Hide Forgot
Spec URL: http://mmckinst.fedorapeople.org/packages/lmd/lmd.spec SRPM URL: http://mmckinst.fedorapeople.org/packages/lmd/lmd-1.3.9-1.fc14.src.rpm Scratch URL: http://koji.fedoraproject.org/koji/taskinfo?taskID=2924434 Description: Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions with the LMD checkout feature and from malware community resources. The signatures that LMD uses are MD5 file hashes and HEX pattern matches, they are also easily exported to any number of detection tools such as ClamAV.
Hi Mark, Here is the review (this is my first "official" review) so I am open to comments from experienced packagers :) 1 Firstly, please add a line between each new entry of changelog, I mean: * Fri Mar 18 2011 Mark McKinstry <mmckinst> - 1.3.9-1 - whatever.... * Tue Nov 29 2010 Mark McKinstry <mmckinst> - 1.3.7-1 - whatever... 2 - Why is included a tmp file in datadir...? 3 - What's wrong with md5sum? (See below) It's not a minor issue in a software that pretends to detect malware! Because of that, the package is NOT approved YET. Notes: +:ok, =:needs attention, -:needs fixing MUST Items: [] MUST: rpmlint must be run on every package. rpmlint -i -v /var/lib/mock/fedora-rawhide-i386/root/builddir/build/RPMS/lmd-1.3.9-1.fc16.noarch.rpm lmd.noarch: I: checking lmd.noarch: W: spelling-error Summary(en_US) malware -> metalware, malarkey, Mallarme The value of this tag appears to be misspelled. Please double-check. lmd.noarch: W: spelling-error %description -l en_US malware -> metalware, malarkey, Mallarme The value of this tag appears to be misspelled. Please double-check. lmd.noarch: I: checking-url http://www.rfxn.com/projects/linux-malware-detect/ (timeout 10 seconds) lmd.noarch: E: executable-marked-as-config-file /etc/cron.daily/maldetect Executables must not be marked as config files because that may prevent upgrades from working correctly. If you need to be able to customize an executable, make it for example read a config file in /etc/sysconfig. lmd.noarch: E: zero-length /usr/share/maldetect/ignore_sigs lmd.noarch: W: no-manual-page-for-binary maldet Each executable in standard binary directories should have a man page. 1 packages and 0 specfiles checked; 2 errors, 3 warnings. rpmlint -i -v ../SRPMS/lmd-1.3.9-1.fc14.src.rpm lmd.src: I: checking lmd.src: W: spelling-error Summary(en_US) malware -> metalware, malarkey, Mallarme The value of this tag appears to be misspelled. Please double-check. lmd.src: W: spelling-error %description -l en_US malware -> metalware, malarkey, Mallarme The value of this tag appears to be misspelled. Please double-check. lmd.src: I: checking-url http://www.rfxn.com/projects/linux-malware-detect/ (timeout 10 seconds) lmd.src: I: checking-url http://www.rfxn.com/downloads/maldetect-current.tar.gz (timeout 10 seconds) 1 packages and 0 specfiles checked; 0 errors, 2 warnings. rpmlint -i -v lmd.spec lmd.spec: I: checking-url http://www.rfxn.com/downloads/maldetect-current.tar.gz (timeout 10 seconds) 0 packages and 1 specfiles checked; 0 errors, 0 warnings. Warnings are harmless <<output if not already posted>> [:=] MUST: The package must be named according to the Package Naming Guidelines. [+] MUST: The spec file name must match the base package %{name} [:=] MUST: The package must meet the Packaging Guidelines. [FIXME?: covers this list and more] [+] MUST: The package must be licensed with a Fedora approved license and meet the Licensing Guidelines. [-] MUST: The License field in the package spec file must match the actual license. File tlog is licensed under GPLv2+, so License must be: GPLv2 + GPLv2+ [+] MUST: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package must be included in %doc. [:=] MUST: The spec file must be written in American English. [+] MUST: The spec file for the package MUST be legible. [-] MUST: The sources used to build the package must match the upstream source, as provided in the spec URL. md5sum checksum tarball from SRPM:fdaf465ad43ffe90bb47adf6d2a39918 md5sum checksum upstream: e805672f97e990907fa910029b52a7dd Ooops! What's wrong?? [+] MUST: The package must successfully compile and build into binary rpms on at least one supported architecture. [+] MUST: All build dependencies must be listed in BuildRequires [] MUST: The spec file MUST handle locales properly. This is done by using the %find_lang macro. [+] MUST: A package must own all directories that it creates. If it does not create a directory that it uses, then it should require a package which does create that directory. [+] MUST: A package must not contain any duplicate files in the %files listing. [+] MUST: Permissions on files must be set properly. Executables should be set with executable permissions, for example. Every %files section must include a %defattr(...) line. [+] MUST: Each package must consistently use macros, as described in the macros section of Packaging Guidelines. [+] MUST: The package must contain code, or permissible content. This is described in detail in the code vs. content section of Packaging Guidelines. [+] MUST: If a package includes something as %doc, it must not affect the runtime of the application. [+] MUST: Packages must not own files or directories already owned by other packages. [+] MUST: All filenames in rpm packages must be valid UTF-8. SHOULD Items: [:=] SHOULD: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it. [+] SHOULD: The description and summary sections in the package spec file should contain translations for supported Non-English languages, if available. [+] SHOULD: The reviewer should test that the package builds in mock. [:=] SHOULD: The reviewer should test that the package functions as described. [+] SHOULD: Packages should try to preserve timestamps of original installed files. [:=] It has not a manpage for executable file, could it possible? contact to the upstream if you can.
(In reply to comment #1) > File tlog is licensed under GPLv2+, so License must be: GPLv2 + GPLv2+ It would be "GPLv2 and GPLv2+". However, I'd prefer a consistent licensing scenario for the whole package. Mark, please ask upstream whether tlog is actually intended to be licensed under GPLv2+ while all other scripts are GPLv2 only. Here are some additional comments: - "lmd" seems to be the abbreviation of the project name. However, upstream uses "maldetect" for the tarball and all related files/folders. Therefore, I personally would tend to name the package "maldetect" as well. - You should drop Requires: perl as this dependency is detected automatically. - Please use plain rm, cp, and sed instead of the corresponding macros. See also: http://fedoraproject.org/wiki/Packaging/Guidelines#Macros - The package currently doesn't own the folders %{_datadir}/maldetect, %{_var}/lib/maldetect, and %{_libexecdir}/maldetect but only their contents. Just remove the asterisks in the %file section to get it right.
Sergio, Thank you for the review. > 1 - Firstly, please add a line between each new entry of changelog, I mean: Done. > 2 - Why is included a tmp file in datadir...? I'll make a request to the author to make the location of tmp tunable. > 3 - What's wrong with md5sum? (See below) It's not a minor issue in a software that pretends to detect malware! Thank you for finding this. The tarball is continually updated with new signatures of malware which is why the md5sum differs. I've included a comment in the spec file on how to delete the signatures and verify the integrity of the rest of the tarball. Martin, > - "lmd" seems to be the abbreviation of the project name. However, upstream > uses "maldetect" for the tarball and all related files/folders. Therefore, > I personally would tend to name the package "maldetect" as well. I agreee. The package name is now maldetect. > - You should drop Requires: perl as this dependency is detected automatically. Done. > - Please use plain rm, cp, and sed instead of the corresponding macros. See > also: http://fedoraproject.org/wiki/Packaging/Guidelines#Macros Done > - The package currently doesn't own the folders %{_datadir}/maldetect, > %{_var}/lib/maldetect, and %{_libexecdir}/maldetect but only their contents. > Just remove the asterisks in the %file section to get it right. Fixed. spec: http://mmckinst.fedorapeople.org/packages/maldetect/maldetect.spec SRPM: http://mmckinst.fedorapeople.org/packages/maldetect/maldetect-1.4.0-1.fc14.src.rpm scratch: http://koji.fedoraproject.org/koji/taskinfo?taskID=3252300
Mark, I'll take a look the package this week. I didn't forget you :)
