Spec URL: http://cicku.me/sstp-client.spec SRPM URL: http://cicku.me/sstp-client-1.0.9-1.fc20.src.rpm Description: This is a client for the Secure Socket Tunneling Protocol, SSTP. It can be used to establish a SSTP connection to a Windows Server. Fedora Account System Username: cicku
*** Bug 875450 has been marked as a duplicate of this bug. ***
I'll take this review.
rpmlint provides some feedback: Checking: sstp-client-1.0.9-1.fc19.x86_64.rpm sstp-client-devel-1.0.9-1.fc19.x86_64.rpm sstp-client.x86_64: E: explicit-lib-dependency libevent sstp-client.x86_64: E: binary-or-shlib-defines-rpath /usr/sbin/sstpc ['/usr/lib64'] sstp-client.x86_64: E: missing-call-to-setgroups /usr/sbin/sstpc sstp-client.x86_64: E: binary-or-shlib-defines-rpath /usr/lib64/pppd/2.4.5/sstp-pppd-plugin.so ['/usr/lib64'] sstp-client-devel.x86_64: W: no-documentation 2 packages and 0 specfiles checked; 4 errors, 1 warnings. First off, the shared libs need to have their rpaths removed as per [1]. Once that's done, rpmlint will probably complain that there's no ldconfig being called. You should specify %post and %postun -p /sbin/ldconfig if that's the case Libevent doesn't need to be an explicit Requires: in the package; libsstp_api-0.so links to libevent so rpm will generate the dependency automatically. ldd ./libsstp_api-0.so |grep libevent libevent-2.0.so.5 => /lib64/libevent-2.0.so.5 (0x00007f334a29b000) libsstp_api.so is a symlink to libsstp_api-0.so, which is the real library. The libsstp_api.so symlink should probably be in the -devel package. Finally, the missing-call-to-setgroups error is something you should bring up upstream. rpmlint is pointing this out as an error, but I'm not sure which packaging guideline this violates (though it does look like a security issue that needs to be addressed.) [1] http://fedoraproject.org/wiki/Packaging:Guidelines#Beware_of_Rpath
missing-call-to-setgroups has been renamed to missing-call-to-setgroups-before-setuid. This will be available in the next version. And the explanation is: This executable is calling setuid and setgid without setgroups or initgroups. There is a high probability this mean it didn't relinquish all groups, and this would be a potential security issue to be fixed. Seek POS36-C on the web for details about the problem. Ref POS36-C: https://www.securecoding.cert.org/confluence/display/seccode/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges Spec URL: http://cicku.me/sstp-client.spec SRPM URL: http://cicku.me/sstp-client-1.0.9-2.fc20.src.rpm
Package Review ============== Legend: [x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated Issues: ======= - Development (unversioned) .so files in -devel subpackage, if present. Note: Unversioned so-files directly in %_libdir. See: http://fedoraproject.org/wiki/Packaging/Guidelines#DevelPackages ===== MUST items ===== C/C++: [x]: Package does not contain kernel modules. [x]: Package contains no static executables. [x]: Header files in -devel subpackage, if present. [x]: Package does not contain any libtool archives (.la) [x]: Rpath absent or only used for internal libs. Generic: [x]: Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines. [x]: %build honors applicable compiler flags or justifies otherwise. [x]: Package contains no bundled libraries without FPC exception. [x]: Changelog in prescribed format. [x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install. Note: rm -rf %{buildroot} present but not required [x]: Sources contain only permissible code or content. [-]: Package contains desktop file if it is a GUI application. [!]: Development files must be in a -devel package [x]: Package requires other packages for directories it uses. [x]: Package uses nothing in %doc for runtime. [x]: Package is not known to require ExcludeArch. [x]: Package complies to the Packaging Guidelines [x]: License field in the package spec file matches the actual license. Note: Checking patched sources after %prep for licenses. Licenses found: "GPL (v2 or later)", "Unknown or generated". 