https://bugzilla.redhat.com/show_bug.cgi?id=958585
--- Comment #2 from Christopher Meng cickumqt@gmail.com ---
Hi,
The license check shows this package is licensed under a mix of 2-clause and 3-clause BSD. I found that there shouldn't be any problems if no uthash library is bundled.
BSD (2 clause)
--------------
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/mosquitto-1.1.3/src/uthash.h
This package bundles the uthash library. I just packaged it in June, so please unbundle it.
===============
Another problem is in its code, as the warnings say:
mosquitto.i686: E: missing-call-to-setgroups /usr/sbin/mosquitto
This error output has been renamed to missing-call-to-setgroups-before-setuid.
This will be available in the next version.
And the explanation is:
This executable is calling setuid and setgid without setgroups or initgroups. There is a high probability this mean it didn't relinquish all groups, and this would be a potential security issue to be fixed. Seek POS36-C on the web for details about the problem.
Ref POS36-C:
https://www.securecoding.cert.org/confluence/display/seccode/POS36-C.+Observ...
So consider an upstream fix.
=======
Other issues:
mosquitto.i686: W: unused-direct-shlib-dependency /usr/lib/libmosquittopp.so.1.1.3 /lib/libssl.so.10
mosquitto.i686: W: unused-direct-shlib-dependency /usr/lib/libmosquittopp.so.1.1.3 /lib/libcrypto.so.10
mosquitto.i686: W: unused-direct-shlib-dependency /usr/lib/libmosquittopp.so.1.1.3 /lib/libpthread.so.0
mosquitto.i686: W: unused-direct-shlib-dependency /usr/lib/libmosquittopp.so.1.1.3 /lib/libm.so.6
mosquitto.i686: W: unused-direct-shlib-dependency /usr/lib/libmosquittopp.so.1.1.3 /lib/libgcc_s.so.1
Please see http://fedoraproject.org/wiki/Common_Rpmlint_issues
and fix.
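
The privilege drop that the missing-call-to-setgroups explanation asks for, as an added example that is not part of the original comment and not mosquitto's own code. The helper name `drop_privileges`, its return codes and the default account "nobody" are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE   /* declares initgroups() on glibc/musl */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum { DROP_OK = 0, DROP_NOT_ROOT = 1, DROP_NO_USER = -1, DROP_FAILED = -2 };

/* Permanently switch from root to `user` (hypothetical helper).
 * Order matters: supplementary groups first, then gid, then uid.
 * Once the uid is dropped the process can no longer change its groups,
 * so skipping the first step leaves root's group list in place. */
int drop_privileges(const char *user)
{
    if (geteuid() != 0)
        return DROP_NOT_ROOT;          /* nothing to relinquish */

    const struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return DROP_NO_USER;           /* fail closed, nothing changed */
    uid_t uid = pw->pw_uid;            /* copy: pw points at static storage */
    gid_t gid = pw->pw_gid;

    /* The call rpmlint looks for: replace root's supplementary groups
     * with the target user's before touching gid/uid. */
    if (initgroups(user, gid) != 0)
        return DROP_FAILED;
    if (setgid(gid) != 0)              /* every return value is checked */
        return DROP_FAILED;
    if (setuid(uid) != 0)
        return DROP_FAILED;

    /* Verify the drop is permanent: regaining root must fail. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return DROP_FAILED;
    return DROP_OK;
}

int main(int argc, char **argv)
{
    int rc = drop_privileges(argc > 1 ? argv[1] : "nobody");
    printf("drop_privileges -> %d (uid=%d gid=%d)\n",
           rc, (int)getuid(), (int)getgid());
    return rc < 0;
}
```

A caller should treat any negative return as fatal and exit rather than continue running as root.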