Bug 562470 - (openvas-client) Review Request: openvas-client - Client component of Open Vulnerability Assessment (OpenVAS) Scanner
Review Request: openvas-client - Client component of Open Vulnerability Asses...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Xavier Bachelot
Fedora Extras Quality Assurance
:
: 538299 (view as bug list)
Depends On: openvas-libraries
Blocks: FE-SECLAB
  Show dependency treegraph
 
Reported: 2010-02-06 16:09 EST by Stjepan Gros
Modified: 2010-06-22 13:21 EDT (History)
8 users (show)

See Also:
Fixed In Version: openvas-client-3.0.0-7.fc12
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-06-22 13:19:13 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
xavier: fedora‑review+
tibbs: fedora‑cvs+


Attachments (Terms of Use)
Changes in openvas-libraries related to the changes in client (845 bytes, patch)
2010-03-03 04:06 EST, Stjepan Gros
no flags Details | Diff

  None (edit)
Description Stjepan Gros 2010-02-06 16:09:11 EST
Spec URL: http://www.zemris.fer.hr/~sgros/stuff/fedora/openvas3/openvas-client.spec
SRPM URL: http://www.zemris.fer.hr/~sgros/stuff/fedora/openvas3/openvas-client-3.0.0-1.fc12.src.rpm
Description:
OpenVAS-Client is a client component that is used to access and control
OpenVAS server. It is also used to perform analysis task of results
provided by the server component.
Comment 1 Stjepan Gros 2010-02-06 16:17:51 EST
*** Bug 538299 has been marked as a duplicate of this bug. ***
Comment 2 Xavier Bachelot 2010-02-18 19:12:08 EST
Few comments :
- -b 0 in %setup is useless
- %{_sysconfdir}/openvas/openvas-client_log.conf should be marked as %config(noreplace)
- manfiles should end with .* rather than .gz in case the compression format
ever changes.
- Missing BuildRequires: desktop-file-utils. See https://fedoraproject.org/wiki/Packaging/Guidelines#desktop
- You must not add a vendor tag to the desktop file.

Adding Huzaifa to the CC list.
Comment 4 Xavier Bachelot 2010-03-02 18:32:25 EST
* Missing BuildRequires: on zlib-devel, gnutls-devel, gtk2-devel, openssl-devel, libpcap-devel, gpgme-devel.

* rpmlint is not silent :
openvas-client.i686: E: executable-marked-as-config-file /etc/openvas/openvas-client_log.conf
openvas-client.i686: E: script-without-shebang /etc/openvas/openvas-client_log.conf
2 packages and 0 specfiles checked; 2 errors, 0 warnings.

However, this is bogus, the issue is rather the conf file has bad perms (0755 instead of 0644).

* %{_sysconfdir}/openvas is not owned.
Comment 5 Stjepan Gros 2010-03-03 04:00:06 EST
I fixed configuration file problems. Here are new spec and srpm files:

Spec URL:
http://www.zemris.fer.hr/~sgros/stuff/fedora/openvas3/openvas-client.spec
SRPM URL:
http://www.zemris.fer.hr/~sgros/stuff/fedora/openvas3/openvas-client-3.0.0-4.fc12.src.rpm

Directory ownership of /etc/openvas I moved to the libraries as both, scanner and client, use this directory so if both are installed there would be a collision. For a reference, here is a new SPEC file for the libraries, the change is actually a minor one:

http://www.zemris.fer.hr/~sgros/stuff/fedora/openvas3/openvas-libraries.spec
Comment 6 Stjepan Gros 2010-03-03 04:06:49 EST
Created attachment 397514 [details]
Changes in openvas-libraries related to the changes in client

Here is a small patch against spec file for openvas libraries in the CVS that makes libraries owner of /etc/openvas directory.
Comment 7 Xavier Bachelot 2010-03-03 04:18:01 EST
Not sure moving the ownership of the sysconfdir to the libraries is the preferred solution. There is nothing wrong with the sysconfdir being owned by both the openvas-client and openvas-scanner.
Comment 8 Stjepan Gros 2010-03-04 04:23:46 EST
My reasoning was that the user will install libraries and also either scanner or client, or both. Because it's obvious that only libraries will be installed in a very few cases (if any) I thought that this is the better solution. Also, wouldn't it be confusing if I query to which package /etc/openvas belongs and I get two answers? I newer encountered such a case, which of course, doesn't mean it don't exists.

