[Bug 2182151] Review Request: ktls-utils - TLS Handshake agent for kernel sockets

https://bugzilla.redhat.com/show_bug.cgi?id=2182151



--- Comment #17 from Petr Pisar <ppisar@xxxxxxxxxx> ---
URL is Ok.

FIX: Source0 address is broken:

$ spectool -g   ../SPECS/ktls-utils.spec 
Downloading:
https://github.com/oracle/ktls-utils/archive/v0.8/ktls-utils-0.8.tar.gz
[...]
HTTP request sent, awaiting response... 404 Not Found
2023-04-24 16:13:23 ERROR 404: Not Found.

The address advertised by upstream is
<https://github.com/oracle/ktls-utils/releases/download/ktls-utils-0.8/ktls-utils-0.8.tar.gz>.
I don't know whether it's because of a git tag being "v0.8" while the release
archive is just "0.8" without "v", or it's a bug in the %forgemeta macro. If you do
not want to debug it, I recommend specifying the Source0 address manually like
this:

Source0: %{forgeurl}/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz

Source0 archive (SHA-512:
027824a8ffb42bf8b39ce8d8a83f8f3d0c3d2e6cd0c2867f622e04ce914f578767ce7803617fe922c44a5fb5e69636efc6c0fc1726be1a3852b41cb6ad7579eb)
is original. Ok.
Summary is Ok.
Description verified in README. Ok.

GPL-2.0-only license verified from configure.ac, autogen.sh, LICENSE.txt,
src/tlshd/handshake.c, src/tlshd/config.c, src/tlshd/ktls.c,
src/tlshd/tlshd.man, src/tlshd/main.c, src/tlshd/log.c,
src/tlshd/tlshd.conf.man, src/tlshd/tlshd.conf, src/tlshd/netlink.c,
src/tlshd/server.c, src/tlshd/client.c, src/tlshd/keyring.c, src/tlshd/tlshd.h,
COPYING (a duplicate of LICENSE.txt).

FIX: These licenses are missing from the License tag:
GPL-2.0-only OR BSD-3-Clause: src/tlshd/netlink.h (Fedora ignores
Linux-syscall-note "exception"
<https://gitlab.com/fedora/legal/fedora-license-data/-/issues/198>).
GPL-1.0-or-later: README.md.
TODO: I believe a license declaration in README.md ("Released under the GNU
GENERAL PUBLIC LICENSE") is an upstream omission and that they rather
intended "GNU GENERAL PUBLIC LICENSE version 2" there. Please report it to
them.

Licenses of nonpackaged files:
FSFAP: INSTALL
FSFUL: configure
FSFULLRWD AND GPL-2.0-only: Makefile.in, src/Makefile.in,
src/tlshd/Makefile.in, systemd/Makefile.in
FSFULLR AND FSFULLRWD AND GPL-2.0-or-later WITH Autoconf-exception-generic:
aclocal.m4
GPL-1.0-or-later: README
GPL-2.0-only: Makefile.am, src/Makefile.am, src/tlshd/Makefile.am,
systemd/Makefile.am
GPL-2.0-or-later WITH Autoconf-exception-generic: compile, depcomp, missing
X11: install-sh

FIX: Build-require 'bash' (autogen.sh:1).
TODO: Constrain 'autoconf' build dependency with '>= 2.69' (configure.ac:20).
FIX: Build-require 'pkgconf-pkg-config >= 0.9.0' (configure.ac:49).
TODO: Build-require 'pkgconfig(gnutls) >= 3.3.0' instead of 'gnutls-devel'
(configure.ac:50). In Fedora we prefer depending on pkg-config modules over
devel subpackages
<https://docs.fedoraproject.org/en-US/packaging-guidelines/PkgConfigBuildRequires/>.
TODO: Build-require 'pkgconfig(libkeyutils)' instead of 'keyutils-libs-devel'
(configure.ac:53).
TODO: Build-require 'pkgconfig(glib-2.0) >= 2.6' instead of 'glib2-devel'
(configure.ac:56).
TODO: Build-require 'pkgconfig(libnl-3.0) >= 3.1' instead of 'libnl3-devel'
(configure.ac:59).
FIX: Build-require 'coreutils' (systemd/Makefile.am:28).

No tests, no %check section. Ok.

TODO: Package AUTHORS and ChangeLog files with %doc macro.

Systemd unit file, including the disabled default dependencies, is Ok.

$ rpmlint ktls-utils.spec ../SRPMS/ktls-utils-0.8-1.fc39.src.rpm ../RPMS/x86_64/ktls-utils-*
======================================== rpmlint session starts =======================================
rpmlint: 2.4.0
configuration:
    /usr/lib/python3.11/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora-legacy-licenses.toml
    /etc/xdg/rpmlint/fedora-spdx-licenses.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
checks: 31, packages: 5

ktls-utils.x86_64: W: crypto-policy-non-compliance-gnutls-1 /usr/sbin/tlshd gnutls_priority_set_direct
========= 4 packages and 1 specfiles checked; 0 errors, 1 warnings, 0 badness; has taken 0.3 s ========

FIX: The daemon does not respect distribution-wide crypto policies. It enables
algorithms in tlshd_make_priorities_string() based on what Linux supported at
build time of this package. Ideally the daemon should consult crypto policy
<https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/> and
only enable a disjunction of what Linux offers and what user-space crypto
policy mandates. Please contact <security@xxxxxxxxxxxxxxxxxxxxxxx> for help.
There is a possibility that Linux already does that in another way. Please get a
crypto review from the security team on that mailing list.

The package builds in Fedora 39
(https://koji.fedoraproject.org/koji/taskinfo?taskID=100344410). Ok.

$ rpm -q -lv -p ../RPMS/x86_64/ktls-utils-0.8-1.fc39.x86_64.rpm
-rw-r--r--    1 root     root                     1016 Apr  5 17:24 /etc/tlshd.conf
drwxr-xr-x    2 root     root                        0 Apr 24 02:00 /usr/lib/.build-id
drwxr-xr-x    2 root     root                        0 Apr 24 02:00 /usr/lib/.build-id/d8
lrwxrwxrwx    1 root     root                       26 Apr 24 02:00 /usr/lib/.build-id/d8/09e2707e2a4a7eb2335e8e605f7e05f9402d7a -> ../../../../usr/sbin/tlshd
-rw-r--r--    1 root     root                      226 Apr 24 02:00 /usr/lib/systemd/system/tlshd.service
-rwxr-xr-x    1 root     root                    50440 Apr 24 02:00 /usr/sbin/tlshd
drwxr-xr-x    2 root     root                        0 Apr 24 02:00 /usr/share/doc/ktls-utils
-rw-r--r--    1 root     root                     2140 Apr  5 17:24 /usr/share/doc/ktls-utils/README.md
-rw-r--r--    1 root     root                     1742 Apr  5 17:24 /usr/share/doc/ktls-utils/SECURITY.md
drwxr-xr-x    2 root     root                        0 Apr 24 02:00 /usr/share/licenses/ktls-utils
-rw-r--r--    1 root     root                    17994 Apr  5 17:24 /usr/share/licenses/ktls-utils/COPYING
-rw-r--r--    1 root     root                     1420 Apr  5 17:24 /usr/share/man/man5/tlshd.conf.5.gz
-rw-r--r--    1 root     root                     1387 Apr  5 17:24 /usr/share/man/man8/tlshd.8.gz
File layout and permissions are Ok.

$ rpm -q --requires -p ../RPMS/x86_64/ktls-utils-0.8-1.fc39.x86_64.rpm | sort -f | uniq -c
      3 /bin/sh
      1 config(ktls-utils) = 0.8-1.fc39
      1 libc.so.6()(64bit)
      1 libc.so.6(GLIBC_2.2.5)(64bit)
      1 libc.so.6(GLIBC_2.3.4)(64bit)
      1 libc.so.6(GLIBC_2.33)(64bit)
      1 libc.so.6(GLIBC_2.34)(64bit)
      1 libc.so.6(GLIBC_2.4)(64bit)
      1 libglib-2.0.so.0()(64bit)
      1 libgnutls.so.30()(64bit)
      1 libgnutls.so.30(GNUTLS_3_4)(64bit)
      1 libgnutls.so.30(GNUTLS_3_6_9)(64bit)
      1 libgnutls.so.30(GNUTLS_3_7_3)(64bit)
      1 libkeyutils.so.1()(64bit)
      1 libkeyutils.so.1(KEYUTILS_0.3)(64bit)
      1 libkeyutils.so.1(KEYUTILS_1.5)(64bit)
      1 libnl-3.so.200()(64bit)
      1 libnl-3.so.200(libnl_3)(64bit)
      1 libnl-genl-3.so.200()(64bit)
      1 libnl-genl-3.so.200(libnl_3)(64bit)
      1 rpmlib(CompressedFileNames) <= 3.0.4-1
      1 rpmlib(FileDigests) <= 4.6.0-1
      1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1
      1 rpmlib(PayloadIsZstd) <= 5.4.18-1
      1 rtld(GNU_HASH)
Binary requires are Ok.

$ rpm -q --provides -p ../RPMS/x86_64/ktls-utils-0.8-1.fc39.x86_64.rpm | sort -f | uniq -c
      1 config(ktls-utils) = 0.8-1.fc39
      1 ktls-utils = 0.8-1.fc39
      1 ktls-utils(x86-64) = 0.8-1.fc39
Binary provides are Ok.

$ resolvedeps rawhide ../RPMS/x86_64/ktls-utils-0.8-1.fc39.x86_64.rpm 
Binary dependencies are resolvable. Ok.

Otherwise, this package is in line with Fedora packaging guidelines.
Please correct all FIX items, consider fixing TODO items, and provide an
updated spec file.
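
The rpmlint warning quoted in the review names a symbol imported by /usr/sbin/tlshd; the following is an added example (not part of the review, rpmlint or ktls-utils) that checks a binary's dynamic imports for GnuTLS calls accepting a caller-built priority string. The function names, the constructed `nm` sample, and the inclusion of `gnutls_priority_init` beside the symbol from the warning are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag GnuTLS imports that take an application-supplied
# priority string, which is the pattern the rpmlint warning points at.

# Constructed sample of `nm -D --undefined-only <binary>` output
# (illustrative lines, not captured from the real package).
SAMPLE_NM='                 U gnutls_handshake@GNUTLS_3_4
                 U gnutls_priority_set_direct@GNUTLS_3_4
                 U gnutls_init@GNUTLS_3_4
                 w __gmon_start__
                 U keyctl_read_alloc@KEYUTILS_0.3'

# Read nm output on stdin; print the matching imported symbols, one per
# line, with symbol-version suffixes such as @GNUTLS_3_4 removed.
priority_imports() {
    awk '($1 == "U" || $1 == "w") {
             sub(/@.*/, "", $2)
             if ($2 == "gnutls_priority_set_direct" ||
                 $2 == "gnutls_priority_init")
                 print $2
         }' | sort -u
}

# Classify one nm listing read from stdin:
#   "review: <symbols>" if a priority-string call is imported, else "ok".
classify_imports() {
    hits=$(priority_imports)
    if [ -n "$hits" ]; then
        printf 'review: %s\n' "$(printf '%s' "$hits" | tr '\n' ' ')"
    else
        echo ok
    fi
}

# Audit a real ELF file (requires nm from binutils).
audit_binary() {
    nm -D --undefined-only "$1" 2>/dev/null | classify_imports
}
```

A "review" result only says the binary can set its own priority string; whether that string defers to the system policy still has to be read from the source.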

