Bug 840602 - Review Request: maradns - Authoritative and recursive DNS server made with security in mind
Review Request: maradns - Authoritative and recursive DNS server made with se...
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Tomasz Torcz
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-07-16 12:54 EDT by Tomasz Torcz
Modified: 2012-12-02 22:24 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-12-02 22:24:03 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
casper: fedora‑review+
limburgher: fedora‑cvs+


Attachments (Terms of Use)
.spec changes (5.76 KB, patch)
2012-10-22 12:45 EDT, Tomasz Torcz
no flags Details | Diff

  None (edit)
Description Tomasz Torcz 2012-07-16 12:54:24 EDT
Spec URL: http://ttorcz.fedorapeople.org/maradns.spec
SRPM URL: http://ttorcz.fedorapeople.org/maradns-2.0.06-1.fc17.src.rpm
Description: MaraDNS is a package that implements the Domain Name Service (DNS), an essential internet service. MaraDNS has the following advantages:
        * Secure.
        * Supported.
        * Easy to use.
        * Small.
        * Open Source.

Fedora Account System Username: ttorcz

I'd like to revive package which got removed in February. I've based this spec on previously packaged maradns-1.3, which is beyond end of life. Thus, upgrade to 2.0.
Comment 1 Matthieu Saulnier 2012-08-07 13:38:37 EDT
Hello, sorry for the latence.
Some remarks:

* Don't add systemd unit files using a patch, add them using Source1,
  Source2 and Source3 tags. However, your patch is good to modify
  build/install.sh file properly.

* Group tag is useless, you can remove it.
  https://fedoraproject.org/wiki/Packaging:Guidelines#Group_tag

* Use "make" instead of %{__make}, "install" instead of %{__install},
  "rm" instead of %{__rm}, and "sed" instead of %{__sed}.
  https://fedoraproject.org/wiki/Packaging:Guidelines#Macros

* You can remove the script in %install section:
    %{__rm} CHANGELOG CREDITS FAQ
    ln -fs en/changelog.txt CHANGELOG
    ln -fs en/credits.txt CREDITS
    ln -fs en/faq.txt FAQ
  Because these files are already symbolic links:
    $ file CHANGELOG CREDITS FAQ
    CHANGELOG: symbolic link to `doc/en/changelog.txt'
    CREDITS:   symbolic link to `doc/en/credits.txt'
    FAQ:       symbolic link to `doc/en/faq.txt'

* There is some duplicate files in the rpm with the actual %doc line, it
  would better like this:
    %doc COPYING doc/en/changelog.txt doc/en/credits.txt doc/en/faq.txt doc/en/{examples,tutorial,webpage}

* You can remove "%doc maradns.gpg.key" line, the source tarball is not
  signed.

* In %post section, you can replace 's/\/etc\/deadwood/\/var\/cache\/deadwood/'
  by 's@/etc/deadwood@/var/cache/deadwood@'
Comment 2 Tomasz Torcz 2012-08-21 08:29:04 EDT
Thanks you for remarks. I've incorporated suggestions into .spec. I'd like to continue using Patch0, as this patch was submitted upstream - I've added a note to .spec.

Spec URL: http://ttorcz.fedorapeople.org/maradns.spec
SRPM URL: http://ttorcz.fedorapeople.org/maradns-2.0.06-2.fc17.src.rpm
Scratch : http://koji.fedoraproject.org/koji/taskinfo?taskID=4409540
Comment 3 Tomasz Torcz 2012-09-13 04:09:51 EDT
Ping? Can we continue?
Comment 4 Matthieu Saulnier 2012-10-16 08:50:48 EDT
Package Review
==============

Key:
[x] = Pass
[!] = Fail
[-] = Not applicable
[?] = Not evaluated
[ ] = Manual review needed



===== MUST items =====

C/C++:
[x]: Header files in -devel subpackage, if present.
[x]: Package does not contain any libtool archives (.la)
[x]: Package does not contain kernel modules.
[x]: Package contains no static executables.
[x]: Rpath absent or only used for internal libs.

