Bug 553852 - Review Request: pki-tps - The Dogtag PKI System Token Processing System
Summary: Review Request: pki-tps - The Dogtag PKI System Token Processing System
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Parag AN(पराग)
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks: Dogtag-to-Fedora
TreeView+ depends on / blocked
Reported: 2010-01-09 04:33 UTC by Kevin Wright
Modified: 2015-07-13 04:56 UTC (History)
11 users (show)

Fixed In Version: pki-tps-1.3.0-7.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-02-04 04:39:28 UTC
panemade: fedora-review+
kevin: fedora-cvs+

Attachments (Terms of Use)

Description Kevin Wright 2010-01-09 04:33:58 UTC
first pass at getting this built in fedora

Comment 1 Kevin Wright 2010-01-22 00:59:05 UTC
Description: The Dogtag PKI System Token Processing System

Spec URL: http://people.redhat.com/kwright/pki-tps/pki-tps.spec
SRPM URL: http://people.redhat.com/kwright/pki-tps/pki-tps-1.3.0-4.fc11.src.rpm

Comment 2 Kevin Wright 2010-01-28 06:56:13 UTC
updated spec file and src.rpm:

Spec URL: http://people.redhat.com/kwright/pki-tps/pki-tps.spec
SRPM URL: http://people.redhat.com/kwright/pki-tps/pki-tps-1.3.0-5.fc11.src.rpm

Comment 3 Parag AN(पराग) 2010-01-28 10:59:36 UTC
I still see some issues when I removed line
AutoReqProv:    no


--> Running transaction check
---> Package perl-XML-Parser.i686 0:2.36-6.fc12 set to be updated
---> Package pki-tps.i686 0:1.3.0-4.fc12 set to be updated
--> Processing Dependency: perl(..::sow/cfg.pl) for package: pki-tps-1.3.0-4.fc12.i686
--> Processing Dependency: perl(.::cfg.pl) for package: pki-tps-1.3.0-4.fc12.i686
--> Finished Dependency Resolution
pki-tps-1.3.0-4.fc12.i686 from /pki-tps-1.3.0-4.fc12.i686 has depsolving problems
  --> Missing Dependency: perl(..::sow/cfg.pl) is needed by package pki-tps-1.3.0-4.fc12.i686 (/pki-tps-1.3.0-4.fc12.i686)
pki-tps-1.3.0-4.fc12.i686 from /pki-tps-1.3.0-4.fc12.i686 has depsolving problems
  --> Missing Dependency: perl(.::cfg.pl) is needed by package pki-tps-1.3.0-4.fc12.i686 (/pki-tps-1.3.0-4.fc12.i686)

When I checked this issue on google, I see http://www.redhat.com/docs/manuals/cert-system/8.0/admin/html/System_Passwords.html#running-without-the-password.conf-file and there " Configuring Existing TPS Instances to Prompt for Passwords" and step 6 suggests
the primary change is to replace any relative file paths with full paths. For example, replace this line:

require "./cfg.pl"


require "/var/lib/pki-tps/cgi-bin/sow/cfg.pl"

So, I wonder if we need same and patch the source?

But then I see cfg.pl is not getting installed.

Comment 4 Matthew Harmsen 2010-01-28 22:57:00 UTC
What you are alluding to cannot be done, as "/var/lib/pki-tps/cgi-bin/sow/cfg.pl" refers to an "instance-specific" path that is not generated until an instance is created.

However, I am currently working on a fix to be able to remove "AutoReqProv:    no" from the pki-tps.spec file.

What will be needed is that the following two lines:

    require "../sow/cfg.pl";
    require "./cfg.pl";

will need to be replaced by "slot" variables whose values are filled in during instance creation in the "pkicreate" script (which is part of the "pki-setup" package).  In this case, the entire line will be substituted in, so the automated requirement and provision processing performed by '/usr/lib/rpm/perl.req' and '/usr/lib/rpm/perl.prov' can be turned back on, and the explicit 'perl' Requires may be removed from the 'pki-tps.spec' file.

Comment 6 Chris Weyl 2010-01-29 16:46:17 UTC
A couple thoughts here, bearing in mind that it's been a while since I've reviewed a hardcore non-perl package, so I'm liable to miss something :)  In arch-specific dir/paths referenced below I'll be using the 64-bit variants, as that's the machine I'm working on right now.

* In %build, make is called w/o options, not as "make %{?_smp_mflags}".  Any reason we can't include this?  (e.g. "build breaks when run in parallel")

* It looks like you're installing some sort of web-app as well as apache modules, but there don't appear to be any config files installed where apache can find them.

* Given that this is a binary (that is, arch-specific) package, disabling auto req/provides is not a good idea, as shlib / perl requires (at the least) need to be picked up and honored.  You're installing shlibs in a system path (/usr/lib64) and a private path (/usr/lib64/httpd/modules).  AutoReq/prov off in this situation is not permitted.

* You're also packaging a bunch of perl pakcages _outside_ perl's standard library path (aka @INC).  Perl provides coming from directories outside @INC need to be filtered out, one cannot simply "use" them w/o specifying the path.  Requires coming from directories outside of @INC _are_ valid unless they're private reqs that are part of that same package (e.g. perl(Parse::RecDescent) is a valid req of this package, but perl(PKI::TPS::CAInfoPanel) is not.)

Essentially: perl(PKI*) needs to be filtered from both requires and provides, perl(*::cfg.pl) as well.

* And speaking of perl(*::cfg.pl) -- this must be flitered, in any form.  This is not a valid system-wide dependency that can be managed by rpm: no package will ever provide it.

* You're stripping symbols out of shlibs and binaries manually, rather than letting the debuginfo package generation process handle it.  Is the automatic process inadequate in some way?  If not, why not let the automatic process do it?

Comment 9 Kevin Wright 2010-02-01 23:46:08 UTC
Updates spec file and src.rpm:

Spec URL:  http://people.redhat.com/kwright/pki-tps/pki-tps.spec
SRPM URL:  http://people.redhat.com/kwright/pki-tps/pki-tps-1.3.0-7.fc11.src.rpm

Comment 10 Matthew Harmsen 2010-02-02 16:53:39 UTC
The spec file and SRPM posted in Comment 9 attempts to address the issues raised by Comment #3 and Comment #6.

Comment 11 Parag AN(पराग) 2010-02-03 09:06:56 UTC
Chris Thanks for your help here.

Comment 12 Parag AN(पराग) 2010-02-03 10:20:06 UTC
+ package builds in mock (rawhide i686).
koji Build =>http://koji.fedoraproject.org/koji/taskinfo?taskID=1960544
+ rpmlint is silent for SRPM and for RPM.
+ source files match upstream url (sha1sum)
dc16095b91c96d7257328ce4b29423f173c25c9e  pki-tps-1.3.0.tar.gz
+ package meets naming and packaging guidelines.
+ specfile is properly named, is cleanly written
+ Spec file is written in American English.
+ Spec file is legible.
+ dist tag is present.
+ license is open source-compatible.
+ License text is included in package.
+ %doc is present.
+ BuildRequires are proper.
+ %clean is present.
+ package installed properly.
+ Macro use appears rather consistent.
+ no headers or static libraries.
+ no .pc file present.
+ -devel subpackage
+ no .la files.
+ no translations are available
+ Does owns the directories it creates.
+ initscripts scriptlets present.
+ no duplicates in %files.
+ file permissions are appropriate.

Like Chris asked can we know how apache uses these conf files?

Comment 13 Matthew Harmsen 2010-02-04 00:40:19 UTC
The following files:


are NOT used directly by Apache at all.

Basically, they are used as "templates" that contain both fixed and substituted values whenever an "instance" of 'pki-tps' is created by the "pkicreate" program (which is part of the "pki-setup" runtime dependency used to create all six different types of Dogtag PKI subsystems - CA, KRA, OCSP, TKS, RA, and TPS).  

CA, KRA, OCSP, and TKS are created as instances of "Tomcat", while RA and TPS are created as instances of Apache.

Note that many instances of a given Dogtag PKI subsystem may be generated, and each need to contain their own unique name (and configuration files) - for example, 'pki-tps', 'pki-tps1', 'pki-tps2', etc.

For example, when creating an initial default instance of PKI TPS called 'pki-tps', the following command may be run:

pkicreate -pki_instance_root=/var/lib        \
          -pki_instance_name=pki-tps         \
          -subsystem_type=tps                \
          -secure_port=7889                  \
          -non_clientauth_secure_port=7890   \
          -unsecure_port=7888                \
          -user=pkiuser                      \
          -group=pkiuser                     \
          -redirect conf=/etc/pki-tps        \
          -redirect logs=/var/log/pki-tps    \

This will cause these template files to be filled with initial appropriate values for the 'pki-tps' instance being created.  In this example, these "instance" configuration files used by Apache will be stored under the following names:


More values will be changed in the "CS.cfg" file once this 'pki-tps' instance has been configured.

For all PKI TPS instances, start/stop/status control of this Apache module will be managed by the master '/etc/init.d/pki-tpsd' file utilizing these instance-specific configuration files (e. g. - service pki-tpsd status pki-tps).

Comment 14 Parag AN(पराग) 2010-02-04 00:52:53 UTC
Thanks for brief reply.


Comment 15 Kevin Wright 2010-02-04 01:35:50 UTC
New Package CVS Request
Package Name: pki-tps
Short Description: The Dogtag PKI Token Processing System
Owners: kwright
Branches: F-11, F-12, EL-5
InitialCC: ausil

Comment 16 Kevin Fenzi 2010-02-04 02:31:59 UTC
CVS done (by process-cvs-requests.py).

Comment 17 Fedora Update System 2010-02-04 02:53:44 UTC
pki-tps-1.3.0-7.fc11 has been submitted as an update for Fedora 11.

Comment 18 Fedora Update System 2010-02-04 03:04:23 UTC
pki-tps-1.3.0-7.fc12 has been submitted as an update for Fedora 12.

Comment 19 Fedora Update System 2010-02-04 03:18:11 UTC
pki-tps-1.3.0-7.el5 has been submitted as an update for Fedora EPEL 5.

Comment 20 Fedora Update System 2010-02-22 22:36:36 UTC
pki-tps-1.3.0-7.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 Fedora Update System 2010-02-23 05:35:18 UTC
pki-tps-1.3.0-7.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.