Bug 752223 - Review Request: racoon2 - an implementation of key management system for IPsec
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All Linux
Priority: unspecified
Severity: medium
Assigned To: Matěj Cepl
QA Contact: Fedora Extras Quality Assurance
Duplicates: 752222
Reported: 2011-11-08 16:10 EST by Pavel Šimerda (pavlix)
Modified: 2013-10-19 10:42 EDT (History)
Doc Type: Bug Fix
Last Closed: 2013-09-11 17:27:54 EDT
mcepl: fedora‑review+
limburgher: fedora‑cvs+


Attachments
- build log from the koji scratch build (25.15 KB, text/plain), 2011-11-08 16:48 EST, Matěj Cepl
- root.log (41.92 KB, text/plain), 2011-11-08 16:50 EST, Matěj Cepl
- mock_output.log (1.14 KB, text/plain), 2011-11-08 16:50 EST, Matěj Cepl
- state.log (408 bytes, text/plain), 2011-11-08 16:51 EST, Matěj Cepl
- Specfile with openssl dependency added (2.52 KB, text/x-rpm-spec), 2011-11-08 17:07 EST, Pavel Šimerda (pavlix)
- SRPM with byacc dependency (62 bytes, text/plain), 2011-11-08 17:19 EST, Pavel Šimerda (pavlix)
- specfile with byacc dependency (42 bytes, text/plain), 2011-11-08 17:20 EST, Pavel Šimerda (pavlix)
- SRPM with flex (62 bytes, text/plain), 2011-11-08 17:25 EST, Pavel Šimerda (pavlix)
- specfile with flex (42 bytes, text/plain), 2011-11-08 17:26 EST, Pavel Šimerda (pavlix)
- SRPM with lib/lib64 fixed (62 bytes, text/plain), 2011-11-08 17:38 EST, Pavel Šimerda (pavlix)
- specfile with lib/lib64 fixed (42 bytes, text/plain), 2011-11-08 17:39 EST, Pavel Šimerda (pavlix)
- SRPM v6 (fixed $ -> %) (62 bytes, text/plain), 2011-11-08 17:44 EST, Pavel Šimerda (pavlix)
- specfile (42 bytes, text/plain), 2011-11-08 17:45 EST, Pavel Šimerda (pavlix)
- SRPM with cosmetical changes (62 bytes, text/plain), 2011-11-09 10:15 EST, Pavel Šimerda (pavlix)
- new specfile (42 bytes, text/plain), 2011-11-09 10:17 EST, Pavel Šimerda (pavlix)
- SRPM with shorter rpmlint output (62 bytes, text/plain), 2011-11-09 16:46 EST, Pavel Šimerda (pavlix)
- SRPM release 12 (1002.34 KB, application/x-rpm), 2012-01-21 07:35 EST, Pavel Šimerda (pavlix)
- New SRPM (1002.54 KB, application/x-rpm), 2012-01-26 03:14 EST, Pavel Šimerda (pavlix)
- Updated SPEC (5.46 KB, text/x-rpm-spec), 2012-01-26 03:22 EST, Pavel Šimerda (pavlix)

Description Pavel Šimerda (pavlix) 2011-11-08 16:10:07 EST
Spec URL: http://data.pavlix.net/fedora/racoon2.spec
SRPM URL: http://data.pavlix.net/fedora/racoon2-20100526a-1.fc15.src.rpm
Description: The Racoon2 project is a joint effort which provides an implementation of key management system for IPsec. The implementation is called Racoon2, a successor of Racoon, which was developed by the KAME project. It supports IKEv1, IKEv2, and KINK protocols. It works on FreeBSD, NetBSD, Linux, and Mac OS X. Racoon2 is provided under a BSD-style license. To support various environments that use IPsec, we will develop various functions.
Comment 1 Pavel Šimerda (pavlix) 2011-11-08 16:12:19 EST
It's my first Fedora package. I'm sorry for any inconvenience.
Comment 2 Matěj Cepl 2011-11-08 16:48:43 EST
Created attachment 532398
build log from the koji scratch build

Unfortunately this package doesn't build in koji (http://koji.fedoraproject.org/koji/taskinfo?taskID=3498102). I will attach all logs from the build.
Comment 3 Matěj Cepl 2011-11-08 16:50:17 EST
Created attachment 532400
root.log
Comment 4 Matěj Cepl 2011-11-08 16:50:57 EST
Created attachment 532401
mock_output.log
Comment 5 Matěj Cepl 2011-11-08 16:51:12 EST
Created attachment 532402
state.log
Comment 6 Ben Thompson 2011-11-08 16:55:10 EST
You seem to have posted this request twice:
https://bugzilla.redhat.com/show_bug.cgi?id=752222
Comment 7 Pavel Šimerda (pavlix) 2011-11-08 17:02:04 EST
*** Bug 752222 has been marked as a duplicate of this bug. ***
Comment 8 Pavel Šimerda (pavlix) 2011-11-08 17:07:14 EST
Created attachment 532406
Specfile with openssl dependency added

I'm adding a new specfile with openssl-devel dependency.
Comment 9 Pavel Šimerda (pavlix) 2011-11-08 17:08:54 EST
New SRPM: http://data.pavlix.net/fedora/racoon2-20100526a-2.fc15.src.rpm
Comment 10 Pavel Šimerda (pavlix) 2011-11-08 17:19:24 EST
Created attachment 532408
SRPM with byacc dependency
Comment 11 Pavel Šimerda (pavlix) 2011-11-08 17:20:55 EST
Created attachment 532409
specfile with byacc dependency
Comment 12 Pavel Šimerda (pavlix) 2011-11-08 17:25:26 EST
Created attachment 532410
SRPM with flex
Comment 13 Pavel Šimerda (pavlix) 2011-11-08 17:26:11 EST
Created attachment 532411
specfile with flex
Comment 14 Pavel Šimerda (pavlix) 2011-11-08 17:38:28 EST
Created attachment 532412
SRPM with lib/lib64 fixed
Comment 15 Pavel Šimerda (pavlix) 2011-11-08 17:39:28 EST
Created attachment 532413
specfile with lib/lib64 fixed
Comment 16 Pavel Šimerda (pavlix) 2011-11-08 17:44:28 EST
Created attachment 532414
SRPM v6 (fixed $ -> %)
Comment 17 Pavel Šimerda (pavlix) 2011-11-08 17:45:18 EST
Created attachment 532415
specfile
Comment 18 Matěj Cepl 2011-11-08 18:10:56 EST
http://koji.fedoraproject.org/koji/taskinfo?taskID=3498367 builds correctly for Rawhide on all architectures.
Comment 19 Ben Thompson 2011-11-08 19:26:03 EST
Informal review, I'm not sponsored yet.

===

Can you add changelog entries to the spec file?

Also getting the following when building:
yacc -d cfparse.y
make[1]: yacc: Command not found
Comment 20 Pavel Šimerda (pavlix) 2011-11-09 10:15:34 EST
Created attachment 532587
SRPM with cosmetical changes
Comment 21 Pavel Šimerda (pavlix) 2011-11-09 10:17:33 EST
Created attachment 532589
new specfile
Comment 22 Pavel Šimerda (pavlix) 2011-11-09 10:22:52 EST
(In reply to comment #19)
> Can you add changelog entries to the spec file?

It's just a new package, please see the changelog of -7 version.

> Also getting the following when building:
> yacc -d cfparse.y
> make[1]: yacc: Command not found

You probably used an older version, -6 or -7 should build for you.
Comment 23 Ben Thompson 2011-11-09 11:41:33 EST
Yes you're right, it builds with -7.

Some other notes: You don't need to clean buildroot in your spec anymore and aren't required to specify a buildroot either.

And here's the rpmlint message:

[!] : MUST - Rpmlint output is silent.
        
        rpmlint racoon2-20100526a-7.fc17.i686.rpm
        ================================================================================
        racoon2.i686: W: non-conffile-in-etc /etc/racoon2/hook/functions
        racoon2.i686: E: non-executable-script /etc/racoon2/hook/functions 0644L /bin/sh
        racoon2.i686: E: script-without-shebang /lib/systemd/system/spmd.service
        racoon2.i686: E: non-readable /etc/racoon2/transport_ike.conf 0600L
        racoon2.i686: W: non-conffile-in-etc /etc/racoon2/transport_ike.conf
        racoon2.i686: E: non-readable /etc/racoon2/racoon2.conf 0600L
        racoon2.i686: W: non-conffile-in-etc /etc/racoon2/racoon2.conf
        racoon2.i686: E: non-readable /etc/racoon2/vals.conf 0600L
        racoon2.i686: W: non-conffile-in-etc /etc/racoon2/vals.conf
        racoon2.i686: E: non-readable /etc/racoon2/tunnel_ike.conf 0600L
        racoon2.i686: W: non-conffile-in-etc /etc/racoon2/tunnel_ike.conf
        racoon2.i686: E: non-readable /etc/racoon2/local-test.conf 0600L
        racoon2.i686: W: non-conffile-in-etc /etc/racoon2/local-test.conf
        racoon2.i686: E: non-readable /etc/racoon2/tunnel_ike_natt.conf 0600L
        racoon2.i686: W: non-conffile-in-etc /etc/racoon2/tunnel_ike_natt.conf
        racoon2.i686: E: non-readable /etc/racoon2/transport_kink.conf 0600L
        racoon2.i686: W: non-conffile-in-etc /etc/racoon2/transport_kink.conf
        racoon2.i686: E: non-readable /etc/racoon2/default.conf 0600L
        racoon2.i686: W: non-conffile-in-etc /etc/racoon2/default.conf
        racoon2.i686: E: script-without-shebang /lib/systemd/system/iked.service
        racoon2.i686: E: non-readable /etc/racoon2/tunnel_kink.conf 0600L
        racoon2.i686: W: non-conffile-in-etc /etc/racoon2/tunnel_kink.conf
        racoon2.i686: W: no-manual-page-for-binary iked
        racoon2.i686: W: dangerous-command-in-%post chmod
        1 packages and 0 specfiles checked; 12 errors, 12 warnings.
        ================================================================================
        
        rpmlint racoon2-20100526a-7.fc17.src.rpm
        ================================================================================
        1 packages and 0 specfiles checked; 0 errors, 0 warnings.
        ================================================================================
        
        rpmlint racoon2-debuginfo-20100526a-7.fc17.i686.rpm
        ================================================================================
        1 packages and 0 specfiles checked; 0 errors, 0 warnings.
        ================================================================================
Comment 24 Pavel Šimerda (pavlix) 2011-11-09 16:46:21 EST
Created attachment 532682
SRPM with shorter rpmlint output

I improved the specfile to get rid of some rpmlint messages on the binary. I'd gladly take some advice on the rest of the messages.

$ rpmlint RPMS/i686/racoon2-20100526a-8.fc15.i686.rpm  
racoon2.i686: W: non-conffile-in-etc /etc/racoon2/hook/functions
racoon2.i686: E: non-executable-script /etc/racoon2/hook/functions 0644L /bin/sh
racoon2.i686: E: non-readable /etc/racoon2/transport_ike.conf 0600L
racoon2.i686: E: non-readable /etc/racoon2/racoon2.conf 0600L
racoon2.i686: E: non-readable /etc/racoon2/vals.conf 0600L
racoon2.i686: E: non-readable /etc/racoon2/tunnel_ike.conf 0600L
racoon2.i686: E: non-readable /etc/racoon2/local-test.conf 0600L
racoon2.i686: E: non-readable /etc/racoon2/tunnel_ike_natt.conf 0600L
racoon2.i686: E: non-readable /etc/racoon2/transport_kink.conf 0600L
racoon2.i686: E: non-readable /etc/racoon2/default.conf 0600L
racoon2.i686: E: non-readable /etc/racoon2/tunnel_kink.conf 0600L
racoon2.i686: W: no-manual-page-for-binary iked
racoon2.i686: W: dangerous-command-in-%post chmod
1 packages and 0 specfiles checked; 10 errors, 3 warnings.

I guess Racoon2 authors made the config files non-world-readable intentionally. Non-executable "script" could be patched if needed. The chmod is probably necessary.
Comment 25 Ben Thompson 2011-11-10 18:56:17 EST
I've had a look at previous packages and the remaining errors and warnings seem OK to me. There are a few man pages you've forgotten to add to the spec file:
racoon2-20100526a/iked/iked.8
racoon2-20100526a/kinkd/kinkd.8
Comment 26 Bill Nottingham 2011-11-11 11:26:39 EST
Is there a reason we would ship both this and ipsec-tools?
Comment 27 Matěj Cepl 2011-11-11 14:33:00 EST
(In reply to comment #25)
> I've had a look at previous packages and the remaining errors and warnings seem
> OK to me. There are a few man pages you've forgotten to add to the spec file:
> racoon2-20100526a/iked/iked.8
> racoon2-20100526a/kinkd/kinkd.8

Ben, do you want to take over review of this bug?
Comment 28 Ben Thompson 2011-11-11 14:52:49 EST
(In reply to comment #26)
> Is there a reason we would ship both this and ipsec-tools?

Ah, I overlooked the --disable-kinkd option, so just the iked.8 might come in useful.
Comment 29 Ben Thompson 2011-11-11 14:55:25 EST
(In reply to comment #27)
> (In reply to comment #25)
> > I've had a look at previous packages and the remaining errors and warnings seem
> > OK to me. There are a few man pages you've forgotten to add to the spec file:
> > racoon2-20100526a/iked/iked.8
> > racoon2-20100526a/kinkd/kinkd.8
> 
> Ben, do you want to take over review of this bug?

Well I'm just getting started and my reviews are "informal", as I am not yet sponsored. Just practising, let me know if it's not helping or you have some advice, thanks!
Comment 30 Matěj Cepl 2011-11-11 15:12:40 EST
(In reply to comment #29)
> Well I'm just getting started and my reviews are "informal", as I am not yet
> sponsored. Just practising, let me know if it's not helping or you have some
> advice, thanks!

Sure, make a complete review here, please, (https://fedoraproject.org/wiki/Packaging:ReviewGuidelines) and let me know. I cannot sponsor you, but certainly every done review is helpful.
Comment 31 Tomas Mraz 2011-11-11 17:14:40 EST
I have no problem with shipping both racoon2 and ipsec-tools. Ipsec-tools seem to be a more stable base; on the other hand, racoon2 has multiple new features that ipsec-tools do not have. So both have their own opportunities to be used.
Comment 32 Pavel Šimerda (pavlix) 2011-11-11 17:57:54 EST
(In reply to comment #26)
> Is there a reason we would ship both this and ipsec-tools?

There definitely is. Racoon2 and Racoon are two very different projects. Racoon is well known and used in some environments, ipsec howto includes Racoon configuration. Racoon2 supports IKEv2 which Racoon doesn't.

Therefore, both of them are useful.
Comment 33 Pavel Šimerda (pavlix) 2011-11-11 17:59:55 EST
(In reply to comment #28)
> (In reply to comment #26)
> > Is there a reason we would ship both this and ipsec-tools?
> 
> Ah, I overlooked the --disable-kinkd option, so just the iked.8 might come in
> useful.

Please feel free to test without --disable-kinkd. It didn't compile for me, so I disabled it for the beginning. Of course I would be happy to have it enabled too.
Comment 34 Ben Thompson 2011-11-17 15:49:04 EST
Package Review (Informal)
==============

Key:
- = N/A
x = Check
! = Problem
? = Not evaluated
==== C/C++ ====

[x] : MUST - Header files in -devel subpackage, if present.
[x] : MUST - Package does not contain any libtool archives (.la)

==== Generic ====

[x] : MUST - Package successfully compiles and builds into binary rpms on at least one supported architecture.
[x] : MUST - Package has a %clean section, which contains rm -rf %{buildroot} (or $RPM_BUILD_ROOT).(EPEL6 & Fedora < 13)
[x] : MUST - %config files are marked noreplace or the reason is justified.
[x] : MUST - Each %files section contains %defattr
[x] : MUST - Permissions on files are set properly.
[x] : MUST - Package does not contain duplicates in %files.
[x] : MUST - Spec file lacks Packager, Vendor, PreReq tags.
[x] : MUST - Package run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) and the beginning of %install. (EPEL5)
[x] : MUST - Package is named according to the Package Naming Guidelines.
[!] : MUST - Rpmlint output is silent.
        
        rpmlint racoon2-debuginfo-20100526a-8.fc17.i686.rpm
        ================================================================================
        1 packages and 0 specfiles checked; 0 errors, 0 warnings.
        ================================================================================
        
        rpmlint racoon2-20100526a-8.fc17.src.rpm
        ================================================================================
        1 packages and 0 specfiles checked; 0 errors, 0 warnings.
        ================================================================================
        
        rpmlint racoon2-20100526a-8.fc17.i686.rpm
        ================================================================================
        racoon2.i686: W: non-conffile-in-etc /etc/racoon2/hook/functions
        racoon2.i686: E: non-executable-script /etc/racoon2/hook/functions 0644L /bin/sh
        racoon2.i686: E: non-readable /etc/racoon2/transport_ike.conf 0600L
        racoon2.i686: E: non-readable /etc/racoon2/racoon2.conf 0600L
        racoon2.i686: E: non-readable /etc/racoon2/vals.conf 0600L
        racoon2.i686: E: non-readable /etc/racoon2/tunnel_ike.conf 0600L
        racoon2.i686: E: non-readable /etc/racoon2/local-test.conf 0600L
        racoon2.i686: E: non-readable /etc/racoon2/tunnel_ike_natt.conf 0600L
        racoon2.i686: E: non-readable /etc/racoon2/transport_kink.conf 0600L
        racoon2.i686: E: non-readable /etc/racoon2/default.conf 0600L
        racoon2.i686: E: non-readable /etc/racoon2/tunnel_kink.conf 0600L
        racoon2.i686: W: no-manual-page-for-binary iked
        racoon2.i686: W: dangerous-command-in-%post chmod
        1 packages and 0 specfiles checked; 10 errors, 3 warnings.
        ================================================================================
        
[x] : MUST - Sources used to build the package matches the upstream source, as provided in the spec URL.
        /mnt/docs/development/fedora-git/FedoraReview/src/752223/racoon2-20100526a.tgz :
          MD5SUM this package     : 2fa33abff1ccd6fc22876a23db77aaa8
          MD5SUM upstream package : 2fa33abff1ccd6fc22876a23db77aaa8
        
[x] : MUST - Spec file is legible and written in American English.
[x] : MUST - Spec file name must match the spec package %{name}, in the format %{name}.spec.
[x] : MUST - File names are valid UTF-8.
[x] : SHOULD - Reviewer should test that the package builds in mock.
[x] : SHOULD - Dist tag is present.
[!] : SHOULD - SourceX / PatchY prefixed with %{name}.
        Source0:        http://ftp.racoon2.wide.ad.jp/pub/racoon2/racoon2-20100526a.tgz (racoon2-20100526a.tgz)
        Patch0:         racoon2-autotools.patch (racoon2-autotools.patch)
        Patch1:         racoon2-systemd.patch (racoon2-systemd.patch)
        
[x] : SHOULD - SourceX is a working URL.
[x] : SHOULD - Spec use %global instead of %define.

Issues:
[!] : MUST - Buildroot is correct (EPEL5 & Fedora < 10)
        Multiple BuildRoot definitions found
[!] : MUST - Rpmlint output is silent.
        
        rpmlint racoon2-debuginfo-20100526a-8.fc17.i686.rpm
        ================================================================================
        1 packages and 0 specfiles checked; 0 errors, 0 warnings.
        ================================================================================
        
        rpmlint racoon2-20100526a-8.fc17.src.rpm
        ================================================================================
        1 packages and 0 specfiles checked; 0 errors, 0 warnings.
        ================================================================================
        
        rpmlint racoon2-20100526a-8.fc17.i686.rpm
        ================================================================================
        racoon2.i686: W: non-conffile-in-etc /etc/racoon2/hook/functions
        racoon2.i686: E: non-executable-script /etc/racoon2/hook/functions 0644L /bin/sh
        racoon2.i686: E: non-readable /etc/racoon2/transport_ike.conf 0600L
        racoon2.i686: E: non-readable /etc/racoon2/racoon2.conf 0600L
        racoon2.i686: E: non-readable /etc/racoon2/vals.conf 0600L
        racoon2.i686: E: non-readable /etc/racoon2/tunnel_ike.conf 0600L
        racoon2.i686: E: non-readable /etc/racoon2/local-test.conf 0600L
        racoon2.i686: E: non-readable /etc/racoon2/tunnel_ike_natt.conf 0600L
        racoon2.i686: E: non-readable /etc/racoon2/transport_kink.conf 0600L
        racoon2.i686: E: non-readable /etc/racoon2/default.conf 0600L
        racoon2.i686: E: non-readable /etc/racoon2/tunnel_kink.conf 0600L
        racoon2.i686: W: no-manual-page-for-binary iked
        racoon2.i686: W: dangerous-command-in-%post chmod
        1 packages and 0 specfiles checked; 10 errors, 3 warnings.
        ================================================================================
Comment 35 Matěj Cepl 2011-12-08 04:08:15 EST
bug 753354 is related
Comment 36 Pavel Šimerda (pavlix) 2012-01-01 12:39:59 EST
Please try this new:

http://data.pavlix.net/fedora/racoon2-20100526a-11.fc16.src.rpm

The updated specfile is still at the same location:

http://data.pavlix.net/fedora/racoon2.spec

The main news are:

* Fri Dec 30 2011 Pavel Šimerda <pavlix@pavlix.net> - 20100526a-11
- Removed -fno-strict-aliasing
- Removed -D_GNU_SOURCE=1
- Added rationale for --disable-kinkd and --disable-pedant
- Removed @prefix@ from configuration files (patch)

* Thu Dec 29 2011 Pavel Šimerda <pavlix@pavlix.net> - 20100526a-10
- Added pwgen dependency
- Moved various inline fixes from specfile to patches
- Fixed racoon2 configuration path (/etc/racoon2)

* Wed Dec 07 2011 Pavel Šimerda <pavlix@pavlix.net> - 20100526a-9
- Incorporated more rpmlint feedback
- Directories are now specified by macros
- Added systemd scriptlets
- Added needed /var/run/racoon2 directory
- Added directories to %files section

Racoon2 builds (on my i686 using rpmbuild), and runs. 

--disable-kinkd: KINK must be disabled unless krb5 is compiled --with-crypto-impl=builtin because kinkd uses krb5's internal crypto functions that are not compiled otherwise.

I consider this a problem in racoon2 and not in krb5.
Comment 37 Pavel Šimerda (pavlix) 2012-01-01 15:01:59 EST
Racoon2 now also builds for EPEL6:

http://data.pavlix.net/fedora/racoon2.spec
http://data.pavlix.net/fedora/racoon2-20100526a-12.el6.src.rpm

* Sun Jan 01 2012 Pavel Šimerda <pavlix@pavlix.net> - 20100526a-12
- Added conditionals to build on epel6
- Fixed macro usage: initrddir to initddir
Comment 38 Dan Horák 2012-01-19 05:02:47 EST
FYI, I have stopped using one spec file for both Fedora and EPEL when sysvinit and systemd should be in play, and track them separately. It can easily make the spec file illegible, which would violate one of the major guidelines. And cherry-picking in git still allows maintaining situations like version updates very easily.
Comment 39 Pavel Šimerda (pavlix) 2012-01-21 07:35:36 EST
Created attachment 556688
SRPM release 12

The wiki pages about initscripts and systemd units packaging are rather confusing. I decided to remove the sysvinit package because the wiki recommendations simply don't work.

The current package is still intended for both Fedora and EPEL, tested on Fedora, and this is accomplished by two simple conditionals. It can be split into branches when it gets to Git if needed.

rpmlint output:

racoon2.i686: E: non-standard-dir-perm /etc/racoon2 0700L

/etc/racoon2 contains IPsec configuration. Administrator
can include keys in there and forget to set proper permissions.

Setting mode 700 is *not* necessary but it helps to prevent ordinary
users from accessing IPsec configuration.

Upstream protects individual files but we have the advantage
of knowing the directory name.

Please see also Bug 753354, review request for Strongswan.

racoon2.i686: E: non-standard-dir-perm /var/run/racoon2 0700L

Setting mode 700 helps prevent users from accessing runtime data of Racoon2.

racoon2.i686: W: dangerous-command-in-%post chmod

Running chmod is necessary to protect a key generated during %post.

Changes:

* Sun Jan 15 2012 Pavel Šimerda <pavlix@pavlix.net> - 20100526a-12
- Removed sysvinit subpackage
- Added conditionals to handle different init systems
- Changed initrd macro to initd
- Marked functions as config file
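
The rationale in Comment 39, that a 0700 directory still protects a key file an administrator leaves world-readable, can be checked by computing effective access instead of reading per-file mode bits. This is an added example, not part of the original thread or of the racoon2 package; the fixture tree, the `psk/test.psk` file and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: effective "other users can read" audit for a config tree.
# Everything is built in a temporary directory; nothing under /etc is touched.

# has_other_bit PATH BIT
# Succeeds if the "other" permission BIT (4 = read, 1 = search/execute) is set.
has_other_bit() {
    [ -n "$(find "$1" -prune -perm "-000$2" 2>/dev/null)" ]
}

# others_can_read FILE ROOT
# A file is readable by unrelated users only if it has o+r AND every
# directory from its parent up to ROOT (inclusive) has o+x.
others_can_read() {
    file=$1
    root=$2
    has_other_bit "$file" 4 || return 1
    dir=$(dirname "$file")
    while :; do
        has_other_bit "$dir" 1 || return 1
        [ "$dir" = "$root" ] && return 0
        case $dir in /|.) return 0 ;; esac
        dir=$(dirname "$dir")
    done
}

# audit_tree ROOT
# Prints every regular file below ROOT that other users can effectively read.
audit_tree() {
    root=$1
    find "$root" -type f | while IFS= read -r f; do
        if others_can_read "$f" "$root"; then
            printf '%s\n' "$f"
        fi
    done
}

# make_fixture DIRMODE
# Builds a constructed config directory and prints its path.
make_fixture() {
    base=$(mktemp -d) || return 1
    mkdir "$base/racoon2" "$base/racoon2/psk"
    printf 'constructed-sample-key\n' > "$base/racoon2/psk/test.psk"
    printf '# constructed sample config\n' > "$base/racoon2/racoon2.conf"
    chmod 0644 "$base/racoon2/psk/test.psk"   # the forgotten chmod Comment 39 anticipates
    chmod 0600 "$base/racoon2/racoon2.conf"   # per-file protection, as upstream ships it
    chmod 0755 "$base/racoon2/psk"
    chmod "$1" "$base/racoon2"                # the directory mode under discussion
    printf '%s\n' "$base/racoon2"
}

# Compare the default directory mode with the 0700 the package sets.
demo() {
    for mode in 0755 0700; do
        cfg=$(make_fixture "$mode")
        count=$(audit_tree "$cfg" | wc -l)
        printf 'directory mode %s: %s file(s) readable by other users\n' "$mode" "$count"
        rm -rf "$(dirname "$cfg")"
    done
}

demo
```

The check looks at mode bits only; ACLs and SELinux policy are not considered.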
Comment 40 Matěj Cepl 2012-01-25 18:22:46 EST
Legend: + = PASSED, - = FAILED, 0 = Not Applicable

+ MUST: rpmlint must be run on every package. The output should be posted in
the review

see comment 39 with explanations, which satisfy me

+ MUST: package named according to the Package Naming Guidelines

Not sure that this is a breach of the Guidelines, but this is really wrong

%if 0%{?fedora}

I really am not sure what it is supposed to achieve (are you 100% certain that no RHEL ever will provide fedora element?). What about this one?

%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7

(or something equivalent)?

+ MUST: The spec file name must match the base package %{name}
+ MUST: The package must meet the Packaging Guidelines .
+ MUST: The package licensed with a Fedora approved license and meets the
Licensing Guidelines
+ MUST: The License field in the package spec file matches the actual
license
BSD
+ MUST: If (and only if) the source package includes the text of the license(s)
in its own file, then that file, containing the text of the license(s) for the
package must be included in %doc.
License is included.
+ MUST: The spec file must be written in American English.
+ MUST: The spec file for the package MUST be legible.
+ MUST: The sources used to build the package must match the upstream
source, as provided in the spec URL. Reviewers should use md5sum for this task
MD5: 2fa33abff1ccd6fc22876a23db77aaa8
+ MUST: The package successfully compiles and builds into binary rpms on at
least one primary architecture - build in koji, no problems
0 MUST: If the package does not successfully compile, build or work on an
architecture, then those architectures should be listed in the spec in
ExcludeArch
+ MUST: All build dependencies must be listed in BuildRequires, except for any
that are listed in the exceptions section of the Packaging Guidelines
Build in koji (http://koji.fedoraproject.org/koji/taskinfo?taskID=3733429)
0 MUST: The spec file handles locales properly. This is done by using the
%find_lang macro
No locales are present.
0 MUST: Every binary RPM package (or subpackage) which stores shared library
files (not just symlinks) in any of the dynamic linker's default paths, must
call ldconfig in %post and %postun.
No libraries provided.
+ MUST: Packages must NOT bundle copies of system libraries
0 MUST: If the package is designed to be relocatable, the packager must state
this fact in the request for review, along with the rationalization for
relocation of that specific package. Without this, use of Prefix: /usr is
considered a blocker
+ MUST: Package must own all directories that it creates. If it does not create
a directory that it uses, then it should require a package which does create
that directory
+ MUST: Package must not list a file more than once in the spec file's %files
listings
+ MUST: Permissions on files must be set properly. Every %files section must
include a %defattr(...) line.
+ MUST: Each package must have a %clean section, which contains rm -rf
%{buildroot} (or $RPM_BUILD_ROOT).
+ MUST: Each package must consistently use macros
+ MUST: The package must contain code, or permissible content
0 MUST: Large documentation files must go in a -doc subpackage
+ MUST: If a package includes something as %doc, it must not affect the runtime
of the application
0 MUST: Header files must be in a -devel package
0 MUST: Static libraries must be in a -static package
0 MUST: Packages containing pkgconfig(.pc) files must 'Requires: pkgconfig'
0 MUST: If a package contains library files with a suffix (e.g. libfoo.so.1.1),
then library files that end in .so (without suffix) must go in a -devel package
0 MUST: devel packages must require the base package using a fully versioned
dependency: Requires: %{name} = %{version}-%{release}
+ MUST: Packages must NOT contain any .la libtool archives, these must be
removed in the spec if they are built
0 MUST: Packages containing GUI applications must include a %{name}.desktop
file, and that file must be properly installed with desktop-file-install in the
%install section
+ MUST: Packages must not own files or directories already owned by other
packages
- MUST: At the beginning of %install, each package MUST run rm -rf %{buildroot}
(or $RPM_BUILD_ROOT)
+ MUST: All filenames in rpm packages must be valid UTF-8

Just nitpicks:
- please fix those conditionals
- please add rm -rf %{buildroot} to %install (and %check if it will ever be present)
Comment 41 Pavel Šimerda (pavlix) 2012-01-26 03:14:08 EST
Created attachment 557601
New SRPM

“are you 100% certain that no RHEL ever will provide fedora element?”

If it does, I'm not sure what version number will be used there. This is beyond my knowledge, so I'm using the line you provided.

* Sat Jan 21 2012 Pavel Šimerda <pavlix@pavlix.net> - 20100526a-13
- Added rm at the beginning of install section
- Changed conditionals to versioned ones
Comment 42 Pavel Šimerda (pavlix) 2012-01-26 03:22:05 EST
Created attachment 557606
Updated SPEC
Comment 43 Matěj Cepl 2012-01-26 13:15:10 EST
(In reply to comment #41)
> * Sat Jan 21 2012 Pavel Šimerda <pavlix@pavlix.net> - 20100526a-13
> - Added rm at the beginning of install section
> - Changed conditionals to versioned ones

APPROVED!

(although, there is IMHO a bug in spec ... will racoon2 ever work on RHEL6 where there is no /bin/systemctl at all? I think there is more %if-ing required).
Comment 44 Pavel Šimerda (pavlix) 2012-02-13 08:54:59 EST
New Package SCM Request
=======================
Package Name: strongswan
Short Description: An implementation of key management system for IPsec
Owners: pavlix
Branches: f16 f17 el6
InitialCC:
Comment 45 Pavel Šimerda (pavlix) 2012-02-13 09:44:29 EST
New Package SCM Request
=======================
Package Name: racoon2
Short Description: An implementation of key management system for IPsec
Owners: pavlix
Branches: f16 f17 el6
InitialCC:
Comment 46 Jon Ciesla 2012-02-13 09:51:38 EST
Git done (by process-git-requests).
Comment 47 Fedora Update System 2012-02-13 11:35:49 EST
racoon2-20100526a-14.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/racoon2-20100526a-14.fc16
Comment 48 Fedora Update System 2012-02-14 04:02:24 EST
racoon2-20100526a-14.fc16 has been pushed to the Fedora 16 testing repository.
Comment 49 Fedora Update System 2012-02-14 11:13:02 EST
racoon2-20100526a-14.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/racoon2-20100526a-14.el6
Comment 50 Fedora Update System 2012-02-14 18:23:13 EST
racoon2-20100526a-16.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/racoon2-20100526a-16.fc16
Comment 51 Fedora Update System 2012-03-09 16:03:44 EST
racoon2-20100526a-17.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/racoon2-20100526a-17.fc16
Comment 52 Fedora Update System 2012-03-09 16:05:33 EST
racoon2-20100526a-17.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/racoon2-20100526a-17.el6
Comment 53 Fedora Update System 2012-03-20 22:40:33 EDT
racoon2-20100526a-17.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 54 Fedora Update System 2012-03-25 18:26:10 EDT
racoon2-20100526a-17.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 55 Matěj Cepl 2013-09-11 15:04:15 EDT
What about closing this bug when all packages are in stable for a long time?