Generic:
[x]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[x]: Package successfully compiles and builds into binary rpms on at least one
     supported primary architecture.
[x]: %build honors applicable compiler flags or justifies otherwise.
[x]: All build dependencies are listed in BuildRequires, except for any that
     are listed in the exceptions section of Packaging Guidelines.
[x]: Package contains no bundled libraries.
[x]: Changelog in prescribed format.
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
[x]: Sources contain only permissible code or content.
[x]: %config files are marked noreplace or the reason is justified.
[-]: Each %files section contains %defattr if rpm < 4.4
[x]: Macros in Summary, %description expandable at SRPM build time.
[-]: Package contains desktop file if it is a GUI application.
[-]: Development files must be in a -devel package
[x]: Package requires other packages for directories it uses.
[x]: Package uses nothing in %doc for runtime.
[x]: Package is not known to require ExcludeArch.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package complies to the Packaging Guidelines
[x]: Spec file lacks Packager, Vendor, PreReq tags.
[-]: Large documentation files are in a -doc subpackage, if required.
[x]: If (and only if) the source package includes the text of the license(s)
     in its own file, then that file, containing the text of the license(s)
     for the package is included in %doc.
[x]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses found:
     "BSD (2 clause)", "Unknown or generated". 2 files have unknown license.
     Detailed output of licensecheck in
     /home/test/840602-maradns/licensecheck.txt
[x]: Package consistently uses macro is (instead of hard-coded directory
     names).
[x]: Package is named using only allowed ASCII characters.
[x]: Package is named according to the Package Naming Guidelines.
[x]: No %config files under /usr.
[x]: Package does not generate any conflict.
     Note: Package contains no Conflicts: tag(s)
[x]: Package do not use a name that already exist
     Note: Couldn't connect to PackageDB, check manually
[x]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[x]: Package must own all directories that it creates.
[x]: Package does not own files or directories owned by other packages.
[x]: Package installs properly.
[x]: Package is not relocatable.
[x]: Requires correct, justified where necessary.
[x]: CheckResultdir
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: Sources used to build the package match the upstream source, as provided
     in the spec URL.
[x]: Spec file is legible and written in American English.
[x]: Spec file name must match the spec package %{name}, in the format
[x]: Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[x]: Package contains systemd file(s) if in need.
[x]: File names are valid UTF-8.
[x]: Useful -debuginfo package or justification otherwise.

===== SHOULD items =====

Generic:
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
[-]: If the source package does not include license text(s) as a separate file
     from upstream, the packager SHOULD query upstream to include it.
[x]: Dist tag is present.
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Final provides and requires are sane (rpm -q --provides and rpm -q
     --requires).
[x]: Package functions as described.
[x]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[x]: Patches link to upstream bugs/comments/lists or are otherwise justified.
[-]: The placement of pkgconfig(.pc) files are correct.
[x]: Scriptlets must be sane, if used.
[x]: SourceX tarball generation or download is documented.
[!]: SourceX / PatchY prefixed with %{name}.
     Note: Patch0 (0001-add-systemd-unit-files-Fedora-15-and-later-
     RHEL7.patch) Source0 (maradns-2.0.06.tar.xz)
[x]: SourceX is a working URL.
[-]: Description and summary sections in the package spec file contains
     translations for supported Non-English languages, if available.
[x]: Package should compile and build into binary rpms on all supported
     architectures.
[-]: %check is present and all tests pass.
[!]: Packages should try to preserve timestamps of original installed files.
Add -p option on "install" commands lines in %%install section
[x]: Spec use %global instead of %define.

===== EXTRA items =====
Generic:
[x]: Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).
[!]: Spec file according to URL is the same as in SRPM.
     Note: Spec file as given by url is not the same as in SRPM (see attached
     diff).


Rpmlint
-------
Checking: maradns-2.0.06-2.fc17.src.rpm
          maradns-debuginfo-2.0.06-2.fc17.x86_64.rpm
          maradns-2.0.06-2.fc17.x86_64.rpm
maradns.src: W: invalid-url URL: http://www.maradns.org/ <urlopen error [Errno -2] Name or service not known>
maradns.src:41: W: configure-without-libdir-spec
maradns.x86_64: W: only-non-binary-in-usr-lib
maradns.x86_64: W: non-standard-uid /etc/maradns/logger maradns
maradns.x86_64: W: non-standard-gid /etc/maradns/logger maradns
maradns.x86_64: W: non-standard-uid /etc/maradns maradns
maradns.x86_64: W: non-standard-gid /etc/maradns maradns
maradns.x86_64: W: non-standard-uid /var/cache/deadwood maradns
maradns.x86_64: W: non-standard-gid /var/cache/deadwood maradns
3 packages and 0 specfiles checked; 0 errors, 9 warnings.

Add "--libdir=%{_libdir}" option in configure line just to fix configure-without-libdir-spec warning
Nothing to do for other warnings


Rpmlint (installed packages)
----------------------------
# rpmlint maradns-debuginfo maradns
maradns.x86_64: W: only-non-binary-in-usr-lib
maradns.x86_64: W: non-standard-uid /etc/maradns/logger maradns
maradns.x86_64: W: non-standard-gid /etc/maradns/logger maradns
maradns.x86_64: W: non-standard-uid /etc/maradns maradns
maradns.x86_64: W: non-standard-gid /etc/maradns maradns
maradns.x86_64: W: non-standard-uid /var/cache/deadwood maradns
maradns.x86_64: W: non-standard-gid /var/cache/deadwood maradns
2 packages and 0 specfiles checked; 0 errors, 7 warnings.
# echo 'rpmlint-done:'

Nothing to do


Diff spec file in url and in SRPM
---------------------------------
--- /home/test/840602-maradns/srpm/maradns.spec 2012-10-16 13:17:19.756112818 +0200
+++ /home/test/840602-maradns/srpm-unpacked/maradns.spec        2012-10-16 13:17:22.398114008 +0200
@@ -173,5 +173,5 @@

