Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at

Bug 196146

Summary: Review Request: mod_nss
Product: [Fedora] Fedora Reporter: Rob Crittenden <rcritten>
Component: Package ReviewAssignee: Jason Tibbitts <j>
Status: CLOSED NEXTRELEASE QA Contact: Fedora Package Reviews List <fedora-package-review>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhide   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-07-20 14:09:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 163779, 200958    

Description Rob Crittenden 2006-06-21 15:24:49 UTC
Spec URL:
Description: SSL/TLS module for the Apache HTTP server

The mod_nss module provides strong cryptography for the Apache Web
server via the Secure Sockets Layer (SSL) and Transport Layer
Security (TLS) protocols using the Network Security Services (NSS)
security library.

This is my first package. I need a sponsor.

Comment 1 Jarod Wilson 2006-07-13 14:10:38 UTC
I don't have sponsor status, but can do the review and then kick someone who
does have sponsor status when the package is approved.

Comment 2 Jarod Wilson 2006-07-13 23:15:08 UTC
Based on my initial tour through the spec and rpmlint'ing:

1) Source: should be a URL if possible:{name}-%{version}.tar.gz

2) BuildRequires: for make and perl should both be removed, per

3) Please explain why "AutoReq: 0" is necessary

4) Quotes around $RPM_OPT_FLAGS are recommended

5) Use %configure instead of ./configure

6) Should be smp_mflags instead of smp_flags

7) I believe DESTDIR is only relevant for make install (rpmlint complains).

8) Use macros for things like /etc (%{_sysconfdir}), /usr/sbin (%{_sbindir}), etc.

9) Watch out for lib/lib64 issues, you have a hard-coded /usr/lib in there,
*must* be %{_libdir} so that its properly set to /usr/lib64 on 64-bit platforms.

10) don't use install -s, let rpm do the stripping so we get a valid debuginfo

11) don't create directories in %post, create them in the package, or they
aren't owned by the package, which violates FE packaging policy

12) the %ifarch stuff around copying should be removed, this is
another case where %{_libdir} is your friend. However, copying a file into place
in %post is also a no-no. Just duplicate it within the package if you absolutely
must, otherwise the file isn't owned by the package.

13) Oy. Just realized the file being copied in %post is from another package.
That's also a no-no. I think a relative symlink (while still ugly) is okay
though, and at least it would be owned by the package.

14) secmod.db (and cert8.db, key3.db) can be created in the build and marked
%config(noreplace) instead of creating unowned files in %post. Note that this
does add a BuildRequires: on nss-tools though. Of course, it also means the
buildhost name winds up in the file instead of the target host. This one may
need some more thought... I suppose doing it the way you have it may be best,
given that mod_ssl does essentially the same. Ah! Just had an idea... I think
creating dummy files in the buildroot and including them in the package itself
and then creating actual files in %post may be the sanest thing.

15) Need to add to %files some to account for the above (and switch to using macros)

Okay, all of the above are addressed (I believe) by the following spec diff,
including the tweak to let mod_nss own the .db files:

--- mod_nss-orig.spec   2006-07-13 17:38:26.000000000 -0400
+++ mod_nss.spec        2006-07-13 19:12:45.000000000 -0400
@@ -1,13 +1,12 @@
 Name: mod_nss
 Version: 1.0.3
-Release: 1
+Release: 1%{?dist}
 Summary: SSL/TLS module for the Apache HTTP server
 Group: System Environment/Daemons
 License: Apache Software License
-Source: %{name}-%{version}.tar.gz
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-BuildRequires: make, perl
 BuildRequires: nspr-devel >= 4.6, nss-devel >= 3.11
 BuildRequires: httpd-devel >= 0:2.0.52, apr-devel, apr-util-devel
 Requires: httpd >= 0:2.0.52
@@ -36,7 +35,7 @@
 # regenerate configure scripts
 autoconf || exit 1

