Bug 571816 - Review Request: clamav-unofficial-sigs - Scripts to download unoffical clamav signatures
Summary: Review Request: clamav-unofficial-sigs - Scripts to download unoffical clamav...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Jason Tibbitts
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-03-09 16:05 UTC by Andrew Colin Kissa
Modified: 2015-07-20 16:41 UTC (History)
2 users (show)

Fixed In Version: clamav-unofficial-sigs-3.7.1-3.el5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-01-21 22:55:25 UTC
Type: ---
j: fedora-review+
kevin: fedora-cvs+


Attachments (Terms of Use)

Description Andrew Colin Kissa 2010-03-09 16:05:07 UTC
Spec URL: http://www.topdog-software.com/oss/SRPMS/fedora/clamav-unofficial-sigs/clamav-unofficial-sigs.spec
SRPM URL: http://www.topdog-software.com/oss/SRPMS/fedora/clamav-unofficial-sigs/clamav-unofficial-sigs-3.7-1.fc12.src.rpm
Description: 
This package contains scripts and configuration files
that provide the capability to download, test, and 
update the 3rd-party signature databases provide by 
Sanesecurity, SecuriteInfo, MalwarePatrol, OITC, 
INetMsg and ScamNailer.

Comment 4 Jason Tibbitts 2010-12-22 19:15:03 UTC
Since you have indicated that you are not going to be working on Fedora, is there any reason for this ticket to stay open?  Or, to put it another way, is there any point in reviewing this at this time?

Comment 5 Andrew Colin Kissa 2010-12-23 13:15:28 UTC
I have some free time during the xmas holidays, i will use that time to fix all my outstanding bugs as NO proven packager has taken them up.

So if you can review it i will work on it.

Comment 6 Jason Tibbitts 2010-12-23 18:29:23 UTC
Sure, I can review it.

There's not really much to this package; it builds fine and rpmlint has only the expected complaints about nonstandard uid and gits, as well as two complaints about missing manpages.  There is actually a manpage, but for some reason it has a different name than the actual executable.  Is there any specific reason for that?  Seems to be something of a mistake by upstream.

I'm pretty sure I traced down the clamav dependencies properly to make sure that the user will be present before this package is installed.  The clamav package is so terrible, however, that I might have missed something.

I'm not entirely sure why the executables in /usr/bin need to be owned by the clamupdate user.  Can you clarify?  The current situation leads to them being writable by clamupdate, which I don't think is a particularly good idea.

The %post scriptlet is decidedly not sane.  Every time this package is updated, a file which you've explicitly marked as %config(noreplace) will be modified if it includes the string "45".  Why not use the existing random wait functionality already in the software?

* source files match upstream.  sha256sum:
  7f8de46da43d8edd06ee1dcd1bc4563e61b23c9bbd368ccf0265576e46f4d90c
   clamav-unofficial-sigs-3.7.1.tar.gz
* package meets naming and versioning guidelines.
* specfile is properly named, is cleanly written and uses macros consistently.
* summary is OK.
* description is OK.
* dist tag is present.
* license field matches the actual license.
* license is open source-compatible.
* license text included in package.
* latest version is being packaged.
* BuildRequires are proper.
* package builds in mock (rawhide, x86_64).
* package installs properly.
* rpmlint has acceptable complaints.
* final provides and requires are sane:
   config(clamav-unofficial-sigs) = 3.7.1-1.fc15
   clamav-unofficial-sigs = 3.7.1-1.fc15
  =
   /bin/sh  
   bind-utils  
   clamav  
   config(clamav-unofficial-sigs) = 3.7.1-1.fc15
   curl  
   diffutils  
   gnupg  
   rsync  

* no bundled libraries.
* owns the directories it creates.
* doesn't own any directories it shouldn't.
* no duplicates in %files.
* file permissions are appropriate.
* no generically named files
X scriptlets are not sane.
* code, not content.
* documentation is small, so no -doc subpackage is necessary.
* %docs are not necessary for the proper functioning of the package.

Comment 7 Andrew Colin Kissa 2010-12-23 18:59:19 UTC
* Upstream have named the command with a .sh because its a shell script, would linking /usr/bin/clamav-unofficial-sigs.sh to /usr/bin/clamav-unofficial-sigs be acceptable ?

* On the ownership you are correct about that will fix

* will fix the post scriptlet

Comment 9 Jason Tibbitts 2010-12-24 02:03:17 UTC
Looks OK to me.

I didn't save the previous package so I don't know if you were running the original cron job as clamupdate instead of root.  That might be something to consider (since it avoids exposing a root-owned process to whatever might come in over the network) but .  And just to be clear, my comments relating to ownership were just about the two files in /usr/bin, not the /var/lib and /var/log stuff, and I certainly didn't intend for you to undo any "run as something other than root" setup if that's what was in place originally.

Comment 11 Jason Tibbitts 2011-01-05 00:05:59 UTC
Looks good, thanks.

APPROVED

Comment 12 Andrew Colin Kissa 2011-01-05 06:34:49 UTC
New Package SCM Request
=======================
Package Name:clamav-unofficial-sigs 
Short Description:Scripts to download unoffical clamav signatures 
Owners:topdog 
Branches:f13 f14 el4 el5 el6 
InitialCC

Comment 13 Jason Tibbitts 2011-01-05 16:03:28 UTC
Git done (by process-git-requests).

Comment 14 Fedora Update System 2011-01-10 10:12:17 UTC
clamav-unofficial-sigs-3.7.1-3.el4 has been submitted as an update for Fedora EPEL 4.
https://admin.fedoraproject.org/updates/clamav-unofficial-sigs-3.7.1-3.el4

Comment 15 Fedora Update System 2011-01-10 10:12:24 UTC
clamav-unofficial-sigs-3.7.1-3.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/clamav-unofficial-sigs-3.7.1-3.fc14

Comment 16 Fedora Update System 2011-01-10 10:12:30 UTC
clamav-unofficial-sigs-3.7.1-3.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/clamav-unofficial-sigs-3.7.1-3.el5

Comment 17 Fedora Update System 2011-01-10 10:12:37 UTC
clamav-unofficial-sigs-3.7.1-3.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/clamav-unofficial-sigs-3.7.1-3.fc13

Comment 18 Fedora Update System 2011-01-10 17:08:22 UTC
clamav-unofficial-sigs-3.7.1-3.el4 has been pushed to the Fedora EPEL 4 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update clamav-unofficial-sigs'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/clamav-unofficial-sigs-3.7.1-3.el4

Comment 19 Fedora Update System 2011-01-21 22:55:19 UTC
clamav-unofficial-sigs-3.7.1-3.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2011-01-21 23:00:49 UTC
clamav-unofficial-sigs-3.7.1-3.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 Fedora Update System 2011-01-26 19:02:07 UTC
clamav-unofficial-sigs-3.7.1-3.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 Fedora Update System 2011-01-26 19:02:24 UTC
clamav-unofficial-sigs-3.7.1-3.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Andrew Colin Kissa 2015-07-20 10:41:13 UTC
Package Change Request
======================
Package Name: clamav-unofficial-sigs
New Branches: epel7
Owners: topdog ondrejj

Comment 24 Kevin Fenzi 2015-07-20 16:41:48 UTC
Git done (by process-git-requests).


Note You need to log in before you can comment on or make changes to this bug.