Bug 855283 - Review Request: pass - A unix password manager using standard tools
Summary: Review Request: pass - A unix password manager using standard tools
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Michael S.
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-09-07 08:18 UTC by Christophe Fergeau
Modified: 2012-10-01 14:34 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-09-25 06:17:18 UTC
misc: fedora-review+
gwync: fedora-cvs+



Description Christophe Fergeau 2012-09-07 08:18:56 UTC
Spec URL: http://teuf.fedorapeople.org/reviews/pass/pass.spec
SRPM URL: http://teuf.fedorapeople.org/reviews/pass/pass-1.1.2-1.fc17.src.rpm
Description: Stores, retrieves, generates, and synchronizes passwords securely using gpg, pwgen, and git.
Fedora Account System Username: teuf

Comment 1 Jason A. Donenfeld 2012-09-07 15:30:14 UTC
The spec looks good to me. +1

Comment 2 Jason Tibbitts 2012-09-07 15:42:04 UTC
I wasn't aware that there was a standard unix password manager.  Which standard defines this?

Comment 3 Jason A. Donenfeld 2012-09-07 15:45:47 UTC
I think the idea is that it uses standard unix tools to achieve its aim. In any case, the description in the .spec appears to be: "stores, retrieves, generates, and synchronizes passwords securely using gpg, pwgen, and git", which is fairly accurate.

Comment 4 Jason Tibbitts 2012-09-07 15:49:12 UTC
The %description is indeed accurate.  The Summary:, however, describes this as some sort of standard.  Nice marketing for the upstream project, perhaps, but we should avoid misleading the Fedora user base.

Comment 5 Christophe Fergeau 2012-09-07 16:06:18 UTC
Spec URL: http://teuf.fedorapeople.org/reviews/pass/pass.spec
SRPM URL: http://teuf.fedorapeople.org/reviews/pass/pass-1.1.3-1.fc17.src.rpm

Updated the short description, and updated to a newer upstream version fixing various rpmlint issues (man page and bash completion file being 0755, shebang in bash completion file, wrong FSF address)

Comment 6 Michael S. 2012-09-07 17:25:11 UTC
Looking at the source code, there is a call to qdbus, but qt is not in Requires.
There is also a call to pwgen, and not in Requires either.

Comment 7 Michael S. 2012-09-07 17:25:43 UTC
Mhh, forget it, pwgen is there

Comment 8 Luis Bazan 2012-09-07 17:27:13 UTC
This is an informal review


Package Review
==============

Key:
- = N/A
x = Pass
! = Fail
? = Not evaluated



==== Generic ====
[x]: EXTRA Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).
[x]: EXTRA Spec file according to URL is the same as in SRPM.
[ ]: MUST Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[x]: MUST Package successfully compiles and builds into binary rpms on at
     least one supported primary architecture.
[ ]: MUST %build honors applicable compiler flags or justifies otherwise.
[x]: MUST All build dependencies are listed in BuildRequires, except for any
     that are listed in the exceptions section of Packaging Guidelines.
[ ]: MUST Package contains no bundled libraries.
[ ]: MUST Changelog in prescribed format.
[ ]: MUST Sources contain only permissible code or content.
[x]: MUST Each %files section contains %defattr if rpm < 4.4
     Note: Note: defattr macros not found. They would be needed for EPEL5
[ ]: MUST Macros in Summary, %description expandable at SRPM build time.
[ ]: MUST Package contains desktop file if it is a GUI application.
[ ]: MUST Development files must be in a -devel package
[ ]: MUST Package requires other packages for directories it uses.
[ ]: MUST Package uses nothing in %doc for runtime.
[ ]: MUST Package is not known to require ExcludeArch.
[x]: MUST Permissions on files are set properly.
[x]: MUST Package does not contain duplicates in %files.
[ ]: MUST Package complies to the Packaging Guidelines
[x]: MUST Spec file lacks Packager, Vendor, PreReq tags.
[x]: MUST Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
     Note: rm -rf would be needed if support for EPEL5 is required
[ ]: MUST Large documentation files are in a -doc subpackage, if required.
[x]: MUST If (and only if) the source package includes the text of the
     license(s) in its own file, then that file, containing the text of the
     license(s) for the package is included in %doc.
[!]: MUST License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. No licenses
     found. Please check the source files for licenses manually.
[ ]: MUST Package consistently uses macro is (instead of hard-coded directory
     names).
[x]: MUST Package is named using only allowed ascii characters.
[ ]: MUST Package is named according to the Package Naming Guidelines.
[ ]: MUST Package does not generate any conflict.
     Note: Package contains no Conflicts: tag(s)
[ ]: MUST Package obeys FHS, except libexecdir and /usr/target.
[ ]: MUST If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[ ]: MUST Package must own all directories that it creates.
[ ]: MUST Package does not own files or directories owned by other packages.
[x]: MUST Package installs properly.
[ ]: MUST Package is not relocatable.
[ ]: MUST Requires correct, justified where necessary.
[x]: MUST Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: MUST Sources used to build the package match the upstream source, as
     provided in the spec URL.
[ ]: MUST Spec file is legible and written in American English.
[x]: MUST Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[ ]: MUST Package contains systemd file(s) if in need.
[x]: MUST File names are valid UTF-8.
[x]: SHOULD Reviewer should test that the package builds in mock.
[x]: SHOULD Buildroot is not present
     Note: Unless packager wants to package for EPEL5 this is fine
[x]: SHOULD Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
     Note: Clean would be needed if support for EPEL5 is required
[ ]: SHOULD If the source package does not include license text(s) as a
     separate file from upstream, the packager SHOULD query upstream to
     include it.
[x]: SHOULD Dist tag is present.
[x]: SHOULD No file requires outside of /etc, /bin, /sbin, /usr/bin,
     /usr/sbin.
[ ]: SHOULD Final provides and requires are sane (rpm -q --provides and rpm -q
     --requires).
[ ]: SHOULD Package functions as described.
[ ]: SHOULD Latest version is packaged.
[ ]: SHOULD Package does not include license text files separate from
     upstream.
[x]: SHOULD SourceX tarball generation or download is documented.
[x]: SHOULD SourceX / PatchY prefixed with %{name}.
[x]: SHOULD SourceX is a working URL.
[ ]: SHOULD Description and summary sections in the package spec file contains
     translations for supported Non-English languages, if available.
[ ]: SHOULD Package should compile and build into binary rpms on all supported
     architectures.
[ ]: SHOULD %check is present and all tests pass.
[ ]: SHOULD Packages should try to preserve timestamps of original installed
     files.
[x]: SHOULD Spec use %global instead of %define.

Issues:
[!]: MUST License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. No licenses
     found. Please check the source files for licenses manually.
See: http://fedoraproject.org/wiki/Packaging/LicensingGuidelines#ValidLicenseShortNames

Rpmlint
-------
Checking: pass-1.1.3-1.fc17.noarch.rpm
          pass-1.1.3-1.fc17.src.rpm
pass.noarch: W: spelling-error %description -l en_US gpg -> pg, gig, gag
pass.noarch: W: non-conffile-in-etc /etc/bash_completion.d/password-store
pass.src: W: spelling-error %description -l en_US gpg -> pg, gig, gag
pass.src: W: spelling-error %description -l en_US pwgen -> pungent
pass.src: W: no-%build-section
2 packages and 0 specfiles checked; 0 errors, 5 warnings.

where is the %build section?
could you do a test in koji please?
and run rpmlint.

Rpmlint (installed packages)
----------------------------
Cannot parse rpmlint output:
Requires
--------
pass-1.1.3-1.fc17.noarch.rpm (rpmlib, GLIBC filtered):
    
    /bin/bash  
    git  
    gnupg  
    pwgen  
    tree  
    xclip  

Provides
--------
pass-1.1.3-1.fc17.noarch.rpm:
    
    pass = 1.1.3-1.fc17

MD5-sum check
-------------
http://git.zx2c4.com/password-store/snapshot/password-store-1.1.3.tar.xz :
  CHECKSUM(SHA256) this package     : 19cef04830aec13e2f1873263ba91b6a6bdd5366643e7d7c15e8415f428b9154
  CHECKSUM(SHA256) upstream package : 19cef04830aec13e2f1873263ba91b6a6bdd5366643e7d7c15e8415f428b9154


Generated by fedora-review 0.2.2 (9f8c0e5) last change: 2012-08-09
Command line :/usr/bin/fedora-review -b 855283
External plugins:

Comment 9 Michael S. 2012-09-07 17:33:59 UTC
So all is good, except the license file does not contain the full license, just a note saying "the license should be distributed with the tarball, if not, contact fsf". Could the license be added in the file?


Package Review
==============

Key:
- = N/A
x = Pass
! = Fail
? = Not evaluated


Issues:
=======
[!]: If the source package does not include license text(s) as a separate file
     from upstream, the packager SHOULD query upstream to include it.


===== MUST items =====

Generic:
[x]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[x]: Package successfully compiles and builds into binary rpms on at least one
     supported primary architecture.
[-]: %build honors applicable compiler flags or justifies otherwise.
[x]: All build dependencies are listed in BuildRequires, except for any that
     are listed in the exceptions section of Packaging Guidelines.
[x]: Package contains no bundled libraries.
[x]: Changelog in prescribed format.
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
     Note: rm -rf would be needed if support for EPEL5 is required
[x]: Sources contain only permissible code or content.
[x]: Each %files section contains %defattr if rpm < 4.4
     Note: %defattr macros not found. They would be needed for EPEL5
[x]: Macros in Summary, %description expandable at SRPM build time.
[-]: Package contains desktop file if it is a GUI application.
[-]: Development files must be in a -devel package
[x]: Package requires other packages for directories it uses.
[x]: Package uses nothing in %doc for runtime.
[x]: Package is not known to require ExcludeArch.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package complies to the Packaging Guidelines
[x]: Spec file lacks Packager, Vendor, PreReq tags.
[x]: If (and only if) the source package includes the text of the license(s)
     in its own file, then that file, containing the text of the license(s)
     for the package is included in %doc.
[x]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. No licenses
     found. Please check the source files for licenses manually.
[x]: Package consistently uses macro is (instead of hard-coded directory
     names).
[x]: Package is named using only allowed ASCII characters.
[x]: Package is named according to the Package Naming Guidelines.
[x]: Package does not generate any conflict.
     Note: Package contains no Conflicts: tag(s)
[x]: Package do not use a name that already exist
[x]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[x]: Package must own all directories that it creates.
[x]: Package does not own files or directories owned by other packages.
[x]: Package installs properly.
[x]: Package is not relocatable.
[x]: Requires correct, justified where necessary.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: Sources used to build the package match the upstream source, as provided
     in the spec URL.
[x]: Spec file is legible and written in American English.
[x]: Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[-]: Package contains systemd file(s) if in need.
[x]: File names are valid UTF-8.
[-]: Large documentation must go in a -doc subpackage.
[x]: Packages must not store files under /srv, /opt or /usr/local
     Note: Cannot unpack rpms (using --prebuilt?)

===== SHOULD items =====

Generic:
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
     Note: Unless packager wants to package for EPEL5 this is fine
[x]: Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
     Note: Clean would be needed if support for EPEL5 is required
[!]: If the source package does not include license text(s) as a separate file
     from upstream, the packager SHOULD query upstream to include it.
[x]: Dist tag is present.
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Final provides and requires are sane (rpm -q --provides and rpm -q
     --requires).
[x]: Package functions as described.
[x]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[x]: The placement of pkgconfig(.pc) files are correct.
[x]: SourceX tarball generation or download is documented.
[!]: SourceX / PatchY prefixed with %{name}.
     Note: Source0 (password-store-1.1.3.tar.xz)
[x]: SourceX is a working URL.
[-]: Description and summary sections in the package spec file contains
     translations for supported Non-English languages, if available.
[x]: Package should compile and build into binary rpms on all supported
     architectures.
[-]: %check is present and all tests pass.
[x]: Packages should try to preserve timestamps of original installed files.
[x]: Spec use %global instead of %define.

===== EXTRA items =====

Generic:
[x]: Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).
[x]: Spec file according to URL is the same as in SRPM.
[x]: Large data in /usr/share should live in a noarch subpackage if package is
     arched.


Rpmlint
-------
Checking: pass-1.1.3-1.fc17.noarch.rpm
          pass-1.1.3-1.fc17.src.rpm
pass.noarch: W: spelling-error %description -l en_US gpg -> pg, gig, gag
pass.noarch: W: invalid-url URL: http://zx2c4.com/projects/password-store/ timed out
pass.noarch: W: non-conffile-in-etc /etc/bash_completion.d/password-store
pass.src: W: spelling-error %description -l en_US gpg -> pg, gig, gag
pass.src: W: spelling-error %description -l en_US pwgen -> pungent
pass.src: W: invalid-url URL: http://zx2c4.com/projects/password-store/ timed out
pass.src: W: no-%build-section
2 packages and 0 specfiles checked; 0 errors, 7 warnings.




Rpmlint (installed packages)
----------------------------
# rpmlint pass
pass.noarch: W: spelling-error %description -l en_US gpg -> pg, gig, gag
pass.noarch: W: invalid-url URL: http://zx2c4.com/projects/password-store/ timed out
pass.noarch: W: non-conffile-in-etc /etc/bash_completion.d/password-store
1 packages and 0 specfiles checked; 0 errors, 3 warnings.
# echo 'rpmlint-done:'



Requires
--------
pass-1.1.3-1.fc17.noarch.rpm (rpmlib, GLIBC filtered):
    
    /bin/bash  
    git  
    gnupg  
    pwgen  
    tree  
    xclip  



Provides
--------
pass-1.1.3-1.fc17.noarch.rpm:
    
    pass = 1.1.3-1.fc17



MD5-sum check
-------------
http://git.zx2c4.com/password-store/snapshot/password-store-1.1.3.tar.xz :
  CHECKSUM(SHA256) this package     : 19cef04830aec13e2f1873263ba91b6a6bdd5366643e7d7c15e8415f428b9154
  CHECKSUM(SHA256) upstream package : 19cef04830aec13e2f1873263ba91b6a6bdd5366643e7d7c15e8415f428b9154


Generated by fedora-review 0.2.0 (Unknown) last change: Unknown
Command line :./try-fedora-review -b 855283

Comment 10 Pierre-Yves Chibon 2012-09-07 20:44:52 UTC
(In reply to comment #8)
> This is an informal review
[...]
> ==== Generic ====
> [x]: EXTRA Rpmlint is run on all installed packages.
>      Note: There are rpmlint messages (see attachment).
> [x]: EXTRA Spec file according to URL is the same as in SRPM.
> [ ]: MUST Package is licensed with an open-source compatible license and
> meets
>      other legal requirements as defined in the legal section of Packaging
>      Guidelines
[...]
> Generated by fedora-review 0.2.2 (9f8c0e5) last change: 2012-08-09
> Command line :/usr/bin/fedora-review -b 855283
> External plugins:

@Luis, this is not a review, informal or not. This is a copy/paste of the fedora-review output.
If reviewing was that simple, we would not need reviewers. Please do follow the review guidelines and use fedora-review as a tool to help you on this.

http://fedoraproject.org/wiki/Packaging:ReviewGuidelines

Comment 11 Christophe Fergeau 2012-09-07 23:09:50 UTC
(In reply to comment #6)
> Looking at the source code, there is a call to qdbus, but qt is not in
> Requires.

Yes, I checked this with upstream, and he told me this is optional (the command is run with >/dev/null 2>&1), imo we should not make it a Requires, it will be used if the user has Qt installed (i.e. if he likely can use this).

Comment 12 Jason A. Donenfeld 2012-09-07 23:25:14 UTC
(In reply to comment #6)
> Looking at the source code, there is a call to qdbus, but qt is not in
> Requires.

However, qdbus should absolutely NOT be required. It's run with >/dev/null 2>&1, and in the future there are going to be other similar lines there -- gdbus org.gnome.somethingawful.clipthing ClearIt -- and the like. The idea is -- if the user has that environment, and has those services, then it will work, and otherwise this is a no-op. This is usually the cleanest thing to do in a simple shell script.


> There is also a call to pwgen, and not in Requires either.

Pwgen should absolutely be required.

Comment 13 Jason A. Donenfeld 2012-09-07 23:26:37 UTC
(In reply to comment #9)
> So all is good, except the license file does not contain the full license,
> just a note saying "the license should be distributed with the tarball, if
> not, contact fsf". Could the license be added in the file?

I'll go ahead and put the GPLv2 inside of COPYING for the next release.

Comment 14 Jason A. Donenfeld 2012-09-08 00:48:27 UTC
Bump the .spec to 1.1.4 and we should be all set.

Comment 15 Michael S. 2012-09-08 09:11:13 UTC
I have seen the shell magic for qdbus, but I am not sure this would interact badly with things like PackageKit-command-not-found (i.e., that it will trigger package installation on file not found, using command_not_found_handle). I think this should trigger just for interactive shells (since that's in profile.d), but that's something to take into account IMHO (i.e., someone with a wrongly configured system would face an issue).
But a review is not here to discuss upstream source, so if the license is added, the package is approved.

Comment 16 Jason A. Donenfeld 2012-09-08 15:03:57 UTC
(In reply to comment #15)
> I have seen the shell magic for qdbus, but I am not sure this would interact
> badly with things like PackageKit-command-not-found (i.e., that it will
> trigger package installation on file not found, using
> command_not_found_handle). I think this should trigger just for interactive
> shells (since that's in profile.d), but that's something to take into account
> IMHO (i.e., someone with a wrongly configured system would face an issue).

Can anyone test and confirm that god kills kittens here? If it's an issue, I'll make an upstream change. If it only happens during gross misconfigurations, I'll still probably change something, but not as immediately.


> But a review is not here to discuss upstream source, so if the license is
> added, the package is approved.

YAY!

Comment 17 Christophe Fergeau 2012-09-08 16:53:13 UTC
Spec URL: http://teuf.fedorapeople.org/reviews/pass/pass.spec
SRPM URL: http://teuf.fedorapeople.org/reviews/pass/pass-1.1.4-1.fc17.src.rpm

Update to the 1.1.4 upstream release which ships a full GPLv2 copy

Comment 18 Christophe Fergeau 2012-09-08 17:02:03 UTC
Scratch build at http://koji.fedoraproject.org/koji/taskinfo?taskID=4467371
I ran a quick test by replacing the qdbus call with qdbusfoo, and this didn't trigger any user-visible package-kit stuff, so it's probably only triggering in interactive shells.
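The qdbus question raised in comments 12, 15 and 18 comes down to how bash resolves a command that is not installed. The script below is an added example, not code from the pass package or from anyone in this thread: it puts the "run it and silence it" pattern that pass uses next to a guarded variant built on `command -v`, and counts how often a command_not_found_handle fires for each. The helper name `no-such-helper`, the logging handler and the temporary file it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the pass package or from this review thread.
# It contrasts the "run it and silence it" pattern pass uses for qdbus with a
# guarded variant, and shows which of the two can wake bash's
# command_not_found_handle (the hook PackageKit-command-not-found installs).
# no-such-helper, the handler and the log file below are constructed for the demo.

# Pattern from the review: invoke the optional helper, discard its output and
# treat a missing helper as a no-op. The shell still has to look the command
# up, so bash calls command_not_found_handle if one is defined.
call_optional_unguarded() {
    "$@" >/dev/null 2>&1 || true
}

# Guarded variant: `command -v` is a builtin lookup that never invokes
# command_not_found_handle, so nothing outside the script runs when the helper
# is absent. Behaviour when the helper is installed is unchanged.
call_optional_guarded() {
    command -v "$1" >/dev/null 2>&1 || return 0
    "$@" >/dev/null 2>&1 || true
}

# Constructed stand-in for a PackageKit-style handler. It records each missing
# command name in a file (a file rather than a variable, because bash runs the
# handler in a separate execution environment). Only bash honours this hook;
# under dash or another POSIX sh the function is simply never called.
HANDLER_LOG="${TMPDIR:-/tmp}/cnf-handler-demo.$$"
: > "$HANDLER_LOG"
command_not_found_handle() {
    printf '%s\n' "$1" >> "$HANDLER_LOG"
    return 127
}

# Number of times the handler has fired so far.
handler_calls() {
    wc -l < "$HANDLER_LOG" | tr -d ' '
}

# Stand-alone demonstration: run the script with --demo to see both variants.
demo() {
    : > "$HANDLER_LOG"
    call_optional_guarded no-such-helper --some-arg
    printf 'guarded call:   handler fired %s time(s)\n' "$(handler_calls)"
    call_optional_unguarded no-such-helper --some-arg
    printf 'unguarded call: handler fired %s time(s)\n' "$(handler_calls)"
    rm -f "$HANDLER_LOG"
}
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with `--demo` under bash: the guarded call reports 0 and the unguarded call reports 1. Under dash or another POSIX sh the hook does not exist and both calls are silent no-ops. PackageKit only installs its handler for interactive shells via profile.d, which is why the scratch test in comment 18 saw nothing from a script; the guarded form removes the dependence on that configuration altogether.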

Comment 19 Jason A. Donenfeld 2012-09-08 17:08:27 UTC
Great. Well, let's ship it then.

Thanks everyone for helping out and chiming in.

Comment 20 Michael S. 2012-09-08 21:49:00 UTC
Christophe, I do not know why you reset the fedora-review flag to '?', but that's wrong :)

Comment 21 Christophe Fergeau 2012-09-09 09:26:40 UTC
Hmm no idea how it got reset, all I know is that I did not explicitly change it, thanks for noticing!

Comment 22 Christophe Fergeau 2012-09-09 09:28:14 UTC
Grmble, it got reset again, and I'm sure I only left the comment above. I even checked fedora_review+ was set before adding this comment

Comment 23 Michael S. 2012-09-09 09:32:48 UTC
Ok, I have reset it again, just post the git request and we will see :)

Comment 24 Christophe Fergeau 2012-09-09 09:38:30 UTC
New Package SCM Request
=======================
Package Name: pass
Short Description: A unix password manager using standard tools
Owners: teuf pingou
Branches: f17 f18 el6
InitialCC:

Comment 25 Christophe Fergeau 2012-09-09 09:48:01 UTC
(In reply to comment #23)
> Ok, I have reset it again, just post the git request and we will see :)

When posting the git request, the bug was initially in misc: fedora_review+, but when I went to edit the flags to set fedora_cvs?, I noticed that ? was selected in the fedora_review combobox. I forced it to '+' so that it doesn't change its value once again, and things seem good now...

Comment 26 Gwyn Ciesla 2012-09-09 20:40:11 UTC
Git done (by process-git-requests).

Yeah, there's a bug or trac open to fix that. . .

Comment 27 Fedora Update System 2012-09-10 07:33:11 UTC
pass-1.1.4-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/pass-1.1.4-1.fc18

Comment 28 Fedora Update System 2012-09-10 08:56:53 UTC
pass-1.1.4-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/pass-1.1.4-1.el6

Comment 29 Fedora Update System 2012-09-10 16:08:57 UTC
pass-1.1.4-1.fc18 has been pushed to the Fedora 18 testing repository.

Comment 30 Jason A. Donenfeld 2012-09-11 03:28:25 UTC
In response to some requests from some Fedora devs, version 1.2 has been released, before QA on 1.1.4 has even completed. There are no build changes or any other changes that will change the nature of the packaging, so a simple version bump should do the trick.

Comment 31 Fedora Update System 2012-09-25 06:17:18 UTC
pass-1.2-1.fc18 has been pushed to the Fedora 18 stable repository.

Comment 32 Fedora Update System 2012-10-01 14:34:15 UTC
pass-1.4.1-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/pass-1.4.1-1.el6

