Bug 174546
| Field | Value |
|---|---|
| Summary | Review Request: trac |
| Product | [Fedora] Fedora |
| Component | Package Review |
| Status | CLOSED NEXTRELEASE |
| Severity | medium |
| Priority | medium |
| Version | rawhide |
| Hardware | All |
| OS | Linux |
| URL | http://www.edgewall.com/trac |
| Reporter | Joost Soeterbroek <joost.soeterbroek> |
| Assignee | Ville Skyttä <scop> |
| QA Contact | David Lawrence <dkl> |
| CC | dcantrell, fedora-package-review, joshuadfranklin |
| Flags | tcallawa: fedora-cvs+ |
| Doc Type | Bug Fix |
| Last Closed | 2006-01-16 21:05:48 UTC |
| Bug Depends On | 174529 |
| Bug Blocks | 163779 |
Description
Joost Soeterbroek
2005-11-29 21:37:08 UTC
0.9.1 is out, fixes a SQL injection vulnerability.
http://seclists.org/lists/bugtraq/2005/Dec/0014.html

(In reply to comment #1)
> 0.9.1 is out, fixes a SQL injection vulnerability.
> http://seclists.org/lists/bugtraq/2005/Dec/0014.html

Spec file and SRPM updated to 0.9.1:
Spec Name or Url: http://www.soeterbroek.com/linux/fedora/extras/trac/trac.spec
SRPM Name or Url: http://www.soeterbroek.com/linux/fedora/extras/trac/trac-0.9.1-1.src.rpm

Spec file and SRPM updated to 0.9.2:
- fixes SQL Injection Vulnerability in ticket search module.
- fixes broken ticket email notifications.
Spec Name or Url: http://www.soeterbroek.com/linux/fedora/extras/trac/trac.spec
SRPM Name or Url: http://www.soeterbroek.com/linux/fedora/extras/trac/trac-0.9.2-1.src.rpm

Spec file and SRPM updated (0.9.2-2):
- added /etc/init.d/tracd
- added /etc/sysconfig/tracd
Spec Name or Url: http://www.soeterbroek.com/linux/fedora/extras/trac/trac.spec
SRPM Name or Url: http://www.soeterbroek.com/linux/fedora/extras/trac/trac-0.9.2-2.src.rpm

Partial review:

I don't think it's acceptable to run tracd as root. Please create a dedicated restricted user account for it in case you wish to ship it configured ready to run.

tracd shouldn't be set to autostart by default. Replacing "2345" by "-" in the init script's chkconfig line fixes it.

tracd init script lacks reload, status, force-reload, and condrestart/try-restart actions. See for example /usr/share/fedora/template.init from fedora-rpmdevtools.

--daemonize shouldn't probably be in /etc/sysconfig/tracd but rather hardcoded in the tracd init file.

trac.cgi needs configuration, suggesting something like this in /etc/httpd/conf.d/trac.conf:

    # Replace /path/to/trac_env with your trac root below, and uncomment the
    # SetHandler, PythonHandler, PythonOption and SetEnv lines.
    <Location /cgi-bin/trac.cgi>
      # mod_python:
      <IfModule mod_python.c>
        #SetHandler mod_python
        #PythonHandler trac.web.modpython_frontend
        #PythonOption TracEnv /path/to/trac_env
      </IfModule>
      # normal CGI script:
      <IfModule !mod_python.c>
        #SetEnv TRAC_ENV /path/to/trac_env
      </IfModule>
    </Location>

Actually, I'd recommend removing the tracd init script and sysconfig snippet and maybe consider not distributing tracd at all. I think that it just causes packaging problems and one daemon that doesn't really add any value; the CGI script should be just fine.

Spec file and SRPM updated (0.9.3-1):
- 0.9.3 release
- removed tracd (see comment #6)
- added trac.conf for httpd
Spec Name or Url: http://www.soeterbroek.com/linux/fedora/extras/trac/trac.spec
SRPM Name or Url: http://www.soeterbroek.com/linux/fedora/extras/trac/trac-0.9.3-1.src.rpm

Created attachment 122963
Simplified httpd conf snippet
Hm, tracd has not been removed like the changelog says, but just the init
script etc. Was that intentional? No objections, just curious.
The "find trac -type f -name test.py | xargs chmod -x" at end of %install seems
to chmod uninstalled files. I guess %{python_sitelib}/trac/test.py doesn't
need to be installed at all...
/usr/share/trac/htdocs/js/wikitoolbar.js shouldn't need executable permissions.
There's quite a lot of commented out stuff in the specfile that would be better
off just being removed. The TODO block at the top is stale too.
Attached is a simplified httpd conf snippet for trac.*cgi. I don't know if
shipping both the *.cgi and the *.fcgi brings anything useful to the table
especially as mod_python can be used with the *.cgi; if not, maybe remove the
*.fcgi? If done, the httpd conf snippet could be simplified further, eg. by
removing <LocationMatch>, and moving <IfModule> and SetEnv inside <Location>.
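
The permission points in the comment above (the `chmod -x` that touched uninstalled files, and the executable bit on wikitoolbar.js) can be checked mechanically against the staged install tree rather than the unpacked source. The following is an added example, not part of the bug report or the package; the function names and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names and the sample
# tree are constructed; the two trac paths are the ones named in the review.

# Print (relative to ROOT) every regular file that has an execute bit set
# but is neither a "#!" script nor an ELF binary.
find_spurious_exec() {
    root=$1
    find "$root" -type f \( -perm -u+x -o -perm -g+x -o -perm -o+x \) |
    sort |
    while IFS= read -r f; do
        # First four bytes as lowercase hex, e.g. "23212f75" for "#!/u".
        magic=$(dd if="$f" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
        case $magic in
            2321*) ;;        # interpreter line: a real script
            7f454c46) ;;     # ELF executable or shared object
            *) printf '%s\n' "${f#"$root"/}" ;;
        esac
    done
}

# Build a small staged tree (constructed sample) and print its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/usr/share/trac/htdocs/js" "$t/usr/share/trac/htdocs/css" \
             "$t/usr/share/trac/cgi-bin"
    printf 'function addWikiFormattingToolbar() {}\n' \
        > "$t/usr/share/trac/htdocs/js/wikitoolbar.js"
    printf 'body { margin: 0 }\n' > "$t/usr/share/trac/htdocs/css/trac.css"
    printf '#!/usr/bin/python\n' > "$t/usr/share/trac/cgi-bin/trac.cgi"
    chmod 755 "$t/usr/share/trac/htdocs/js/wikitoolbar.js" \
              "$t/usr/share/trac/cgi-bin/trac.cgi"
    chmod 644 "$t/usr/share/trac/htdocs/css/trac.css"
    printf '%s\n' "$t"
}
```

Pointing `find_spurious_exec` at the buildroot at the end of `%install` reports the files that still carry a stray executable bit; an empty result means none remain.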
Created attachment 122964
Simplified httpd conf snippet if trac.fcgi is not shipped
Spec file and SRPM updated (0.9.3-1):
- all tracd removed
- removed trac/test.py
- removed commented out stuff
- change perms on htdocs/js/wikitoolbar.js
- added simplified trac.conf (from attachment id=122964)
Spec Name or Url: http://www.soeterbroek.com/linux/fedora/extras/trac/trac.spec
SRPM Name or Url: http://www.soeterbroek.com/linux/fedora/extras/trac/trac-0.9.3-1.src.rpm

It seems you took the simplified config that was meant to be applied if trac.fcgi is removed from the package, but it's still there. If you think the fcgi version adds some value, grab the config from comment 9 instead. (But I tend to think trac.fcgi could be just dropped.)

tracd man page is still installed.

Minor nit: you'll probably want to say %%{python_sitelib} with two '%'s in %changelog in order to prevent it from expanding.

Another nit: please bump the release tag every time you make changes to it, that makes it much easier for me to track changes between revisions during review.

(In reply to comment #11)
> It seems you took the simplified config that was meant to be applied if
> trac.fcgi is removed from the package, but it's still there. If you think the
> fcgi version adds some value, grab the config from comment 9 instead.

Aargh, not comment 9, but comment 8.

Spec file and SRPM updated (0.9.3-2):
- removed trac.fcgi (comment #11)
- removed tracd man page
- added extra % to pythonlib in changelog
Spec Name or Url: http://www.soeterbroek.com/linux/fedora/extras/trac/trac.spec
SRPM Name or Url: http://www.soeterbroek.com/linux/fedora/extras/trac/trac-0.9.3-2.src.rpm

Created attachment 123008
Really remove trac.fcgi, cleanups
trac.fcgi was not removed, but just moved to /usr/share/trac/cgi-bin/trac.fcgi
The attached patch fixes it and does some minor specfile cleanups. Approved
after applying it.
- Applied patch (id=123008)
- rpmlint clean
- imported
- built successfully in plague (devel)

I for one was bitten by the removal of the fastcgi program. I fail to understand the motivation for its removal. Not everybody uses mod_python, there are a *lot* of folks running it as fastcgi under lighttpd. It's not that fedora ships - for example - only apache modules that are used in the default configuration. Does it really hurt that much to ship cgi-bin/trac.fcgi?

btw. I also found it very handy to have tracd just for the occasional debugging. Also it is used in the documentation/howto. Leave out the configfile if you must, but please can we have the fcgi program back?

Spec file and SRPM updated (0.9.3-3):
- re-added trac.fcgi and tracd (comment #16)
- re-added tracd man page
Spec Name or Url: http://www.soeterbroek.com/linux/fedora/extras/trac/trac.spec
SRPM Name or Url: http://www.soeterbroek.com/linux/fedora/extras/trac/trac-0.9.3-3.src.rpm

Please check if this works for you (bkw). If yes, I will push for new build.

(In reply to comment #17)
> Please check if this works for you (bkw). If yes, I will push for
> new build.

Works like a charm. Thanks a bunch, that was *quick*!

Again, if you include trac.fcgi, also take care of it in trac.conf (see comments 8 and 11). Please include something like this (note also the "better" commented out default paths) as trac.conf in that case:

    # Replace all occurrences of /srv/trac with your trac root below
    # and uncomment the respective SetEnv and PythonOption directives.
    <LocationMatch /cgi-bin/trac\.f?cgi>
      #SetEnv TRAC_ENV /srv/trac
    </LocationMatch>
    <IfModule mod_python.c>
      <Location /cgi-bin/trac.cgi>
        SetHandler mod_python
        PythonHandler trac.web.modpython_frontend
        #PythonOption TracEnv /srv/trac
      </Location>
    </IfModule>

Spec file and SRPM updated (0.9.3-4):
- updated trac.conf to allow for trac.*cgi
Spec Name or Url: http://www.soeterbroek.com/linux/fedora/extras/trac/trac.spec
SRPM Name or Url: http://www.soeterbroek.com/linux/fedora/extras/trac/trac-0.9.3-4.src.rpm

Looks good to me.

I was surprised that tracd was removed from the package. It is definitely confusing for end users who get pointed to it, and tracd is definitely easier to configure than through apache (I've set up a lot of tracs at work, and I still get thrown by the various complexities added through apache). Could the removal of tracd be reconsidered ?

Also, I added this line locally to trac.conf:

    Alias /trac/ "/usr/share/trac/htdocs/"

Without it, my trac is missing all of the UI (images, CSS, ...). I personally have htdocs_location = /trac/ in all my trac.ini files. How did you have it configured to work out of the box ?

(In reply to comment #22)
> Could the removal of tracd be reconsidered ?

yes, tracd has been re-added in 0.9.3-4 by user demand.

(In reply to comment #23)
> How did you have it configured to work out of the box ?

Obviously it's not really doable completely out of the box especially with pre-existing trac envs because of varying paths to them, but for example like this (yes, ugly, but to demonstrate) works with very minimal configuration:

    svnadmin create /tmp/svn
    trac-admin /tmp/trac initenv # accept all defaults except set svn dir
    tracd --port 8000 /tmp/trac

...and with httpd, just follow the instructions in /etc/httpd/conf.d/trac.conf and ensure that apache has enough permissions to the trac env. No problems with images, css etc with either tracd or httpd. trac.ini not touched at all, it's the one that trac-admin creates out of the box. htdocs_location is not in that file at all.

(In reply to comment #25) Also, see http://projects.edgewall.com/trac/wiki/TracOnFedoraCore

> (In reply to comment #23)
> > How did you have it configured to work out of the box ?
>
> Obviously it's not really doable completely out of the box especially with
> pre-existing trac envs because of varying paths to them, but for example like
> this (yes, ugly, but to demonstrate) works with very minimal configuration:
>
> svnadmin create /tmp/svn
> trac-admin /tmp/trac initenv # accept all defaults except set svn dir
> tracd --port 8000 /tmp/trac
>
> ...and with httpd, just follow the instructions in /etc/httpd/conf.d/trac.conf
> and ensure that apache has enough permissions to the trac env. No problems with
> images, css etc with either tracd or httpd. trac.ini not touched at all, it's
> the one that trac-admin creates out of the box. htdocs_location is not in that
> file at all.

Could you add a directory to store the project in the RPM during the next bump? The trac wiki you reference suggests /var/trac and that it probably needs to be owned by apache. Not everyone wants to store their project in /tmp. :)

FWIW, the default httpd.conf snippet in the package suggests /srv/trac and the tools default to /srv/svn for the subversion location, maybe the Wiki should be just changed to reflect those locations instead.

re: comment #27: I am unsure what you mean by your comment. Please elaborate.

re: comment #28: Changed all occurrences of /svn to /srv in Trac on Fedora wiki: http://projects.edgewall.com/trac/wiki/TracOnFedoraCore page.

Well, the wiki may be the place to make this change, but its example currently has:

    sudo trac-admin /srv/trac/foobar initenv

This will fail unless /srv/trac already exists, so it could be included in the rpm. Alternatively the wiki could be updated to do just

    sudo trac-admin /srv/trac initenv

though first-time users might be confused that they are creating a trac environment actually named "trac".

Package Change Request
======================
Package Name: trac
New Branches: EL-4 EL-5
Current owner approved me to own package for EPEL
From: "Jeffrey C. Ollie" <jeff>
To: Jesse Keating <jkeating>
Date: Today 16:29:32
Message was signed with unknown key 0xAED93BC72C884111.
The validity of the signature cannot be verified.
Status: No public key to verify the signature
On Fri, 2007-06-01 at 15:17 -0400, Jesse Keating wrote:
> I'd like clearsilver in EPEL, so that I can use Trac in EPEL. Would you be
> opposed to me branching these and building them for EPEL?
Nope... go right ahead.
Jeff
cvs done.