comment 14 Stewart Adam 2010-11-04 18:41:28 UTC
(In reply to comment #13)
> Did anything ever happen here?  It would be good to get at least an updated
> spec/srpm set with the relicensed code.
I'll try to build an updated package for this weekend.

Comment 15 Stewart Adam 2010-11-13 23:40:43 UTC
SPEC: http://firewing.fedorapeople.org/pub/SPECS/boxbackup.spec
SRPM: http://firewing.fedorapeople.org/pub/SRPMS/boxbackup-0.11-0.1.rc8.fc14.src.rpm
Scratch build for dist-f14: http://koji.fedoraproject.org/koji/taskinfo?taskID=2599478

I have changed the UID to 52 since 50 & 51 have been taken since the review started and I also updated the license tag to reflect the licensing changes in the project (binaries are now under GPLv2+, with certain exceptions, or 3-clause BSD).

The licensing for the source code is a bit complex, however it is described in the LICENSE-DUAL.txt and LICENSE-GPL.txt files included as %doc.

The project also doesn't compile any shared libraries, only a few CLI utilities and a daemon so the licensing for binary distribution becomes extremely simple: GPLv2+ with exceptions, or BSD.

Comment 16 Jason Tibbitts 2010-11-15 16:07:18 UTC
Can you explain why this absolutely requires a static UID?  Will a dynamically allocated UID not work?  We have very, very few UIDs we can allocate so we really don't want to do so unless it is absolutely necessary.

Comment 17 Jason Tibbitts 2010-11-15 16:08:50 UTC
Oh, and also, that fedora-usermgmt stuff is really a terribly bad idea.  Does the officially recognized procedure not work for this package for some reason?  https://fedoraproject.org/wiki/Packaging:UsersAndGroups

Comment 18 Stewart Adam 2010-11-22 05:16:18 UTC
Sorry about the usermgmt stuff, I followed an example from another package without realizing it was non-standard. I've switched to a dynamically created user as well as fixed a minor error in the server package's README file.

SPEC: http://firewing.fedorapeople.org/pub/SPECS/boxbackup.spec
SRPM: http://firewing.fedorapeople.org/pub/SRPMS/boxbackup-0.11-0.2.rc8.fc14.src.rpm

Comment 19 Jason Tibbitts 2010-11-23 17:44:12 UTC
I thought I saw on IRC that someone was going to review this last week, but nothing seems to have happened so I'll make some further comments.

The makefile hides important data; adding 'V=1' to the make call makes it more useful.

I'll trust the previous licensing work and assume that license tag and such are correct.

Your scriptlets don't seem to correspond to the recommended ones from http://fedoraproject.org/wiki/Packaging/SysVInitScript#Initscripts_in_spec_file_scriptlets
It seems to me that you do the restart on upgrade at the wrong time.  It should be in the new package %post, not the old package %preun.  What you have restarts the old server, uninstalls it and installs the new one.  (Of course, the whole initscript thing is changing for f15, but we don't have any systemd guidelines yet).

Here's the rpmlint output:
  boxbackup.x86_64: E: non-standard-dir-perm /etc/boxbackup/bbackupd 0700L
  boxbackup.x86_64: W: incoherent-subsys /etc/rc.d/init.d/bbackupd $prog
  boxbackup.x86_64: W: incoherent-subsys /etc/rc.d/init.d/bbackupd $prog
  boxbackup.x86_64: W: incoherent-init-script-name bbackupd
   ('boxbackup', 'boxbackupd')
These are all OK.

  boxbackup-debuginfo.x86_64: W: spurious-executable-perm /usr/src/debug
   /boxbackup-0.11rc8/lib/win32/getopt.h
It's odd that the header is executable, and doubly odd that it's in the package at all.  Why is the stuff in lib/win32 being built?


