Spec URL: http://people.sugarlabs.org/bernie/fedora/specs/monkeysphere.spec SRPM URL: http://people.sugarlabs.org/bernie/fedora/source/monkeysphere-0.31-1.src.rpm Description: SSH key-based authentication is tried-and-true, but it lacks a true Public Key Infrastructure for key certification, revocation and expiration. Monkeysphere is a framework that uses the OpenPGP web of trust for these PKI functions. It can be used in both directions: for users to get validated host keys, and for hosts to authenticate users.
Bernie, A few comments: * You should add a dist tag: http://fedoraproject.org/wiki/Packaging/DistTag * You should add 'BuildArch: noarch' since no binary is built * The build section doesn't do anything, you can leave it out * You need need to include COPYING in which is in the tarball * You should use %defattr(-, root, root, -) instead of %defattr(-, root, root, 755) * A lot of the permissions on the files are weird which rpmlint complains about. For example, the man pages are 755. The man pages can be fixed by replacing the man page lines in the %files section with '%attr(0644, root, root) %{_mandir}/*/*' but looking through some more of the rpmlint errors and warnings it might be easier to patch the Makefile to fix the rest of them. Here's the rpmlint output after making the above modifications including the man page permission fix: [mmckinst@fedora13 rpmbuild]$ rpmlint ~/rpmbuild/RPMS/noarch/monkeysphere-0.31-1.noarch.rpm monkeysphere.noarch: E: non-standard-executable-perm /usr/share/monkeysphere/transitions/0.28 0744L monkeysphere.noarch: W: non-standard-uid /var/lib/monkeysphere monkeysphere monkeysphere.noarch: W: non-standard-gid /var/lib/monkeysphere monkeysphere monkeysphere.noarch: E: non-standard-dir-perm /var/lib/monkeysphere 0775L monkeysphere.noarch: W: non-standard-uid /var/lib/monkeysphere/authorized_keys monkeysphere monkeysphere.noarch: W: non-standard-gid /var/lib/monkeysphere/authorized_keys monkeysphere monkeysphere.noarch: E: non-standard-dir-perm /var/lib/monkeysphere/authorized_keys 0775L monkeysphere.noarch: E: non-standard-executable-perm /usr/share/monkeysphere/transitions/0.23 0744L monkeysphere.noarch: W: doc-file-dependency /usr/share/monkeysphere/transitions/0.28 /bin/bash monkeysphere.noarch: W: doc-file-dependency /usr/share/monkeysphere/transitions/0.23 /bin/bash monkeysphere.noarch: W: doc-file-dependency /usr/share/monkeysphere/keytrans perl(Digest::SHA) monkeysphere.noarch: W: doc-file-dependency /usr/share/monkeysphere/checkperms /usr/bin/perl monkeysphere.noarch: W: doc-file-dependency /usr/share/monkeysphere/keytrans /usr/bin/perl monkeysphere.noarch: W: doc-file-dependency /usr/share/monkeysphere/checkperms perl(File::Basename) monkeysphere.noarch: W: doc-file-dependency /usr/share/monkeysphere/keytrans perl(File::Basename) monkeysphere.noarch: W: doc-file-dependency /usr/share/monkeysphere/keytrans perl(Crypt::OpenSSL::RSA) monkeysphere.noarch: W: doc-file-dependency /usr/share/monkeysphere/checkperms perl(Cwd) monkeysphere.noarch: W: doc-file-dependency /usr/share/monkeysphere/keytrans perl(bytes) monkeysphere.noarch: W: doc-file-dependency /usr/share/monkeysphere/keytrans perl(Digest::MD5) monkeysphere.noarch: W: doc-file-dependency /usr/share/monkeysphere/checkperms perl(File::stat) monkeysphere.noarch: W: doc-file-dependency /usr/share/monkeysphere/keytrans perl(warnings) monkeysphere.noarch: W: doc-file-dependency /usr/share/monkeysphere/keytrans perl(POSIX) monkeysphere.noarch: W: doc-file-dependency /usr/share/monkeysphere/keytrans perl(Crypt::OpenSSL::Bignum) monkeysphere.noarch: W: doc-file-dependency /usr/share/monkeysphere/checkperms perl(strict) monkeysphere.noarch: W: doc-file-dependency /usr/share/monkeysphere/keytrans perl(strict) monkeysphere.noarch: W: doc-file-dependency /usr/share/monkeysphere/checkperms perl(User::pwent) monkeysphere.noarch: W: doc-file-dependency /usr/share/monkeysphere/keytrans perl(Crypt::OpenSSL::Bignum::CTX) monkeysphere.noarch: W: doc-file-dependency /usr/share/monkeysphere/checkperms perl(Fcntl) monkeysphere.noarch: W: doc-file-dependency /usr/share/monkeysphere/keytrans perl(MIME::Base64) monkeysphere.noarch: W: dangerous-command-in-%postun userdel 1 packages and 0 specfiles checked; 4 errors, 26 warnings. [mmckinst@fedora13 rpmbuild]$
