Spec URL: http://labs.linuxnetz.de/bugzilla/x509watch.spec
SRPM URL: http://labs.linuxnetz.de/bugzilla/x509watch-0.1.0-1.src.rpm

Description:
x509watch is a simple command line application, written in Perl, that can be used to list soon expiring or already expired X.509 certificates, such as SSL certificates. All certificates are searched by default in the standard PKI directory, but any other directory can be specified as parameter. Only Base64 encoded DER and PEM X.509 certificates are supported.
It seems there is something wrong, some old certificates that I have around are not identified. For instance:

[root@mail ~]# openssl x509 -in /etc/postfix/oldcert/postfix.pem -noout -enddate -startdate
notAfter=Nov 7 07:57:15 2009 GMT
notBefore=May 26 07:57:15 2008 GMT
It gets ignored, because there's "old" in the path name.
It does not work even if I copy the certificate to /root or /tmp.
Ignore comment #2. Your "/etc/postfix/oldcert/postfix.pem" isn't the standard PKI directory, which is always "/etc/pki". But maybe a "x509watch --directory /etc/pki --directory /etc/postfix" is what you would like to use instead. As an alternative you might want to use "x509watch --directory /etc".
Package Review
==============

Key:
- = N/A
x = Check
! = Problem
? = Not evaluated

=== REQUIRED ITEMS ===
[x] Package is named according to the Package Naming Guidelines.
[x] Spec file name must match the base package %{name}, in the format %{name}.spec.
[x] Package meets the Packaging Guidelines.
[x] Package successfully compiles and builds into binary rpms on at least one supported architecture.
    Tested on: i386
[x] Rpmlint output:
    source RPM: empty
    binary RPM:
    x509watch.noarch: E: executable-marked-as-config-file /etc/cron.daily/x509watch
    Executables must not be marked as config files because that may prevent upgrades from working correctly. If you need to be able to customize an executable, make it for example read a config file in /etc/sysconfig.
    => See issue 1 below
[x] Package is not relocatable.
[x] Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines.
[x] License field in the package spec file matches the actual license.
    License type: GPLv2+
[x] If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %doc.
[x] Spec file is legible and written in American English.
[x] Sources used to build the package match the upstream source, as provided in the spec URL.
    SHA1SUM of source file: f74f4804aab7470d6a451d47438c54d839e926e0  x509watch-0.1.0.tar.gz
    See also issue 2 below
[x] Package is not known to require ExcludeArch
[x] All build dependencies are listed in BuildRequires, except for any that are listed in the exceptions section of Packaging Guidelines.
[-] The spec file handles locales properly.
[-] ldconfig called in %post and %postun if required.
[x] Package must own all directories that it creates.
[x] Package requires other packages for directories it uses.
[x] Package does not contain duplicates in %files.
[x] Permissions on files are set properly.
[x] Package consistently uses macros.
[x] Package contains code, or permissible content.
[-] Large documentation files are in a -doc subpackage, if required.
[x] Package uses nothing in %doc for runtime.
[-] Header files in -devel subpackage, if present.
[-] Static libraries in -devel subpackage, if present.
[-] Package requires pkgconfig, if .pc files are present.
[-] Development .so files in -devel subpackage, if present.
[-] Fully versioned dependency in subpackages, if present.
[x] Package does not contain any libtool archives (.la).
[-] Package contains a properly installed %{name}.desktop file if it is a GUI application.
[x] Package does not own files or directories owned by other packages.
[x] Final provides and requires are sane.

=== SUGGESTED ITEMS ===
[x] Latest version is packaged.
[x] Package does not include license text files separate from upstream.
[-] Description and summary sections in the package spec file contain translations for supported Non-English languages, if available.
[x] Reviewer should test that the package builds in mock.
    Tested on: koji scratch build for EL-4
[x] Package should compile and build into binary rpms on all supported architectures.
    Tested on: koji scratch build for EL-4
[!] Package functions as described.
    See issue 3 below
[x] Scriptlets must be sane, if used.
[-] The placement of pkgconfig(.pc) files is correct.
[-] File based requires are sane.
[x] %check is present and the test passes.

=== OPTIONAL ITEMS ===
[x] Buildroot is correct (%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n))
[x] Package has a %clean section, which contains rm -rf %{buildroot} (or $RPM_BUILD_ROOT).

=== Issues ===
1. Using " %config(noreplace) %{_sysconfdir}/cron.daily/%{name} " is a bit odd and identified as an error by rpmlint. Can you please explain the reason to mark this script as config file?

2. The site requires registration in order to download files. That's beyond optimal as it breaks automatic testing. Please consider switching to another hosting site (such as sourceforge for instance) if you cannot ensure proper / normal access.

3. In Centos 4 the option "-L" passed to "find" is not recognised AND there is no error triggered. Removing this option makes the program behave normally. I suggest to improve error processing and, more important, to stop using the find tool and use the perl File::Find (http://search.cpan.org/~lbrocard/perl5.005_04/lib/File/Find.pm) module instead. Your approach is prone to very simple attacks. As you can see below, your perl command

   open(CERTS, "find -L $directory -name '*.pem' -o -name '*.crt' 2> /dev/null |");

   is translated into:

   execve("/bin/sh", ["sh", "-c", "find -L /etc/pki -name '*.pem' -"...], [/* 57 vars */] <unfinished ...>

   which is quite simple to abuse, given that it relies on the first "find" that is found in $PATH. The same problem is valid for the openssl invocation, too. I strongly suggest to use a proper perl module for that.

==== Final notes ====
Packaging wise, except for issue 1 above the rest is OK. But I cannot approve this application unless my security concerns are addressed.
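The hardening asked for in issue 3, as an added example that is not x509watch's own code: certificate files are enumerated with File::Find (follow => 1 stands in for "find -L", so the CentOS 4 find incompatibility disappears too), and openssl is started through the list form of open, which calls execve() directly with each argument passed verbatim, so neither /bin/sh nor the first "openssl" in $PATH is involved and a file name containing quotes, spaces or ";" cannot change the command. The absolute path /usr/bin/openssl, the 30-day window, the default directory /etc/pki and all function names are assumptions of this example; it takes the directories to scan from the command line.

```perl
#!/usr/bin/perl
# Added example, not x509watch's code: shell-free certificate expiry scan.
use strict;
use warnings;
use File::Find ();
use Time::Local qw(timegm);
use POSIX qw(floor);

# Assumption: absolute path, so the binary does not depend on $PATH.
my $OPENSSL = '/usr/bin/openssl';

my %MON = (Jan => 0, Feb => 1, Mar => 2, Apr => 3, May => 4,  Jun => 5,
           Jul => 6, Aug => 7, Sep => 8, Oct => 9, Nov => 10, Dec => 11);

# Return a sorted list of *.pem / *.crt files below the given directories.
# follow => 1 descends through symlinks like "find -L"; follow_skip => 2
# ignores files or directories reached twice instead of dying on them.
sub find_certs {
    my @dirs = grep { -d $_ } @_;
    return () unless @dirs;
    my @found;
    File::Find::find(
        {
            wanted => sub {
                push @found, $File::Find::name if -f $_ && /\.(?:pem|crt)\z/i;
            },
            follow      => 1,
            follow_skip => 2,
            no_chdir    => 1,    # $_ is the full path, no chdir() side effects
        },
        @dirs,
    );
    return sort @found;
}

# Ask openssl for the "notAfter=" line without going through a shell.
# The list form of open() forks and exec()s $OPENSSL with these exact
# arguments; nothing in $file is interpreted. Returns undef if openssl
# fails (e.g. the file is not a certificate).
sub cert_not_after {
    my ($file) = @_;
    open(my $fh, '-|', $OPENSSL, 'x509', '-in', $file, '-noout', '-enddate')
        or return undef;
    my $line = <$fh>;
    close $fh;    # sets $? to openssl's exit status
    return undef unless defined $line && $? == 0;
    chomp $line;
    return $line;    # e.g. "notAfter=Nov  7 07:57:15 2009 GMT"
}

# Convert "notAfter=Nov  7 07:57:15 2009 GMT" to epoch seconds (UTC).
sub parse_not_after {
    my ($line) = @_;
    return undef unless defined $line;
    my ($mon, $day, $h, $m, $s, $year) = $line =~
        /^notAfter=([A-Z][a-z]{2})\s+(\d{1,2}) (\d\d):(\d\d):(\d\d) (\d{4}) GMT$/
        or return undef;
    return undef unless exists $MON{$mon};
    return timegm($s, $m, $h, $day, $MON{$mon}, $year);
}

# List [file, days_left] for certificates expiring within $days days;
# days_left is negative for certificates that have already expired.
sub expiring_certs {
    my ($days, @dirs) = @_;
    my $now = time;
    my @report;
    for my $file (find_certs(@dirs)) {
        my $exp = parse_not_after(cert_not_after($file));
        next unless defined $exp;    # not a parseable X.509 certificate
        my $left = floor(($exp - $now) / 86400);
        push @report, [$file, $left] if $left <= $days;
    }
    return @report;
}

unless (caller) {
    my @dirs = @ARGV ? @ARGV : ('/etc/pki');    # assumed default
    for my $r (expiring_certs(30, @dirs)) {
        my ($file, $left) = @$r;
        printf "%s: %s\n", $file,
            $left < 0 ? sprintf('expired %d days ago', -$left)
                      : sprintf('expires in %d days', $left);
    }
}
```

openssl's own diagnostics for non-certificate files still go to the inherited stderr; if they need to be captured or silenced without a shell redirection, IPC::Open3 (which the next release is announced to use) gives separate handles for stdout and stderr while keeping the same argument-list invocation.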
- Point #1 is of course a mistake. Will fix this with the next SPEC/SRPM.
- Point #2 is not optimal, but according to Fedora Legal not a blocker; we've had this situation already at another package in the past.
- Point #3 is getting solved in the next release using perl's File::Find, IPC::Open3 and Fcntl. Besides that, I'm going to call /usr/bin/openssl per default, but this can be overwritten if needed using a parameter. Will likely push new release today or tomorrow and afterwards new SPEC/SRPM.
Spec URL: http://labs.linuxnetz.de/bugzilla/x509watch.spec
SRPM URL: http://labs.linuxnetz.de/bugzilla/x509watch-0.2.0-1.src.rpm
Re-review:
New sha1sum: 7ce87e8f735a6ceced6a537d50f4faa6f710c4d8  x509watch

[wolfy@wolfy tmp]$ rpmlint x509watch*rpm
2 packages and 0 specfiles checked; 0 errors, 0 warnings.

No new problems spotted + previous issues solved.

===== APPROVED =====
Manuel, thank you very much for the review.

New Package CVS Request
=======================
Package Name: x509watch
Short Description: Simple tool to list expiring or expired X.509 certificates
Owners: robert
Branches: EL-4 EL-5 EL-6 F-12 F-13
InitialCC:
GIT done (by process-cvs-requests.py), with f14 branch added.
x509watch-0.2.0-1.fc14 has been submitted as an update for Fedora 14. http://admin.fedoraproject.org/updates/x509watch-0.2.0-1.fc14
x509watch-0.2.0-1.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/x509watch-0.2.0-1.fc13
x509watch-0.2.0-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/x509watch-0.2.0-1.fc12
x509watch-0.2.0-1.el4 has been submitted as an update for Fedora EPEL 4. http://admin.fedoraproject.org/updates/x509watch-0.2.0-1.el4
x509watch-0.2.0-1.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/x509watch-0.2.0-1.el5
x509watch-0.2.0-1.el4 Tag: dist-4E-epel-testing-candidate Status: complete
x509watch-0.2.0-1.el5 Tag: dist-5E-epel-testing-candidate Status: complete
x509watch-0.2.0-1.el6 Tag: dist-6E-epel Status: complete
x509watch-0.2.0-1.fc12 Tag: dist-f12-updates-candidate Status: complete
x509watch-0.2.0-1.fc13 Tag: dist-f13-updates-candidate Status: complete
x509watch-0.2.0-1.fc14 Tag: dist-f14-updates-candidate Status: complete
x509watch-0.2.0-1.fc15 Tag: dist-f15 Status: complete
x509watch-0.2.0-1.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
x509watch-0.2.0-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
x509watch-0.2.0-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
x509watch-0.3.0-1.el4 has been submitted as an update for Fedora EPEL 4. http://admin.fedoraproject.org/updates/x509watch-0.3.0-1.el4
x509watch-0.3.0-1.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/x509watch-0.3.0-1.el5
x509watch-0.3.0-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
x509watch-0.3.0-1.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.