2 files have unknown license. Detailed output of licensecheck in /home/rich/tmp/976770-sstp- client/licensecheck.txt [x]: License file installed when any subpackage combination is installed. [x]: Package consistently uses macro is (instead of hard-coded directory names). [x]: Package is named according to the Package Naming Guidelines. [x]: Package does not generate any conflict. [x]: Package obeys FHS, except libexecdir and /usr/target. [-]: If the package is a rename of another package, proper Obsoletes and Provides are present. [!]: Package must own all directories that it creates. [x]: Package does not own files or directories owned by other packages. [x]: Requires correct, justified where necessary. [x]: Spec file is legible and written in American English. [-]: Package contains systemd file(s) if in need. [x]: Useful -debuginfo package or justification otherwise. [-]: Large documentation must go in a -doc subpackage. Note: Documentation size is 40960 bytes in 8 files. [x]: All build dependencies are listed in BuildRequires, except for any that are listed in the exceptions section of Packaging Guidelines. [x]: Each %files section contains %defattr if rpm < 4.4 [x]: Macros in Summary, %description expandable at SRPM build time. [x]: Package does not contain duplicates in %files. [x]: Permissions on files are set properly. [x]: Fully versioned dependency in subpackages, if present. [x]: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %doc. [x]: Package use %makeinstall only when make install' ' DESTDIR=... doesn't work. [x]: Package is named using only allowed ASCII characters. [x]: Package do not use a name that already exist [x]: Package is not relocatable. [x]: Sources used to build the package match the upstream source, as provided in the spec URL. [x]: Spec file name must match the spec package %{name}, in the format %{name}.spec. [x]: File names are valid UTF-8. [x]: Packages must not store files under /srv, /opt or /usr/local [x]: Package successfully compiles and builds into binary rpms on at least one supported primary architecture. [x]: Package installs properly. [x]: Rpmlint is run on all rpms the build produces. Note: There are rpmlint messages (see attachment). ===== SHOULD items ===== Generic: [x]: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it. [!]: Final provides and requires are sane (see attachments). [x]: Package functions as described. [x]: Latest version is packaged. [x]: Package does not include license text files separate from upstream. [x]: Scriptlets must be sane, if used. [-]: Description and summary sections in the package spec file contains translations for supported Non-English languages, if available. [x]: Package should compile and build into binary rpms on all supported architectures. [-]: %check is present and all tests pass. [x]: Packages should try to preserve timestamps of original installed files. [x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file [x]: Sources can be downloaded from URI in Source: tag [x]: Reviewer should test that the package builds in mock. [x]: Buildroot is not present [x]: Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT) [x]: Dist tag is present. [x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin. [x]: Uses parallel make. [x]: The placement of pkgconfig(.pc) files are correct. [x]: SourceX tarball generation or download is documented. [x]: SourceX is a working URL. [x]: Spec use %global instead of %define. ===== EXTRA items ===== Generic: [x]: Large data in /usr/share should live in a noarch subpackage if package is arched. [x]: Rpmlint is run on all installed packages. Note: There are rpmlint messages (see attachment). [x]: Spec file according to URL is the same as in SRPM. Rpmlint ------- Checking: sstp-client-1.0.9-2.fc19.x86_64.rpm sstp-client-devel-1.0.9-2.fc19.x86_64.rpm sstp-client.x86_64: E: missing-call-to-setgroups /usr/sbin/sstpc sstp-client-devel.x86_64: W: no-documentation 2 packages and 0 specfiles checked; 1 errors, 1 warnings. Rpmlint (installed packages) ---------------------------- # rpmlint sstp-client sstp-client-devel sstp-client.x86_64: E: missing-call-to-setgroups /usr/sbin/sstpc sstp-client.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libsstp_api-0.so /lib64/libutil.so.1 sstp-client.