(cd ../../lib/win32; make -q RELEASE=1 NODEPS=1 || make RELEASE=1 NODEPS=1)
make[2]: Entering directory `/builddir/build/BUILD/boxbackup-0.11rc8/lib/win32'
g++ -DBOX_RELEASE_BUILD -O2 -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wall -Wundef 
-DBOX_VERSION="\"0.11rc8\""  -DBOX_MODULE="\"lib/win32\"" -c emu.cpp -o ../../release/lib/win32/emu.o
g++ -DBOX_RELEASE_BUILD -O2 -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wall -Wundef -DBOX_VERSION="\"0.11rc8\""  -DBOX_MODULE="\"lib/win32\"" -c getopt_long.cpp -o ../../release/lib/win32/getopt_long.o
(echo -n > ../../release/lib/win32/win32.a; rm ../../release/lib/win32/win32.a)
ar cq ../../release/lib/win32/win32.a ../../release/lib/win32/emu.o ../../release/lib/win32/getopt_long.o
ranlib ../../release/lib/win32/win32.a
make[2]: Leaving directory `/builddir/build/BUILD/boxbackup-0.11rc8/lib/win32'

  boxbackup-server.x86_64: W: non-standard-uid /etc/boxbackup/bbstored boxbackup
  boxbackup-server.x86_64: E: non-standard-dir-perm
   /etc/boxbackup/bbstored 0700L
  boxbackup-server.x86_64: W: incoherent-subsys /etc/rc.d/init.d/bbstored $prog
  boxbackup-server.x86_64: W: incoherent-subsys /etc/rc.d/init.d/bbstored $prog
  boxbackup-server.x86_64: W: incoherent-init-script-name bbstored
   ('boxbackup-server', 'boxbackup-serverd')
These are all OK.

Why are the files in /etc/boxbackup/ completely empty?

Comment 20 Stewart Adam 2010-11-23 20:27:49 UTC
(In reply to comment #19)
> I thought I saw on IRC that someone was going to review this last week, but
> nothing seems to have happened so I'll make some further comments.
> 
> The makefile hides important data; adding 'V=1' to the make call makes it more
> useful.
Done.

> 
> I'll trust the previous licensing work and assume that license tag and such are
> correct.
I've double checked this and to the best of my knowledge (IANAL) it is OK. The only possible problem I see is that the GPL license has exceptions for MS VSS and OpenSSL, so strictly speaking it isn't standard GPL nor "GPLv2+ with exceptions" as defined in the Fedora licensing page... In the LICENSE-DUAL.TXT it's referred to as "Box Backup GPL".

> Your scriptlets don't seem to correspond to the recommended ones from
> http://fedoraproject.org/wiki/Packaging/SysVInitScript#Initscripts_in_spec_file_scriptlets
Sorry about that! I must have misread the %postun for %preun and appended it to the other scriptlets... Fixed it.

>   boxbackup-debuginfo.x86_64: W: spurious-executable-perm /usr/src/debug
>    /boxbackup-0.11rc8/lib/win32/getopt.h
> It's odd that the header is executable, and doubly odd that it's in the package
> at all.  Why is the stuff in lib/win32 being built?
It looks as if that file acts as a sort of abstraction layer. If on Unix, it maps the EMU_{F,L,}STAT structs to the system ones and stops because of this line:
#if ! defined EMU_INCLUDE && defined WIN32

The rest of Box Backup references EMU_* and so it will automatically get the right one depending on the platform. I believe something similar happens in getopt_long.cpp because neither _MSC_VER or __MINGW32__ should be defined.

> Why are the files in /etc/boxbackup/ completely empty?
/etc/boxbackup/bbstored and /etc/boxbackup/bbbackupd are the locations that the services store the account data and user/server certificates so that will vary from machine to machine and it needs to be initialized correctly by the user (I provide instructions on how to do so in the README.fedora files for each package)

I suppose it would be possible to provide a sample configuration and let the user create the certificates, but then we'd be dictating where backups are stored on the server machine and disabling the userland raid feature. I think it is much easier to let Box Backup handle all of it - the tools included easily and quickly create the necessary configuration and certificates once the user provides information about the server (or client) machine.

