Bug 564143 - Review Request: fetch-crl - Downloads Certificate Revocation Lists
Summary: Review Request: fetch-crl - Downloads Certificate Revocation Lists
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Mattias Ellert
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-02-11 22:24 UTC by Steve Traylen
Modified: 2010-03-24 18:00 UTC (History)
2 users (show)

Fixed In Version: fetch-crl-2.8.2-1.el5
Clone Of:
Environment:
Last Closed: 2010-03-23 02:05:14 UTC
Type: ---
Embargoed:
mattias.ellert: fedora-review+
j: fedora-cvs+


Attachments (Terms of Use)

Description Steve Traylen 2010-02-11 22:24:37 UTC
Spec URL: http://cern.ch/straylen/rpms/fetch-crl/fetch-crl.spec
SRPM URL: http://cern.ch/straylen/rpms/fetch-crl/fetch-crl-2.8.1-2.fc12.src.rpm
Description:
This tool and associated cron entry ensure that Certificate Revocation
Lists (CRLs) are periodically retrieved from the web sites of the respective
Certification Authorities.
It assumes that the installed CA files follow the hash.crl_url convention.

Comment 1 Mattias Ellert 2010-02-21 09:37:26 UTC
How does this work with the new packaging from IGTF that uses names and two set of symlinks with hash values?

$ rpm -ql ca_NorduGrid
/etc/grid-security/certificates
/etc/grid-security/certificates/1f0e8352.0
/etc/grid-security/certificates/1f0e8352.info
/etc/grid-security/certificates/1f0e8352.namespaces
/etc/grid-security/certificates/1f0e8352.signing_policy
/etc/grid-security/certificates/NorduGrid.crl_url
/etc/grid-security/certificates/NorduGrid.info
/etc/grid-security/certificates/NorduGrid.namespaces
/etc/grid-security/certificates/NorduGrid.pem
/etc/grid-security/certificates/NorduGrid.signing_policy
/etc/grid-security/certificates/d0cd0b27.0
/etc/grid-security/certificates/d0cd0b27.info
/etc/grid-security/certificates/d0cd0b27.namespaces
/etc/grid-security/certificates/d0cd0b27.signing_policy

Comment 2 Steve Traylen 2010-02-21 12:01:00 UTC
Re comment #1

The NorduGrid.crl_url file is processed to create just one

CRL file.

/etc/grid-security/certificates/d0cd0b27.r0

with which ever hash openssl is using.

The "other" crl with the different hash is never created.

Certainly creating both would be a good new feature for fetch-crl.


Verbose log below.

fetch-crl[26519]: 20100221T125647+0100 Starting CRL retrieval process at 20100221T125647+0100
fetch-crl[26519]: 20100221T125647+0100 Using OpenSSL version OpenSSL 1.0.0-fips-beta5 20 Jan 2010 at /usr/bin/openssl
fetch-crl[26519]: 20100221T125647+0100 processing '/etc/grid-security/certificates/NorduGrid.crl_url'
fetch-crl[26519]: 20100221T125648+0100 updating CRL 'NorduGrid Certification Authority (d0cd0b27)'
fetch-crl[26519]: 20100221T125649+0100 File /etc/grid-security/certificates/d0cd0b27.r0 valid: yes
fetch-crl[26519]: 20100221T125649+0100 Completed CRL retrieval process at 20100221T125649+0100


Steve

Comment 3 Mattias Ellert 2010-02-22 12:26:43 UTC
Fedora review fetch-url 2010-02-22

$ rpmlint *.rpm
fetch-crl.noarch: W: spelling-error %description -l en_US cron -> corn, con, crone
fetch-crl.noarch: W: spelling-error %description -l en_US url -> URL, curl, purl
fetch-crl.src: W: spelling-error %description -l en_US cron -> corn, con, crone
fetch-crl.src: W: spelling-error %description -l en_US url -> URL, curl, purl
2 packages and 0 specfiles checked; 0 errors, 4 warnings.

Totally ignorable.

