https://bugzilla.redhat.com/show_bug.cgi?id=2047943

--- Comment #5 from Chris Rapier <rapier@xxxxxxx> ---
(In reply to Jerry James from comment #4)
> https://bugzilla.redhat.com/show_bug.cgi?id=2047943
>
> Jerry James <loganjerry@xxxxxxxxx> changed:
>
>            What    |Removed                     |Added
> ----------------------------------------------------------------------------
>                  CC|                            |loganjerry@xxxxxxxxx
>
>
>
> --- Comment #4 from Jerry James <loganjerry@xxxxxxxxx> ---
> Welcome to Fedora, Chris. Here is my review of this package.
>
> Package Review
> ==============
>
> Legend:
> [x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated
>
> Issues:
> =======
> I realize that you inherited many of these issues from the Fedora openssh
> spec file, but I'm reporting them anyway as a conscientious reviewer.

Which is a good thing.

> First the automatically generated issues:
>
> - systemd_post is invoked in %post, systemd_preun in %preun, and
>   systemd_postun in %postun for Systemd service files.
>   Note: Systemd service file(s) in hpnssh-server
>   See: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_scriptlets
> - systemd_user_post is invoked in %post and systemd_user_preun in %preun
>   for Systemd user units service files.
>   Note: Systemd user unit service file(s) in hpnssh-clients
>   See: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_user_units
>
> And now my comments:
>
> - There is already a package named pam_ssh_agent_auth. You cannot reuse this
>   name. Either rename it or, if it does not need to be different from the
>   openssh version, suppress it. If you rename the package, we also have to be
>   sure the two packages can be installed in parallel.

Ugh. Okay, I'll look into that. My guess is that it needs to be renamed as I need to patch the pam_ssh_agent_auth to build against pthreads. I'll verify to see if that's actually true or a holdover from an earlier build attempt.
Stupidly I forgot to make notes about that when I did that back in 2020.

> - There is already a directory named /usr/libexec/openssh, owned by the openssh
>   package. Is it right to add the hpnssh files there, or should it use
>   /usr/libexec/hpnssh?

Actually, it makes sense to rename that. The only thing in there is the sftp-server and I've already renamed that. I can move the install location and update the path.

> - Dependencies between the main package and subpackages should include %{?_isa}
>   when the packages are both archful. In the clients subpackage, for example,
>   the dependency on the main package should look like this:
>
>   Requires: %{name}%{?_isa} = %{version}-%{release}
>
>   See:
>   https://docs.fedoraproject.org/en-US/packaging-guidelines/#_requiring_base_package

Okay, I was following the openssh package on that. I'll review the documentation and update to match best practices.

> - Are Source0 and Source1 downloadable from somewhere? If so, please change
>   both of those to full URLs.

Not at this time but I think I can swing that through work.

> - Since the main package has License: BSD, there is no point repeating that in
>   the pam_ssh_agent_auth subpackage.

Again, taken from the openssh package. I can remove that.

> - Speaking of the license, there are other licenses besides BSD at play here:
>   Beerware: md5crypt.{c,h}
>   Public domain: rijndael.{c,h}
>   ISC: addr.{c,h}, addrmatch.c, auth-options.{c,h}, bitmatp.{c,h}, etc.
>

Yeah, the source code is a mishmash of a bunch of different licenses and I can't normalize them onto a single license. Is that a problem?

> - There is a macro for doing GPG verification. The first line in %prep should
>   be:
>
>   %{gpgverify} --keyring='%{SOURCE3}' --signature='%{SOURCE1}'
>   --data='%{SOURCE0}'

I'll get that resolved. More cruft from the openssh package. Which probably doesn't surprise you.
> https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures
>
> - The openssh spec file has switched from gtk2 to gtk3. Should that change
>   be made to hpnssh as well?

Yup. When I started this they were still using gtk2 and I didn't check if that had changed in newer versions of openssh.

> - The comment on line 468 of the spec file is a bit puzzling. RPM does handle
>   nested %if statements.