But, I can change it back, if you think it's better solution.
Comment 9 Michal Ambroz 2010-03-21 06:34:14 EDT
Hello guys,
If I can add opinion to the discussion - I would preffer the sysconfdir owned by 1 package and as the libraries is the common baseline, it seems logical it will be this package ovning the directory.
Best regards
Michal Ambroz
Comment 10 Michal Ambroz 2010-03-25 15:35:07 EDT
Hello,
I was testing the openvas-client so here are my 2 copper coins:

1) inconsistency in naming between the openvas packages
Most tools in openvas suite are named openvas-something except the client OpenVAS-Client .
The discrepancy is comming from the upstream package.
I would recommend to create symbolic link openvas-client just for comfort - big letters are sexy, but could be hard to remember when all the other tools from the suite are lowercase.

2) OpenVAS-Client is crushing with export to LaTeX of empty report
reported upstream 
http://wald.intevation.org/tracker/index.php?func=detail&aid=1343&group_id=29&atid=220

3) Export to pdf requires htmldoc
As report to pdf won't be probably the main exports used, 
however there is question whether there should be rpm dependency 
added to the spec file.

Best regards
Michal Ambroz
Comment 11 Xavier Bachelot 2010-04-16 18:43:44 EDT
(In reply to comment #10)

> 1) inconsistency in naming between the openvas packages
> Most tools in openvas suite are named openvas-something except the client
> OpenVAS-Client .
> The discrepancy is comming from the upstream package.
> I would recommend to create symbolic link openvas-client just for comfort - big
> letters are sexy, but could be hard to remember when all the other tools from
> the suite are lowercase.
> 
Agreed, a lower-case symlink would be handy.

> 2) OpenVAS-Client is crushing with export to LaTeX of empty report
> reported upstream 
> http://wald.intevation.org/tracker/index.php?func=detail&aid=1343&group_id=29&atid=220
> 
This fixes it and could be included as a patch :
http://wald.intevation.org/plugins/scmsvn/viewcvs.php/trunk/openvas-client/openvas/latex_output.c?root=openvas&rev=7137&r1=5830&r2=7137&makepatch=1&diff_format=h

> 3) Export to pdf requires htmldoc
> As report to pdf won't be probably the main exports used, 
> however there is question whether there should be rpm dependency 
> added to the spec file.
> 
If it doesn't drag too much dependencies, it probably should. What happens if you try to use this feature and htmldoc is not available ?
Comment 12 Xavier Bachelot 2010-04-16 19:14:02 EDT
The files are currently unavailable, but here a couple notes based on an older version :
- rename Source1: OpenVAS.desktop to openvas-client.desktop to match the package name.
- License is GPLV2 and GPLv2+, there are files under both GPLv2 and GPLv2 or later license, the resulting binary is likely GPLv2. I need to double check the licensing guidelines to make sure.
http://fedoraproject.org/wiki/Licensing
- Group: System Environment/Libraries is wrong, I'd use something like Applications/System.
- Following Michal comment above about the non-lowercase OpenVAS-Client binary name, the manpage should also have a symlink to the lowercase equivalent. Actually, I think it would be even better to ask upstream to switch to lowercase.
Comment 13 Stjepan Gros 2010-04-18 05:40:03 EDT
Ok, the new package will be available tomorrow on the following links (currently, the server is down because some work is done on the power supply in the building):

Spec URL:
http://www.zemris.fer.hr/~sgros/stuff/fedora/openvas3/openvas-client.spec
SRPM URL:
http://www.zemris.fer.hr/~sgros/stuff/fedora/openvas3/openvas-client-3.0.0-4.fc12.src.rpm

I renamed desktop file, changed group, added htmldoc require.

