Bug 691619 - (openvas-manager) Review Request: openvas-manager - Open Vulnerability Assessment (OpenVAS) Manager (edit)
Review Request: openvas-manager - Open Vulnerability Assessment (OpenVAS) Man...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
rawhide
All Linux
unspecified Severity low
: ---
: ---
Assigned To: Carl Thompson
Fedora Extras Quality Assurance
:
Depends On:
Blocks: FE-SECLAB
  Show dependency treegraph
 
Reported: 2011-03-28 22:33 EDT by Michal Ambroz
Modified: 2014-09-23 15:18 EDT (History)
8 users (show)

See Also:
Fixed In Version: openvas-manager-2.0.3-1.fc15
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-05-06 22:51:59 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
fedora: fedora‑review+
limburgher: fedora‑cvs+


Attachments (Terms of Use)

  None (edit)
Description Michal Ambroz 2011-03-28 22:33:29 EDT
Hello,
Please I would like to ask you for review of a new openvas package.

Spec URL: http://rebus.fedorapeople.org/SPECS/openvas-manager.spec
SRPM URL: http://rebus.fedorapeople.org/SRPMS/openvas-manager-2.0.2-1.fc14.src.rpm

Description:
The OpenVAS Manager is the central service that consolidates plain vulnerability
scanning into a full vulnerability management solution. The Manager controls the
Scanner via OTP and itself offers the XML-based, stateless OpenVAS Management 
Protocol (OMP). All intelligence is implemented in the Manager so that it is
possible to implement various lean clients that will behave consistently e.g. 
with regard to filtering or sorting scan results. The Manager also controls 
a SQL database (sqlite-based) where all configuration and scan result data is 
centrally stored.

Best regards
Michal Ambroz
Comment 1 Carl Thompson 2011-03-29 23:57:31 EDT
+ = OK
- = NA
? = Issue

+ MUST: rpmlint must be run on the source rpm and all binary rpms the build produces. The output should be posted in the review.
rpmlint openvas-manager.spec 
0 packages and 1 specfiles checked; 0 errors, 0 warnings.

+ MUST: The package must be named according to the Package Naming Guidelines .
+ MUST: The spec file name must match the base package %{name}, in the format %{name}.spec unless your package has an exemption.
+ MUST: The package must meet the Packaging Guidelines .
+ MUST: The package must be licensed with a Fedora approved license and meet the Licensing Guidelines.
+ MUST: The License field in the package spec file must match the actual license.
+ MUST: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package must be included in %doc.
+ MUST: The spec file must be written in American English.
+ MUST: The spec file for the package MUST be legible.
+ MUST: The sources used to build the package must match the upstream source, as provided in the spec URL. Reviewers should use md5sum for this task. If no upstream URL can be specified for this package, please see the Source URL Guidelines for how to deal with this.
5680a523cfeac8aec4d52f5f964d1713  openvas-manager-2.0.2.tar.gz (package)
5680a523cfeac8aec4d52f5f964d1713  openvas-manager-2.0.2.tar.gz (upstream)

? MUST: The package MUST successfully compile and build into binary rpms on at least one primary architecture.
#output
-- Configuring the Manager...
-- The C compiler identification is GNU
-- Check for working C compiler: /usr/lib/ccache/gcc
-- Check for working C compiler: /usr/lib/ccache/gcc -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Install prefix: /usr
-- checking for module 'libopenvas>=4.0.0'
--   found libopenvas, version 4.0.3
-- checking for module 'gnutls'
--   found gnutls, version 2.10.5
-- checking for module 'glib-2.0'
--   found glib-2.0, version 2.28.4
-- checking for module 'sqlite3'
--   found sqlite3, version 3.7.5
-- checking for module 'uuid'
--   package 'uuid' not found
CMake Error at /usr/share/cmake/Modules/FindPkgConfig.cmake:266 (message):
  A required package was not found
Call Stack (most recent call first):
  /usr/share/cmake/Modules/FindPkgConfig.cmake:320 (_pkg_check_modules_internal)
  CMakeLists.txt:180 (pkg_check_modules)
-- Looking for pcap...
-- Looking for pcap... PCAP-NOTFOUND
CMake Error at CMakeLists.txt:186 (message):
  The pcap library is required.
-- Configuring incomplete, errors occurred!
#end output
probably needs some additional requires defined such as libpcap-devel, libuuid-devel
I recomend cleaning your mock and re initializing it to ensure a minimal environment when you build

? MUST: If the package does not successfully compile, build or work on an architecture, then those architectures should be listed in the spec in ExcludeArch. Each architecture listed in ExcludeArch MUST have a bug filed in bugzilla, describing the reason that the package does not compile/build/work on that architecture. The bug number MUST be placed in a comment, next to the corresponding ExcludeArch line.
see previous item

? MUST: All build dependencies must be listed in BuildRequires, except for any that are listed in the exceptions section of the Packaging Guidelines ; inclusion of those as BuildRequires is optional. Apply common sense.
see previous item (2 up, build failure)

+ MUST: The spec file MUST handle locales properly. This is done by using the %find_lang macro. Using %{_datadir}/locale/* is strictly forbidden.
+ MUST: Every binary RPM package (or subpackage) which stores shared library files (not just symlinks) in any of the dynamic linker's default paths, must call ldconfig in %post and %postun.
+ MUST: Packages must NOT bundle copies of system libraries.
- MUST: If the package is designed to be relocatable, the packager must state this fact in the request for review, along with the rationalization for relocation of that specific package. Without this, use of Prefix: /usr is considered a blocker.
? MUST: A package must own all directories that it creates. If it does not create a directory that it uses, then it should require a package which does create that directory.
The %{_datadir}/openvas is not owned by the package, may consider naming the directory openvas-%{version} as well

+ MUST: A Fedora package must not list a file more than once in the spec file's %files listings. (Notable exception: license texts in specific situations)
+ MUST: Permissions on files must be set properly. Executables should be set with executable permissions, for example. Every %files section must include a %defattr(...) line.
+ MUST: Each package must consistently use macros.
+ MUST: The package must contain code, or permissable content.
+ MUST: Large documentation files must go in a -doc subpackage. (The definition of large is left up to the packager's best judgement, but is not restricted to size. Large can refer to either size or quantity).
+ MUST: If a package includes something as %doc, it must not affect the runtime of the application. To summarize: If it is in %doc, the program must run properly if it is not present.
- MUST: Header files must be in a -devel package.
- MUST: Static libraries must be in a -static package.
- MUST: If a package contains library files with a suffix (e.g. libfoo.so.1.1), then library files that end in .so (without suffix) must go in a -devel package.
- MUST: In the vast majority of cases, devel packages must require the base package using a fully versioned dependency: Requires: %{name}%{?_isa} = %{version}-%{release}
- MUST: Packages must NOT contain any .la libtool archives, these must be removed in the spec if they are built.
- MUST: Packages containing GUI applications must include a %{name}.desktop file, and that file must be properly installed with desktop-file-install in the %install section. If you feel that your packaged GUI application does not need a .desktop file, you must put a comment in the spec file with your explanation.
+ MUST: Packages must not own files or directories already owned by other packages. The rule of thumb here is that the first package to be installed should own the files or directories that other packages may rely upon. This means, for example, that no package in Fedora should ever share ownership with any of the files or directories owned by the filesystem or man package. If you feel that you have a good reason to own a file or directory that another package owns, then please present that at package review time.
+ MUST: All filenames in rpm packages must be valid UTF-8.

? SHOULD: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it.
Its listed in the readme but have you asked upstream to include a license.txt in the archive?

- SHOULD: The description and summary sections in the package spec file should contain translations for supported Non-English languages, if available.
+ SHOULD: The reviewer should test that the package builds in mock.
? SHOULD: The package should compile and build into binary rpms on all supported architectures.
compile time errors see above

? SHOULD: The reviewer should test that the package functions as described. A package should not segfault instead of running, for example.
compile time errors see above

+ SHOULD: If scriptlets are used, those scriptlets must be sane. This is vague, and left up to the reviewers judgement to determine sanity.
- SHOULD: Usually, subpackages other than devel should require the base package using a fully versioned dependency.
- SHOULD: The placement of pkgconfig(.pc) files depends on their usecase, and this is usually for development purposes, so should be placed in a -devel pkg. A reasonable exception is that the main pkg itself is a devel tool not installed in a user runtime, e.g. gcc or gdb.
- SHOULD: If the package has file dependencies outside of /etc, /bin, /sbin, /usr/bin, or /usr/sbin consider requiring the package which provides the file instead of the file itself.
+ SHOULD: your package should contain man pages for binaries/scripts. If it doesn't, work with upstream to add them where they make sense.
Comment 2 Michal Ambroz 2011-03-30 09:22:55 EDT
Hello Carl,
thank you for feedback. I address the issues and upload new package at the evening.

>? MUST: The package MUST successfully compile and build into binary rpms on at
Sorry for that - I will review dev dependencies once again.

>- MUST: If the package is designed to be relocatable, the packager must state
MA: Packageis not designed as relocatable and doesn't contain Prefix


>? MUST: A package must own all directories that it creates. If it does not
I will add dir %{_datadir}/openvas. Expect modified version uploaded this evening.
I will not change to openvas-%{version} as the directory is used by other openvas
packages as well and there is not a stong link to the version


>- MUST: Header files must be in a -devel package.
there are no header files


>- MUST: Static libraries must be in a -static package.
there are no static libraries
main binary openvasmd is linked dynamically


>- MUST: If a package contains library files with a suffix (e.g. libfoo.so.1.1),
not applicable

>- MUST: In the vast majority of cases, devel packages must require the base
not applicable - this is not devel package

>- MUST: Packages must NOT contain any .la libtool archives, these must be
not applicable - doesn't contain .la archives

>- MUST: Packages containing GUI applications must include a %{name}.desktop
not applicable - doesn't contain GUI application

>? SHOULD: If the source package does not include license text(s) as a separate
Not applicable - the package does include license text

>- SHOULD: The description and summary sections in the package spec file should
>contain translations for supported Non-English languages, if available.
Not applicable - translation is not available now.

>- SHOULD: Usually, subpackages other than devel should require the base package
>using a fully versioned dependency.
Not applicable - this is standalone module of openvas and is not tightly
limited for usage of all packages of the same version. 
Version specific requirement for compiled library is computed automatically during
build as recommended by the packagin guideline:
"Packages must not contain explicit Requires on libraries except when absolutely necessary. "

>- SHOULD: The placement of pkgconfig(.pc) files depends on their usecase, and
not applicable - .pc files not included in the binary package

>- SHOULD: If the package has file dependencies outside of /etc, /bin, /sbin,
I will add as this dependency was not detected by RPM, it is within /usr/bin and explicit linking whole library is prohibited by the packaging guideline
Requires:       /usr/bin/xsltproc
Comment 3 Carl Thompson 2011-03-30 12:13:03 EDT
the - ones you don't have to worry about because they are not applicable, only the ? ones.

Just update the bug when you get the dependencies tied up and get a new rpm and spec up.
Comment 4 Michal Ambroz 2011-03-30 19:05:48 EDT
Hello,
here is the updated package:

Spec URL: http://rebus.fedorapeople.org/SPECS/openvas-manager.spec
SRPM URL:
http://rebus.fedorapeople.org/SRPMS/openvas-manager-2.0.2-2.fc14.src.rpm

Thank you
Michal Ambroz
Comment 5 Carl Thompson 2011-03-30 19:58:05 EDT
Unable to retrieve src.rpm

rpmlint returns a warning so you know:

rpmlint openvas-manager.spec 
openvas-manager.spec:26: W: mixed-use-of-spaces-and-tabs (spaces: line 26, tab: line 1)
openvas-manager.spec: W: invalid-url Source0: http://wald.intevation.org/frs/download.php/858/openvas-manager-2.0.2.tar.gz <urlopen error timed out>
0 packages and 1 specfiles checked; 0 errors, 2 warnings.