More from the openssh package. I can resolve that if you think it is important.

> - The first line of %install should be removed. See the 3rd bullet here:
>   https://docs.fedoraproject.org/en-US/packaging-guidelines/#_tags_and_sections
>
> - Nearly all of the %attr directives in the %files are unnecessary. See
>   https://docs.fedoraproject.org/en-US/packaging-guidelines/#_file_permissions
>
> - The mechanisms used to create users and groups have changed. See
>   https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/
>
> - The most recent changelog entry has an incorrect version number. Instead of
>   8.8p1-2, it should be 8.8p1_hpn16v1-2.
>
> - See the rpmlint output below for a few other minor issues.

And again, the perils of building on someone else's work when you aren't entirely sure of what you are doing. I think I can resolve these issues. I'll also work on cleaning up as much as I can in the lint output.

> ===== MUST items =====
>
> C/C++:
> [x]: Package does not contain kernel modules.
> [x]: Package contains no static executables.
> [x]: Development (unversioned) .so files in -devel subpackage, if present.
>      Note: Unversioned so-files in private %_libdir subdirectory (see
>      attachment). Verify they are not in ld path.
> [x]: If your application is a C or C++ application you must list a
>      BuildRequires against gcc, gcc-c++ or clang.
> [x]: Header files in -devel subpackage, if present.
> [x]: Package does not contain any libtool archives (.la)
> [x]: Rpath absent or only used for internal libs.
>
> Generic:
> [x]: Package is licensed with an open-source compatible license and meets
>      other legal requirements as defined in the legal section of Packaging
>      Guidelines.
> [!]: License field in the package spec file matches the actual license.
>      Note: Checking patched sources after %prep for licenses. Licenses
>      found: "Unknown or generated", "ISC License", "BSD 2-Clause License",
>      "ISC License BSD 2-Clause License", "GNU General Public License v3.0
>      or later", "X11 License [generated file]", "*No copyright* Beerware
>      License", "*No copyright* Public domain", "BSD 3-Clause License BSD
>      2-Clause License", "BSD 3-Clause License", "BSD 4-Clause License",
>      "BSD 2-clause NetBSD License BSD 2-Clause License", "ISC License BSD
>      3-Clause License", "ISC License BSD 2-clause NetBSD License BSD
>      2-Clause License", "SSLeay", "MIT License", "OpenSSL License", "GNU
>      General Public License v2.0 or later [generated file]", "FSF Unlimited
>      License [generated file]", "BSD 2-Clause with views sentence",
>      "Historical Permission Notice and Disclaimer - sell variant [generated
>      file]", "curl License", "BSD 2-Clause with views sentence GNU General
>      Public License". 577 files have unknown license. Detailed output of
>      licensecheck in /home/jamesjer/2/review-hpnssh/licensecheck.txt
> [x]: License file installed when any subpackage combination is installed.
> [x]: Package must own all directories that it creates.
>      Note: Directories without known owners: /usr/lib/systemd/user,
>      /usr/lib/systemd, /usr/lib64/security, /etc/profile.d, /etc/pam.d
> [!]: Package does not own files or directories owned by other packages.
>      Note: Dirs in package are owned also by: /usr/libexec/openssh(openssh,
