Bug 596449 - Review Request: NetworkManager-openswan - NetworkManager VPN plugin for Openswan (IPsec)
Summary: Review Request: NetworkManager-openswan - NetworkManager VPN plugin for Opens...
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Chen Lei
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-05-26 18:53 UTC by Avesh Agarwal
Modified: 2018-04-11 13:54 UTC (History)
10 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2010-07-26 17:08:13 UTC
Type: ---
Embargoed:
supercyper1: fedora-review+
kevin: fedora-cvs+


Attachments (Terms of Use)
NetworkManager-openswan spec file (2.80 KB, text/plain)
2010-05-26 18:54 UTC, Avesh Agarwal
no flags Details
NetworkManager-openswan srpm (418.27 KB, application/x-rpm)
2010-05-26 18:54 UTC, Avesh Agarwal
no flags Details
NetworkManager-openswan srpm (414.88 KB, application/x-gzip)
2010-05-26 20:20 UTC, Avesh Agarwal
no flags Details

Description Avesh Agarwal 2010-05-26 18:53:15 UTC
Spec URL: <spec info here>
SRPM URL: <srpm info here>
Description:

I have created a NetworkManager-openswan package, and I would appreciate a review so that I can get into Fedora Extras!

This package is a plugin to Network Manager for configuring VPN connections using Openswan (an IPsec open source).

Comment 1 Avesh Agarwal 2010-05-26 18:54:23 UTC
Created attachment 416977 [details]
NetworkManager-openswan spec file

Comment 2 Avesh Agarwal 2010-05-26 18:54:53 UTC
Created attachment 416978 [details]
NetworkManager-openswan srpm

Comment 3 Bill Nottingham 2010-05-26 19:28:54 UTC
Some non-packaging review points:

- NM-vpnc describes itself in the UI as for 'Cisco Compatible VPN'
- This describes itself in the UI as for 'IPSec based VPNs (Openswan)'

1) this should use 'VPNs' instead of 'VPN'
2) I don't know that '(Openswan)' is a useful detail to show the user

Also, it appears that this only supports Cisco-style xauth+ike VPNs. As I understand it, Openswan supports a variety of auth mechanisms (certificates, etc.) that this isn't exposing.

Comment 4 Avesh Agarwal 2010-05-26 19:45:30 UTC
(In reply to comment #3)
> Some non-packaging review points:
> 
> - NM-vpnc describes itself in the UI as for 'Cisco Compatible VPN'
> - This describes itself in the UI as for 'IPSec based VPNs (Openswan)'
> 
> 1) this should use 'VPNs' instead of 'VPN'
NetworkManager-openswan has "VPNs". Not sure if i understood you correctly. 

> 2) I don't know that '(Openswan)' is a useful detail to show the user
> 
Showing Openswan is necessary, because it is only specific to Openswan. So users should be able to know that this plugin only works with Openswan.

> Also, it appears that this only supports Cisco-style xauth+ike VPNs. As I
> understand it, Openswan supports a variety of auth mechanisms (certificates,
> etc.) that this isn't exposing.    

You are right. I am exposing only XAUTH and PSK based VPNs right now mainly like "road-warrior connections". But that does not mean that it not only works with Cisco VPN servers. It can also work other vpn servers that supports XAUTH+PSK. By doing this would help a lot to get feedback from various users who mostly use it with Cisco VPN servers. As I have NetworkManager-openswan helper in place now, adding other features would mainly require GUI changes only, and some minor changes in the helper.

Comment 5 Bill Nottingham 2010-05-26 20:03:28 UTC
(In reply to comment #4)

> > - NM-vpnc describes itself in the UI as for 'Cisco Compatible VPN'
> > - This describes itself in the UI as for 'IPSec based VPNs (Openswan)'
> > 
> > 1) this should use 'VPNs' instead of 'VPN'
> NetworkManager-openswan has "VPNs". Not sure if i understood you correctly. 