SPEC: http://firewing.fedorapeople.org/pub/SPECS/boxbackup.spec
SRPM: http://firewing.fedorapeople.org/pub/SRPMS/boxbackup-0.11-0.3.rc8.fc14.src.rpm

Comment 21 Jason Tibbitts 2010-12-14 19:47:48 UTC
Hate to do this, but now that I look at the license stuff I'm having trouble figuring out what's what.  The COPYING.txt file indicates that a bunch of stuff is under their specific "GPLv2+ with exceptions" license, and that some of the code is dual licensed "GPL (v something) or BSD", and of course it says "unless stated otherwise in the file" so you have to check all of the files.

So it looks to me to be a bit more complicated than just "BSD or GPLv2+ with exceptions".  You will need to figure out which parts of the final packages are under which license(s) and indicate that, generally with a comment in the spec near the License: tag but if it gets overly complex you can move it off to a file included as documentation.

I'm guessing since spot already signed off on these that there's no problem with compatibility between the different license stuff, since you can always use the dual-licensed stuff under the BSD license in order to link it with the GPLv2+ with exceptions stuff.

It seems that nothing owns /etc/boxbackup.


* source files match upstream.  sha256sum:
  7bd734b5ab37f67aa88029635306e586b9e33bffe4ded5760f9d299b2b03e01b
   boxbackup-0.11rc8.tgz
* package meets naming and versioning guidelines.
* specfile is properly named, is cleanly written and uses macros consistently.
* summaries are OK.
* descriptions are OK.
* dist tag is present.
? license field matches the actual license.
* license is open source-compatible.
* license text included in package.
* latest version is being packaged.
* BuildRequires are proper.
* compiler flags are appropriate.
* package builds in mock (rawhide, x86_64).
* package installs properly.
* debuginfo package looks complete.
* rpmlint has acceptable complaints.
* final provides and requires are sane:
  boxbackup-0.11-0.3.rc8.fc15.x86_64.rpm
   config(boxbackup) = 0.11-0.3.rc8.fc15
   boxbackup = 0.11-0.3.rc8.fc15
   boxbackup(x86-64) = 0.11-0.3.rc8.fc15
  =
   /bin/bash  
   /bin/sh  
   /usr/bin/perl  
   chkconfig  
   config(boxbackup) = 0.11-0.3.rc8.fc15
   initscripts  
   libcrypto.so.10()(64bit)  
   libdb-4.8.so()(64bit)  
   libedit.so.0()(64bit)  
   libgcc_s.so.1()(64bit)  
   libgcc_s.so.1(GCC_3.0)(64bit)  
   libssl.so.10()(64bit)  
   libstdc++.so.6()(64bit)  
   libstdc++.so.6(CXXABI_1.3)(64bit)  
   libstdc++.so.6(GLIBCXX_3.4)(64bit)  
   libstdc++.so.6(GLIBCXX_3.4.11)(64bit)  
   libstdc++.so.6(GLIBCXX_3.4.14)(64bit)  
   libstdc++.so.6(GLIBCXX_3.4.9)(64bit)  
   libz.so.1()(64bit)  
   openssl >= 0.9.7a
   perl(strict)  
   shadow-utils  

  boxbackup-server-0.11-0.3.rc8.fc15.x86_64.rpm
   config(boxbackup-server) = 0.11-0.3.rc8.fc15
   boxbackup-server = 0.11-0.3.rc8.fc15
   boxbackup-server(x86-64) = 0.11-0.3.rc8.fc15
  =
   /bin/bash  
   /bin/sh  
   /usr/bin/perl  
   config(boxbackup-server) = 0.11-0.3.rc8.fc15
   libcrypto.so.10()(64bit)  
   libdb-4.8.so()(64bit)  
   libedit.so.0()(64bit)  
   libgcc_s.so.1()(64bit)  
   libgcc_s.so.1(GCC_3.0)(64bit)  
   libssl.so.10()(64bit)  
   libstdc++.so.6()(64bit)  
   libstdc++.so.6(CXXABI_1.3)(64bit)  
   libstdc++.so.6(GLIBCXX_3.4)(64bit)  
   libstdc++.so.6(GLIBCXX_3.4.11)(64bit)  
   libstdc++.so.6(GLIBCXX_3.4.14)(64bit)  
   libstdc++.so.6(GLIBCXX_3.4.9)(64bit)  
   libz.so.1()(64bit)  
   perl(strict)  