>      x11-ssh-askpass)
> [x]: %build honors applicable compiler flags or justifies otherwise.
> [x]: Package contains no bundled libraries without FPC exception.
> [x]: Changelog in prescribed format.
> [!]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
>      beginning of %install.
>      Note: rm -rf %{buildroot} present but not required
> [x]: Sources contain only permissible code or content.
> [-]: Package contains desktop file if it is a GUI application.
> [-]: Development files must be in a -devel package
> [x]: Package uses nothing in %doc for runtime.
> [x]: Package consistently uses macros (instead of hard-coded directory
>      names).
> [x]: Package is named according to the Package Naming Guidelines.
> [!]: Package does not generate any conflict.
> [x]: Package obeys FHS, except libexecdir and /usr/target.
> [-]: If the package is a rename of another package, proper Obsoletes and
>      Provides are present.
> [x]: Requires correct, justified where necessary.
> [x]: Spec file is legible and written in American English.
> [x]: Package contains systemd file(s) if in need.
> [x]: Useful -debuginfo package or justification otherwise.
> [x]: Package is not known to require an ExcludeArch tag.
> [x]: Large documentation must go in a -doc subpackage. Large could be size
>      (~1MB) or number of files.
>      Note: Documentation size is 143360 bytes in 19 files.
> [x]: Package complies to the Packaging Guidelines
> [x]: Package successfully compiles and builds into binary rpms on at least
>      one supported primary architecture.
> [x]: Package installs properly.
> [x]: Rpmlint is run on all rpms the build produces.
>      Note: There are rpmlint messages (see attachment).
> [x]: If (and only if) the source package includes the text of the
>      license(s) in its own file, then that file, containing the text of the
>      license(s) for the package is included in %license.
> [x]: Package requires other packages for directories it uses.
> [x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
> [x]: Macros in Summary, %description expandable at SRPM build time.
> [x]: Dist tag is present.
>      Note: Multiple Release: tags found
> [x]: Package does not contain duplicates in %files.
> [x]: Permissions on files are set properly.
> [x]: Package must not depend on deprecated() packages.
> [x]: Package use %makeinstall only when make install DESTDIR=... doesn't
>      work.
> [x]: Package is named using only allowed ASCII characters.
> [x]: Package does not use a name that already exists.
> [x]: Package is not relocatable.
> [x]: Sources used to build the package match the upstream source, as
>      provided in the spec URL.
> [x]: Spec file name must match the spec package %{name}, in the format
>      %{name}.spec.
> [x]: File names are valid UTF-8.
> [x]: Packages must not store files under /srv, /opt or /usr/local
>
> ===== SHOULD items =====
>
> Generic:
> [!]: Uses parallel make %{?_smp_mflags} macro.
> [-]: If the source package does not include license text(s) as a separate
>      file from upstream, the packager SHOULD query upstream to include it.
> [x]: Final provides and requires are sane (see attachments).
> [!]: Fully versioned dependency in subpackages if applicable.
>      Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in
