Red Hat Bugzilla – Bug 587978
Review Request: whatweb - Web scanner to identify what websites are running
Last modified: 2017-12-10 00:41:48 EST
SPEC URL: http://rebus.fedorapeople.org/12/SPECS/whatweb.spec SRPM URL: http://rebus.fedorapeople.org/12/SRPMS/whatweb-0.4.2-1.fc12.src.rpm Description: Identify content management systems (CMS), blogging platforms, stats/analytic packages, JavaScript libraries, servers and more. When you visit a website in your browser the transaction includes many unseen hints about how the web-server is set up and what software is delivering the web-page. Some of these hints are obvious, ex. “Powered by XYZ” and others are more subtle. WhatWeb recognizes these hints and reports what it finds. Hello, Please could you review the package whatweb? Output from rpmlint: $ rpmlint whatweb-0.4.2-1.fc12.noarch.rpm whatweb-0.4.2-1.fc12.src.rpm 2 packages and 0 specfiles checked; 0 errors, 0 warnings. Koji F12: http://koji.fedoraproject.org/koji/taskinfo?taskID=2154469 Koji F13: http://koji.fedoraproject.org/koji/taskinfo?taskID=2154471
Add dep on ruby: $ whatweb /usr/bin/env: ruby: No such file or directory
You should package anemone seperately: http://anemone.rubyforge.org/
(In reply to comment #1) > Add dep on ruby: Strange - I wanted to add dependency by following guideline for ruby. Apparently it was not enough adding the: Requires: ruby(abi) = 1.8 Thank you Terje for noticing that - I will add file dependency for ruby binary as well. SPEC URL: http://rebus.fedorapeople.org/12/SPECS/whatweb.spec SRPM URL: http://rebus.fedorapeople.org/12/SRPMS/whatweb-0.4.2-2.fc12.src.rpm (In reply to comment #2) > You should package anemone seperately: > http://anemone.rubyforge.org/ Original anemone project has got some extra dependencies. Version present in whatweb is standalone patched version of anemone without some dependencies. Best regards. Michal Ambroz
(In reply to comment #3) > (In reply to comment #1) > (In reply to comment #2) > > You should package anemone seperately: > > http://anemone.rubyforge.org/ > Original anemone project has got some extra dependencies. > Version present in whatweb is standalone patched version of anemone without > some dependencies. So please explain why you want to avoid additional dependency for this package. I don't think that so huge additonal dependency will be added. Using copy of external project is generally forbidden on Fedora and it should be packaged: https://fedoraproject.org/wiki/Packaging/Guidelines#Duplication_of_system_libraries https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries
As written on the above URLs, one of the biggest reasons is that when a new version of the package is released for (security) bug fixes or so, it gets very hard for us to track if such bug fixes are also applied to ones internally bundled in other packages.
Hello Mamoru, thank you for your comments. I will consider packing anemone and patching the whatweb to use sytem library of anemone. (In reply to comment #4) > https://fedoraproject.org/wiki/Packaging/Guidelines#Duplication_of_system_libraries I believe this link is not relevant as there is currenlty no anemone library in Fedora. >https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries However according this there probably should be one. Best regards Michal Ambroz
SPEC URL: http://rebus.fedorapeople.org/13/SPECS/whatweb.spec SRPM URL: http://rebus.fedorapeople.org/13/SRPMS/whatweb-0.4.5-1.fc13.src.rpm Rebuild of new version 0.4.5 of whatweb. I still didn't manage to patch to separate anemone library from whatweb. Michal Ambroz
(In reply to comment #7) > I still didn't manage to patch to separate anemone library from whatweb. > First please submit rubygem-anemome review request. Then I guess replacing ------------------------------------------------ require 'lib/anemone/anemone.rb' ------------------------------------------------ in whatweb script to ------------------------------------------------ require 'rubygems' require 'anemone' ------------------------------------------------ should work (if anemone 0.4.0 still supports anemone 0.2.0 API: anemone bundled in whatweb 0.4.5 is 0.2.0, while the latest anemone is 0.4.0)
ping?
U have submitted for review package rubygems-robots, which is needed for rubygems-anemone. Bug 632912.
U have submitted for review package rubygems-shoulda, which is needed for rubygems-robots, which is needed for rubygems-anemone. Bug 632917.
I have submitted for review package rubygems-anemone, which is needed for whatweb. Bug 632919
SPEC URL: http://rebus.fedorapeople.org/SPECS/whatweb.spec SRPM URL: http://rebus.fedorapeople.org/SRPMS/whatweb-0.4.5-2.fc13.src.rpm Patch to use system-wide rubygems anemone library rather than local copy of anemone library. Koji F13: http://koji.fedoraproject.org/koji/taskinfo?taskID=2462168 $ rpmlint whatweb-0.4.5-2.fc13.src.rpm whatweb-0.4.5-2.fc13.noarch.rpm 2 packages and 0 specfiles checked; 0 errors, 0 warnings. Best regards Michal Ambroz
Whatweb doesn't work with the upstream anemone version. Issue reported to whatweb developer, waiting for fix.
This message is a reminder that Fedora 12 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 12. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '12'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 12's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 12 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
New version of whatweb released. This version still requires embedded old patched version of anemone. http://rebus.fedorapeople.org/RPMS/whatweb-0.4.6-1.fc14.noarch.rpm http://rebus.fedorapeople.org/SPECS/whatweb.spec http://rebus.fedorapeople.org/SRPMS/whatweb-0.4.6-1.fc14.src.rpm Michal Ambroz
New version of whatweb released. This version requires embedded old patched version of anemone. http://rebus.fedorapeople.org/SPECS/whatweb.spec http://rebus.fedorapeople.org/RPMS/whatweb-0.4.7-1.fc14.noarch.rpm http://rebus.fedorapeople.org/SRPMS/whatweb-0.4.7-1.fc14.src.rpm
I am sorry - It is not in my powers to separate the anemone library from the package. The package works for me as is and separation is not supported by the upstream. I am stepping down from pushing this package to Fedora. Best regards Michal Ambroz
Reopening the package review request. It seems that the whatweb is in next upcoming version dropping the support for the anemone library as whole. http://rebus.fedorapeople.org/SPECS/whatweb.spec http://rebus.fedorapeople.org/RPMS/whatweb-0.4.8-0.git20120708.1.fc17.noarch.rpm http://rebus.fedorapeople.org/SRPMS/whatweb-0.4.8-0.git20120708.1.fc17.src.rpm Michal Ambroz
Package Review ============== Key: - = N/A x = Pass ! = Fail ? = Not evaluated ==== Generic ==== [x]: EXTRA Rpmlint is run on all installed packages. Note: There are rpmlint messages (see attachment). [x]: EXTRA Spec file according to URL is the same as in SRPM. [x]: MUST Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines. [x]: MUST Package successfully compiles and builds into binary rpms on at least one supported primary architecture. [ ]: MUST %build honors applicable compiler flags or justifies otherwise. [x]: MUST All build dependencies are listed in BuildRequires, except for any that are listed in the exceptions section of Packaging Guidelines. [ ]: MUST Package contains no bundled libraries. [ ]: MUST Changelog in prescribed format. [ ]: MUST Sources contain only permissible code or content. [!]: MUST Each %files section contains %defattr if rpm < 4.4 Note: defattr(....) present in %files section. This is OK if packaging for EPEL5. Otherwise not needed [ ]: MUST Macros in Summary, %description expandable at SRPM build time. [ ]: MUST Package contains desktop file if it is a GUI application. [ ]: MUST Development files must be in a -devel package [ ]: MUST Package requires other packages for directories it uses. [ ]: MUST Package uses nothing in %doc for runtime. [ ]: MUST Package is not known to require ExcludeArch. [x]: MUST Permissions on files are set properly. [x]: MUST Package does not contain duplicates in %files. [ ]: MUST Package complies to the Packaging Guidelines [x]: MUST Spec file lacks Packager, Vendor, PreReq tags. [!]: MUST Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install. Note: rm -rf is only needed if supporting EPEL5. This is acceptable if you plan to package for EPEL5 [ ]: MUST Large documentation files are in a -doc subpackage, if required. [x]: MUST If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %doc. [x]: MUST License field in the package spec file matches the actual license. Note: Checking patched sources after %prep for licenses. Licenses found: "GPL" For detailed output of licensecheck (see attachment) [x]: MUST Package consistently uses macro is (instead of hard-coded directory names). [x]: MUST Package is named using only allowed ascii characters. [x]: MUST Package is named according to the Package Naming Guidelines. [ ]: MUST Package does not generate any conflict. Note: Package contains no Conflicts: tag(s) [ ]: MUST Package obeys FHS, except libexecdir and /usr/target. [ ]: MUST If the package is a rename of another package, proper Obsoletes and Provides are present. [ ]: MUST Package must own all directories that it creates. [ ]: MUST Package does not own files or directories owned by other packages. [x]: MUST Package installs properly. [ ]: MUST Package is not relocatable. [ ]: MUST Requires correct, justified where necessary. [x]: MUST Rpmlint is run on all rpms the build produces. Note: There are rpmlint messages (see attachment). [!]: MUST Sources used to build the package match the upstream source, as provided in the spec URL. Note: See below. [x]: MUST Spec file is legible and written in American English. [x]: MUST Spec file name must match the spec package %{name}, in the format %{name}.spec. [ ]: MUST Package contains systemd file(s) if in