https://bugzilla.redhat.com/show_bug.cgi?id=1002275
Bug ID: 1002275
Summary: Review Request: ima-evm-utils - IMA/EVM Utilities
Product: Fedora
Version: rawhide
Component: Package Review
Severity: medium
Priority: medium
Assignee: nobody@fedoraproject.org
Reporter: vgoyal@redhat.com
QA Contact: extras-qa@fedoraproject.org
CC: notting@redhat.com, package-review@lists.fedoraproject.org

Spec URL: http://people.redhat.com/vgoyal/ima-evm-utils/ima-evm-utils.spec
SRPM URL: http://people.redhat.com/vgoyal/ima-evm-utils/ima-evm-utils-0.6-1.fc19.src.r...
Description:
Hi,
I just finished packaging ima-evm-utils. I would appreciate it if it can be reviewed for inclusion in Fedora 20.
These utilities will help sign a binary and store its signature in the security.ima xattr. And these signatures can be verified at run time.
IMA is designed to do a lot more, but the above is the primary use case I am interested in right now.
Fedora Account System Username: vgoyal
Vivek Goyal vgoyal@redhat.com changed:
What    |Removed                     |Added
----------------------------------------------------------------------------
  Blocks|                            |998565
Vivek Goyal vgoyal@redhat.com changed:
What    |Removed                     |Added
----------------------------------------------------------------------------
  Blocks|                            |177841 (FE-NEEDSPONSOR)
--- Comment #1 from Vivek Goyal vgoyal@redhat.com ---
Here is the rpmlint report.

$ rpmlint ima-evm-utils.spec ../RPMS/*/ima-evm-utils*.rpm ../SRPMS/ima-evm-utils*.rpm
ima-evm-utils.spec: W: invalid-url Source0: ima-evm-utils-0.6.tar.gz
ima-evm-utils.x86_64: W: spelling-error %description -l en_US executables -> executable, executable s, executrices
ima-evm-utils.x86_64: W: no-manual-page-for-binary evmctl
ima-evm-utils.src: W: spelling-error %description -l en_US executables -> executable, executable s, executrices
ima-evm-utils.src: W: invalid-url Source0: ima-evm-utils-0.6.tar.gz
3 packages and 1 specfiles checked; 0 errors, 5 warnings.
--- Comment #2 from Paul Wouters pwouters@redhat.com ---
I will sponsor Vivek, but as I started this package review originally, I will let someone else formally review it (though I'll review it as well).
Josh Bressers bressers@redhat.com changed:
What    |Removed                     |Added
----------------------------------------------------------------------------
      CC|                            |bressers@redhat.com
Assignee|nobody@fedoraproject.org    |bressers@redhat.com

--- Comment #3 from Josh Bressers bressers@redhat.com ---
I can do the review. I'm taking the bug.
Christopher Meng cickumqt@gmail.com changed:
What    |Removed                     |Added
----------------------------------------------------------------------------
      CC|package-review@lists.fedora |
        |project.org                 |
      CC|                            |cickumqt@gmail.com

--- Comment #4 from Christopher Meng cickumqt@gmail.com ---
Where does your source come from?
I can only see 0.2...
http://sourceforge.net/projects/linux-ima/files/ima-evm-utils/
Kevin Fenzi kevin@scrye.com changed:
What    |Removed                     |Added
----------------------------------------------------------------------------
      CC|                            |kevin@scrye.com,
        |                            |package-review@lists.fedora
        |                            |project.org
--- Comment #5 from Josh Bressers bressers@redhat.com ---
Created attachment 791795
  --> https://bugzilla.redhat.com/attachment.cgi?id=791795&action=edit
Package review document
Here are the only things I found in this review that need to be addressed.
The spec file claims this package is covered under LGPLv2. The COPYING file is for GPLv2, the single source file uses LGPLv2 in its header comment. - I'm not a lawyer, I don't know how to sort this one (generally we include the COPYING file in the docs directory). Spot can probably clarify.
I can't find the upstream source tarball for this. Can the full URL be added to the spec file?
Otherwise it looked good. The full report is attached.
--- Comment #6 from Vivek Goyal vgoyal@redhat.com ---
(In reply to Christopher Meng from comment #4)
> Where does your source come from?
> I can only see 0.2...
> http://sourceforge.net/projects/linux-ima/files/ima-evm-utils/
The maintainer released 0.6 yesterday, but for some reason the URL of that tar file is not showing up at SourceForge. Even the maintainer is confused. When he logs in he can see the file there, and it says the URL will show up shortly, but it has been close to 24 hours and the URL is not showing yet.
He sent me the tar file in mail personally, and that's what I used for this source rpm.
I will ping him again and see if he can do something to make the situation better.
BTW, the git tree for this source is here, and there one can see that version 0.6 has been released.
http://sourceforge.net/p/linux-ima/ima-evm-utils/ci/master/tree/
--- Comment #7 from Vivek Goyal vgoyal@redhat.com ---
(In reply to Josh Bressers from comment #5)
> The spec file claims this package is covered under LGPLv2. The COPYING file is for GPLv2, the single source file uses LGPLv2 in its header comment. - I'm not a lawyer, I don't know how to sort this one (generally we include the COPYING file in the docs directory). Spot can probably clarify.
Thanks Josh. This is a good point. I have sent mail to upstream maintainer for clarification in this matter.
Dan Horák dan@danny.cz changed:
What    |Removed                     |Added
----------------------------------------------------------------------------
      CC|                            |dan@danny.cz

--- Comment #8 from Dan Horák dan@danny.cz ---
re licensing - please see https://fedoraproject.org/wiki/Licensing:FAQ?rd=Licensing/FAQ#How_do_I_figur... and https://fedoraproject.org/wiki/Licensing
Vivek Goyal vgoyal@redhat.com changed:
What    |Removed                     |Added
----------------------------------------------------------------------------
      CC|package-review@lists.fedora |
        |project.org                 |

--- Comment #9 from Vivek Goyal vgoyal@redhat.com ---
Ok, both licensing and source issues have been sorted out. I have uploaded a new set of spec and source rpm files. Please review.
http://people.redhat.com/vgoyal/ima-evm-utils/ima-evm-utils.spec
http://people.redhat.com/vgoyal/ima-evm-utils/ima-evm-utils-0.6-1.fc19.src.r...
Hanns-Joachim Uhl hannsj_uhl@de.ibm.com changed:
What    |Removed                     |Added
----------------------------------------------------------------------------
  Blocks|                            |1384450