You used many tabs but on line 26 you used spaces.  Not a blocker in my opinion but we do need to be able to pull down the src.rpm
Comment 6 Michal Ambroz 2011-03-31 03:14:01 EDT
Hi Carl,
the src.rpm is really there - I have double-checked now. I am able to download.
I even see it the http://rebus.fedorapeople.org/SRPMS/ directory. Please can you check you do not have some problems with your proxy?
Space is just typo - I will fix it. 
Mik
Comment 7 Michal Ambroz 2011-03-31 03:24:12 EDT
Link http://wald.intevation.org/frs/download.php/858/openvas-manager-2.0.2.tar.gz
is the correct one as well and is working now. 
It is also officiall download link taken from http://www.openvas.org/.
Please check again.
Mik
Comment 8 Carl Thompson 2011-03-31 19:05:17 EDT
Michal,

When I get back to the house I'll try to review again.  I don't run a proxy and didn't have issues with anything else.  Could have been a link issue from my location to server or the server wasn't responsive at the time.

Carl
Comment 9 Michal Ambroz 2011-03-31 19:55:58 EDT
Thank you Carl.
For testing you might need openvas-cli client.
https://bugzilla.redhat.com/show_bug.cgi?id=692733
Mik
Comment 10 Carl Thompson 2011-04-01 02:19:44 EDT
Looks like all builds and runs without issues that I could find in rawhide.

It will not build in any other release.
Comment 11 Michal Ambroz 2011-04-01 15:31:54 EDT
Hello Carl.

>It will not build in any other release.
Chicken and egg problem - you know. OpenVAS 4 needs 5 more packages (openvas-manager, openvas-cli, openvas-administrator and openvas-gsa, openvas-gsd ) to get the full solution.

openvas-cli wont build in other releases as the other releases are now with OpenVAS 3.1 and not OpenVAS 4.0

Personally I am up to upgrading openvas from 3.1 to 4 for the other releases as well as it is fixing some serious bugs and brings some new features as well.

Best regards
Michal Ambroz
Comment 12 Michal Ambroz 2011-04-01 15:45:58 EDT
Oops - I missed you already set the review as completed - thank you Carl.
Comment 13 Michal Ambroz 2011-04-01 15:57:33 EDT
New Package SCM Request
=======================
Package Name: openvas-manager
Short Description: Manager module for the Open Vulnerability Assessment System (OpenVAS)
Owners: rebus sgros huzaifas xavierb
Branches: f13 f14 f15 el5 el6
InitialCC: rebus sgros huzaifas xavierb
Comment 14 Jason Tibbitts 2011-04-05 11:26:23 EDT
Git done (by process-git-requests).
Comment 15 Michal Ambroz 2011-04-05 20:28:09 EDT
Package imported to the devel branch. Build in the devel branch is without issues:
http://koji.fedoraproject.org/koji/taskinfo?taskID=2977156

Pending build of openvas-libraries for OpenVAS 4 in other branches:
Comment 16 Xavier Bachelot 2011-04-06 04:43:25 EDT
This is only nitpicking but the %clean section could be made simpler. you can remove all of "[ "%{buildroot}" = "/" ] || "
Comment 17 Michal Ambroz 2011-04-06 10:39:20 EDT
OK. I agree that in situation where most of the related packages (openvas-libraries, openvas-scanner) doesn't have such safety check it won't save anybody anyway - I will remove it.
Comment 18 Fedora Update System 2011-04-19 17:25:59 EDT
openvas-manager-2.0.3-1.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/openvas-manager-2.0.3-1.fc15
Comment 19 Fedora Update System 2011-04-19 17:26:10 EDT
openvas-manager-2.0.3-1.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/openvas-manager-2.0.3-1.fc14
Comment 20 Fedora Update System 2011-04-19 22:42:28 EDT
openvas-manager-2.0.3-1.fc15 has been pushed to the Fedora 15 testing repository.
Comment 21 Fedora Update System 2011-05-06 22:51:53 EDT
openvas-manager-2.0.3-1.fc14 has been pushed to the Fedora 14 stable repository.
Comment 22 Fedora Update System 2011-05-08 23:55:58 EDT
openvas-manager-2.0.3-1.fc15 has been pushed to the Fedora 15 stable repository.
Comment 23 Michal Ambroz 2014-09-23 13:59:20 EDT
Package Change Request
======================
Package Name: openvas-manager
New Branches: epel7
Owners: rebus

Hello SCM team,
plase can you add epel7 branch for the openvas-manager package?
Thank you
Michal Ambroz
Comment 24 Gwyn Ciesla 2014-09-23 15:18:08 EDT
Git done (by process-git-requests).

Note You need to log in before you can comment on or make changes to this bug.