Bug 974852 - Review Request: fish - A Friendly Interactive SHell
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Matthias Runge
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-06-16 15:03 UTC by laurence.mcglashan
Modified: 2014-01-16 09:21 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-12-12 08:13:40 UTC
Type: ---
Embargoed:
p: fedora-review+



Description laurence.mcglashan 2013-06-16 15:03:30 UTC
Spec URL: https://github.com/lrm29/fish-rpm/blob/master/fish.spec
SRPM URL: https://github.com/lrm29/fish-rpm/blob/master/fish-2.0.0-1.fc18.src.rpm
Description: fish is a shell geared towards interactive use. Its features are
focused on user friendliness and discoverability. The language syntax
is simple but incompatible with other shell languages.
Fedora Account System Username: lrm29
Koji Build: http://koji.fedoraproject.org/koji/taskinfo?taskID=5509440

This is my first package, and I am seeking a sponsor.

Comment 1 Michael Schwendt 2013-06-17 09:22:25 UTC
Note that it's a retired ("deprecated") package due to lack of a maintainer and will need to be unretired.

http://pkgs.fedoraproject.org/cgit/fish.git/
 -> http://pkgs.fedoraproject.org/cgit/fish.git/plain/dead.package

Comment 3 Christopher Meng 2013-12-06 07:11:08 UTC
I will package it for personal use in future development, so Laurence, do you want to continue?

Comment 4 Andy Lutomirski 2013-12-10 01:08:39 UTC
I'd like to take this over.  I need a sponsor.

Spec URL: http://web.mit.edu/luto/www/fedora/fish.spec
SRPM URL: http://web.mit.edu/luto/www/fedora/fish-2.1.0-1.fc19.src.rpm

There's one rpmlint error about mktemp.  The code in question actually appears to be secure -- it calls mktemp and then opens the file with O_CREAT | O_EXCL.  This is silly (it should use mkostemp), but it appears to be safe.

Comment 5 Christopher Meng 2013-12-10 04:29:21 UTC
(In reply to Andy Lutomirski from comment #4)
> I'd like to take this over.  I need a sponsor.
> 
> Spec URL: http://web.mit.edu/luto/www/fedora/fish.spec
> SRPM URL: http://web.mit.edu/luto/www/fedora/fish-2.1.0-1.fc19.src.rpm
> 
> There's one rpmlint error about mktemp.  The code in question actually
> appears to be secure -- it calls mktemp and then opens the file with O_CREAT
> | O_EXCL.  This is silly (it should use mkostemp), but it appears to be safe.

I also want to take it.

But the problem is that the reporter is in unknown status, I want to know his attitude. Before we get permission to take it over, I think it's impolite to do that.

Your spec is also not OK. I will contact you off bugzilla.

Comment 6 Christopher Meng 2013-12-10 04:36:17 UTC
Laurence, if you can't respond to this in 2 weeks, I will close the bug and submit a new one.

Comment 7 laurence.mcglashan 2013-12-10 10:18:49 UTC
Hi,

I use fish itself a lot but not Fedora so much, so happy for someone to take it over.

At the time I was in contact with some people on the fish mailing list to try and get as standard an rpm file as possible, and incorporate it into the fish repo on github. It would be good if whoever takes it over could continue that.

P.S. I cannot access those web.mit.edu links. mkostemp is not POSIX. Why is mkstemp 'silly' when it uses the correct flags?

Comment 8 Christopher Meng 2013-12-10 10:30:10 UTC
(In reply to laurence.mcglashan from comment #7)
> Hi,
> 
> I use fish itself a lot but not Fedora so much, so happy for someone to take
> it over.
> 
> At the time I was in contact with some people on the fish mailing list to
> try and get as standard an rpm file as possible, and incorporate it into the
> fish repo on github. It would be good if whoever takes it over could
> continue that.

RPM should be built by yourself, not by others.

Btw Andy has prepared spec/srpm, he also wants to maintain it, if you can't find time to package it, tell us and I will close this bug and let Andy submit a new one. We don't want to wait anymore.

Thanks.

Comment 9 laurence.mcglashan 2013-12-10 11:29:07 UTC
Sorry, correction on my part: A more standard SPEC file, not RPM file.

It's not my fault you're having to "wait". I certainly won't bother you again.

Comment 10 Andy Lutomirski 2013-12-10 17:29:51 UTC
Sorry, you caught me in an intermediate state.

Spec: http://web.mit.edu/luto/www/fedora/fish_rpm_v3/fish.spec
SRPM: http://web.mit.edu/luto/www/fedora/fish_rpm_v3/fish-2.1.0-1.fc19.src.rpm

This one should work correctly on F20+ and almost correctly on F19 (I removed the patch to make 'help' work locally under the assumption that, by the time this gets reviewed, either F20 will be released or the upstream bug will be fixed).

This version should be quite a bit cleaner.  I'll email upstream, too.

Comment 11 Andy Lutomirski 2013-12-10 17:41:53 UTC
Can one of you either close this bug or reassign it appropriately?

Comment 12 Pádraig Brady 2013-12-11 18:17:26 UTC
So this is an existing package we're reviving:
  https://admin.fedoraproject.org/pkgdb/acls/name/fish
We can follow the Unorphan process as in bug #1016200


Package Review
==============

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated
[ ] = Manual review needed


Issues:
=======
- Package contains BR: python2-devel or python3-devel
- Requires missing ncurses
- %check not present but I'll not mandate that

===== MUST items =====

C/C++:
[x]: Package does not contain kernel modules.
[x]: Package contains no static executables.
[x]: Package does not contain any libtool archives (.la)
[x]: Rpath absent or only used for internal libs.

Generic:
[x]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[x]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses found:
     "GPL (v2 or later)", "GPL (v2) (with incorrect FSF address)", "LGPL (v2
     or later) (with incorrect FSF address)", "Unknown or generated", "BSD (2
     clause)". 96 files have unknown license. Detailed output of licensecheck
     in /home/padraig/974852-fish/licensecheck.txt
[x]: Package does not own files or directories owned by other packages.
     Note: Dirs in package are owned also by: /usr/share/fish(zeroinstall-
     injector), /usr/share/fish/completions(zeroinstall-injector)
[x]: %build honors applicable compiler flags or justifies otherwise.
[x]: Package contains no bundled libraries without FPC exception.
[x]: Changelog in prescribed format.
[!]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
     Note: rm -rf %{buildroot} present but not required
[x]: Sources contain only permissible code or content.
[-]: Package contains desktop file if it is a GUI application.
[-]: Development files must be in a -devel package
[x]: Package uses nothing in %doc for runtime.
[x]: The spec file handles locales properly.
[x]: Package consistently uses macros (instead of hard-coded directory names).
[x]: Package is named according to the Package Naming Guidelines.
[x]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[-]: Requires correct, justified where necessary.
[x]: Spec file is legible and written in American English.
[-]: Package contains systemd file(s) if in need.
[x]: Useful -debuginfo package or justification otherwise.
[x]: Package is not known to require an ExcludeArch tag.
[x]: Large documentation must go in a -doc subpackage. Large could be size
     (~1MB) or number of files.
     Note: Documentation size is 583680 bytes in 46 files.
[x]: Package complies to the Packaging Guidelines
[x]: Package successfully compiles and builds into binary rpms on at least one
     supported primary architecture.
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: If (and only if) the source package includes the text of the license(s)
     in its own file, then that file, containing the text of the license(s)
     for the package is included in %doc.
[x]: Package requires other packages for directories it uses.
[x]: Package must own all directories that it creates.
[x]: All build dependencies are listed in BuildRequires, except for any that
     are listed in the exceptions section of Packaging Guidelines.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: %config files are marked noreplace or the reason is justified.
[x]: Each %files section contains %defattr if rpm < 4.4
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package use %makeinstall only when make install' ' DESTDIR=... doesn't
     work.
[x]: Package is named using only allowed ASCII characters.
[x]: No %config files under /usr.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as provided
     in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Packages must not store files under /srv, /opt or /usr/local

Python:
[x]: Python eggs must not download any dependencies during the build process.
[x]: A package which is used by another package via an egg interface should
     provide egg info.
[x]: Package meets the Packaging Guidelines::Python
[x]: Binary eggs must be removed in %prep

===== SHOULD items =====

Generic:
[-]: If the source package does not include license text(s) as a separate file
     from upstream, the packager SHOULD query upstream to include it.
[-]: Final provides and requires are sane (see attachments).
[x]: Package functions as described.
[x]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[x]: Description and summary sections in the package spec file contains
     translations for supported Non-English languages, if available.
[x]: Package should compile and build into binary rpms on all supported
     architectures.
[!]: %check is present and all tests pass.
[x]: Packages should try to preserve timestamps of original installed files.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: Sources can be downloaded from URI in Source: tag
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
[x]: Dist tag is present (not strictly required in GL).
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Fully versioned dependency in subpackages if applicable.
[x]: Uses parallel make %{?_smp_mflags} macro.
[x]: SourceX tarball generation or download is documented.
[x]: SourceX is a working URL.
[x]: Spec use %global instead of %define unless justified.

===== EXTRA items =====

Generic:
[-]: Large data in /usr/share should live in a noarch subpackage if package is
     arched.
     Note: Arch-ed rpms have a total of 3317760 bytes in /usr/share
[x]: Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).
[x]: Spec file according to URL is the same as in SRPM.


Rpmlint
-------
Checking: fish-2.1.0-1.fc20.x86_64.rpm
          fish-2.1.0-1.fc20.src.rpm
fish.x86_64: W: spelling-error %description -l en_US zsh -> sh, ssh, ash
fish.x86_64: W: spelling-error %description -l en_US autosuggestions -> autosuggestion, auto suggestions, auto-suggestions
fish.x86_64: E: call-to-mktemp /usr/bin/fish
fish.src: W: spelling-error %description -l en_US zsh -> sh, ssh, ash
fish.src: W: spelling-error %description -l en_US autosuggestions -> autosuggestion, auto suggestions, auto-suggestions
2 packages and 0 specfiles checked; 1 errors, 4 warnings.




Rpmlint (installed packages)
----------------------------
# rpmlint fish
fish.x86_64: W: spelling-error %description -l en_US zsh -> sh, ssh, ash
fish.x86_64: W: spelling-error %description -l en_US autosuggestions -> autosuggestion, auto suggestions, auto-suggestions
fish.x86_64: E: call-to-mktemp /usr/bin/fish
1 packages and 0 specfiles checked; 1 errors, 2 warnings.
# echo 'rpmlint-done:'



Requires
--------
fish (rpmlib, GLIBC filtered):
    /bin/sh
    /usr/bin/env
    config(fish)
    libc.so.6()(64bit)
    libgcc_s.so.1()(64bit)
    libgcc_s.so.1(GCC_3.0)(64bit)
    libm.so.6()(64bit)
    libncurses.so.5()(64bit)
    libpthread.so.0()(64bit)
    libstdc++.so.6()(64bit)
    libstdc++.so.6(CXXABI_1.3)(64bit)
    libtinfo.so.5()(64bit)
    rtld(GNU_HASH)



Provides
--------
fish:
    config(fish)
    fish
    fish(x86-64)



Source checksums
----------------
http://fishshell.com/files/2.1.0/fish-2.1.0.tar.gz :
  CHECKSUM(SHA256) this package     : af527af9d145df5675ca3031c1a87007d4f4753a1cde49da88f4eb883a1cf044
  CHECKSUM(SHA256) upstream package : af527af9d145df5675ca3031c1a87007d4f4753a1cde49da88f4eb883a1cf044


Generated by fedora-review 0.5.0 (920221d) last change: 2013-08-30
Command line :/usr/bin/fedora-review -b 974852
Buildroot used: fedora-20-x86_64
Active plugins: Generic, Python, Shell-api, C/C++
Disabled plugins: Java, SugarActivity, Perl, R, PHP, Ruby
Disabled flags: EPEL5, EXARCH, DISTTAG

Comment 13 Andy Lutomirski 2013-12-11 19:08:27 UTC
I'm confused about two things:

> - Package contains BR: python2-devel or python3-devel

The only thing I can see that requires python during the build process is brp-compile-python.  Everything will still work as long as python is present at runtime even if the .pyc files don't get built.

I added Requires: python, which is indeed needed for the 'config' command to work.  (I think there's support for Python 3 as an alternative, but it looks like it would require patching.)

> - Requires missing ncurses

$ rpm -qp --requires fish-2.1.0-1.fc19.x86_64.rpm
[...]
libncurses.so.5()(64bit)

Is that not enough?


Spec: http://web.mit.edu/luto/www/fedora/fish_rpm_v4/fish.spec
SRPM: http://web.mit.edu/luto/www/fedora/fish_rpm_v4/fish-2.1.0-1.fc19.src.rpm

Changes:
 - Bumped the date to today
 - Use %make_install instead of make install DESTDIR=...
 - Removed rm -rf %{buildroot}
 - Added Requires: python

Comment 14 Michael Schwendt 2013-12-11 19:19:44 UTC
> There's one rpmlint error about mktemp.  The code in question actually
> appears to be secure -- it calls mktemp and then opens the file with
> O_CREAT | O_EXCL.  This is silly (it should use mkostemp), but it
> appears to be safe.

> Why is mkstemp 'silly' when it uses the correct flags?

The code calls mktemp, which is insecure. It ought to call mkstemp instead.

Comment 15 Andy Lutomirski 2013-12-11 19:38:13 UTC
The usual mktemp(3) pattern is:

mktemp(name);
open(name, O_RDWR);

This is broken -- name could be replaced by a symlink between the two calls.  fish is doing:

mktemp(name);
open(name, O_RDWR | O_CREAT | O_EXCL | O_TRUNC | O_CLOEXEC);

I don't know what O_TRUNC is for there, but it should have no effect.  Critically, though, the O_EXCL flag will cause open to fail if name has been replaced by a symlink.  If that happens, fish will try again.

It isn't using mkstemp because mkstemp doesn't pass O_CLOEXEC.  mkostemp would work, but it's not portable.

So, unless fish were willing to have a separate code path for Linux, I'm not sure how it can do better, and I think that the current code is secure.

Comment 16 Michael Schwendt 2013-12-11 20:10:39 UTC
Okay, that's the alternative implementation described in the bsd manual page for mk*temp.
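
The mktemp-then-O_EXCL pattern discussed in comments 15 and 16, as an added example that is not part of the thread and is not fish's code. The function names, the retry count and the /tmp paths are assumptions made for the illustration.

```c
#define _DEFAULT_SOURCE   /* glibc: declare mktemp(3), mkdtemp(3), symlink(2) */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* O_CREAT|O_EXCL fails with EEXIST if anything already exists at `path`;
 * a symlink there is not followed, even a dangling one. */
int open_excl(const char *path)
{
    return open(path, O_RDWR | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
}

/* mktemp() only proposes a name; open_excl() decides whether we own it.
 * `tmpl` ends in "XXXXXX"; the created name is left in `out`. fd or -1. */
int create_temp_cloexec(const char *tmpl, char *out, size_t outlen)
{
    for (int attempt = 0; attempt < 16; attempt++) {  /* assumed retry cap */
        if (snprintf(out, outlen, "%s", tmpl) >= (int)outlen)
            return -1;                /* template does not fit in out */
        mktemp(out);                  /* leaves "" in out on failure */
        if (out[0] == '\0')
            return -1;
        int fd = open_excl(out);
        if (fd >= 0 || errno != EEXIST)
            return fd;                /* success, or a real error */
    }
    errno = EEXIST;                   /* name was taken on every attempt */
    return -1;
}

/* Constructed scenario: a symlink already sits at the name we try to open.
 * Returns 1 if open_excl() refused it and the link target was not created. */
int symlink_is_refused(void)
{
    char dir[] = "/tmp/excl-demo-XXXXXX", lnk[64], target[64];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(lnk, sizeof lnk, "%s/tmpname", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    int planted = symlink(target, lnk);
    int fd = open_excl(lnk);
    int refused = planted == 0 && fd == -1 && errno == EEXIST
                  && access(target, F_OK) == -1;
    if (fd >= 0) close(fd);
    unlink(lnk); unlink(target); rmdir(dir);
    return refused;
}
```

Linking this against glibc prints the "the use of `mktemp' is dangerous" warning: like rpmlint's call-to-mktemp, it flags the symbol and cannot see how the name is opened afterwards.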

Comment 17 Pádraig Brady 2013-12-12 01:19:57 UTC
Yes, you're right, it's better to rely on the auto lib depends here:
http://fedoraproject.org/wiki/Packaging:Guidelines#Explicit_Requires
OK, all looks good to go for the scm request.

Comment 18 Christopher Meng 2013-12-12 04:03:51 UTC
(In reply to Pádraig Brady from comment #17)
> Yes, you're right, it's better to rely on the auto lib depends here:
> http://fedoraproject.org/wiki/Packaging:Guidelines#Explicit_Requires
> OK, all looks good to go for the scm request.

Hey, they all need a sponsor. You don't even know Andy's FAS name.

Comment 19 Andy Lutomirski 2013-12-12 05:05:34 UTC
Yeah -- I put it on my other package review ticket and on my post to the devel list.  I'm amluto.

Comment 20 Matthias Runge 2013-12-12 08:13:40 UTC
Andy, just for the process (you're not the reporter)

could you please open another re-review request? I'll happily review that one, so please assign the request to me (mrunge).

