Spec URL: ftp://ftp.xelerance.com/opendnssec/opendnssec.spec
SRPM URL: ftp://ftp.xelerance.com/opendnssec/opendnssec-1.3.0-0.1.rc2.fc14.src.rpm
Description: OpenDNSSEC was created as an open-source turn-key solution for DNSSEC. It secures zone data just before it is published in an authoritative name server. It requires a PKCS#11 crypto module library, such as softhsm

Note this package requires rubygem-dnsruby, new package requested at: https://bugzilla.redhat.com/show_bug.cgi?id=711893

rpmlint:
opendnssec.src: W: spelling-error %description -l en_US crypto -> crypt, crypts, crypt o
opendnssec.src: W: spelling-error %description -l en_US softhsm -> softhearted, softness, softwood
opendnssec.x86_64: W: spelling-error %description -l en_US crypto -> crypt, crypts, crypt o
opendnssec.x86_64: W: spelling-error %description -l en_US softhsm -> softhearted, softness, softwood
opendnssec.x86_64: W: only-non-binary-in-usr-lib
opendnssec.x86_64: E: non-readable /etc/opendnssec/conf.xml 0640L
opendnssec.x86_64: E: non-readable /etc/opendnssec/zonefetch.xml 0640L
opendnssec.x86_64: E: non-readable /etc/opendnssec/conf.xml.sample 0640L
opendnssec.x86_64: E: non-readable /etc/opendnssec/zonefetch.xml.sample 0640L
opendnssec.x86_64: W: no-manual-page-for-binary ods-kasp2html
3 packages and 0 specfiles checked; 4 errors, 6 warnings.

Config files should be readable only to root or a (new) dnssec user.
Sample files should go away
The ruby code in /usr/lib64/opendnssec/kasp_auditor should be moved to /usr/lib/ (will talk to upstream)
Caveat: this is done using the version of rubygem-dnsruby currently being reviewed.

- rpmlint checks return:
opendnssec.x86_64: W: spelling-error %description -l en_US crypto -> crypt, crypts, crypt o
The value of this tag appears to be misspelled. Please double-check.
opendnssec.x86_64: W: spelling-error %description -l en_US softhsm -> Smithson
The value of this tag appears to be misspelled. Please double-check.
Minor.
opendnssec.x86_64: W: only-non-binary-in-usr-lib
There are only non binary files in /usr/lib so they should be in /usr/share.
Fix or document why this absolutely has to be this way. I see you're working on that.
opendnssec.x86_64: E: non-readable /etc/opendnssec/conf.xml 0640L
The file can't be read by everybody. If this is expected (for security reasons), contact your rpmlint distributor to get it added to the list of exceptions for your distro (or add it to your local configuration if you installed rpmlint from the source tarball).
opendnssec.x86_64: E: non-readable /etc/opendnssec/zonefetch.xml 0640L
The file can't be read by everybody. If this is expected (for security reasons), contact your rpmlint distributor to get it added to the list of exceptions for your distro (or add it to your local configuration if you installed rpmlint from the source tarball).
opendnssec.x86_64: E: non-readable /etc/opendnssec/conf.xml.sample 0640L
The file can't be read by everybody. If this is expected (for security reasons), contact your rpmlint distributor to get it added to the list of exceptions for your distro (or add it to your local configuration if you installed rpmlint from the source tarball).
opendnssec.x86_64: E: non-readable /etc/opendnssec/zonefetch.xml.sample 0640L
The file can't be read by everybody. If this is expected (for security reasons), contact your rpmlint distributor to get it added to the list of exceptions for your distro (or add it to your local configuration if you installed rpmlint from the source tarball).
Ok.
opendnssec.x86_64: W: no-manual-page-for-binary ods-kasp2html
Each executable in standard binary directories should have a man page.
Is one available?
2 packages and 0 specfiles checked; 4 errors, 4 warnings.

- package meets naming guidelines
- package meets packaging guidelines
- license ( ) OK, text in %doc, matches source
- spec file legible, in am. english
FIX I'll check these after you update to rc3: (
- source matches upstream
- package compiles on devel (x86)
- no missing BR
- no unnecessary BR
)
- no locales
- not relocatable
- owns all directories that it creates
- no duplicate files
- permissions ok
- %clean ok
- macro use consistent
- code, not content
- no need for -docs
- nothing in %doc affects runtime
- no need for .desktop file

Otherwise I think it's ok, so we just need rubygems-dnsruby, the lib/share issue, hopefully a man page, and I'll check the source/build bits once the new version is ready.
Note rubygems-dnsruby passed review and should be available shortly.
I've added softhsm as a dependency, as the majority of users will not have a hardware HSM. And for hardware HSM you need opencryptoki. So I opted to make both packages a dependency.
softhsm has not yet been reviewed: https://bugzilla.redhat.com/show_bug.cgi?id=711895

Spec URL: ftp://ftp.xelerance.com/opendnssec/opendnssec.spec
SRPM URL: ftp://ftp.xelerance.com/opendnssec/opendnssec-1.3.2-1.fc14.src.rpm
Upgraded to 1.3.2

rpmlint output:
[paul@bofh fedora]$ rpmlint /home/paul/SRPMS/opendnssec-1.3.2-1.fc14.src.rpm /home/paul/RPMS/x86_64/opendnssec-1.3.2-1.fc14.x86_64.rpm /home/paul/RPMS/x86_64/opendnssec-debuginfo-1.3.2-1.fc14.x86_64.rpm
opendnssec.src: W: spelling-error %description -l en_US crypto -> crypt, crypts, crypt o
opendnssec.src: W: spelling-error %description -l en_US softhsm -> softhearted, softness, softwood
opendnssec.x86_64: W: spelling-error %description -l en_US crypto -> crypt, crypts, crypt o
opendnssec.x86_64: W: spelling-error %description -l en_US softhsm -> softhearted, softness, softwood
opendnssec.x86_64: W: only-non-binary-in-usr-lib
opendnssec.x86_64: E: non-readable /etc/opendnssec/zonelist.xml 0600L
opendnssec.x86_64: E: non-readable /etc/opendnssec/conf.xml 0600L
opendnssec.x86_64: E: non-readable /etc/opendnssec/zonefetch.xml 0600L
opendnssec.x86_64: E: non-readable /etc/opendnssec/kasp.xml 0600L
opendnssec.x86_64: W: no-manual-page-for-binary ods-kasp2html
3 packages and 0 specfiles checked; 4 errors, 6 warnings.

The only-non-binary-in-usr-lib is a little strange, as opendnssec installs ruby scripts there. They do not use a she-bang, so they are not executable. But I guess they are "binaries" in a sense.
The xml files are only readable by root because they can contain pins, passwords and private keys.
The usage of /usr/bin/ods-kasp2html is indeed weird. I'll double check with upstream if we should install it or not, as all my attempts at using it are failing:
[paul@bofh opendnssec-1.3.2]$ ods-kasp2html
usage: /usr/bin/ods-kasp2html [kasp.xml]
[paul@bofh opendnssec-1.3.2]$ sudo ods-kasp2html /etc/opendnssec/kaps.xml
usage: /usr/bin/ods-kasp2html [kasp.xml]
Note to self: the signer daemon should get a startup/init script.
opendnssec.src: W: strange-permission conf.xml 0600L
A file that you listed to include in your package has strange permissions. Usually, a file should have 0644 permissions.
Plus what you posted. md5sums are fine. Any work on the ods-kasp2html?
Rawhide mock build failed:
checking for ldns version... < 1.6.9
configure: error: ldns library too old (1.6.9 or later required)
[paul@bofh ldns]$ git push
Everything up-to-date
[paul@bofh ldns]$ fedpkg build
Could not initiate build: ldns-1.6.11-2.fc17 has already been built
[paul@bofh ldns]$ git branch
  el5
  el6
  f12
  f13
  f14
  f15
  f16
* master
I'm not sure why you only have ldns-1.6.9? I'll put up a new srpm later today
Still happening using local mock fedora-rawhide-i386. Bizarre.
Updated to 1.3.2-6
Spec URL: ftp://ftp.xelerance.com/opendnssec/opendnssec.spec
SRPM URL: ftp://ftp.xelerance.com/opendnssec/opendnssec-1.3.2-6.el6.src.rpm

* Thu Nov 24 2011 root - 1.3.2-6
- Added rubygem-dnsruby requires as rpm does not pick it up automatically
* Tue Nov 22 2011 root - 1.3.2-5
- Added /var/opendnssec/signconf/ /as this temp dir is needed
* Mon Nov 21 2011 Paul Wouters <paul> - 1.3.2-4
- Added /var/opendnssec/signed/ as this is the default output dir
* Sun Nov 20 2011 Paul Wouters <paul> - 1.3.2-3
- Add ods user for opendnssec tasks
- Added initscripts and services for ods-signerd and ods-enforcerd
- Initialise OpenDNSSEC softhsm token on first install

[paul@bofh paul]$ rpmlint /home/paul/SRPMS/opendnssec-1.3.2-6.fc14.src.rpm /home/paul/RPMS/x86_64/opendnssec-1.3.2-6.fc14.x86_64.rpm /home/paul/RPMS/x86_64/opendnssec-debuginfo-1.3.2-6.fc14.x86_64.rpm
opendnssec.src: W: spelling-error %description -l en_US crypto -> crypt, crypts, crypt o
opendnssec.src: W: spelling-error %description -l en_US softhsm -> softhearted, softness, softwood
opendnssec.x86_64: W: spelling-error %description -l en_US crypto -> crypt, crypts, crypt o
opendnssec.x86_64: W: only-non-binary-in-usr-lib
opendnssec.x86_64: W: non-standard-gid /var/opendnssec/tmp ods
opendnssec.x86_64: E: non-standard-dir-perm /var/opendnssec/tmp 0770L
opendnssec.x86_64: W: non-standard-gid /etc/opendnssec/zonelist.xml ods
opendnssec.x86_64: E: non-readable /etc/opendnssec/zonelist.xml 0660L
opendnssec.x86_64: W: non-standard-gid /etc/opendnssec ods
opendnssec.x86_64: E: non-standard-dir-perm /etc/opendnssec 0750L
opendnssec.x86_64: E: script-without-shebang /usr/lib64/opendnssec/kasp_checker.rb
opendnssec.x86_64: E: script-without-shebang /usr/lib64/opendnssec/kasp_auditor/auditor.rb
opendnssec.x86_64: E: script-without-shebang /usr/lib64/opendnssec/kasp_auditor/preparser.rb
opendnssec.x86_64: E: script-without-shebang /usr/lib64/opendnssec/kasp_auditor/commands.rb
opendnssec.x86_64: E: script-without-shebang /usr/lib64/opendnssec/kasp_auditor/partial_auditor.rb
opendnssec.x86_64: W: non-standard-gid /var/opendnssec/signed ods
opendnssec.x86_64: E: non-standard-dir-perm /var/opendnssec/signed 0770L
opendnssec.x86_64: E: script-without-shebang /usr/lib64/opendnssec/kasp_auditor.rb
opendnssec.x86_64: E: script-without-shebang /usr/lib64/opendnssec/kasp_auditor/config.rb
opendnssec.x86_64: W: non-standard-gid /var/opendnssec/signconf ods
opendnssec.x86_64: E: non-standard-dir-perm /var/opendnssec/signconf 0770L
opendnssec.x86_64: E: script-without-shebang /usr/lib64/opendnssec/time_shift.rb
opendnssec.x86_64: W: non-standard-gid /etc/opendnssec/conf.xml ods
opendnssec.x86_64: E: non-readable /etc/opendnssec/conf.xml 0660L
opendnssec.x86_64: W: non-standard-gid /etc/opendnssec/zonefetch.xml ods
opendnssec.x86_64: E: non-readable /etc/opendnssec/zonefetch.xml 0660L
opendnssec.x86_64: E: script-without-shebang /usr/lib64/opendnssec/kasp_auditor/changed_config.rb
opendnssec.x86_64: W: non-standard-gid /var/opendnssec ods
opendnssec.x86_64: E: non-standard-dir-perm /var/opendnssec 0770L
opendnssec.x86_64: E: script-without-shebang /usr/lib64/opendnssec/kasp_auditor/parse.rb
opendnssec.x86_64: W: non-standard-gid /etc/opendnssec/kasp.xml ods
opendnssec.x86_64: E: non-readable /etc/opendnssec/kasp.xml 0660L
opendnssec.x86_64: W: non-standard-gid /var/run/opendnssec ods
opendnssec.x86_64: E: non-standard-dir-perm /var/run/opendnssec 0770L
opendnssec.x86_64: E: script-without-shebang /usr/lib64/opendnssec/kasp_auditor/key_tracker.rb
opendnssec.x86_64: W: no-manual-page-for-binary ods-kasp2html
opendnssec.x86_64: W: non-standard-dir-in-var opendnssec
opendnssec.x86_64: W: no-reload-entry /etc/rc.d/init.d/ods-enforcerd
opendnssec.x86_64: W: no-reload-entry /etc/rc.d/init.d/ods-signerd
3 packages and 0 specfiles checked; 21 errors, 18 warnings.
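Added example, not part of the review thread or the package: a Python sketch that triages rpmlint permission findings in the format quoted above, in light of the earlier remark that the xml files can contain pins, passwords and private keys. The verdict names, the `service_group` parameter and the sample lines are assumptions made for illustration.

```python
import re

# rpmlint checks whose detail has the form "<path> <octal mode>L".
MODE_CHECKS = {"non-readable", "non-standard-dir-perm", "strange-permission"}
LINE = re.compile(r"^\S+: [EW]: (?P<check>\S+) (?P<detail>.+)$")

# Constructed sample in rpmlint's output format; the modes and the "named"
# group are varied to exercise each verdict and do not come from a real build.
SAMPLE = """\
opendnssec.x86_64: W: non-standard-gid /etc/opendnssec/conf.xml ods
opendnssec.x86_64: E: non-readable /etc/opendnssec/conf.xml 0660L
opendnssec.x86_64: E: non-readable /etc/opendnssec/kasp.xml 0600L
opendnssec.x86_64: W: non-standard-gid /var/opendnssec/tmp named
opendnssec.x86_64: E: non-standard-dir-perm /var/opendnssec/tmp 0770L
opendnssec.x86_64: E: non-standard-dir-perm /var/opendnssec/signed 0777L
opendnssec.x86_64: W: no-manual-page-for-binary ods-kasp2html
"""

def parse(text):
    """Collect the reported mode and non-standard group for each path."""
    files = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        parts = m["detail"].split() if m else []
        if len(parts) != 2:
            continue  # spelling-error, no-manual-page-for-binary, ...
        path, value = parts
        entry = files.setdefault(path, {"mode": None, "group": None})
        if m["check"] in MODE_CHECKS and re.fullmatch(r"[0-7]{3,4}L", value):
            entry["mode"] = int(value[:-1], 8)
        elif m["check"] == "non-standard-gid":
            entry["group"] = value
    return files

def triage(text, service_group="ods"):
    """Return {path: verdict} for every path with a reported mode."""
    verdicts = {}
    for path, e in parse(text).items():
        mode = e["mode"]
        if mode is None:
            continue
        if mode & 0o007:
            verdicts[path] = "world-accessible"
        elif mode & 0o070 and e["group"] not in (None, service_group):
            verdicts[path] = "unexpected-group"
        else:
            verdicts[path] = "group-writable" if mode & 0o020 else "restricted"
    return verdicts

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A missing non-standard-gid line is treated as a standard group, since rpmlint only reports groups it does not recognise.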
Still happening using local mock fedora-rawhide-i386. Also, you need to ship systemd unit files rather than sysv initscripts.
Any updates?
Ping?
Here is an updated package, please test (as I have not given it any testing myself yet)
ftp://ftp.nohats.ca/dns/opendnssec/opendnssec.spec
ftp://ftp.nohats.ca/dns/opendnssec/opendnssec-1.3.6-3.fc17.src.rpm

* Fri Feb 24 2012 Paul Wouters <pwouters> - 1.3.6-3
- Requires rubygem-soap4r when using ruby-1.9
- Don't ghost /var/run/opendnssec
- Converted initd to systemd

Note that opendnssec is not supported yet with ruby 1.9, but I think this might be solved now with depending on rubygem-soap4r
I'm packaging that up, but having some issues with, for testing now just "gem install soap4r", or help me by fixing:
ftp://ftp.nohats.ca/dns/opendnssec/rybygem-soap4r.spec
ftp://ftp.nohats.ca/dns/opendnssec/rubygem-soap4r-1.5.8-1.fc17.src.rpm

I'm still looking at the softhsm interaction, and might decide to make softhsm use user/group ods so its directories are owned by ods and the signer has no permission problems.
Is there a review BZ for rubygem-soap4r yet?
There is no review yet as the rubygem-soap4r spec file is not working properly yet, so I have not submitted it for review.
Ok, when there is, link to it here and I'll take it, so we can get it in and proceed with this.
The new 1.4.x branch no longer ships with the Auditor, so it no longer requires any ruby code.
ftp://ftp.nohats.ca/dns/opendnssec/opendnssec.spec
ftp://ftp.nohats.ca/dns/opendnssec/opendnssec-1.4.0-0.a1.fc16.src.rpm

* Sun Mar 25 2012 Paul Wouters <pwouters> - 1.4.0-0.a1
- The 1.4.x branch no longer needs ruby, as the auditor has been removed
- Added missing openssl-devel BuildRequire
- Comment out <SkipPublicKey/> so keys generated by ods can be used by bind
rpmlint:
opendnssec.spec:7: W: macro-in-comment %{name}
There is a unescaped macro after a shell style comment in the specfile. Macros are expanded everywhere, so check if it can cause a problem in this case and escape the macro with another leading % if appropriate.
opendnssec.spec:7: W: macro-in-comment %{version}
There is a unescaped macro after a shell style comment in the specfile. Macros are expanded everywhere, so check if it can cause a problem in this case and escape the macro with another leading % if appropriate.
Fix before import.

Lots of non-standard uid/gid errors, expected with custom user.
You're missing an -m on line 49 for install, which results in a spurious 0755 dir in the buildroot, and no unitdir, though unitdir is in the final RPM.
One other issue, the sources refer to a LICENSE file that's not there.
So it's just the install, the commented macros, and the LICENSE file. Mock build is good. :)
The macros are because of this weird numbered pre-release version. I added spaces to protect the commented line from macro expansion.
I added the -m on line 49.
I looked all over the source and website to find any reference to a license, and it's not there. I told them this over a year ago as well, but I'll ping them again. The only thing we have to go on is the BSD license headers in the source files. So I am not sure what I can do until they fix this upstream.
ftp://ftp.nohats.ca/dns/opendnssec/opendnssec.spec
ftp://ftp.nohats.ca/dns/opendnssec/opendnssec-1.4.0-0.a1.fc16.1.src.rpm
Jon Ciesla: if you took over the review, can you set the review flag to + for me, so I can request the SCM?
Ok, that's fine, fix it if required by later revelations. Thanks! APPROVED.
ftp://ftp.nohats.ca/dns/opendnssec/opendnssec.spec
ftp://ftp.nohats.ca/dns/opendnssec/opendnssec-1.4.0-0.a1.fc16.2.src.rpm
Jakob from opendnssec gave me a license file. I've added it to the spec file as SOURCE6 and install it via %doc.
New Package SCM Request
=======================
Package Name: opendnssec
Short Description: DNSSEC key and zone management software
Owners: pwouters
Branches: f16 f17 el5 el6
InitialCC:
Git done (by process-git-requests). Excellent!
As it stands now it doesn't build on el6 because of the systemd files and macros. Would you be interested in pushing it to EPEL too? I could lend a hand but I'm not in the packagers group (yet).
Lars: Sure, that would be great!
opendnssec-1.4.0-0.a1.el6.2 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/opendnssec-1.4.0-0.a1.el6.2
Hi,
Please note that 1.4.0a1 is an ALPHA release and should NOT be used in production environment!
If Auditor/Ruby is a problem for the OpenDNSSEC 1.3.x release in EPEL please consider disabling it with --disable-auditor .
/Jerry
OpenDNSSEC Developer
opendnssec-1.4.0-0.a1.el6.2 has been pushed to the Fedora EPEL 6 testing repository.
el5 branch is aborted due to too old versions of sqlite (not just for opendnssec but also for softhsm)
opendnssec-1.4.0-0.a1.fc17.2 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/opendnssec-1.4.0-0.a1.fc17.2
opendnssec-1.4.0-0.a1.fc16.2 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/opendnssec-1.4.0-0.a1.fc16.2
opendnssec-1.4.0-0.a1.fc17.2 has been pushed to the Fedora 17 stable repository.
opendnssec-1.4.0-0.a1.el6.2 has been pushed to the Fedora EPEL 6 stable repository.
opendnssec-1.4.0-0.a1.fc16.2 has been pushed to the Fedora 16 stable repository.
Hello,
Why has this been pushed to stable ?! 1.4.0a1 IS AN ALPHA RELEASE !!!!
Serious, pull this back ASAP! You are breaking installations!
/Jerry
OpenDNSSEC Developer