Bug 711899 - Review Request: opendnssec - DNSSEC key and zone management software
Summary: Review Request: opendnssec - DNSSEC key and zone management software
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Gwyn Ciesla
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-06-08 22:21 UTC by Paul Wouters
Modified: 2012-07-08 13:19 UTC (History)

Fixed In Version: opendnssec-1.4.0-0.a1.fc16.2
Doc Type: Bug Fix
Last Closed: 2012-04-12 02:45:25 UTC
gwync: fedora-review+
gwync: fedora-cvs+



Description Paul Wouters 2011-06-08 22:21:17 UTC
Spec URL: ftp://ftp.xelerance.com/opendnssec/opendnssec.spec
SRPM URL: ftp://ftp.xelerance.com/opendnssec/opendnssec-1.3.0-0.1.rc2.fc14.src.rpm
Description: OpenDNSSEC was created as an open-source turn-key solution for DNSSEC. It secures zone data just before it is published in an authoritative name server. It requires a PKCS#11 crypto module library, such as softhsm.

Note this package requires rubygem-dnsruby, new package requested at:
https://bugzilla.redhat.com/show_bug.cgi?id=711893

rpmlint:
opendnssec.src: W: spelling-error %description -l en_US crypto -> crypt, crypts, crypt o
opendnssec.src: W: spelling-error %description -l en_US softhsm -> softhearted, softness, softwood
opendnssec.x86_64: W: spelling-error %description -l en_US crypto -> crypt, crypts, crypt o
opendnssec.x86_64: W: spelling-error %description -l en_US softhsm -> softhearted, softness, softwood
opendnssec.x86_64: W: only-non-binary-in-usr-lib
opendnssec.x86_64: E: non-readable /etc/opendnssec/conf.xml 0640L
opendnssec.x86_64: E: non-readable /etc/opendnssec/zonefetch.xml 0640L
opendnssec.x86_64: E: non-readable /etc/opendnssec/conf.xml.sample 0640L
opendnssec.x86_64: E: non-readable /etc/opendnssec/zonefetch.xml.sample 0640L
opendnssec.x86_64: W: no-manual-page-for-binary ods-kasp2html
3 packages and 0 specfiles checked; 4 errors, 6 warnings.

Config files should be readable only to root or a (new) dnssec user.
Sample files should go away
The ruby code in /usr/lib64/opendnssec/kasp_auditor should be moved to /usr/lib/
(will talk to upstream)

Comment 1 Gwyn Ciesla 2011-07-18 15:02:13 UTC
Caveat: this is done using the version of rubygem-dnsruby currently being reviewed.

- rpmlint checks return:

opendnssec.x86_64: W: spelling-error %description -l en_US crypto -> crypt, crypts, crypt o
The value of this tag appears to be misspelled. Please double-check.

opendnssec.x86_64: W: spelling-error %description -l en_US softhsm -> Smithson
The value of this tag appears to be misspelled. Please double-check.

Minor.

opendnssec.x86_64: W: only-non-binary-in-usr-lib
There are only non binary files in /usr/lib so they should be in /usr/share.

Fix or document why this absolutely has to be this way.  I see you're working on that.

opendnssec.x86_64: E: non-readable /etc/opendnssec/conf.xml 0640L
The file can't be read by everybody. If this is expected (for security
reasons), contact your rpmlint distributor to get it added to the list of
exceptions for your distro (or add it to your local configuration if you
installed rpmlint from the source tarball).

opendnssec.x86_64: E: non-readable /etc/opendnssec/zonefetch.xml 0640L
The file can't be read by everybody. If this is expected (for security
reasons), contact your rpmlint distributor to get it added to the list of
exceptions for your distro (or add it to your local configuration if you
installed rpmlint from the source tarball).

opendnssec.x86_64: E: non-readable /etc/opendnssec/conf.xml.sample 0640L
The file can't be read by everybody. If this is expected (for security
reasons), contact your rpmlint distributor to get it added to the list of
exceptions for your distro (or add it to your local configuration if you
installed rpmlint from the source tarball).

opendnssec.x86_64: E: non-readable /etc/opendnssec/zonefetch.xml.sample 0640L
The file can't be read by everybody. If this is expected (for security
reasons), contact your rpmlint distributor to get it added to the list of
exceptions for your distro (or add it to your local configuration if you
installed rpmlint from the source tarball).

Ok.

opendnssec.x86_64: W: no-manual-page-for-binary ods-kasp2html
Each executable in standard binary directories should have a man page.

Is one available?

2 packages and 0 specfiles checked; 4 errors, 4 warnings.


- package meets naming guidelines
- package meets packaging guidelines
- license ( ) OK, text in %doc, matches source
- spec file legible, in am. english

FIX I'll check these after you update to rc3:
(
- source matches upstream
- package compiles on devel (x86)
- no missing BR
- no unnecessary BR
)
- no locales
- not relocatable
- owns all directories that it creates
- no duplicate files
- permissions ok
- %clean ok
- macro use consistent
- code, not content
- no need for -docs
- nothing in %doc affects runtime
- no need for .desktop file 

Otherwise I think it's ok, so we just need rubygems-dnsruby, the lib/share issue, hopefully a man page, and I'll check the source/build bits once the new version is ready.

Comment 2 Paul Wouters 2011-10-06 03:41:20 UTC
Note rubygems-dnsruby passed review and should be available shortly. I've added softhsm as a dependency, as the majority of users will not have a hardware HSM. And for hardware HSM you need opencryptoki. So I opted to make both packages a dependency.

softhsm has not yet been reviewed: https://bugzilla.redhat.com/show_bug.cgi?id=711895

Spec URL: ftp://ftp.xelerance.com/opendnssec/opendnssec.spec
SRPM URL:
ftp://ftp.xelerance.com/opendnssec/opendnssec-1.3.2-1.fc14.src.rpm

Upgraded to 1.3.2

rpmlint output:

[paul@bofh fedora]$ rpmlint /home/paul/SRPMS/opendnssec-1.3.2-1.fc14.src.rpm /home/paul/RPMS/x86_64/opendnssec-1.3.2-1.fc14.x86_64.rpm /home/paul/RPMS/x86_64/opendnssec-debuginfo-1.3.2-1.fc14.x86_64.rpm
opendnssec.src: W: spelling-error %description -l en_US crypto -> crypt, crypts, crypt o
opendnssec.src: W: spelling-error %description -l en_US softhsm -> softhearted, softness, softwood
opendnssec.x86_64: W: spelling-error %description -l en_US crypto -> crypt, crypts, crypt o
opendnssec.x86_64: W: spelling-error %description -l en_US softhsm -> softhearted, softness, softwood
opendnssec.x86_64: W: only-non-binary-in-usr-lib
opendnssec.x86_64: E: non-readable /etc/opendnssec/zonelist.xml 0600L
opendnssec.x86_64: E: non-readable /etc/opendnssec/conf.xml 0600L
opendnssec.x86_64: E: non-readable /etc/opendnssec/zonefetch.xml 0600L
opendnssec.x86_64: E: non-readable /etc/opendnssec/kasp.xml 0600L
opendnssec.x86_64: W: no-manual-page-for-binary ods-kasp2html
3 packages and 0 specfiles checked; 4 errors, 6 warnings.

The only-non-binary-in-usr-lib is a little strange, as opendnssec installs ruby scripts there. They do not use a she-bang, so they are not executable. But I guess they are "binaries" in a sense.

The xml files are only readable by root because they can contain pins, passwords and private keys.

The usage of /usr/bin/ods-kasp2html is indeed weird. I'll double check with upstream if we should install it or not, as all my attempts at using it are failing:
[paul@bofh opendnssec-1.3.2]$ ods-kasp2html 
usage: /usr/bin/ods-kasp2html [kasp.xml]
[paul@bofh opendnssec-1.3.2]$ sudo ods-kasp2html /etc/opendnssec/kaps.xml
usage: /usr/bin/ods-kasp2html [kasp.xml]
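
The point made above, that conf.xml, kasp.xml, zonelist.xml and zonefetch.xml must not be world-readable because they can carry HSM PINs, passwords and key material, can be turned into a quick audit. The script below is an added example, not code from the review or from the OpenDNSSEC project; it builds two constructed sample trees standing in for /etc/opendnssec (one with the 0660 root:ods layout the package ended up with, one with rpmlint's "usual" 0644) and flags any file with the other-readable bit set.

```shell
#!/bin/sh
# Added example (not from the review thread or the opendnssec package).
# Audit an OpenDNSSEC config directory for XML files readable by "other".
# Group access is tolerated here because the package runs the daemons under
# a dedicated "ods" group and ships the files 0660; any o+r bit is a leak.

# Prints every *.xml under $1 that has the other-read bit (004) set;
# returns 1 if at least one was found, 0 if the tree is clean.
check_ods_confdir() {
    dir=$1
    # -perm -004: all of the bits in 004 are set, i.e. other-readable
    bad=$(find "$dir" -type f -name '*.xml' -perm -004 2>/dev/null)
    if [ -n "$bad" ]; then
        printf 'world-readable OpenDNSSEC config files:\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# Constructed sample trees; no real /etc/opendnssec is touched.
ODS_SAMPLE=$(mktemp -d)
trap 'rm -rf "$ODS_SAMPLE"' EXIT
ODS_GOOD="$ODS_SAMPLE/good"   # files shipped 0660, as the package does
ODS_BAD="$ODS_SAMPLE/bad"     # files left 0644, the mode rpmlint calls "usual"
mkdir -p "$ODS_GOOD" "$ODS_BAD"
for f in conf.xml kasp.xml zonelist.xml zonefetch.xml; do
    : > "$ODS_GOOD/$f"; chmod 0660 "$ODS_GOOD/$f"
    : > "$ODS_BAD/$f";  chmod 0644 "$ODS_BAD/$f"
done

if check_ods_confdir "$ODS_GOOD"; then
    echo "good tree: no world-readable config"
fi
if check_ods_confdir "$ODS_BAD"; then
    echo "bad tree: unexpectedly clean"
else
    echo "bad tree: PIN-bearing config would be exposed"
fi
```

Pointing check_ods_confdir at a real /etc/opendnssec gives the same pass/fail answer for an installed system.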

Comment 3 Paul Wouters 2011-10-07 17:14:27 UTC
Note to self: the signer daemon should get a startup/init script.

Comment 4 Gwyn Ciesla 2011-11-15 15:00:17 UTC
opendnssec.src: W: strange-permission conf.xml 0600L
A file that you listed to include in your package has strange permissions.
Usually, a file should have 0644 permissions.

Plus what you posted.

md5sums are fine.

Any work on the ods-kasp2html?


Rawhide mock build failed:

checking for ldns version... < 1.6.9 
configure: error: ldns library too old (1.6.9 or later required)

Comment 5 Paul Wouters 2011-11-16 21:49:06 UTC
[paul@bofh ldns]$ git push
Everything up-to-date
[paul@bofh ldns]$ fedpkg build
Could not initiate build: ldns-1.6.11-2.fc17 has already been built
[paul@bofh ldns]$ git branch
  el5
  el6
  f12
  f13
  f14
  f15
  f16
* master

I'm not sure why you only have ldns-1.6.9?

I'll put up a new srpm later today

Comment 6 Gwyn Ciesla 2011-11-18 15:21:18 UTC
Still happening using local mock fedora-rawhide-i386.  Bizarre.

Comment 7 Paul Wouters 2011-11-29 20:38:32 UTC
Updated to 1.3.2-6

Spec URL: ftp://ftp.xelerance.com/opendnssec/opendnssec.spec
SRPM URL:
ftp://ftp.xelerance.com/opendnssec/opendnssec-1.3.2-6.el6.src.rpm

* Thu Nov 24 2011 root - 1.3.2-6
- Added rubygem-dnsruby requires as rpm does not pick it up automatically

* Tue Nov 22 2011 root - 1.3.2-5
- Added /var/opendnssec/signconf/ as this temp dir is needed

* Mon Nov 21 2011 Paul Wouters <paul@xelerance.com> - 1.3.2-4
- Added /var/opendnssec/signed/ as this is the default output dir

* Sun Nov 20 2011 Paul Wouters <paul@xelerance.com> - 1.3.2-3
- Add ods user for opendnssec tasks
- Added initscripts and services for ods-signerd and ods-enforcerd
- Initialise OpenDNSSEC softhsm token on first install

[paul@bofh paul]$ rpmlint  /home/paul/SRPMS/opendnssec-1.3.2-6.fc14.src.rpm /home/paul/RPMS/x86_64/opendnssec-1.3.2-6.fc14.x86_64.rpm /home/paul/RPMS/x86_64/opendnssec-debuginfo-1.3.2-6.fc14.x86_64.rpm
opendnssec.src: W: spelling-error %description -l en_US crypto -> crypt, crypts, crypt o
opendnssec.src: W: spelling-error %description -l en_US softhsm -> softhearted, softness, softwood
opendnssec.x86_64: W: spelling-error %description -l en_US crypto -> crypt, crypts, crypt o
opendnssec.x86_64: W: only-non-binary-in-usr-lib
opendnssec.x86_64: W: non-standard-gid /var/opendnssec/tmp ods
opendnssec.x86_64: E: non-standard-dir-perm /var/opendnssec/tmp 0770L
opendnssec.x86_64: W: non-standard-gid /etc/opendnssec/zonelist.xml ods
opendnssec.x86_64: E: non-readable /etc/opendnssec/zonelist.xml 0660L
opendnssec.x86_64: W: non-standard-gid /etc/opendnssec ods
opendnssec.x86_64: E: non-standard-dir-perm /etc/opendnssec 0750L
opendnssec.x86_64: E: script-without-shebang /usr/lib64/opendnssec/kasp_checker.rb
opendnssec.x86_64: E: script-without-shebang /usr/lib64/opendnssec/kasp_auditor/auditor.rb
opendnssec.x86_64: E: script-without-shebang /usr/lib64/opendnssec/kasp_auditor/preparser.rb
opendnssec.x86_64: E: script-without-shebang /usr/lib64/opendnssec/kasp_auditor/commands.rb
opendnssec.x86_64: E: script-without-shebang /usr/lib64/opendnssec/kasp_auditor/partial_auditor.rb
opendnssec.x86_64: W: non-standard-gid /var/opendnssec/signed ods
opendnssec.x86_64: E: non-standard-dir-perm /var/opendnssec/signed 0770L
opendnssec.x86_64: E: script-without-shebang /usr/lib64/opendnssec/kasp_auditor.rb
opendnssec.x86_64: E: script-without-shebang /usr/lib64/opendnssec/kasp_auditor/config.rb
opendnssec.x86_64: W: non-standard-gid /var/opendnssec/signconf ods
opendnssec.x86_64: E: non-standard-dir-perm /var/opendnssec/signconf 0770L
opendnssec.x86_64: E: script-without-shebang /usr/lib64/opendnssec/time_shift.rb
opendnssec.x86_64: W: non-standard-gid /etc/opendnssec/conf.xml ods
opendnssec.x86_64: E: non-readable /etc/opendnssec/conf.xml 0660L
opendnssec.x86_64: W: non-standard-gid /etc/opendnssec/zonefetch.xml ods
opendnssec.x86_64: E: non-readable /etc/opendnssec/zonefetch.xml 0660L
opendnssec.x86_64: E: script-without-shebang /usr/lib64/opendnssec/kasp_auditor/changed_config.rb
opendnssec.x86_64: W: non-standard-gid /var/opendnssec ods
opendnssec.x86_64: E: non-standard-dir-perm /var/opendnssec 0770L
opendnssec.x86_64: E: script-without-shebang /usr/lib64/opendnssec/kasp_auditor/parse.rb
opendnssec.x86_64: W: non-standard-gid /etc/opendnssec/kasp.xml ods
opendnssec.x86_64: E: non-readable /etc/opendnssec/kasp.xml 0660L
opendnssec.x86_64: W: non-standard-gid /var/run/opendnssec ods
opendnssec.x86_64: E: non-standard-dir-perm /var/run/opendnssec 0770L
opendnssec.x86_64: E: script-without-shebang /usr/lib64/opendnssec/kasp_auditor/key_tracker.rb
opendnssec.x86_64: W: no-manual-page-for-binary ods-kasp2html
opendnssec.x86_64: W: non-standard-dir-in-var opendnssec
opendnssec.x86_64: W: no-reload-entry /etc/rc.d/init.d/ods-enforcerd
opendnssec.x86_64: W: no-reload-entry /etc/rc.d/init.d/ods-signerd
3 packages and 0 specfiles checked; 21 errors, 18 warnings.

Comment 8 Gwyn Ciesla 2011-11-29 21:16:06 UTC
Still happening using local mock fedora-rawhide-i386.  Also, you need to ship systemd unit files rather than sysv initscripts.

Comment 9 Gwyn Ciesla 2011-12-21 15:36:38 UTC
Any updates?

Comment 10 Gwyn Ciesla 2012-01-26 18:50:25 UTC
Ping?

Comment 11 Paul Wouters 2012-02-24 20:36:43 UTC
Here is an updated package, please test (as I have not given it any testing myself yet)

ftp://ftp.nohats.ca/dns/opendnssec/opendnssec.spec
ftp://ftp.nohats.ca/dns/opendnssec/opendnssec-1.3.6-3.fc17.src.rpm

* Fri Feb 24 2012 Paul Wouters <pwouters@redhat.com> - 1.3.6-3
- Requires rubygem-soap4r when using ruby-1.9
- Don't ghost /var/run/opendnssec
- Converted initd to systemd



Note that opendnssec is not supported yet with ruby 1.9, but I think this might be solved now with depending on rubygem-soap4r

I'm packaging that up, but I'm having some issues with it; for testing now just "gem install soap4r", or help me by fixing:

ftp://ftp.nohats.ca/dns/opendnssec/rybygem-soap4r.spec
ftp://ftp.nohats.ca/dns/opendnssec/rubygem-soap4r-1.5.8-1.fc17.src.rpm

I'm still looking at the softhsm interaction, and might decide to make softhsm use user/group ods so its directories are owned by ods and the signer has no permission problems.

Comment 12 Gwyn Ciesla 2012-02-27 14:51:37 UTC
Is there a review BZ for rubygem-soap4r yet?

Comment 13 Paul Wouters 2012-02-27 18:20:30 UTC
There is no review yet as the rubygem-soap4r spec file is not working properly yet, so I have not submitted it for review.

Comment 14 Gwyn Ciesla 2012-02-28 15:41:41 UTC
Ok, when there is, link to it here and I'll take it, so we can get it in and proceed with this.

Comment 15 Paul Wouters 2012-03-25 17:03:49 UTC
The new 1.4.x branch no longer ships with the Auditor, so it no longer requires any ruby code.

ftp://ftp.nohats.ca/dns/opendnssec/opendnssec.spec
ftp://ftp.nohats.ca/dns/opendnssec/opendnssec-1.4.0-0.a1.fc16.src.rpm

* Sun Mar 25 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a1
- The 1.4.x branch no longer needs ruby, as the auditor has been removed
- Added missing openssl-devel BuildRequire
- Comment out <SkipPublicKey/> so keys generated by ods can be used by bind

Comment 16 Gwyn Ciesla 2012-03-26 13:40:07 UTC
rpmlint:

opendnssec.spec:7: W: macro-in-comment %{name}
There is a unescaped macro after a shell style comment in the specfile. Macros
are expanded everywhere, so check if it can cause a problem in this case and
escape the macro with another leading % if appropriate.

opendnssec.spec:7: W: macro-in-comment %{version}
There is a unescaped macro after a shell style comment in the specfile. Macros
are expanded everywhere, so check if it can cause a problem in this case and
escape the macro with another leading % if appropriate.

Fix before import.

Lots of non-standard uid/gid errors, expected with custom user.

You're missing an -m on line 49 for install, which results in a spurious 0755 dir in the buildroot, and no unitdir, though unitdir is in the final RPM.

One other issue, the sources refer to a LICENSE file that's not there.

So it's just the install, the commented macros, and the LICENSE file.  Mock build is good. :)

Comment 17 Paul Wouters 2012-03-26 17:04:03 UTC
The macros are because of this weird numbered pre-release version. I added spaces to protect the commented line from macro expansion.

I added the -m on line 49.

I looked all over the source and website to find any reference to a license, and it's not there. I told them this over a year ago as well, but I'll ping them again. The only thing we have to go on is the BSD license headers in the source files. So I am not sure what I can do until they fix this upstream.


ftp://ftp.nohats.ca/dns/opendnssec/opendnssec.spec
ftp://ftp.nohats.ca/dns/opendnssec/opendnssec-1.4.0-0.a1.fc16.1.src.rpm

Comment 18 Paul Wouters 2012-03-26 17:16:20 UTC
Jon Ciesla: if you took over the review, can you set the review flag to + for me, so I can request the SCM?

Comment 19 Gwyn Ciesla 2012-03-26 17:38:16 UTC
Ok, that's fine, fix it if required by later revelations.  Thanks!

APPROVED.

Comment 20 Paul Wouters 2012-03-26 17:58:18 UTC

ftp://ftp.nohats.ca/dns/opendnssec/opendnssec.spec
ftp://ftp.nohats.ca/dns/opendnssec/opendnssec-1.4.0-0.a1.fc16.2.src.rpm

Jakob from opendnssec gave me a license file. I've added it to the spec file as SOURCE6 and install it via %doc.

Comment 21 Paul Wouters 2012-03-26 17:59:34 UTC
New Package SCM Request
=======================
Package Name: opendnssec
Short Description: DNSSEC key and zone management software
Owners: pwouters
Branches: f16 f17 el5 el6
InitialCC:

Comment 22 Gwyn Ciesla 2012-03-26 18:02:50 UTC
Git done (by process-git-requests).


Excellent!

Comment 23 Lars Delhage 2012-03-26 19:51:18 UTC
As it stands now it doesn't build on el6 because of the systemd files and macros. Would you be interested in pushing it to EPEL too? I could lend a hand but I'm not in the packagers group (yet).

Comment 24 Paul Wouters 2012-03-26 20:17:23 UTC
Lars: Sure, that would be great!

Comment 25 Fedora Update System 2012-03-29 20:13:16 UTC
opendnssec-1.4.0-0.a1.el6.2 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/opendnssec-1.4.0-0.a1.el6.2

Comment 26 Jerry Lundström 2012-03-30 07:43:17 UTC
Hi,

Please note that 1.4.0a1 is an ALPHA release and should NOT be used in production environment!

If Auditor/Ruby is a problem for the OpenDNSSEC 1.3.x release in EPEL please consider disabling it with --disable-auditor .

/Jerry
OpenDNSSEC Developer

Comment 27 Fedora Update System 2012-03-30 18:06:00 UTC
opendnssec-1.4.0-0.a1.el6.2 has been pushed to the Fedora EPEL 6 testing repository.

Comment 28 Paul Wouters 2012-04-04 13:20:33 UTC
The el5 branch is aborted due to too old versions of sqlite (not just for opendnssec but also for softhsm).

Comment 29 Fedora Update System 2012-04-04 14:45:40 UTC
opendnssec-1.4.0-0.a1.fc17.2 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/opendnssec-1.4.0-0.a1.fc17.2

Comment 30 Fedora Update System 2012-04-04 14:46:18 UTC
opendnssec-1.4.0-0.a1.fc16.2 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/opendnssec-1.4.0-0.a1.fc16.2

Comment 31 Fedora Update System 2012-04-12 02:45:25 UTC
opendnssec-1.4.0-0.a1.fc17.2 has been pushed to the Fedora 17 stable repository.

Comment 32 Fedora Update System 2012-04-16 17:56:29 UTC
opendnssec-1.4.0-0.a1.el6.2 has been pushed to the Fedora EPEL 6 stable repository.

Comment 33 Fedora Update System 2012-04-18 19:32:54 UTC
opendnssec-1.4.0-0.a1.fc16.2 has been pushed to the Fedora 16 stable repository.

Comment 34 Jerry Lundström 2012-07-08 13:19:42 UTC
Hello,

Why has this been pushed to stable?!

1.4.0a1 IS AN ALPHA RELEASE !!!!

Seriously, pull this back ASAP! You are breaking installations!

/Jerry
OpenDNSSEC Developer