Hi Mark [ rpmlint spec file ] rpmlint -i -v maldetect.spec maldetect.spec:16: W: mixed-use-of-spaces-and-tabs (spaces: line 16, tab: line 1) The specfile mixes use of spaces and tabs for indentation, which is a cosmetic annoyance. Use either spaces or tabs for indentation, not both. maldetect.spec: I: checking-url http://www.rfxn.com/downloads/maldetect-current.tar.gz (timeout 10 seconds) 0 packages and 1 specfiles checked; 0 errors, 1 warnings. [A]: Fix it ;) [ rpmlint SRPM file ] rpmlint -i -v /home/sergio/rpmbuild/SRPMS/maldetect-1.4.0-1.fc15.src.rpm maldetect.src: I: checking maldetect.src: W: spelling-error Summary(en_US) malware -> Waldemar The value of this tag appears to be misspelled. Please double-check. maldetect.src: W: spelling-error %description -l en_US malware -> Waldemar The value of this tag appears to be misspelled. Please double-check. maldetect.src: I: checking-url http://www.rfxn.com/projects/linux-malware-detect/ (timeout 10 seconds) maldetect.src:16: W: mixed-use-of-spaces-and-tabs (spaces: line 16, tab: line 1) The specfile mixes use of spaces and tabs for indentation, which is a cosmetic annoyance. Use either spaces or tabs for indentation, not both. maldetect.src: I: checking-url http://www.rfxn.com/downloads/maldetect-current.tar.gz (timeout 10 seconds) maldetect.src: W: file-size-mismatch maldetect-current.tar.gz = 758891, http://www.rfxn.com/downloads/maldetect-current.tar.gz = 762399 The size of the file in the package does not match the size indicated by peeking at its URL. Verify that the file in the package has the intended contents. 1 packages and 0 specfiles checked; 0 errors, 4 warnings. [B]: Fix indentation issue [ rpmlint rpm files ] maldetect.noarch: I: checking maldetect.noarch: W: spelling-error Summary(en_US) malware -> Waldemar The value of this tag appears to be misspelled. Please double-check. maldetect.noarch: W: spelling-error %description -l en_US malware -> Waldemar The value of this tag appears to be misspelled. Please double-check. maldetect.noarch: I: checking-url http://www.rfxn.com/projects/linux-malware-detect/ (timeout 10 seconds) maldetect.noarch: E: executable-marked-as-config-file /etc/cron.daily/maldetect Executables must not be marked as config files because that may prevent upgrades from working correctly. If you need to be able to customize an executable, make it for example read a config file in /etc/sysconfig. maldetect.noarch: E: incorrect-fsf-address /usr/share/doc/maldetect-1.4.0/COPYING.GPL The Free Software Foundation address in this file seems to be outdated or misspelled. Ask upstream to update the address, or if this is a license file, possibly the entire file with a new copy available from the FSF. maldetect.noarch: E: zero-length /usr/share/maldetect/ignore_sigs maldetect.noarch: E: incorrect-fsf-address /var/lib/maldetect/inotify/tlog The Free Software Foundation address in this file seems to be outdated or misspelled. Ask upstream to update the address, or if this is a license file, possibly the entire file with a new copy available from the FSF. maldetect.noarch: W: no-manual-page-for-binary maldet Each executable in standard binary directories should have a man page. [C]: Fix FSF address take a look at http://www.fsf.org/about/contact/ and eg /usr/share/doc/kdeaccessibility-4.6.5/COPYING [:=] MUST: The package must be named according to the Package Naming Guidelines. [+] MUST: The spec file name must match the base package %{name} [:=] MUST: The package must meet the Packaging Guidelines. [FIXME?: covers this list and more] [+] MUST: The package must be licensed with a Fedora approved license and meet the Licensing Guidelines. [+] MUST: The License field in the package spec file must match the actual license. [+] MUST: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package must be included in %doc. [:=] MUST: The spec file must be written in American English. [+] MUST: The spec file for the package MUST be legible. [:=] MUST: The sources used to build the package must match the upstream source, [+] MUST: The package must successfully compile and build into binary rpms on at least one supported architecture. [+] MUST: All build dependencies must be listed in BuildRequires [] MUST: The spec file MUST handle locales properly. This is done by using the %find_lang macro. [+] MUST: A package must own all directories that it creates. If it does not create a directory that it uses, then it should require a package which does create