Bug 816975 - Review Request: mod_security_crs - ModSecurity Rules
Review Request: mod_security_crs - ModSecurity Rules
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Marcela Mašláňová
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-04-27 07:29 EDT by Peter Vrabec
Modified: 2012-08-27 21:15 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-05-07 08:14:21 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
mmaslano: fedora‑review+
limburgher: fedora‑cvs+


Attachments (Terms of Use)

  None (edit)
Description Peter Vrabec 2012-04-27 07:29:50 EDT
Spec URL: http://people.redhat.com/pvrabec/mod_security/mod_security_crs.spec
SRPM URL: http://people.redhat.com/pvrabec/mod_security/mod_security_crs-2.2.4-1.fc16.src.rpm
Description: This package provides the base rules for mod_security.
Comment 1 Peter Vrabec 2012-04-27 07:37:25 EDT
Upgraded mod_security package, which is not available in repo yet, is required to install/test the rule set.

http://people.redhat.com/pvrabec/mod_security/mod_security-2.6.5-2.fc16.src.rpm
Comment 2 Peter Vrabec 2012-04-27 07:41:45 EDT
$ rpmlint /home/pvrabec/rpmbuild/SRPMS/mod_security_crs-2.2.4-1.fc16.src.rpm
mod_security_crs.src:35: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/base_rules
mod_security_crs.src:36: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/optional_rules
mod_security_crs.src:37: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/experimental_rules
mod_security_crs.src:38: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/slr_rules
mod_security_crs.src:41: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/base_rules/
mod_security_crs.src:42: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/optional_rules/
mod_security_crs.src:43: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/experimental_rules/
mod_security_crs.src:44: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/slr_rules
mod_security_crs.src:47: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/base_rules/`
mod_security_crs.src:48: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/base_rules/$f
mod_security_crs.src:60: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/base_rules
mod_security_crs.src:63: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/optional_rules
mod_security_crs.src:64: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/experimental_rules
mod_security_crs.src:65: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/slr_rules
1 packages and 0 specfiles checked; 14 errors, 0 warnings.

I suppose this is OK - according to the latest systemd trends.
Comment 3 Marcela Mašláňová 2012-04-27 08:02:37 EDT
Could you create mod_security review in bugzilla and add the number into "depends on" in this review?

I'll look at it.
Comment 4 Marcela Mašláňová 2012-04-27 09:18:59 EDT
Package Review
==============

Key:
- = N/A
x = Pass
! = Fail
? = Not evaluated



==== Generic ====
[!]: MUST Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[x]: MUST Package successfully compiles and builds into binary rpms on at
     least one supported primary architecture.
[-]: MUST %build honors applicable compiler flags or justifies otherwise.
[x]: MUST All build dependencies are listed in BuildRequires, except for any
     that are listed in the exceptions section of Packaging Guidelines.
[!]: MUST Buildroot is not present
     Note: Buildroot is not needed unless packager plans to package for EPEL5
[x]: MUST Package contains no bundled libraries.
[x]: MUST Changelog in prescribed format.
[!]: MUST Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
     Note: Clean is needed only if supporting EPEL
[x]: MUST Sources contain only permissible code or content.
[x]: MUST %config files are marked noreplace or the reason is justified.
[x]: MUST Each %files section contains %defattr if rpm < 4.4
     Note: Note: defattr macros not found. They would be needed for EPEL5
[x]: MUST Macros in Summary, %description expandable at SRPM build time.
[!]: MUST Package requires other packages for directories it uses.
[x]: MUST Package uses nothing in %doc for runtime.
[-]: MUST Package is not known to require ExcludeArch.
[x]: MUST Permissions on files are set properly.
[x]: MUST Package does not contain duplicates in %files.
[x]: MUST Fully versioned dependency in subpackages, if present.
[x]: MUST Spec file lacks Packager, Vendor, PreReq tags.
[!]: MUST Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
     Note: rm -rf is only needed if supporting EPEL5
[-]: MUST Large documentation files are in a -doc subpackage, if required.
[x]: MUST If (and only if) the source package includes the text of the
     license(s) in its own file, then that file, containing the text of the
     license(s) for the package is included in %doc.
[x]: MUST License field in the package spec file matches the actual license.
[x]: MUST License file installed when any subpackage combination is installed.
[x]: MUST Package consistently uses macros (instead of hard-coded directory
     names).
[x]: MUST Package is named according to the Package Naming Guidelines.
[x]: MUST No %config files under /usr.
[x]: MUST Package does not generate any conflict.
[ ]: MUST Package obeys FHS, except libexecdir and /usr/target.
[x]: MUST Package must own all directories that it creates.
[x]: MUST Package does not own files or directories owned by other packages.
[ ]: MUST Package installs properly.
[!]: MUST Requires correct, justified where necessary.
[!]: MUST Rpmlint output is silent.

