Bug 514104 - Review Request: sigul - A signing server and related software client
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
Assignee: Dennis Gilmore
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-07-28 01:23 UTC by Jesse Keating
Modified: 2013-01-10 03:30 UTC

Last Closed: 2009-07-29 03:23:28 UTC
dennis: fedora-review+
j: fedora-cvs+


Description Jesse Keating 2009-07-28 01:23:36 UTC
Spec URL: http://jkeating.fedorapeople.org/review/sigul.spec
SRPM URL: http://jkeating.fedorapeople.org/review/sigul-0.96-2.src.rpm
Description: 

A signing server, which lets authorized users sign data without having any
access to the necessary private key, a client for the server, and a "bridge"
that connects the two.


Rpmlint only complains about nonstandard uid/gid which is ignorable, and about not being able to read the config file, which is on purpose as it may have account password information.

Comment 1 Dennis Gilmore 2009-07-28 02:01:30 UTC
I'll review this

Comment 2 R P Herrold 2009-07-28 02:29:20 UTC
One of the stated design goals of Mitr was:

https://fedoraproject.org/wiki/User:Mitr
linked off: https://fedorahosted.org/sigul/

No direct access to koji or package repositories 

and yet there is an express koji Requires.

This seems .... not conformant to that goal?

-- Russ herrold

Comment 3 Jesse Keating 2009-07-28 02:40:39 UTC
It uses the Koji API and public URLs to download content and upload signed headers.  What it doesn't require, unlike our own signing software, is an NFS mount to the koji package store.  The term 'direct' here meant a mount on the system.

Koji isn't a hard requirement; sigul can be used to sign things like rpms passed in by the client and return them to the client, bypassing koji altogether.  Our usage in Fedora though will be with a koji system.

Comment 4 Dennis Gilmore 2009-07-28 21:52:24 UTC
rpmlint gives the following warnings/errors:

sigul.noarch: W: non-standard-gid /etc/sigul/server.conf sigul
sigul.noarch: E: non-readable /etc/sigul/server.conf 0640
sigul.noarch: W: non-standard-uid /var/lib/sigul sigul
sigul.noarch: W: non-standard-gid /var/lib/sigul sigul
sigul.noarch: E: non-standard-dir-perm /var/lib/sigul 0700
sigul.noarch: W: non-standard-uid /var/lib/sigul/gnupg sigul
sigul.noarch: W: non-standard-gid /var/lib/sigul/gnupg sigul
sigul.noarch: E: non-standard-dir-perm /var/lib/sigul/gnupg 0700
sigul.noarch: W: non-standard-gid /etc/sigul/bridge.conf sigul
sigul.noarch: E: non-readable /etc/sigul/bridge.conf 0640
2 packages and 0 specfiles checked; 4 errors, 6 warnings.

I think given the nature of the program that they are all ok

builds fine in mock on F-11

as noted in the spec the tarball is not yet uploaded to fedorahosted.

spec is clear, legible and in English.

Approved
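
The triage applied to the rpmlint output in Comment 4, as an added example that is not part of the original thread or of sigul: each finding is accepted only if it reports that a path is locked down (owned by the service account, no permission bits for "other"), and anything else is left for a reviewer. The acceptance policy, the function names and the default owner argument are assumptions of this example.

```python
import re

# rpmlint findings exactly as quoted in Comment 4.
RPMLINT_OUTPUT = """\
sigul.noarch: W: non-standard-gid /etc/sigul/server.conf sigul
sigul.noarch: E: non-readable /etc/sigul/server.conf 0640
sigul.noarch: W: non-standard-uid /var/lib/sigul sigul
sigul.noarch: W: non-standard-gid /var/lib/sigul sigul
sigul.noarch: E: non-standard-dir-perm /var/lib/sigul 0700
sigul.noarch: W: non-standard-uid /var/lib/sigul/gnupg sigul
sigul.noarch: W: non-standard-gid /var/lib/sigul/gnupg sigul
sigul.noarch: E: non-standard-dir-perm /var/lib/sigul/gnupg 0700
sigul.noarch: W: non-standard-gid /etc/sigul/bridge.conf sigul
sigul.noarch: E: non-readable /etc/sigul/bridge.conf 0640
2 packages and 0 specfiles checked; 4 errors, 6 warnings.
"""

FINDING = re.compile(r"^\S+: [EW]: (\S+) (\S+) (\S+)$")
OWNER_CHECKS = {"non-standard-uid", "non-standard-gid"}
MODE_CHECKS = {"non-readable", "non-standard-dir-perm"}


def is_hardening(check, detail, owner):
    """True if the finding only says the path is locked down (assumed policy)."""
    if check in OWNER_CHECKS:
        return detail == owner                   # dedicated service account
    if check in MODE_CHECKS:
        try:
            return int(detail, 8) & 0o007 == 0   # no access for "other"
        except ValueError:
            return False
    return False                                 # unknown check: a human decides


def triage(output, owner="sigul"):
    """Split rpmlint findings into (accepted, needs_review) lists."""
    accepted, needs_review = [], []
    for line in output.splitlines():
        line = line.strip()
        if ": E: " not in line and ": W: " not in line:
            continue                             # summary or blank line
        m = FINDING.match(line)
        if m and is_hardening(m.group(1), m.group(3), owner):
            accepted.append(m.groups())
        else:
            needs_review.append(line)
    return accepted, needs_review
```

All ten findings from Comment 4 land in the accepted list; a world-accessible mode such as 0777 on the same paths, or an owner other than the service account, would land in the review list instead.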

Comment 5 Jesse Keating 2009-07-29 03:10:22 UTC
New Package CVS Request
=======================
Package Name: sigul
Short Description: A signing server and related software client
Owners: jkeating mitr
Branches: EL-5 F-11
InitialCC:

Comment 6 Jason Tibbitts 2009-07-29 03:11:50 UTC
CVS done.

Comment 7 Jesse Keating 2009-07-29 03:23:28 UTC
And built for rawhide.  Cheers!

