Bug 976770 - Review Request: sstp-client - Secure Socket Tunneling Protocol (SSTP) Client
Review Request: sstp-client - Secure Socket Tunneling Protocol (SSTP) Client
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Rich Mattes
Fedora Extras Quality Assurance
: 875450 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2013-06-21 08:09 EDT by Christopher Meng
Modified: 2013-08-10 16:01 EDT (History)
4 users (show)

See Also:
Fixed In Version: sstp-client-1.0.9-4.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-08-10 16:01:52 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
richmattes: fedora‑review+
limburgher: fedora‑cvs+

Attachments (Terms of Use)

  None (edit)
Description Christopher Meng 2013-06-21 08:09:10 EDT
Spec URL: http://cicku.me/sstp-client.spec
SRPM URL: http://cicku.me/sstp-client-1.0.9-1.fc20.src.rpm

Description: This is a client for the Secure Socket Tunneling Protocol, SSTP. It can be used to establish a SSTP connection to a Windows Server.

Fedora Account System Username: cicku
Comment 1 Christopher Meng 2013-06-21 08:09:27 EDT
*** Bug 875450 has been marked as a duplicate of this bug. ***
Comment 2 Rich Mattes 2013-07-22 08:48:03 EDT
I'll take this review.
Comment 3 Rich Mattes 2013-07-22 22:48:26 EDT
rpmlint provides some feedback:

Checking: sstp-client-1.0.9-1.fc19.x86_64.rpm
sstp-client.x86_64: E: explicit-lib-dependency libevent
sstp-client.x86_64: E: binary-or-shlib-defines-rpath /usr/sbin/sstpc ['/usr/lib64']
sstp-client.x86_64: E: missing-call-to-setgroups /usr/sbin/sstpc
sstp-client.x86_64: E: binary-or-shlib-defines-rpath /usr/lib64/pppd/2.4.5/sstp-pppd-plugin.so ['/usr/lib64']
sstp-client-devel.x86_64: W: no-documentation
2 packages and 0 specfiles checked; 4 errors, 1 warnings.

First off, the shared libs need to have their rpaths removed as per [1].  Once that's done, rpmlint will probably complain that there's no ldconfig being called.  You should specify %post and %postun -p /sbin/ldconfig if that's the case

Libevent doesn't need to be an explicit Requires: in the package; libsstp_api-0.so links to libevent so rpm will generate the dependency automatically.
ldd ./libsstp_api-0.so  |grep libevent
	libevent-2.0.so.5 => /lib64/libevent-2.0.so.5 (0x00007f334a29b000)

libsstp_api.so is a symlink to libsstp_api-0.so, which is the real library. The libsstp_api.so symlink should probably be in the -devel package.

Finally, the missing-call-to-setgroups error is something you should bring up upstream.  rpmlint is pointing this out as an error, but I'm not sure which packaging guideline this violates (though it does look like a security issue that needs to be addressed.)

[1] http://fedoraproject.org/wiki/Packaging:Guidelines#Beware_of_Rpath
Comment 4 Christopher Meng 2013-07-23 01:12:55 EDT
missing-call-to-setgroups has been renamed to missing-call-to-setgroups-before-setuid.

This will be available in the next version.

And the explanation is:

This executable is calling setuid and setgid without setgroups or initgroups.
There is a high probability this mean it didn't relinquish all groups, and this
would be a potential security issue to be fixed. Seek POS36-C on the web for
details about the problem.

Ref POS36-C:


Spec URL: http://cicku.me/sstp-client.spec
SRPM URL: http://cicku.me/sstp-client-1.0.9-2.fc20.src.rpm
Comment 5 Rich Mattes 2013-07-24 22:20:19 EDT
Package Review

[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated

- Development (unversioned) .so files in -devel subpackage, if present.
  Note: Unversioned so-files directly in %_libdir.
  See: http://fedoraproject.org/wiki/Packaging/Guidelines#DevelPackages

===== MUST items =====

[x]: Package does not contain kernel modules.
[x]: Package contains no static executables.
[x]: Header files in -devel subpackage, if present.
[x]: Package does not contain any libtool archives (.la)
[x]: Rpath absent or only used for internal libs.

