Bug 922438 - Review Request: libreswan - IPsec implementation with IKEv1 and IKEv2 keying protocols
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Patrick Uiterwijk
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-03-16 21:31 UTC by Paul Wouters
Modified: 2013-07-15 20:16 UTC (History)

Fixed In Version: libreswan-3.3-1.fc19
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-05-29 00:59:07 UTC
Type: ---
Embargoed:
puiterwijk: fedora-review+
gwync: fedora-cvs+



Description Paul Wouters 2013-03-16 21:31:17 UTC
Spec URL: https://download.libreswan.org/binaries/fedora/18/x86_64/libreswan.spec
SRPM URL: https://download.libreswan.org/binaries/fedora/18/x86_64/libreswan-3.1-1.fc18.src.rpm
Description: Libreswan is a free implementation of IPsec & IKE for Linux.  IPsec is the Internet Protocol Security and uses strong cryptography to provide
both authentication and encryption services.  These services allow you
to build secure tunnels through untrusted networks.  Everything passing
through the untrusted net is encrypted by the ipsec gateway machine and 
decrypted by the gateway at the other end of the tunnel.  The resulting
tunnel is a virtual private network or VPN.

This package contains the daemons and userland tools for setting up
Libreswan. To build KLIPS, see the kmod-libreswan.spec file.

Libreswan also supports IKEv2 (RFC4309) and Secure Labeling

Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04

Fedora Account System Username: pwouters

Comment 1 Patrick Uiterwijk 2013-03-28 21:37:07 UTC
I'll take this review

Comment 2 Patrick Uiterwijk 2013-04-10 05:37:17 UTC
OK - Package meets naming and packaging guidelines
OK - Spec file matches base package name. 
NO, See below - Spec has consistent macro usage.
OK - Meets Packaging Guidelines. 
OK - License GPLv2
OK - License field in spec matches
OK - License file included in package
OK - Spec in American English
OK - Spec is legible.
OK - Sources match upstream md5sum:
e00f5b5672a74f93ca6e5667254de5be  libreswan-3.1.tar.gz
e00f5b5672a74f93ca6e5667254de5be  libreswan-3.1.tar.gz

OK - BuildRequires correct
OK, See below - Package has %defattr and permissions on files is good. 
OK - Package is code or permissible content. 
OK - Packages %doc files don't affect runtime. 
OK - Package compiles and builds on at least one arch. 
OK - Package has no duplicate files in %files. 
NO, See below - Package doesn't own any directories other packages own. 
OK - Package owns all the directories it creates. 
OK - Package obeys FHS standard (except for 2 exceptions)
See below - No rpmlint output. 
OK - final provides and requires are sane.

SHOULD Items:

OK - Should build in mock. 
OK - Should build on all supported archs
OK - Should function as described. 
OK - Should have dist tag
OK - Should package latest version
OK - Should not use file requires outside of /etc, /bin, /sbin, /usr/bin, or /usr/sbin

Issues: 
1. Macro usage
Both $RPM_BUILD_ROOT and %{buildroot} styles are used

2. Directory owner
It owns some packages also owned by openswan, but it contains an Obsoletes/Provides for this.
I just wonder if this complies with the notes in the packaging guidelines "If a package is being renamed without any functional changes, or is a compatible enough replacement to an existing package (where "enough" means that it includes only changes of magnitude that are commonly found in version upgrade changes)".
So: are the changes of magnitude of version upgrade changes, or have there been major changes as openswan-2.6.38-12?

3. rpmlint says: 
Checking: libreswan-3.1-1.fc18.x86_64.rpm
libreswan.x86_64: W: spelling-error Summary(en_US) IPsec -> Eclipse
libreswan.x86_64: W: spelling-error %description -l en_US IPsec -> Eclipse
libreswan.x86_64: W: spelling-error %description -l en_US untrusted -> entrusted, trusted, encrusted
libreswan.x86_64: W: spelling-error %description -l en_US decrypted -> encrypted
libreswan.x86_64: W: spelling-error %description -l en_US userland -> user land, user-land, slanderous
libreswan.x86_64: W: spelling-error %description -l en_US kmod -> mod, k mod, mood
libreswan.x86_64: W: only-non-binary-in-usr-lib
libreswan.x86_64: E: non-standard-dir-perm /etc/ipsec.d/policies 0700L
libreswan.x86_64: E: non-standard-dir-perm /etc/ipsec.d/crls 0700L
libreswan.x86_64: E: non-standard-dir-perm /var/run/pluto 0700L
libreswan.x86_64: E: non-readable /etc/ipsec.secrets 0600L
libreswan.x86_64: E: non-standard-dir-perm /etc/ipsec.d 0700L
libreswan.x86_64: E: non-standard-dir-perm /etc/ipsec.d/cacerts 0700L
libreswan.x86_64: E: non-standard-dir-perm /var/log/pluto/peer 0700L
1 packages and 0 specfiles checked; 7 errors, 7 warnings.

You can safely ignore the spelling-errors, and the non-standard-dir-perms seem logical in this case.


Please fix the macro usage as per 1 and answer the question in issue 2.
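
The permission findings above can be checked mechanically rather than by eye. The following is an added example, not part of the bug thread or of rpmlint: it parses rpmlint permission lines and reports whether each mode is tighter or looser than a baseline. The 0755/0644 baselines, the `triage` name and the `/srv/example` line are assumptions made for the illustration.

```python
import re

# Constructed sample in the rpmlint line format quoted in the review.
# The /srv/example line is invented to show the "looser" case.
SAMPLE = """\
libreswan.x86_64: W: only-non-binary-in-usr-lib
libreswan.x86_64: E: non-standard-dir-perm /etc/ipsec.d/policies 0700L
libreswan.x86_64: E: non-standard-dir-perm /var/run/pluto 0700L
libreswan.x86_64: E: non-readable /etc/ipsec.secrets 0600L
libreswan.x86_64: E: non-standard-dir-perm /srv/example 0777L
"""

# Assumed baselines: 0755 for directories, 0644 for regular files.
BASELINE = {"non-standard-dir-perm": 0o755, "non-readable": 0o644}

LINE = re.compile(
    r"^(?P<pkg>\S+): (?P<sev>[EW]): (?P<check>[\w-]+) "
    r"(?P<path>/\S+) (?P<mode>0?[0-7]{3,4})L?$"
)


def triage(rpmlint_output):
    """Return {path: verdict} for permission findings only."""
    verdicts = {}
    for line in rpmlint_output.splitlines():
        m = LINE.match(line.strip())
        if not m or m["check"] not in BASELINE:
            continue  # spelling warnings and similar carry no mode
        mode = int(m["mode"], 8)
        extra = mode & ~BASELINE[m["check"]]  # bits granted beyond baseline
        if extra:
            verdicts[m["path"]] = "looser (+%04o): review" % extra
        elif mode & 0o077 == 0:
            verdicts[m["path"]] = "owner-only: tighter than baseline"
        else:
            verdicts[m["path"]] = "tighter than baseline"
    return verdicts


if __name__ == "__main__":
    for path, verdict in triage(SAMPLE).items():
        print(f"{verdict:36} {path}")
```

Only a "looser" verdict means a path grants more access than the baseline; the owner-only entries are the ones a VPN daemon's secrets and state directories are expected to produce.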

Comment 3 Paul Wouters 2013-04-10 17:02:06 UTC
1) will fix

2) Indeed. Although there are quite some changes, the package can be seen as a version upgrade. The configuration file and the files in /etc/ipsec.d/ are fully backwards compatible and used (only when NSS was compiled in openswan, but all fedora/rhel versions have that enabled). That was also the reasoning behind the Obsolete. Note that the name change was required due to a lawsuit between Xelerance Corporation and The Openswan Project regarding the name/ownership, which forced the community to start a fork under a new name. The fork is based off openswan 2.6.38 from March 2012. Openswan upstream has not released a single version since the libreswan fork, which is another motivation for Obsoleting openswan.

3) permissions are closed more than perhaps most software does. The only one that might have a reason to open up a little bit is /var/run/pluto, as it now prevents non-root processes from reading pluto.pid and determining if pluto is still running.....

Comment 4 Paul Wouters 2013-04-10 18:08:06 UTC
Spec URL: https://download.libreswan.org/binaries/fedora/18/x86_64/libreswan.spec
SRPM URL: https://download.libreswan.org/binaries/fedora/18/x86_64/libreswan-3.2-0.1.rc1.fc18.src.rpm

* Wed Apr 10 2013 Paul Wouters <pwouters> - 3.2-0.1.rc1
- Updated to 3.2rc1
- Fix mixed buildroot macro usage (rhbz#922438)
- Open up read permissions for /var/run/pluto/ (rhbz#922438)
- Added -Wformat-nonliteral -Wformat-security to compile flags, -Wl,-z,relro  to linker flags
- Enabled _hardened_build macro for added security
- Support pre-release versioning

Comment 5 Patrick Uiterwijk 2013-04-10 19:28:31 UTC
Please note that you may only use the obsoletes/provides method if this will be seen as a name change from openswan, and thus no new updates for openswan will be provided (and the package deadpackaged).

Also, please note that it is NOT allowed to put this into EPEL, as it conflicts with openswan, which is in RHEL6 base

Comment 6 Paul Wouters 2013-04-10 19:52:28 UTC
Understood, and yes I am the openswan maintainer, so I will coordinate it with myself ;)

Comment 7 Patrick Uiterwijk 2013-04-10 22:04:44 UTC
Ok, this new version looks ok.

Hereby this package is APPROVED.

Comment 8 Paul Wouters 2013-04-10 22:11:32 UTC
New Package SCM Request
=======================
Package Name: libreswan
Short Description: IPsec implementation with IKEv1 and IKEv2 keying protocols
Owners: pwouters
Branches: f18 f19
InitialCC:

Comment 9 Gwyn Ciesla 2013-04-11 11:32:41 UTC
Git done (by process-git-requests).

Comment 10 Fedora Update System 2013-05-16 21:16:20 UTC
libreswan-3.3-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/libreswan-3.3-1.fc18

Comment 11 Fedora Update System 2013-05-16 22:50:09 UTC
libreswan-3.3-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/libreswan-3.3-1.fc19

Comment 12 Fedora Update System 2013-05-17 22:17:24 UTC
libreswan-3.3-1.fc19 has been pushed to the Fedora 19 testing repository.

Comment 13 Fedora Update System 2013-05-29 00:59:07 UTC
libreswan-3.3-1.fc18 has been pushed to the Fedora 18 stable repository.

Comment 14 Fedora Update System 2013-05-29 03:04:35 UTC
libreswan-3.3-1.fc19 has been pushed to the Fedora 19 stable repository.

Comment 15 Paul Wouters 2013-07-15 19:04:53 UTC
Package Change Request
======================
Package Name: libreswan
New Branches: el6
Owners: pwouters
InitialCC:

Comment 16 Gwyn Ciesla 2013-07-15 20:16:18 UTC
Git done (by process-git-requests).

