Bug 587978 - (whatweb) Review Request: whatweb - Web scanner to identify what websites are running
Status: ASSIGNED
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: Randall "Randy" Berry
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Depends On: 632917 632919
Blocks: FE-SECLAB
Reported: 2010-05-01 19:00 EDT by Michal Ambroz
Modified: 2017-12-10 00:41 EST (History)
Last Closed: 2012-04-16 21:10:54 EDT
randyn3lrx: fedora‑review?


Attachments:
License Check (218.00 KB, text/plain), 2012-08-28 02:13 EDT, Randall "Randy" Berry (randyn3lrx: review?)
md5sum (253 bytes, text/plain), 2012-08-28 02:16 EDT, Randall "Randy" Berry (no flags)

Description Michal Ambroz 2010-05-01 19:00:15 EDT
SPEC URL: http://rebus.fedorapeople.org/12/SPECS/whatweb.spec
SRPM URL: http://rebus.fedorapeople.org/12/SRPMS/whatweb-0.4.2-1.fc12.src.rpm

Description:
Identify content management systems (CMS), blogging platforms, stats/analytic
packages, JavaScript libraries, servers and more. When you visit a website in
your browser the transaction includes many unseen hints about how the web-server
is set up and what software is delivering the web-page. Some of these hints are
obvious, ex. “Powered by XYZ” and others are more subtle. WhatWeb recognizes
these hints and reports what it finds.

Hello,
Please could you review the package whatweb?

Output from rpmlint:
$ rpmlint whatweb-0.4.2-1.fc12.noarch.rpm whatweb-0.4.2-1.fc12.src.rpm
2 packages and 0 specfiles checked; 0 errors, 0 warnings.

Koji F12: http://koji.fedoraproject.org/koji/taskinfo?taskID=2154469
Koji F13: http://koji.fedoraproject.org/koji/taskinfo?taskID=2154471
Comment 1 Terje Røsten 2010-05-02 14:18:25 EDT
Add dep on ruby:

$ whatweb
/usr/bin/env: ruby: No such file or directory
Comment 2 Mamoru TASAKA 2010-05-02 14:32:49 EDT
You should package anemone separately:
http://anemone.rubyforge.org/
Comment 3 Michal Ambroz 2010-05-02 17:54:59 EDT
(In reply to comment #1)
> Add dep on ruby:
Strange - I wanted to add dependency by following guideline for ruby. Apparently it was not enough adding the:
Requires:       ruby(abi) = 1.8

Thank you Terje for noticing that - I will add file dependency for ruby binary as well.
SPEC URL: http://rebus.fedorapeople.org/12/SPECS/whatweb.spec
SRPM URL: http://rebus.fedorapeople.org/12/SRPMS/whatweb-0.4.2-2.fc12.src.rpm


(In reply to comment #2)
> You should package anemone separately:
> http://anemone.rubyforge.org/    
Original anemone project has got some extra dependencies.
Version present in whatweb is standalone patched version of anemone without some dependencies. 

Best regards.
Michal Ambroz
Comment 4 Mamoru TASAKA 2010-05-03 00:20:22 EDT
(In reply to comment #3)
> (In reply to comment #1)

> (In reply to comment #2)
> > You should package anemone separately:
> > http://anemone.rubyforge.org/    
> Original anemone project has got some extra dependencies.
> Version present in whatweb is standalone patched version of anemone without
> some dependencies. 

So please explain why you want to avoid additional dependency for
this package. I don't think that so huge additional dependency will
be added. Using copy of external project is generally forbidden
on Fedora and it should be packaged:

https://fedoraproject.org/wiki/Packaging/Guidelines#Duplication_of_system_libraries
https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries
Comment 5 Mamoru TASAKA 2010-05-03 00:26:07 EDT
As written on the above URLs, one of the biggest reasons is that
when a new version of the package is released for (security) bug fixes
or so, it gets very hard for us to track if such bug fixes are also
applied to ones internally bundled in other packages.
Comment 6 Michal Ambroz 2010-05-03 05:02:11 EDT
Hello Mamoru,
thank you for your comments. 
I will consider packing anemone and patching the whatweb to use system library of anemone.

(In reply to comment #4)
> https://fedoraproject.org/wiki/Packaging/Guidelines#Duplication_of_system_libraries
I believe this link is not relevant as there is currently no anemone library in Fedora.

> https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries
However according to this there probably should be one.

Best regards
Michal Ambroz
Comment 7 Michal Ambroz 2010-08-23 18:24:53 EDT
SPEC URL: http://rebus.fedorapeople.org/13/SPECS/whatweb.spec
SRPM URL: http://rebus.fedorapeople.org/13/SRPMS/whatweb-0.4.5-1.fc13.src.rpm

Rebuild of new version 0.4.5 of whatweb.
I still didn't manage to patch to separate anemone library from whatweb.

Michal Ambroz
Comment 8 Mamoru TASAKA 2010-08-30 14:05:07 EDT
(In reply to comment #7)
> I still didn't manage to patch to separate anemone library from whatweb.
> 

First please submit rubygem-anemone review request.
Then I guess replacing
------------------------------------------------
require 'lib/anemone/anemone.rb'
------------------------------------------------
in whatweb script to
------------------------------------------------
require 'rubygems'
require 'anemone'
------------------------------------------------
should work (if anemone 0.4.0 still supports anemone 0.2.0 API:
anemone bundled in whatweb 0.4.5 is 0.2.0, while the latest anemone
is 0.4.0)
Comment 9 Mamoru TASAKA 2010-09-11 12:15:00 EDT
ping?
Comment 10 Michal Ambroz 2010-09-11 16:52:46 EDT
I have submitted for review package rubygems-robots, which is needed for rubygems-anemone.
Bug 632912.
Comment 11 Michal Ambroz 2010-09-11 17:52:29 EDT
I have submitted for review package rubygems-shoulda, which is needed for rubygems-robots, which is needed for rubygems-anemone.
Bug 632917.
Comment 12 Michal Ambroz 2010-09-11 18:24:22 EDT
I have submitted for review package rubygems-anemone, which is needed for whatweb.
Bug 632919
Comment 13 Michal Ambroz 2010-09-11 18:53:08 EDT
SPEC URL: http://rebus.fedorapeople.org/SPECS/whatweb.spec
SRPM URL: http://rebus.fedorapeople.org/SRPMS/whatweb-0.4.5-2.fc13.src.rpm

Patch to use system-wide rubygems anemone library rather than local copy of anemone library.

Koji F13: http://koji.fedoraproject.org/koji/taskinfo?taskID=2462168

$ rpmlint whatweb-0.4.5-2.fc13.src.rpm whatweb-0.4.5-2.fc13.noarch.rpm
2 packages and 0 specfiles checked; 0 errors, 0 warnings.

Best regards
Michal Ambroz
Comment 14 Michal Ambroz 2010-09-22 20:03:06 EDT
Whatweb doesn't work with the upstream anemone version.
Issue reported to whatweb developer, waiting for fix.
Comment 15 Bug Zapper 2010-11-03 11:52:32 EDT
This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 12 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 16 Michal Ambroz 2011-03-27 19:16:46 EDT
New version of whatweb released.
This version still requires embedded old patched version of anemone.

http://rebus.fedorapeople.org/RPMS/whatweb-0.4.6-1.fc14.noarch.rpm
http://rebus.fedorapeople.org/SPECS/whatweb.spec
http://rebus.fedorapeople.org/SRPMS/whatweb-0.4.6-1.fc14.src.rpm

Michal Ambroz
Comment 17 Michal Ambroz 2011-04-05 18:27:47 EDT
New version of whatweb released.
This version requires embedded old patched version of anemone.

http://rebus.fedorapeople.org/SPECS/whatweb.spec
http://rebus.fedorapeople.org/RPMS/whatweb-0.4.7-1.fc14.noarch.rpm
http://rebus.fedorapeople.org/SRPMS/whatweb-0.4.7-1.fc14.src.rpm
Comment 18 Michal Ambroz 2012-04-16 21:10:54 EDT
I am sorry - It is not in my powers to separate the anemone library from the package. The package works for me as is and separation is not supported by the upstream.

I am stepping down from pushing this package to Fedora.
Best regards 

Michal Ambroz
Comment 19 Michal Ambroz 2012-07-08 12:12:41 EDT
Reopening the package review request.
It seems that the whatweb is in next upcoming version dropping the support for the anemone library as whole.

http://rebus.fedorapeople.org/SPECS/whatweb.spec
http://rebus.fedorapeople.org/RPMS/whatweb-0.4.8-0.git20120708.1.fc17.noarch.rpm 
http://rebus.fedorapeople.org/SRPMS/whatweb-0.4.8-0.git20120708.1.fc17.src.rpm

Michal Ambroz
Comment 20 Randall "Randy" Berry 2012-08-28 02:12:51 EDT
Package Review
==============

Key:
- = N/A
x = Pass
! = Fail
? = Not evaluated



==== Generic ====
[x]: EXTRA Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).
[x]: EXTRA Spec file according to URL is the same as in SRPM.
[x]: MUST Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[x]: MUST Package successfully compiles and builds into binary rpms on at
     least one supported primary architecture.
[ ]: MUST %build honors applicable compiler flags or justifies otherwise.
[x]: MUST All build dependencies are listed in BuildRequires, except for any
     that are listed in the exceptions section of Packaging Guidelines.
[ ]: MUST Package contains no bundled libraries.
[ ]: MUST Changelog in prescribed format.
[ ]: MUST Sources contain only permissible code or content.
[!]: MUST Each %files section contains %defattr if rpm < 4.4
     Note: defattr(....) present in %files section. This is OK if packaging
     for EPEL5. Otherwise not needed
[ ]: MUST Macros in Summary, %description expandable at SRPM build time.
[ ]: MUST Package contains desktop file if it is a GUI application.
[ ]: MUST Development files must be in a -devel package
[ ]: MUST Package requires other packages for directories it uses.
[ ]: MUST Package uses nothing in %doc for runtime.
[ ]: MUST Package is not known to require ExcludeArch.
[x]: MUST Permissions on files are set properly.
[x]: MUST Package does not contain duplicates in %files.
[ ]: MUST Package complies to the Packaging Guidelines
[x]: MUST Spec file lacks Packager, Vendor, PreReq tags.
[!]: MUST Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install. 
     Note: rm -rf is only needed if supporting EPEL5. This is acceptable if you plan to package for EPEL5 
[ ]: MUST Large documentation files are in a -doc subpackage, if required.
[x]: MUST If (and only if) the source package includes the text of the
     license(s) in its own file, then that file, containing the text of the
     license(s) for the package is included in %doc.
[x]: MUST License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses found:
     "GPL" For detailed output of licensecheck (see attachment)
[x]: MUST Package consistently uses macro is (instead of hard-coded directory
     names).
[x]: MUST Package is named using only allowed ascii characters.
[x]: MUST Package is named according to the Package Naming Guidelines.
[ ]: MUST Package does not generate any conflict.
     Note: Package contains no Conflicts: tag(s)
[ ]: MUST Package obeys FHS, except libexecdir and /usr/target.
[ ]: MUST If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[ ]: MUST Package must own all directories that it creates.
[ ]: MUST Package does not own files or directories owned by other packages.
[x]: MUST Package installs properly.
[ ]: MUST Package is not relocatable.
[ ]: MUST Requires correct, justified where necessary.
[x]: MUST Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[!]: MUST Sources used to build the package match the upstream source, as
     provided in the spec URL.
     Note: See below.
[x]: MUST Spec file is legible and written in American English.
[x]: MUST Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[ ]: MUST Package contains systemd file(s) if in need.
[x]: MUST File names are valid UTF-8.
[x]: SHOULD Reviewer should test that the package builds in mock.
[!]: SHOULD Buildroot is not present
     Note: Buildroot is not needed unless packager plans to package for EPEL5
[!]: SHOULD Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
     Note: Clean is needed only if supporting EPEL5
[ ]: SHOULD If the source package does not include license text(s) as a
     separate file from upstream, the packager SHOULD query upstream to
     include it.
[x]: SHOULD Dist tag is present.
[x]: SHOULD No file requires outside of /etc, /bin, /sbin, /usr/bin,
     /usr/sbin.
[ ]: SHOULD Final provides and requires are sane (rpm -q --provides and rpm -q
     --requires).
[ ]: SHOULD Package functions as described.
[ ]: SHOULD Latest version is packaged.
[ ]: SHOULD Package does not include license text files separate from
     upstream.
[ ]: SHOULD Patches link to upstream bugs/comments/lists or are otherwise
     justified.
[x]: SHOULD SourceX tarball generation or download is documented.
[!]: SHOULD SourceX / PatchY prefixed with %{name}.
     Note: Source0 (urbanadventurer-WhatWeb-1dc2cff.tar.gz)
[x]: SHOULD SourceX is a working URL.
[ ]: SHOULD Description and summary sections in the package spec file contains
     translations for supported Non-English languages, if available.
[ ]: SHOULD Package should compile and build into binary rpms on all supported
     architectures.
[ ]: SHOULD %check is present and all tests pass.
[ ]: SHOULD Packages should try to preserve timestamps of original installed
     files.
[!]: SHOULD Spec use %global instead of %define.
     Note: %define gituser urbanadventurer %define gitname WhatWeb %define
     gitversion 1dc2cff

Issues:
[!]: MUST Each %files section contains %defattr if rpm < 4.4
     Note: defattr(....) present in %files section. This is OK if packaging
     for EPEL5. Otherwise not needed
See: http://fedoraproject.org/wiki/Packaging/Guidelines#FilePermissions
[!]: MUST Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
     Note: rm -rf is only needed if supporting EPEL5
See: None
[!]: MUST Sources used to build the package match the upstream source, as
     provided in the spec URL.
     Note: Upstream MD5sum check error.
See: http://fedoraproject.org/wiki/Packaging/SourceURL

Rpmlint
-------
Checking: whatweb-0.4.8-0.git20120708.1.fc16.src.rpm
          whatweb-0.4.8-0.git20120708.1.fc16.noarch.rpm
whatweb.src:15: W: macro-in-comment %{name}
whatweb.src:15: W: macro-in-comment %{version}
whatweb.src: W: file-size-mismatch urbanadventurer-WhatWeb-1dc2cff.tar.gz = 1238667, https://github.com/urbanadventurer/WhatWeb/tarball/master/urbanadventurer-WhatWeb-1dc2cff.tar.gz = 1254743
2 packages and 0 specfiles checked; 0 errors, 3 warnings.


Rpmlint (installed packages)
----------------------------
Cannot parse rpmlint output:

Requires
--------
whatweb-0.4.8-0.git20120708.1.fc16.noarch.rpm (rpmlib, GLIBC filtered):
    
    /bin/bash  
    /bin/sh  
    /usr/bin/env  
    /usr/bin/ruby  
    ruby(abi) >= 1.8

Provides
--------
whatweb-0.4.8-0.git20120708.1.fc16.noarch.rpm:
    
    whatweb = 0.4.8-0.git20120708.1.fc16

MD5-sum check
-------------
https://github.com/urbanadventurer/WhatWeb/tarball/master/urbanadventurer-WhatWeb-1dc2cff.tar.gz :
  CHECKSUM(SHA256) this package     : fcedeb9373d104f9c09a23e66e2f2bdf892829d2a7b354112b190e6caabb0c4f
  CHECKSUM(SHA256) upstream package : 9efffec153c594c3a767dc81f0d97babdc62172d82d6bf69f4096d7744c19010
diff -r also reports differences


Generated by fedora-review 0.2.2 (9f8c0e5) last change: 2012-08-09
Command line :/usr/bin/fedora-review -b=587978
External plugins:
Comment 21 Randall "Randy" Berry 2012-08-28 02:13:08 EDT
Created attachment 607410 [details]
License Check
Comment 22 Randall "Randy" Berry 2012-08-28 02:16:16 EDT
Created attachment 607411 [details]
md5sum
Comment 24 Pavel Alexeev 2015-12-03 14:37:31 EST
Ping?
Comment 25 Michal Ambroz 2016-06-20 21:24:09 EDT
SPEC URL: https://rebus.fedorapeople.org/SPECS/whatweb.spec
SRPM URL: https://rebus.fedorapeople.org/SRPMS/whatweb-0.4.8-0.git20160611.1.fc23.src.rpm

Bump to current git snapshot.
Comment 26 Michal Ambroz 2017-12-10 00:41:48 EST
SPEC URL: https://rebus.fedorapeople.org/SPECS/whatweb.spec
SRPM URL: https://rebus.fedorapeople.org/SRPMS/whatweb-0.4.9-1.fc27.src.rpm

Bump to current upstream release.

> [!]: MUST Each %files section contains %defattr if rpm < 4.4
defattr removed

> [!]: MUST Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
cleaning of the buildroot removed

> [!]: MUST Sources used to build the package match the upstream source, as
The release should MD5 match much better than git commit ad-hoc snapshot (please note that gzip contains timestamps so it might not be MD5 same).

> [!]: SHOULD Buildroot is not present
removed

> [!]: SHOULD Package has no %clean section with rm -rf %{buildroot} (or
removed

> [!]: SHOULD SourceX / PatchY prefixed with %{name}.
link to release source is now resulting in whatweb-0.4.9.tar.gz

> [!]: SHOULD Spec use %global instead of %define.
define changed to global


Best regards
Michal Ambroz
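
Added example (not part of the bug thread, and not fedora-review's own code): the source check in comment 20 compares digests of the two `.tar.gz` files, and comment 26 points out that the gzip wrapper carries a timestamp. This Python sketch tells a wrapper-only difference apart from a real content difference by hashing the compressed file, the decompressed tar stream, and each member; the archives, file names and mtime values are constructed in memory for illustration.

```python
import gzip
import hashlib
import io
import tarfile

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_tgz(files: dict, gzip_mtime: int) -> bytes:
    """Build a .tar.gz in memory (constructed sample, not the real tarball)."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, body in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            info.mtime = 0  # fixed member mtime so only the gzip header varies
            tar.addfile(info, io.BytesIO(body))
    out = io.BytesIO()
    # mtime lands in the gzip header, so it changes the digest of the .gz file
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gzip_mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def member_digests(tgz: bytes) -> dict:
    """Map each regular file in the archive to the SHA256 of its content."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        for m in tar:
            if m.isfile():
                digests[m.name] = sha256(tar.extractfile(m).read())
    return digests

def compare_sources(packaged: bytes, upstream: bytes) -> dict:
    """Compare at three levels: .gz bytes, tar payload, individual files."""
    a, b = member_digests(packaged), member_digests(upstream)
    return {
        "archive_match": sha256(packaged) == sha256(upstream),
        "payload_match": sha256(gzip.decompress(packaged))
        == sha256(gzip.decompress(upstream)),
        "changed_files": sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n)),
    }

# Constructed inputs: same content with two gzip timestamps, then a changed file.
SAMPLE = {"whatweb": b"#!/usr/bin/env ruby\n", "plugins/example.rb": b"# plugin\n"}
SAME_A = make_tgz(SAMPLE, gzip_mtime=1341705600)
SAME_B = make_tgz(SAMPLE, gzip_mtime=1346112000)
DRIFTED = make_tgz({**SAMPLE, "plugins/example.rb": b"# plugin v2\n"}, 1346112000)

if __name__ == "__main__":
    print(compare_sources(SAME_A, SAME_B))   # wrapper differs, content identical
    print(compare_sources(SAME_A, DRIFTED))  # content differs, file is named
```

The mismatch recorded in comment 20 is the second kind: rpmlint reports different file sizes and the review notes that `diff -r` also finds differences, so the packaged snapshot and the upstream tarball differed in content, not only in the gzip header.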
