Bug 567131 - Review Request: shibboleth - Web Single Sign On
Summary: Review Request: shibboleth - Web Single Sign On
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nobody's working on this, feel free to take it
QA Contact: Fedora Extras Quality Assurance
Whiteboard: NotReady
Depends On:
Reported: 2010-02-21 19:46 UTC by Steve Traylen
Modified: 2011-09-09 12:37 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-04-26 11:33:04 UTC
Type: ---

System ID Priority Status Summary Last Updated
Red Hat Bugzilla 737038 None None None Never

Internal Links: 737038

Description Steve Traylen 2010-02-21 19:46:19 UTC
Spec URL: http://cern.ch/straylen/rpms/shibboleth/shibboleth.spec
SRPM URL: http://cern.ch/straylen/rpms/shibboleth/shibboleth-2.3.1-1.fc13.src.rpm
The Shibboleth System is a standards based, open source software
package for web single sign-on across or within organizational
boundaries. It allows sites to make informed authorization decisions
for individual access of protected online resources in a
privacy-preserving manner.

$ rpmlint SPECS/shibboleth.spec \
          SRPMS/shibboleth-2.3.1-1.fc13.src.rpm \
          RPMS/noarch/shibboleth-doc-2.3.1-1.fc13.noarch.rpm \

shibboleth.x86_64: W: non-standard-uid /var/log/shibboleth shibd
shibboleth.x86_64: W: non-standard-gid /var/log/shibboleth shibd
shibboleth.x86_64: W: non-standard-uid /var/run/shibboleth shibd
shibboleth.x86_64: W: non-standard-gid /var/run/shibboleth shibd
shibboleth.x86_64: W: log-files-without-logrotate /var/log/shibboleth
shibboleth.x86_64: W: no-reload-entry /etc/rc.d/init.d/shibd
shibboleth.x86_64: W: incoherent-init-script-name shibd ('shibboleth', 'shibbolethd')
shibboleth-devel.x86_64: W: no-documentation
5 packages and 1 specfiles checked; 0 errors, 8 warnings.

The uid warnings are expected since shibd runs as user shibd so needs
to be able to write to these directories.

The log-files-without-logrotate warning is expected since log4cpp is 
taking care of the log file rotation and eventual deletion.


Comment 1 Steve Traylen 2010-02-22 19:23:17 UTC
Following comments about one of the patches submitted upstream
this contains a replacement patch. It does the alter the packaging 
in any particular way.

Spec URL: http://cern.ch/straylen/rpms/shibboleth/shibboleth.spec

Comment 2 Mattias Ellert 2010-02-22 21:40:31 UTC
Fedora review shibboleth 2010-02-22

rpmlint results - same as above

The no-reload-entry warning can be fixed. The guidelines say:
"if the service does not support this, do nothing"
So adding the following would resolve this:


The init script also does not support some more of the "required
actions" listed at the above reference (though rpmlint is not
complaining): condrestart, try-restart, force-reload.

You have worked around the missing condrestart in %postun by calling
status + restart instead, so it is not critical for the installation.

+ package named according to guidelines
+ specfile named after package
+ package license "ASL 2.0" is Fedora approved
+ package license matches license statements in the sources

? The corresponding package in Debian says:

"The original upstream source was repackaged to remove the WS-Trust.xsd
schema, which was not distributed under a DFSG-free license."

Should this be done for Fedora too?

The file is strange. The license doesn't seem to grant right to
modify, but the comment at the top says "modified copy".

The corresponding file on the oasis server seems to have a less
questionable license:


"This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind."

+ The license file (LICENSE.txt) is included in %doc
+ specfile is written in legible English

$ cksum shibboleth-sp-2.3.1.tar.gz srpm/shibboleth-sp-2.3.1.tar.gz 
432835999 806177 shibboleth-sp-2.3.1.tar.gz
432835999 806177 srpm/shibboleth-sp-2.3.1.tar.gz

+ sources match upstream
+ builds in mock

? Looks like some build requires are missing:

configure: WARNING: dot not found - will not generate graphics for doxygen documentation
→ missing build requires graphviz ?

checking sql.h usability... no
checking sql.h presence... no
checking for sql.h... no
→ build requires unixODBC should be unixODBC-devel ?

checking for FastCGI support... no
→ there is a build requires on fcgi-devel, but the default is "no"
→ missing configure flag --with-fastcgi=yes ?

checking for Memcached support... no
→ missing build requires libmemcached-devel ?
→ missing configure flag --with-memcached=yes (default is "no" here too) ?

+ ldconfig called appropriately
+ package owns directories it creates

? package should require xml-common since it installs files in /usr/share/xml

+ no duplicates in %files
+ permissions are sane and %files have %defattr
+ %clean clears buildroot

? The pid directory created in the specfile %{_var}/%{name}/run looks strange,
shouldn't it be the other way around: %{_var}/run/%{name}?
The %{_var}/run/%{name} directory seems to be created anyway and is
the one that gets packaged. The one created in the specfile is not.

? The specfile uses the %{_XXXdir} macros for everything except for
/var where %{_var} is used instead of %{_localstatedir}
(not really a big problem - if it is one at all)

+ %doc is not runtime essential
+ subpackages requires main with fully qualified version
+ .la files removed
+ package does not own other's directories
+ %install clears buildroot
+ filenames are utf-8
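
Added example (not part of the review above, nor the package's own tooling): a shell function that pulls every configure check answered "no" and every configure warning out of a build log, which is how the missing build requires in comment 2 show up. The function names are hypothetical, and the sample log reuses the configure lines quoted in that comment plus one constructed "yes" line.

```shell
#!/bin/sh
# Scan a configure/build log for checks that came back "no" and for
# configure warnings, so features that were silently disabled at build
# time are visible during package review.

scan_configure_log() {
    # $1: path to the log file (for example the build.log written by mock)
    awk '
        /^configure: WARNING: / {
            sub(/^configure: WARNING: /, "")
            print "WARNING\t" $0
            next
        }
        /^checking .*\.\.\. no$/ {
            item = $0
            sub(/^checking /, "", item)
            sub(/\.\.\. no$/, "", item)
            sub(/^for /, "", item)
            sub(/ (usability|presence|support)$/, "", item)
            # autoconf probes a header several times; report it once
            if (!(item in seen)) {
                seen[item] = 1
                print "NO\t" item
            }
        }
    ' "$1"
}

# Constructed sample: the WARNING and "no" lines are the ones quoted in
# comment 2; the first line is made up to show that "yes" is ignored.
sample_log() {
    cat <<'EOF'
checking for ANSI C header files... yes
configure: WARNING: dot not found - will not generate graphics for doxygen documentation
checking sql.h usability... no
checking sql.h presence... no
checking for sql.h... no
checking for FastCGI support... no
checking for Memcached support... no
EOF
}

# Scan the log given on the command line, if any.
if [ -n "${1:-}" ]; then
    scan_configure_log "$1"
fi
```

Each "NO" entry is a prompt to check whether a BuildRequires or a configure flag is missing, not proof that one is.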

Comment 3 Steve Traylen 2010-03-30 12:09:08 UTC
This review is a bit stuck since I have become aware of this:


essentially there are known problems with nss linked curl.


Comment 4 Mattias Ellert 2011-04-24 06:31:49 UTC
No news in more than a year - giving back the review.

Comment 5 Bruno Wolff III 2011-07-23 13:25:06 UTC
The limitations of nss_compat_ossl are covered here:
Based on comments in https://bugs.internet2.edu/jira/browse/CPPXT-9 , not being able to use file based certificates may be the biggest limitation. It may be that the way to move forward on this is to start by adding that support to nss_compat_ossl.