It should be changed to 'VPN' to be consistent.

> > 2) I don't know that '(Openswan)' is a useful detail to show the user
> > 
> Showing Openswan is necessary, because it is only specific to Openswan. So
> users should be able to know that this plugin only works with Openswan.

No, the plugin will talk to any IPSEC gateway that implements the same xauth/PSK authentication. If you mean it only works with openswan as a backend for this NM vpn plugin, that should be expressed just with RPM dependencies, not with a UI string - the user shouldn't have to care that openswan is being used under the hood.

Comment 6 Avesh Agarwal 2010-05-26 20:19:51 UTC
(In reply to comment #5)
> (In reply to comment #4)
> 
> > > - NM-vpnc describes itself in the UI as for 'Cisco Compatible VPN'
> > > - This describes itself in the UI as for 'IPSec based VPNs (Openswan)'
> > > 
> > > 1) this should use 'VPNs' instead of 'VPN'
> > NetworkManager-openswan has "VPNs". Not sure if i understood you correctly. 
> 
> It should be changed to 'VPN' to be consistent.

Ok. changed.

> 
> > > 2) I don't know that '(Openswan)' is a useful detail to show the user
> > > 
> > Showing Openswan is necessary, because it is only specific to Openswan. So
> > users should be able to know that this plugin only works with Openswan.
> 
> No, the plugin will talk to any IPSEC gateway that implements the same
> xauth/PSK authentication. If you mean it only works with openswan as a backend
> for this NM vpn plugin, that should be expressed just with RPM dependencies,
> not with a UI string - the user shouldn't have to care that openswan is being
> used under the hood.    

ok, changed.

Thanks.
Avesh

Comment 7 Avesh Agarwal 2010-05-26 20:20:42 UTC
Created attachment 417020 [details]
NetworkManager-openswan srpm

Comment 8 Chen Lei 2010-05-27 03:56:06 UTC
Why not to upload SPEC and SRPM to some pulic space?

e.g. fedorapeople dropbox

See https://fedoraproject.org/wiki/Infrastructure/fedorapeople.org

Comment 9 Chen Lei 2010-05-27 04:04:40 UTC
It'll be better to change %define snapshot .git20100411 to %define snapshot .20100411git or .%{gitdate}git%{githash}.

The naming style for the NetworkManger seems a little different compared to other packages in fedora.

See http://fedoraproject.org/wiki/PackageNamingGuidelines#Pre-Release_packages

Comment 10 Tomas Mraz 2010-05-27 06:36:12 UTC
You've attached tar.gz instead of src.rpm.
Please put the updated .src.rpm to the fedorapeople web server as suggested by Chen Lei above.

Note that you cannot comment out %define like you do:
#%define snapshot .git20100411
Macros are expanded in comments in .spec. You have to remove the %. Not that it matters much.

Also please add the COPYING file as %doc in %files.

Comment 11 Avesh Agarwal 2010-05-27 14:33:29 UTC
Hello Chen, and Tomas,

Thanks for comments:

Here is the public link for the files:

http://people.redhat.com/avagarwa/files/NetworkManager-openswan/

Comment 12 Avesh Agarwal 2010-05-27 14:34:52 UTC
(In reply to comment #9)
> It'll be better to change %define snapshot .git20100411 to %define snapshot
> .20100411git or .%{gitdate}git%{githash}.
> 
> The naming style for the NetworkManger seems a little different compared to
> other packages in fedora.
> 
> See http://fedoraproject.org/wiki/PackageNamingGuidelines#Pre-Release_packages


The naming style for NetworkManager-openswan, I have taken, is based on NetworkManager-vpnc and NetworkManager-openvpn , so that this new package is consistent with them.

Comment 13 Avesh Agarwal 2010-05-27 14:36:30 UTC
(In reply to comment #10)
> You've attached tar.gz instead of src.rpm.
> Please put the updated .src.rpm to the fedorapeople web server as suggested by
> Chen Lei above.