that directory. [+] MUST: A package must not contain any duplicate files in the %files listing. [+] MUST: Permissions on files must be set properly. Executables should be set with executable permissions, for example. Every %files section must include a %defattr(...) line. [+] MUST: Each package must consistently use macros, as described in the macros section of Packaging Guidelines. [+] MUST: The package must contain code, or permissible content. This is described in detail in the code vs. content section of Packaging Guidelines. [+] MUST: If a package includes something as %doc, it must not affect the runtime of the application. [+] MUST: Packages must not own files or directories already owned by other packages. [+] MUST: All filenames in rpm packages must be valid UTF-8. SHOULD Items: [:=] SHOULD: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it. [:=] SHOULD: The description and summary sections in the package spec file should contain translations for supported Non-English languages, if available. [+] SHOULD: The reviewer should test that the package builds in mock. [+] SHOULD: The reviewer should test that the package functions as described. [+] SHOULD: Packages should try to preserve timestamps of original installed files. [:=] It has not a manpage for executable file, could it possible? contact to the upstream if you can. [D] Please coud you contact to upstream to determine what kind of license should be applied to the entire package as Martin Gieseking suggested? If upstream doesn't answer so let license be GPLv2 + GPLv2+ [E]: The comment in the specfile: It's a bit bad-written :) and also I think that "hardcoding" the current md5sum is not a good idea. # The author does not provide a way of download a specifc version. # The md5sum of the tarball in this SRPM will differ becasue the signatures # included are constantly updated. To confirm this tarball is the same as the # one you just donwloaded, the line below delete the signatures and generate # the md5sum. The md5sum should be b7a28e4121e4ba0655de143a38aa3ed4 You may add something like this instead: # The author does not provide a way of download a specifc version. # The md5sum of the tarball in this SRPM will differ becasue the signatures # included are constantly updated. In order to confirm this tarball is the same # as the one you just donwloaded from Source0, run the line below which deletes # the signatures and generates the md5sum. You should do it the same for #tarball of SRPM package. Both md5sums should be equal. Please fix each issue labeled with letters and then come back and maldetect will be approved :) But there are a serious issue unless I didn't understand well how this program works, look at this: My /etc/fstab looks as follows: # # /etc/fstab # Created by anaconda on Tue Jul 12 19:45:18 2011 # # Accessible filesystems, by reference, are maintained under '/dev/disk' # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info # /dev/mapper/vg_sebelk-root / ext4 defaults 1 1 #UUID=1cfa489a-8252-4b54-b740-2b0344474e2e /boot ext4 defaults 1 2 /dev/sda3 /boot ext4 defaults 1 2 /dev/mapper/vg_sebelk-LogVol02 /home ext4 defaults 1 2 /dev/mapper/vg_sebelk-LogVol01 swap swap defaults 0 0 tmpfs /dev/shm tmpfs defaults 0 0 devpts /dev/pts devpts gid=5,mode=620 0 0 sysfs /sys sysfs defaults 0 0 proc /proc proc defaults 0 0 maldet -a /etc/fstab Linux Malware Detect v1.4.0 (C) 2002-2011, R-fx Networks <proj> (C) 2011, Ryan MacDonald <ryan> inotifywait (C) 2007, Rohan McGovern <rohan.au> This program may be freely redistributed under the terms of the GNU GPL v2 maldet(2809): {scan} signatures loaded: 8114 (6257 MD5 / 1857 HEX) maldet(2809): {scan} building file list for /etc/fstab, this might take awhile... maldet(2809): {scan} file list completed, found 1 files... maldet(2809): {scan} 1/1 files scanned: 0 hits 0 cleaned maldet(2809): {scan} scan completed on /etc/fstab: files 1, malware hits 1, cleaned hits 0 [NOTE FROM MYSELF: WHAT????] maldet(2809): {scan} scan report saved 'maldet --report 082011-2109.2809' I've edited /etc/maldetect.conf and set quar_hits to 1 And guess what? maldetect put my innocent fstab under qurantine!!! I've tested with a lot of other innocent files and did it the same. Please tell me if we should let come in this package in Fedora... Did I miss something? Take care.
