Product: Fedora https://bugzilla.redhat.com/show_bug.cgi?id=958585
Bug ID: 958585
Summary: Review Request: mosquitto - An Open Source MQTT v3.1 Broker
Product: Fedora
Version: rawhide
Component: Package Review
Severity: medium
Priority: medium
Assignee: nobody@fedoraproject.org
Reporter: richmattes@gmail.com
QA Contact: extras-qa@fedoraproject.org
CC: notting@redhat.com, package-review@lists.fedoraproject.org
Category: ---
Spec URL: http://rmattes.fedorapeople.org/RPMS/mosquitto/mosquitto.spec
SRPM URL: http://rmattes.fedorapeople.org/RPMS/mosquitto/mosquitto-1.1.3-1.fc18.src.rp...
Description: Mosquitto is an open source (BSD licensed) message broker that implements the MQ Telemetry Transport protocol version 3.1. MQTT provides a lightweight method of carrying out messaging using a publish/subscribe model. This makes it suitable for "machine to machine" messaging such as with low power sensors or mobile devices such as phones, embedded computers or micro-controllers like the Arduino.
Fedora Account System Username: rmattes
rpmlint:
$ rpmlint mosquitto.spec ../RPMS/x86_64/mosquitto-*
3 packages and 1 specfiles checked; 0 errors, 0 warnings.
scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=5323009
Rich Mattes richmattes@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |esandeen@redhat.com
--- Comment #1 from Rich Mattes richmattes@gmail.com ---
*** Bug 638459 has been marked as a duplicate of this bug. ***
Christopher Meng cickumqt@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |cickumqt@gmail.com
           Assignee|nobody@fedoraproject.org    |cickumqt@gmail.com
              Flags|                            |fedora-review?
--- Comment #2 from Christopher Meng cickumqt@gmail.com ---
Hi,
License check shows this package is 2-clause and 3-clause mix licensed. And I found that there shouldn't be any problems if there is no uthash library bundled.
BSD (2 clause)
--------------
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/mosquitto-1.1.3/src/uthash.h
This package bundles the uthash library; I just packaged it in June, so please unbundle it.
===============
Another problem is in its code, as warnings said:
mosquitto.i686: E: missing-call-to-setgroups /usr/sbin/mosquitto
This error output has been renamed to missing-call-to-setgroups-before-setuid.
This will be available in the next version.
And the explanation is:
This executable is calling setuid and setgid without setgroups or initgroups. There is a high probability this mean it didn't relinquish all groups, and this would be a potential security issue to be fixed. Seek POS36-C on the web for details about the problem.
Ref POS36-C:
https://www.securecoding.cert.org/confluence/display/seccode/POS36-C.+Observ...
So consider an upstream fix.
=======
Other issues:
mosquitto.i686: W: unused-direct-shlib-dependency /usr/lib/libmosquittopp.so.1.1.3 /lib/libssl.so.10
mosquitto.i686: W: unused-direct-shlib-dependency /usr/lib/libmosquittopp.so.1.1.3 /lib/libcrypto.so.10
mosquitto.i686: W: unused-direct-shlib-dependency /usr/lib/libmosquittopp.so.1.1.3 /lib/libpthread.so.0
mosquitto.i686: W: unused-direct-shlib-dependency /usr/lib/libmosquittopp.so.1.1.3 /lib/libm.so.6
mosquitto.i686: W: unused-direct-shlib-dependency /usr/lib/libmosquittopp.so.1.1.3 /lib/libgcc_s.so.1
Please see http://fedoraproject.org/wiki/Common_Rpmlint_issues and fix.
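The call order that the missing-call-to-setgroups check in comment #2 looks for, as an added example that is not part of the original comment and is not mosquitto's own code. The function names drop_privileges and group_list_contains are hypothetical, "mosquitto" is only the default account name taken from this thread, and refusing uid 0 and rejecting a leftover gid 0 are assumptions of this sketch.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* glibc: expose initgroups() */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure helper: does a supplementary group list contain `gid`? */
int group_list_contains(const gid_t *list, int n, gid_t gid)
{
    for (int i = 0; i < n; i++)
        if (list[i] == gid) return 1;
    return 0;
}

/* Drop from root to `user`; 0 on success, -1 on any failure (fail closed).
 * Order matters: supplementary groups, then gid, then uid. Once setuid()
 * succeeds the process can no longer change its groups. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || pw->pw_uid == 0) return -1; /* unknown user, or not a drop */
    uid_t uid = pw->pw_uid;
    gid_t gid = pw->pw_gid;
    if (initgroups(pw->pw_name, gid) != 0) return -1; /* replaces root's group list */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;

    /* Verify instead of trusting return codes alone. */
    if (setuid(0) == 0) return -1;       /* root must be unrecoverable */
    gid_t groups[64];
    int n = getgroups(64, groups);
    if (n < 0) return -1;
    /* Assumption: the service account is not itself a member of gid 0. */
    if (gid != 0 && group_list_contains(groups, n, 0)) return -1;
    return 0;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "mosquitto";
    if (drop_privileges(user) != 0) {
        fprintf(stderr, "refusing to continue: could not drop to %s\n", user);
        return 1;
    }
    printf("running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Started without root, the initgroups() call fails and the function returns -1 rather than continuing with an unchanged group list.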
--- Comment #3 from Rich Mattes richmattes@gmail.com ---
I unbundled uthash and fixed the unused shlib dependency error by adding -Wl,--as-needed to the LDFLAGS for the build. I will contact upstream about working on a fix for the missing call to setgroups.
Updated packages can be found here:
Spec URL: http://rmattes.fedorapeople.org/RPMS/mosquitto/mosquitto.spec
SRPM URL: http://rmattes.fedorapeople.org/RPMS/mosquitto/mosquitto-1.1.3-2.fc19.src.rp...
$ rpmlint mosquitto.spec ../RPMS/x86_64/mosquitto*1.1.3-2*
mosquitto.x86_64: E: missing-call-to-setgroups /usr/sbin/mosquitto
3 packages and 1 specfiles checked; 1 errors, 0 warnings.
Christopher Meng cickumqt@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|fedora-review?              |fedora-review+
--- Comment #4 from Christopher Meng cickumqt@gmail.com ---
APPROVED.
Only:
Remember to remove "rm -rf $RPM_BUILD_ROOT" in the %install section in SCM.
Rich Mattes richmattes@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |fedora-cvs?
--- Comment #5 from Rich Mattes richmattes@gmail.com ---
Thanks Christopher. I'll be sure to remove that line before I build the package.
New Package SCM Request
=======================
Package Name: mosquitto
Short Description: An Open Source MQTT v3.1 Broker
Owners: rmattes
Branches: f18 f19 el6
InitialCC:
Jon Ciesla limburgher@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|fedora-cvs?                 |fedora-cvs+
--- Comment #6 from Jon Ciesla limburgher@gmail.com ---
Git done (by process-git-requests).
Roger Light roger@atchoo.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |roger@atchoo.org
--- Comment #7 from Roger Light roger@atchoo.org ---
I'm upstream, I had this pointed out by Eric Sandeen. Thanks for taking the time to do the packaging.
Thanks for the hint about setgroups/initgroups. I'll sort that out for the next release, which is likely to be this weekend unless any other problems pop up.
I'd suggest using straight "make" rather than cmake because it adds extra bits like symbol hiding in the C library. The cmake build scripts are really intended for Windows to generate Visual Studio project files.
I spend most of my packaging effort on the Debian side of things - I can make some suggestions of what to set in terms of configuration if you would like. I've made some changes in 1.2 that make life a bit easier in that regard.
--- Comment #8 from Christopher Meng cickumqt@gmail.com ---
(In reply to Roger Light from comment #7)
My pleasure.
If you are willing to keep it in Fedora, you can register an account at FAS and CC the bugzilla from pkgdb.
However, you should let users install it via yum rather than compiling it on their own. ;)
--- Comment #9 from Roger Light roger@atchoo.org ---
Thanks, but I'm trying to keep my packaging efforts low :) It's already a big effort doing a release with what I already do.
--- Comment #10 from Rich Mattes richmattes@gmail.com ---
Hi Roger, thanks for chipping in.
I'm a fan of cmake so I went ahead and used it, but if the makefiles are a better way of doing things on Linux then I don't have any problem switching to them. I'll make sure to do so before im
At the moment, I'm just using the default configuration file that ships with the source distribution, and I created a simple systemd unit to start and stop the server with the same options as the upstart job in the service/ subdirectory. One thing I should probably add to the systemd unit is to start the service[1] as User=mosquitto. We're creating the mosquitto user at rpm installation time for this purpose, but the default configuration is set to run as root. If you have any other suggestions, I'd be happy to hear them. Also, if you're interested in carrying a systemd unit file with the source distribution, I'll be happy to help you test and verify it.
[1] http://www.freedesktop.org/software/systemd/man/systemd.service.html
--- Comment #11 from Roger Light roger@atchoo.org ---
Unless you specify otherwise, the behaviour when run as root is to drop privileges to the mosquitto user and its group (and now the supplementary groups as well). You can tell it what user to use in the config file. If that user is root, it warns that it is a bad idea, but runs. If all of the files that it needs to write are owned by mosquitto then there is no need to start running as root.
On Debian/Ubuntu I'm moving to a config file that looks like this: https://bitbucket.org/oojah/mosquitto-packaging/src/tip/debian/mosquitto.con... This gives a very simple config that is unlikely to be changed by the end user and provides a location where they can add their own customisations. mosquitto.conf will be installed as mosquitto.conf.example from 1.2, so as not to clobber anything.
The log to file there is new for 1.2 and I'm configuring the .debs to use logrotate as well: https://bitbucket.org/oojah/mosquitto-packaging/src/tip/debian/mosquitto.log...
The only other extra things that I'm doing are adding some directories in /etc/mosquitto for TLS certificates, and packaging mosquitto.py for both Python 2 and Python 3.
I'd be happy to put the systemd unit in the source distribution.
Fedora Update System updates@fedoraproject.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |MODIFIED
--- Comment #12 from Fedora Update System updates@fedoraproject.org ---
mosquitto-1.2-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/mosquitto-1.2-1.fc19
Fedora Update System updates@fedoraproject.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|MODIFIED                    |ON_QA
--- Comment #13 from Fedora Update System updates@fedoraproject.org ---
mosquitto-1.2-1.fc19 has been pushed to the Fedora 19 testing repository.
Fedora Update System updates@fedoraproject.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|package-review@lists.fedora |
                   |project.org                 |
             Status|ON_QA                       |CLOSED
   Fixed In Version|                            |mosquitto-1.2-1.fc19
         Resolution|---                         |ERRATA
        Last Closed|                            |2013-08-29 18:21:47
--- Comment #14 from Fedora Update System updates@fedoraproject.org ---
mosquitto-1.2-1.fc19 has been pushed to the Fedora 19 stable repository.