For symlinks, I looked in debian package and they also add symlinks. So, I created them. But I don't think there is a point in asking upstream to change the name of the binary. There is no point in changing it because some packager asks for it, there are plenty of other users that are probably used to it as it is.
Comment 15 Michal Ambroz 2010-04-25 08:25:59 EDT
I have added request to openvas-client bugzila to consider adding of the symlinks as it is done in fedora (and debian) package.
Comment 16 Michal Ambroz 2010-04-26 23:05:34 EDT
Building in koji fails.
https://koji.fedoraproject.org/koji/taskinfo?taskID=2139416

Missing dependencies:
BuildRequires:  zlib-devel
BuildRequires:  gtk2-devel
BuildRequires:  gpgme-devel
BuildRequires:  glib-devel
BuildRequires:  gnutls-devel

Pakage is still failing to build in koji FC13. file cflags in src directory is created too late so building of package is still failing:
http://koji.fedoraproject.org/koji/taskinfo?taskID=2139686

Michal Ambroz
Comment 17 Michal Ambroz 2010-05-05 19:08:07 EDT
Hello colleagues, 
as Stjepan is probably busy I will post an update - please can someone review?

All build requirements were added to the SPEC file.
Makefiles were patched to reference cflags file necessary to
build of some objects.

SPEC URL: http://rebus.fedorapeople.org/12/SPECS/openvas-client.spec
SRPM URL: http://rebus.fedorapeople.org/12/SRPMS/openvas-client-3.0.0-6.fc12.src.rpm

Rpmlint is free of errors:
$ rpmlint openvas-client-3.0.0-6.fc12.src.rpm openvas-client-3.0.0-6.fc12.i686.rpm openvas-client-debuginfo-3.0.0-6.fc12.i686.rpm
3 packages and 0 specfiles checked; 0 errors, 0 warnings.

Koji build is successfull for FC12 and FC13:
Koji build for FC13: http://koji.fedoraproject.org/koji/taskinfo?taskID=2166099
Koji build for FC12: http://koji.fedoraproject.org/koji/taskinfo?taskID=2166123

Best regards
Michal Ambroz
Comment 18 Sergio Pascual 2010-05-27 10:11:09 EDT
(In reply to comment #9)
> Hello guys,
> If I can add opinion to the discussion - I would preffer the sysconfdir owned
> by 1 package and as the libraries is the common baseline, it seems logical it
> will be this package ovning the directory.
> Best regards
> Michal Ambroz    

What about creating a openvas-common subpackage that owns the common directories? There are quite a few -common subpackages with this purpose
Comment 19 Sergio Pascual 2010-05-27 10:14:16 EDT
I was testing the application. The users manual under help doesnt work, The popup menu says: PDF file //usr/share/doc/openvas-manual/users-manual.pdf not found.
Comment 20 Michal Ambroz 2010-05-28 12:07:49 EDT
Hello Sergio
(In reply to comment #19)
> I was testing the application. The users manual under help doesnt work, The
> popup menu says: PDF file //usr/share/doc/openvas-manual/users-manual.pdf not
> found.    

openvas-manual is replaced by openvas-compendium - it is not part of the client.
I believe this is not important at this stage - we do not have any openvas-compendium package sofar.
Comment 21 Xavier Bachelot 2010-06-01 16:38:55 EDT
This is the review for Michal's 3.0.0-6.