> [A]: Fix it ;) > [B]: Fix indentation issue Fixed. > [C]: Fix FSF address take a look at http://www.fsf.org/about/contact/ and eg > /usr/share/doc/kdeaccessibility-4.6.5/COPYING I emailed the author. > [D] Please coud you contact to upstream to determine what kind of license > should be applied to the entire package as Martin Gieseking suggested? If > upstream doesn't answer so let license be GPLv2 + GPLv2+ I emailed the author. > [E]: The comment in the specfile: I've updated the comment. > maldetect put my innocent fstab under qurantine!!! > > I've tested with a lot of other innocent files and did it the same. > > Please tell me if we should let come in this package in Fedora... Did I miss > something? I think I may have introduced a bug when it was upgraded to 1.4.0. Try scanning again using the new RPM. You generally don't want to tell it to quarantine results unless you're sure all the stuff it has found is valid. It may still come up with false positives, it is meant for scanning web sites to find things like remote shells, irc bots, spamming scripts, etc. It is not meant to be an antivirus program like Windows has, that will scan all files on your computer. If you'd like a better test of its abilities, google for terms like 'r57 shell' or 'c99 shell' and try scanning those files. I contacted the author this afternoon to see if he can clarify the licensing. I'll give it a week or two before contacting him again. In the mean time, here's and updated SPEC and SRPM: Spec: http://mmckinst.fedorapeople.org/packages/maldetect/maldetect.spec SRPM: http://mmckinst.fedorapeople.org/packages/maldetect/maldetect-1.4.0-2.fc14.src.rpm
I heard back from the author and the license on tlog has been updated to GPLv2 only (no longer GPLv2+) so the entire program is GPLv2 now. The address for the FSF has also been updated to the most recent address. I introduced a bug with one of my patches which lead to the problems scanning files you were having. To better test it, google for 'r57 shell' or 'c99 shell' and try scanning them. If you have a website, you could try scanning the files for it as well since scanning web files malware/shells/spamming scripts/suspicious files is what it was designed for. Spec: http://mmckinst.fedorapeople.org/packages/maldetect/maldetect.spec SRPM: http://mmckinst.fedorapeople.org/packages/maldetect/maldetect-1.4.0-3.fc14.src.rpm
ping?
Hi Mark, Are you in a hurry? :) Please consider that package you have submitted has been little-friendly for reviewing. Also, I was a bit busy. So please, be patient. I will review as as soon I have the time to one more time to take the task seriously of review this package. Especially when the software doesn't give a lot of false positives only in certain cases... Regards
(In reply to comment #7) > I heard back from the author and the license on tlog has been updated to GPLv2 > only (no longer GPLv2+) so the entire program is GPLv2 now. The address for the > FSF has also been updated to the most recent address. > > I introduced a bug with one of my patches which lead to the problems scanning > files you were having. To better test it, google for 'r57 shell' or 'c99 shell' > and try scanning them. If you have a website, you could try scanning the files > for it as well since scanning web files malware/shells/spamming > scripts/suspicious files is what it was designed for. You are saying that is not a rootkit scanner, aren't you? So, make it clear on the Description and (this is not mandatory) suggest the same to upstream if you wish > Spec: http://mmckinst.fedorapeople.org/packages/maldetect/maldetect.spec > SRPM: > http://mmckinst.fedorapeople.org/packages/maldetect/maldetect-1.4.0-3.fc14.src.rpm Make these things if you are so interested to include such a package in Fedora
Ping? Any progress here? Or we can close this review?
Stalled Review. Closing per: https://fedoraproject.org/wiki/Policy_for_stalled_package_reviews If you ever want to continue in this review, please reopen or submit new review.
This package did not pass review. Therefore reseting fedora-review flag. This package is not included in Fedora. Therefore closing as NOTABUG.
Still waiting for this be fixed: maldetect.noarch: E: executable-marked-as-config-file /etc/cron.daily/maldetect Executables must not be marked as config files because that may prevent upgrades from working correctly. If you need to be able to customize an executable, make it for example read a config file in /etc/sysconfig.
Sorry I've approved earlier by mistake, as I've said we are waiting for some errors to be fixed