Done: 

http://people.redhat.com/avagarwa/files/NetworkManager-openswan/

> 
> Note that you cannot comment out %define like you do:
> #%define snapshot .git20100411

> Macros are expanded in comments in .spec. You have to remove the %. Not that it
> matters much.

Instead commenting it, I have included it to make it consistent with other packages like NetworkManager-vpnc and NetworkManager-openvpn .
 

> 
> Also please add the COPYING file as %doc in %files.    
Done.

Comment 14 Chen Lei 2010-05-27 15:00:11 UTC
Some comment:
1.
Source:    %{name}-%{realversion}.tar.gz
Should add some comments about how to genrate the tarball
See http://fedoraproject.org/wiki/Packaging:SourceURL#Using_Revision_Control

2.Epoch:     1

Remove it from spec, when possible packager should avoid of using epoch.


3.
BuildRoot: %{_tmppath}/%{name}-%{version}-root
Only needed for epel5

4.
%post
/sbin/ldconfig

%postun
/sbin/ldconfig

It's a plugin, I don't think ldconfig is necesscery

5.
%define nm_version          1:0.7.997-1
%define dbus_version        1.1
%define gtk2_version        2.10.0
%define shared_mime_version 0.16-3

Those lines are useless, all branches in fedora match those versions.


6.%{_datadir}/icons/hicolor/48x48/apps/gnome-mime-application-x-openswan-ipsec-vpn-settings.png

Is this file useful for openswan?


7.
%files -f %{name}.lang
%defattr(-, root, root)
->
%files -f %{name}.lang
%defattr(-, root, root,-)


8.
Requires: gtk2             >= %{gtk2_version}
Requires: dbus             >= %{dbus_version}
Requires: shared-mime-info >= %{shared_mime_version}
Requires: GConf2
Those dependicies may not need, please reconsider it, normally rpmbuild will pull in shlib depenpencies automatically.

Comment 15 Avesh Agarwal 2010-05-27 17:43:18 UTC
(In reply to comment #14)
> Some comment:
> 1.
> Source:    %{name}-%{realversion}.tar.gz
> Should add some comments about how to genrate the tarball
> See http://fedoraproject.org/wiki/Packaging:SourceURL#Using_Revision_Control
> 
Done.

> 2.Epoch:     1
> 
> Remove it from spec, when possible packager should avoid of using epoch.
> 
Done.


> 
> 3.
> BuildRoot: %{_tmppath}/%{name}-%{version}-root
> Only needed for epel5
> 

Did not change as this package may be built for epel5 too. However, I have modified it to have as per fedora packaging guidelines:

%(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)

> 4.
> %post
> /sbin/ldconfig
> 
> %postun
> /sbin/ldconfig
> 
> It's a plugin, I don't think ldconfig is necesscery
> 
Done.
> 5.
> %define nm_version          1:0.7.997-1
> %define dbus_version        1.1
> %define gtk2_version        2.10.0
> %define shared_mime_version 0.16-3
> 
> Those lines are useless, all branches in fedora match those versions.
> 
> 
Done.

> 6.%{_datadir}/icons/hicolor/48x48/apps/gnome-mime-application-x-openswan-ipsec-vpn-settings.png
> 
> Is this file useful for openswan?

Done.
> 
> 
> 7.
> %files -f %{name}.lang
> %defattr(-, root, root)
> ->
> %files -f %{name}.lang
> %defattr(-, root, root,-)
>
Done. 
> 
> 8.
> Requires: gtk2             >= %{gtk2_version}
> Requires: dbus             >= %{dbus_version}
> Requires: shared-mime-info >= %{shared_mime_version}
> Requires: GConf2
> Those dependicies may not need, please reconsider it, normally rpmbuild will
> pull in shlib depenpencies automatically.    
Done.