+ : OK
- : not OK
= : non applicable
? : not tested


+    * MUST: rpmlint must be run on every package. The output should be posted in the review.
3 packages and 0 specfiles checked; 0 errors, 0 warnings.
+    * MUST: The package must be named according to the Package Naming Guidelines.
+    * MUST: The spec file name must match the base package %{name}, in the format %{name}.spec unless your package has an exemption.
+    * MUST: The package must meet the Packaging Guidelines.
+    * MUST: The package must be licensed with a Fedora approved license and meet the Licensing Guidelines .
-     * MUST: The License field in the package spec file must match the actual license.
licensecheck reports a mix of GPLv2 and GPLv2+. Also some files doesn't have a license header at all.
License tag should be GPLv2 and GPLv2+. Files without a license header should be fixed upstream, if you feel like asking them.
+    * MUST: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package must be included in %doc.
+    * MUST: The spec file must be written in American English.
+    * MUST: The spec file for the package MUST be legible.
-    * MUST: The sources used to build the package must match the upstream source, as provided in the spec URL.
Replace Source0: http://wald.intevation.org/frs/download.php/467/%{name}-%{version}.tar.gz
with Source0: http://wald.intevation.org/frs/download.php/685/%{name}-%{version}.tar.gz
I guess this stupid php downloader will probably cause more trouble in the future. It might worth not using the %{name}-%{version} macros in the Source to avoid errors.
+    * MUST: The package MUST successfully compile and build into binary rpms on at least one primary architecture.
=    * MUST: If the package does not successfully compile, build or work on an architecture, then those architectures should be listed in the spec in ExcludeArch.
+    * MUST: All build dependencies must be listed in BuildRequires, except for any that are listed in the exceptions section of the Packaging Guidelines.
=    * MUST: The spec file MUST handle locales properly. This is done by using the %find_lang macro. Using %{_datadir}/locale/* is strictly forbidden.
=    * MUST: Every binary RPM package (or subpackage) which stores shared library files (not just symlinks) in any of the dynamic linker's default paths, must call ldconfig in %post and %postun.
+    * MUST: Packages must NOT bundle copies of system libraries.
=    * MUST: If the package is designed to be relocatable, the packager must state this fact in the request for review, along with the rationalization for relocation of that specific package.
+    * MUST: A package must own all directories that it creates. If it does not create a directory that it uses, then it should require a package which does create that directory.
+    * MUST: A Fedora package must not list a file more than once in the spec file's %files listings.
+    * MUST: Permissions on files must be set properly. Executables should be set with executable permissions, for example. Every %files section must include a %defattr(...) line.
+    * MUST: Each package must consistently use macros.
+    * MUST: The package must contain code, or permissable content.
=    * MUST: Large documentation files must go in a -doc subpackage. (The definition of large is left up to the packager's best judgement, but is not restricted to size. Large can refer to either size or quantity).
+    * MUST: If a package includes something as %doc, it must not affect the runtime of the application. To summarize: If it is in %doc, the program must run properly if it is not present.
=    * MUST: Header files must be in a -devel package.
=    * MUST: Static libraries must be in a -static package.
=    * MUST: If a package contains library files with a suffix (e.g. libfoo.so.1.1), then library files that end in .so (without suffix) must go in a -devel package.
=    * MUST: In the vast majority of cases, devel packages must require the base package using a fully versioned dependency: Requires: %{name} = %{version}-%{release}
+    * MUST: Packages must NOT contain any .la libtool archives, these must be removed in the spec if they are built.
+    * MUST: Packages containing GUI applications must include a %{name}.desktop file, and that file must be properly installed with desktop-file-install in the %install section.
+    * MUST: Packages must not own files or directories already owned by other packages. The rule of thumb here is that the first package to be installed should own the files or directories that other packages may rely upon.
+    * MUST: At the beginning of %install, each package MUST run rm -rf %{buildroot} (or $RPM_BUILD_ROOT).
+    * MUST: All filenames in rpm packages must be valid UTF-8.