 export CFLAGS

 NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nspr`
@@ -47,24 +46,35 @@

 NSS_BIN=`/usr/bin/pkg-config --variable=exec_prefix nss`

-./configure --with-nss-lib=$NSS_LIB_DIR --with-nss-inc=$NSS_INCLUDE_DIR
--with-nspr-lib=$NSPR_LIB_DIR --with-nspr-inc=$NSPR_INCLUDE_DIR
--with-apr-config --enable-ecc
+%configure \
+    --with-nss-lib=$NSS_LIB_DIR \
+    --with-nss-inc=$NSS_INCLUDE_DIR \
+    --with-nspr-lib=$NSPR_LIB_DIR \
+    --with-nspr-inc=$NSPR_INCLUDE_DIR \
+    --with-apr-config --enable-ecc
+#./configure --with-nss-lib=$NSS_LIB_DIR --with-nss-inc=$NSS_INCLUDE_DIR
--with-nspr-lib=$NSPR_LIB_DIR --with-nspr-inc=$NSPR_INCLUDE_DIR
--with-apr-config --enable-ecc

 make %{?_smp_flags} DESTDIR=$RPM_BUILD_ROOT all


-mkdir -p $RPM_BUILD_ROOT/etc/httpd/conf
-mkdir -p $RPM_BUILD_ROOT/etc/httpd/conf.d
-mkdir -p $RPM_BUILD_ROOT/usr/lib/httpd/modules
-mkdir -p $RPM_BUILD_ROOT/usr/sbin
-install -m 644 nss.conf $RPM_BUILD_ROOT/etc/httpd/conf.d
-install -s -m 755 .libs/ $RPM_BUILD_ROOT/usr/lib/httpd/modules
-install -s -m 755 nss_pcache $RPM_BUILD_ROOT/usr/sbin
-install -m 755 gencert $RPM_BUILD_ROOT/usr/sbin
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d
+mkdir -p $RPM_BUILD_ROOT%{_libdir}/httpd/modules
+mkdir -p $RPM_BUILD_ROOT%{_sbindir}
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias
+install -m 644 nss.conf $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/
+install -m 755 .libs/ $RPM_BUILD_ROOT%{_libdir}/httpd/modules/
+install -m 755 nss_pcache $RPM_BUILD_ROOT%{_sbindir}/
+install -m 755 gencert $RPM_BUILD_ROOT%{_sbindir}/
+ln -s ../../..%{_libdir}/ $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/
+echo "temporary file" > $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/secmod.db
+echo "temporary file" > $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/cert8.db
+echo "temporary file" > $RPM_BUILD_ROOT%{_sysconfdir}/httpd/alias/key3.db

-perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" $RPM_BUILD_ROOT/usr/sbin/gencert
+perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" $RPM_BUILD_ROOT%{_sbindir}/gencert

@@ -72,36 +82,35 @@
 umask 077

-if [ $1 -eq 1 ]; then
-    if [ ! -d /etc/httpd/alias ] ; then
-        mkdir /etc/httpd/alias
-    fi
-    if [ ! -f /etc/httpd/alias/secmod.db ] ; then
-        /usr/sbin/gencert /etc/httpd/alias > /etc/httpd/alias/install.log 2>&1
-        echo ""
-        echo "Certificate database generated."
-        echo ""
-    fi
+if [ "$1" -eq 1 ] ; then
+    for file in %{_sysconfdir}/httpd/alias/{secmod,cert8,key3}.db
+    do
+        # Just to be safe...
+        if [ `grep -c "temporary file" $file` -eq 1 ]; then
+            rm -f $file
+        else
+            mv $file $file.rpmsave
+            echo "%{_sysconfdir}/httpd/alias/$file saved as
+        fi
+    done
+    %{_sbindir}/gencert %{_sysconfdir}/httpd/alias >
%{_sysconfdir}/httpd/alias/install.log 2>&1
+    echo ""
+    echo "%{name} certificate database generated."
+    echo ""

-# copy the root certificate library to our database location
-%ifarch x86_64
-cp -p /usr/lib64/ /etc/httpd/alias
-cp -p /usr/lib/ /etc/httpd/alias
 %doc README LICENSE docs/mod_nss.html
-%config(noreplace) /etc/httpd/conf.d/nss.conf
+%config(noreplace) %{_sysconfdir}/httpd/conf.d/nss.conf
+%config(noreplace) %{_sysconfdir}/httpd/alias/secmod.db
+%config(noreplace) %{_sysconfdir}/httpd/alias/cert8.db
+%config(noreplace) %{_sysconfdir}/httpd/alias/key3.db
+%dir %{_sysconfdir}/httpd/alias/

 * Tue Jun 20 2006 Rob Crittenden <rcritten> 1.0.3-1

This leaves only two warnings from rpmlint:
W: mod_nss dangling-relative-symlink /etc/httpd/alias/
W: mod_nss dangerous-command-in-%post rm

I think we'll probably have to live with those though.