rpmlint mod_security_crs-2.2.4-1.fc18.src.rpm

rpmlint mod_security_crs-2.2.4-1.fc18.src.rpm

mod_security_crs.src:35: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/base_rules
mod_security_crs.src:36: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/optional_rules
mod_security_crs.src:37: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/experimental_rules
mod_security_crs.src:38: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/slr_rules
mod_security_crs.src:41: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/base_rules/
mod_security_crs.src:42: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/optional_rules/
mod_security_crs.src:43: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/experimental_rules/
mod_security_crs.src:44: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/slr_rules
mod_security_crs.src:47: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/base_rules/`
mod_security_crs.src:48: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/base_rules/$f
mod_security_crs.src:60: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/base_rules
mod_security_crs.src:63: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/optional_rules
mod_security_crs.src:64: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/experimental_rules
mod_security_crs.src:65: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/slr_rules
1 packages and 0 specfiles checked; 14 errors, 0 warnings.


rpmlint mod_security_crs-2.2.4-1.fc18.noarch.rpm

mod_security_crs.noarch: W: only-non-binary-in-usr-lib
mod_security_crs.noarch: W: install-file-in-docs /usr/share/doc/mod_security_crs-2.2.4/INSTALL
1 packages and 0 specfiles checked; 0 errors, 2 warnings.


rpmlint mod_security_crs-extras-2.2.4-1.fc18.noarch.rpm

mod_security_crs-extras.noarch: W: only-non-binary-in-usr-lib
mod_security_crs-extras.noarch: W: no-documentation
1 packages and 0 specfiles checked; 0 errors, 2 warnings.


[!]: MUST Sources used to build the package match the upstream source, as
     provided in the spec URL.
/home/marca/Development/816975/modsecurity-crs_2.2.4.tar.gz :
  MD5SUM this package     : 160321534ba4859ccdb04ae1648fb51d
  MD5SUM upstream package : 62179bdbe8304e997ff206cb3bf62f12

[x]: MUST Spec file is legible and written in American English.
[x]: MUST Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[-]: MUST Package contains a SysV-style init script if in need of one.
[x]: MUST File names are valid UTF-8.
[-]: MUST Useful -debuginfo package or justification otherwise.
[x]: SHOULD Reviewer should test that the package builds in mock.
[x]: SHOULD If the source package does not include license text(s) as a
     separate file from upstream, the packager SHOULD query upstream to
     include it.
[x]: SHOULD Dist tag is present.
[!]: SHOULD No file requires outside of /etc, /bin, /sbin, /usr/bin,
     /usr/sbin.
[!]: SHOULD Final provides and requires are sane (rpm -q --provides and rpm -q
     --requires).
[x]: SHOULD Package functions as described.
[x]: SHOULD Latest version is packaged.
[x]: SHOULD Package does not include license text files separate from
     upstream.
[x]: SHOULD SourceX is a working URL.
[-]: SHOULD Description and summary sections in the package spec file contains
     translations for supported Non-English languages, if available.
[x]: SHOULD Package should compile and build into binary rpms on all supported
     architectures.
[x]: SHOULD Package should compile and build into binary rpms on all supported
     architectures.
[x]: SHOULD %check is present and all tests pass.
[x]: SHOULD Packages should try to preserve timestamps of original installed
     files.
[x]: SHOULD Spec use %global instead of %define.

