[Bug 618059] Review Request: x509watch - Simple tool to list expiring or expired X.509 certificates

bugzilla at redhat.com bugzilla at redhat.com
Mon Jul 26 10:05:31 UTC 2010


Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.


https://bugzilla.redhat.com/show_bug.cgi?id=618059

--- Comment #5 from manuel wolfshant <wolfy at nobugconsulting.ro> 2010-07-26 06:05:30 EDT ---
Package Review
==============

Key:
 - = N/A
 x = Check
 ! = Problem
 ? = Not evaluated

=== REQUIRED ITEMS ===
 [x] Package is named according to the Package Naming Guidelines.
 [x] Spec file name must match the base package %{name}, in the format
%{name}.spec.
 [x] Package meets the Packaging Guidelines.
 [x] Package successfully compiles and builds into binary rpms on at least one
supported architecture.
     Tested on: i386
 [x] Rpmlint output:
source RPM: empty
binary RPM:
x509watch.noarch: E: executable-marked-as-config-file /etc/cron.daily/x509watch
Executables must not be marked as config files because that may prevent
upgrades from working correctly. If you need to be able to customize an
executable, make it for example read a config file in /etc/sysconfig.
=> See issue 1 below

 [x] Package is not relocatable.
 [x] Package is licensed with an open-source compatible license and meets other
legal requirements as defined in the legal section of Packaging Guidelines.
 [x] License field in the package spec file matches the actual license.
     License type: GPLv2+
 [x] If (and only if) the source package includes the text of the license(s) in
its own file, then that file, containing the text of the license(s) for the
package is included in %doc.
 [x] Spec file is legible and written in American English.
 [x] Sources used to build the package match the upstream source, as provided
in the spec URL.
     SHA1SUM of source file: f74f4804aab7470d6a451d47438c54d839e926e0 
x509watch-0.1.0.tar.gz
See also issue 2 below
 [x] Package is not known to require ExcludeArch
 [x] All build dependencies are listed in BuildRequires, except for any that
are listed in the exceptions section of Packaging Guidelines.
 [-] The spec file handles locales properly.
 [-] ldconfig called in %post and %postun if required.
 [x] Package must own all directories that it creates.
 [x] Package requires other packages for directories it uses.
 [x] Package does not contain duplicates in %files.
 [x] Permissions on files are set properly.
 [x] Package consistently uses macros.
 [x] Package contains code, or permissible content.
 [-] Large documentation files are in a -doc subpackage, if required.
 [x] Package uses nothing in %doc for runtime.
 [-] Header files in -devel subpackage, if present.
 [-] Static libraries in -devel subpackage, if present.
 [-] Package requires pkgconfig, if .pc files are present.
 [-] Development .so files in -devel subpackage, if present.
 [-] Fully versioned dependency in subpackages, if present.
 [x] Package does not contain any libtool archives (.la).
 [-] Package contains a properly installed %{name}.desktop file if it is a GUI
application.
 [x] Package does not own files or directories owned by other packages.
 [x] Final provides and requires are sane.

=== SUGGESTED ITEMS ===
 [x] Latest version is packaged.
 [x] Package does not include license text files separate from upstream.
 [-] Description and summary sections in the package spec file contains
translations for supported Non-English languages, if available.
 [x] Reviewer should test that the package builds in mock.
     Tested on: koji scratch build for EL-4
 [x] Package should compile and build into binary rpms on all supported
architectures.
     Tested on: koji scratch build for EL-4
 [!] Package functions as described.
See issue 3 below
 [x] Scriptlets must be sane, if used.
 [-] The placement of pkgconfig(.pc) files is correct.
 [-] File based requires are sane.
 [x] %check is present and the test passes.

=== OPTIONAL ITEMS ===
 [x] Buildroot is correct
(%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n))
 [x] Package has a %clean section, which contains rm -rf %{buildroot} (or
$RPM_BUILD_ROOT).

=== Issues ===
1. using " %config(noreplace) %{_sysconfdir}/cron.daily/%{name} " is a bit odd
and identified as an error by rpmlint. Can you please explain the reason to
mark this script as config file ?
2. the site requires registration in order to download files. that's beyond
optimal as it breaks automatic testing. please consider switching to another
hosting site ( such as sourceforge for instance) if you cannot ensure proper /
normal access.
3. In Centos 4 the option "-L" passed to "find" is not recognised AND there is
no error triggered. Removing this option makes the program behave normally.
 I suggest to improve error processing and more important, to stop using the
find tool and use the perl File::Find  (
http://search.cpan.org/~lbrocard/perl5.005_04/lib/File/Find.pm) module instead.
Your approach is prone to very simple attacks. As you can see below, your perl
command
  open(CERTS, "find -L $directory -name '*.pem' -o -name '*.crt' 2> /dev/null |");
is translated into:
 execve("/bin/sh", ["sh", "-c", "find -L /etc/pki -name '*.pem' -"...], [/* 57
vars */] <unfinished ...>
which is quite simple to abuse, given that it relies on the first "find" that
is found in $PATH.

 The same problem is valid for the openssl invocation, too. I strongly suggest
to use a proper perl module for that.


==== Final notes ====

Packaging wise except for issue 1 above the rest is OK. But I cannot approve
this application unless my security concerns are addressed.

-- 
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
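The hardening suggested in issue 3, as an added example that is not the x509watch code under review: File::Find replaces the shell pipeline around find, and openssl is run through Perl's list-form open(), which hands the arguments straight to execve with an absolute path, so neither $PATH lookup nor shell parsing of $directory is involved. The directory, the openssl path and the 30-day threshold are assumed placeholders; the list-form open is one step short of the reviewer's "proper perl module" suggestion, but it already removes the /bin/sh hop shown in the strace output above.

```perl
#!/usr/bin/perl
# Added example (not the x509watch code under review): walk a directory with
# File::Find instead of a "find ... |" shell pipeline, and call openssl via
# list-form open(), which never invokes /bin/sh and does not rely on $PATH.
use strict;
use warnings;
use File::Find;
use Time::Local qw(timegm);

# Assumed placeholders: scan root, absolute openssl path, warning threshold.
my $directory = shift @ARGV || '/etc/pki';
my $openssl   = '/usr/bin/openssl';
my $warn_days = 30;

my %mon = (Jan=>0, Feb=>1, Mar=>2, Apr=>3, May=>4,  Jun=>5,
           Jul=>6, Aug=>7, Sep=>8, Oct=>9, Nov=>10, Dec=>11);

# Parse "notAfter=Jan  1 00:00:00 2030 GMT" into epoch seconds; undef on anything else.
sub parse_enddate {
    my ($line) = @_;
    return undef unless $line =~ /^notAfter=(\w{3})\s+(\d+)\s+(\d+):(\d+):(\d+)\s+(\d{4})\s+GMT/;
    return timegm($5, $4, $3, $2, $mon{$1}, $6);
}

# Return the certificate's notAfter as epoch seconds, or undef if openssl failed.
sub cert_expiry {
    my ($file) = @_;
    # List-form open: each argument is passed as-is, $file is never shell-parsed.
    open(my $fh, '-|', $openssl, 'x509', '-in', $file, '-noout', '-enddate')
        or return undef;
    my $line = <$fh>;
    close($fh);
    # Report failures instead of silently treating them as "no certificate".
    return undef if $? != 0 || !defined $line;
    return parse_enddate($line);
}

find({
    no_chdir => 1,
    follow   => 1,   # replaces "find -L": follow symlinks, with loop detection
    wanted   => sub {
        return unless -f $_ && /\.(pem|crt)$/;
        my $exp = cert_expiry($_);
        if (!defined $exp) { warn "$_: could not read expiry\n"; return; }
        my $days = int(($exp - time) / 86400);
        print "$_: ", ($days < 0 ? "EXPIRED" : "expires in $days days"), "\n"
            if $days < $warn_days;
    },
}, $directory);
```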