>      hpnssh-clients , hpnssh-server , hpnssh-keycat , hpnssh-askpass ,
>      pam_ssh_agent_auth
> [?]: Package functions as described.
> [x]: Latest version is packaged.
> [x]: Package does not include license text files separate from upstream.
> [x]: Patches link to upstream bugs/comments/lists or are otherwise
>      justified.
> [x]: Scriptlets must be sane, if used.
> [!]: SourceX tarball generation or download is documented.
>      Note: Package contains tarball without URL, check comments
> [x]: Sources are verified with gpgverify first in %prep if upstream
>      publishes signatures.
>      Note: gpgverify is not used.
> [-]: Description and summary sections in the package spec file contains
>      translations for supported Non-English languages, if available.
> [x]: Package should compile and build into binary rpms on all supported
>      architectures.
> [x]: %check is present and all tests pass.
> [x]: Packages should try to preserve timestamps of original installed
>      files.
> [x]: Reviewer should test that the package builds in mock.
> [x]: Buildroot is not present
> [x]: Package has no %clean section with rm -rf %{buildroot} (or
>      $RPM_BUILD_ROOT)
> [x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
> [x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
> [x]: Sources can be downloaded from URI in Source: tag
> [x]: SourceX is a working URL.
> [x]: Spec use %global instead of %define unless justified.
>
> ===== EXTRA items =====
>
> Generic:
> [x]: Rpmlint is run on debuginfo package(s).
>      Note: There are rpmlint messages (see attachment).
> [x]: Rpmlint is run on all installed packages.
>      Note: There are rpmlint messages (see attachment).
> [x]: Large data in /usr/share should live in a noarch subpackage if package
>      is arched.
> [x]: Package should not use obsolete m4 macros
> [x]: Spec file according to URL is the same as in SRPM.
>
>
> Rpmlint
> -------
> ================================================ rpmlint session starts ================================================
> rpmlint: 2.2.0
> configuration:
>     /usr/lib/python3.10/site-packages/rpmlint/configdefaults.toml
>     /etc/xdg/rpmlint/fedora.toml
>     /etc/xdg/rpmlint/licenses.toml
>     /etc/xdg/rpmlint/scoring.toml
>     /etc/xdg/rpmlint/users-groups.toml
>     /etc/xdg/rpmlint/warn-on-functions.toml
> checks: 32, packages: 7
>
> hpnssh.x86_64: E: setgid-binary /usr/libexec/openssh/hpnssh-keysign ssh_keys 2555
> pam_ssh_agent_auth.x86_64: E: pam-unauthorized-module pam_ssh_agent_auth.so
> hpnssh.x86_64: W: non-standard-gid /usr/libexec/openssh/hpnssh-keysign ssh_keys
> hpnssh.x86_64: E: non-standard-executable-perm /usr/libexec/openssh/hpnssh-keysign 2555
> hpnssh.x86_64: E: non-standard-executable-perm /usr/libexec/openssh/hpnssh-keysign 2555
> hpnssh-server.x86_64: E: non-standard-dir-perm /usr/share/empty.hpnsshd 711
> hpnssh-server.x86_64: E: non-readable /etc/hpnssh/sshd_config 600
> hpnssh-server.x86_64: E: non-readable /etc/hpnssh/sshd_config.d/50-redhat.conf 600
> hpnssh-server.x86_64: E: non-readable /etc/sysconfig/hpnsshd 640
> hpnssh-askpass.x86_64: W: non-conffile-in-etc /etc/profile.d/gnome-hpnssh-askpass.csh
> hpnssh-askpass.x86_64: W: non-conffile-in-etc /etc/profile.d/gnome-hpnssh-askpass.sh
> hpnssh-askpass.x86_64: W: no-documentation
