https://bugzilla.redhat.com/show_bug.cgi?id=969209
Bug ID: 969209
Summary: Review Request: nx-libs - NX X11 protocol compression libraries
Product: Fedora
Version: rawhide
Component: Package Review
Severity: medium
Priority: medium
Assignee: nobody@fedoraproject.org
Reporter: orion@cora.nwra.com
QA Contact: extras-qa@fedoraproject.org
CC: notting@redhat.com, package-review@lists.fedoraproject.org
Spec URL: http://www.cora.nwra.com/~orion/fedora/nx/nx-libs.spec
SRPM URL: http://www.cora.nwra.com/~orion/fedora/nx/nx-libs-3.5.0.20-2.fc18.src.rpm
Description: NX is a software suite which implements very efficient compression of the X11 protocol. This increases performance when using X applications over a network, especially a slow one.
This package provides the core nx-X11 libraries customized for nxagent/x2goagent.
Fedora Account System Username: orion
This is part of this feature: https://fedoraproject.org/wiki/Features/X2Go
Orion Poplawski orion@cora.nwra.com changed:
What    |Removed                     |Added
----------------------------------------------------------------------------
Blocks  |                            |969212
Orion Poplawski orion@cora.nwra.com changed:
What    |Removed                     |Added
----------------------------------------------------------------------------
Blocks  |                            |969220
Mario Ceresa mrceresa@gmail.com changed:
What    |Removed                     |Added
----------------------------------------------------------------------------
CC      |                            |mrceresa@gmail.com
--- Comment #1 from Mario Ceresa mrceresa@gmail.com --- Thanks Orion, for pursuing x2go packaging!
I had the following errors trying to mock build it with fedora-review:
../../config/makedepend/makedepend: warning: imake.c (reading /usr/include/bits/byteswap-16.h), line 20: # error "Never use <bits/byteswap-16.h> directly; include <byteswap.h> instead."
../../config/makedepend/makedepend: warning: makestrs.c (reading /usr/include/bits/byteswap-16.h), line 20: # error "Never use <bits/byteswap-16.h> directly; include <byteswap.h> instead."
../../config/makedepend/makedepend: warning: AuDispose.c (reading /usr/include/bits/byteswap-16.h), line 20: # error "Never use <bits/byteswap-16.h> directly; include <byteswap.h> instead."
../../config/makedepend/makedepend: warning: A8Eq.c (reading /usr/include/bits/byteswap-16.h), line 20: # error "Never use <bits/byteswap-16.h> directly; include <byteswap.h> instead."
/builddir/build/BUILD/nx-libs-3.5.0.20/my_configure: line 8: syntax error near unexpected token `./nx-X11/lib/Xft/config.guess'
--- Comment #2 from Orion Poplawski orion@cora.nwra.com --- Ah, new configure macro in rawhide was causing issues. Fixed.
http://www.cora.nwra.com/~orion/fedora/nx/nx-libs.spec
http://www.cora.nwra.com/~orion/fedora/nx/nx-libs-3.5.0.20-3.fc18.src.rpm
* Fri May 31 2013 Orion Poplawski orion@cora.nwra.com - 3.5.0.20-3
- Fix quoting when creating my_configure script
--- Comment #3 from Mario Ceresa mrceresa@gmail.com --- Okay, I point out some potential issues:
* mock fails to install the package:
Error: Package: x2goagent-3.5.0.20-3.fc20.x86_64 (/x2goagent-3.5.0.20-3.fc20.x86_64)
           Requires: x2goserver
* rpmlint is not silent:
- Several non standard executable permission (0775L) on libraries. Not sure if it's intentional
- Several only-non-binary-in-usr-lib
- Several devel-file-in-non-devel-package
- Others:
nx-libs.x86_64: W: self-obsoletion nx <= 3.5.0.20-3.fc20 obsoletes nx = 3.5.0.20-3.fc20
nx-libs.x86_64: W: self-obsoletion nx(x86-64) <= 3.5.0.20-3.fc20 obsoletes nx(x86-64) = 3.5.0.20-3.fc20
nx-libs.x86_64: E: no-binary
nx-libs.x86_64: W: non-conffile-in-etc /etc/ld.so.conf.d/nx-libs-x86_64.conf
nx-libs.x86_64: E: incorrect-fsf-address /usr/share/doc/nx-libs-3.5.0.20/LICENSE
libXcomp.x86_64: E: missing-call-to-setgroups /usr/lib64/nx/libXcomp.so.3.5.0
libXcomp.x86_64: E: incorrect-fsf-address /usr/share/doc/libXcomp-3.5.0.20/LICENSE
libXcompext.x86_64: E: incorrect-fsf-address /usr/share/doc/libXcompext-3.5.0.20/LICENSE
libXcompshad.x86_64: E: incorrect-fsf-address /usr/share/doc/libXcompshad-3.5.0.20/LICENSE
nx-devel.x86_64: W: no-dependency-on nx/nx-libs/libnx
nx-fontconfig-devel.x86_64: W: no-dependency-on nx-fontconfig/nx-fontconfig-libs/libnx-fontconfig
nx-freetype2-devel.x86_64: W: no-dependency-on nx-freetype2/nx-freetype2-libs/libnx-freetype2
nxagent.x86_64: E: missing-call-to-setgroups /usr/lib64/nx/bin/nxagent
x2goagent.x86_64: W: dangling-relative-symlink /usr/lib64/x2go/bin/x2goagent ../../nx/bin/nxagent
* there are unversioned so-files:
libNX_X11: /usr/lib64/nx/X11/libximcp.so
libNX_X11: /usr/lib64/nx/X11/libxlcDef.so
libNX_X11: /usr/lib64/nx/X11/libxlcUTF8Load.so
libNX_X11: /usr/lib64/nx/X11/libxlibi18n.so
libNX_X11: /usr/lib64/nx/X11/libxlocale.so
libNX_X11: /usr/lib64/nx/X11/libxomGeneric.so
However, they seem private, so maybe it is not an issue
I'll also attach the fedora-review output if you need it as a reference
--- Comment #4 from Mario Ceresa mrceresa@gmail.com --- Created attachment 755522 --> https://bugzilla.redhat.com/attachment.cgi?id=755522&action=edit Initial review
--- Comment #5 from Orion Poplawski orion@cora.nwra.com --- (In reply to Mario Ceresa from comment #3)
> Okay, I point out some potential issues:
> - mock fails to install the package:
> Error: Package: x2goagent-3.5.0.20-3.fc20.x86_64 (/x2goagent-3.5.0.20-3.fc20.x86_64)
>            Requires: x2goserver
x2goserver and x2goagent each require each other at run-time, so this is expected.
> - rpmlint is not silent:
> - Several non standard executable permission (0775L) on libraries. Not sure
> if it's intentional
Nope, fixed.
> - Several only-non-binary-in-usr-lib
Bug in rpmlint, see bug 483199
> - Several devel-file-in-non-devel-package
Fixed
> - Others:
> nx-libs.x86_64: W: self-obsoletion nx <= 3.5.0.20-3.fc20 obsoletes nx = 3.5.0.20-3.fc20
> nx-libs.x86_64: W: self-obsoletion nx(x86-64) <= 3.5.0.20-3.fc20 obsoletes nx(x86-64) = 3.5.0.20-3.fc20
Fixed
> nx-libs.x86_64: E: no-binary
nx-libs is kind of just a container.
> nx-libs.x86_64: W: non-conffile-in-etc /etc/ld.so.conf.d/nx-libs-x86_64.conf
Fixed.
> nx-libs.x86_64: E: incorrect-fsf-address /usr/share/doc/nx-libs-3.5.0.20/LICENSE
Fixed.
> libXcomp.x86_64: E: missing-call-to-setgroups /usr/lib64/nx/libXcomp.so.3.5.0
Hmm, this is an odd one...
> nx-devel.x86_64: W: no-dependency-on nx/nx-libs/libnx
Fixed.
> nx-fontconfig-devel.x86_64: W: no-dependency-on nx-fontconfig/nx-fontconfig-libs/libnx-fontconfig
> nx-freetype2-devel.x86_64: W: no-dependency-on nx-freetype2/nx-freetype2-libs/libnx-freetype2
Fixed the naming.
> nxagent.x86_64: E: missing-call-to-setgroups /usr/lib64/nx/bin/nxagent
Ah, okay, looking into it.
> x2goagent.x86_64: W: dangling-relative-symlink /usr/lib64/x2go/bin/x2goagent ../../nx/bin/nxagent
> - there are unversioned so-files:
> libNX_X11: /usr/lib64/nx/X11/libximcp.so
> libNX_X11: /usr/lib64/nx/X11/libxlcDef.so
> libNX_X11: /usr/lib64/nx/X11/libxlcUTF8Load.so
> libNX_X11: /usr/lib64/nx/X11/libxlibi18n.so
> libNX_X11: /usr/lib64/nx/X11/libxlocale.so
> libNX_X11: /usr/lib64/nx/X11/libxomGeneric.so
> However, they seem private, so maybe it is not an issue
These are links to versioned files.
http://www.cora.nwra.com/~orion/fedora/nx/nx-libs.spec
http://www.cora.nwra.com/~orion/fedora/nx/nx-libs-3.5.0.20-4.fc18.src.rpm
* Tue Jun 11 2013 Orion Poplawski orion@cora.nwra.com - 3.5.0.20-4
- Fix 775 library permissions
- Move nx/X11 .so files to -devel
- Fix nx obsoletes
- Mark ld.so.conf.d files config(noreplace)
- Fix requires
--- Comment #6 from Mario Ceresa mrceresa@gmail.com --- Hello Orion! here there is another round of questions:
* rpmlint:
x2goagent.x86_64: W: dangling-relative-symlink /usr/lib64/x2go/bin/x2goagent ../../nx/bin/nxagent
* has any of the nx packages ever been granted an FPC exception for all the libraries it bundles? I couldn't find any ticket around.
* Not sure about this: "Fully versioned dependency in subpackages, if present."
Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in libNX_ICE-devel , libNX_SM-devel , libNX_X11-devel , libNX_Xau-devel , libNX_Xext-devel , libNX_Xfixes-devel , libNX_Xi-devel , libNX_Xmu-devel , libNX_Xpm-devel , libNX_Xrender-devel , libNX_Xt-devel , libNX_Xv-devel , libNX_fontenc-devel , libNX_xkbfile-devel , libXcomp-devel , libXcompext-devel , libXcompshad-devel , libNX_Mesa-devel , nx-bitmaps-devel , nx-devel , libNX_fontconfig-devel , libNX_freetype-devel , nx-proto-devel , nxagent , nxauth , nxproxy , x2goagent
--- Comment #7 from Orion Poplawski orion@cora.nwra.com --- (In reply to Mario Ceresa from comment #6)
> Hello Orion! here there is another round of questions:
> - rpmlint:
> x2goagent.x86_64: W: dangling-relative-symlink /usr/lib64/x2go/bin/x2goagent ../../nx/bin/nxagent
Okay because x2goagent requires nxagent.
> - has any of the nx packages ever been granted an FPC exception for all the
> libraries it bundles? I couldn't find any ticket around.
Hmm, I never realized quite the extent of the bundling - let me poke around there some more. I've gotten rid of some, but not all.
> - Not sure about this: "Fully versioned dependency in subpackages, if
> present." Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in libNX_ICE-devel , libNX_SM-devel , libNX_X11-devel , libNX_Xau-devel , libNX_Xext-devel , libNX_Xfixes-devel , libNX_Xi-devel , libNX_Xmu-devel , libNX_Xpm-devel , libNX_Xrender-devel , libNX_Xt-devel , libNX_Xv-devel , libNX_fontenc-devel , libNX_xkbfile-devel , libXcomp-devel , libXcompext-devel , libXcompshad-devel , libNX_Mesa-devel , nx-bitmaps-devel , nx-devel , libNX_fontconfig-devel , libNX_freetype-devel , nx-proto-devel , nxagent , nxauth , nxproxy , x2goagent
The libN?X*-devel packages require their corresponding runtime versions (which require %{name}%{?_isa} = %{version}-%{release}), although many did not have %{version}-%{release} - fixed. Not really needed for the program sub-packages.
nx-bitmaps-devel stands on its own (and not sure if it is needed), and so does nx-proto-devel.
Fixed for nx-devel
* Thu Jun 13 2013 Orion Poplawski orion@cora.nwra.com - 3.5.0.20-5
- Add more explicit versioned requires
- Drop unnecessary directory ownership by sub-packages
- Remove many bundled libraries
http://www.cora.nwra.com/~orion/fedora/nx/nx-libs.spec
http://www.cora.nwra.com/~orion/fedora/nx/nx-libs-3.5.0.20-5.fc18.src.rpm
--- Comment #8 from Orion Poplawski orion@cora.nwra.com --- I've done a lot more cleanup.
* Thu Jul 11 2013 Orion Poplawski orion@cora.nwra.com - 3.5.0.20-6
- Drop building and/or shipping a bunch of unneeded libraries
http://www.cora.nwra.com/~orion/fedora/nx/nx-libs.spec
http://www.cora.nwra.com/~orion/fedora/nx/nx-libs-3.5.0.20-6.fc11.src.rpm
I'm still probably shipping more than is strictly needed, but I'd like to err to that side for now.
Christopher Meng cickumqt@gmail.com changed:
What    |Removed                     |Added
----------------------------------------------------------------------------
CC      |                            |cickumqt@gmail.com
--- Comment #9 from Christopher Meng cickumqt@gmail.com --- I think Orion knows that error of missing-call-to-setgroups.
missing-call-to-setgroups has been renamed to missing-call-to-setgroups-before-setuid.
This will be available in the next version.
And the explanation is:
This executable is calling setuid and setgid without setgroups or initgroups. There is a high probability this mean it didn't relinquish all groups, and this would be a potential security issue to be fixed. Seek POS36-C on the web for details about the problem.
Ref POS36-C:
https://www.securecoding.cert.org/confluence/display/seccode/POS36-C.+Observ...
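The revocation order the rpmlint check above is about (supplementary groups, then GID, then UID), as an added example; it is not code from nx-libs or from any patch in this review. It assumes Linux with glibc, uses setresgid()/setresuid() in place of plain setgid()/setuid() so the saved IDs are dropped too, and `drop_to_real_user` is a hypothetical name.

```c
#define _GNU_SOURCE            /* setresuid/setresgid/initgroups on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to the real (invoking) user and group.
 * Returns 0 on success, -1 if any step fails or cannot be verified. */
int drop_to_real_user(void)
{
    uid_t ruid = getuid(), r, e, s;
    gid_t rgid = getgid(), gr, ge, gs;

    /* 1. Supplementary groups first. Only root may change them, so this
     *    must happen before the UID is given up. A non-root set-id program
     *    already carries just the invoking user's group list. */
    if (geteuid() == 0) {
        struct passwd *pw = getpwuid(ruid);
        if (pw == NULL || initgroups(pw->pw_name, rgid) != 0)
            return -1;
    }
    /* 2. Group IDs next, while we are still allowed to change them. */
    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    /* 3. User IDs last; after this nothing above can be redone. */
    if (setresuid(ruid, ruid, ruid) != 0)
        return -1;

    /* 4. Verify: real, effective and saved IDs must all be the target. */
    if (getresuid(&r, &e, &s) != 0 || r != ruid || e != ruid || s != ruid)
        return -1;
    if (getresgid(&gr, &ge, &gs) != 0 || gr != rgid || ge != rgid || gs != rgid)
        return -1;
    /* 5. Verify the drop is irreversible (meaningless if the target is root). */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    if (drop_to_real_user() != 0) {
        perror("drop_to_real_user");
        return 1;
    }
    printf("running as uid=%d gid=%d\n", (int)geteuid(), (int)getegid());
    return 0;
}
```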
Eric Smith spacewar@gmail.com changed:
What    |Removed                     |Added
----------------------------------------------------------------------------
CC      |                            |spacewar@gmail.com
--- Comment #10 from Eric Smith spacewar@gmail.com --- The SRPM link in comment 8 appears to be wrong or dead. It appears that it should be .fc19 rather than .fc11.
--- Comment #11 from Orion Poplawski orion@cora.nwra.com --- Oops, yeah:
http://www.cora.nwra.com/~orion/fedora/nx/nx-libs-3.5.0.20-6.fc19.src.rpm
I'm trying to get some info out of upstream. I'm not sure why it is even calling setuid/setgid in the first place.
--- Comment #12 from Orion Poplawski orion@cora.nwra.com --- We're making great progress reviewing the dependencies :), but not nx-libs itself :(. Could someone step up and take on this review? I'm also not sure what is a blocker at this point. Thanks!
--- Comment #13 from Mario Ceresa mrceresa@gmail.com --- Orion, I'll be back next Monday; if that's okay with you, tell me and I'll take the review.
Best,
Mario
--- Comment #14 from Orion Poplawski orion@cora.nwra.com --- I would just like *somebody* to take the review. :)
Orion Poplawski orion@cora.nwra.com changed:
What    |Removed                     |Added
----------------------------------------------------------------------------
Blocks  |                            |998551
--- Comment #15 from Orion Poplawski orion@cora.nwra.com --- Well, looks like we've missed the change deadline for F20. Sorry.
--- Comment #16 from Orion Poplawski orion@cora.nwra.com --- Upstream's comment on the setgid issue:
Everything in NX runs under the user who launches the X2Go session. IMHO resetting the effective GID prevents us from setgid file permission manipulations, so that the effective group ID always is the primary/real group ID of the current user that is executing the NX binary.
----
We're rapidly approaching the change deadline for F20. Are there any blockers in this package? It would be nice to get a review done soon.
Orion Poplawski orion@cora.nwra.com changed:
What    |Removed                                 |Added
----------------------------------------------------------------------------
CC      |package-review@lists.fedoraproject.org  |
--- Comment #17 from Orion Poplawski orion@cora.nwra.com --- http://www.cora.nwra.com/~orion/fedora/nx/nx-libs-3.5.0.20-7.fc19.src.rpm
* Thu Aug 29 2013 Orion Poplawski orion@cora.nwra.com - 3.5.0.20-7
- Add patch to call initgroups()