+ package name follows guidelines
+ specfile name after package
+ package license (EU Datagrid) is Fedora approved
+ package license matches license statements in the sources
+ no LICENSE file in sources, the README file does mention the license though
  and this is included as %doc
+ specfile is written in legible English

3004316879 19081 fetch-crl-2.8.1.tar.gz
3004316879 19081 srpm/fetch-crl-2.8.1.tar.gz

+ source matches upstream
+ package builds in mock (Fedora 12)
+ package owns directories it creates
+ no duplicates in %files
+ permissions are sane and %files has %defattr
+ %clean clears buildroot

? minor inconsistent use of macros: e.g. there is both
  fetch-crl-%{version} and %{name}-%{version} used
  redundant / in $RPM_BUILD_ROOT/%{_sysconfdir}
  redundant / in $RPM_BUILD_ROOT/%{_initddir}

+ package does not own other's directories
+ %install clears buildroot
+ filenames are utf-8

There seems to be copies of files in %doc that are already installed
elsewhere for no clear reason. I would suggest removing the copies in %doc.

$ cksum /usr/share/doc/fetch-crl-2.8.1/fetch-crl-boot.init /etc/rc.d/init.d/fetch-crl-boot 
1589392885 1219 /usr/share/doc/fetch-crl-2.8.1/fetch-crl-boot.init
1589392885 1219 /etc/rc.d/init.d/fetch-crl-boot
$ cksum /usr/share/doc/fetch-crl-2.8.1/fetch-crl-cron.cron /etc/cron.d/fetch-crl.cron 
1021051804 348 /usr/share/doc/fetch-crl-2.8.1/fetch-crl-cron.cron
1021051804 348 /etc/cron.d/fetch-crl.cron
$ cksum /usr/share/doc/fetch-crl-2.8.1/fetch-crl-cron.init /etc/rc.d/init.d/fetch-crl-cron 
3689563854 1020 /usr/share/doc/fetch-crl-2.8.1/fetch-crl-cron.init
3689563854 1020 /etc/rc.d/init.d/fetch-crl-cron
$ cksum /usr/share/doc/fetch-crl-2.8.1/fetch-crl.sysconfig /etc/fetch-crl.conf 
784442183 2213 /usr/share/doc/fetch-crl-2.8.1/fetch-crl.sysconfig
784442183 2213 /etc/fetch-crl.conf

Some implementations on cron ignore files in /etc/cron.d that have
periods in the filename. The default Fedora cron does not do this, but
for better portability you might want to drop the .cron extension from
/etc/cron.d/fetch-crl.cron

Comment 4 Steve Traylen 2010-02-22 15:06:39 UTC
Thanks for the comments, all valid and accepted.

http://cern.ch/straylen/rpms/fetch-crl/fetch-crl.spec
http://cern.ch/straylen/rpms/fetch-crl/fetch-crl-2.8.1-3.fc12.src.rpm

Comment 5 Mattias Ellert 2010-02-22 17:21:14 UTC
This looks good. There are still some redundant slashes around and you made a small mistake when fixing the URL tag. It now ends in %{name}-crl which should be just %{name}. But these minor things you can fix post review.

Package approved.

Comment 6 Steve Traylen 2010-02-22 18:04:26 UTC
Thanks for review. 

For the record, updated packages.

http://cern.ch/straylen/rpms/fetch-crl/fetch-crl.spec
http://cern.ch/straylen/rpms/fetch-crl/fetch-crl-2.8.1-4.fc12.src.rpm

It's nice that I first wrote this .spec file some seven years ago...

Steve

Comment 7 Steve Traylen 2010-02-22 18:05:48 UTC
New Package CVS Request
=======================
Package Name: fetch-crl
Short Description: Downloads Certificate Revocation Lists
Owners: stevetraylen
Branches: F-11 F-12 F-13 EL-4 EL-5
InitialCC:

Comment 8 Jason Tibbitts 2010-02-22 20:12:16 UTC
CVS done (by process-cvs-requests.py).

