Spec URL: ftp://ftp.nohats.ca/sslsplit/sslsplit.spec
SRPM URL: ftp://ftp.nohats.ca/sslsplit/sslsplit-0.4.4-1.fc17.src.rpm

Description:
SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted network connections. Connections are transparently intercepted through a network address translation engine and redirected to SSLsplit. SSLsplit terminates SSL/TLS and initiates a new SSL/TLS connection to the original destination address, while logging all data transmitted. SSLsplit is intended to be useful for network forensics and penetration testing.

Fedora Account System Username: pwouters
Just some quick comments:
- rpm is taking care of the compression of the man pages.
- You are mixing macro style (%{buildroot}) and variable style ($RPM_OPT_FLAGS).
- 'install -Dp -m 0755 ...' instead of just cp looks nicer ;-)
Hi, could you document why make test is disabled (I assume because it requires root access, but then I wonder why the ecc test is disabled).
ecc is banned from Fedora/RHEL for legal (patent) reasons. I'll fix up the macro style and remove the compression. Though I think install is a little overkill :)
I will review this.
Spec URL: ftp://ftp.nohats.ca/sslsplit/sslsplit.spec
SRPM URL: ftp://ftp.nohats.ca/sslsplit/sslsplit-0.4.4-2.fc17.src.rpm

* Fri Jul 27 2012 Paul Wouters <pwouters> - 0.4.4-2
- Fix missing buildrequire for check-devel
- Run make check
- No need to compress man pages
- No mixing of macro styles
- When in a mock build, %check needs openssl, maybe that should be a BuildRequire?
- On a system with no IPv6 network, the tests fail:

Cannot resolve address '::1' port '10443': Name or service not known
Cannot resolve address '::1' port '10443': Name or service not known
Cannot resolve address '::1' port '10443': Name or service not known
...
97%: Checks: 105, Failures: 0, Errors: 3

- fedora-review output:

Package Review
==============

Key:
- = N/A
x = Pass
! = Fail
? = Not evaluated

==== C/C++ ====
[x]: MUST Header files in -devel subpackage, if present.
[x]: MUST Package does not contain any libtool archives (.la)
[x]: MUST Package does not contain kernel modules.
[x]: MUST Package contains no static executables.
[x]: MUST Rpath absent or only used for internal libs.

==== Generic ====
[x]: EXTRA Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).
[x]: EXTRA Spec file according to URL is the same as in SRPM.
[x]: MUST Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines.
[x]: MUST Package successfully compiles and builds into binary rpms on at least one supported primary architecture.
[x]: MUST %build honors applicable compiler flags or justifies otherwise.
[x]: MUST All build dependencies are listed in BuildRequires, except for any that are listed in the exceptions section of Packaging Guidelines.
[x]: MUST Buildroot is not present
     Note: Unless packager wants to package for EPEL5 this is fine
[x]: MUST Package contains no bundled libraries.
[x]: MUST Changelog in prescribed format.
[x]: MUST Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT)
     Note: Clean would be needed if support for EPEL is required
[x]: MUST Sources contain only permissible code or content.
[x]: MUST Each %files section contains %defattr if rpm < 4.4
     Note: Note: defattr macros not found. They would be needed for EPEL5
[x]: MUST Macros in Summary, %description expandable at SRPM build time.
[-]: MUST Package contains desktop file if it is a GUI application.
[-]: MUST Development files must be in a -devel package
[x]: MUST Package requires other packages for directories it uses.
[x]: MUST Package uses nothing in %doc for runtime.
[x]: MUST Package is not known to require ExcludeArch.
[x]: MUST Permissions on files are set properly.
[x]: MUST Package does not contain duplicates in %files.
[x]: MUST Package complies to the Packaging Guidelines
[x]: MUST Spec file lacks Packager, Vendor, PreReq tags.
[x]: MUST Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install.
     Note: rm -rf would be needed if support for EPEL5 is required
[x]: MUST Large documentation files are in a -doc subpackage, if required.
[-]: MUST If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %doc.
[x]: MUST License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses found: "BSD (2 clause)", "MIT/X11 (BSD like)" For detailed output of
[x]: MUST Package consistently uses macro is (instead of hard-coded directory names).
[x]: MUST Package is named using only allowed ascii characters.
[x]: MUST Package is named according to the Package Naming Guidelines.
[x]: MUST Package does not generate any conflict.
     Note: Package contains no Conflicts: tag(s)
[x]: MUST Package obeys FHS, except libexecdir and /usr/target.
[x]: MUST Package must own all directories that it creates.
[x]: MUST Package does not own files or directories owned by other packages.
[x]: MUST Package installs properly.
[x]: MUST Package is not relocatable.
[x]: MUST Requires correct, justified where necessary.
[x]: MUST Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: MUST Sources used to build the package match the upstream source, as provided in the spec URL.
[x]: MUST Spec file is legible and written in American English.
[x]: MUST Spec file name must match the spec package %{name}, in the format %{name}.spec.
[-]: MUST Package contains systemd file(s) if in need.
[x]: MUST File names are valid UTF-8.
[x]: MUST Useful -debuginfo package or justification otherwise.
[x]: SHOULD Reviewer should test that the package builds in mock.
[!]: SHOULD If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it.
[x]: SHOULD Dist tag is present.
[x]: SHOULD No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: SHOULD Final provides and requires are sane (rpm -q --provides and rpm -q --requires).
[?]: SHOULD Package functions as described.
[x]: SHOULD Latest version is packaged.
[x]: SHOULD Package does not include license text files separate from upstream.
[x]: SHOULD SourceX / PatchY prefixed with %{name}.
[x]: SHOULD SourceX is a working URL.
[-]: SHOULD Description and summary sections in the package spec file contains translations for supported Non-English languages, if available.
[x]: SHOULD Package should compile and build into binary rpms on all supported architectures.
[!]: SHOULD %check is present and all tests pass.
     Note: The checks fail on a system without IPv6 support
[x]: SHOULD Packages should try to preserve timestamps of original installed files.
[x]: SHOULD Spec use %global instead of %define.

Rpmlint
-------
Checking: sslsplit-debuginfo-0.4.4-2.fc18.x86_64.rpm
          sslsplit-0.4.4-2.fc18.src.rpm
          sslsplit-0.4.4-2.fc18.x86_64.rpm
sslsplit.src: W: spelling-error Summary(en_US) scalable -> salable, callable, calculable
sslsplit.src: W: spelling-error %description -l en_US netfilter -> net filter, net-filter, filterer
sslsplit.x86_64: W: spelling-error Summary(en_US) scalable -> salable, callable, calculable
sslsplit.x86_64: W: spelling-error %description -l en_US netfilter -> net filter, net-filter, filterer
sslsplit.x86_64: E: non-standard-executable-perm /usr/bin/sslsplit 0775L
sslsplit.x86_64: W: manual-page-warning /usr/share/man/man1/sslsplit.1.gz 395: warning: macro `HS' not defined
3 packages and 0 specfiles checked; 1 errors, 5 warnings.

Rpmlint (installed packages)
----------------------------
# rpmlint sslsplit
sslsplit.x86_64: I: enchant-dictionary-not-found en_US
sslsplit.x86_64: E: non-standard-executable-perm /usr/bin/sslsplit 0775L
sslsplit.x86_64: W: manual-page-warning /usr/share/man/man1/sslsplit.1.gz 395: warning: macro `HS' not defined
1 packages and 0 specfiles checked; 1 errors, 1 warnings.
# echo 'rpmlint-done:'

Requires
--------
sslsplit-debuginfo-0.4.4-2.fc18.x86_64.rpm (rpmlib, GLIBC filtered):

sslsplit-0.4.4-2.fc18.x86_64.rpm (rpmlib, GLIBC filtered):
    iproute
    iptables
    libc.so.6()(64bit)
    libcrypto.so.10()(64bit)
    libcrypto.so.10(OPENSSL_1.0.1)(64bit)
    libcrypto.so.10(libcrypto.so.10)(64bit)
    libevent-2.0.so.5()(64bit)
    libevent_openssl-2.0.so.5()(64bit)
    libevent_pthreads-2.0.so.5()(64bit)
    libpthread.so.0()(64bit)
    libssl.so.10()(64bit)
    libssl.so.10(libssl.so.10)(64bit)
    rtld(GNU_HASH)

Provides
--------
sslsplit-debuginfo-0.4.4-2.fc18.x86_64.rpm:
    sslsplit-debuginfo = 0.4.4-2.fc18
    sslsplit-debuginfo(x86-64) = 0.4.4-2.fc18

sslsplit-0.4.4-2.fc18.x86_64.rpm:
    sslsplit = 0.4.4-2.fc18
    sslsplit(x86-64) = 0.4.4-2.fc18

MD5-sum check
-------------
http://mirror.roe.ch/rel/sslsplit/sslsplit-0.4.4.tar.bz2 :
  MD5SUM this package     : db3a32e0d3bf69ac3f4d95ce540dbc75
  MD5SUM upstream package : db3a32e0d3bf69ac3f4d95ce540dbc75

Generated by fedora-review 0.2.0 (53cc903) last change: 2012-07-09
Please note: fedora-review was done on an SRPM where I removed the call to make check, since my system does not have IPv6 connectivity.
I just noticed I forgot one very important thing, which I think is really dangerous:
- Sed lines in the spec file. If the upstream sources change, this could break quite easily without anyone noticing. I would suggest using a patch file, since they just fail to apply (and thus fail to build the RPM) if there is something changed, so the maintainer will take a look at the build logs.
True, and a proper patch could be sent upstream (with, for example, autodetection of the supported ciphers, or a switch somewhere). But on the other hand, I think we cannot blame anyone for not wanting to touch the makefile :)
Created attachment 600749
A proposed patch to replace the sed line

I created this patch by just applying the sed line to a local directory. My suggestion would be to use something like this.
The sed lines usually fix a problem, so it won't silently cause something to break. It will generally explode building if failed. I like it because I don't have to create a trivial patchlet. Also it will never be submitted upstream, as it removes ECC functionality, which is our own legal "problem", not upstream's.

openssl is already a buildrequire, mock builds work fine for me.

Fixed binary permissions from 775 to 755.

I'm not sure I understand the ipv6 problem. On a stock Fedora install it seems to work even if no ipv6 is there. It builds/tests for me on a system that does not have ipv6 enabled in /etc/sysconfig/network.

Spec URL: ftp://ftp.nohats.ca/sslsplit/sslsplit.spec
SRPM URL: ftp://ftp.nohats.ca/sslsplit/sslsplit-0.4.4-3.fc17.src.rpm
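The sed-versus-patch discussion above, as an added shell example that is not from the sslsplit spec, the attached patch, or upstream. The Makefile contents and the sed expression are constructed stand-ins (a hypothetical FEATURES line carrying a -DWITH_ECC flag), not sslsplit's. It shows the two failure modes side by side: a bare sed in %prep exits 0 and leaves the file untouched when upstream renames the line, while the same edit followed by a post-condition check fails the build the way a non-applying patch does. It also produces the patch file the way the attachment was made, by applying the edit to a copy and diffing it against the original tree.

```shell
#!/bin/sh
# Added example, not part of the sslsplit package. Makefile lines and the sed
# pattern are constructed for illustration; sslsplit's real Makefile differs.

# Constructed stand-in for the upstream Makefile at the time the sed was written.
write_makefile_v1() {
    cat > "$1" <<'EOF'
CFLAGS+= -O2
FEATURES+= -DWITH_ECC
all: sslsplit
EOF
}

# Constructed stand-in for a later release where upstream renamed the variable.
write_makefile_v2() {
    cat > "$1" <<'EOF'
CFLAGS+= -O2
CONFIG+= -DWITH_ECC
all: sslsplit
EOF
}

# Bare form, as a spec %prep would carry it: sed exits 0 whether or not the
# address matched, so a drifted upstream leaves ECC enabled with no signal.
sed_unguarded() {
    sed -i -e '/^FEATURES+= -DWITH_ECC$/d' "$1"
}

# Guarded form: same edit, then assert the post-condition. A non-match now
# returns non-zero, which stops rpmbuild just like a failed %patch would.
sed_guarded() {
    sed -i -e '/^FEATURES+= -DWITH_ECC$/d' "$1" || return 1
    if grep -q -- '-DWITH_ECC' "$1"; then
        echo "error: -DWITH_ECC still present in $1; upstream Makefile changed?" >&2
        return 1
    fi
    return 0
}

# Turn the sed into a real patch: edit a copy of the tree and diff it against
# the pristine one. Output is a -p1 style unified diff on stdout.
make_patch() {
    dir=$(mktemp -d)
    mkdir -p "$dir/a" "$dir/b"
    write_makefile_v1 "$dir/a/Makefile"
    cp "$dir/a/Makefile" "$dir/b/Makefile"
    sed_guarded "$dir/b/Makefile" || return 1
    # diff exits 1 when the files differ, which is the expected outcome here.
    (cd "$dir" && diff -u a/Makefile b/Makefile) || true
    rm -rf "$dir"
}

# Run both forms against the drifted (v2) Makefile and report what happens.
demo() {
    f=$(mktemp)
    write_makefile_v2 "$f"
    if sed_unguarded "$f"; then
        echo "unguarded sed: exit 0, file untouched, nobody notices"
    fi
    if sed_guarded "$f"; then
        :
    else
        echo "guarded sed: exit $?, build stops here"
    fi
    rm -f "$f"
    echo "generated patch:"
    make_patch
}

demo
```

The guarded form keeps the convenience Paul describes (no patch file to carry) while giving the build-breaking property Patrick wants; the diff output from make_patch is what you would save as Patch0 if you prefer the patch route.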
I cannot reproduce the 'openssl missing' bug anymore, I guess that was a temporary hiccup of my mock root.

About the IPv6 problem: I guess that's because this is a system that is configured to use IPv6, but has not received an IPv6 address. I just tried it again, and still cannot finish the tests, and thus not build the RPM, both with and without mock. The error lines:

Cannot resolve address '::1' port '10443': Name or service not known
Cannot resolve address '::1' port '10443': Name or service not known
Cannot resolve address '::1' port '10443': Name or service not known
...
97%: Checks: 105, Failures: 0, Errors: 3
opts.t.c:96:E:proxyspec_parse:proxyspec_parse_02:0: (after this point) Early exit with return value 1
opts.t.c:298:E:proxyspec_parse:proxyspec_parse_13:0: (after this point) Early exit with return value 1
opts.t.c:331:E:proxyspec_parse:proxyspec_parse_14:0: (after this point) Early exit with return value 1

The "Name or service not known" gets verified by "ping ::1": "ping: unknown host ::1"
I'm still confused about this error. I'll have a closer look. Btw, don't use ping but ping6:

[paul@bofh ~]$ ping6 ::1
PING ::1(::1) 56 data bytes
64 bytes from ::1: icmp_seq=1 ttl=64 time=0.020 ms
64 bytes from ::1: icmp_seq=2 ttl=64 time=0.044 ms
I can reproduce this even with a completely new, both Minimal and Graphical Desktop, installation of F17. The only commands ever executed on this VM after installation are:

sudo yum install -y ccache mock wget
wget ftp://ftp.nohats.ca/sslsplit/sslsplit-0.4.4-3.fc17.src.rpm
mock sslsplit-0.4.4-3.fc17.src.rpm

And when I read the /var/lib/mock/fedora-17-x86_64/result/build.log, I get the exact same errors. Again, this is a system that has no IPv6 connectivity whatsoever, the only IPv6 address it has is the fe80:... address.
Make check also fails if the building machine has no connection to the internet, as it tries to test itself by reaching the website of the creator. This is a problem on Koji, as the builders appear to have no connectivity to the outside world, so any Koji build will fail currently. This also makes the build dependent on the website of the author, which may or may not be desirable (what would happen if the author would cancel his domain name somewhere in the future?).

Proof: https://koji.fedoraproject.org/koji/taskinfo?taskID=4340467

I would suggest either removing the tests connecting to the internet, and making the IPv6 tests conditional on connectivity, or just disabling make check completely for the moment.
Spec URL: ftp://ftp.nohats.ca/sslsplit/sslsplit.spec
SRPM URL: ftp://ftp.nohats.ca/sslsplit/sslsplit-0.4.4-4.fc17.src.rpm

Totally missed that. Commented out the make test section with a comment.
Since this version successfully builds, even in Koji, and I see no other problems anymore as it seems to be working correctly, I declare this package to be APPROVED.
New Package SCM Request
=======================
Package Name: sslsplit
Short Description: Transparent and scalable SSL/TLS interception
Owners: pwouters
Branches: f17 el6
InitialCC:
Patrick, please re-set review-flag to +.
Done, although I don't know why it wasn't, as I had left it on +. I have also raised the CVS flag again.
Git done (by process-git-requests). Thanks, I think it's a Bugzilla issue, and there's already a Trac on it if I'm not mistaken.
sslsplit-0.4.4-4.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/sslsplit-0.4.4-4.fc17
Note: the EL branch cannot build because we actually require libevent >= 2.0 and EL only has 1.x.
sslsplit-0.4.4-4.fc17 has been pushed to the Fedora 17 testing repository.
sslsplit-0.4.4-4.fc17 has been pushed to the Fedora 17 stable repository.
Package Change Request
======================
Package Name: sslsplit
New Branches: epel7
Owners: pwouters
InitialCC:
Git done (by process-git-requests).
sslsplit-0.4.8-3.el7 has been submitted as an update for Fedora EPEL 7. https://admin.fedoraproject.org/updates/sslsplit-0.4.8-3.el7
sslsplit-0.4.8-3.el7 has been pushed to the Fedora EPEL 7 stable repository.