need. [x]: MUST File names are valid UTF-8. [x]: SHOULD Reviewer should test that the package builds in mock. [!]: SHOULD Buildroot is not present Note: Buildroot is not needed unless packager plans to package for EPEL5 [!]: SHOULD Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT) Note: Clean is needed only if supporting EPEL5 [ ]: SHOULD If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it. [x]: SHOULD Dist tag is present. [x]: SHOULD No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin. [ ]: SHOULD Final provides and requires are sane (rpm -q --provides and rpm -q --requires). [ ]: SHOULD Package functions as described. [ ]: SHOULD Latest version is packaged. [ ]: SHOULD Package does not include license text files separate from upstream. [ ]: SHOULD Patches link to upstream bugs/comments/lists or are otherwise justified. [x]: SHOULD SourceX tarball generation or download is documented. [!]: SHOULD SourceX / PatchY prefixed with %{name}. Note: Source0 (urbanadventurer-WhatWeb-1dc2cff.tar.gz) [x]: SHOULD SourceX is a working URL. [ ]: SHOULD Description and summary sections in the package spec file contains translations for supported Non-English languages, if available. [ ]: SHOULD Package should compile and build into binary rpms on all supported architectures. [ ]: SHOULD %check is present and all tests pass. [ ]: SHOULD Packages should try to preserve timestamps of original installed files. [!]: SHOULD Spec use %global instead of %define. Note: %define gituser urbanadventurer %define gitname WhatWeb %define gitversion 1dc2cff Issues: [!]: MUST Each %files section contains %defattr if rpm < 4.4 Note: defattr(....) present in %files section. This is OK if packaging for EPEL5. Otherwise not needed See: http://fedoraproject.org/wiki/Packaging/Guidelines#FilePermissions [!]: MUST Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install. Note: rm -rf is only needed if supporting EPEL5 See: None [!]: MUST Sources used to build the package match the upstream source, as provided in the spec URL. Note: Upstream MD5sum check error. See: http://fedoraproject.org/wiki/Packaging/SourceURL Rpmlint ------- Checking: whatweb-0.4.8-0.git20120708.1.fc16.src.rpm whatweb-0.4.8-0.git20120708.1.fc16.noarch.rpm whatweb.src:15: W: macro-in-comment %{name} whatweb.src:15: W: macro-in-comment %{version} whatweb.src: W: file-size-mismatch urbanadventurer-WhatWeb-1dc2cff.tar.gz = 1238667, https://github.com/urbanadventurer/WhatWeb/tarball/master/urbanadventurer-WhatWeb-1dc2cff.tar.gz = 1254743 2 packages and 0 specfiles checked; 0 errors, 3 warnings. Rpmlint (installed packages) ---------------------------- Cannot parse rpmlint output: Requires -------- whatweb-0.4.8-0.git20120708.1.fc16.noarch.rpm (rpmlib, GLIBC filtered): /bin/bash /bin/sh /usr/bin/env /usr/bin/ruby ruby(abi) >= 1.8 Provides -------- whatweb-0.4.8-0.git20120708.1.fc16.noarch.rpm: whatweb = 0.4.8-0.git20120708.1.fc16 MD5-sum check ------------- https://github.com/urbanadventurer/WhatWeb/tarball/master/urbanadventurer-WhatWeb-1dc2cff.tar.gz : CHECKSUM(SHA256) this package : fcedeb9373d104f9c09a23e66e2f2bdf892829d2a7b354112b190e6caabb0c4f CHECKSUM(SHA256) upstream package : 9efffec153c594c3a767dc81f0d97babdc62172d82d6bf69f4096d7744c19010 diff -r also reports differences Generated by fedora-review 0.2.2 (9f8c0e5) last change: 2012-08-09 Command line :/usr/bin/fedora-review -b=587978 External plugins:
Created attachment 607410 [details] License Check
Created attachment 607411 [details] md5sum
SPEC URL: http://rebus.fedorapeople.org/SPECS/whatweb.spec SRPM URL: http://rebus.fedorapeople.org/SRPMS/whatweb-0.4.8-0.git20150507.48b9682.1.fc21.src.rpm Bump to current git snapshot.
Ping?
SPEC URL: https://rebus.fedorapeople.org/SPECS/whatweb.spec SRPM URL: https://rebus.fedorapeople.org/SRPMS/whatweb-0.4.8-0.git20160611.1.fc23.src.rpm Bump to current git snapshot.
SPEC URL: https://rebus.fedorapeople.org/SPECS/whatweb.spec SRPM URL: https://rebus.fedorapeople.org/SRPMS/whatweb-0.4.9-1.fc27.src.rpm Bump to current upstream release. >[!]: MUST Each %files section contains %defattr if rpm < 4.4 defattr removed >[!]: MUST Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the cleaning of the buildroot removed >[!]: MUST Sources used to build the package match the upstream source, as The release should MD5 match much better than git commit ad-hoc snapshot (please note that gzip contains timestamps so it might not be MD5 same). >[!]: SHOULD Buildroot is not present removed >[!]: SHOULD Package has no %clean section with rm -rf %{buildroot} (or removed >[!]: SHOULD SourceX / PatchY prefixed with %{name}. link to release source is now resulting in whatweb-0.4.9.tar.gz >[!]: SHOULD Spec use %global instead of %define. define changed to global Best regards Michal Ambroz