Spec URL: http://www.gnat.ca/dspam.spec
SRPM URL: http://www.gnat.ca/dspam-3.9.0-BETA4.src.rpm
Description: The DSPAM agent masquerades as the email server's local delivery agent and filters/learns spams using an advanced Bayesian statistical approach (based on Bayes' theorem of combined probabilities) which provides an administratively maintenance-free, easy-learning Anti-Spam service custom tailored to each individual user's behavior. Advanced because on top of standard Bayesian filtering is also incorporated the use of Chained Tokens, de-obfuscation, and other enhancements. DSPAM works great with Sendmail and Exim, and should work well with any other MTA that supports an external local delivery agent (postfix, qmail, etc.)
( From the message of the submitter on fedora-devel-list blocking needsponsor )
*** Bug 435121 has been marked as a duplicate of this bug. ***
I recommend you read the Fedora packaging guidelines: https://fedoraproject.org/wiki/PackageMaintainers
I have been. The file I posted has been updated probably 4 times since I posted it. I basically got it to the point where rpmlint no longer issued any warnings and I just learned I could run rpmlint on the actual rpms as well so I'm cleaning those up as well. I've also looked over the duplicate bug that was closed and tried to learn a bit from there as well. I will continue to update this spec as I find pieces that don't meet the guidelines but some of it is simply that I'm not familiar enough with the guidelines as I go through it to notice infractions.
Very few rpmlint messages now...
* Mon Nov 16 2009 Nathanael Noblet <nathanael> - 3.9.0-BETA4
- Revise permission on /etc/dspam.conf and /var/lib/dspam
- Remove compression on documentation
- Move driver documentation to subpackages
- Remove sqlite_drv.txt if neither sqlite driver is being built
- Remove .la and .a files
- Disable install-strip for the debuginfo package
* Sun Nov 15 2009 Stevan Bajic <stevan> - 3.9.0-BETA4
- Splitting into libdspam package and driver package
- Moving static libs and libtool archives into libdspam-devel package
- Enabling build of single storage driver statically linked into DSPAM
- Enabling build of single storage driver as dynamically loaded module
- Compressing SQL files and documentation
- Added version tag to change log
- Renamed cron and logrotate scripts to follow Fedora packing guidelines
- Added post/postun for libdspam and all libdspam storage drivers
- Replaced all tabs with softtabs (don't know if this is needed but Nathanael had it that way)
- Enabled install-strip
- Extended package description
What is your Fedora account user name? Can you post an updated spec file + src.rpm file?
account user name is gnat. The spec file + src.rpm file is at the url provided. I've been updating them directly each time I make a change.
Please bump the version and post an updated version after each change: spec file, src.rpm. Also, a koji scratch build would be welcome.
Looks like it completed successfully. Task info: http://koji.fedoraproject.org/koji/taskinfo?taskID=1811003
Looks like my English is too bad, because I have asked you to post spec file + src.rpm + koji scratch build. I am sorry, you don't want to follow my instructions, then I don't want to help you! I think no one will help you if you don't follow instructions. Please stop wasting the time of others. Good luck!
In the first post is the following:
Spec URL: http://www.gnat.ca/dspam.spec
SRPM URL: http://www.gnat.ca/dspam-3.9.0-BETA4.src.rpm
The message *just* before yours is:
Task info: http://koji.fedoraproject.org/koji/taskinfo?taskID=1811003
For my koji scratch build. I fail to see how I'm not following instructions.
I will from now on bump the version as I work on it, but currently what is posted up there is the latest and greatest.
Updated version info as per the naming guidelines.
http://www.gnat.ca/dspam.spec
http://www.gnat.ca/dspam-3.9.0-0.1.BETA4.fc12.src.rpm
Nothing has changed except the version number. About all the conditionals: I can remove them if required. However upstream would like to stay in sync with this rpm package, so I was hoping we could keep the conditionals in there in case someone wanted to get the srpm and build with some conditionals to get a different package. Originally the spec file had one default of not building any of the sub packages. It has now been set up with the most sensible defaults allowing users to pick their backend storage on Fedora. If the conditionals are a problem (I looked and saw nothing in the guidelines about it), I can remove them; however, as stated above, upstream would then keep its own copy of the spec for whatever reason and Fedora users that wanted to rebuild dspam with other options for whatever reason would have to hack the specfile. Let me know if conditionals like that are a no-no; like I said, I didn't see anything in the guidelines about it.
Please remove the conditionals, especially things like
"# use "rpmbuild --with single_dyn_drv" or "rpm --define '_with_single_dyn_drv 1'" (for RPM 3.x)"
It doesn't make any sense whatsoever for a new package in Fedora to have a conditional for a non-current RPM release. All the conditionals just look very convoluted. You can keep a minimum number of them if really required, with comments on where this is useful.
Removed all conditionals.
http://www.gnat.ca/dspam.spec
http://www.gnat.ca/dspam-3.9.0-0.4.BETA4.fc12.src.rpm
I'm also trying to find out about the two setgid binaries rpmlint complains about.
I'm also wondering what to do about the URL: Source0: tags... The files are on sourceforge and I've seen posts on fedora-devel list about making sure that URL/Source0 can actually download the file. Are there other spec files with sourceforge downloads I can look at?
Every Fedora distro has perl and sed.
Requires: sed
Requires: perl
No need to have this in Requires; also you can remove versioning in Requires: mysql-devel >= 4.0 etc...
For source URL, refer to https://fedoraproject.org/wiki/Packaging/SourceURL There are several thousands of spec files at http://cvs.fedoraproject.org/viewvc/rpms/
A note on Requires at https://fedoraproject.org/wiki/Packaging/Guidelines#Requires
http://www.gnat.ca/dspam.spec
http://www.gnat.ca/dspam-3.9.0-0.5.BETA4.fc12.src.rpm
Thanks for the link re: Source0
* Wed Nov 18 2009 Nathanael Noblet <nathanael> - 3.9.0-0.5.BETA4
- Cleanup Requires
- Stop building web ui as some perl dependancies are unmet
- Fixed Source0 url
For me there is no reason to use versioning:
BuildRequires: sqlite-devel >= 3.0
BuildRequires: autoconf >= 2.5
BuildRequires: automake >= 1.7
Also at the bottom
# make some dirs
this is not necessary, you can use install -Dp -m , this will create directories if necessary.
You can move dspam-web-ui.conf out of the spec file and use it as SOURCE4; this will make your spec file smaller and more readable.
According to packaging guidelines: "The Vendor tag should not be used. It is set automatically by the build system"
If you build only for Fedora, you can drop
"Buildroot: %{_tmppath}/%{name}-%{version}-root"
and after the %install line, drop
"[ "$RPM_BUILD_ROOT" != "/" ] && %{__rm} -rf $RPM_BUILD_ROOT"
after the %clean line, change to
%{__rm} -rf $RPM_BUILD_ROOT
!=/ check is unnecessary. RPM takes care of that.
Another question: Why are you packaging the BETA release instead of the latest stable version?
> If you build only for Fedora, you can drop
>
> "Buildroot: %{_tmppath}/%{name}-%{version}-root"
Please leave the build root, I want it for EL-5. Look -> https://fedoraproject.org/wiki/Packaging:Guidelines#BuildRoot_tag
I've tried removing the # make some dirs parts so for example I now have
%{__install} -Dp -m 644 src/tools.mysql_drv/*.sql.gz $RPM_BUILD_ROOT%{_datadir}/%{name}/sql-scripts/mysql/
But it fails
/usr/bin/install: target `/home/gnat/Projects/Packages/BUILDROOT/dspam-3.9.0-0.6.BETA4.fc12.x86_64/usr/share/dspam/sql-scripts/mysql/' is not a directory: No such file or directory
I've tried looking at man install, so I'm a bit confused; the -D should work, should it not?
About the BETA release. 3.8.0 is REALLY old, and upstream has basically taken 3.8 and applied a bunch of fixes and community patches. Upstream had gone dead twice in the last 3 years. The original author had his software purchased by a company. That company did nothing, and released it fully open to the community that wanted to continue development. Packaging 3.8 would be a waste of time as 3.9 should be out soon enough, and is really 3.8 + fixes.
For what reason are you running this?
%build
aclocal -I m4
sh ./autogen.sh
autoheader
automake --add-missing
autoconf
umask 022
I think autogen.sh runs all the required commands itself. It also seems to work without this; have you tried?
http://www.gnat.ca/dspam.spec
http://www.gnat.ca/dspam-3.9.0-0.6.BETA4.fc12.src.rpm
* Thu Nov 19 2009 Nathanael Noblet <nathanael> - 3.9.0-0.6.BETA4
- Use install -Dp -m instead of pre-creating the directories
- Move dspam-webui.conf to Source4
- Removed some of the autoX calls
http://www.gnat.ca/dspam.spec
http://www.gnat.ca/dspam-3.9.0-0.7.BETA4.fc12.src.rpm
* Thu Nov 19 2009 Nathanael Noblet <nathanael> - 3.9.0-0.7.BETA4
- Changed BuildRoot definition
- Don't test for buildroot in install section
also in release 0.7...
- Remove setgid on dspamc
- Moved css* binaries to disabled dspam-web subpackage
http://www.gnat.ca/dspam.spec
http://www.gnat.ca/dspam-3.9.0-0.8.BETA4.fc12.src.rpm
* Thu Nov 19 2009 Nathanael Noblet <nathanael> - 3.9.0-0.8.BETA4
- Restored css* binaries they are hash driver utilities
I'm talking with upstream about renaming their hash utils from csscompress to dspam-hash-compress or something along those lines; the names are deceiving and conflict with CRM114 if it ever got packaged.
# remove .la files
find $RPM_BUILD_ROOT -name *.la | xargs rm -rf
# remove .a files
find $RPM_BUILD_ROOT -name *.a | xargs rm -rf
I prefer this way.
find $RPM_BUILD_ROOT -name '*.la' -exec rm {} \;
find $RPM_BUILD_ROOT -name '*.a' -exec rm {} \;
* Wed Nov 25 2009 Nathanael Noblet <nathanael> - 3.9.0-0.9.BETA4
- Modified the line removing .la and .a files
http://www.gnat.ca/dspam.spec
http://www.gnat.ca/dspam-3.9.0-0.9.BETA4.fc12.src.rpm
Some notes
A. Description, etc.
* Naming
  - Please explain why you want to name subpackages in libdspam(-foo) style. On Fedora usually subpackages are named as "dspam-libs" or "dspam-devel" or "dspam-hash" or so.
    ! By the way, but for "libdspam" and "libdspam-devel", the naming of libdspam-foo subpackages are definitely wrong because none of these package contains system-wide libraries.
  - Files under %_libdir/dspam are just plugins and not system-wide libraries. Also see below (about calling ldconfig)
  - "%package -n dspam-web" can simply be "%package web"
* Dependency between subpackages
  https://fedoraproject.org/wiki/Packaging/Guidelines#Requiring_Base_Package
  - "dspam" binary rpm should have "dspam-libs = %{version}-%{release}"
  - "dspam-hash" should have "dspam = %{version}-%{release}" (and other subpackage should have similar dependency).
    ! Note that dependency between subpackages should usually be EVR (Epoch-Version-Release) specific, not just version.
* Other dependency
  - "Requires: pkgconfig" (for -devel subpackage) is no longer needed (for F-11/12/13)
    https://fedoraproject.org/wiki/PackagingDrafts/PkgconfigAutoRequires
    (This is still a draft, however will be accepted on 2009-12-03).
  - For perl module related dependency, please use virtual provides names instead of using rpm names directly.
    https://fedoraproject.org/wiki/Packaging/Perl#Perl_Requires_and_Provides
B. %prep, %build, %install, %check
* Timestamp
  - Please consider to use
---------------------------------------------------------------
make install DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p"
---------------------------------------------------------------
    to keep timestamps on installed files. This method usually works for Makefiles generated by recent autotools.
C. scriptlets / service
* "source"ing /etc/profile
  - Why do you "source" /etc/profile? (note that rpm executes these scriptlets in subshells and subshell exits when those scriptlets are done)
* Calling /sbin/ldconfig
  - You don't have to call /sbin/ldconfig for rpms not containing system-wide libraries (i.e. needed only for dspam-libs binary rpm)
* restart service on %postun
  - is wrong because "restart" activates service even if the service was off before (this should be condrestart)
    https://fedoraproject.org/wiki/Packaging/SysVInitScript#Initscripts_in_spec_file_scriptlets
* Missing Requires
  - Add missing "Requires(post): chkconfig" or so:
    https://fedoraproject.org/wiki/Packaging/SysVInitScript#Initscripts_in_spec_file_scriptlets
* service-default-enabled
  https://fedoraproject.org/wiki/Packaging/SysVInitScript#.23_chkconfig:_line
  - rpmlint shows:
-------------------------------------------------------------
dspam.i686: W: service-default-enabled /etc/rc.d/init.d/dspam
-------------------------------------------------------------
    i.e. currently dspam service is enabled by default once dspam rpm is enabled, which is usually not desired. Usually service should be off by default, i.e. change the line
-------------------------------------------------------------
# chkconfig: 345 70 30
-------------------------------------------------------------
    to
-------------------------------------------------------------
# chkconfig: - 70 30
-------------------------------------------------------------
D. %files
* %defattr
  - Now we usually use %defattr(-,root,root,-)
* Owner/Group/Permission
---------------------------------------------------------------
-r-x--s--x 1 root root 88252 Nov 29 16:10 /usr/bin/dspam
---------------------------------------------------------------
  - However your spec file shows:
---------------------------------------------------------------
120 %configure \
137 --with-dspam-owner='%{dspam_user}' \
138 --with-dspam-group='%{dspam_group}' \
---------------------------------------------------------------
    and build.log shows:
---------------------------------------------------------------
779 chown: changing ownership of `/builddir/build/BUILDROOT/dspam-3.9.0-0.9.BETA4.fc13.i386/usr/bin/dspam': Operation not permitted
784 chgrp: changing group of `/builddir/build/BUILDROOT/dspam-3.9.0-0.9.BETA4.fc13.i386/usr/bin/dspam': Operation not permitted
801 chown: changing ownership of `/builddir/build/BUILDROOT/dspam-3.9.0-0.9.BETA4.fc13.i386/var/lib/dspam': Operation not permitted
802 chgrp: changing group of `/builddir/build/BUILDROOT/dspam-3.9.0-0.9.BETA4.fc13.i386/var/lib/dspam': Operation not permitted
815 chown: changing ownership of `/builddir/build/BUILDROOT/dspam-3.9.0-0.9.BETA4.fc13.i386/var/log/dspam': Operation not permitted
816 chgrp: changing group of `/builddir/build/BUILDROOT/dspam-3.9.0-0.9.BETA4.fc13.i386/var/log/dspam': Operation not permitted
---------------------------------------------------------------
    So the owner/group of these files/directories seem wrong (in the binary rpms). Set these explicitly by %attr.
  - Also build.log shows:
---------------------------------------------------------------
798 chmod "770" /builddir/build/BUILDROOT/dspam-3.9.0-0.9.BETA4.fc13.i386/var/lib/dspam; \
812 chmod "770" /builddir/build/BUILDROOT/dspam-3.9.0-0.9.BETA4.fc13.i386/var/log/dspam; \
---------------------------------------------------------------
    However, currently these directories have 0755 permission (in the binary rpm). Please check if permissions are set correctly.
* %files entry unification
  - By the way %files entry
---------------------------------------------------------------
%files
%dir foo/
foo/*
---------------------------------------------------------------
    (where foo/ is a directory) can be unified as
---------------------------------------------------------------
%files
foo/
---------------------------------------------------------------
    This style contains the directory foo/ itself and all files/directories/etc under foo/.
* Macros
  - Use %{_initddir} for %_sysconfdir/rc.d/init.d:
    https://fedoraproject.org/wiki/Packaging/SysVInitScript#Initscripts_on_the_filesystem
* Directory ownership issue
  - The following directories are not owned by any packages:
--------------------------------------------------------------
/usr/share/dspam/
/usr/share/dspam/sql-scripts/
--------------------------------------------------------------
E. Misc
* Permission of files in srpm
--------------------------------------------------------------
dspam.src: W: strange-permission dspam-logrotate 0600
dspam.src: W: strange-permission dspam-cron 0775
dspam.src: W: strange-permission dspam-init.d 0600
--------------------------------------------------------------
  - Usually we request that all files in srpm should be 0644.
I think I caught everything you pointed out except with the following:
1) I didn't do much about file/dir permissions yet but will. I have questions I'll post in a separate comment.
2) I didn't rename the libdspam to dspam-libs because you can install the library independent of dspam, it can be used in other projects/programs. If someone were to write a plugin for evolution or thunderbird. the dspam package is only necessary for an MTA, whereas the library can be used in all sorts of places.
3) The libdspam-X are required by the library for storage of all the token data it produces. So I'm not sure what to call them other than libdspam-X, I could rename them to dspam-plugin-X or dspam-storage-X but that implies you need the dspam package which you don't. So if you could advise what to do here.
%changelog
* Sun Nov 29 2009 Nathanael Noblet <nathanael> - 3.9.0-0.10.BETA4
- Change dspam init to not be enabled by default
- Add EVR dependancy from all sub packages
- Removed pkgconfig requirement
- package -n dspam-web renamed to package web
- Updated perl requires even though dspam-web is not being built currently
- Added post/preun requirements to chkconfig and initscripts
- Updated defattr lines
- use _initrddir instead of _sysconfdir/rc.d/init.d (RHEL compat)
- updated source file permissions
- get libdspam to own the sql-scripts directory
http://www.gnat.ca/dspam.spec
http://www.gnat.ca/dspam-3.9.0-0.10.BETA4.fc12.src.rpm
When you say the following:
============ START QUOTE ==========================================
* %files entry unification
  - By the way %files entry
---------------------------------------------------------------
%files
%dir foo/
foo/*
---------------------------------------------------------------
    (where foo/ is a directory) can be unified as
---------------------------------------------------------------
%files
foo/
---------------------------------------------------------------
    This style contains the directory foo/ itself and all files/directories/etc under foo/.
============ END QUOTE ===========================================
I started looking at some of the files entries and am not sure about some of them for example. Should %{_bindir}/* be %{_bindir}/? Wouldn't that mean I would own the bindir? So I assume you want that applied only to directories I would own. Which brings me to my next question about that.
<snip>
%dir %{_datadir}/%{name}/sql-scripts/mysql
%doc %attr(0644,root,root) %{_datadir}/%{name}/sql-scripts/mysql/*
</snip>
Can I combine that into one line? I assume I can't because I want the attr to apply to the files and not the directory..
For -0.10:
* Naming
(In reply to comment #35)
> 2) I didn't rename the libdspam to dspam-libs because you can install the
> library independent of dspam, it can be used in other projects/programs. If
> someone were to write a plugin for evolution or thunderbird. the dspam package
> is only necessary for an MTA, whereas the library can be used in all sorts of
> places.
  - Fedora already has many examples about this. e.g. There are some applications which require mysql-libs, but not mysql or mysql-server. And there are many other examples.
> 3) The libdspam-X are required by the library for storage of all the token data
> it produces. So I'm not sure what to call them other than libdspam-X, I could
> rename them to dspam-plugin-X or dspam-storage-X but that implies you need the
> dspam package which you don't. So if you could advise what to do here.
  - You can name as dspam-plugin-foo or dspam-foo and this does not mean that dspam(-plugin)-foo requires dspam binary rpm (unless you write so in the spec file)
* Directory ownership issue
  - This time the following directories are not owned by any packages:
----------------------------------------------------------------
/usr/share/dspam/
/var/lib/dspam/txt/
----------------------------------------------------------------
(In reply to comment #36)
> Which brings me to my next question about that.
> <snip>
> %dir %{_datadir}/%{name}/sql-scripts/mysql
> %doc %attr(0644,root,root) %{_datadir}/%{name}/sql-scripts/mysql/*
> </snip>
>
> Can I combine that into one line? I assume I can't because I want the attr to
> apply to the files and not the directory..
  - I avoid using %attr as much as possible. (0644,root,root) permission on files is the default permission, so if you set this permission _in advance_, you don't have to write %attr(0644,root,root) explicitly. i.e. set permission at %install like
---------------------------------------------------------------
chmod 0644 %buildroot%_datadir/%name/*/*/*
---------------------------------------------------------------
    and I don't usually write %attr(0644,root,root) for files and %attr(0755,root,root) for directories.
Another thing:
* Documents
  - Add "LICENSE" files to -libs package (because including "LICENSE" text to %doc is a must if it exists and all dspam related packages require -libs package)
  - And consider to move document files in dspam binary rpm to -libs package (because one can install dspam-libs package only)
And please check permission/owner/group is correctly set for all files (especially, I don't think permission of /usr/bin/dspam is set correctly. Currently /usr/bin/dspam has (2511,root,root) permission (i.e. has setgid bit and group is root), which means when this script is executed, the process is always run with root group.)
ping?
still here and kicking... We just had to migrate our server to a new dual server setup so I've been super busy... I'll address the rest of the issues.
Koji scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=1908312
* Wed Jan 7 2010 Nathanael Noblet <nathanael> - 3.9.0-0.13.RC2
- Updated cron script
- Added dspam-front script that will return a proper error code to avoid bounces
- Fixed ownership issues of /var/lib/dspam/txt
- Checked ownership/permissions of sql scripts
- Don't compress sql purge scripts
* Fri Dec 18 2009 Nathanael Noblet <nathanael> - 3.9.0-0.12.RC2
- Bumped upstream version
- Fixed requirements to be dspam-libs instead of libdspam
* Mon Dec 7 2009 Nathanael Noblet <nathanael> - 3.9.0-0.11.BETA4
- Renamed libdspam to dspam-libs
- Moved docs to -libs package
- Added LICENSE file
- Fixed some directory ownership issues
http://www.gnat.ca/dspam.spec
http://www.gnat.ca/dspam-3.9.0-0.13.RC2.src.rpm
I've checked and the odd permissions on /var/lib/dspam is necessary for security purposes. The dspam binary is setgid on purpose. It isn't strictly necessary in *all* ways it can be configured, however the most common ways use that. I'll get more clarification as to what it does setgid vs non setgid methods of operation. We use it on our production servers in that mode. Is there anything else left?
%changelog
* Wed Jan 7 2010 Nathanael Noblet <nathanael> - 3.9.0-0.14.RC2
- Updated cron script again
- Added README.fedora for fedora specific configuration information
http://www.gnat.ca/dspam.spec
http://www.gnat.ca/dspam-3.9.0-0.14.RC2.src.rpm
For -0.14:
* -n specification
  - For example "%package -n dspam-libs" can simply be "%package libs" (and the latter form is commonly used). Another example is that "%post -n dspam-libs -p /sbin/ldconfig" can simply be "%post libs -p /sbin/ldconfig".
* Directory ownership issue
  - This time the following directories are not owned by any packages:
---------------------------------------------------------------------
/usr/share/dspam/sql-scripts
---------------------------------------------------------------------
* Timestamp
  http://fedoraproject.org/wiki/Packaging:Guidelines#Timestamps
  - When using "cp" or "install" commands, add "-p" option to keep timestamps on installed files.
* Again owner/group/permission
(In reply to comment #41)
> I've checked and the odd permissions on /var/lib/dspam in necessary for
> security purposes.
>
> The dspam binary is setgid on purpose. It isn't strictly necessary in *all*
> ways it can be configured, however the most common ways use that. I'll get more
> clarification as to what it does setgid vs non setgid methods of operation. We
> use it on our production servers in that mode.
  - To be clear, what I said is that currently the group of /usr/bin/dspam is root and I guess this is wrong when this binary has setgid, because with this setgid/group executing /usr/bin/dspam is always done with root group. build.log says:
---------------------------------------------------------------------
826 if test x"nobody" != xnone; then \
827 chown "nobody" /builddir/build/BUILDROOT/dspam-3.9.0-0.14.RC2.i386/usr/bin/dspam; \
828 fi
829 chown: changing ownership of `/builddir/build/BUILDROOT/dspam-3.9.0-0.14.RC2.i386/usr/bin/dspam': Operation not permitted
831 if test x"mail" != xnone; then \
832 chgrp "mail" /builddir/build/BUILDROOT/dspam-3.9.0-0.14.RC2.i386/usr/bin/dspam; \
833 fi
834 chgrp: changing group of `/builddir/build/BUILDROOT/dspam-3.9.0-0.14.RC2.i386/usr/bin/dspam': Operation not permitted
---------------------------------------------------------------------
    So I guess /usr/bin/dspam should have %attr(2511,nobody,mail). Would you again check permission/owner/group of all files/directories?
! Note
  - Also, for binaries/directories which have some special permission/group/owner, you should write these permission/group/owner with explicit %attr directive in the spec file like
---------------------------------------------------------------------
%files
...
%attr(0770,root,%{dspam_group}) %dir %{dspam_logdir}/
%attr(0770,root,%{dspam_group}) %dir %{dspam_homedir}/
%attr(%{dspam_mode},%{dspam_user},%{dspam_group}) %dir %{_var}/run/dspam
...
...
%{_bindir}/css*
%attr(%{dspam_mode},%{dspam_user},%{dspam_group}) %{_bindir}/dspam
%{_bindir}/dspam[-_c]*
...
---------------------------------------------------------------------
    (i.e. if the permission/group/owner is not (0755,root,root) (for directory/executable files) or (0644,root,root) (normal files), you must use %attr explicitly in the spec file)
* Fri Jan 8 2010 Nathanael Noblet <nathanael> - 3.9.0-0.15.RC2
- Added README.cssclean to dspam-hash
- Fixed logrotate script using non-existant dspam user
- Cleaned up package -n naming
- Corrected dspam, and other directory permissions to nobody:mail
- Moved css* to dspam-hash as they are only needed with that driver
- removed nonsense configure parameter enabling and disabling syslog
http://www.gnat.ca/dspam.spec
http://www.gnat.ca/dspam-3.9.0-0.15.RC2.src.rpm
-----------------------------------------------------------
You were correct, the dspam binary needed nobody:mail. I didn't notice it wasn't the right owner as my setup doesn't run it in the daemon mode and specifically sets it to nobody:mail via postfix master.cf.
###########
Questions:
###########
1) I'm wondering how you find the non-owned directories. After you showed me the other ones I tried to make sure I had them all but couldn't seem to find a command that gives that output via google...
2) The cron script for dspam requires that the user edit it to provide the path to the sql-script/backend they are using. So I would like it that upon upgrade, that file isn't overwritten; however, when marking it as %config(noreplace) I get rpmlint warnings about executable marked as config. Is there a proper way to have that file not be replaced by rpm on upgrades?
I have one last issue I'm tracking down in the actual usage of the program as it should be placing logs in /var/log/dspam but they are being put in /var/lib/dspam at the moment even though the configure script is being told where so dspam should be behaving. Other than that dspam seems to be working well in my VMs and live boxes upgraded from a 3-4 year old self created rpm of 3.8.0.
The user 'nobody' is not possible for a packaged daemon. Daemons should run unprivileged; using common accounts like 'nobody' or 'bin' or 'daemon' allows independent daemons (e.g. dspam and dnsmasq) to influence each other (e.g. by 'ptrace'). Please use a dedicated account.
(In reply to comment #45)
> The user 'nobody' is not possible for a packaged daemon. Daemons should run
> unprivileged; using common accounts like 'nobody' or 'bin' or 'daemon' allows
> independent daemons (e.g. dspam and dnsmasq) to influence each other (e.g. by
> 'ptrace'). Please use a dedicated account.
If you think this is a MUST, would you post some proposal on fedora-packaging list?
no; too much politics and pragmatisms.
(In reply to comment #45)
> The user 'nobody' is not possible for a packaged daemon. Daemons should run
> unprivileged; using common accounts like 'nobody' or 'bin' or 'daemon' allows
> independent daemons (e.g. dspam and dnsmasq) to influence each other (e.g. by
> 'ptrace'). Please use a dedicated account.
And it's particularly important that files are not owned by the "nobody" account, as these could then be overwritten by any process running with that UID - such processes are intended to have minimal privileges and should certainly not be able to write to any system files.
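The two ownership problems raised in the comments above (a setgid binary whose group is root, and files owned by a shared account such as 'nobody'), as an added example that is not part of the original thread or of the dspam packaging: a shell function that scans an `rpm -qlvp`-style listing for both. Apart from the /usr/bin/dspam line quoted in the review, the sample listing is constructed, and the names `audit_listing`, `sample_listing` and `SHARED_ACCOUNTS` are assumptions.

```shell
#!/bin/sh
# Added example: scan an `rpm -qlvp <package>.rpm` style listing (ls -l
# format) for the two ownership problems discussed in this review.

# Constructed sample. Only the first line is quoted from the review; the
# rest, including /usr/bin/example-fixed, are made up for illustration.
sample_listing() {
    cat <<'EOF'
-r-x--s--x 1 root root 88252 Nov 29 16:10 /usr/bin/dspam
-rwxr-xr-x 1 root root 20480 Nov 29 16:10 /usr/bin/dspamc
drwxrwx--- 2 nobody mail 4096 Nov 29 16:10 /var/lib/dspam
drwxrwx--- 2 dspam mail 4096 Nov 29 16:10 /var/log/dspam
-r-x--s--x 1 dspam mail 88252 Nov 29 16:10 /usr/bin/example-fixed
EOF
}

# Reads a listing on stdin and prints one finding per line:
#   setgid-root-group <path>            setgid bit set while group is root
#   shared-account-owner <path> <user>  owned by a shared system account
# SHARED_ACCOUNTS (assumed variable) defaults to the accounts named in the
# review comment: nobody, bin, daemon.
# Paths containing spaces are not handled; field 9 is taken as the path.
audit_listing() {
    awk -v shared="${SHARED_ACCOUNTS:-nobody bin daemon}" '
    BEGIN {
        n = split(shared, a, " ")
        for (i = 1; i <= n; i++) is_shared[a[i]] = 1
    }
    NF >= 9 {
        mode = $1; owner = $3; group = $4; path = $9
        # Character 7 of the mode string is the group execute slot;
        # "s" or "S" there means the setgid bit is set.
        sgid = substr(mode, 7, 1)
        if ((sgid == "s" || sgid == "S") && group == "root")
            print "setgid-root-group " path
        if (owner in is_shared)
            print "shared-account-owner " path " " owner
    }'
}

# Stand-alone run over the constructed sample.
sample_listing | audit_listing
```

Against a real build, the input would be `rpm -qlvp` run on each binary rpm from the scratch build.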
* Sat Jan 9 2010 Nathanael Noblet <nathanael> - 3.9.0-0.16.RC2
- Created system user dspam via PackageUserRegistry instructions
- Updated logrotate to use proper user and group
- Updated dspam-cron with paths to sql-scripts directory and whitespace changes
- Removed no longer necessary README.fedora
http://www.gnat.ca/dspam.spec
http://www.gnat.ca/dspam-3.9.0-0.16.RC2.src.rpm
I've got it working as it should be now, no usability issues from my end. Any more guideline issues or otherwise? I'm excited this is nearing completion, at least it feels like it to me.
Well,
(In reply to comment #49)
> - Created system user dspam via PackageUserRegistry instructions
  - Instead please follow https://fedoraproject.org/wiki/Packaging/UsersAndGroups
    This is the current guidelines for adding user/group.
  - Note that uid 51 is already preserved on Fedora (see: /usr/share/doc/setup-2.8.13/uidgid ). And usually you don't have to set this hardcoded uid number.
  - We usually don't execute userdel/groupdel command during rpm transaction automatically because we think these commands are rather "dangerous" and these commands should be executed by sysadmin manually if needed.
By the way %{dspam_home} macro is defined nowhere (perhaps you meant %{dspam_homedir}) (rpmlint is actually warning about this)
(In reply to comment #44)
> 1) I'm wondering how you find the non-owned directories. After you showed me
> the other ones I tried to make sure I had them all but couldn't seem to find a
> command that gives that output via google...
  - During package review I check unowned directories manually. Note:
    $ rpm -qlp dspam-XXXXXX.rpm | sort
    will give us hints for finding this.
> 2) The cron script for dspam requires that the user edit it to provide the path
> to the sql-script/backend they are using. So I would like it that upon upgrade,
> that file isn't overwritten however when marking it as %config(noreplace) I get
> rpmlint warnings about executable marked as config. Is there a proper way to
> have that file not be replaced by rpm on upgrades?
  - Your comment seems to be saying that the sysadmin has to edit /etc/cron.daily/dspam and if so it is not desired. If this file needs some configuration these configuration should be written in the file under /etc/dspam (for example) like /etc/dspam/cron.conf and /etc/cron.daily/dspam should "source" that configuration file. Then /etc/dspam/cron.conf (for example) should be marked as %config(noreplace), while /etc/cron.daily/dspam should not have %config flag.
> I have one last issue I'm tracking down in the actual usage of the program as
> it should be placing logs in /var/log/dspam but they are being put in
> /var/lib/dspam at the moment even though the configure script is being told
> where so dspam should be behaving. Other than that dspam seems to be working
> well in my VMs and live boxes upgraded from a 3-4 year old self created rpm of
> 3.8.0.
  - I hope that you or the upstream will find the cause
By the way I note that I have not tried to actually install dspam related packages yet because of the left issues discussed before.
* Mon Jan 11 2010 Nathanael Noblet <nathanael> - 3.9.0-0.17.RC2
- Updated method of creating users via Packaging/UsersAndGroups

Also to note - you might have missed it in the 0.16 changelog, but both of the remaining issues have been resolved. The dspam cron file requires no editing, and the log rotating issue is also as dspam is expecting it. The cron file has the proper path in it in our source file as the cron file isn't part of the dspam distribution proper, I just modified the one I had been using. It is also what is rotating the system.log file as it needs a special tool to do it so as to not lose web ui stats. We don't as of yet install the web portion as it is missing dependencies that I wasn't wanting to tackle quite yet. I will get those in once dspam is in. Feel free to install and play with it.
* Tue Jan 12 2010 Nathanael Noblet <nathanael> - 3.9.0-0.18.RC2
- Removed user(dspam) requirement left behind
- Fixed directory permissions and ownership for some missing directories

http://www.gnat.ca/dspam.spec
http://www.gnat.ca/dspam-3.9.0-0.18.RC2.src.rpm

Some final touch ups I found when playing around with the installation
For -0.18:

* disttag
- Well, somehow I forgot to mention, however please consider to use %{?dist} (see below). This is useful when maintaining one software in multiple branches on Fedora: https://fedoraproject.org/wiki/Packaging/DistTag

* Owner/Group/Permission
- Would you check the owner/group/permission of /var/run/dspam? I don't think setgid is needed for this directory and perhaps (0770,dspam,mail) is sufficient (however I don't know about dspam).

* sysvscript
-----------------------------------------------------
[root@localhost ~]# service dspam status ; echo $?
ServerPID missing in DSPAM configuration /etc/dspam.conf
1
-----------------------------------------------------
- Well, any reason why ServerPID is not set by default (instead of setting this as "/var/run/dspam.pid" by default)?
Now:
-------------------------------------------------------------
NOTE: Before being sponsored:

This package will be accepted with a little more work. But before I accept this package, someone (I am a candidate) must sponsor you.

Once you are sponsored, you have the right to review other submitters' review requests and approve the packages formally. For this reason, people who want to be sponsored (like you) are required to "show that you have an understanding of the process and of the packaging guidelines" as is described on:
http://fedoraproject.org/wiki/PackageMaintainers/HowToGetSponsored

Usually there are two ways to show this.
A. Submit other review requests with enough quality.
B. Do a "pre-review" of other person's review request (at the time you are not sponsored, you cannot do a formal review)

When you have submitted a new review request or have pre-reviewed other person's review request, please write the bug number on this bug report so that I can check your comments or review request.

Fedora package collection review requests which are waiting for someone to review can be checked on my wiki page:
http://fedoraproject.org/wiki/User:Mtasaka#B._Review_request_tickets
(Check "No one is reviewing")

Review guidelines are described mainly on:
http://fedoraproject.org/wiki/Packaging/ReviewGuidelines
http://fedoraproject.org/wiki/Packaging/Guidelines
http://fedoraproject.org/wiki/Packaging/ScriptletSnippets
------------------------------------------------------------
* Tue Jan 12 2010 Nathanael Noblet <nathanael> - 3.9.0-0.19.RC2
- Added dist tag
- Removed check for ServerPID in initscript as it is unnecessary
- Fixed permissions/ownership on /var/run/dspam

http://www.gnat.ca/dspam.spec
http://www.gnat.ca/dspam-3.9.0-0.19.RC2.src.rpm

I had disttag in there at first but got issues with the changelog and removed it at some point. My bad. It's back.

I don't run dspam as a server daemon so wasn't sure about that. I have run some tests, and it is unnecessary to check that, so I've removed the check for ServerPID from the initscript.

Because I've never used it as a daemon I wasn't looking at that directory. However you are correct 0770, dspam, mail is the correct usage. It is only needed really if they run a unix socket instead of the default tcp socket.

Regarding the other reviews and such. I have a few more packages I need to submit, so I will attempt to submit perfect packages for some dependencies of dspam-web subpackage that we aren't enabling yet. I'll also see about providing some initial reviews for submitted packages.
Sorry the url should be http://www.gnat.ca/dspam.spec http://www.gnat.ca/dspam-3.9.0-0.19.RC2.fc12.src.rpm
* Wed Jan 13 2010 Nathanael Noblet <nathanael> - 3.9.0-0.20
- Upstream release

http://www.gnat.ca/dspam.spec
http://www.gnat.ca/dspam-3.9.0-0.20.fc12.src.rpm

So I see from your list of "No one is reviewing" that someone submitted clamsmtpd. I have a self made rpm just like dspam before this... He stopped awhile ago I guess because of selinux issues. We have it working with selinux with help from the #selinux IRC room. So my question is. Would it be better to create a new review request maybe merging his and or my spec, or to put comments on that report on how to fix it? I'm guessing easiest would be to re-submit and close his ticket since it is so old.
I have not checked your latest srpm yet, however - About clamsmtpd (perhaps bug 218022) Well, this review request ticket has no progress for about 5 months, so if you have clamsmtpd srpm, please file a new review ticket and mark the old one as a duplicate.
For dspam: * Release - Release should be 0.20.RC2%{?dist}. Now I will wait for your submission of another review request or pre-review of other person's review request.
Ah, I also found another clamsmtpd review request submission (bug 555059), so please choose another.
they've released the rc2 as final ga... so no RC2 anymore...
However your spec file still refers to "%{name}-%{version}-RC2.tar.gz". By the way, when using 3.9.0 formal, please reset the release number to "1%{?dist}".
* Wed Jan 13 2010 Nathanael Noblet <nathanael> - 3.9.0-1
- Upstream release

http://www.gnat.ca/dspam.spec
http://www.gnat.ca/dspam-3.9.0-1.fc12.src.rpm
Please move /usr/bin/dspam_pg2int8 from core into -pgsql (it adds postgresql deps to core package).

Can you try to pass 'LDFLAGS=-Wl,--as-needed' somehow? Current binaries are overlinked (see 'ldd -u -r /usr/bin/dspam*' output).

The world-read permissions should probably be removed from the configuration files because they contain authentication data.

I would like to have a lightweight client package with only the '/usr/bin/dspamc' program; this can be used for clients which talk to a central dspam server but do not need all the other stuff (dspam user, /var/...).
You should either require 'which' or use the 'type -p' shell builtin in the initscript.
If I pass LDFLAGS as requested, the EPEL version segfaults. Also about the initscript, I'm thinking of simply putting them in hardcoded to the /etc/sysconfig/dspam file. I don't see why you'd want it to use other than the fedora provided one...
There seems to be a path traversal security issue (which is relevant because dspamd is running as root):

$ dspamc --classify --user ../../../../../../etc -- < /tmp/sp

# strace -f `pidof dspamd`
stat64("/var/lib/dspam/data/././../../../../../..", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
...

# ll /
-rw-rw---- 1 root mail 1573112 15. Jan 18:24 etc.css
-rw-rw---- 1 root mail       0 15. Jan 18:24 etc.lock
-rw-rw---- 1 root mail      12 15. Jan 18:24 etc.stats
If dspamd ran as user dspam, that would mitigate the issue, however should the dspam authors fix it anyway? I assume dspam --user parameter shouldn't really accept path chars as opposed to a sane username?
I filed upstream report at https://sourceforge.net/tracker/?func=detail&aid=2932993&group_id=250683&atid=1126467 IMO running as non-root is mandatory for this kind of programs.
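The input check asked about in the comments above, as an added example that is not part of this thread or of DSPAM's source: a user name is validated against an allowlist before it is ever joined into a storage path, so a value such as `../../../../../../etc` is rejected instead of resolving outside the data directory. The function names, the allowed character set, the length limit and the simplified `<home>/data/<user>/<user>.<ext>` layout are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_USER_LEN 64  /* assumed limit, not taken from DSPAM */

/* Return 1 if `user` may be embedded in a storage path, 0 otherwise. */
int username_is_safe(const char *user)
{
    size_t len, i;

    if (user == NULL)
        return 0;
    len = strlen(user);
    if (len == 0 || len > MAX_USER_LEN)
        return 0;
    if (user[0] == '.' || user[0] == '-')   /* ".", "..", dotfiles, option-like names */
        return 0;
    if (strstr(user, "..") != NULL)         /* no parent-directory component anywhere */
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') ||
                 c == '.' || c == '_' || c == '-' || c == '@';
        if (!ok)                            /* rejects '/', '\\', spaces, control bytes */
            return 0;
    }
    return 1;
}

/* Build "<home>/data/<user>/<user>.<ext>" (assumed layout).
 * Returns 0 on success, -1 if the name is rejected or the buffer is too small. */
int build_user_path(char *out, size_t outlen, const char *home,
                    const char *user, const char *ext)
{
    int n;

    if (!username_is_safe(user))
        return -1;
    n = snprintf(out, outlen, "%s/data/%s/%s.%s", home, user, user, ext);
    if (n < 0 || (size_t)n >= outlen)       /* treat truncation as failure */
        return -1;
    return 0;
}
```

This covers only the input side; running the daemon as the unprivileged dspam user, as the comments above call for, limits the damage if a check like this is ever missed.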
* Fri Jan 15 2010 Nathanael Noblet <nathanael> - 3.9.0-1.1
- Remove world readable perms on /etc/dspam.conf
- Re-enabled dspam-web as the required dependencies exist
- Added -client package
- Created /etc/sysconfig/dspam file and modified initscript to use it by default

http://www.gnat.ca/dspam.spec
http://www.gnat.ca/dspam-3.9.0-1.fc12.src.rpm
@Mamoru Tasaka I just submitted the clamsmtp review request. Then afterwards wanted to close the old ones I had found and marked as duplicate. Someone has submitted a new review a couple days ago. I feel that mine is further along but would you prefer I review his, or have you review mine? The relevant bugs are.. Mine: https://bugzilla.redhat.com/show_bug.cgi?id=557011 Other: https://bugzilla.redhat.com/show_bug.cgi?id=555059 The only thing mine is missing is selinux, which I'm in contact with them to have fixed. In any case, please advise what you'd rather I do to show that I've learned the guidelines better than my first submission...
Checked 3.9.0-1.1

* %setup
- "%setup -q -n %{name}-3.9.0" can be simplified as "%setup -q"

! Comments
- Remove comments like "# webui - disabled"

* Macros
- Use %{_datadir} instead of %{_usr}/share
  https://fedoraproject.org/wiki/Packaging/RPMMacros
- And use %{_sysconfdir} instead of /etc .

* file splitting
- %_bindir/dspam-front shell script is not useful without %_bindir/dspam (as its contents show)

* %attr
- "%attr(0755,root,root)" for directory, "%attr(0644,root,root)" for files, and "%attr(-,root,root)" are the default attributes and these should be removed.

* Duplicate %files entry
------------------------------------------------------------------
%dir %attr(0755,root,root) %{_usr}/share/dspam-webui/templates
%attr(-,root,root) %{_usr}/share/dspam-webui/*
------------------------------------------------------------------
- Note that %{_usr}/share/dspam-webui/* contains %{_usr}/share/dspam-webui/templates , and so this causes the following warning from rpmbuild:
------------------------------------------------------------------
1142 Processing files: dspam-web-3.9.0-1.1.fc13.i686
1143 warning: File listed twice: /usr/share/dspam-webui/templates
------------------------------------------------------------------
* Wed Jan 20 2010 Nathanael Noblet <nathanael> - 3.9.0-1.3
- Fixed web comments
- Replaced usr/share with macro
- Moved dspam-front back to the server portion where it belongs
- Changed directory name from dspam-webui to dspam-web
- Updated dspam-web.conf to point to proper paths
- Added external dependency script to filter out wrong perl deps

http://www.gnat.ca/dspam.spec
http://www.gnat.ca/dspam-3.9.0-1.3.fc12.src.rpm

I'm just tracking down some issues with the actual web subpackage properly functioning. I've never used that particular feature of dspam on my servers so I'm just getting up to speed.
For -1.3:

* Release number
- By the way why do you use "1.3" for release number? For formally released tarball, release number in the spec file should be "X%{?dist}" where X is an integer.

* Macros
- Again please use %{_sysconfdir} instead of /etc .

Except for that, this package looks good to me.
* Thu Jan 21 2010 Nathanael Noblet <nathanael> - 3.9.0-2
- Replaced last etc with _sysconfdir macro
- Use single integer release version
- Fixed dspam-web.conf to actually work by default when installed.
- Updated configure.pl to point to the proper directory
- Placed the relevant READMEs in both -libs and the main package as they are relevant for both

http://www.gnat.ca/dspam.spec
http://www.gnat.ca/dspam-3.9.0-2.fc12.src.rpm
One thing:

# service dspam status ; echo $?
75

It seems that Source5 (dspam-front) is installed as /etc/sysconfig/dspam and this is perhaps incorrect.
* Fri Jan 22 2010 Nathanael Noblet <nathanael> - 3.9.0-3
- Fixed missing source file affecting dspam daemon service

http://www.gnat.ca/dspam.spec
http://www.gnat.ca/dspam-3.9.0-3.fc12.src.rpm

You are completely correct, that must have disappeared when I added the perl requires filter... All fixed up.
Okay, now approving.

-----------------------------------------------------------
This package (dspam) is APPROVED by mtasaka
-----------------------------------------------------------

Please follow the procedure written on:
http://fedoraproject.org/wiki/PackageMaintainers/Join
from "Install the Client Tools (Koji)".

Now I am sponsoring you.

If you want to import this package into Fedora 11/12, you also have to look at
http://fedoraproject.org/wiki/Infrastructure/UpdatesSystem/Bodhi-info-DRAFT
(after once you rebuilt this package on koji Fedora rebuilding system).

If you have questions, please ask me.

Removing NEEDSPONSOR.
New Package CVS Request
=======================
Package Name: dspam
Short Description: dspam - bayesian filtering daemon, client, library and web ui
Owners: gnat
Branches: F-11 F-12 EL-5
InitialCC:
CVS done (by process-cvs-requests.py).
Closing.
Package Change Request
======================
Package Name: dspam
New Branches: EL-4
Owners: gnat

Just got a request for the package for EPEL4 so if I could have a cvs branch created for it please.
CVS done.