=    * SHOULD: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it.
-    * SHOULD: The description and summary sections in the package spec file should contain translations for supported Non-English languages, if available.
+    * SHOULD: The reviewer should test that the package builds in mock.
?    * SHOULD: The package should compile and build into binary rpms on all supported architectures.
+    * SHOULD: The reviewer should test that the package functions as described. A package should not segfault instead of running, for example.
+    * SHOULD: If scriptlets are used, those scriptlets must be sane. This is vague, and left up to the reviewers judgement to determine sanity.
=    * SHOULD: Usually, subpackages other than devel should require the base package using a fully versioned dependency.
=    * SHOULD: The placement of pkgconfig(.pc) files depends on their usecase, and this is usually for development purposes, so should be placed in a -devel pkg. A reasonable exception is that the main pkg itself is a devel tool not installed in a user runtime, e.g. gcc or gdb.
=    * SHOULD: If the package has file dependencies outside of /etc, /bin, /sbin, /usr/bin, or /usr/sbin consider requiring the package which provides the file instead of the file itself.
+    * SHOULD: your package should contain man pages for binaries/scripts. If it doesn't, work with upstream to add them where they make sense.

Also, it would be nice the missing manual pdf file error could be handled in some way. Maybe package the compendium and patch openvas-client to use it instead (although it seems the latest compendium release is outdated anyway). Definitely not a blocker, though.

Please fix Source0: and License: tags and then the package is APPROVED.
Sorry for the very long delay...
Comment 22 Stjepan Gros 2010-06-03 13:52:51 EDT
I fixed Source0 and License tags. But rpmlint shows the following warnings:

$ rpmlint openvas-client-3.0.0-7.fc13.x86_64.rpm
openvas-client.x86_64: W: unstripped-binary-or-object /usr/bin/OpenVAS-Client
openvas-client.x86_64: W: unstripped-binary-or-object /usr/bin/omp-cli
openvas-client.x86_64: W: manual-page-warning /usr/share/man/man1/OpenVAS-Client.1.gz 243: warning: `UR' not defined
openvas-client.x86_64: W: manual-page-warning /usr/share/man/man1/openvasclient-mkcert.1.gz 31: warning: `UR' not defined
openvas-client.x86_64: W: manual-page-warning /usr/share/man/man1/openvasclient-mkcert.1.gz 33: warning: `UE' not defined
openvas-client.x86_64: W: no-manual-page-for-binary omp-cli
1 packages and 0 specfiles checked; 0 errors, 6 warnings.

I think that warnings about manual pages could be ignored, but what about unstripped binary?
Comment 23 Xavier Bachelot 2010-06-03 17:23:09 EDT
I don't get these rpmlint warnings, neither with a local mock build nor with a koji scratch build (http://koji.fedoraproject.org/koji/taskinfo?taskID=2228313).
Comment 24 Stjepan Gros 2010-06-07 02:14:50 EDT
Ok, here are the new SPEC and SRPM files:

Spec URL:
http://www.zemris.fer.hr/~sgros/stuff/fedora/openvas3/openvas-client.spec
SRPM URL:
http://www.zemris.fer.hr/~sgros/stuff/fedora/openvas3/openvas-client-3.0.0-7.fc13.src.rpm

rpmling on F13 gives me the following output:


$ rpmlint openvas-client-3.0.0-7.fc13.x86_64.rpm 
openvas-client.x86_64: W: unstripped-binary-or-object /usr/bin/OpenVAS-Client
openvas-client.x86_64: W: unstripped-binary-or-object /usr/bin/omp-cli
openvas-client.x86_64: W: manual-page-warning /usr/share/man/man1/OpenVAS-Client.1.gz 243: warning: `UR' not defined
openvas-client.x86_64: W: manual-page-warning /usr/share/man/man1/openvasclient-mkcert.1.gz 31: warning: `UR' not defined
openvas-client.x86_64: W: manual-page-warning /usr/share/man/man1/openvasclient-mkcert.1.gz 33: warning: `UE' not defined
openvas-client.x86_64: W: no-manual-page-for-binary omp-cli
1 packages and 0 specfiles checked; 0 errors, 6 warnings.
Comment 25 Xavier Bachelot 2010-06-07 17:42:42 EDT
ok, I updated rpmlint to 0.97 and I'm now getting the man page warnings, but not the unstripped binaries warning, which are the only warnings I would worry about. Maybe something in your .rpmmacros disable the stripping ? I'd say go ahead, import and build the package, we'll see if this happens again, but my feeling is this is an issue in your setup, not in the spec.
For the others remaining warnings, the missing manual page for omp-cli is not a packaging bug and cannot be fixed easily, and anyway there's no packaging rule enforcing a manpage should be present for every binary. I'm a bit puzzled at the 'UR' and 'UE' not defined warning, but this looks harmless.
Comment 26 Michal Ambroz 2010-06-07 20:08:08 EDT
Hello I can confirm Xavier's findings. 

