Spec URL: http://git.annexia.org/?p=fedora-specs.git;a=blob_plain;f=nbdkit.spec;hb=HEAD
SRPM URL: http://oirase.annexia.org/reviews/nbdkit/nbdkit-1.0.0-1.fc18.src.rpm
Description: NBD server
Fedora Account System Username: rjones

https://github.com/libguestfs/nbdkit

NBD is a protocol for accessing block devices (hard disks and disk-like things) over the network. 'nbdkit' is a toolkit for creating NBD servers.

The key features are:

* Multithreaded NBD server written in C with good performance.
* Well-documented, simple plugin API with a stable ABI guarantee. Lets you export "unconventional" block devices easily.
* Liberal license (BSD) allows nbdkit to be linked to proprietary libraries or included in proprietary code.

Several example plugins are included in the package.

To develop plugins, install the nbdkit-devel package and start by reading the nbdkit(1) and nbdkit-plugin(3) manual pages.
Koji scratch build against f20:
http://koji.fedoraproject.org/koji/taskinfo?taskID=5535852

rpmlint output:

nbdkit.src: W: spelling-error %description -l en_US devel -> delve, devil, revel
nbdkit.x86_64: W: spelling-error %description -l en_US devel -> delve, devil, revel
4 packages and 0 specfiles checked; 0 errors, 2 warnings.
We might want to put the plugins in a subpackage (now or later). The reason is that if we have them in the main nbdkit package, then that package will depend on all the libraries that the plugins need. Currently:

$ rpm -qR nbdkit
libc.so.6()(64bit)
libc.so.6(GLIBC_2.14)(64bit)
libc.so.6(GLIBC_2.2.5)(64bit)
libc.so.6(GLIBC_2.3.4)(64bit)
libc.so.6(GLIBC_2.4)(64bit)
libc.so.6(GLIBC_2.7)(64bit)
libc.so.6(GLIBC_2.8)(64bit)
libdl.so.2()(64bit)
libdl.so.2(GLIBC_2.2.5)(64bit)
libgcc_s.so.1()(64bit)
libgcc_s.so.1(GCC_3.0)(64bit)
libgcc_s.so.1(GCC_3.3.1)(64bit)
liblzma.so.5()(64bit)                  # needed by xz plugin
liblzma.so.5(XZ_5.0)(64bit)
libpthread.so.0()(64bit)
libpthread.so.0(GLIBC_2.2.5)(64bit)
libvirt.so.0()(64bit)                  # needed by libvirt plugin
libvirt.so.0(LIBVIRT_0.0.3)(64bit)
libvirt.so.0(LIBVIRT_0.4.2)(64bit)
libvirt.so.0(LIBVIRT_0.8.1)(64bit)
libz.so.1()(64bit)                     # needed by gzip plugin
libz.so.1(ZLIB_1.2.3.5)(64bit)
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rtld(GNU_HASH)
rpmlib(PayloadIsXz) <= 5.2-1
Apparently fedora-review doesn't like my spec URL.
Spec URL: http://oirase.annexia.org/reviews/nbdkit/nbdkit.spec
SRPM URL: http://oirase.annexia.org/reviews/nbdkit/nbdkit-1.0.0-1.fc18.src.rpm
Description: NBD server
Fedora Account System Username: rjones
Raw fedora-review output:

===== MUST items =====

C/C++:
[ ]: Package does not contain kernel modules.
[ ]: Package contains no static executables.
[ ]: Development (unversioned) .so files in -devel subpackage, if present.
     Note: Unversioned so-files in private %_libdir subdirectory (see attachment). Verify they are not in ld path.
[x]: Header files in -devel subpackage, if present.
[x]: Package does not contain any libtool archives (.la)
[x]: Rpath absent or only used for internal libs.

Generic:
[ ]: Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines.
[ ]: %build honors applicable compiler flags or justifies otherwise.
[ ]: Package contains no bundled libraries without FPC exception.
[ ]: Changelog in prescribed format.
[ ]: Sources contain only permissible code or content.
[ ]: Package contains desktop file if it is a GUI application.
[ ]: Development files must be in a -devel package
[ ]: Package requires other packages for directories it uses.
[ ]: Package uses nothing in %doc for runtime.
[ ]: Package is not known to require ExcludeArch.
[ ]: Fully versioned dependency in subpackages, if present.
     Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in nbdkit-devel
[ ]: Package complies to the Packaging Guidelines
[ ]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses found: "BSD (3 clause)", "GPL (v2 or later)". Detailed output of licensecheck in /home/mbooth/977446-nbdkit/licensecheck.txt
[ ]: License file installed when any subpackage combination is installed.
[ ]: Package consistently uses macro is (instead of hard-coded directory names).
[ ]: Package is named according to the Package Naming Guidelines.
[ ]: Package does not generate any conflict.
[ ]: Package obeys FHS, except libexecdir and /usr/target.
[ ]: If the package is a rename of another package, proper Obsoletes and Provides are present.
[ ]: Package must own all directories that it creates.
[ ]: Package does not own files or directories owned by other packages.
[ ]: Requires correct, justified where necessary.
[ ]: Spec file is legible and written in American English.
[ ]: Package contains systemd file(s) if in need.
[ ]: Useful -debuginfo package or justification otherwise.
[ ]: Large documentation must go in a -doc subpackage.
     Note: Documentation size is 40960 bytes in 8 files.
[x]: All build dependencies are listed in BuildRequires, except for any that are listed in the exceptions section of Packaging Guidelines.
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install.
[x]: Each %files section contains %defattr if rpm < 4.4
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %doc.
[x]: Package use %makeinstall only when make install' ' DESTDIR=... doesn't work.
[x]: Package is named using only allowed ASCII characters.
[x]: Package do not use a name that already exist
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as provided in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Packages must not store files under /srv, /opt or /usr/local
[x]: Package successfully compiles and builds into binary rpms on at least one supported primary architecture.
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
===== SHOULD items =====

Generic:
[ ]: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it.
[ ]: Final provides and requires are sane (see attachments).
[ ]: Package functions as described.
[ ]: Latest version is packaged.
[ ]: Package does not include license text files separate from upstream.
[ ]: Description and summary sections in the package spec file contains translations for supported Non-English languages, if available.
[ ]: Package should compile and build into binary rpms on all supported architectures.
[ ]: %check is present and all tests pass.
[ ]: Packages should try to preserve timestamps of original installed files.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: Sources can be downloaded from URI in Source: tag
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT)
[x]: Dist tag is present.
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Uses parallel make.
[x]: SourceX tarball generation or download is documented.
[x]: SourceX is a working URL.
[x]: Spec use %global instead of %define.

===== EXTRA items =====

Generic:
[x]: Large data in /usr/share should live in a noarch subpackage if package is arched.
[x]: Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).
[x]: Spec file according to URL is the same as in SRPM.

Rpmlint
-------
Checking: nbdkit-1.0.0-1.fc18.x86_64.rpm
          nbdkit-devel-1.0.0-1.fc18.x86_64.rpm
nbdkit.x86_64: W: spelling-error %description -l en_US devel -> delve, devil, revel
2 packages and 0 specfiles checked; 0 errors, 1 warnings.
Rpmlint (installed packages)
----------------------------
# rpmlint nbdkit-devel nbdkit
nbdkit.x86_64: W: spelling-error %description -l en_US devel -> delve, devil, revel
2 packages and 0 specfiles checked; 0 errors, 1 warnings.
# echo 'rpmlint-done:'

Requires
--------
nbdkit-devel (rpmlib, GLIBC filtered):
    nbdkit

nbdkit (rpmlib, GLIBC filtered):
    libc.so.6()(64bit)
    libdl.so.2()(64bit)
    libgcc_s.so.1()(64bit)
    libgcc_s.so.1(GCC_3.0)(64bit)
    libgcc_s.so.1(GCC_3.3.1)(64bit)
    liblzma.so.5()(64bit)
    liblzma.so.5(XZ_5.0)(64bit)
    libpthread.so.0()(64bit)
    libvirt.so.0()(64bit)
    libvirt.so.0(LIBVIRT_0.0.3)(64bit)
    libvirt.so.0(LIBVIRT_0.4.2)(64bit)
    libvirt.so.0(LIBVIRT_0.8.1)(64bit)
    libz.so.1()(64bit)
    libz.so.1(ZLIB_1.2.3.5)(64bit)
    rtld(GNU_HASH)

Provides
--------
nbdkit-devel:
    nbdkit-devel
    nbdkit-devel(x86-64)

nbdkit:
    nbdkit
    nbdkit(x86-64)
    nbdkit-example1-plugin.so()(64bit)
    nbdkit-example2-plugin.so()(64bit)
    nbdkit-example3-plugin.so()(64bit)
    nbdkit-file-plugin.so()(64bit)
    nbdkit-gzip-plugin.so()(64bit)
    nbdkit-libvirt-plugin.so()(64bit)
    nbdkit-xz-plugin.so()(64bit)

Unversioned so-files
--------------------
nbdkit: /usr/lib64/nbdkit/plugins/nbdkit-example1-plugin.so
nbdkit: /usr/lib64/nbdkit/plugins/nbdkit-example2-plugin.so
nbdkit: /usr/lib64/nbdkit/plugins/nbdkit-example3-plugin.so
nbdkit: /usr/lib64/nbdkit/plugins/nbdkit-file-plugin.so
nbdkit: /usr/lib64/nbdkit/plugins/nbdkit-gzip-plugin.so
nbdkit: /usr/lib64/nbdkit/plugins/nbdkit-libvirt-plugin.so
nbdkit: /usr/lib64/nbdkit/plugins/nbdkit-xz-plugin.so

Source checksums
----------------
http://libguestfs.org/download/nbdkit/nbdkit-1.0.0.tar.gz :
  CHECKSUM(SHA256) this package     : d7c46d60f071c5d85da50bb39d1551273a6c5f6cd88ed34fd89ce58335734972
  CHECKSUM(SHA256) upstream package : d7c46d60f071c5d85da50bb39d1551273a6c5f6cd88ed34fd89ce58335734972

Generated by fedora-review 0.4.1 (b2e211f) last change: 2013-04-29
Buildroot used: fedora-18-x86_64
Command line :/usr/bin/fedora-review -b 977446
QUERIES
=======

It's a server, but it doesn't contain a systemd unit. Should it?

PROBLEMS
========

I'm pretty sure the %changelog format should be:

* Mon Jun 24 2013 Richard W.M. Jones <rjones> - 1.0.0-1

(Note the additional '-', no idea why)

Missing fully versioned dependency on -devel package:

Requires: %{name}%{?_isa} = %{version}-%{release} in nbdkit-devel

Example plugins are all packaged and installed, including:

nbdkit: /usr/lib64/nbdkit/plugins/nbdkit-example1-plugin.so
nbdkit: /usr/lib64/nbdkit/plugins/nbdkit-example2-plugin.so
nbdkit: /usr/lib64/nbdkit/plugins/nbdkit-example3-plugin.so

REPORTED NON-PROBLEMS
=====================

Detected GPL (v2 or later) is a false positive on ltmail.sh
(In reply to Matthew Booth from comment #6)
> QUERIES
> =======
>
> It's a server, but it doesn't contain a systemd unit. Should it?

It's a server/daemon, but spec doesn't enable hardened build. Why?
(In reply to Matthew Booth from comment #6)
> QUERIES
> =======
>
> It's a server, but it doesn't contain a systemd unit. Should it?

Good question, but I think not. The reason is that you can't "just run" it without at least specifying a plugin and a file to serve, and even if you assume the default plugin should be 'file' it's not clear what file you would want to serve by default.

> PROBLEMS
> ========
>
> I'm pretty sure the %changelog format should be:
> * Mon Jun 24 2013 Richard W.M. Jones <rjones> - 1.0.0-1
> (Note the additional '-', no idea why)

Fixed.

> Missing fully versioned dependency on -devel package:
> Requires: %{name}%{?_isa} = %{version}-%{release} in nbdkit-devel

I guess missing %{?_isa}? Fixed.

> Example plugins are all packaged and installed, including:
> nbdkit: /usr/lib64/nbdkit/plugins/nbdkit-example1-plugin.so
> nbdkit: /usr/lib64/nbdkit/plugins/nbdkit-example2-plugin.so
> nbdkit: /usr/lib64/nbdkit/plugins/nbdkit-example3-plugin.so

Yup, that's intentional.

> REPORTED NON-PROBLEMS
> =====================
>
> Detected GPL (v2 or later) is a false positive on ltmail.sh

Second version is here:

Spec URL: http://oirase.annexia.org/reviews/nbdkit/nbdkit.spec
SRPM URL: http://oirase.annexia.org/reviews/nbdkit/nbdkit-1.0.0-2.fc18.src.rpm
Description: NBD server
Fedora Account System Username: rjones
Third version adds _hardened_build:

Spec URL: http://oirase.annexia.org/reviews/nbdkit/nbdkit.spec
SRPM URL: http://oirase.annexia.org/reviews/nbdkit/nbdkit-1.0.0-3.fc18.src.rpm
Description: NBD server
Fedora Account System Username: rjones
(In reply to Richard W.M. Jones from comment #9)
> Third version adds _hardened_build:

The sbin looks fine:

usr/sbin/nbdkit:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
    unprotected: poll
    unprotected: read
    unprotected: memcpy
    protected: snprintf
    protected: vfprintf
    protected: read
    protected: asprintf
    protected: memcpy
    protected: printf
    protected: fprintf
 Read-only relocations: yes
 Immediate binding: yes

Unfortunately the plugins do not:

usr/lib64/nbdkit/plugins/nbdkit-example1-plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
    unprotected: memcpy
 Read-only relocations: yes
 Immediate binding: no, not found!

usr/lib64/nbdkit/plugins/nbdkit-example2-plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
    unprotected: pread
 Read-only relocations: yes
 Immediate binding: no, not found!

usr/lib64/nbdkit/plugins/nbdkit-example3-plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
    unprotected: pread
 Read-only relocations: yes
 Immediate binding: no, not found!

usr/lib64/nbdkit/plugins/nbdkit-file-plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
    unprotected: pread
 Read-only relocations: yes
 Immediate binding: no, not found!

usr/lib64/nbdkit/plugins/nbdkit-gzip-plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: no, not found!
usr/lib64/nbdkit/plugins/nbdkit-libvirt-plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: no, not found!

usr/lib64/nbdkit/plugins/nbdkit-xz-plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
    unprotected: read
    unprotected: memcpy
    protected: read
 Read-only relocations: yes
 Immediate binding: no, not found!
(In reply to Björn Esser from comment #10)
> Unfortunately the plugins do not:
>
> usr/lib64/nbdkit/plugins/nbdkit-example1-plugin.so:
> Position Independent Executable: no, regular shared library (ignored)
> Stack protected: no, not found!
> Fortify Source functions: no, only unprotected functions found!
> unprotected: memcpy
> Read-only relocations: yes
> Immediate binding: no, not found!

I have no idea -- they're just built using standard automake libtool rules, eg:

https://github.com/libguestfs/nbdkit/blob/master/plugins/example1/Makefile.am#L37

We don't remove any options from CFLAGS.
Discussion of _hardened_build options aside, I think this meets the packaging guidelines. That could perhaps move into a separate BZ so it doesn't get lost.
(In reply to Richard W.M. Jones from comment #11)
> I have no idea -- they're just built using standard automake
> libtool rules, eg:
>
> https://github.com/libguestfs/nbdkit/blob/master/plugins/example1/Makefile.
> am#L37
>
> We don't remove any options from CFLAGS.

but autocrap's libtool does when assembling single objects to lib.so

adding this BEFORE %configure in spec-file should fix one issue:

# force Immediate binding for hardened build with autocrap libtool
export LDFLAGS="$LDFLAGS -Wl,-z,now"
(In reply to Björn Esser from comment #13)
> (In reply to Richard W.M. Jones from comment #11)
> > I have no idea -- they're just built using standard automake
> > libtool rules, eg:
> >
> > https://github.com/libguestfs/nbdkit/blob/master/plugins/example1/Makefile.
> > am#L37
> >
> > We don't remove any options from CFLAGS.
>
> but autocrap's libtool does when assembling single objects to lib.so
>
> adding this BEFORE %configure in spec-file should fix one issue:
>
> # force Immediate binding for hardened build with autocrap libtool
> export LDFLAGS="$LDFLAGS -Wl,-z,now"

It's still not quite right. With this change, I get:

$ hardening-check /usr/lib64/nbdkit/plugins/nbdkit-example1-plugin.so
/usr/lib64/nbdkit/plugins/nbdkit-example1-plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: yes

It looks like fortify source CFLAGS are being dropped somewhere.
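Two questions recur in this review: which shared libraries each plugin pulls in (the subpackage concern in comment #2, visible as DT_NEEDED entries and hence as rpm Requires), and whether the hardening flags actually reached the plugin .so files (the hardening-check output in comments #10, #13 and #14). The script below is an added example, not part of this review and not nbdkit's or Fedora's code. It reads the ELF program headers and dynamic section directly with the Python standard library and reports the same evidence hardening-check looks at: a PT_GNU_RELRO segment (read-only relocations), BIND_NOW in the dynamic flags (immediate binding, what `-Wl,-z,now` adds), and `__stack_chk_fail` / `*_chk` names in the dynamic string table (stack protector and FORTIFY_SOURCE). It assumes little-endian ELF64 input; `build_sample_so()` constructs a minimal, non-loadable ELF image with just that metadata so the checker can be exercised without a compiler, and the library name it embeds is a constructed sample.

```python
"""ELF64 inspector: DT_NEEDED libraries plus RELRO / BIND_NOW / stack-protector /
FORTIFY evidence. Added example, not nbdkit's or Fedora's code."""
import struct
import sys

# ELF64 constants (System V ABI / glibc elf.h values)
ET_DYN = 3
PT_LOAD, PT_DYNAMIC, PT_GNU_RELRO = 1, 2, 0x6474E552
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ = 0, 1, 5, 10
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
PHDR_FIELDS = ("type", "flags", "offset", "vaddr", "paddr", "filesz", "memsz", "align")


def _program_headers(data):
    """Return (e_type, list of program-header dicts) parsed from the ELF header."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    return e_type, [dict(zip(PHDR_FIELDS, struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)))
                    for i in range(e_phnum)]


def _vaddr_to_offset(phdrs, addr):
    """Map a virtual address to a file offset through the PT_LOAD segments."""
    for p in phdrs:
        if p["type"] == PT_LOAD and p["vaddr"] <= addr < p["vaddr"] + p["filesz"]:
            return addr - p["vaddr"] + p["offset"]
    raise ValueError("address %#x is not backed by the file" % addr)


def hardening_report(data):
    """Collect the dynamic-section evidence hardening-check reports, plus DT_NEEDED."""
    e_type, phdrs = _program_headers(data)
    dyn = next((p for p in phdrs if p["type"] == PT_DYNAMIC), None)
    if dyn is None:
        raise ValueError("no PT_DYNAMIC segment (statically linked?)")
    entries, off = [], dyn["offset"]
    while True:                                   # walk the dynamic array up to DT_NULL
        tag, val = struct.unpack_from("<qQ", data, off)
        if tag == DT_NULL:
            break
        entries.append((tag, val))
        off += 16
    tags = dict(entries)                          # only singleton tags are looked up here
    base = _vaddr_to_offset(phdrs, tags[DT_STRTAB])
    strings = data[base:base + tags[DT_STRSZ]]    # dynamic string table: symbol + library names
    names = [s.decode() for s in strings.split(b"\0") if s]
    bind_now = (DT_BIND_NOW in tags
                or bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW)
                or bool(tags.get(DT_FLAGS_1, 0) & DF_1_NOW))
    relro = any(p["type"] == PT_GNU_RELRO for p in phdrs)
    fortified = sorted(n for n in names if n.startswith("__") and n.endswith("_chk"))
    return {
        "shared_object": e_type == ET_DYN,
        "relro": relro,
        "bind_now": bind_now,
        "full_relro": relro and bind_now,         # -Wl,-z,relro together with -Wl,-z,now
        "stack_protector": "__stack_chk_fail" in names,
        "fortify": bool(fortified),
        "fortified_calls": fortified,
        "needed": [strings[v:strings.index(b"\0", v)].decode() for t, v in entries if t == DT_NEEDED],
    }


def build_sample_so(bind_now=True, stack_protector=True, fortified=True, relro=True):
    """Constructed sample: a minimal ELF64 ET_DYN image (one PT_LOAD mapping the whole
    file at address 0, a PT_DYNAMIC and optionally a PT_GNU_RELRO segment). It is not
    loadable, but it carries exactly the metadata hardening_report() inspects."""
    names = [b"libz.so.1", b"memcpy"]              # constructed library and symbol names
    if stack_protector:
        names.append(b"__stack_chk_fail")
    if fortified:
        names.append(b"__memcpy_chk")
    strings = b"\0" + b"\0".join(names) + b"\0"
    strtab_off = 256                               # past the 64-byte header and 3 phdrs
    dyn_off = (strtab_off + len(strings) + 15) & ~15
    dyn = [(DT_NEEDED, 1), (DT_STRTAB, strtab_off), (DT_STRSZ, len(strings))]
    if bind_now:
        dyn.append((DT_FLAGS, DF_BIND_NOW))
    dyn.append((DT_NULL, 0))
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in dyn)
    size = dyn_off + len(dyn_bytes)
    phdrs = [(PT_LOAD, 5, 0, 0, 0, size, size, 0x1000),
             (PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn_bytes), len(dyn_bytes), 8)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, dyn_off, dyn_off, dyn_off, len(dyn_bytes), len(dyn_bytes), 1))
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
            + struct.pack("<HHIQQQIHHHHHH", ET_DYN, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0))
    img = bytearray(size)
    img[0:64] = ehdr
    img[64:64 + 56 * len(phdrs)] = b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)
    img[strtab_off:strtab_off + len(strings)] = strings
    img[dyn_off:dyn_off + len(dyn_bytes)] = dyn_bytes
    return bytes(img)


if __name__ == "__main__":
    # Usage: python3 elfcheck.py /usr/lib64/nbdkit/plugins/nbdkit-file-plugin.so
    # With no argument it inspects the constructed sample image.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_so()
    for key, value in hardening_report(blob).items():
        print("%-16s %s" % (key, value))
```

Run against a real plugin, `needed` is the list that turns into `Requires` on the package (the liblzma / libvirt / libz entries in comment #2), and `full_relro` is what `-Wl,-z,relro -Wl,-z,now` together should produce; a missing `bind_now` on a plugin after the build reproduces the "Immediate binding: no" finding above. The stack-protector and FORTIFY checks are symbol-name heuristics, so an object that uses no protectable libc function or has no stack buffers can legitimately show neither, which is the "unknown" case hardening-check prints for the gzip plugin.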
New Package SCM Request
=======================
Package Name: nbdkit
Short Description: NBD server
Owners: rjones
Branches: f18 f19
InitialCC:
Git done (by process-git-requests).
(In reply to Richard W.M. Jones from comment #14)
> It's still not quite right. With this change, I get:
>
> $ hardening-check /usr/lib64/nbdkit/plugins/nbdkit-example1-plugin.so
> /usr/lib64/nbdkit/plugins/nbdkit-example1-plugin.so:
> Position Independent Executable: no, regular shared library (ignored)
> Stack protected: no, not found!
> Fortify Source functions: no, only unprotected functions found!
> Read-only relocations: yes
> Immediate binding: yes
>
> It looks like fortify source CFLAGS are being dropped somewhere.

According to build.log CFLAGS are always applied correctly. Do these plugins which fail stack-protector even do any operation on stack or are they performing on heap, only?
(In reply to Björn Esser from comment #17)
> According to build.log CFLAGS are always applied correctly. Do these
> plugins which fail stack-protector even do any operation on stack or are
> they performing on heap, only?

There's really no "funny business" about them at all. See:

https://github.com/libguestfs/nbdkit/blob/master/plugins/example1/example1.c
https://github.com/libguestfs/nbdkit/blob/master/plugins/example2/example2.c
https://github.com/libguestfs/nbdkit/blob/master/plugins/example3/example3.c

The first one happens to have a large uninitialized data section, but the others are just normal C code. None of them are fortified according to hardening-check.
nbdkit-1.0.0-4.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/nbdkit-1.0.0-4.fc19
nbdkit-1.0.0-4.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/nbdkit-1.0.0-4.fc18
(In reply to Björn Esser from comment #17)
> (In reply to Richard W.M. Jones from comment #14)
> > It's still not quite right. With this change, I get:
> >
> > $ hardening-check /usr/lib64/nbdkit/plugins/nbdkit-example1-plugin.so
> > /usr/lib64/nbdkit/plugins/nbdkit-example1-plugin.so:
> > Position Independent Executable: no, regular shared library (ignored)
> > Stack protected: no, not found!
> > Fortify Source functions: no, only unprotected functions found!
> > Read-only relocations: yes
> > Immediate binding: yes
> >
> > It looks like fortify source CFLAGS are being dropped somewhere.
>
> According to build.log CFLAGS are always applied correctly. Do these
> plugins which fail stack-protector even do any operation on stack or are
> they performing on heap, only?

OK looks like this is a false alarm:

https://lists.fedoraproject.org/pipermail/devel/2013-June/184424.html

I have checked the xz plugin and it is indeed being fully hardened:

https://lists.fedoraproject.org/pipermail/devel/2013-June/184428.html
nbdkit-1.0.0-4.fc18 has been pushed to the Fedora 18 testing repository.
nbdkit-1.0.0-4.fc18 has been pushed to the Fedora 18 stable repository.
nbdkit-1.0.0-4.fc19 has been pushed to the Fedora 19 stable repository.