In addition, added requires for openswan, and also made a few other changes. Current versions are avilable at

http://people.redhat.com/avagarwa/files/NetworkManager-openswan/

Thanks for your detailed comments.
Avesh

Comment 16 Tomas Mraz 2010-05-27 18:37:10 UTC
Chen Lei, will you do the formal review?

Comment 17 Chen Lei 2010-05-29 04:37:32 UTC
(In reply to comment #16)
> Chen Lei, will you do the formal review?    

I plan to do so :)

Is there anyone to help me to check whether the shared-mime-info dependency is needed for NM plugins? I don't understand  why all NM plugins require shared-mime-info. If all NM plugins requires mime info why not to add it to NM instead of plugins?


Some more suggestions:
It'll better to add --disable-static to %configure, thus rm -f %{buildroot}%{_libdir}/NetworkManager/lib*.a is not needed in spec.

From http://cvs.fedoraproject.org/viewvc/rpms/NetworkManager-pptp/devel/NetworkManager-pptp.spec?revision=1.22&view=co

I found that desktop file and icons are commended out in spec, %post and %postun seems unnecessary.

Comment 18 Chen Lei 2010-05-31 04:02:02 UTC
I can confirm the share-mime-info is useless now, all NM plugins in rawhide don't include desktop files now.

Comment 19 Avesh Agarwal 2010-06-01 20:14:31 UTC
(In reply to comment #17)
> (In reply to comment #16)
> > Chen Lei, will you do the formal review?    
> 
> I plan to do so :)
> 
> Is there anyone to help me to check whether the shared-mime-info dependency is
> needed for NM plugins? I don't understand  why all NM plugins require
> shared-mime-info. If all NM plugins requires mime info why not to add it to NM
> instead of plugins?
> 
> 
> Some more suggestions:
> It'll better to add --disable-static to %configure, thus rm -f
> %{buildroot}%{_libdir}/NetworkManager/lib*.a is not needed in spec.
> 
> From
> http://cvs.fedoraproject.org/viewvc/rpms/NetworkManager-pptp/devel/NetworkManager-pptp.spec?revision=1.22&view=co
> 
> I found that desktop file and icons are commended out in spec, %post and
> %postun seems unnecessary.    

Thanks for your comments. They have been incorporated.

Comment 20 Chen Lei 2010-06-04 16:40:50 UTC
Rpm building fails on koji. I think you should remove the icon file, because you don't include a desktop file in rpm, also other NM plugins already remove icons and desktop files recently.

error: Installed (but unpackaged) file(s) found:
   /usr/share/icons/hicolor/48x48/apps/gnome-mime-application-x-openswan-ipsec-vpn-settings.png



formal review here:
+:ok, =:needs attention, -:needs fixing

MUST Items:
[-] MUST: rpmlint must be run on every package.
rpmlint NetworkManager-openswan.spec 
NetworkManager-openswan.spec:31: W: mixed-use-of-spaces-and-tabs (spaces: line 7, tab: line 31)

rpmlint NetworkManager-openswan-*rpm
NetworkManager-openswan.x86_64: I: enchant-dictionary-not-found en_US
NetworkManager-openswan.x86_64: W: incoherent-version-in-changelog 0.8.0-1 ['0.8.0-1.git20100411.fc14', '0.8.0-1.git20100411']
NetworkManager-openswan.x86_64: W: non-conffile-in-etc /etc/NetworkManager/VPN/nm-openswan-service.name
NetworkManager-openswan.x86_64: W: non-conffile-in-etc /etc/dbus-1/system.d/nm-openswan-service.conf

