https://bugzilla.redhat.com/show_bug.cgi?id=2053822

Zbigniew Jędrzejewski-Szmek <zbyszek@xxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|nobody@xxxxxxxxxxxxxxxxx    |zbyszek@xxxxxxxxx
             Status|NEW                         |POST
              Flags|                            |fedora-review+

--- Comment #12 from Zbigniew Jędrzejewski-Szmek <zbyszek@xxxxxxxxx> ---
+ package name is OK
+ license is acceptable for Fedora (BSD-3-Clause)
+ license is specified correctly as SPDX
+ latest version
+ gpg signature is checked
+ builds and installs OK
+ build flags are passed to the build commands
+ BR/P/R look OK
+ appdata file is present
- %check is not present. Maybe add a test run to make sure that the
  executable works, e.g. just print '--help' output?

rpmlint:
feather.src: E: spelling-error ('Monero', 'Summary(en_US) Monero -> Moreno, Monroe, Monera')
feather.x86_64: E: spelling-error ('Monero', 'Summary(en_US) Monero -> Moreno, Monroe, Monera')
Obviously bogus.

feather.x86_64: W: no-manual-page-for-binary feather
feather.x86_64: W: no-documentation
True, but not a big issue.

feather.x86_64: W: crypto-policy-non-compliance-openssl /usr/bin/feather SSL_CTX_set_cipher_list
Hmm, this requires investigation.

feather-2.6.8/monero/contrib/epee/src/net_ssl.cpp
312: SSL_CTX_set_cipher_list(ssl_context.native_handle(), "ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256");

https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/ says:
> OpenSSL applications:
> If the application doesn’t have a configuration file, ensure that there is
> no default cipher list specified, or that the default list is set as
> "PROFILE=SYSTEM". That is, check the source code for
> SSL_CTX_set_cipher_list(). If it is not present then nothing needs to be
> done (the default is used). Otherwise, if that call is present and provided
> a fixed string which does not contain PSK or SRP, replace the string with
> "PROFILE=SYSTEM", or remove the call.

But also:
> Note however, that there are applications which intentionally set weaker,
> or custom settings on a purpose (e.g., postfix); those need not adhere to
> the policy. When in doubt, discuss with the Fedora crypto team.

Feather sets a *stronger* policy, clearly on purpose. I think this clearly
falls into the exception quoted above and doesn't need to be discussed with
the "Fedora crypto team".

Package is APPROVED.
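The source check that the quoted CryptoPolicies guideline describes, as an added example that is not part of the review message or of Fedora's tooling. The function name and verdict labels are hypothetical; sample line 1 is the call quoted in the review, and lines 2 to 4 are constructed. A "fixed-list" verdict is the case the guideline asks to replace or remove unless, as the review concludes for feather, the list is an intentional custom setting.

```python
import re

# Second argument of SSL_CTX_set_cipher_list(ctx, <arg>); (hypothetical helper regexes)
CALL_RE = re.compile(r'SSL_CTX_set_cipher_list\s*\(\s*[^,;]+,\s*(.*?)\)\s*;', re.S)
LITERAL_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

def classify_cipher_calls(source):
    """Return (line, verdict, argument) for every cipher-list call in C/C++ source."""
    findings = []
    for m in CALL_RE.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        arg = m.group(1).strip()
        parts = LITERAL_RE.findall(arg)
        # Anything left after removing string literals means a variable or call:
        # the value is only known at run time, so a human has to trace it.
        if not parts or LITERAL_RE.sub("", arg).strip():
            findings.append((line, "non-literal", arg))
            continue
        ciphers = "".join(parts)  # adjacent C string literals concatenate
        if ciphers == "PROFILE=SYSTEM":
            verdict = "compliant"      # defers to the system-wide policy
        elif re.search(r"PSK|SRP", ciphers):
            verdict = "psk-or-srp"     # guideline's replace rule does not apply
        else:
            verdict = "fixed-list"     # replace/remove, or document the exception
        findings.append((line, verdict, ciphers))
    return findings

# Line 1: the call quoted in the review. Lines 2-4: constructed for illustration.
SAMPLE = '''\
SSL_CTX_set_cipher_list(ssl_context.native_handle(), "ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256");
SSL_CTX_set_cipher_list(ctx, "PROFILE=SYSTEM");
SSL_CTX_set_cipher_list(ctx, "PSK-AES128-GCM-SHA256");
SSL_CTX_set_cipher_list(ctx, configured_ciphers.c_str());
'''

if __name__ == "__main__":
    for line, verdict, arg in classify_cipher_calls(SAMPLE):
        print(f"{line}: {verdict}: {arg[:60]}")
```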