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libsstp_api-0.so /lib64/libevent-2.0.so.5 sstp-client.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libsstp_api-0.so /lib64/libssl.so.10 sstp-client.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libsstp_api-0.so /lib64/libcrypto.so.10 sstp-client-devel.x86_64: W: no-documentation 2 packages and 0 specfiles checked; 1 errors, 5 warnings. # echo 'rpmlint-done:' Requires -------- sstp-client (rpmlib, GLIBC filtered): /sbin/ldconfig libc.so.6()(64bit) libcrypto.so.10()(64bit) libcrypto.so.10(libcrypto.so.10)(64bit) libevent-2.0.so.5()(64bit) libssl.so.10()(64bit) libssl.so.10(libssl.so.10)(64bit) libsstp_api-0.so()(64bit) libutil.so.1()(64bit) openssl ppp rtld(GNU_HASH) sstp-client-devel (rpmlib, GLIBC filtered): /usr/bin/pkg-config sstp-client(x86-64) Provides -------- sstp-client: libsstp_api-0.so()(64bit) sstp-client sstp-client(x86-64) sstp-pppd-plugin.so()(64bit) sstp-client-devel: pkgconfig(sstp-client-1.0) sstp-client-devel sstp-client-devel(x86-64) Unversioned so-files -------------------- sstp-client: /usr/lib64/libsstp_api-0.so sstp-client: /usr/lib64/libsstp_api.so sstp-client: /usr/lib64/pppd/2.4.5/sstp-pppd-plugin.so Source checksums ---------------- http://downloads.sourceforge.net/project/sstp-client/sstp-client/1.0.9/sstp-client-1.0.9.tar.gz : CHECKSUM(SHA256) this package : d3d8a26485b2cf0b24e148301b94b3ab9cdb17700ecd7c408b8fd6ad16f7fc4e CHECKSUM(SHA256) upstream package : d3d8a26485b2cf0b24e148301b94b3ab9cdb17700ecd7c408b8fd6ad16f7fc4e Generated by fedora-review 0.4.1 (b2e211f) last change: 2013-04-29 Buildroot used: fedora-19-x86_64 Command line :/usr/bin/fedora-review -b 976770 ========================================== The unversioned so files is a false alarm. libsstp_api-0.so does have a version with a proper soname, I think fedora-review just looks for versioning in the form of libsstp_api.so.0 instead of libsstp_api-0.so. The libsstp_api.so symlink just points to the first file, and should be in the -devel subpackage. Finally, sstp-pppd-plugin.so is a private library, and should be filtered from the Provides [1] The unused shlib dependency is easy to fix, it has to do with extraneous libraries on the linker command line. See [2]. The pppd/ subdirectory of %{_libdir} isn't currently owned by your package, the way it's specified (%{_libdir}/pppd/2.4.5/sstp-pppd-plugin.so) only asserts ownership over the library in the subfolders. You should specify %{_libdir}/pppd, which will recursively own pppd/, pppd/2.4.5/ and the library. [1] https://fedoraproject.org/wiki/Packaging:AutoProvidesAndRequiresFiltering#Filtering_provides_and_requires_after_scanning [2] http://fedoraproject.org/wiki/Common_Rpmlint_issues#unused-direct-shlib-dependency
I don't need to own pppd/2.4.5, it's not mine. Only thing is the library itself. NEW SPEC URL: http://cicku.me/sstp-client.spec NEW SRPM URL: http://cicku.me/sstp-client-1.0.9-2.fc20.src.rpm
Sorry, NEW SPEC URL: http://cicku.me/sstp-client.spec NEW SRPM URL: http://cicku.me/sstp-client-1.0.9-3.fc20.src.rpm
Sorry about the delay. It looks pretty good, i'm just wondering why the libsstp_api.so symlink is still in the base package and not the -devel package. According to [1], unversioned symlinks should be in a -devel package when a matching versioned system library is also present. Once that's taken care of, I think this package is ready for approval. [1] http://fedoraproject.org/wiki/Packaging:Guidelines#Devel_Packages
Oh...I forgot to fix them... NEW SPEC URL: http://cicku.me/sstp-client.spec NEW SRPM URL: http://cicku.me/sstp-client-1.0.9-4.fc20.src.rpm
Great, everything looks good now. This package is APPROVED
Thanks, Rich. New Package SCM Request ======================= Package Name: sstp-client Short Description: Secure Socket Tunneling Protocol (SSTP) Client Owners: cicku Branches: f19 InitialCC:
Git done (by process-git-requests).
sstp-client-1.0.9-4.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/sstp-client-1.0.9-4.fc19
sstp-client-1.0.9-4.fc19 has been pushed to the Fedora 19 testing repository.
sstp-client-1.0.9-4.fc19 has been pushed to the Fedora 19 stable repository.