Bug 567131 - Review Request: shibboleth - Web Single Sign On
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Nobody's working on this, feel free to take it
QA Contact: Fedora Extras Quality Assurance
Whiteboard: NotReady
Reported: 2010-02-21 14:46 EST by Steve Traylen
Modified: 2011-09-09 08:37 EDT
Last Closed: 2011-04-26 07:33:04 EDT
Description Steve Traylen 2010-02-21 14:46:19 EST
Spec URL: http://cern.ch/straylen/rpms/shibboleth/shibboleth.spec
SRPM URL: http://cern.ch/straylen/rpms/shibboleth/shibboleth-2.3.1-1.fc13.src.rpm
Description: 
The Shibboleth System is a standards based, open source software
package for web single sign-on across or within organizational
boundaries. It allows sites to make informed authorization decisions
for individual access of protected online resources in a
privacy-preserving manner.


$ rpmlint SPECS/shibboleth.spec \
          SRPMS/shibboleth-2.3.1-1.fc13.src.rpm \
          RPMS/noarch/shibboleth-doc-2.3.1-1.fc13.noarch.rpm \
          RPMS/x86_64/shibboleth-*

shibboleth.x86_64: W: non-standard-uid /var/log/shibboleth shibd
shibboleth.x86_64: W: non-standard-gid /var/log/shibboleth shibd
shibboleth.x86_64: W: non-standard-uid /var/run/shibboleth shibd
shibboleth.x86_64: W: non-standard-gid /var/run/shibboleth shibd
shibboleth.x86_64: W: log-files-without-logrotate /var/log/shibboleth
shibboleth.x86_64: W: no-reload-entry /etc/rc.d/init.d/shibd
shibboleth.x86_64: W: incoherent-init-script-name shibd ('shibboleth', 'shibbolethd')
shibboleth-devel.x86_64: W: no-documentation
5 packages and 1 specfiles checked; 0 errors, 8 warnings.

The uid warnings are expected since shibd runs as user shibd so needs
to be able to write to these directories.

The log-files-without-logrotate warning is expected since log4cpp is 
taking care of the log file rotation and eventual deletion.

Steve
Comment 1 Steve Traylen 2010-02-22 14:23:17 EST
Following comments about one of the patches submitted upstream
this contains a replacement patch. It does the alter the packaging 
in any particular way.

Spec URL: http://cern.ch/straylen/rpms/shibboleth/shibboleth.spec
SRPM URL:
http://cern.ch/straylen/rpms/shibboleth/shibboleth-2.3.1-2.fc13.src.rpm
Comment 2 Mattias Ellert 2010-02-22 16:40:31 EST
Fedora review shibboleth 2010-02-22

rpmlint results - same as above

The no-reload-entry warning can be fixed. The guidelines say:
"if the service does not support this, do nothing"
http://fedoraproject.org/wiki/Packaging:SysVInitScript#Required_Actions
So adding the following would resolve this:

  reload)
        ;;

The init script also does not support some more of the "required
actions" listed at the above reference (though rpmlint is not
complaining): condrestart, try-restart, force-reload.

You have worked around the missing condrestart in %postun by calling
status + restart instead, so it is not critical for the installation.

+ package named according to guidelines
+ specfile named after package
+ package license "ASL 2.0" is Fedora approved
+ package license matches license statements in the sources

? The corresponding package in Debian says:

"The original upstream source was repackaged to remove the WS-Trust.xsd
schema, which was not distributed under a DFSG-free license."

Should this be done for Fedora too?

The file is strange. The license doesn't seem to grant right to
modify, but the comment at the top says "modified copy".

The corresponding file on the oasis server seems to have a less
questionable license:

http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3.xsd

"This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind."

+ The license file (LICENSE.txt) is included in %doc
+ specfile is written in legible English

$ cksum shibboleth-sp-2.3.1.tar.gz srpm/shibboleth-sp-2.3.1.tar.gz 
432835999 806177 shibboleth-sp-2.3.1.tar.gz
432835999 806177 srpm/shibboleth-sp-2.3.1.tar.gz

+ sources match upstream
+ builds in mock

? Looks like some build requires are missing:

configure: WARNING: dot not found - will not generate graphics for doxygen documentation
→ missing build requires graphviz ?

checking sql.h usability... no
checking sql.h presence... no
checking for sql.h... no
→ build requires unixODBC should be unixODBC-devel ?

checking for FastCGI support... no
→ there is a build requires on fcgi-devel, but the default is "no"
→ missing configure flag --with-fastcgi=yes ?

checking for Memcached support... no
→ missing build requires libmemcached-devel ?
→ missing configure flag --with-memcached=yes (default is "no" here too) ?

+ ldconfig called appropriately
+ package owns directories it creates

? package should require xml-common since it installs files in /usr/share/xml

+ no duplicates in %files
+ permissions are sane and %files have %defattr
+ %clean clears buildroot

? The pid directory created in the specfile %{_var}/%{name}/run looks strange,
shouldn't it be the other way around: %{_var}/run/%{name}?
The %{_var}/run/%{name} directory seems to be created anyway and is
the one that gets packaged. The one created in the specfile is not.

? The specfile uses the %{_XXXdir} macros for everything except for
/var where %{_var} is used instead of %{_localstatedir}
(not really a big problem - if it is one at all)

+ %doc is not runtime essential
+ subpackages requires main with fully qualified version
+ .la files removed
+ package does not own other's directories
+ %install clears buildroot
+ filenames are utf-8
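
The init-script check described in Comment 2, as an added example that is not part of the original review or of the shibboleth package: a small shell helper that lists which required actions have no case label. The sample script is constructed for illustration (it is not the package's real shibd init script), and the function names are assumptions.

```shell
#!/bin/sh
# Actions a Fedora SysV init script is expected to accept, including the
# four the review found missing (reload, condrestart, try-restart, force-reload).
REQUIRED_ACTIONS="start stop restart condrestart try-restart reload force-reload status"

# Print the case labels of an init script, one per line.
# Handles "start)" as well as combined labels such as "condrestart|try-restart)".
init_actions() {
    sed -n 's/^[[:space:]]*\([a-z][a-z|-]*\)).*/\1/p' "$1" | tr '|' '\n' | sort -u
}

# Print the required actions that the script does not handle (space separated).
missing_actions() {
    have=$(init_actions "$1")
    missing=""
    for a in $REQUIRED_ACTIONS; do
        printf '%s\n' "$have" | grep -qxF -- "$a" || missing="$missing $a"
    done
    printf '%s\n' "${missing# }"
}

# Constructed sample init script; $1 is optional extra case branches to splice in.
sample_init() {
    cat <<EOF
#!/bin/sh
case "\$1" in
  start)   start ;;
  stop)    stop ;;
  status)  status shibd ;;
  restart) stop; start ;;
$1
  *)       echo "Usage: \$0 {start|stop|status|restart}"; exit 1 ;;
esac
EOF
}

tmp=$(mktemp)
sample_init "" > "$tmp"
echo "missing before fix: $(missing_actions "$tmp")"

# Branches in the spirit of the review: a no-op reload for a service that cannot
# reload, plus the conditional restart variants.
sample_init '  reload) ;;
  condrestart|try-restart) status shibd >/dev/null 2>&1 && { stop; start; } ;;
  force-reload) stop; start ;;' > "$tmp"
echo "missing after fix: $(missing_actions "$tmp")"
rm -f "$tmp"
```
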
Comment 3 Steve Traylen 2010-03-30 08:09:08 EDT
This review is a bit stuck since I have become aware of this:

https://bugs.internet2.edu/jira/browse/CPPXT-9

Essentially there are known problems with nss linked curl.

Steve
Comment 4 Mattias Ellert 2011-04-24 02:31:49 EDT
No news in more than a year - giving back the review.
Comment 5 Bruno Wolff III 2011-07-23 09:25:06 EDT
The limitations of nss_compat_ossl are covered here:
http://fedoraproject.org/wiki/Nss_compat_ossl
Based on comments in https://bugs.internet2.edu/jira/browse/CPPXT-9, not being able to use file based certificates may be the biggest limitation. It may be that the way to move forward on this is to start by adding that support to nss_compat_ossl.