[-] MUST: The package must be named according to the Package Naming Guidelines.
[+] MUST: The spec file name must match the base package %{name}
[+] MUST: The package must meet the Packaging Guidelines. [FIXME?: covers this list and more]
[+] MUST: The package must be licensed with a Fedora approved license and meet the Licensing Guidelines.
[+] MUST: The License field in the package spec file must match the actual license.
[+] MUST: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package must be included in %doc.
[+] MUST: The spec file must be written in American English.
[+] MUST: The spec file for the package MUST be legible.
[+] MUST: The sources used to build the package must match the upstream source, as provided in the spec URL.
<<md5sum checksum>>065b8f38d89e7bc40bfe0d15a9e7f8ba
[+] MUST: The package must successfully compile and build into binary rpms on at least one supported architecture.
[=] MUST: All build dependencies must be listed in BuildRequires
[+] MUST: The spec file MUST handle locales properly. This is done by using the %find_lang macro.
[+] MUST: Every binary RPM package which stores shared library files (not just symlinks) in any of the dynamic linker's default paths, must call ldconfig in %post and %postun.
[+] MUST: A package must own all directories that it creates. If it does not create a directory that it uses, then it should require a package which does create that directory.
[+] MUST: A package must not contain any duplicate files in the %files listing.
[+] MUST: Permissions on files must be set properly. Executables should be set with executable permissions, for example. Every %files section must include a %defattr(...) line.
[+] MUST: Each package must have a %clean section, which contains rm -rf %{buildroot} (or $RPM_BUILD_ROOT).
[+] MUST: Each package must consistently use macros, as described in the macros section of Packaging Guidelines.
[+] MUST: The package must contain code, or permissible content. This is described in detail in the code vs. content section of Packaging Guidelines.
[+] MUST: If a package includes something as %doc, it must not affect the runtime of the application.
[+] MUST: Packages must NOT contain any .la libtool archives, these should be removed in the spec.
[+] MUST: Packages containing GUI applications must include a %{name}.desktop file, and that file must be properly installed with desktop-file-install in the %install section.
[+] MUST: Packages must not own files or directories already owned by other packages.
[+] MUST: All filenames in rpm packages must be valid UTF-8.

SHOULD Items:
[+] SHOULD: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it.
[=] SHOULD: The description and summary sections in the package spec file should contain translations for supported Non-English languages, if available.
[+] SHOULD: The reviewer should test that the package builds in mock.
[+] SHOULD: The package should compile and build into binary rpms on all supported architectures.
[+] SHOULD: The reviewer should test that the package functions as described.
[+] SHOULD: If scriptlets are used, those scriptlets must be sane.
[+] SHOULD: If the package has file dependencies outside of /etc, /bin, /sbin, /usr/bin, or /usr/sbin consider requiring the package which provides the file instead of the file itself.

Issues:

1. Most of the rpmlist warnings are harmless.
You should fix 
NetworkManager-openswan.spec:31: W: mixed-use-of-spaces-and-tabs (spaces: line 7, tab: line 31)

NetworkManager-openswan.x86_64: W: incoherent-version-in-changelog 0.8.0-1 ['0.8.0-1.git20100411.fc14', '0.8.0-1.git20100411']


2.According to naming guideline %define snapshot .git20100411 should be %define snapshot .20100411git, I found that the whole NM package stack are agaist naming guideline
See http://fedoraproject.org/wiki/PackageNamingGuidelines#Snapshot_packages
3.
BuildRequires: dbus-devel
BuildRequires: NetworkManager-devel

Those line can be commented out just for a reference, NetworkManager-glib-devel already requires them.

See http://koji.fedoraproject.org/koji/rpminfo?rpmID=1970296

Comment 21 Avesh Agarwal 2010-06-09 20:01:24 UTC
(In reply to comment #20)
> Rpm building fails on koji. I think you should remove the icon file, because
> you don't include a desktop file in rpm, also other NM plugins already remove
> icons and desktop files recently.
> 
> error: Installed (but unpackaged) file(s) found:
>   
> /usr/share/icons/hicolor/48x48/apps/gnome-mime-application-x-openswan-ipsec-vpn-settings.png
> 

Fixed.

