https://bugzilla.redhat.com/show_bug.cgi?id=969209

Orion Poplawski orion@cora.nwra.com changed:

What |Removed |Added ---------------------------------------------------------------------------- Blocks| |969212

https://bugzilla.redhat.com/show_bug.cgi?id=969209

Mario Ceresa mrceresa@gmail.com changed:

What |Removed |Added ---------------------------------------------------------------------------- CC| |mrceresa@gmail.com

--- Comment #1 from Mario Ceresa mrceresa@gmail.com --- Thanks Orion, for pursuing x2go packaging!

I had the following errors trying to mock build it with fedora-review:

../../config/makedepend/makedepend: warning: imake.c (reading /usr/include/bits/byteswap-16.h), line 20: # error "Never use <bits/byteswap-16.h> directly; include <byteswap.h> instead." ../../config/makedepend/makedepend: warning: makestrs.c (reading /usr/include/bits/byteswap-16.h), line 20: # error "Never use <bits/byteswap-16.h> directly; include <byteswap.h> instead." ../../config/makedepend/makedepend: warning: AuDispose.c (reading /usr/include/bits/byteswap-16.h), line 20: # error "Never use <bits/byteswap-16.h> directly; include <byteswap.h> instead." ../../config/makedepend/makedepend: warning: A8Eq.c (reading /usr/include/bits/byteswap-16.h), line 20: # error "Never use <bits/byteswap-16.h> directly; include <byteswap.h> instead." /builddir/build/BUILD/nx-libs-3.5.0.20/my_configure: line 8: syntax error near unexpected token `./nx-X11/lib/Xft/config.guess'

https://bugzilla.redhat.com/show_bug.cgi?id=969209

--- Comment #3 from Mario Ceresa mrceresa@gmail.com --- Okay, I point out some potential issues:

* mock fails to install the package:

Error: Package: x2goagent-3.5.0.20-3.fc20.x86_64 (/x2goagent-3.5.0.20-3.fc20.x86_64) Requires: x2goserver

* rpmlint is not silent:

- Several non standard executable permission (0775L) on libraries. Not sure if it's intentional - Several only-non-binary-in-usr-lib - Several devel-file-in-non-devel-package - Others:

nx-libs.x86_64: W: self-obsoletion nx <= 3.5.0.20-3.fc20 obsoletes nx = 3.5.0.20-3.fc20 nx-libs.x86_64: W: self-obsoletion nx(x86-64) <= 3.5.0.20-3.fc20 obsoletes nx(x86-64) = 3.5.0.20-3.fc20 nx-libs.x86_64: E: no-binary nx-libs.x86_64: W: non-conffile-in-etc /etc/ld.so.conf.d/nx-libs-x86_64.conf nx-libs.x86_64: E: incorrect-fsf-address /usr/share/doc/nx-libs-3.5.0.20/LICENSE libXcomp.x86_64: E: missing-call-to-setgroups /usr/lib64/nx/libXcomp.so.3.5.0 libXcomp.x86_64: E: incorrect-fsf-address /usr/share/doc/libXcomp-3.5.0.20/LICENSE libXcompext.x86_64: E: incorrect-fsf-address /usr/share/doc/libXcompext-3.5.0.20/LICENSE libXcompshad.x86_64: E: incorrect-fsf-address /usr/share/doc/libXcompshad-3.5.0.20/LICENSE nx-devel.x86_64: W: no-dependency-on nx/nx-libs/libnx nx-fontconfig-devel.x86_64: W: no-dependency-on nx-fontconfig/nx-fontconfig-libs/libnx-fontconfig nx-freetype2-devel.x86_64: W: no-dependency-on nx-freetype2/nx-freetype2-libs/libnx-freetype2 nxagent.x86_64: E: missing-call-to-setgroups /usr/lib64/nx/bin/nxagent x2goagent.x86_64: W: dangling-relative-symlink /usr/lib64/x2go/bin/x2goagent ../../nx/bin/nxagent