> hpnssh.spec:584: W: mixed-use-of-spaces-and-tabs (spaces: line 584, tab: line 416)
> hpnssh.spec: W: invalid-url Source1: hpnssh-8.8p1_hpn16v1.tar.gz.asc
> hpnssh.spec: W: invalid-url Source0: hpnssh-8.8p1_hpn16v1.tar.gz
> hpnssh.x86_64: W: incoherent-version-in-changelog 8.8p1-2 ['8.8p1_hpn16v1-2.fc36', '8.8p1_hpn16v1-2']
> hpnssh-server.x86_64: W: dangerous-command-in-%post rm
> hpnssh-server.x86_64: W: binary-or-shlib-calls-gethostbyname /usr/sbin/hpnsshd
> ================ 7 packages and 0 specfiles checked; 8 errors, 10 warnings, 8 badness; has taken 19.3 s ================
>
>
> Rpmlint (installed packages)
> ----------------------------
> ================================================ rpmlint session starts ================================================
> rpmlint: 2.2.0
> configuration:
>     /usr/lib/python3.10/site-packages/rpmlint/configdefaults.toml
>     /etc/xdg/rpmlint/fedora.toml
>     /etc/xdg/rpmlint/licenses.toml
>     /etc/xdg/rpmlint/scoring.toml
>     /etc/xdg/rpmlint/users-groups.toml
>     /etc/xdg/rpmlint/warn-on-functions.toml
> checks: 32, packages: 6
>
> hpnssh.x86_64: E: setgid-binary /usr/libexec/openssh/hpnssh-keysign ssh_keys 2555
> pam_ssh_agent_auth.x86_64: E: pam-unauthorized-module pam_ssh_agent_auth.so
> hpnssh.x86_64: W: non-standard-gid /usr/libexec/openssh/hpnssh-keysign ssh_keys
> hpnssh.x86_64: E: non-standard-executable-perm /usr/libexec/openssh/hpnssh-keysign 2555
> hpnssh.x86_64: E: non-standard-executable-perm /usr/libexec/openssh/hpnssh-keysign 2555
> hpnssh-server.x86_64: E: non-standard-dir-perm /usr/share/empty.hpnsshd 711
> hpnssh-server.x86_64: E: non-readable /etc/hpnssh/sshd_config 600
> hpnssh-server.x86_64: E: non-readable /etc/hpnssh/sshd_config.d/50-redhat.conf 600
> hpnssh-server.x86_64: E: non-readable /etc/sysconfig/hpnsshd 640
> hpnssh-askpass.x86_64: W: non-conffile-in-etc /etc/profile.d/gnome-hpnssh-askpass.csh
> hpnssh-askpass.x86_64: W: non-conffile-in-etc /etc/profile.d/gnome-hpnssh-askpass.sh
> hpnssh-askpass.x86_64: W: no-documentation
> hpnssh.x86_64: W: incoherent-version-in-changelog 8.8p1-2 ['8.8p1_hpn16v1-2.fc36', '8.8p1_hpn16v1-2']
> hpnssh-server.x86_64: W: dangerous-command-in-%post rm
> hpnssh-server.x86_64: W: binary-or-shlib-calls-gethostbyname /usr/sbin/hpnsshd
> ================= 6 packages and 0 specfiles checked; 8 errors, 7 warnings, 8 badness; has taken 0.8 s =================
>
>
> Unversioned so-files
> --------------------
> pam_ssh_agent_auth: /usr/lib64/security/pam_ssh_agent_auth.so
>
> Source checksums
> ----------------
> https://github.com/jbeverly/pam_ssh_agent_auth/archive/pam_ssh_agent_auth-0.10.4.tar.gz :
>   CHECKSUM(SHA256) this package     : 9d440de6627940c09eadc342cc7d8bc9823654fd1a2be11c4f5820dd073054e0
>   CHECKSUM(SHA256) upstream package : 9d440de6627940c09eadc342cc7d8bc9823654fd1a2be11c4f5820dd073054e0
>
>
> Requires
> --------
> hpnssh (rpmlib, GLIBC filtered):
>     /bin/sh
>     /sbin/nologin
>     audit-libs
>     config(hpnssh)
>     libc.so.6()(64bit)
>     libcrypto.so.3()(64bit)
>     libcrypto.so.3(OPENSSL_3.0.0)(64bit)
>     libselinux
>     libselinux.so.1()(64bit)
>     libselinux.so.1(LIBSELINUX_1.0)(64bit)
>     libz.so.1()(64bit)
>     rtld(GNU_HASH)
>
> hpnssh-clients (rpmlib, GLIBC filtered):
>     /bin/sh
>     /usr/bin/sh