Issues:
[!]: MUST Buildroot is not present
     Note: Buildroot is not needed unless packager plans to package for EPEL5
See: http://fedoraproject.org/wiki/Packaging/Guidelines#BuildRoot_tag
[!]: MUST Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
     Note: Clean is needed only if supporting EPEL
See: http://fedoraproject.org/wiki/Packaging/Guidelines#.25clean
[!]: MUST Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
     Note: rm -rf is only needed if supporting EPEL5
See: None
[!]: MUST Rpmlint output is silent.

rpmlint mod_security_crs-2.2.4-1.fc18.src.rpm

mod_security_crs.src:35: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/base_rules
mod_security_crs.src:36: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/optional_rules
mod_security_crs.src:37: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/experimental_rules
mod_security_crs.src:38: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/slr_rules
mod_security_crs.src:41: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/base_rules/
mod_security_crs.src:42: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/optional_rules/
mod_security_crs.src:43: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/experimental_rules/
mod_security_crs.src:44: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/slr_rules
mod_security_crs.src:47: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/base_rules/`
mod_security_crs.src:48: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/base_rules/$f
mod_security_crs.src:60: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/base_rules
mod_security_crs.src:63: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/optional_rules
mod_security_crs.src:64: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/experimental_rules
mod_security_crs.src:65: E: hardcoded-library-path in %{_prefix}/lib/modsecurity.d/slr_rules
1 packages and 0 specfiles checked; 14 errors, 0 warnings.

Why are you using modsecurity.d instead of modesecurity? We can discuss it later, because there are
loads of other problems.

rpmlint mod_security_crs-2.2.4-1.fc18.noarch.rpm

mod_security_crs.noarch: W: only-non-binary-in-usr-lib
mod_security_crs.noarch: W: install-file-in-docs /usr/share/doc/mod_security_crs-2.2.4/INSTALL
1 packages and 0 specfiles checked; 0 errors, 2 warnings.


rpmlint mod_security_crs-extras-2.2.4-1.fc18.noarch.rpm

mod_security_crs-extras.noarch: W: only-non-binary-in-usr-lib
mod_security_crs-extras.noarch: W: no-documentation
1 packages and 0 specfiles checked; 0 errors, 2 warnings.


See: http://fedoraproject.org/wiki/Packaging/Guidelines#rpmlint
[!]: MUST Sources used to build the package match the upstream source, as
     provided in the spec URL.
/home/marca/Development/816975/modsecurity-crs_2.2.4.tar.gz :
  MD5SUM this package     : 160321534ba4859ccdb04ae1648fb51d
  MD5SUM upstream package : 62179bdbe8304e997ff206cb3bf62f12
See: http://fedoraproject.org/wiki/Packaging/SourceURL

The path to Perl differs in every script. Replace /opt/usr/local/perl by /usr/bin/perl in spec in the install section.
Same problem with lua scripts. Use the default installation, not /opt.

Not sure if you don't need set requires lua. It's in BR, but I'm not sure how it is with run time.
You are surely missing requires on Perl modules. You need to require them for full functionality of those scripts:
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
Requires: perl(XMLRPC::Lite), perl(HTTP::Cookies), Time::Local, Sys::Hostname, LWP::UserAgent, LWP::Debug, URI, HTTP::Date, Cwd, Getopt::Std, IO::File, IO::Socket, IO::Select, HTTP::Request, HTTP::Response, Safe, Storable, Getopt::Long, Pod::Usage, FindBin, Data::Dumper, Sys::Hostname, Data::Types, Switch (all of these will have perl(XXX) around).
non-mandatory: perl(GnuPG)

Unresolved dependency: mod_security >= 2.6.5

The description is not descriptive enough. It's not obvious what is mod_security doing.

The deffattr attribute is needed in EL-5 and older. Fix it to correct %defattr (-,root,root,-) or remove it.

