
Bug 1467651

Summary: Review Request: cvechecker - Tool for compare packages installed in your system with CVE database
Product: [Fedora] Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Zamir SUN <sztsian>
Assignee: Zbigniew Jędrzejewski-Szmek <zbyszek>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: i, package-review, rebus, zbyszek
Flags: zbyszek: fedora-review+
Last Closed: 2017-08-14 21:50:37 UTC
Bug Blocks: 563471

Description Zamir SUN 2017-07-04 12:49:29 UTC
Spec URL: https://zsun.fedorapeople.org/pub/pkgs/cvechecker/cvechecker.spec
SRPM URL: https://zsun.fedorapeople.org/pub/pkgs/cvechecker/cvechecker-3.7-1.fc25.src.rpm
Description: Tool for compare packages installed in your system with CVE database
Fedora Account System Username: zsun

Comment 1 Zamir SUN 2017-07-04 12:51:30 UTC
*** Bug 1062808 has been marked as a duplicate of this bug. ***

Comment 2 Zbigniew Jędrzejewski-Szmek 2017-07-04 14:00:41 UTC
> %global debug_package %{nil}
Are you sure that's needed? If yes, it deserves a comment in the spec file.

> make
Is parallel build not supported? If it is, use %make_build, otherwise, add a comment.

> %{__install}
You can just say 'install' — that's both less typing *and* clearer.

> %defattr(-,root,root)
Not needed.

Checking: cvechecker-3.7-1.fc27.x86_64.rpm
          cvechecker-3.7-1.fc27.src.rpm
cvechecker.x86_64: W: unstripped-binary-or-object /usr/bin/cvechecker
Hm. That's the first time I've encountered this. Maybe this will go away if you create a debug package?

cvechecker.x86_64: W: only-non-binary-in-usr-lib
cvechecker.x86_64: W: hidden-file-or-dir /usr/lib/.build-id
cvechecker.x86_64: W: hidden-file-or-dir /usr/lib/.build-id
OK.

cvechecker.src:13: W: macro-in-comment %{url}
cvechecker.src:13: W: macro-in-comment %{_commit}
cvechecker.src:13: W: macro-in-comment %{_commit}
Please use %%.

cvechecker.src:14: W: mixed-use-of-spaces-and-tabs (spaces: line 6, tab: line 14)
Please fix.

2 packages and 0 specfiles checked; 0 errors, 8 warnings.

Looks all good.

(It seems that cvechecker likes to run as root. It'd be much better to create a dedicated user for it, since downloading stuff as root from the web is also a concern, but that's an upstream issue.)

Comment 3 Zamir SUN 2017-07-04 14:19:30 UTC
Thanks for the quick response.
SPEC updated in place: https://zsun.fedorapeople.org/pub/pkgs/cvechecker/cvechecker.spec
New SRPM: https://zsun.fedorapeople.org/pub/pkgs/cvechecker/cvechecker-3.7-2.fc25.src.rpm

Comment 4 Zamir SUN 2017-07-04 14:21:28 UTC
(In reply to Zbigniew Jędrzejewski-Szmek from comment #2)
> (It seems that cvechecker likes to run as root. It'd be much better to
> create a dedicated user for it, since downloading stuff as root from the web
> is also a concern, but that's an upstream issue.)
I am not familiar with packaging with a dedicated user, so currently I'm not adding it this way. I will work on this later once I have figured out how to do it.
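
Added example, not part of the original thread and not taken from the cvechecker spec under review: the usual way an RPM spec creates a dedicated system account with getent/useradd in the pre-install scriptlet and hands it only the data directory. The account name `cvechecker` and the data directory under `%{_sharedstatedir}` are assumptions.

```spec
# Added example: the account name and data directory below are assumptions,
# not values from the cvechecker spec discussed in this review.
%global cve_user  cvechecker
%global cve_home  %{_sharedstatedir}/cvechecker

# groupadd/useradd come from shadow-utils and must be installed before the
# pre-install scriptlet runs.
Requires(pre):  shadow-utils

%pre
# Create the group and the account only when they are missing, so upgrades
# and reinstalls stay idempotent. -r asks for a system UID/GID, and the
# nologin shell keeps the account from being used interactively.
getent group %{cve_user} >/dev/null || groupadd -r %{cve_user}
getent passwd %{cve_user} >/dev/null || \
    useradd -r -g %{cve_user} -d %{cve_home} -s /sbin/nologin \
        -c "cvechecker database user" %{cve_user}
# A failing pre-install scriptlet aborts the package install, so always
# finish with success.
exit 0

%install
# Ship the data directory in the package so RPM tracks its owner and mode.
install -d -m 0750 %{buildroot}%{cve_home}

%files
# Binaries and configuration keep the default root ownership, so the
# unprivileged account cannot modify what it executes. Only the directory
# that receives downloaded data is writable by the dedicated account.
%attr(0750,%{cve_user},%{cve_user}) %dir %{cve_home}
```

With this in place, the step that downloads CVE data can be started under the dedicated account instead of root; whether the tool itself works without root is the upstream question raised in comment 2.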

Comment 5 Zbigniew Jędrzejewski-Szmek 2017-07-04 15:13:33 UTC
+ package name is OK
+ license is acceptable for Fedora (GPLv3)
+ license is specified correctly
+ builds and installs OK
+ fedora-review finds no issues
+ %check is present and passes
+ no scriptlets necessary
+ rpmlint has only false positives

> Group:          Applications/System
Not needed [https://fedoraproject.org/wiki/Packaging:Guidelines#Tags_and_Sections].

> %attr(0644,root,root)
You probably don't need those either, unless the build system sets some strange permissions on those files.

Package is APPROVED.

Comment 6 Gwyn Ciesla 2017-07-05 11:00:39 UTC
Package request has been approved: https://admin.fedoraproject.org/pkgdb/package/rpms/cvechecker

Comment 7 Zamir SUN 2017-07-05 13:54:23 UTC
(In reply to Zbigniew Jędrzejewski-Szmek from comment #5)
> > Group:          Applications/System
> Not needed
> [https://fedoraproject.org/wiki/Packaging:Guidelines#Tags_and_Sections].
Thanks. Will remove this section in -3.

Comment 8 Fedora Update System 2017-08-06 02:40:37 UTC
cvechecker-3.8-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-146693c8dc

Comment 9 Fedora Update System 2017-08-06 02:40:46 UTC
cvechecker-3.8-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-146693c8dc

Comment 10 Fedora Update System 2017-08-07 06:26:03 UTC
cvechecker-3.8-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-6b44ef74c4

Comment 11 Fedora Update System 2017-08-14 21:50:37 UTC
cvechecker-3.8-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.