>     config(hpnssh-clients)
>     crypto-policies
>     hpnssh
>     libc.so.6()(64bit)
>     libcrypto.so.3()(64bit)
>     libcrypto.so.3(OPENSSL_3.0.0)(64bit)
>     libedit.so.0()(64bit)
>     libfido2.so.1()(64bit)
>     libgcc_s.so.1()(64bit)
>     libgcc_s.so.1(GCC_3.0)(64bit)
>     libgcc_s.so.1(GCC_3.3.1)(64bit)
>     libgssapi_krb5.so.2()(64bit)
>     libgssapi_krb5.so.2(gssapi_krb5_2_MIT)(64bit)
>     libselinux.so.1()(64bit)
>     libselinux.so.1(LIBSELINUX_1.0)(64bit)
>     libz.so.1()(64bit)
>     rtld(GNU_HASH)
>
> hpnssh-server (rpmlib, GLIBC filtered):
>     /bin/sh
>     /usr/bin/bash
>     /usr/sbin/useradd
>     config(hpnssh-server)
>     crypto-policies
>     hpnssh
>     libaudit.so.1()(64bit)
>     libc.so.6()(64bit)
>     libcom_err.so.2()(64bit)
>     libcrypt.so.2()(64bit)
>     libcrypt.so.2(XCRYPT_2.0)(64bit)
>     libcrypto.so.3()(64bit)
>     libcrypto.so.3(OPENSSL_3.0.0)(64bit)
>     libgcc_s.so.1()(64bit)
>     libgcc_s.so.1(GCC_3.0)(64bit)
>     libgcc_s.so.1(GCC_3.3.1)(64bit)
>     libgssapi_krb5.so.2()(64bit)
>     libgssapi_krb5.so.2(gssapi_krb5_2_MIT)(64bit)
>     libkrb5.so.3()(64bit)
>     libkrb5.so.3(krb5_3_MIT)(64bit)
>     libpam.so.0()(64bit)
>     libpam.so.0(LIBPAM_1.0)(64bit)
>     libselinux.so.1()(64bit)
>     libselinux.so.1(LIBSELINUX_1.0)(64bit)
>     libsystemd.so.0()(64bit)
>     libsystemd.so.0(LIBSYSTEMD_209)(64bit)
>     libz.so.1()(64bit)
>     pam
>     rtld(GNU_HASH)
>     systemd
>
> hpnssh-keycat (rpmlib, GLIBC filtered):
>     config(hpnssh-keycat)
>     hpnssh
>     libc.so.6()(64bit)
>     libpam.so.0()(64bit)
>     libpam.so.0(LIBPAM_1.0)(64bit)
>     rtld(GNU_HASH)
>
> hpnssh-askpass (rpmlib, GLIBC filtered):
>     hpnssh
>     libX11.so.6()(64bit)
>     libc.so.6()(64bit)
>     libgdk-x11-2.0.so.0()(64bit)
>     libglib-2.0.so.0()(64bit)
>     libgobject-2.0.so.0()(64bit)
>     libgtk-x11-2.0.so.0()(64bit)
>     rtld(GNU_HASH)
>
> pam_ssh_agent_auth (rpmlib, GLIBC filtered):
>     libc.so.6()(64bit)
>     libcrypto.so.3()(64bit)
>     libcrypto.so.3(OPENSSL_3.0.0)(64bit)
>     libpam.so.0()(64bit)
>     libpam.so.0(LIBPAM_1.0)(64bit)
>     rtld(GNU_HASH)
>
> hpnssh-debuginfo (rpmlib, GLIBC filtered):
>
> hpnssh-debugsource (rpmlib, GLIBC filtered):
>
>
>
> Provides
> --------
> hpnssh:
>     config(hpnssh)
>     hpnssh
>     hpnssh(x86-64)
>
> hpnssh-clients:
>     config(hpnssh-clients)
>     hpnssh-clients
>     hpnssh-clients(x86-64)
>
> hpnssh-server:
>     config(hpnssh-server)
>     hpnssh-server
>     hpnssh-server(x86-64)
>
> hpnssh-keycat:
>     config(hpnssh-keycat)
>     hpnssh-keycat
>     hpnssh-keycat(x86-64)
>
> hpnssh-askpass:
>     hpnssh-askpass
>     hpnssh-askpass(x86-64)
>
> pam_ssh_agent_auth:
>     pam_ssh_agent_auth
>     pam_ssh_agent_auth(x86-64)
>
> hpnssh-debuginfo:
>     debuginfo(build-id)
>     hpnssh-debuginfo
>     hpnssh-debuginfo(x86-64)
>
> hpnssh-debugsource:
>     hpnssh-debugsource
>     hpnssh-debugsource(x86-64)
>
>
>
> Generated by fedora-review 0.7.6 (b083f91) last change: 2020-11-10
> Command line :/usr/bin/fedora-review -n hpnssh -m fedora-36-x86_64
> Buildroot used: fedora-36-x86_64
> Active plugins: C/C++, Generic, Shell-api
> Disabled plugins: Python, Ruby, Perl, R, Java, SugarActivity, Ocaml, PHP,
> fonts, Haskell
> Disabled flags: EPEL6, EPEL7, DISTTAG, BATCH, EXARCH
>