[x]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
[x]: %build honors applicable compiler flags or justifies otherwise.
[x]: Package contains no bundled libraries without FPC exception.
[x]: Changelog in prescribed format.
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
     Note: rm -rf %{buildroot} present but not required
[x]: Sources contain only permissible code or content.
[-]: Package contains desktop file if it is a GUI application.
[!]: Development files must be in a -devel package
[x]: Package requires other packages for directories it uses.
[x]: Package uses nothing in %doc for runtime.
[x]: Package is not known to require ExcludeArch.
[x]: Package complies to the Packaging Guidelines
[x]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses found:
     "GPL (v2 or later)", "Unknown or generated". 2 files have unknown
     license. Detailed output of licensecheck in /home/rich/tmp/976770-sstp-
[x]: License file installed when any subpackage combination is installed.
[x]: Package consistently uses macro is (instead of hard-coded directory
[x]: Package is named according to the Package Naming Guidelines.
[x]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[!]: Package must own all directories that it creates.
[x]: Package does not own files or directories owned by other packages.
[x]: Requires correct, justified where necessary.
[x]: Spec file is legible and written in American English.
[-]: Package contains systemd file(s) if in need.
[x]: Useful -debuginfo package or justification otherwise.
[-]: Large documentation must go in a -doc subpackage.
     Note: Documentation size is 40960 bytes in 8 files.
[x]: All build dependencies are listed in BuildRequires, except for any that
     are listed in the exceptions section of Packaging Guidelines.
[x]: Each %files section contains %defattr if rpm < 4.4
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Fully versioned dependency in subpackages, if present.
[x]: If (and only if) the source package includes the text of the license(s)
     in its own file, then that file, containing the text of the license(s)
     for the package is included in %doc.
[x]: Package use %makeinstall only when make install' ' DESTDIR=... doesn't
[x]: Package is named using only allowed ASCII characters.
[x]: Package do not use a name that already exist
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as provided
     in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format
[x]: File names are valid UTF-8.
[x]: Packages must not store files under /srv, /opt or /usr/local
[x]: Package successfully compiles and builds into binary rpms on at least one
     supported primary architecture.
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).

===== SHOULD items =====

[x]: If the source package does not include license text(s) as a separate file
     from upstream, the packager SHOULD query upstream to include it.
[!]: Final provides and requires are sane (see attachments).
[x]: Package functions as described.
[x]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[x]: Scriptlets must be sane, if used.
[-]: Description and summary sections in the package spec file contains
     translations for supported Non-English languages, if available.
[x]: Package should compile and build into binary rpms on all supported
[-]: %check is present and all tests pass.
[x]: Packages should try to preserve timestamps of original installed files.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: Sources can be downloaded from URI in Source: tag
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or
[x]: Dist tag is present.
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Uses parallel make.
[x]: The placement of pkgconfig(.pc) files are correct.
[x]: SourceX tarball generation or download is documented.
[x]: SourceX is a working URL.
[x]: Spec use %global instead of %define.

===== EXTRA items =====

[x]: Large data in /usr/share should live in a noarch subpackage if package is
[x]: Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).
[x]: Spec file according to URL is the same as in SRPM.

Checking: sstp-client-1.0.9-2.fc19.x86_64.rpm
sstp-client.x86_64: E: missing-call-to-setgroups /usr/sbin/sstpc
sstp-client-devel.x86_64: W: no-documentation
2 packages and 0 specfiles checked; 1 errors, 1 warnings.

Rpmlint (installed packages)
# rpmlint sstp-client sstp-client-devel
sstp-client.x86_64: E: missing-call-to-setgroups /usr/sbin/sstpc
sstp-client.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libsstp_api-0.so /lib64/libutil.so.1
sstp-client.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libsstp_api-0.so /lib64/libevent-2.0.so.5
sstp-client.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libsstp_api-0.so /lib64/libssl.so.10
sstp-client.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libsstp_api-0.so /lib64/libcrypto.so.10
sstp-client-devel.x86_64: W: no-documentation
2 packages and 0 specfiles checked; 1 errors, 5 warnings.
# echo 'rpmlint-done:'

sstp-client (rpmlib, GLIBC filtered):

sstp-client-devel (rpmlib, GLIBC filtered):



Unversioned so-files
sstp-client: /usr/lib64/libsstp_api-0.so
sstp-client: /usr/lib64/libsstp_api.so
sstp-client: /usr/lib64/pppd/2.4.5/sstp-pppd-plugin.so

