Spec URL: http://maxamillion.fedorapeople.org/sslstrip.spec
SRPM URL: http://maxamillion.fedorapeople.org/sslstrip-0.7-1.fc12.src.rpm
Description: Tool that provides a demonstration of HTTPS stripping attacks that were presented at Black Hat DC 2009 by Moxie Marlinspike. It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial.
Package Review
==============

Key:
- = N/A
x = Check
! = Problem
? = Not evaluated

=== REQUIRED ITEMS ===
[x] Package is named according to the Package Naming Guidelines.
[x] Spec file name must match the base package %{name}, in the format %{name}.spec.
[x] Package meets the Packaging Guidelines.
[x] Package successfully compiles and builds into binary rpms on at least one supported architecture.
    Tested on: EL6/x86_64
[x] Rpmlint output:
source RPM:
sslstrip.src: W: summary-not-capitalized C tool that provides a demonstration of HTTPS stripping attacks
=> cosmetic, please fix before importing the package in CVS
sslstrip.src: W: spelling-error %description -l en_US Marlinspike -> Marlin spike, Marlin-spike, Marlinespike
sslstrip.src: W: spelling-error %description -l en_US favicon -> falcon, faction, favorite
=> bogus
sslstrip.src: W: no-cleaning-of-buildroot %install
=> old rpmlint, new fedora rules
sslstrip.src:13: W: mixed-use-of-spaces-and-tabs (spaces: line 13, tab: line 2)
=> cosmetic, please fix before importing the package in CVS
1 packages and 0 specfiles checked; 0 errors, 5 warnings.
binary RPM:
sslstrip.noarch: W: summary-not-capitalized C tool that provides a demonstration of HTTPS stripping attacks
=> will get fixed once the first warning above is fixed
sslstrip.noarch: W: spelling-error %description -l en_US Marlinspike -> Marlin spike, Marlin-spike, Marlinespike
sslstrip.noarch: W: spelling-error %description -l en_US favicon -> falcon, faction, favorite
=> bogus
1 packages and 0 specfiles checked; 0 errors, 3 warnings.
[x] Package is not relocatable.
[x] Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines.
[x] License field in the package spec file matches the actual license.
    License type: GPLv3+
[x] If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %doc.
[x] Spec file is legible and written in American English.
[x] Sources used to build the package match the upstream source, as provided in the spec URL.
    SHA1SUM of source file: 7219328b4d43d96b7a0d629355fd818310d61c9b  sslstrip-0.7.tar.gz
[x] Package is not known to require ExcludeArch
[!] All build dependencies are listed in BuildRequires, except for any that are listed in the exceptions section of Packaging Guidelines.
=> python-devel is not needed. BR: python is enough
[-] The spec file handles locales properly.
[-] ldconfig called in %post and %postun if required.
[x] Package must own all directories that it creates.
[x] Package requires other packages for directories it uses.
[x] Package does not contain duplicates in %files.
[x] Permissions on files are set properly.
[x] Package consistently uses macros.
[x] Package contains code, or permissible content.
[-] Large documentation files are in a -doc subpackage, if required.
[x] Package uses nothing in %doc for runtime.
[-] Header files in -devel subpackage, if present.
[-] Static libraries in -devel subpackage, if present.
[-] Package requires pkgconfig, if .pc files are present.
[-] Development .so files in -devel subpackage, if present.
[-] Fully versioned dependency in subpackages, if present.
[x] Package does not contain any libtool archives (.la).
[-] Package contains a properly installed %{name}.desktop file if it is a GUI application.
[x] Package does not own files or directories owned by other packages.
[x] Final provides and requires are sane.

=== SUGGESTED ITEMS ===
[x] Latest version is packaged.
[x] Package does not include license text files separate from upstream.
[-] Description and summary sections in the package spec file contain translations for supported Non-English languages, if available.
[x] Reviewer should test that the package builds in mock.
    Tested on: EL6
[x] Package should compile and build into binary rpms on all supported architectures.
    Tested on: EL6 (the package is noarch)
[x] Package functions as described.
[-] Scriptlets must be sane, if used.
[-] The placement of pkgconfig(.pc) files is correct.
[-] File based requires are sane.
[x] %check is present and the test passes.

=== OPTIONAL ITEMS ===
[x] Buildroot is correct (%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n))
[x] Package has a %clean section, which contains rm -rf $RPM_BUILD_ROOT.

=== Issues ===
1. BR python-devel is not needed, just python is enough
2. a small cosmetic fix is needed in %Summary (s/tool/Tool) and in the BuildArch line (you've used tabs everywhere but before "noarch")
3. python-twisted-web is a runtime require, not BR
4. Docs are included twice:
/usr/share/doc/sslstrip-0.7
/usr/share/doc/sslstrip-0.7/COPYING
/usr/share/doc/sslstrip-0.7/README
/usr/share/sslstrip/COPYING
/usr/share/sslstrip/README

=== Notes ===
1. if you take care of .egg-info, the package builds just fine in EPEL-5 (see http://koji.fedoraproject.org/koji/taskinfo?taskID=2330964).
2. please inform the upstream author that version 0.7 of sslstrip prints a wrong version at startup time:
[root@wolfy ~]# sslstrip -l 1001
/usr/lib64/python2.6/site-packages/twisted/internet/_sslverify.py:5: DeprecationWarning: the md5 module is deprecated; use hashlib instead
  import itertools, md5
sslstrip 0.6 by Moxie Marlinspike running...
Spec URL: http://maxamillion.fedorapeople.org/sslstrip.spec
SRPM URL: http://maxamillion.fedorapeople.org/sslstrip-0.7-3.fc13.src.rpm

All notes have been fixed. Apologies for the delay.

-AdamM
Hello. When will this package be available in the Fedora repos?
(In reply to comment #2)
> Spec URL: http://maxamillion.fedorapeople.org/sslstrip.spec
> SRPM URL: http://maxamillion.fedorapeople.org/sslstrip-0.7-3.fc13.src.rpm
>
> All notes have been fixed. Apologies for the delay.
>
> -AdamM

Sorry for the huge delay, a wrong mail config on my side made tons of messages pass by unseen.
Adam, since sslstrip-0.9 has been available for 2 weeks and http://koji.fedoraproject.org/koji/taskinfo?taskID=3102819 shows that the package from comment#2 fails to build, if I promise to take care of the review [much] faster this time, can you please update the package to the current version and provide a new link here?
Spec URL: http://maxamillion.fedorapeople.org/sslstrip.spec
SRPM URL: http://maxamillion.fedorapeople.org/sslstrip-0.9-1.fc15.src.rpm

Fixed up and updated to latest upstream release. No worries on the delay, life happens :)

-AdamM
The new package builds fine in EPEL6 (http://koji.fedoraproject.org/koji/taskinfo?taskID=3118749) and F15 (http://koji.fedoraproject.org/koji/taskinfo?taskID=3118747).
However:
- rpmlint complains again about the documentation COPYING and README having the exec bit set
- the package installs fine but...
[wolfy@wolfy ~]$ sslstrip
Traceback (most recent call last):
  File "/usr/bin/sslstrip", line 27, in <module>
    from twisted.web import http
ImportError: No module named twisted.web
Apparently you need to add a hard require on python-twisted-web (which in turn will bring in python-twisted-core, which provides twisted.internet, which is also required by sslstrip).
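The findings in this thread (documentation shipped twice under /usr/share/doc and /usr/share/sslstrip in the Issues list, then COPYING/README carrying the exec bit and the missing python-twisted-web Requires in the comment above) are the kind of checks a reviewer can script over the built binary rpm. The block below is an added example for this review, not code from sslstrip, from the submitter, or from Fedora's review tooling. The rpm -qlv style listing and the script header it inspects are constructed to resemble the reported problems, and the module-to-package mapping is an assumption about which EL6/F15 packages provide twisted.web and twisted.internet.

```python
"""Reviewer-side checks over an `rpm -qlv` listing and a script's imports.

Added example for this review thread; not sslstrip's code and not part of the
Fedora review tooling. All sample data below is constructed, not real output.
"""
import re
from collections import defaultdict

DOCDIR = "/usr/share/doc/"

# Constructed sample resembling `rpm -qlv sslstrip-0.9-1.noarch.rpm` output,
# with the two problems the review reported: docs installed twice, and the
# copies under %doc carrying the exec bit.
SAMPLE_LISTING = """\
-rwxr-xr-x    1 root    root                    35147 Jul  1  2011 /usr/share/doc/sslstrip-0.9/COPYING
-rwxr-xr-x    1 root    root                     1812 Jul  1  2011 /usr/share/doc/sslstrip-0.9/README
-rw-r--r--    1 root    root                    35147 Jul  1  2011 /usr/share/sslstrip/COPYING
-rw-r--r--    1 root    root                     1812 Jul  1  2011 /usr/share/sslstrip/README
-rwxr-xr-x    1 root    root                     5321 Jul  1  2011 /usr/bin/sslstrip
-rw-r--r--    1 root    root                     2201 Jul  1  2011 /usr/lib/python2.7/site-packages/sslstrip/DnsCache.py
"""

# Constructed stand-in for the head of /usr/bin/sslstrip (only the imports matter).
SAMPLE_SCRIPT = """\
import sys
from twisted.web import http
from twisted.internet import reactor
"""

# Assumed module -> package mapping for EL6/F15; adjust for the target distro.
MODULE_PACKAGE = {
    "twisted.web": "python-twisted-web",
    "twisted.internet": "python-twisted-core",
    "twisted": "python-twisted-core",
}

# Fields: mode, link count, owner, group, size, month, day, year-or-time, path.
LINE_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)"
    r"\s+\S+\s+\d+\s+\S+\s+(?P<path>/\S+)$"
)
IMPORT_RE = re.compile(r"^\s*(?:import\s+([\w.]+)|from\s+([\w.]+)\s+import)", re.M)


def parse_listing(text):
    """Return (mode, size, path) tuples from rpm -qlv style lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unrecognised rpm -qlv line: %r" % line)
        entries.append((m.group("mode"), int(m.group("size")), m.group("path")))
    return entries


def executable_docs(entries):
    """Files under %doc with any exec bit set (what rpmlint reports as spurious-executable-perm)."""
    return sorted(p for mode, _, p in entries if p.startswith(DOCDIR) and "x" in mode[1:])


def duplicate_docs(entries):
    """Files present both under %doc and elsewhere with the same basename and size."""
    by_key = defaultdict(list)
    for _, size, path in entries:
        by_key[(path.rsplit("/", 1)[1], size)].append(path)
    return {
        name: sorted(paths)
        for (name, _), paths in by_key.items()
        if len(paths) > 1 and any(p.startswith(DOCDIR) for p in paths)
    }


def missing_requires(script_source, requires):
    """Imported modules whose providing package is absent from the spec's Requires.

    Only the first module of a comma-separated import is considered, and modules
    not in MODULE_PACKAGE (stdlib, the package's own code) are skipped.
    """
    missing = {}
    for m in IMPORT_RE.finditer(script_source):
        module = m.group(1) or m.group(2)
        # Longest matching prefix wins, so twisted.web is not resolved via the bare "twisted" entry.
        for prefix in sorted(MODULE_PACKAGE, key=len, reverse=True):
            if module == prefix or module.startswith(prefix + "."):
                package = MODULE_PACKAGE[prefix]
                if package not in requires:
                    missing[module] = package
                break
    return missing


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    print("executable docs:", executable_docs(entries))
    print("duplicate docs:", duplicate_docs(entries))
    # Requires as in the spec before the fix: only python.
    print("missing Requires:", missing_requires(SAMPLE_SCRIPT, {"python"}))
```

Feed it real data with `rpm -qlv sslstrip-*.noarch.rpm` for the listing and `rpm -qp --requires` for the Requires set; the import check is deliberately conservative, since it only knows the modules listed in MODULE_PACKAGE and ignores whatever is pulled in transitively.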
Spec URL: http://maxamillion.fedorapeople.org/sslstrip.spec
SRPM URL: http://maxamillion.fedorapeople.org/sslstrip-0.9-2.fc15.src.rpm

Fixed up the permissions, that was a complete oversight on my part. Sorry about the python-twisted-web dep miss, I just got lucky/unlucky and had that already installed on the machine I tested on. Also a major goof, fixed now.

Many thanks for the review!

-AdamM
Only remaining word from rpmlint is:
[wolfy@wolfy tmp]$ rpmlint sslstrip*rpm
sslstrip.noarch: W: spelling-error %description -l en_US Marlinspike -> Marlin spike, Marlin-spike, Marlinespike
sslstrip.noarch: W: spelling-error %description -l en_US favicon -> falcon, faction, favorite
sslstrip.src: W: spelling-error %description -l en_US Marlinspike -> Marlin spike, Marlin-spike, Marlinespike
sslstrip.src: W: spelling-error %description -l en_US favicon -> falcon, faction, favorite
2 packages and 0 specfiles checked; 0 errors, 4 warnings.
which is obviously a false alert.

Everything seems fine now [*] so the package is APPROVED

[*]
- builds fine in koji
- works as expected
- no regressions compared to previous versions.

PS
1. you'll get bonus points for including this tool in EPEL :)
2. please inform the upstream author that the file DnsCache.py does not include the license info
I'm a big fan of EPEL, bonus points are on the roadmap :D
New Package SCM Request
=======================
Package Name: sslstrip
Short Description: tool that provides a demonstration of HTTPS stripping attacks
Owners: maxamillion
Branches: f14 f15 el6
Git done (by process-git-requests).
sslstrip-0.9-2.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/sslstrip-0.9-2.fc14
sslstrip-0.9-2.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/sslstrip-0.9-2.fc15
sslstrip-0.9-2.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/sslstrip-0.9-2.el6
sslstrip-0.9-2.el6 has been pushed to the Fedora EPEL 6 testing repository.
sslstrip-0.9-2.el6 has been pushed to the Fedora EPEL 6 stable repository.
sslstrip-0.9-2.fc15 has been pushed to the Fedora 15 stable repository.
sslstrip-0.9-2.fc14 has been pushed to the Fedora 14 stable repository.