Bug 798738 - (mysqlenum) Review request: mysqlenum - is an automatic blind SQL injection tool.
Status: CLOSED CANTFIX
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware/OS: All / All
Priority: medium
Severity: medium
Assigned To: Nobody's working on this, feel free to take it
QA Contact: Fedora Extras Quality Assurance
URL: http://www.andreafabrizi.it/?mysqlenum
Blocks: FE-SECLAB
Reported: 2012-02-29 12:43 EST by pjp
Modified: 2013-05-03 02:54 EDT
Last Closed: 2013-05-03 02:54:38 EDT
Doc Type: Bug Fix
Attachments: None

Description pjp 2012-02-29 12:43:27 EST
Hi,

mysqlenum is an automatic blind SQL injection tool.

SPEC: http://pjp.dgplug.org/tools/mysqlenum.spec
SRPM: http://pjp.dgplug.org/tools/mysqlenum-0.3-1.fc16.src.rpm
Koji: http://koji.fedoraproject.org/koji/taskinfo?taskID=3840986

Thank you.
Comment 1 Matthias Runge 2012-03-01 02:45:04 EST
pjp, you can't review your own package.

You should only set fedora-review-flag if you're going to do a review.

One minor point: if you're not going to submit this for el5, then you should remove rm -rf $RPM_BUILD_ROOT from the %install section.
Comment 2 pjp 2012-03-01 03:31:21 EST
Oops, sorry. (In reply to comment #1)
> pjp, you can't review your own package.
> You should only set fedora-review-flag if you're going to do a review.

  Oh, sorry about that, got confused.
 
> One minor: If you're not going to submit this for el5, then you should remove
> rm -rf $RPM_BUILD_ROOT from install section.

  Why not? I can submit it for el5 as well. Hope that's OK.

Thank you.
Comment 3 Jan Lieskovsky 2012-03-01 04:12:50 EST
Removed the 'Security' keyword. Please don't use that one for cases like this, as it has different purpose.

This is not a security issue, just package review request.

Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Comment 4 Athmane Madjoudj 2012-03-03 06:11:52 EST
Here's some comments:

- Source0 should point to upstream, i.e.: http://www.andreafabrizi.it/download.php?file=mysqlenum-0.3.tar.gz

- Use the %{version} macro instead of a hard-coded version (e.g. in Source0)

- %{_sysconfdir}/mysqlenum.conf should be marked as %config


I added FE-SECLAB blocker since this package is in Security Lab spin wishlist.
Comment 5 pjp 2012-03-03 08:59:12 EST
(In reply to comment #4)
> - Source0 should be point to upstream ie:
> http://www.andreafabrizi.it/download.php?file=mysqlenum-0.3.tar.gz

  I had done that; it causes an error during $ rpmbuild -ba:

error: File /home/rpm/rpmbuild/SOURCES/download.php?file=%{name}-%{version}.tar.gz: No such file or directory

Please see:

SPEC: http://pjp.dgplug.org/tools/mysqlenum.spec
SRPM: http://pjp.dgplug.org/tools/mysqlenum-0.3-2.fc16.src.rpm
Koji: http://koji.fedoraproject.org/koji/taskinfo?taskID=3849235

Thanks.
Comment 6 Athmane Madjoudj 2012-03-03 09:13:59 EST
According to [1], you should use something like:

# Upstream URL does not end with tarball name
# You can get the tarball by following a link from:
# http://www.andreafabrizi.it/download.php?file=mysqlenum-0.3.tar.gz
Source0: %{name}-%{version}.tar.gz


[1] http://fedoraproject.org/wiki/Packaging:SourceURL#Troublesome_URLs
Comment 7 pjp 2012-03-03 09:58:08 EST
(In reply to comment #6)
> # Upstream URL does not end with tarball name
> # You can get the tarball by following a link from:
> # http://www.andreafabrizi.it/download.php?file=mysqlenum-0.3.tar.gz
> Source0: %{name}-%{version}.tar.gz

  Yep, done. Please see

SPEC: http://pjp.dgplug.org/tools/mysqlenum.spec
SRPM: http://pjp.dgplug.org/tools/mysqlenum-0.3-3.fc16.src.rpm
Koji: http://koji.fedoraproject.org/koji/taskinfo?taskID=3849337

Thank you!
Comment 8 Susi Lehtola 2012-03-04 06:45:30 EST
pjp: please fill in your full name in bugzilla.

Are you a member of the packaging group? Have you been sponsored?

Please document what patch0 does. And be sure to run rpmlint on your rpms, at least the summary does not adhere to Fedora standards.
Comment 9 pjp 2012-03-04 09:21:27 EST
(In reply to comment #8)
> Are you a member of the packaging group? Have you been sponsored?

   Yes, I am.
 
> Please document what patch0 does. And be sure to run rpmlint on your rpms, at
> least the summary does not adhere to Fedora standards.

Please see:

SPEC: http://pjp.dgplug.org/tools/mysqlenum.spec
SRPM: http://pjp.dgplug.org/tools/mysqlenum-0.3-4.fc16.src.rpm


$ rpmlint SPECS/mysqlenum.spec 
SPECS/mysqlenum.spec: W: invalid-url Source0: mysqlenum-0.3.tar.gz
0 packages and 1 specfiles checked; 0 errors, 1 warnings.
 
$ rpmlint RPMS/x86_64/mysqlenum-0.3-4.fc16.x86_64.rpm 
mysqlenum.x86_64: W: no-manual-page-for-binary mysqlenum
1 packages and 0 specfiles checked; 0 errors, 1 warnings.

$ rpmlint SRPMS/mysqlenum-0.3-4.fc16.src.rpm 
mysqlenum.src: W: invalid-url Source0: mysqlenum-0.3.tar.gz
1 packages and 0 specfiles checked; 0 errors, 1 warnings.
Comment 10 Michael Scherer 2012-03-18 18:48:02 EDT
I think you should split the patch into 2 separate patches, and add a comment about when you sent them upstream (and, of course, send them upstream).

See https://fedoraproject.org/wiki/Packaging:Guidelines#All_patches_should_have_an_upstream_bug_link_or_comment
Comment 11 pjp 2012-03-19 02:13:04 EDT
(In reply to comment #10)
> I think you should split the patch into 2 separate patches,

  Okay.

> and add a comment
> about when you sent them upstream (and, of course, send them upstream).

  Yes, I sent the patch (on Feb 29th, 2012) to the upstream author

 -> andrea.fabrizi@gmail.com

But haven't heard anything from him.
Comment 12 pjp 2012-03-19 09:14:36 EDT
I've split the original patch into two: one for COPYING and other for the Makefile. 

Please see:

SPEC: http://pjp.dgplug.org/tools/mysqlenum.spec
SRPM: pjp.dgplug.org/tools/mysqlenum-0.3-5.fc16.src.rpm


$ rpmlint SPECS/mysqlenum.spec 
SPECS/mysqlenum.spec: W: invalid-url Source0: mysqlenum-0.3.tar.gz
0 packages and 1 specfiles checked; 0 errors, 1 warnings.

$ rpmlint RPMS/x86_64/mysqlenum-0.3-5.fc16.x86_64.rpm 
mysqlenum.x86_64: W: no-manual-page-for-binary mysqlenum
1 packages and 0 specfiles checked; 0 errors, 1 warnings.

$ rpmlint SRPMS/mysqlenum-0.3-5.fc16.src.rpm 
mysqlenum.src: W: invalid-url Source0: mysqlenum-0.3.tar.gz
1 packages and 0 specfiles checked; 0 errors, 1 warnings.

Thank you.
Comment 13 Michael Scherer 2012-03-19 15:13:21 EDT
The md5sum doesn't match; it seems that you repackaged everything in a different directory. You should not do that; rather, use the -n option of %setup:

%setup -q -n %{name} 

Please fix.
Comment 14 Michael Scherer 2012-03-19 15:14:26 EDT
Also, please post a complete URL, as I am using fedora-review, and it gets confused if the URL is not complete (i.e., without http://).
Comment 15 Michael Scherer 2012-03-19 15:15:51 EDT
And there is no need to clean the buildroot in %install; see
https://fedoraproject.org/wiki/Packaging:Guidelines#BuildRoot_tag
Comment 16 pjp 2012-03-27 02:26:09 EDT
Hi, I've made the changes, please see:

SPEC: http://pjp.dgplug.org/tools/mysqlenum.spec
SRPM: http://pjp.dgplug.org/tools/mysqlenum-0.3-6.fc16.x86_64.rpm


$ rpmlint SPECS/mysqlenum.spec 
SPECS/mysqlenum.spec: W: invalid-url Source0: mysqlenum-0.3.tar.gz
0 packages and 1 specfiles checked; 0 errors, 1 warnings.

$ rpmlint SRPMS/mysqlenum-0.3-6.fc16.src.rpm 
mysqlenum.src: W: invalid-url Source0: mysqlenum-0.3.tar.gz
1 packages and 0 specfiles checked; 0 errors, 1 warnings.

$ rpmlint RPMS/x86_64/mysqlenum-0.3-6.fc16.x86_64.rpm 
mysqlenum.x86_64: W: no-manual-page-for-binary mysqlenum
1 packages and 0 specfiles checked; 0 errors, 1 warnings.
Comment 18 Michael Scherer 2012-03-27 15:29:56 EDT
You didn't fix the problem of comment #13 and that's a blocker.
Comment 19 pjp 2012-03-28 05:35:47 EDT
Hey sorry, I've fixed it. Please see:

SPEC: http://pjp.dgplug.org/tools/mysqlenum.spec
SRPM: http://pjp.dgplug.org/tools/mysqlenum-0.3-7.fc16.src.rpm

$ rpmlint SPECS/mysqlenum.spec 
SPECS/mysqlenum.spec: W: invalid-url Source0: mysqlenum-0.3.tar.gz
0 packages and 1 specfiles checked; 0 errors, 1 warnings.

$ rpmlint SRPMS/mysqlenum-0.3-7.fc16.src.rpm 
mysqlenum.src: W: invalid-url Source0: mysqlenum-0.3.tar.gz
1 packages and 0 specfiles checked; 0 errors, 1 warnings.

$ rpmlint RPMS/x86_64/mysqlenum-0.3-7.fc16.x86_64.rpm 
mysqlenum.x86_64: W: no-manual-page-for-binary mysqlenum
1 packages and 0 specfiles checked; 0 errors, 1 warnings.

Thank you.
Comment 20 Michael Scherer 2012-04-01 07:17:49 EDT
The tarball still does not match the md5sum; the upstream tarball uses the root user, and it seems that the one in the RPM uses the rpm user.
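The md5sum mismatch raised in comments 13 and 20 is the reviewer's supply-chain check: Source0 has to be byte-for-byte the tarball upstream published, and a repack of the same tree (different top-level directory, or simply a different owner in the tar headers) fails it even when every file's contents are identical. The fix is never to repack but to point %setup at the directory upstream actually ships (the -n option) and to verify the checksum of the untouched upstream file. The shell script below is an added example, not code from this bug, from Fedora's tooling or from mysqlenum upstream. It builds a constructed fixture (a tiny mysqlenum tree, an "upstream" archive owned by root, and a repack of the same tree under another uid), reads the top-level directory that decides the %setup -n argument, and compares checksums against a value that stands in for the one upstream would publish; the fixture contents and that reference checksum are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the bug, Fedora tooling or mysqlenum upstream).
# Two checks a package reviewer runs on Source0:
#  1. which top-level directory the tarball unpacks into (decides %setup -n)
#  2. whether the tarball matches the upstream-published checksum, and why a
#     repack of identical file contents still fails that check.
# The project tree, file contents and the "published" checksum are constructed.
set -eu

# Print the top-level directory a tarball unpacks into, e.g. "mysqlenum"
# (comment 13's case, where %setup -q -n %{name} is needed instead of the
# default %{name}-%{version}).
tarball_topdir() {
    tar tzf "$1" | head -n 1 | cut -d/ -f1
}

# Print the sha256 of a file (md5sum works the same way; the bug used md5).
file_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# Return 0 if the tarball matches the expected checksum, 1 otherwise.
verify_source() {
    tarball=$1
    expected=$2
    actual=$(file_sha256 "$tarball")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $tarball matches the upstream checksum"
        return 0
    fi
    echo "FAIL $tarball: got $actual, expected $expected" >&2
    return 1
}

# Build the constructed fixture and print the scratch directory.
# upstream.tar.gz: tree archived with root as owner (as in comment 20).
# repacked.tar.gz: the very same tree re-archived under a non-root uid, the
# kind of repack a packager produces by extracting and tarring again.
make_fixture() {
    work=$(mktemp -d)
    mkdir -p "$work/mysqlenum"
    printf 'all:\n\tcc -o mysqlenum mysqlenum.c\n' > "$work/mysqlenum/Makefile"
    printf 'int main(void) { return 0; }\n' > "$work/mysqlenum/mysqlenum.c"
    tar -C "$work" --owner=0 --group=0 -czf "$work/upstream.tar.gz" mysqlenum
    tar -C "$work" --owner=1000 --group=1000 -czf "$work/repacked.tar.gz" mysqlenum
    echo "$work"
}

demo() {
    work=$(make_fixture)
    echo "top-level dir: $(tarball_topdir "$work/upstream.tar.gz") -> use %setup -q -n mysqlenum"
    # Stands in for the checksum upstream publishes next to the download.
    published=$(file_sha256 "$work/upstream.tar.gz")
    verify_source "$work/upstream.tar.gz" "$published"
    verify_source "$work/repacked.tar.gz" "$published" \
        || echo "same files, different tar metadata: the repack fails review"
    rm -rf "$work"
}

demo
```

In a real review the expected value comes from upstream's published checksum or from hashing a fresh download of the Source0 URL, never from the tarball inside the SRPM itself; the fixture computes it from its own "upstream" file only because the demo has to run offline.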
Comment 21 pjp 2012-04-01 11:18:07 EDT
I replaced the source tarball with the upstream one. Please see

SPEC: http://pjp.dgplug.org/tools/mysqlenum.spec
SRPM: http://pjp.dgplug.org/tools/mysqlenum-0.3-8.fc16.src.rpm

$ rpmlint SPECS/mysqlenum.spec 
SPECS/mysqlenum.spec: W: invalid-url Source0: mysqlenum-0.3.tar.gz
0 packages and 1 specfiles checked; 0 errors, 1 warnings.

$ rpmlint RPMS/x86_64/mysqlenum-0.3-8.fc16.x86_64.rpm 
mysqlenum.x86_64: W: no-manual-page-for-binary mysqlenum
1 packages and 0 specfiles checked; 0 errors, 1 warnings.

$ rpmlint SRPMS/mysqlenum-0.3-8.fc16.src.rpm 
mysqlenum.src: W: invalid-url Source0: mysqlenum-0.3.tar.gz
1 packages and 0 specfiles checked; 0 errors, 1 warnings.


Thank you.
Comment 22 Michael Scherer 2012-04-06 14:51:48 EDT
Hi, sorry not to have answered earlier; I was busy IRL.

I looked at the license side, and there are base64.c and base64.h files under a BSD license with:

 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the Apache Group
 *    for use in the Apache HTTP server project (http://www.apache.org/)."

I'm not sure if that's suitable for Fedora, so I am placing this as blocked by FE-Legal.
Comment 23 Rahul Sundaram 2012-04-09 01:54:06 EDT
BSD with advertising is a free software license albeit GPL incompatible.  Acceptable for Fedora according to https://fedoraproject.org/wiki/Licensing:Main.  PJP,  do consult with upstream on whether they are willing to drop the advertising clause nevertheless.
Comment 24 Tom "spot" Callaway 2012-04-10 14:44:51 EDT
That license is actually ASL 1.0, which is Free but GPL-incompatible. Lifting FE-Legal.
Comment 25 pjp 2012-04-16 01:16:25 EDT
I wrote to upstream about the license issue more than a week ago, no reply yet.
Comment 26 pjp 2012-04-26 13:57:26 EDT
I wrote to upstream again, still no reply.
Comment 27 Michael Scherer 2012-04-27 04:05:20 EDT
Non-responsive upstream; that's not good :/
Comment 28 Matthias Runge 2012-10-18 08:23:15 EDT
Any progress here?
Comment 29 pjp 2012-10-27 03:18:00 EDT
(In reply to comment #28)
> Any progress here?

Nope, no reply from upstream.
Comment 30 pjp 2013-05-01 23:52:33 EDT
Another mail sent to upstream, waiting for reply.
Comment 31 pjp 2013-05-03 01:15:23 EDT
Upstream reply:
+-------------------------+
| sorry, but mysqlenum is old software that I do not maintain anymore;
| I do not recommend that you package it.
|
| Regards,
| Andrea