> 
> 
> formal review here:
> +:ok, =:needs attention, -:needs fixing
> 
> MUST Items:
> [-] MUST: rpmlint must be run on every package.
> rpmlint NetworkManager-openswan.spec 
> NetworkManager-openswan.spec:31: W: mixed-use-of-spaces-and-tabs (spaces: line
> 7, tab: line 31)
> 
> rpmlint NetworkManager-openswan-*rpm
> NetworkManager-openswan.x86_64: I: enchant-dictionary-not-found en_US
> NetworkManager-openswan.x86_64: W: incoherent-version-in-changelog 0.8.0-1
> ['0.8.0-1.git20100411.fc14', '0.8.0-1.git20100411']
> NetworkManager-openswan.x86_64: W: non-conffile-in-etc
> /etc/NetworkManager/VPN/nm-openswan-service.name
> NetworkManager-openswan.x86_64: W: non-conffile-in-etc
> /etc/dbus-1/system.d/nm-openswan-service.conf
> 

Fixed all rpmlint errors.

> [-] MUST: The package must be named according to the Package Naming Guidelines.

Fixed.

> Issues:
> 
> 1. Most of the rpmlist warnings are harmless.
> You should fix 
> NetworkManager-openswan.spec:31: W: mixed-use-of-spaces-and-tabs (spaces: line
> 7, tab: line 31)
> 
> NetworkManager-openswan.x86_64: W: incoherent-version-in-changelog 0.8.0-1
> ['0.8.0-1.git20100411.fc14', '0.8.0-1.git20100411']
> 

Fixed.

> 
> 2.According to naming guideline %define snapshot .git20100411 should be %define
> snapshot .20100411git, I found that the whole NM package stack are agaist
> naming guideline
> See http://fedoraproject.org/wiki/PackageNamingGuidelines#Snapshot_packages

Fixed.


> 3.
> BuildRequires: dbus-devel
> BuildRequires: NetworkManager-devel
> 

Fixed.

> Those line can be commented out just for a reference, NetworkManager-glib-devel
> already requires them.
> 
> See http://koji.fedoraproject.org/koji/rpminfo?rpmID=1970296    

The latest modified versions are available at 
http://people.redhat.com/~avagarwa/files/NetworkManager-openswan/

Comment 22 Avesh Agarwal 2010-06-09 20:03:35 UTC
When I fixed the rpmlint error "non-conffile-in-etc", by putting %config section, rpmlint started showing the error "conffile-without-noreplace-flag", so I had to put %config(noreplace) .

Comment 23 Chen Lei 2010-06-11 12:29:28 UTC
(In reply to comment #22)
> When I fixed the rpmlint error "non-conffile-in-etc", by putting %config
> section, rpmlint started showing the error "conffile-without-noreplace-flag",
> so I had to put %config(noreplace) .    

From fedora guideline
"Use your common sense and do not follow rpmlint warnings blindly"

Many rpmlint warnings or errors are harmless or even wrong, e.g. "spelling error".


The package is approved, but you still need to remove %config(noreplace) from %file. I think those config files should be overrided every time when updating this package.

Comment 24 Avesh Agarwal 2010-06-11 16:05:26 UTC

> The package is approved, but you still need to remove %config(noreplace) from
> %file. I think those config files should be overrided every time when updating
> this package.    

fixed, and package updated. Thanks for the review.

Comment 25 Avesh Agarwal 2010-06-11 19:37:19 UTC
New Package CVS Request
=======================
Package Name: NetworkManager-openswan
Short Description: This package contains software for integrating the openswan VPN software with NetworkManager and the GNOME desktop
Owners: avesh
Branches: F-12 F-13
InitialCC: avesh

Comment 26 Kevin Fenzi 2010-06-14 04:44:07 UTC
CVS done (by process-cvs-requests.py).


Note You need to log in before you can comment on or make changes to this bug.