Spec URL: https://download.libreswan.org/binaries/fedora/18/x86_64/libreswan.spec
SRPM URL: https://download.libreswan.org/binaries/fedora/18/x86_64/libreswan-3.1-1.fc18.src.rpm

Description:
Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted net is encrypted by the ipsec gateway machine and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network or VPN.

This package contains the daemons and userland tools for setting up Libreswan. To build KLIPS, see the kmod-libreswan.spec file.

Libreswan also supports IKEv2 (RFC4309) and Secure Labeling

Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04

Fedora Account System Username: pwouters
I'll take this review
OK - Package meets naming and packaging guidelines
OK - Spec file matches base package name.
NO, See below - Spec has consistent macro usage.
OK - Meets Packaging Guidelines.
OK - License GPLv2
OK - License field in spec matches
OK - License file included in package
OK - Spec in American English
OK - Spec is legible.
OK - Sources match upstream md5sum:
  e00f5b5672a74f93ca6e5667254de5be libreswan-3.1.tar.gz
  e00f5b5672a74f93ca6e5667254de5be libreswan-3.1.tar.gz
OK - BuildRequires correct
OK, See below - Package has %defattr and permissions on files is good.
OK - Package is code or permissible content.
OK - Packages %doc files don't affect runtime.
OK - Package compiles and builds on at least one arch.
OK - Package has no duplicate files in %files.
NO, See below - Package doesn't own any directories other packages own.
OK - Package owns all the directories it creates.
OK - Package obeys FHS standard (except for 2 exceptions)
See below - No rpmlint output.
OK - final provides and requires are sane.

SHOULD Items:
OK - Should build in mock.
OK - Should build on all supported archs
OK - Should function as described.
OK - Should have dist tag
OK - Should package latest version
OK - Should not use file requires outside of /etc, /bin, /sbin, /usr/bin, or /usr/sbin

Issues:

1. Macro usage
Both $RPM_BUILD_ROOT and %{buildroot} styles are used

2. Directory owner
It owns some packages also owned by openswan, but it contains an Obsoletes/Provides for this. I just wonder if this complies to the notes in the packaging guidelines "If a package is being renamed without any functional changes, or is a compatible enough replacement to an existing package (where "enough" means that it includes only changes of magnitude that are commonly found in version upgrade changes)". So: are the changes of magnitude of version upgrade changes, or have there been major changes as openswan-2.6.38-12?

3. rpmlint says:
Checking: libreswan-3.1-1.fc18.x86_64.rpm
libreswan.x86_64: W: spelling-error Summary(en_US) IPsec -> Eclipse
libreswan.x86_64: W: spelling-error %description -l en_US IPsec -> Eclipse
libreswan.x86_64: W: spelling-error %description -l en_US untrusted -> entrusted, trusted, encrusted
libreswan.x86_64: W: spelling-error %description -l en_US decrypted -> encrypted
libreswan.x86_64: W: spelling-error %description -l en_US userland -> user land, user-land, slanderous
libreswan.x86_64: W: spelling-error %description -l en_US kmod -> mod, k mod, mood
libreswan.x86_64: W: only-non-binary-in-usr-lib
libreswan.x86_64: E: non-standard-dir-perm /etc/ipsec.d/policies 0700L
libreswan.x86_64: E: non-standard-dir-perm /etc/ipsec.d/crls 0700L
libreswan.x86_64: E: non-standard-dir-perm /var/run/pluto 0700L
libreswan.x86_64: E: non-readable /etc/ipsec.secrets 0600L
libreswan.x86_64: E: non-standard-dir-perm /etc/ipsec.d 0700L
libreswan.x86_64: E: non-standard-dir-perm /etc/ipsec.d/cacerts 0700L
libreswan.x86_64: E: non-standard-dir-perm /var/log/pluto/peer 0700L
1 packages and 0 specfiles checked; 7 errors, 7 warnings.

You can safely ignore the spelling-errors, and the non-standard-dir-perms seem logical in this case.

Please fix the macro usage as per 1 and answer the question in issue 2.
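An added example, not part of the review thread: a small triage of the rpmlint permission findings quoted above, checking that each reported mode only removes access relative to the usual defaults (assumed here to be 0755 for directories and 0644 for files). The `triage` function, the sample text and the `example` package line are constructed for illustration.

```python
import re

# Constructed input: three findings copied from the rpmlint run above, plus one
# made-up line (package "example") showing a mode that is looser than default.
SAMPLE = """\
libreswan.x86_64: E: non-standard-dir-perm /etc/ipsec.d/policies 0700L
libreswan.x86_64: E: non-readable /etc/ipsec.secrets 0600L
libreswan.x86_64: E: non-standard-dir-perm /var/run/pluto 0700L
example.x86_64: E: non-standard-dir-perm /etc/example.d 0777L
"""

# The rpmlint output above prints modes as octal with a trailing "L", e.g. "0700L".
FINDING = re.compile(
    r"^(?P<pkg>\S+): E: (?P<check>non-standard-dir-perm|non-readable) "
    r"(?P<path>\S+) (?P<mode>0[0-7]+)L?$"
)

# Assumed baselines: 0755 for directories, 0644 for regular files.
BASELINE = {"non-standard-dir-perm": 0o755, "non-readable": 0o644}


def triage(rpmlint_output):
    """Return (path, mode, verdict) for each permission finding.

    "tighter" means the mode grants no bit beyond the baseline, so the
    finding only reports removed access. "review" means extra bits are set.
    """
    results = []
    for line in rpmlint_output.splitlines():
        m = FINDING.match(line.strip())
        if not m:
            continue  # spelling warnings and summary lines are skipped
        mode = int(m.group("mode"), 8)
        extra = mode & ~BASELINE[m.group("check")]
        verdict = "tighter" if extra == 0 else "review"
        results.append((m.group("path"), format(mode, "04o"), verdict))
    return results


if __name__ == "__main__":
    for path, mode, verdict in triage(SAMPLE):
        print(f"{verdict:8} {mode} {path}")
```

Findings marked "tighter" are the kind a reviewer can waive with a note; anything marked "review" grants access beyond the default and needs a justification in the spec.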
1) will fix

2) Indeed. Although there are quite some changes, the package can be seen as a version upgrade. The configuration file and the files in /etc/ipsec.d/ are fully backwards compatible and used (only when NSS was compiled in openswan, but all fedora/rhel versions have that enabled). That was also the reasoning behind the Obsolete. Note that the name change was required due to a lawsuit between Xelerance Corporation and The Openswan Project regarding the name/ownership, which forced the community to start a fork under a new name. The fork is based off openswan 2.6.38 from March 2012. Openswan upstream has not released a single version since the libreswan fork, which is another motivation for Obsoleting openswan.

3) permissions are closed more than perhaps most software does. The only one that might have a reason to open up a little bit is /var/run/pluto, as it now prevents non-root processes from reading pluto.pid and determining if pluto is still running.....
Spec URL: https://download.libreswan.org/binaries/fedora/18/x86_64/libreswan.spec
SRPM URL: https://download.libreswan.org/binaries/fedora/18/x86_64/libreswan-3.2-0.1.rc1.fc18.src.rpm

* Wed Apr 10 2013 Paul Wouters <pwouters> - 3.2-0.1.rc1
- Updated to 3.2rc1
- Fix mixed buildroot macro usage (rhbz#922438)
- Open up read permissions for /var/run/pluto/ (rhbz#922438)
- Added -Wformat-nonliteral -Wformat-security to compile flags, -Wl,-z,relro to linker flags
- Enabled _hardened_build macro for added security
- Support pre-release versioning
Please note that you may only use the obsoletes/provides method if this will be seen as a name change from openswan, and thus no new updates for openswan will be provided (and the package deadpackaged). Also, please note that it is NOT allowed to put this into EPEL, as it conflicts with openswan, which is in RHEL6 base
Understood, and yes I am the openswan maintainer, so I will coordinate it with myself ;)
Ok, this new version looks ok. Hereby this package is APPROVED.
New Package SCM Request
=======================
Package Name: libreswan
Short Description: IPsec implementation with IKEv1 and IKEv2 keying protocols
Owners: pwouters
Branches: f18 f19
InitialCC:
Git done (by process-git-requests).
libreswan-3.3-1.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/libreswan-3.3-1.fc18
libreswan-3.3-1.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/libreswan-3.3-1.fc19
libreswan-3.3-1.fc19 has been pushed to the Fedora 19 testing repository.
libreswan-3.3-1.fc18 has been pushed to the Fedora 18 stable repository.
libreswan-3.3-1.fc19 has been pushed to the Fedora 19 stable repository.
Package Change Request
======================
Package Name: libreswan
New Branches: el6
Owners: pwouters
InitialCC: