On Wed, 2011-12-14 at 12:45 +0000, Paul Howarth wrote:
> On 12/14/2011 12:29 PM, Nelson Manuel Marques wrote:
> > Hi all
> > I want to submit lcm (Lightweight Communications and Marshaling) to
> > EPEL soon, but I'm currently struggling with a few issues found by
> > rpmlint (and probably more).
> > I was wondering if I could get some help before submitting the package
> > to fix 2 particular issues. The spec file and a sample SRPM file are
> > available here.
> > The current errors I'm struggling with are the following:
> > lcm.x86_64: W: dangerous-command-in-%post mv
> > lcm.x86_64: E: use-tmp-in-%post
> > lcm.x86_64: W: dangerous-command-in-%preun mv
> > lcm.x86_64: E: use-tmp-in-%preun
> > 1 packages and 0 specfiles checked; 2 errors, 2 warnings.
> > Any indications or help regarding these particular issues would be
> The scriptlets use predictable temporary filenames, which is a security
> vulnerability (see http://www.linuxsecurity.com/content/view/115462/151/
> for an explanation).
Thanks for this link, it's actually pretty useful, not only for this
situation but for others I foresee.
> Think carefully about whether it's actually necessary to edit
> /etc/sysctl.conf in %post/%postun; an alternative approach might be to
> document the required changes in a README.rpm file. It's hard to say as
> I don't know how important the suggested changes are for the package's
> operation and what any drawbacks might be of setting those values.
I've consulted the engineers who work with this component and they
pointed out to me that these are optimal values for internal usage. They do
recommend them, but we will do this internally using another methodology
so we can maintain this package on EPEL. The 'offending/superfluous'
%post and %postun for the lcm package are removed.
I will now proceed with submission to EPEL.
Thanks for your help, it was most welcome.
epel-devel-list mailing list
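
The predictable-temporary-file problem discussed in this thread, as an added example that is not code from the lcm spec file or from either poster: a POSIX shell helper a scriptlet could use to change one key in a configuration file through a `mktemp`-created file in the target's own directory. The function name `set_conf_key`, the key `net.core.rmem_max` and its value are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: replace or append "key = value" in a config file without
# ever writing to a fixed name under /tmp.
#
# Pattern of the kind use-tmp-in-%post flags (constructed, not the lcm spec):
#   grep -v '^net.core.rmem_max' /etc/sysctl.conf > /tmp/sysctl.conf.new
#   mv /tmp/sysctl.conf.new /etc/sysctl.conf
# /tmp is world-writable, so a local user who creates that name first
# (for example as a symlink) decides where the root-run scriptlet writes.

set_conf_key() {
    conf=$1; key=$2; value=$3
    [ -f "$conf" ] || return 1
    # mktemp chooses an unpredictable name and creates it exclusively, mode
    # 0600. Using the target's own directory keeps the file out of reach of
    # unprivileged users and makes the final mv an atomic rename().
    tmp=$(mktemp "$(dirname "$conf")/.$(basename "$conf").XXXXXX") || return 1
    # Copy every line except active assignments of this key, then append ours.
    if awk -v k="$key" '{
            l = $0; sub(/^[ \t]+/, "", l); split(l, f, /[ \t]*=/)
            if (f[1] != k) print
        }' "$conf" > "$tmp" &&
       printf '%s = %s\n' "$key" "$value" >> "$tmp" &&
       chmod 644 "$tmp" &&          # assumed mode of the target file
       mv -f "$tmp" "$conf"
    then
        return 0
    fi
    rm -f "$tmp"                    # never leave a partial file behind
    return 1
}

# Demo on a constructed file in a private scratch directory.
demo_dir=$(mktemp -d) &&
    printf '# constructed sample\nnet.core.rmem_max = 1\n' > "$demo_dir/sysctl.conf" &&
    set_conf_key "$demo_dir/sysctl.conf" net.core.rmem_max 2097152 &&
    cat "$demo_dir/sysctl.conf"
rm -rf "$demo_dir"
```
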