[Bug 958585] Review Request: mosquitto - An Open Source MQTT v3.1 Broker

https://bugzilla.redhat.com/show_bug.cgi?id=958585

--- Comment #2 from Christopher Meng <cickumqt@xxxxxxxxx> ---
Hi,

The license check shows this package is a mix of 2-clause and 3-clause BSD licensed code. I
found that there shouldn't be any problem if the uthash library is not
bundled.

BSD (2 clause)
--------------
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/mosquitto-1.1.3/src/uthash.h

This package bundles the uthash library; I just packaged it in June, so please
unbundle it.

===============

Another problem is in its code, as the warning said:

mosquitto.i686: E: missing-call-to-setgroups /usr/sbin/mosquitto

This error output has been renamed to missing-call-to-setgroups-before-setuid;
the new name will be available in the next version.

And the explanation is:

This executable is calling setuid and setgid without setgroups or initgroups.
There is a high probability this means it didn't relinquish all groups, and this
would be a potential security issue to be fixed. Seek POS36-C on the web for
details about the problem.

Ref POS36-C:

https://www.securecoding.cert.org/confluence/display/seccode/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges

So consider an upstream fix.

=======
Other issues:

mosquitto.i686: W: unused-direct-shlib-dependency /usr/lib/libmosquittopp.so.1.1.3 /lib/libssl.so.10
mosquitto.i686: W: unused-direct-shlib-dependency /usr/lib/libmosquittopp.so.1.1.3 /lib/libcrypto.so.10
mosquitto.i686: W: unused-direct-shlib-dependency /usr/lib/libmosquittopp.so.1.1.3 /lib/libpthread.so.0
mosquitto.i686: W: unused-direct-shlib-dependency /usr/lib/libmosquittopp.so.1.1.3 /lib/libm.so.6
mosquitto.i686: W: unused-direct-shlib-dependency /usr/lib/libmosquittopp.so.1.1.3 /lib/libgcc_s.so.1

Please see http://fedoraproject.org/wiki/Common_Rpmlint_issues and fix.

_______________________________________________
package-review mailing list
package-review@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/package-review
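The missing-call-to-setgroups-before-setuid finding above is about the order in which a daemon that starts as root gives up its identity. The following is an added example written for this page; it is not mosquitto's code and not taken from the bug. It shows the incomplete drop that rpmlint flags (setgid and setuid only, so any supplementary groups root held survive in the "unprivileged" process) next to the POS36-C order: setgroups (or initgroups) first, because only root may change the supplementary list, then setgid, then setuid, each call checked, then a verification that root cannot be regained. The target ids 65534:65534 are chosen for the example, and the function-pointer table with a recorder is harness scaffolding so the call order can be exercised without running as root; the real drop happens only when main() finds itself running as root.

```c
/* Privilege drop in the order POS36-C requires, beside the incomplete form
 * that rpmlint's missing-call-to-setgroups-before-setuid warns about.
 * Build: cc -Wall -o privdrop privdrop.c ; run as root to see a real drop. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* The three calls go through a table so the ORDER of the calls can be
 * exercised by a recorder without being root. Default: the real libc calls. */
struct priv_ops {
    int (*setgroups)(size_t, const gid_t *);
    int (*setgid)(gid_t);
    int (*setuid)(uid_t);
};
static const struct priv_ops libc_ops = { setgroups, setgid, setuid };

/* INCOMPLETE (the pattern rpmlint flags): uid and primary gid change, but every
 * supplementary group root held (wheel, disk, ...) survives in the new process. */
static int drop_privileges_incomplete(const struct priv_ops *ops, uid_t uid, gid_t gid)
{
    if (ops->setgid(gid) != 0) return -1;
    if (ops->setuid(uid) != 0) return -1;
    return 0;
}

/* POS36-C order: supplementary groups first (only root may change them, so this
 * must precede setuid), then primary gid, then uid, then verify that root cannot
 * be regained. Every call is checked; a caller must treat -1 as fatal. */
static int drop_privileges(const struct priv_ops *ops, uid_t uid, gid_t gid)
{
    if (ops->setgroups(0, NULL) != 0) return -1;     /* or initgroups(user, gid) */
    if (ops->setgid(gid) != 0) return -1;
    if (ops->setuid(uid) != 0) return -1;
    if (uid != 0 && ops->setuid(0) != -1) return -1; /* regaining root must FAIL */
    return 0;
}

/* Recorder harness: logs the call sequence and "succeeds" at everything except
 * regaining root, so the two routines can be compared unprivileged. */
static char trace[128];
static void rec(const char *s) { strncat(trace, s, sizeof trace - strlen(trace) - 1); }
static int rec_setgroups(size_t n, const gid_t *g) { (void)n; (void)g; rec("setgroups;"); return 0; }
static int rec_setgid(gid_t g) { (void)g; rec("setgid;"); return 0; }
static int rec_setuid(uid_t u) { rec(u == 0 ? "setuid(0);" : "setuid;"); return u == 0 ? -1 : 0; }
static const struct priv_ops rec_ops = { rec_setgroups, rec_setgid, rec_setuid };

/* Runs a drop routine against the recorder and returns the recorded sequence. */
static const char *trace_of(int (*drop)(const struct priv_ops *, uid_t, gid_t))
{
    trace[0] = '\0';
    drop(&rec_ops, 65534, 65534); /* nobody-style ids, chosen for the example */
    return trace;
}

/* Returns 1 if the running process holds no supplementary group other than gid. */
static int only_group_is(gid_t gid)
{
    gid_t list[256];
    int n = getgroups(256, list);
    if (n < 0) return 0;
    for (int i = 0; i < n; i++)
        if (list[i] != gid) return 0;
    return 1;
}

int main(void)
{
    printf("incomplete: %s\n", trace_of(drop_privileges_incomplete));
    printf("POS36-C:    %s\n", trace_of(drop_privileges));
    if (geteuid() == 0) {
        uid_t uid = 65534; gid_t gid = 65534;
        if (drop_privileges(&libc_ops, uid, gid) != 0) { perror("drop_privileges"); return 1; }
        printf("dropped to %u:%u, supplementary groups clean: %s\n",
               (unsigned)getuid(), (unsigned)getgid(), only_group_is(gid) ? "yes" : "no");
    }
    return 0;
}
```

The recorder only proves the order of calls; the real check is the block run as root, where only_group_is() should report a clean list afterwards. What rpmlint itself inspects is the binary's imported symbols (setuid/setgid present, setgroups/initgroups absent), so after an upstream fix the daemon should import setgroups or initgroups and the warning disappears.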