Source checksums
http://downloads.sourceforge.net/project/sstp-client/sstp-client/1.0.9/sstp-client-1.0.9.tar.gz :
  CHECKSUM(SHA256) this package     : d3d8a26485b2cf0b24e148301b94b3ab9cdb17700ecd7c408b8fd6ad16f7fc4e
  CHECKSUM(SHA256) upstream package : d3d8a26485b2cf0b24e148301b94b3ab9cdb17700ecd7c408b8fd6ad16f7fc4e

Generated by fedora-review 0.4.1 (b2e211f) last change: 2013-04-29
Buildroot used: fedora-19-x86_64
Command line :/usr/bin/fedora-review -b 976770

The unversioned so files is a false alarm. libsstp_api-0.so does have a version with a proper soname, I think fedora-review just looks for versioning in the form of libsstp_api.so.0 instead of libsstp_api-0.so.  The libsstp_api.so symlink just points to the first file, and should be in the -devel subpackage.  Finally, sstp-pppd-plugin.so is a private library, and should be filtered from the Provides [1]

The unused shlib dependency is easy to fix, it has to do with extraneous libraries on the linker command line.  See [2].

The pppd/ subdirectory of %{_libdir} isn't currently owned by your package, the way it's specified (%{_libdir}/pppd/2.4.5/sstp-pppd-plugin.so) only asserts ownership over the library in the subfolders.  You should specify %{_libdir}/pppd, which will recursively own pppd/, pppd/2.4.5/ and the library.

[1] https://fedoraproject.org/wiki/Packaging:AutoProvidesAndRequiresFiltering#Filtering_provides_and_requires_after_scanning
[2] http://fedoraproject.org/wiki/Common_Rpmlint_issues#unused-direct-shlib-dependency
Comment 6 Christopher Meng 2013-07-25 22:42:35 EDT
I don't need to own pppd/2.4.5, it's not mine. Only thing is the library itself.

NEW SPEC URL: http://cicku.me/sstp-client.spec
NEW SRPM URL: http://cicku.me/sstp-client-1.0.9-2.fc20.src.rpm
Comment 7 Christopher Meng 2013-07-25 22:53:06 EDT

NEW SPEC URL: http://cicku.me/sstp-client.spec
NEW SRPM URL: http://cicku.me/sstp-client-1.0.9-3.fc20.src.rpm
Comment 8 Rich Mattes 2013-07-31 19:06:46 EDT
Sorry about the delay.  It looks pretty good, i'm just wondering why the libsstp_api.so symlink is still in the base package and not the -devel package.  According to [1], unversioned symlinks should be in a -devel package when a matching versioned system library is also present.  Once that's taken care of, I think this package is ready for approval.

[1] http://fedoraproject.org/wiki/Packaging:Guidelines#Devel_Packages
Comment 9 Christopher Meng 2013-07-31 21:07:48 EDT
Oh...I forgot to fix them...

NEW SPEC URL: http://cicku.me/sstp-client.spec
NEW SRPM URL: http://cicku.me/sstp-client-1.0.9-4.fc20.src.rpm
Comment 10 Rich Mattes 2013-07-31 22:20:55 EDT
Great, everything looks good now.  This package is APPROVED
Comment 11 Christopher Meng 2013-07-31 22:55:11 EDT
Thanks, Rich.

New Package SCM Request
Package Name: sstp-client
Short Description: Secure Socket Tunneling Protocol (SSTP) Client
Owners: cicku
Branches: f19
Comment 12 Gwyn Ciesla 2013-08-01 08:13:34 EDT
Git done (by process-git-requests).
Comment 13 Fedora Update System 2013-08-01 20:40:59 EDT
sstp-client-1.0.9-4.fc19 has been submitted as an update for Fedora 19.
Comment 14 Fedora Update System 2013-08-02 18:10:05 EDT
sstp-client-1.0.9-4.fc19 has been pushed to the Fedora 19 testing repository.
Comment 15 Fedora Update System 2013-08-10 16:01:52 EDT
sstp-client-1.0.9-4.fc19 has been pushed to the Fedora 19 stable repository.

Note You need to log in before you can comment on or make changes to this bug.