[Bug 239097] Review Request: nikto - Web server scanner

bugzilla at redhat.com bugzilla at redhat.com
Mon May 28 15:39:55 UTC 2007



Summary: Review Request: nikto - Web server scanner


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239097

------- Additional Comments From faucamp at csir.co.za  2007-05-28 11:39 EST -------
Ok, doing review:

MUST items:
 * rpmlint is silent
 * package and spec file are named well
 * package meets Packaging Guidelines
 * package contains code licensed under the GPL, license file included 
 * package contains code NOT licensed under the GPL. The following is the
license contained in the *.db files:

# This file may only be distributed and used with the full Nikto package.
# This file may not be used with any software product without written permission from CIRT, Inc.
# (c) 2001-2007 CIRT, Inc., All Rights Reserved.
# By sending any database updates to CIRT, Inc., it is assumed that you
# grant CIRT, Inc., the unlimited, non-exclusive right to reuse, modify and relicense the changes.

IMO this is acceptable, since the content (the plugin dbs) is freely
distributable along with (and for use with) the nikto package (however, IANAL),
but it does impact the license of the RPM as a whole (see next point).

X* "License" field in spec is MOSTLY correct (applies to code, not the content)
!* license file is included in %doc (might want to add a second one, see NOTES
below)
 * spec file is written in American English and legible
 * package source md5sum matches upstream source:

d70107deb225489ecf20e2b46684674e  nikto-1.36.tar.bz2

 * package is noarch, builds successfully
 * BuildRequires are good
X* Unnecessary "Requires" entry (see comment #6)
 * package handles locales properly (no locales)
 * package has no need for %post and %postun sections
 * package is not relocatable
 * package owns directories it creates
 * no duplicate entries in %files
 * file permissions are good
 * proper %clean section
 * spec file macros are used consistently
!* package contains GPL'ed code and content under a different license
 * no -doc, -devel subpackages necessary
X- some docs are missing (see NOTES below)
 * contents in %doc not required for runtime functionality of application

SHOULD items:
 * package builds in mock (fc6/i386)
 * package functions properly

NOTES:

Patches:
Do note that the "nikto-1.36-config.patch" patch hardcodes the package's config
file location. There at least needs to be a comment about this in the spec; if
someone moved %{_sysconfdir} they would want to know why the package won't work
anymore... What I would recommend, however, is removing the patch, and replacing
it with sed scripts in %prep, making use of RPM's macros. For example, the
following line (if used in %prep) would do what the first entry in the patch
does, except that the package just needs to be rebuilt (without modification) if
any dir locations ever change:

sed -i "s:\$CFG{configfile}=\"config.txt\":\$CFG{configfile}=\"%{_sysconfdir}/nikto/config\":" nikto.pl

Docs:
Maybe include the README_plugins.txt file? It might be outdated, but it's the only
plug-in documentation in the package...

License:
As the content is licensed under a GPL-incompatible license, and CIRT only
allows for the distribution of the necessary plugin content along with the FULL
nikto package, you will have to change the "License" field of the RPM to
something like "Custom, see LICENSE.txt" (or whatever file is appropriate).
Also, I would recommend adding a "database-license.txt" (or something similar)
file containing the license information to %doc (the license is in the header of
each .db file). rpmlint is going to moan about such a "custom" License field
entry, but it's unavoidable here.

Other than these points, the package looks good. Fix the mentioned issues (or
argue against them ;-) ), and I'll approve the package.

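The two %prep-style steps suggested in the review (the sed replacement for the config patch, and pulling the .db header out into a database-license.txt for %doc), worked through as an added example that is not part of the review or of nikto itself. RPM's %{_sysconfdir} is passed in as a plain shell argument so the script runs outside rpmbuild, and the nikto.pl and .db inputs are constructed stand-ins, not the real files.

```shell
#!/bin/sh
# Added example, not part of the review or of the nikto package: exercises the
# two %prep-style steps proposed in the review outside rpmbuild. The second
# argument of rewrite_config_path stands in for RPM's %{_sysconfdir}.

# Constructed stand-in for the line of nikto.pl that the config patch touches.
make_sample_nikto_pl() {
    cat > "$1" <<'EOF'
#!/usr/bin/perl
$CFG{configfile}="config.txt";
$CFG{plugindir}="plugins";
EOF
}

# Constructed plugin database carrying the CIRT header quoted in the review.
make_sample_db() {
    cat > "$1" <<'EOF'
# This file may only be distributed and used with the full Nikto package.
# (c) 2001-2007 CIRT, Inc., All Rights Reserved.
"000001","/","GET","constructed sample entry"
EOF
}

# Point the hardcoded config path at $2/nikto/config, as the sed-in-%prep
# line does; $2 must not contain ':' because that is the sed delimiter here.
rewrite_config_path() {
    sed "s:\$CFG{configfile}=\"config.txt\":\$CFG{configfile}=\"$2/nikto/config\":" \
        "$1" > "$1.new" && mv "$1.new" "$1"
}

# Print the config path a (rewritten) nikto.pl would use, for checking.
config_path_of() {
    sed -n 's/^\$CFG{configfile}="\(.*\)";$/\1/p' "$1"
}

# Copy the leading '#' comment block of a .db file into a standalone text file
# (e.g. database-license.txt for %doc); stops at the first non-comment line.
extract_db_license() {
    sed -n -e '/^#/!q' -e 's/^# \{0,1\}//p' "$1" > "$2"
}

# Demonstration in a scratch directory standing in for the %prep build tree.
WORK=$(mktemp -d)
make_sample_nikto_pl "$WORK/nikto.pl"
rewrite_config_path "$WORK/nikto.pl" /etc
make_sample_db "$WORK/sample.db"
extract_db_license "$WORK/sample.db" "$WORK/database-license.txt"
echo "config path: $(config_path_of "$WORK/nikto.pl")"
```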