Bug 618059 - Review Request: x509watch - Simple tool to list expiring or expired X.509 certificates
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All Linux
Target Milestone: ---
Assignee: manuel wolfshant
QA Contact: Fedora Extras Quality Assurance
Reported: 2010-07-25 22:28 UTC by Robert Scheck
Modified: 2010-08-19 21:58 UTC

Fixed In Version: x509watch-0.3.0-1.el4
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-07-30 21:43:40 UTC
wolfy: fedora-review+
kevin: fedora-cvs+


Description Robert Scheck 2010-07-25 22:28:29 UTC
Spec URL: http://labs.linuxnetz.de/bugzilla/x509watch.spec
SRPM URL: http://labs.linuxnetz.de/bugzilla/x509watch-0.1.0-1.src.rpm
x509watch is a simple command line application, written in Perl, that can be
used to list soon expiring or already expired X.509 certificates, such as
SSL certificates. All certificates are searched by default in the standard PKI
directory, but any other directory can be specified as a parameter. Only Base64
encoded DER and PEM X.509 certificates are supported.

Comment 1 manuel wolfshant 2010-07-26 07:31:09 UTC
It seems there is something wrong: some old certificates that I have around are not identified. For instance:

[root@mail ~]# openssl x509 -in /etc/postfix/oldcert/postfix.pem  -noout -enddate -startdate
notAfter=Nov  7 07:57:15 2009 GMT
notBefore=May 26 07:57:15 2008 GMT

Comment 2 Robert Scheck 2010-07-26 08:09:55 UTC
It gets ignored, because there's "old" in the path name.

Comment 3 manuel wolfshant 2010-07-26 08:15:41 UTC
It does not work even if I copy the certificate to /root or /tmp.

Comment 4 Robert Scheck 2010-07-26 08:18:48 UTC
Ignore comment #2. Your "/etc/postfix/oldcert/postfix.pem" isn't in the standard
PKI directory, which is always "/etc/pki". But maybe "x509watch --directory
/etc/pki --directory /etc/postfix" is what you would like to use instead. As an
alternative you might want to use "x509watch --directory /etc".

Comment 5 manuel wolfshant 2010-07-26 10:05:30 UTC
Package Review

 - = N/A
 x = Check
 ! = Problem
 ? = Not evaluated

 [x] Package is named according to the Package Naming Guidelines.
 [x] Spec file name must match the base package %{name}, in the format %{name}.spec.
 [x] Package meets the Packaging Guidelines.
 [x] Package successfully compiles and builds into binary rpms on at least one supported architecture.
     Tested on: i386
 [x] Rpmlint output:
source RPM: empty
binary RPM:
x509watch.noarch: E: executable-marked-as-config-file /etc/cron.daily/x509watch
Executables must not be marked as config files because that may prevent
upgrades from working correctly. If you need to be able to customize an
executable, make it for example read a config file in /etc/sysconfig.
=> See issue 1 below

 [x] Package is not relocatable.
 [x] Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines.
 [x] License field in the package spec file matches the actual license.
     License type: GPLv2+
 [x] If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %doc.
 [x] Spec file is legible and written in American English.
 [x] Sources used to build the package match the upstream source, as provided in the spec URL.
     SHA1SUM of source file: f74f4804aab7470d6a451d47438c54d839e926e0  x509watch-0.1.0.tar.gz
See also issue 2 below
 [x] Package is not known to require ExcludeArch
 [x] All build dependencies are listed in BuildRequires, except for any that are listed in the exceptions section of Packaging Guidelines.
 [-] The spec file handles locales properly.
 [-] ldconfig called in %post and %postun if required.
 [x] Package must own all directories that it creates.
 [x] Package requires other packages for directories it uses.
 [x] Package does not contain duplicates in %files.
 [x] Permissions on files are set properly.
 [x] Package consistently uses macros.
 [x] Package contains code, or permissible content.
 [-] Large documentation files are in a -doc subpackage, if required.
 [x] Package uses nothing in %doc for runtime.
 [-] Header files in -devel subpackage, if present.
 [-] Static libraries in -devel subpackage, if present.
 [-] Package requires pkgconfig, if .pc files are present.
 [-] Development .so files in -devel subpackage, if present.
 [-] Fully versioned dependency in subpackages, if present.
 [x] Package does not contain any libtool archives (.la).
 [-] Package contains a properly installed %{name}.desktop file if it is a GUI application.
 [x] Package does not own files or directories owned by other packages.
 [x] Final provides and requires are sane.

 [x] Latest version is packaged.
 [x] Package does not include license text files separate from upstream.
 [-] Description and summary sections in the package spec file contains translations for supported Non-English languages, if available.
 [x] Reviewer should test that the package builds in mock.
     Tested on: koji scratch build for EL-4
 [x] Package should compile and build into binary rpms on all supported architectures.
     Tested on: koji scratch build for EL-4
 [!] Package functions as described.
See issue 3 below
 [x] Scriptlets must be sane, if used.
 [-] The placement of pkgconfig(.pc) files is correct.
 [-] File based requires are sane.
 [x] %check is present and the test passes.

 [x] Buildroot is correct (%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n))
 [x] Package has a %clean section, which contains rm -rf %{buildroot} (or $RPM_BUILD_ROOT).

=== Issues ===
1. Using " %config(noreplace) %{_sysconfdir}/cron.daily/%{name} " is a bit odd and is identified as an error by rpmlint. Can you please explain the reason to mark this script as a config file?
2. The site requires registration in order to download files. That's beyond optimal, as it breaks automatic testing. Please consider switching to another hosting site (such as sourceforge, for instance) if you cannot ensure proper / normal access.
3. In CentOS 4 the option "-L" passed to "find" is not recognised AND there is no error triggered. Removing this option makes the program behave normally.
 I suggest improving error processing and, more importantly, stopping the use of the find tool and using the Perl File::Find ( http://search.cpan.org/~lbrocard/perl5.005_04/lib/File/Find.pm ) module instead. Your approach is prone to very simple attacks. As you can see below, your Perl command
  open(CERTS, "find -L $directory -name '*.pem' -o -name '*.crt' 2> /dev/null |");
is translated into:
 execve("/bin/sh", ["sh", "-c", "find -L /etc/pki -name '*.pem' -"...], [/* 57 vars */] <unfinished ...>
which is quite simple to abuse, given that it relies on the first "find" that is found in $PATH.

 The same problem is valid for the openssl invocation, too. I strongly suggest using a proper Perl module for that.

==== Final notes ====

Packaging-wise, except for issue 1 above, the rest is OK. But I cannot approve this application unless my security concerns are addressed.

Comment 6 Robert Scheck 2010-07-26 23:05:38 UTC
- Point #1 is of course a mistake. Will fix this with the next SPEC/SRPM.
- Point #2 is not optimal, but according to Fedora Legal not a blocker; we've
  had this situation already with another package in the past.
- Point #3 is getting solved in the next release using Perl's File::Find,
  IPC::Open3 and Fcntl. Besides that, I'm going to call /usr/bin/openssl
  by default, but this can be overwritten if needed using a parameter.

Will likely push a new release today or tomorrow and afterwards a new SPEC/SRPM.
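
As an added illustration of the fix discussed in comments 5 and 6 (example code written for this page, not the x509watch source), here is the same directory scan and openssl query done with File::Find and IPC::Open3 instead of a shell command string: nothing is passed through /bin/sh, "find" is not looked up in $PATH, and openssl is called by absolute path with an argv list. The function names, the $OPENSSL variable, the 30-day threshold and the use of "openssl x509 -checkend" are my own choices and are not taken from the project.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Find;
use IPC::Open3;
use Symbol 'gensym';

# Absolute path, so "openssl" is never resolved through $PATH (assumed location).
my $OPENSSL = '/usr/bin/openssl';

# Replacement for `find -L $directory -name '*.pem' -o -name '*.crt'`:
# File::Find walks the tree in-process, so no shell and no external find binary.
sub find_certs {
    my ($directory) = @_;
    my @certs;
    find({
        wanted      => sub { push @certs, $File::Find::name if -f $_ && /\.(pem|crt)\z/ },
        follow      => 1,   # like find -L: follow symlinks
        follow_skip => 2,   # skip duplicates rather than dying on a symlink loop
    }, $directory);
    return sort @certs;
}

# Run openssl with an argv list via IPC::Open3. The file name travels as one
# argument, so shell metacharacters in a path are never interpreted.
# Returns (exit status, stdout lines).
sub run_openssl {
    my @args = @_;
    my $err  = gensym;
    my $pid  = open3(my $in, my $out, $err, $OPENSSL, @args);
    close $in;
    my @lines = <$out>;
    my @diag  = <$err>;   # drain stderr; openssl's output is small, so no deadlock
    waitpid $pid, 0;
    chomp @lines;
    return ($? >> 8, @lines);
}

# "-checkend N" exits 1 if the certificate expires within N seconds (or already has), 0 otherwise.
sub check_cert {
    my ($file, $seconds) = @_;
    my ($status, @out) = run_openssl('x509', '-in', $file, '-noout', '-enddate', '-checkend', $seconds);
    my ($end) = grep { /^notAfter=/ } @out;
    return 'unreadable (not a PEM/DER certificate?)' unless defined $end;
    return ($status == 1 ? 'EXPIRING/EXPIRED ' : 'ok ') . $end;
}

my $directory = shift @ARGV || '/etc/pki';   # same default directory as the tool
printf "%s: %s\n", $_, check_cert($_, 30 * 86400) for find_certs($directory);
```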

Comment 8 manuel wolfshant 2010-07-27 23:26:13 UTC
New sha1sum:
 7ce87e8f735a6ceced6a537d50f4faa6f710c4d8  x509watch

[wolfy@wolfy tmp]$ rpmlint x509watch*rpm
2 packages and 0 specfiles checked; 0 errors, 0 warnings.

No new problems spotted + previous issues solved.

===== APPROVED =====

Comment 9 Robert Scheck 2010-07-28 06:24:14 UTC
Manuel, thank you very much for the review.

New Package CVS Request
Package Name: x509watch
Short Description: Simple tool to list expiring or expired X.509 certificates
Owners: robert
Branches: EL-4 EL-5 EL-6 F-12 F-13

Comment 10 Kevin Fenzi 2010-07-30 20:35:40 UTC
GIT done (by process-cvs-requests.py).

with f14 branch added

Comment 11 Fedora Update System 2010-07-30 21:39:56 UTC
x509watch-0.2.0-1.fc14 has been submitted as an update for Fedora 14.

Comment 12 Fedora Update System 2010-07-30 21:40:04 UTC
x509watch-0.2.0-1.fc13 has been submitted as an update for Fedora 13.

Comment 13 Fedora Update System 2010-07-30 21:40:10 UTC
x509watch-0.2.0-1.fc12 has been submitted as an update for Fedora 12.

Comment 14 Fedora Update System 2010-07-30 21:40:22 UTC
x509watch-0.2.0-1.el4 has been submitted as an update for Fedora EPEL 4.

Comment 15 Fedora Update System 2010-07-30 21:40:28 UTC
x509watch-0.2.0-1.el5 has been submitted as an update for Fedora EPEL 5.

Comment 16 Robert Scheck 2010-07-30 21:43:40 UTC
x509watch-0.2.0-1.el4 Tag: dist-4E-epel-testing-candidate Status: complete 
x509watch-0.2.0-1.el5 Tag: dist-5E-epel-testing-candidate Status: complete 
x509watch-0.2.0-1.el6 Tag: dist-6E-epel Status: complete
x509watch-0.2.0-1.fc12 Tag: dist-f12-updates-candidate Status: complete
x509watch-0.2.0-1.fc13 Tag: dist-f13-updates-candidate Status: complete 
x509watch-0.2.0-1.fc14 Tag: dist-f14-updates-candidate Status: complete 
x509watch-0.2.0-1.fc15 Tag: dist-f15 Status: complete

Comment 17 Fedora Update System 2010-08-01 19:20:05 UTC
x509watch-0.2.0-1.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2010-08-03 00:43:57 UTC
x509watch-0.2.0-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2010-08-03 00:55:38 UTC
x509watch-0.2.0-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2010-08-03 21:38:04 UTC
x509watch-0.3.0-1.el4 has been submitted as an update for Fedora EPEL 4.

Comment 21 Fedora Update System 2010-08-03 21:38:21 UTC
x509watch-0.3.0-1.el5 has been submitted as an update for Fedora EPEL 5.

Comment 22 Fedora Update System 2010-08-19 21:57:30 UTC
x509watch-0.3.0-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2010-08-19 21:58:06 UTC
x509watch-0.3.0-1.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.