* there are unversioned so-files: libNX_X11: /usr/lib64/nx/X11/libximcp.so libNX_X11: /usr/lib64/nx/X11/libxlcDef.so libNX_X11: /usr/lib64/nx/X11/libxlcUTF8Load.so libNX_X11: /usr/lib64/nx/X11/libxlibi18n.so libNX_X11: /usr/lib64/nx/X11/libxlocale.so libNX_X11: /usr/lib64/nx/X11/libxomGeneric.so

However, they seem private, so maybe it is not an issue

I'll also attach the fedora-review output if you need it as a reference

https://bugzilla.redhat.com/show_bug.cgi?id=969209

--- Comment #5 from Orion Poplawski orion@cora.nwra.com --- (In reply to Mario Ceresa from comment #3)

Okay, I point out some potential issues:

• mock fails to install the package:

Error: Package: x2goagent-3.5.0.20-3.fc20.x86_64 (/x2goagent-3.5.0.20-3.fc20.x86_64) Requires: x2goserver

x2goserver and x2goagent each require each other at run-time, so this is expected.

• rpmlint is not silent:

• Several non standard executable permission (0775L) on libraries. Not sure

if it's intentional

Nope, fixed.

• Several only-non-binary-in-usr-lib

Bug in rpmlint, see bug 483199

• Several devel-file-in-non-devel-package

Fixed

• Others:

nx-libs.x86_64: W: self-obsoletion nx <= 3.5.0.20-3.fc20 obsoletes nx = 3.5.0.20-3.fc20 nx-libs.x86_64: W: self-obsoletion nx(x86-64) <= 3.5.0.20-3.fc20 obsoletes nx(x86-64) = 3.5.0.20-3.fc20

Fixed

nx-libs.x86_64: E: no-binary

nx-libs is kind of just a container.

nx-libs.x86_64: W: non-conffile-in-etc /etc/ld.so.conf.d/nx-libs-x86_64.conf

Fixed.

nx-libs.x86_64: E: incorrect-fsf-address /usr/share/doc/nx-libs-3.5.0.20/LICENSE

Fixed.

libXcomp.x86_64: E: missing-call-to-setgroups /usr/lib64/nx/libXcomp.so.3.5.0

Hmm, this is an odd one...

nx-devel.x86_64: W: no-dependency-on nx/nx-libs/libnx

Fixed.

nx-fontconfig-devel.x86_64: W: no-dependency-on nx-fontconfig/nx-fontconfig-libs/libnx-fontconfig nx-freetype2-devel.x86_64: W: no-dependency-on nx-freetype2/nx-freetype2-libs/libnx-freetype2

Fixed the naming.

nxagent.x86_64: E: missing-call-to-setgroups /usr/lib64/nx/bin/nxagent

Ah, okay, looking into it.

x2goagent.x86_64: W: dangling-relative-symlink /usr/lib64/x2go/bin/x2goagent ../../nx/bin/nxagent

• there are unversioned so-files:

libNX_X11: /usr/lib64/nx/X11/libximcp.so libNX_X11: /usr/lib64/nx/X11/libxlcDef.so libNX_X11: /usr/lib64/nx/X11/libxlcUTF8Load.so libNX_X11: /usr/lib64/nx/X11/libxlibi18n.so libNX_X11: /usr/lib64/nx/X11/libxlocale.so libNX_X11: /usr/lib64/nx/X11/libxomGeneric.so

However, they seem private, so maybe it is not an issue

These are links to versioned files.

http://www.cora.nwra.com/~orion/fedora/nx/nx-libs.spec http://www.cora.nwra.com/~orion/fedora/nx/nx-libs-3.5.0.20-4.fc18.src.rpm

* Tue Jun 11 2013 Orion Poplawski orion@cora.nwra.com - 3.5.0.20-4 - Fix 775 library permissions - Move nx/X11 .so files to -devel - Fix nx obsoletes - Mark ld.so.conf.d files config(noreplace) - Fix requires

https://bugzilla.redhat.com/show_bug.cgi?id=969209

--- Comment #7 from Orion Poplawski orion@cora.nwra.com --- (In reply to Mario Ceresa from comment #6)

Hello Orion! here there is another round of questions:

• rpmlint:

x2goagent.x86_64: W: dangling-relative-symlink /usr/lib64/x2go/bin/x2goagent ../../nx/bin/nxagent

Okay because x2goagent requires nxagent.