License: I wonder where you get GPLv2. In License file and in code is only ASL 2.0.


Generated by fedora-review 0.1.3
External plugins:
Comment 5 Peter Vrabec 2012-05-03 05:05:21 EDT
updated package is available here:
Spec URL: http://people.redhat.com/pvrabec/mod_security/mod_security_crs.spec
SRPM URL: http://people.redhat.com/pvrabec/mod_security/mod_security_crs-2.2.4-2.fc16.src.rpm

Some issues that you mentioned are fixed.

What is not fixed?

* MD5SUM this package     : 160321534ba4859ccdb04ae1648fb51d
  MD5SUM upstream package : 62179bdbe8304e997ff206cb3bf62f12
This must be bug in fedora-review tool. :) I have double checked the sources from upstream and it was OK.

* "Why are you using modsecurity.d instead of modesecurity?"
I'm inclined to "modsecurity.d" for these reasons:
- upstream prefers .d
- we used to put rules files in .d directory
- a main package (mod_security) use /etc/httpd/modsecurity.d/ for rules

* perl and lua dependencies are not relevant because we don't ship any scripts in the package.

* mod_security >= 2.6.5 & mod_security review
mod_security-2.6.5 is already available in rawhide. The review is not needed.


I hope the rest is OK. thnx. for the review.
Comment 6 Marcela Mašláňová 2012-05-03 08:42:57 EDT
(In reply to comment #5)
> updated package is available here:
> Spec URL: http://people.redhat.com/pvrabec/mod_security/mod_security_crs.spec
> SRPM URL:
> http://people.redhat.com/pvrabec/mod_security/mod_security_crs-2.2.4-2.fc16.src.rpm
> 
> Some issues that you mentioned are fixed.
> 
> What is not fixed?
> 
> * MD5SUM this package     : 160321534ba4859ccdb04ae1648fb51d
>   MD5SUM upstream package : 62179bdbe8304e997ff206cb3bf62f12
> This must be bug in fedora-review tool. :) I have double checked the sources
> from upstream and it was OK.
> 
I filed a bug https://fedorahosted.org/FedoraReview/ticket/49

> * "Why are you using modsecurity.d instead of modesecurity?"
> I'm inclined to "modsecurity.d" for these reasons:
> - upstream prefers .d
> - we used to put rules files in .d directory
> - a main package (mod_security) use /etc/httpd/modsecurity.d/ for rules
> 
OK.

> * perl and lua dependencies are not relevant because we don't ship any scripts
> in the package.
> 
OK.

> * mod_security >= 2.6.5 & mod_security review
> mod_security-2.6.5 is already available in rawhide. The review is not needed.
> 
> 
> I hope the rest is OK. thnx. for the review.

OK.

APPROVED
Comment 7 Peter Vrabec 2012-05-03 11:13:40 EDT
New Package SCM Request
=======================
Package Name: mod_security_crs
Short Description: ModSecurity Rules
Owners: pvrabec
Branches: f17
InitialCC:
Comment 8 Gwyn Ciesla 2012-05-03 11:21:41 EDT
Git done (by process-git-requests).
Comment 9 Athmane Madjoudj 2012-08-23 12:07:47 EDT
I'd like to maintain a epel branch of this packages (required by mod_security)
Comment 10 Athmane Madjoudj 2012-08-23 12:08:57 EDT
Package Change Request
======================
Package Name: mod_security_crs
New Branches: el5 el6
Owners: athmane
Comment 11 Gwyn Ciesla 2012-08-23 12:35:55 EDT
Peter, any objections?
Comment 12 Peter Vrabec 2012-08-27 07:00:03 EDT
No objections, I'm very happy to see Athmane's effort.
Comment 13 Athmane Madjoudj 2012-08-27 17:18:15 EDT
Package Change Request
======================
Package Name: mod_security_crs
New Branches: el5 el6
Owners: athmane
Comment 14 Gwyn Ciesla 2012-08-27 21:15:37 EDT
Git done (by process-git-requests).

Note You need to log in before you can comment on or make changes to this bug.