My OpenVAS-client is definitely stripped (strip comes from binutils-2.20.51.0.2-15.fc13.i686 package).

I have checked yesterday for 3.0.0-6, now I have compiled the 3.0.0-7 to confirm

$rpmlint openvas-client-3.0.0-7.fc13.i686.rpm openvas-client-debuginfo-3.0.0-7.fc13.i686.rpm
openvas-client.i686: W: manual-page-warning /usr/share/man/man1/OpenVAS-Client.1.gz 243: warning: `UR' not defined
openvas-client.i686: W: manual-page-warning /usr/share/man/man1/openvasclient-mkcert.1.gz 31: warning: `UR' not defined
openvas-client.i686: W: manual-page-warning /usr/share/man/man1/openvasclient-mkcert.1.gz 33: warning: `UE' not defined
openvas-client.i686: W: no-manual-page-for-binary omp-cli
2 packages and 0 specfiles checked; 0 errors, 4 warnings.

$ file /usr/bin/OpenVAS-Client 
/usr/bin/OpenVAS-Client: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped

It is really stripped.
Comment 27 Michal Ambroz 2010-06-07 20:24:34 EDT
Koji build of 3.0.0-7 is successfull:
http://koji.fedoraproject.org/koji/taskinfo?taskID=2236964

Files from koji build for x84_64 are stripped as well
$ file OpenVAS-Client omp-cli 
OpenVAS-Client: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
omp-cli:        ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped

Best regards
Michal Ambroz
Comment 28 Michal Ambroz 2010-06-16 04:23:46 EDT
Hello guys,
seems Stjepan is busy (1 week no response), the package is reviewed and main concern (non-stripped binaries) is not reproducible. As we agreed earlier on the principles of co-maintenance I am submitting the CVS request on Stjepan's behalf.


New Package CVS Request
=======================
Package Name: openvas-client
Short Description: Client component of Open Vulnerability Assessment (OpenVAS) Scanner
Owners: sgros huzaifas xavierb rebus
Branches: F-12 F-13 EL-5 EL-6 devel
InitialCC: 

Thank you
Michal Ambroz
Comment 29 Jason Tibbitts 2010-06-18 12:36:24 EDT
CVS done (by process-cvs-requests.py).
Comment 30 Fedora Update System 2010-06-22 00:10:53 EDT
openvas-client-3.0.0-7.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/openvas-client-3.0.0-7.fc12
Comment 31 Fedora Update System 2010-06-22 00:11:02 EDT
openvas-client-3.0.0-7.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/openvas-client-3.0.0-7.fc13
Comment 32 Michal Ambroz 2010-06-22 00:31:45 EDT
Hello,
I have rebuild for F-12 F-13 F-14. Builds for F-12 and F-13 were sumbittend for signing for the updates. Build for EL-5 and EL-6 failed, because openvas-libraries are not in those branches yet.

Please help with testing if you have some spare time.

Best regards
Michal Ambroz
Comment 33 Fedora Update System 2010-06-22 13:19:08 EDT
openvas-client-3.0.0-7.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 34 Fedora Update System 2010-06-22 13:21:12 EDT
openvas-client-3.0.0-7.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.