Comment 9 Fedora Update System 2010-02-24 12:37:59 UTC
fetch-crl-2.8.1-4.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/fetch-crl-2.8.1-4.el4

Comment 10 Fedora Update System 2010-02-24 12:38:31 UTC
fetch-crl-2.8.1-4.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/fetch-crl-2.8.1-4.el5

Comment 11 Fedora Update System 2010-02-24 12:38:59 UTC
fetch-crl-2.8.1-4.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/fetch-crl-2.8.1-4.fc11

Comment 12 Fedora Update System 2010-02-24 12:39:34 UTC
fetch-crl-2.8.1-4.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/fetch-crl-2.8.1-4.fc12

Comment 13 Fedora Update System 2010-02-24 12:40:04 UTC
fetch-crl-2.8.1-4.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/fetch-crl-2.8.1-4.fc13

Comment 14 Fedora Update System 2010-02-24 17:35:07 UTC
fetch-crl-2.8.1-4.el4 has been pushed to the Fedora EPEL 4 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update fetch-crl'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-4/FEDORA-EPEL-2010-2309

Comment 15 Fedora Update System 2010-02-24 17:35:13 UTC
fetch-crl-2.8.1-4.el5 has been pushed to the Fedora EPEL 5 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update fetch-crl'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-5/FEDORA-EPEL-2010-2310

Comment 16 Fedora Update System 2010-02-25 12:45:19 UTC
fetch-crl-2.8.1-4.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update fetch-crl'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F13/FEDORA-2010-2839

Comment 17 Fedora Update System 2010-02-26 03:39:31 UTC
fetch-crl-2.8.1-4.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update fetch-crl'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-2933

Comment 18 Fedora Update System 2010-02-26 03:45:33 UTC
fetch-crl-2.8.1-4.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update fetch-crl'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-2956

Comment 19 Fedora Update System 2010-03-04 14:59:08 UTC
fetch-crl-2.8.2-1.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/fetch-crl-2.8.2-1.el4

Comment 20 Fedora Update System 2010-03-04 14:59:43 UTC
fetch-crl-2.8.2-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/fetch-crl-2.8.2-1.el5

Comment 21 Fedora Update System 2010-03-04 15:00:19 UTC
fetch-crl-2.8.2-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/fetch-crl-2.8.2-1.fc11

Comment 22 Fedora Update System 2010-03-04 15:00:53 UTC
fetch-crl-2.8.2-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/fetch-crl-2.8.2-1.fc12

Comment 23 Fedora Update System 2010-03-04 15:01:28 UTC
fetch-crl-2.8.2-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/fetch-crl-2.8.2-1.fc13

Comment 24 Fedora Update System 2010-03-04 20:56:50 UTC
fetch-crl-2.8.2-1.el4 has been pushed to the Fedora EPEL 4 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update fetch-crl'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-4/FEDORA-EPEL-2010-2353

Comment 25 Fedora Update System 2010-03-04 20:56:55 UTC
fetch-crl-2.8.2-1.el5 has been pushed to the Fedora EPEL 5 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update fetch-crl'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-5/FEDORA-EPEL-2010-2355

Comment 26 Fedora Update System 2010-03-05 03:35:03 UTC
fetch-crl-2.8.2-1.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update fetch-crl'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/fetch-crl-2.8.2-1.fc13

Comment 27 Fedora Update System 2010-03-06 03:37:20 UTC
fetch-crl-2.8.2-1.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update fetch-crl'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/fetch-crl-2.8.2-1.fc12

Comment 28 Fedora Update System 2010-03-06 03:46:12 UTC
fetch-crl-2.8.2-1.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update fetch-crl'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/fetch-crl-2.8.2-1.fc11

Comment 29 Fedora Update System 2010-03-23 02:05:09 UTC
fetch-crl-2.8.2-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 30 Fedora Update System 2010-03-23 02:07:31 UTC
fetch-crl-2.8.2-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 31 Fedora Update System 2010-03-23 02:14:36 UTC
fetch-crl-2.8.2-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 32 Fedora Update System 2010-03-24 17:58:40 UTC
fetch-crl-2.8.2-1.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 33 Fedora Update System 2010-03-24 18:00:04 UTC
fetch-crl-2.8.2-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.