* no bundled libraries.
X fails to own /etc/boxbackup.
* doesn't own any directories it shouldn't.
* no duplicates in %files.
* file permissions are appropriate.
* no generically named files
* scriptlets are OK (service management, user creation).
* code, not content.
* documentation is small, so no -doc subpackage is necessary.
* %docs are not necessary for the proper functioning of the package.
* no static libraries.
* no libtool .la files.

Comment 22 Jason Tibbitts 2011-01-20 01:13:55 UTC
Any update here?

Comment 23 Stewart Adam 2011-01-24 20:27:35 UTC
Sorry about the delays, I've investigated the license problem and upload an updated package up soon. For Fedora it looks like it will be only GPLv2+ with exceptions, since the compiles include lib/backupclient which (among others) is GPLv2+ only.

Comment 24 Stewart Adam 2011-02-19 22:30:00 UTC
SPEC: http://firewing.fedorapeople.org/pub/SPECS/boxbackup.spec
SRPM: http://firewing.fedorapeople.org/pub/SRPMS/boxbackup-0.11-0.4.rc8.fc14.src.rpm

I have changed the License tag to "Box Backup GPL", which is the name upstream gave for the GPLv2-like license with the linking exceptions for OpenSSL and MS VSS. This makes rpmlint output a new warning:
boxbackup.src: W: invalid-license Box Backup GPL

Although I believe we can ignore this as spot gave the OK. Perhaps we ask him to look it over quickly again just to be sure?


As for the ownership of /etc/boxbackup, the troublesome part is that both the client and the server packages store their files in sub-directories of /etc/boxbackup so I've made both packages own it.

rpmlint also complains about this:
boxbackup.x86_64: W: non-standard-uid /etc/boxbackup boxbackup
boxbackup.x86_64: E: non-standard-dir-perm /etc/boxbackup 0700L
I've done used nonstandard permissions (boxbackup:root 0700) to prevent outside users from taking peeks at the backup configuration (for either the client or server) or from gaining access to the certificates/encryption keys.

Comment 25 Jason Tibbitts 2011-02-20 16:36:32 UTC
Well, we don't invent new license tags without going through legal.  Generally we'd use "GPLv2 with exceptions" for that kind of thing but if you think it deserves a new tag, we'll block FE-Legal again and see what spot says.

Comment 26 Tom "spot" Callaway 2011-02-21 15:16:59 UTC
Yeah, I would prefer we use GPLv2 with exceptions, as they really haven't created a new license here (at least not for the purposes of tracking).

Comment 28 Jason Tibbitts 2012-05-09 19:36:09 UTC
Hmm, this is still blocking FE-Legal so I haven't really looked at it until now, but isn't the legal issue resolved with that last update?

The package is outdated now and some packaging guidelines have moved on a bit, but if the legal issue is resolved and the package is updated then I'm willing to finish this up.  Just let me know.

Comment 29 Tom "spot" Callaway 2012-05-09 19:41:08 UTC
Lifting FE-Legal, as this seems to be okay now.

Comment 30 Stewart Adam 2012-05-10 06:13:25 UTC
Great, thanks - I'll read over the changes made to the guidelines and post an updated RPM soon.

Comment 31 Stewart Adam 2015-09-12 20:11:54 UTC
Note: I've stopped using Box Backup and no longer have an interested in maintaining this package. I'll leave this open for someone else to pick up if they wish.


Note You need to log in before you can comment on or make changes to this bug.