Spec URL: http://athmane.fedorapeople.org/pkgs/hydra.spec
SRPM URL: http://athmane.fedorapeople.org/pkgs/hydra-7.1-1.fc16.src.rpm
Description: Hydra is a parallelized log-in cracker which supports numerous protocols to attack. New modules are easy to add, beside that, it is flexible and very fast. This tool gives researchers and security consultants the possibility to show how easy it would be to gain unauthorized access from remote to a system. Currently this tool supports: TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, LDAP, SMB, SMBNT, MS-SQL, MySQL, REXEC, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, Cisco auth, Cisco enable, Cisco AAA (incorporated in telnet module).
Notes: This is my first package and I need a sponsor.
rpmlint output:
$ rpmlint hydra-7.1-1.fc16.src.rpm
hydra.src: W: spelling-error %description -l en_US parallelized -> paralleled, palatalized, pluralized
hydra.src: W: spelling-error %description -l en_US auth -> auto, Ruth, author
1 packages and 0 specfiles checked; 0 errors, 2 warnings.
$ rpmlint hydra-7.1-1.fc16.x86_64.rpm
hydra.x86_64: W: spelling-error %description -l en_US parallelized -> paralleled, palatalized, pluralized
hydra.x86_64: W: spelling-error %description -l en_US auth -> auto, Ruth, author
1 packages and 0 specfiles checked; 0 errors, 2 warnings.
$ rpmlint hydra-frontend-7.1-1.fc16.x86_64.rpm
1 packages and 0 specfiles checked; 0 errors, 0 warnings.
$ rpmlint hydra.spec
0 packages and 1 specfiles checked; 0 errors, 0 warnings.
Updated license to 'GPLv3 with exceptions' since it seems to be GPLv3 with OpenSSL exception
Spec URL: http://athmane.fedorapeople.org/pkgs/hydra.spec
SRPM URL: http://athmane.fedorapeople.org/pkgs/hydra-7.1-2.fc16.src.rpm
rpmlint output:
$ rpmtlint hydra-7.1-2.fc16.src.rpm
hydra.src: W: spelling-error %description -l en_US parallelized -> paralleled, palatalized, pluralized
hydra.src: W: spelling-error %description -l en_US auth -> auto, Ruth, author
1 packages and 0 specfiles checked; 0 errors, 2 warnings.
$ rpmtlint hydra-7.1-2.fc16.x86_64.rpm
hydra.x86_64: W: spelling-error %description -l en_US parallelized -> paralleled, palatalized, pluralized
hydra.x86_64: W: spelling-error %description -l en_US auth -> auto, Ruth, author
1 packages and 0 specfiles checked; 0 errors, 2 warnings.
$ rpmtlint hydra-frontend-7.1-2.fc16.x86_64.rpm
1 packages and 0 specfiles checked; 0 errors, 0 warnings.
$ rpmtlint hydra.spec
0 packages and 1 specfiles checked; 0 errors, 0 warnings.
Koji scratch build (x86_64 and i686): http://koji.fedoraproject.org/koji/taskinfo?taskID=3601861
Removed rm -rf %{buildroot} from %install
Spec URL: http://athmane.fedorapeople.org/pkgs/hydra.spec
SRPM URL: http://athmane.fedorapeople.org/pkgs/hydra-7.1-3.fc16.src.rpm
New upstream release (7.2):
Spec URL: http://athmane.fedorapeople.org/pkgs/hydra.spec
SRPM URL: http://athmane.fedorapeople.org/pkgs/hydra-7.2-1.fc16.src.rpm
Koji scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=3783373
Just a couple of comments:
As MySQL > 4 seemingly doesn't work, consider to remove "MySQL" from the description.
Do you leave out support for Firebird for a reason?
Looking at the build, the optflags aren't actually used.
Please remove "The hydra package must be installed before installing the hydra front end.", as dependency resolution takes care of that.
Thanks for your comments,
(In reply to comment #6)
> Just a couple of comments:
>
> As MySQL > 4 seemingly doesn't work, consider to remove "MySQL" from the
> description.
>
Fixed, removed the protocols list since it's in constant change.
> Do you leave out support for Firebird for a reason?
Fixed, added support for Firebird
>
> Looking at the build, the optflags aren't actually used.
>
Yes they are not used, I can ask upstream to use CFLAGS if it's necessary.
> Please remove "The hydra package must be installed before installing the hydra
> front end.", as dependency resolution takes care of that.
Fixed
New URLs:
Spec URL: http://athmane.fedorapeople.org/pkgs/hydra.spec
SRPM URL: http://athmane.fedorapeople.org/pkgs/hydra-7.2-2.fc16.src.rpm
Please use the compiler flags from the rpm configuration. Asking upstream to include it wouldn't hurt though, I guess. http://fedoraproject.org/wiki/Packaging:Guidelines#Compiler_flags
(In reply to comment #8)
> Please use the compiler flags from the rpm configuration. Asking upstream to
> include it wouldn't hurt though, I guess.
>
> http://fedoraproject.org/wiki/Packaging:Guidelines#Compiler_flags
I've added a workaround to force CFLAGS:
Spec URL: http://athmane.fedorapeople.org/pkgs/hydra.spec
SRPM URL: http://athmane.fedorapeople.org/pkgs/hydra-7.2-3.fc16.src.rpm
Koji scratch build (to check CFLAGS and Firebird support): http://koji.fedoraproject.org/koji/taskinfo?taskID=3783454
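One way to confirm from a build log that every compile step received the distribution flags, which is the check the comments above ask for. This is an added example, not part of the thread or of the hydra spec; the flag list, the function names and the log excerpt are assumptions constructed for illustration.

```python
import shlex

# Assumed stand-in for the expanded %{optflags}; take the real list from
# `rpm --eval '%{optflags}'` on the build target.
REQUIRED_FLAGS = ("-O2", "-g", "-fstack-protector", "-D_FORTIFY_SOURCE=2")
COMPILERS = {"cc", "gcc", "clang"}

# Constructed build-log excerpt (not taken from the Koji task above).
SAMPLE_LOG = "\n".join([
    "make[1]: Entering directory `/builddir/build/BUILD/hydra-src'",
    "gcc -I. -O2 -c hydra-ftp.c -o hydra-ftp.o",
    "gcc -I. -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector"
    " --param=ssp-buffer-size=4 -c hydra-ssh.c -o hydra-ssh.o",
    "gcc -o hydra hydra.o hydra-ftp.o hydra-ssh.o -lssl -lcrypto",
])


def expand(argv):
    """Split -Wp,a,b style pass-through options into their individual flags."""
    flags = []
    for arg in argv:
        if arg.startswith("-Wp,"):
            flags.extend(arg.split(",")[1:])
        else:
            flags.append(arg)
    return flags


def unflagged_compiles(log_text, required=REQUIRED_FLAGS):
    """Return (line_no, source_file, missing_flags) for each compile step
    that lacks one or more of the required flags."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        try:
            argv = shlex.split(line)
        except ValueError:
            continue  # make chatter with unbalanced quotes, not a command
        if not argv or argv[0].rsplit("/", 1)[-1] not in COMPILERS:
            continue
        sources = [a for a in argv[1:] if a.endswith(".c")]
        if not sources:
            continue  # link step: no source file on the command line
        flags = set(expand(argv[1:]))
        missing = [f for f in required if f not in flags]
        if missing:
            findings.append((line_no, sources[0], missing))
    return findings


if __name__ == "__main__":
    for line_no, source, missing in unflagged_compiles(SAMPLE_LOG):
        print(f"line {line_no}: {source} built without {' '.join(missing)}")
```

An empty result for a real build.log means the CFLAGS workaround reached every object file; a non-empty one names the sources still built with upstream's own options.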
Hm, I don't feel very happy about having to install PostgreSQL and Firebird libraries, just to be able to use this program for SVN, for instance.
There is at least some GPLv3+ code. Have you dug through the code? It is quite a mixture, but I assume GPLv3+ as the overall license could be fine.
Please preserve the timestamps for the manpages and the icon (-p).
What is the group "X-Red-Hat-Base" for?
There are several format warnings when you compile the code. Try to fix them and submit it to upstream.
On my F16 64 bit system a build with rpmbuild fails for some reason, while it works with Mock.
(In reply to comment #11)
> Hm, I don't feel very happy about having to install PostgreSQL and Firebird
> libraries, just to be able to use this program for SVN, for instance.
>
It's a multi-protocols brute-forcer, there's a similar package in fedora 'medusa', packaged in the same way even if it has a modular architecture (.so for each service, but the package depends on libssh2, postgresql libs etc...), hydra is on binary :/.
> There is at least some GPLv3+ code. Have you dug through the code? It is quite
> a mixture, but I assume GPLv3+ as the overall license could be fine.
>
It seems to be 'GPLv3 with exceptions' (because of OpenSSL), I checked with Gentoo (GPL-3) and Debian (GPL-3.0+ with OpenSSL exception)
> Please preserve the timestamps for the manpages and the icon (-p).
>
Fixed in -4
> What is the group "X-Red-Hat-Base" for?
>
Removed in -4,
> There are several format warnings when you compile the code. Try to fix them
> and submit it to upstream.
>
I noticed them when I enabled CFLAGS, I'm using this build at work and it seems very stable (heavily tested with SSH and FTP), but I'll try to help upstream to fix them (along with mysql and CFLAGS support)
> On my F16 64 bit system a build with rpmbuild fails for some reason, while it
> works with Mock.
Maybe you have mysql-devel, can attach the errors
SPEC: http://athmane.fedorapeople.org/pkgs/hydra.spec
SRPM: http://athmane.fedorapeople.org/pkgs/hydra-7.2-4.fc16.src.rpm
Koji: http://koji.fedoraproject.org/koji/taskinfo?taskID=3870495
Yes, it fails, if mysql-devel is installed. Can you solve that?
(In reply to comment #13)
> Yes, it fails, if mysql-devel is installed. Can you solve that?
That error appears because 'hash_password' and 'scramble' are defined in the headers but not exposed by libmysql. I have a workaround for that issue, just testing it.
- Fixed compilation warnings (important one).
- Added mysql support (I need to investigate more on this because it does not seem to find a valid user/pass against mysql server 5.5.x)
SPEC: http://athmane.fedorapeople.org/pkgs/hydra.spec
SRPM: http://athmane.fedorapeople.org/pkgs/hydra-7.2-5.fc16.src.rpm
Koji: http://koji.fedoraproject.org/koji/taskinfo?taskID=3888842
(In reply to comment #15)
> (I need to investigate more on this because it does not
> seem to find a valid user/pass against mysql server 5.5.x)
Nevermind, I had the same issue with a package from other distro (it's an issue with hydra-mysql itself).
Upstream responded that he'll include the patches/fixes.
I've reversed a patch because it breaks brute-forcing NTLM-enabled services (upstream confirmed that it's not necessary)
SPEC: http://athmane.fedorapeople.org/pkgs/hydra.spec
SRPM: http://athmane.fedorapeople.org/pkgs/hydra-7.2-6.fc16.src.rpm
Koji: http://koji.fedoraproject.org/koji/taskinfo?taskID=3996524
Created attachment 577860 [details]
hydra-7.2-destdir.patch
Tested now on Fedora 17 and it works (tested ssh and mysql) - thanks.
Please would you consider adding the dpl2hydra files to the package? It can be useful.
%{_bindir}/dpl4hydra.sh
%{_datadir}/%{name}/dpl4hydra*.csv
Attached is a patch which I use for the DESTDIR install and putting the csv database to /usr/share/hydra directory.
Best regards
Michal Ambroz
(In reply to comment #15)
> - Added mysql support (I need to investigate more on this because it does not
> seem to find a valid user/pass against mysql server 5.5.x)
BTW I was testing against mysql server 5.5.22 from Fedora 17 and it seemed to work fine for me with a small dictionary containing the right password among a dozen other words. Problem is that it reports false positives also on some other words if you use a bigger dictionary.
Thanks Michal, I've included dpl4hydra and added the patch for DESTDIR.
SPEC: http://athmane.fedorapeople.org/pkgs/hydra.spec
SRPM: http://athmane.fedorapeople.org/pkgs/hydra-7.2-7.fc16.src.rpm
Koji: http://koji.fedoraproject.org/koji/taskinfo?taskID=3996813
Thank you ... dpl4hydra works fine for me now.
Hello,
unfortunately I am not sponsor so I can provide only with the informal non-authoritative review.

Package Review
==============

Generated by fedora-review 0.1.3 + manual review

Key:
- = N/A
x = Pass (by automated check)
X = Pass (manual check)
! = Fail
? = Not evaluated / Needs attention

==== C/C++ ====
[x]: MUST Header files in -devel subpackage, if present.
[x]: MUST Package does not contain any libtool archives (.la)
[X]: MUST Package does not contain kernel modules.
[X]: MUST Package contains no static executables.
[X]: MUST Rpath absent or only used for internal libs.
[X]: MUST Package is not relocatable.

==== Generic ====
[X?]: MUST Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines.
  - package released under GPLv3+ with exemption allowing linking with openssl
  - contains GPLv2+ code and public domain code
  - exceptions were sufficient for the license to be accepted to Debian
  - I would recommend to cross check with Tom 'spot' Callaway
[x]: MUST Package successfully compiles and builds into binary rpms on at least one supported primary architecture.
  - koji build is referenced in the review request
  - I have successfully re-build package for Fedora 17
[X]: MUST %build honors applicable compiler flags or justifies otherwise.
  - Makefile.am is patched to include CFLAGS in OPTS, OPTS are used in Makefile then
[x]: MUST All build dependencies are listed in BuildRequires, except for any that are listed in the exceptions section of Packaging Guidelines.
[x]: MUST Buildroot is not present
  Note: Unless packager wants to package for EPEL5 this is fine
[!]: MUST Package contains no bundled libraries.
  - package doesn't contain bundled libraries, but it contains header files from PostgreSQL
  - I would recommend to patch to use the header files from the installed postgresql-devel package
  - similar patch is contained in debian http://packages.debian.org/source/testing/hydra
[X]: MUST Changelog in prescribed format.
[x]: MUST Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT)
  Note: Clean would be needed if support for EPEL is required
[X]: MUST Sources contain only permissible code or content.
[x]: MUST Each %files section contains %defattr if rpm < 4.4
  Note: Note: defattr macros not found. They would be needed for EPEL5
[X]: MUST Macros in Summary, %description expandable at SRPM build time.
[X]: MUST Package contains a properly installed %{name}.desktop using desktop-file-install file if it is a GUI application.
[X]: MUST Package requires other packages for directories it uses.
[X]: MUST Package uses nothing in %doc for runtime.
[-]: MUST Package is not known to require ExcludeArch.
[x]: MUST Permissions on files are set properly.
[x]: MUST Package does not contain duplicates in %files.
[x]: MUST Fully versioned dependency in subpackages, if present.
[x]: MUST Spec file lacks Packager, Vendor, PreReq tags.
[x]: MUST Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install.
  Note: rm -rf would be needed if support for EPEL5 is required
[-]: MUST Large documentation files are in a -doc subpackage, if required.
[!]: MUST If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %doc.
  - file LICENSE.OPENSSL is missing in the doc
[X]: MUST License field in the package spec file matches the actual license.
[X]: MUST License file installed when any subpackage combination is installed.
[X]: MUST Package consistently uses macros (instead of hard-coded directory names).
[x]: MUST Package is named according to the Package Naming Guidelines.
[X]: MUST Package does not generate any conflict.
[X]: MUST Package obeys FHS, except libexecdir and /usr/target.
[!]: MUST Package must own all directories that it creates.
  - directory /usr/share/hydra should be owned with the %dir directive
[X]: MUST Package does not own files or directories owned by other packages.
[X]: MUST Package installs properly.
[-]: MUST Requires correct, justified where necessary.
[X?]: MUST Rpmlint output is silent.
  - please notify the upstream about the incorrect fsf address
  - other than that I believe it is good
  rpmlint hydra-debuginfo-7.2-7.fc17.x86_64.rpm
  hydra-debuginfo.x86_64: E: incorrect-fsf-address /usr/src/debug/hydra-7.2-src/hmacmd5.h
  hydra-debuginfo.x86_64: E: incorrect-fsf-address /usr/src/debug/hydra-7.2-src/hmacmd5.c
  1 packages and 0 specfiles checked; 2 errors, 0 warnings.
  rpmlint hydra-frontend-7.2-7.fc17.x86_64.rpm
  1 packages and 0 specfiles checked; 0 errors, 0 warnings.
  rpmlint hydra-7.2-7.fc17.src.rpm
  hydra.src: W: spelling-error %description -l en_US parallelized -> paralleled, palatalized, pluralized
  1 packages and 0 specfiles checked; 0 errors, 1 warnings.
  rpmlint hydra-7.2-7.fc17.x86_64.rpm
  hydra.x86_64: W: spelling-error %description -l en_US parallelized -> paralleled, palatalized, pluralized
  hydra.x86_64: W: no-manual-page-for-binary dpl4hydra.sh
  1 packages and 0 specfiles checked; 0 errors, 2 warnings.
[x]: MUST Sources used to build the package match the upstream source, as provided in the spec URL.
  /home/mambroz/tmp/hydra/769919/hydra-7.2-src.tar.gz :
  MD5SUM this package : 7a72f2d4dd8a771a4935072f80e336dd
  MD5SUM upstream package : 7a72f2d4dd8a771a4935072f80e336dd
[X]: MUST Spec file is legible and written in American English.
[x]: MUST Spec file name must match the spec package %{name}, in the format %{name}.spec.
[-]: MUST Package contains a SysV-style init script if in need of one.
[x]: MUST File names are valid UTF-8.
[X]: MUST Useful -debuginfo package or justification otherwise.
[x]: SHOULD Reviewer should test that the package builds in mock.
[-]: SHOULD If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it.
[x]: SHOULD Dist tag is present.
[X]: SHOULD No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[X]: SHOULD Final provides and requires are sane (rpm -q --provides and rpm -q --requires).
[X]: SHOULD Package functions as described.
[X]: SHOULD Latest version is packaged.
[X]: SHOULD Package does not include license text files separate from upstream.
[-]: SHOULD Patches link to upstream bugs/comments/lists or are otherwise justified.
[X?]: SHOULD SourceX / PatchY prefixed with %{name}.
  Note: Source1: xhydra.desktop (xhydra.desktop)
  Patch1: hydra-fix-mysql-support.patch (hydra-fix-mysql-support.patch)
  Patch2: hydra-fix-format-extra-args.patch (hydra-fix-format-extra-args.patch)
  Patch3: hydra-7.2-destdir.patch (hydra-7.2-destdir.patch)
  - xhydra.desktop was flagged by automated check, but I believe the name is acceptable
  - I believe that hydra.desktop for the commandline util will be provided by security-menus
[x]: SHOULD SourceX is a working URL.
[-]: SHOULD Description and summary sections in the package spec file contains translations for supported Non-English languages, if available.
[X]: SHOULD Package should compile and build into binary rpms on all supported architectures.
[-]: SHOULD %check is present and all tests pass.
[X?]: SHOULD Packages should try to preserve timestamps of original installed files.
  - install in the spec file respects timestamps
  - install in the Makefile does not - I would recommend to patch it and report to upstream
[x]: SHOULD Spec use %global instead of %define.

Summary:
- Generally I would say the package is good and ready to be accepted. There are only minor easy-to fix glitches
- Please fix these issues:
  - use postgres header files from the installed postgresql-devel package
  - add dir of /usr/share/hydra
  - include LICENSE.OPENSSL as doc
  - please inform the upstream about the wrong address of FSF in hmacmd5 files

(In reply to comment #23)
<snip>
>
> Summary:
> - Generally I would say the package is good and ready to be accepted.
> There are only minor easy-to fix glitches
> - Please fix these issues:
> - use postgres header files from the installed postgresql-devel package
> - add dir of /usr/share/hydra
> - include LICENSE.OPENSSL as doc
> - please inform the upstream about the wrong address of FSF in hmacmd5
> files
Fixed those issues, also synced with upstream (informed him about wrong FSF address, submitted postgres patch and suggested to remove the bundled postgres headers)
SPEC: http://athmane.fedorapeople.org/pkgs/hydra.spec
SRPM: http://athmane.fedorapeople.org/pkgs/hydra-7.2-8.fc16.src.rpm
Koji: http://koji.fedoraproject.org/koji/taskinfo?taskID=4087791
According to the licensing matrices [1]:
- Public Domain (not a license) is compatible with GPLv2+ and GPLv3+
- GPLv2+ is compatible with GPLv3+
[1] http://fedoraproject.org/wiki/Licensing
CCing Tom 'spot' Callaway
Thank you Athmane. By me everything is OK. Good luck with searching for sponsor. Best regards Michal Ambroz
New upstream release (7.3):
SPEC: http://athmane.fedorapeople.org/pkgs/hydra.spec
SRPM: http://athmane.fedorapeople.org/pkgs/hydra-7.3-9.fc17.src.rpm
Koji: http://koji.fedoraproject.org/koji/taskinfo?taskID=4095451
Hello Athmane,
please leave the release number (9) as it is now, but for next upstream versions the release should always reset to 1.
http://fedoraproject.org/wiki/Packaging:NamingGuidelines#Release_Tag
Thank you
Michal Ambroz
(In reply to comment #29)
> Hello Athmane,
> please leave the release number (9) as it is now, but for next upstream
> versions the release should always reset to 1.
>
> http://fedoraproject.org/wiki/Packaging:NamingGuidelines#Release_Tag
>
I didn't reset release number to 1 because 7.3 is a bugfix release (ie. no major changes), I'll do it next time, thanks.
Hi Athmane,
I have not found any other issues other than those, which have already been fixed or reported to upstream. From my point of view the package is OK. Good luck with searching for sponsor.
Michal Ambroz
I've sponsored Athmane, removing FE_NEEDSPONSOR.
Kevin thank you for information. If Athmane is already sponsored, I can take the review of the package.
ACCEPT
In my opinion the package is ready to be accepted for Fedora.
Athmane please when you will be raising SCM admin request, put my id "rebus" to the InitialCC field.
http://fedoraproject.org/wiki/Package_SCM_admin_requests
New Package SCM Request
=======================
Package Name: hydra
Short Description: Very fast network log-on cracker
Owners: athmane
Branches: f16 f17
InitialCC: rebus
Git done (by process-git-requests).
hydra-7.3-9.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/hydra-7.3-9.fc17
hydra-7.3-9.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/hydra-7.3-9.fc16
hydra-7.3-9.fc17 has been pushed to the Fedora 17 stable repository.
hydra-7.3-10.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/hydra-7.3-10.fc16
hydra-7.3-10.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Package Change Request
======================
Package Name: hydra
New Branches: el6
Owners: athmane
removing alias so bugzilla can be searched for hydra