 %changelog
-* Tue Aug 21 2012 Tomasz Torcz <ttorcz@fedoraproject.org> - 2.0.06-2
+* Tue Aug 21 2012 Tomasz Torcz <ttorcz@fedoraproject.org - 2.0.06-2
 - provide link to patch sent upstream
 - review remarks:
@@ -182,4 +182,4 @@
   - be more specific in doc line

-* Mon Jul 16 2012 Tomasz Torcz <ttorcz@fedoraproject.org> - 2.0.06-1
+* Mon Jul 16 2012 Tomasz Torcz <ttorcz@fedoraproject.org - 2.0.06-1
 - initial package for 2.0 branch


Requires
--------
maradns-debuginfo-2.0.06-2.fc17.x86_64.rpm (rpmlib, GLIBC filtered):


maradns-2.0.06-2.fc17.x86_64.rpm (rpmlib, GLIBC filtered):

    /bin/sh
    config(maradns) = 2.0.06-2.fc17
    libc.so.6()(64bit)
    librt.so.1()(64bit)
    rtld(GNU_HASH)
    shadow-utils
    systemd-units


Provides
--------
maradns-debuginfo-2.0.06-2.fc17.x86_64.rpm:

    maradns-debuginfo = 2.0.06-2.fc17
    maradns-debuginfo(x86-64) = 2.0.06-2.fc17

maradns-2.0.06-2.fc17.x86_64.rpm:

    config(maradns) = 2.0.06-2.fc17
    maradns = 2.0.06-2.fc17
    maradns(x86-64) = 2.0.06-2.fc17



MD5-sum check
-------------
http://www.maradns.org/download/2.0/2.0.06/maradns-2.0.06.tar.xz :
  CHECKSUM(SHA256) this package     : 8454493255b5ac794312f24a2944edc0187e2ce4067131aed6b7de058160e17b
  CHECKSUM(SHA256) upstream package : 8454493255b5ac794312f24a2944edc0187e2ce4067131aed6b7de058160e17b


Generated by fedora-review 0.3.0 (c78e275) last change: 2012-09-24
Buildroot used: fedora-17-x86_64
Command line :/usr/bin/fedora-review -b 840602 -v
Comment 5 Tomasz Torcz 2012-10-22 12:45:59 EDT
Created attachment 631638 [details]
.spec changes

Thank you. Please see -3 with issues fixed.

Spec URL: http://ttorcz.fedorapeople.org/maradns.spec
SRPM URL: http://ttorcz.fedorapeople.org/maradns-2.0.06-3.fc18.src.rpm
Scratch : http://koji.fedoraproject.org/koji/taskinfo?taskID=4616000
Comment 6 Matthieu Saulnier 2012-11-11 04:24:44 EST
Hello,
the package looks good for me.
However, maradns is known for its security issue:

  https://bugzilla.redhat.com/buglist.cgi?quicksearch=maradns
  http://www.maradns.org/security.html

All CVE seems to be fixed in current version, except
CVE-2010-2445, please contact upstream about this.
Comment 7 Tomasz Torcz 2012-11-12 05:16:32 EST
Are you sure about CVE-2010-2445? It seem to be for freeciv in conjuction with Lua interpreter. Maradns do not have Lua interpreted embedded.
Mailing list links points to maradns patch which fixes CVE-2010-2444.

Getting current version of maradns in Fedora would close all those open security bugs.
Comment 8 Matthieu Saulnier 2012-11-13 00:05:52 EST
Sorry I was confused by this line:
https://bugzilla.redhat.com/show_bug.cgi?id=612296
> Reference: MLIST:[oss-security] 20100610 CVE requests: maradns, freeciv, rbot, gitolite, gource, shib, kvirc

But yes everything is OK :)

----------------
PACKAGE APPROVED
----------------
Comment 9 Tomasz Torcz 2012-11-13 08:44:53 EST
Package Change Request
======================
Package Name: maradns
New Branches: f18 devel
Owners: ttorcz

Please unretire maradns package. I'm taking the ownership, upgrading to current release (which fixes security bugs reported for previous version) and commiting to maintin the package in Fedora.
Comment 10 Gwyn Ciesla 2012-11-13 08:56:53 EST
Git done (by process-git-requests).
Comment 11 Fedora Update System 2012-11-14 12:53:10 EST
maradns-2.0.06-3.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/maradns-2.0.06-3.fc18
Comment 12 Fedora Update System 2012-11-15 01:29:48 EST
maradns-2.0.06-3.fc18 has been pushed to the Fedora 18 testing repository.
Comment 13 Fedora Update System 2012-12-02 22:24:05 EST
maradns-2.0.06-3.fc18 has been pushed to the Fedora 18 stable repository.

Note You need to log in before you can comment on or make changes to this bug.