New spec file and srpm with above problems fixed: http://people.sugarlabs.org/bernie/fedora/specs/monkeysphere.spec http://people.sugarlabs.org/bernie/fedora/source/monkeysphere-0.31-2.src.rpm The following warning/errors remain. They are either spurious or denote venial upstream bugs. I have notified the maintainers about them. bernie@giskard:~/rpmbuild/SPECS$ rpmlint ../RPMS/monkeysphere-0.31-2.fc14.noarch.rpm monkeysphere.noarch: W: manual-page-warning /usr/share/man/man1/openpgp2ssh.1.gz 3375: bad character definition monkeysphere.noarch: W: manual-page-warning /usr/share/man/man1/openpgp2ssh.1.gz 3379: warning: macro `\}' not defined monkeysphere.noarch: W: non-standard-uid /var/lib/monkeysphere monkeysphere monkeysphere.noarch: W: non-standard-gid /var/lib/monkeysphere monkeysphere monkeysphere.noarch: E: non-standard-dir-perm /var/lib/monkeysphere 0775L monkeysphere.noarch: W: non-standard-uid /var/lib/monkeysphere/authorized_keys monkeysphere monkeysphere.noarch: W: non-standard-gid /var/lib/monkeysphere/authorized_keys monkeysphere monkeysphere.noarch: E: non-standard-dir-perm /var/lib/monkeysphere/authorized_keys 0775L monkeysphere.noarch: W: manual-page-warning /usr/share/man/man1/pem2openpgp.1.gz 3375: bad character definition monkeysphere.noarch: W: manual-page-warning /usr/share/man/man1/pem2openpgp.1.gz 3379: warning: macro `\}' not defined monkeysphere.noarch: W: dangerous-command-in-%postun userdel 1 packages and 0 specfiles checked; 2 errors, 9 warnings.
*** Bug 578352 has been marked as a duplicate of this bug. ***
Hi Bernie, Just doing an informal review and adding my 2c... (snip) monkeysphere.noarch: W: dangerous-command-in-%postun userdel 1 packages and 0 specfiles checked; 2 errors, 5 warnings. Comments: * You shouldn't remove users/groups [1] in %postun * groupadd and useradd in %pre don't check whether the user/group already exist. You should use the standard template [1] for this. The user account should use /sbin/nologin instead of /bin/bash. [1] http://fedoraproject.org/wiki/Packaging/UsersAndGroups
I am interested in doing the review. Why not start with upgrading to latest upstream (0.35 seems the last) and addressing David's informal review first?
Created attachment 496460 [details] Updated monkeysphere specfile
Created attachment 496461 [details] Updated monkeysphere SRPM
Created attachment 496463 [details] That would be the 0.31 to 0.35 patch
Updated specfile and SRPM, as well as patch attached. $ sudo rpmlint /root/rpmbuild/SRPMS/monkeysphere-0.35-1.el6.src.rpm /root/rpmbuild/RPMS/noarch/monkeysphere-0.35-1.el6.noarch.rpm monkeysphere.noarch: W: non-standard-uid /var/lib/monkeysphere monkeysphere monkeysphere.noarch: W: non-standard-gid /var/lib/monkeysphere monkeysphere monkeysphere.noarch: W: non-standard-uid /var/lib/monkeysphere/authorized_keys monkeysphere monkeysphere.noarch: W: non-standard-gid /var/lib/monkeysphere/authorized_keys monkeysphere 2 packages and 0 specfiles checked; 0 errors, 4 warnings. Note: I removed the user/group removal due to https://fedoraproject.org/wiki/Packaging/UsersAndGroups: "We never remove users or groups created by packages." Should we add "monkeysphere" to `setup` package to ged rid of non-standard-[g|u]id warning? Can you merge it, please?
