Please do not reply directly to this email. All additional comments should be made in the comments box of this bug.
Summary: Review Request: libhtp - Security-aware parser for the HTTP protocol and the related bits and pieces
https://bugzilla.redhat.com/show_bug.cgi?id=744977
Product: Fedora
Version: rawhide
Platform: All
OS/Version: Linux
Status: NEW
Severity: medium
Priority: medium
Component: Package Review
AssignedTo: nobody@fedoraproject.org
ReportedBy: bochecha@fedoraproject.org
QAContact: extras-qa@fedoraproject.org
CC: notting@redhat.com, package-review@lists.fedoraproject.org
Classification: Fedora
Story Points: ---
Type: ---
Spec URL: http://bochecha.fedorapeople.org/packages/libhtp.spec
SRPM URL: http://bochecha.fedorapeople.org/packages/libhtp-0.3.0-0.1.20111010.git19896...
Description: LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces. The goals of the project, in the order of importance, are as follows:
1. Completeness of coverage;
2. Permissive parsing;
3. Awareness of evasion techniques;
4. Performance;
$ rpmlint ./libhtp*
libhtp.src: W: invalid-url Source0: libhtp-0.3.0-20111010.git198963d.tar.xz
./libhtp.spec: W: invalid-url Source0: libhtp-0.3.0-20111010.git198963d.tar.xz
4 packages and 1 specfiles checked; 0 errors, 2 warnings.
This warning should be ignored as I'm creating the source tarball from a Git snapshot (see comment in spec file).
--- Comment #1 from Mathieu Bridon bochecha@fedoraproject.org 2011-10-21 03:10:10 EDT ---
Spec URL: http://bochecha.fedorapeople.org/packages/libhtp.spec
SRPM URL: http://bochecha.fedorapeople.org/packages/libhtp-0.3.0-0.1.20111021.git537ac...
$ rpmlint libhtp*
libhtp.src: W: invalid-url Source0: libhtp-0.3.0-20111021.git537ac17.tar.xz
libhtp.spec: W: invalid-url Source0: libhtp-0.3.0-20111021.git537ac17.tar.xz
4 packages and 1 specfiles checked; 0 errors, 2 warnings.
This warning should be ignored as I'm creating the source tarball from a Git snapshot (see comment in spec file).
Matthieu Saulnier casper.le.fantom@gmail.com changed:
What            |Removed                  |Added
----------------------------------------------------------------------------
Status          |NEW                      |ASSIGNED
CC              |                         |casper.le.fantom@gmail.com
Flag            |                         |fedora-review?
--- Comment #2 from Matthieu Saulnier casper.le.fantom@gmail.com 2011-11-22 05:45:11 EST --- Taking the review, stay tuned.
Matthieu Saulnier casper.le.fantom@gmail.com changed:
What            |Removed                  |Added
----------------------------------------------------------------------------
AssignedTo      |nobody@fedoraproject.org |casper.le.fantom@gmail.com
Matthieu Saulnier casper.le.fantom@gmail.com changed:
What            |Removed                  |Added
----------------------------------------------------------------------------
Flag            |fedora-review?           |fedora-review+
--- Comment #3 from Matthieu Saulnier casper.le.fantom@gmail.com 2011-11-26 16:35:30 EST --- Hi Mathieu,
Package Review
==============

Key:
- = N/A
x = Pass
! = Fail
? = Not evaluated

==== C/C++ ====
[x]: MUST Header files in -devel subpackage, if present.
[x]: MUST Package does not contain any libtool archives (.la)
[x]: MUST Package does not contain kernel modules.
[x]: MUST Package contains no static executables.
[x]: MUST Rpath absent or only used for internal libs.
[x]: MUST Package is not relocatable.
[x]: MUST Development .so files in -devel subpackage, if present.
==== Generic ====
[x]: MUST Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines.
[x]: MUST Package successfully compiles and builds into binary rpms on at least one supported architecture.
[x]: MUST All build dependencies are listed in BuildRequires, except for any that are listed in the exceptions section of Packaging Guidelines.
[x]: MUST Buildroot is not present
     Note: Unless packager wants to package for EPEL5 this is fine
[x]: MUST Package contains no bundled libraries.
[x]: MUST Changelog in prescribed format.
[x]: MUST Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT)
     Note: Clean would be needed if support for EPEL is required
[x]: MUST Sources contain only permissible code or content.
[!]: MUST Each %files section contains %defattr if rpm < 4.4
     Note: defattr(....) present in %files devel section. This is OK if packaging for EPEL5. Otherwise not needed
[x]: MUST Macros in Summary, %description expandable at SRPM build time.
[x]: MUST Package requires other packages for directories it uses.
[x]: MUST Package uses nothing in %doc for runtime.
[x]: MUST Package is not known to require ExcludeArch.
[x]: MUST Permissions on files are set properly.
[x]: MUST Package does not contain duplicates in %files.
[x]: MUST Spec file lacks Packager, Vendor, PreReq tags.
[x]: MUST Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install.
     Note: rm -rf would be needed if support for EPEL5 is required
[x]: MUST If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %doc.
[x]: MUST License field in the package spec file matches the actual license.
[x]: MUST License file installed when any subpackage combination is installed.
[x]: MUST Package consistently uses macros (instead of hard-coded directory names).
[x]: MUST Package meets the Packaging Guidelines.
[x]: MUST Package is named according to the Package Naming Guidelines.
[x]: MUST Package does not generate any conflict.
[x]: MUST Package obeys FHS, except libexecdir and /usr/target.
[x]: MUST Package must own all directories that it creates.
[x]: MUST Package does not own files or directories owned by other packages.
[x]: MUST Package installs properly.
[!]: MUST Package requires pkgconfig, if .pc files are present. (EPEL5)
     Note: Only applicable for EL-5
[-]: MUST Requires correct, justified where necessary.
[!]: MUST Rpmlint output is silent.
rpmlint libhtp-0.3.0-0.1.20111021.git537ac17.fc17.src.rpm
libhtp.src: W: invalid-url Source0: libhtp-0.3.0-20111021.git537ac17.tar.xz 1 packages and 0 specfiles checked; 0 errors, 1 warnings.
rpmlint libhtp-devel-0.3.0-0.1.20111021.git537ac17.fc17.x86_64.rpm
1 packages and 0 specfiles checked; 0 errors, 0 warnings.
rpmlint libhtp-debuginfo-0.3.0-0.1.20111021.git537ac17.fc17.x86_64.rpm
1 packages and 0 specfiles checked; 0 errors, 0 warnings.
rpmlint libhtp-0.3.0-0.1.20111021.git537ac17.fc17.x86_64.rpm
1 packages and 0 specfiles checked; 0 errors, 0 warnings.
[x]: MUST Sources used to build the package match the upstream source, as provided in the spec URL.
     libhtp-0.3.0-20111021.git537ac17.tar.xz :
       MD5SUM this package     : d29cb0177692cf4113dce3e674a8ac5a
       MD5SUM upstream package : d29cb0177692cf4113dce3e674a8ac5a
[x]: MUST Spec file is legible and written in American English.
[x]: MUST Spec file name must match the spec package %{name}, in the format %{name}.spec.
[-]: MUST Package contains a SysV-style init script if in need of one.
[x]: MUST File names are valid UTF-8.
[x]: SHOULD Reviewer should test that the package builds in mock.
[-]: SHOULD If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it.
[x]: SHOULD Dist tag is present.
[x]: SHOULD No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[-]: SHOULD Final provides and requires are sane (rpm -q --provides and rpm -q --requires).
[x]: SHOULD Package functions as described.
[x]: SHOULD Package does not include license text files separate from upstream.
[x]: SHOULD The placement of pkgconfig(.pc) files is correct.
[x]: SHOULD Scriptlets must be sane, if used.
[x]: SHOULD SourceX is a working URL.
[-]: SHOULD Description and summary sections in the package spec file contain translations for supported non-English languages, if available.
[x]: SHOULD Package should compile and build into binary rpms on all supported architectures.
[-]: SHOULD %check is present and all tests pass.
[x]: SHOULD Packages should try to preserve timestamps of original installed files.
[x]: SHOULD Spec uses %global instead of %define.

Issues:
[!]: MUST Each %files section contains %defattr if rpm < 4.4
     Note: defattr(....) present in %files devel section. This is OK if packaging for EPEL5. Otherwise not needed
[!]: MUST Package requires pkgconfig, if .pc files are present. (EPEL5)
     Note: Only applicable for EL-5
[!]: MUST Rpmlint output is silent.
Generated by fedora-review 0.1.1
Your package looks good.
---------------- Package Approved ----------------
Martin Gieseking martin.gieseking@uos.de changed:
What            |Removed                  |Added
----------------------------------------------------------------------------
CC              |                         |martin.gieseking@uos.de
--- Comment #4 from Martin Gieseking martin.gieseking@uos.de 2011-11-27 14:04:53 EST --- There are some things that should be addressed before the package is checked in:
- the devel package should require the base package this way: http://fedoraproject.org/wiki/PackagingGuidelines#Requiring_Base_Package
- Don't add the %doc files several times. Drop AUTHORS, LICENSE, and COPYING from the devel package. Since it requires the base package, these files are installed anyway.
- add README and NOTICE to the base package (with %doc) and doc/QUICK_START to the devel package
- I suggest to build the doxygen API documentation (cd into docs/ and run doxygen doxygen.conf) the devel package.
- Either add a Group field to the base package (System Environment/Libraries), or remove it from the devel package. Currently, the Group field is used inconsistently.
--- Comment #5 from Martin Gieseking martin.gieseking@uos.de 2011-11-27 14:07:30 EST --- (In reply to comment #4)
- I suggest to build the doxygen API documentation (cd into docs/ and run doxygen doxygen.conf) the devel package.
I meant: I suggest to build the doxygen API documentation, and to add it to the devel package. ;)
--- Comment #6 from Mathieu Bridon bochecha@fedoraproject.org 2012-01-26 04:18:49 EST --- First of all, I want to apologize for taking so long to answer.
It seems that this review was part of Matthieu's sponsoring process and I hope my failure to react in a timely fashion didn't have any negative consequence on it, either for you, Matthieu, or for your sponsor, Martin.
(In reply to comment #3)
Issues:
[!]: MUST Each %files section contains %defattr if rpm < 4.4
     Note: defattr(....) present in %files devel section. This is OK if packaging for EPEL5. Otherwise not needed
Thanks, I removed the %defattr lines.
[!]: MUST Package requires pkgconfig, if .pc files are present. (EPEL5)
     Note: Only applicable for EL-5
I'll ignore this since I'm not targeting EPEL 5.
(In reply to comment #4)
There are some things that should be addressed before the package is checked in:
- the devel package should require the base package this way: http://fedoraproject.org/wiki/PackagingGuidelines#Requiring_Base_Package
Thanks, I somehow missed specifying the architecture.
- Don't add the %doc files several times. Drop AUTHORS, LICENSE, and COPYING from the devel package. Since it requires the base package, these files are installed anyway.
Right, I fixed that.
- add README and NOTICE to the base package (with %doc) and doc/QUICK_START to the devel package
Good catch, I added those.
- I suggest to build the doxygen API documentation (cd into docs/ and run doxygen doxygen.conf) the devel package.
Done, but since the generated doc is rather large I've added it to a -doc subpackage (noarch).
- Either add a Group field to the base package (System Environment/Libraries), or remove it from the devel package. Currently, the Group field is used inconsistently.
I had explicitly removed the one on the base package, but somehow forgot to do that for the devel subpackage as well. This is fixed.
----
I also updated to the latest upstream VCS snapshot, as it brings in a couple of bug fixes, better unit testing, and it makes it easier to build the doxygen documentation.
Spec URL: http://bochecha.fedorapeople.org/packages/libhtp.spec
SRPM URL: http://bochecha.fedorapeople.org/packages/libhtp-0.3.0-0.3.20120126.git53e59...
Matthieu, were you already sponsored at the time you approved the package?
Martin, since you had a few issues with the approved package, can I consider the review granted and ask for the SCM branches?
Thanks, and once again please accept my apologies for delaying the review for such a long time.
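A hypothetical spec fragment, added here and not the spec file submitted in this bug, showing the layout the reviewers asked for in comments #4 and #6: an arch-specific Requires on the base package, %doc files split between packages without duplication, no Group tag, and the Doxygen output in a noarch -doc subpackage. Version, snapshot date and commit come from the rpmlint output quoted in the review; the license, BuildRequires, header, pkgconfig and doc paths are assumptions, and %prep, scriptlets and %changelog are omitted for brevity.

```spec
# Hypothetical spec fragment showing the review outcome, not the spec
# submitted in this bug; license, paths and build steps are assumptions.
Name:           libhtp
Version:        0.3.0
Release:        0.1.20111021.git537ac17%{?dist}
Summary:        Security-aware parser for the HTTP protocol and the related bits and pieces
License:        BSD
# Snapshot tarball built from git, hence the rpmlint invalid-url warning.
Source0:        libhtp-0.3.0-20111021.git537ac17.tar.xz
BuildRequires:  autoconf automake libtool doxygen

%description
LibHTP is a security-aware parser for the HTTP protocol.

%package devel
Summary:        Development files for %{name}
# Arch-specific dependency on the base package, as the review requested.
Requires:       %{name}%{?_isa} = %{version}-%{release}
%description devel
Headers and libraries for developing applications using %{name}.

%package doc
Summary:        API documentation for %{name}
BuildArch:      noarch
%description doc
Doxygen-generated API documentation for %{name}.

%build
%configure --disable-static
make %{?_smp_mflags}
# Build the API documentation the way the reviewer described.
(cd docs && doxygen doxygen.conf)

%install
make install DESTDIR=%{buildroot}
rm -f %{buildroot}%{_libdir}/*.la

%files
# License files live only here; -devel pulls in the base package anyway.
%doc AUTHORS LICENSE COPYING README NOTICE
%{_libdir}/libhtp.so.*

%files devel
%doc doc/QUICK_START
%{_includedir}/htp/
%{_libdir}/libhtp.so
%{_libdir}/pkgconfig/htp.pc

%files doc
%doc docs/html
```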
--- Comment #7 from Martin Gieseking martin.gieseking@uos.de 2012-01-26 04:59:23 EST --- (In reply to comment #6)
Matthieu, were you already sponsored at the time you approved the package?
Yes, Matthieu was already sponsored. Otherwise, he wouldn't have been able to set the review flags. :)
Martin, since you had a few issues with the approved package, can I consider the review granted and ask for the SCM branches?
Yes, please do so. My additional notes were almost minor ones, so there's no need to block the package.
Thanks, and once again please accept my apologies for delaying the review for such a long time.
Of course. To me, the delay isn't a problem at all.
Mathieu Bridon bochecha@fedoraproject.org changed:
What            |Removed                  |Added
----------------------------------------------------------------------------
Flag            |                         |fedora-cvs?
--- Comment #8 from Mathieu Bridon bochecha@fedoraproject.org 2012-01-26 05:46:35 EST --- Thanks Matthieu and Martin!
New Package SCM Request
=======================
Package Name: libhtp
Short Description: Security-aware parser for the HTTP protocol and the related bits and pieces
Owners: bochecha
Branches: f16 el6
InitialCC:
--- Comment #9 from Jon Ciesla limburgher@gmail.com 2012-01-26 07:56:35 EST --- Git done (by process-git-requests).
Mathieu Bridon bochecha@fedoraproject.org changed:
What            |Removed                  |Added
----------------------------------------------------------------------------
Status          |ASSIGNED                 |CLOSED
Resolution      |                         |NEXTRELEASE
Last Closed     |                         |2012-01-26 23:02:55
--- Comment #10 from Mathieu Bridon bochecha@fedoraproject.org 2012-01-26 23:02:55 EST --- Thank you Jon for the VCS.
I just committed, pushed, built and requested updates for all branches.
Closing.