• has any of the nx packages ever been granted an FPC exception for all the

libraries it bundles? I couldn't find any ticket around.

Hmm, I never realized quite the extent of the bundling - let me poke around there some more. I've gotten rid of some, but not all.

• Not sure about this: "Fully versioned dependency in subpackages, if

present." Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in libNX_ICE-devel , libNX_SM-devel , libNX_X11-devel , libNX_Xau-devel , libNX_Xext-devel , libNX_Xfixes-devel , libNX_Xi-devel , libNX_Xmu-devel , libNX_Xpm-devel , libNX_Xrender-devel , libNX_Xt-devel , libNX_Xv-devel , libNX_fontenc-devel , libNX_xkbfile-devel , libXcomp-devel , libXcompext-devel , libXcompshad-devel , libNX_Mesa-devel , nx-bitmaps-devel , nx-devel , libNX_fontconfig-devel , libNX_freetype-devel , nx-proto-devel , nxagent , nxauth , nxproxy , x2goagent

The libN?X*-devel packages require their corresponding runtime versions (which require %{name}%{?_isa} = %{version}-%{release}), although many did not have %{version}-%{release} - fixed. Not really needed for the program sub-packages.

nx-bitmaps-devel stands on its own (and not sure if it is needed), and so does nx-proto-devel.

Fixed for nx-devel

* Thu Jun 13 2013 Orion Poplawski orion@cora.nwra.com - 3.5.0.20-5 - Add more explicit verioned requires - Drop unnecessary directory ownership by sub-packages - Remove many bundled libraries

http://www.cora.nwra.com/~orion/fedora/nx/nx-libs.spec http://www.cora.nwra.com/~orion/fedora/nx/nx-libs-3.5.0.20-5.fc18.src.rpm

https://bugzilla.redhat.com/show_bug.cgi?id=969209

Christopher Meng cickumqt@gmail.com changed:

What |Removed |Added ---------------------------------------------------------------------------- CC| |cickumqt@gmail.com

--- Comment #9 from Christopher Meng cickumqt@gmail.com --- I think Orion knows that error of missing-call-to-setgroups.

missing-call-to-setgroups has been renamed to missing-call-to-setgroups-before-setuid.

This will be available in the next version.

And the explanation is:

This executable is calling setuid and setgid without setgroups or initgroups. There is a high probability this mean it didn't relinquish all groups, and this would be a potential security issue to be fixed. Seek POS36-C on the web for details about the problem.

Ref POS36-C:

https://www.securecoding.cert.org/confluence/display/seccode/POS36-C.+Observ...

https://bugzilla.redhat.com/show_bug.cgi?id=969209

--- Comment #11 from Orion Poplawski orion@cora.nwra.com --- Oops, yeah:

http://www.cora.nwra.com/~orion/fedora/nx/nx-libs-3.5.0.20-6.fc19.src.rpm

I'm trying to get some info out of upstream. I'm not sure why it is even calling setuid/setgid in the first place.

https://bugzilla.redhat.com/show_bug.cgi?id=969209

--- Comment #13 from Mario Ceresa mrceresa@gmail.com --- Orion, I'll be back next Monday, if that's okay to you, tell me and I'll take the review.

Best,

Mario

https://bugzilla.redhat.com/show_bug.cgi?id=969209

Orion Poplawski orion@cora.nwra.com changed:

What |Removed |Added ---------------------------------------------------------------------------- Blocks| |998551

--- Comment #15 from Orion Poplawski orion@cora.nwra.com --- Well, looks like we've missed the change deadline for F20. Sorry.

https://bugzilla.redhat.com/show_bug.cgi?id=969209

Orion Poplawski orion@cora.nwra.com changed:

What |Removed |Added ---------------------------------------------------------------------------- CC|package-review@lists.fedora | |project.org |

--- Comment #17 from Orion Poplawski orion@cora.nwra.com --- http://www.cora.nwra.com/~orion/fedora/nx/nx-libs-3.5.0.20-7.fc19.src.rpm

* Thu Aug 29 2013 Orion Poplawski orion@cora.nwra.com - 3.5.0.20-7 - Add patch to call initgroups()