Thanks for the refresh! I've fixed a few problems: http://codewiz.org/pub/fedora/specs/monkeysphere.spec http://codewiz.org/pub/fedora/source/monkeysphere-0.35-2.fc14.src.rpm --- monkeysphere.spec.orig 2011-05-03 11:14:32.177154526 -0400 +++ monkeysphere.spec 2011-05-03 11:11:34.503133911 -0400 @@ -1,14 +1,13 @@ Name: monkeysphere Summary: Use the OpenPGP web of trust to verify SSH connections Version: 0.35 -Release: 1%{dist} +Release: 2%{?dist} License: GPLv3+ Group: Applications/Internet URL: http://web.monkeysphere.info/ Source: http://archive.monkeysphere.info/debian/pool/%{name}/m/%{name}/%{name}_%{version}.orig.tar.gz -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildArch: noarch Requires(pre): shadow-utils @@ -38,7 +37,7 @@ rm -rf %{buildroot} make DESTDIR=%{buildroot} install mkdir -p %{buildroot}%{_var}/lib/%{name}/authorized_keys rm -r %{buildroot}%{_datadir}/%{name}/transitions/ -chmod -cR 0644 %{buildroot}%{_mandir} +chmod -cR 0644 %{buildroot}%{_mandir}/*/* chmod -cR 0644 src/transitions/* chmod -cR 0755 %{buildroot}%{_var}/lib/%{name}/ @@ -91,6 +90,10 @@ exit 0 %changelog +* Tue May 03 2011 Bernie Innocenti <bernie> - 0.35-2 +- Fix permissions on manpages +- Remove BuildRoot + * Tue May 3 2011 Michal Nowak <mnowak> - 0.35-1 - 0.35 bump - guidelines fixes
BTW, if Michal is interested, I'd like to share ownership of the package with him.
FORMAL REVIEW ============= [PASS] * MUST: rpmlint must be run on the source rpm and all binary rpms the build produces. The output should be posted in the review.[1] [PASS] * MUST: The package must be named according to the Package Naming Guidelines . [PASS] * MUST: The spec file name must match the base package %{name}, in the format %{name}.spec unless your package has an exemption. [2] . [PASS] * MUST: The package must meet the Packaging Guidelines . [PASS] * MUST: The package must be licensed with a Fedora approved license and meet the Licensing Guidelines . [PASS] * MUST: The License field in the package spec file must match the actual license. [3] [PASS] * MUST: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package must be included in %doc.[4] [PASS] * MUST: The spec file must be written in American English. [5] [PASS] * MUST: The spec file for the package MUST be legible. [6] [PASS] MD5: 481ac14c9fdef0ccd1944c593bd4f517 * MUST: The sources used to build the package must match the upstream source, as provided in the spec URL. Reviewers should use md5sum for this task. If no upstream URL can be specified for this package, please see the Source URL Guidelines for how to deal with this. [PASS] * MUST: The package MUST successfully compile and build into binary rpms on at least one primary architecture. [7] [WAIVE] * MUST: If the package does not successfully compile, build or work on an architecture, then those architectures should be listed [PASS] * MUST: All build dependencies must be listed in BuildRequires, except for any that are listed in the exceptions section of the Packaging Guidelines ; inclusion of those as BuildRequires is optional. Apply common sense. [WAIVE] * MUST: The spec file MUST handle locales properly. This is done by using the %find_lang macro. Using %{_datadir}/locale/* is strictly forbidden.[9] [WAIVE] * MUST: Every binary RPM package (or subpackage) which stores shared library files (not just symlinks) in any of the dynamic linker's default paths, must call ldconfig in %post and %postun. [10] [PASS] * MUST: Packages must NOT bundle copies of system libraries.[11] [PASS] * MUST: If the package is designed to be relocatable, the packager must state this fact in the request for review, along with the rationalization for relocation of that specific package. Without this, use of Prefix: /usr is considered a blocker. [12] [PASS] * MUST: A package must own all directories that it creates. If it does not create a directory that it uses, then it should require a package which does create that directory. [13] [PASS] * MUST: A Fedora package must not list a file more than once in the spec file's %files listings. (Notable exception: license texts in specific situations)[14] [PASS] * MUST: Permissions on files must be set properly. Executables should be set with executable permissions, for example. [15] [PASS] * MUST: Each package must consistently use macros. [16] [PASS] * MUST: The package must contain code, or permissable content. [17] [WAIVE] * MUST: Large documentation files must go in a -doc subpackage. (The definition of large is left up to the packager's best judgement, but is not restricted to size. Large can refer to either size or quantity). [18] [PASS] * MUST: If a package includes something as %doc, it must not affect the runtime of the application. To summarize: If it is in %doc, the program must run properly if it is not present. [18] [WAIVE] * MUST: Header files must be in a -devel package. [19] [WAIVE] * MUST: Static libraries must be in a -static package. [20] [PASS] * MUST: If a package contains library files with a suffix (e.g. libfoo.so.1.1), then library files that end in .so (without suffix) must go in a -devel package. [19] [WAIVE] * MUST: In the vast majority of cases, devel packages must require the base package using a fully versioned dependency: Requires: %{name}%{?_isa} = %{version}-%{release} [21] [PASS] * MUST: Packages must NOT contain any .la libtool archives, these must be removed in the spec if they are built.[20] [WAIVE] * MUST: Packages containing GUI applications must include a %{name}.desktop file, and that file must be properly installed with desktop-file-install in the %install section. If you feel that your packaged GUI application does not need a .desktop file, you must put a comment in the spec file with your explanation. [22] [PASS] * MUST: Packages must not own files or directories already owned by other packages. [PASS] * MUST: All filenames in rpm packages must be valid UTF-8. [24] [WAIVE] * SHOULD: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it. [25] [WAIVE] * SHOULD: The description and summary sections in the package spec file should contain translations for supported Non-English languages, if available. [26] [PASS] * SHOULD: The reviewer should test that the package builds in mock. [27] [WAIVE] * SHOULD: The package should compile and build into binary rpms on all supported architectures. [28] [PASS] * SHOULD: The reviewer should test that the package functions as described. A package should not segfault instead of running, for example. [PASS] * SHOULD: If scriptlets are used, those scriptlets must be sane. This is vague, and left up to the reviewers judgement to determine sanity. [29] [WAIVE] * SHOULD: Usually, subpackages other than devel should require the base package using a fully versioned dependency. [21] [WAIVE] * SHOULD: The placement of pkgconfig(.pc) files depends on their usecase, and this is usually for development purposes, so should be placed in a -devel pkg. A reasonable exception is that the main pkg itself is a devel tool not installed in a user runtime, e.g. gcc or gdb. [30] [WAIVE] * SHOULD: If the package has file dependencies outside of /etc, /bin, /sbin, /usr/bin, or /usr/sbin consider requiring the package which provides the file instead of the file itself. [31] [PASS] * SHOULD: your package should contain man pages for binaries/scripts. If it doesn't, work with upstream to add them where they make sense.[32] All pass. One thing I suggest, remove "%{__make} %{?_smp_mflags}" and keep the %build section empty. I am interested in co-maintenance, add me, please. Consider doing a swap for mozilla-monkeysphere XUL plugin in bug 701668. Thanks. ACCEPTED
It's quite some time I did my last package review; is there anything I should set/do so we can proceed towards Fedora dist-git?
No, everything looks good so far. Bernie should now request a Git repo for the package: http://fedoraproject.org/wiki/Package_SCM_admin_requests
Bernie? Ping.
New Package SCM Request ======================= Package Name: monkeysphere Short Description: Use the OpenPGP web of trust to verify ssh Owners: bernie mnowak Branches: f14 f15 InitialCC: bernie mnowak
(In reply to comment #15) > Bernie? Ping. Sorry for the delay, I was travelling. I'm not sure about your suggestion to remove the build stage: currently it doesn't do anything, but if this changes in future upstream releases, we risk silently breaking something.
Git done (by process-git-requests).
Package imported and built for f14, f15 and rawhide. Thanks to everyone who contributed to this review.
Package Change Request ====================== Package Name: monkeysphere New Branches: el6 epel7 Owners: stardust85