However, I just now noticed that the Makefile actually contains an install
target. Why isn't it being used here?

Time to go home, more tomorrow, or after you finish digesting all this... :)

Comment 3 Rob Crittenden 2006-07-14 15:03:52 UTC
Thanks for the thorough review!

The spec and SRPM files are updated.

Here are specific responses:

1. Done, added source url
2. Removed extraneous BuildRequires (left over from the httpd spec file I
initially used as a template)
3. AutoReq isn't needed, removed
4. Added quotes around $RPM_OPT_FLAGS
5. Using %configure over ./configure
6. Switched to smp_mflags
7. $DESTDIR removed fro make
8. Using appropriate macros
9. Yes, I was worried about the lib64 thing, macros make things much easier
10. Ok, removed -s from install.
11. Yes, better to have RPM own the alias dir
12. using macros instead to resolve issue
13. Using symlink as recommended 
14. Keeping cert8.db, key3.db and secmod.db is desired when the RPM is removed.
These files contain any certificates that were issued and any private key
material. One should have to be very conscious when removing these files as
certificates can be an expensive proposition.
15. Added %dir for alias directory

The only warning I see now is the dangling symlink.

Because this depends on the NSS package this file will always exist, so I think
it's relatively safe.

While it's true that mod_nss has an install target it is cleaner to do it by
hand. We are only installing a couple of files anyway. If it really causes
heartburn I can see about switching to that but most Apache modules are
installed by hand this way.

Comment 4 Jarod Wilson 2006-07-14 18:01:35 UTC
Additional review, based on new spec and details in comment #13:

1) The switch to %configure actually eliminates the need to pass --libdir,
--sbindir and --sysconfdir (which based on ./configure --help, should actually
be /etc, not /etc/httpd/conf.d). The %configure macro sets those automatically.
So those three lines after %configure should be removed.

2) Going back to item 14 in comment #12 and #13... The 'create dummy files then
replace in %post' trick I threw together actually does leave the files around
when the RPM is removed, %config(noreplace) makes that happen. They're renamed
w/an appended .rpmsave if the package is removed.

# rpm -e mod_nss
warning: /etc/httpd/alias/secmod.db saved as /etc/httpd/alias/secmod.db.rpmsave
warning: /etc/httpd/alias/key3.db saved as /etc/httpd/alias/key3.db.rpmsave
warning: /etc/httpd/alias/cert8.db saved as /etc/httpd/alias/cert8.db.rpmsave

So this route leaves us not deleting the files, addressing your (very valid)
concern and also makes them owned by the package. Win-win, no? :)

3) For consistency, you shouldn't have spaces between lines within a single
%files section, I'd cut the extra lines after %defattr and %doc.

4) I poked around at the Makefile a bit to see if using make install was
feasible. The main issue appears to be that 'make install' uses apxs to put the
module in place, but apxs tries to be too smart for its own good, and install
and activate the module in the buildhost's httpd, rather than in the buildroot.
Would require a bit of Makefile hacking to get a viable 'make install', so
putting the bits in place by hand is understandable and acceptable.

Comment 5 Rob Crittenden 2006-07-14 19:53:08 UTC
The spec and SRPM files are updated.

1. Bah, my mistake. I was experimenting with using the make install target and
accidentally left that in. Removed.

2. Ok, you've convinved me. I made a few minor changes though. When determining
if we need to generate a database we only need to check one of the files. They
do not stand alone but work together in concert, so if one is temporary it is
safe to assume they all are. I switched to checking key3.db since that is the
most important file.

I also modified the deletion install test. I'm using if [ "$1" -eq 0 ] which
from the RPM docs means "Remove last version of package". I tested it and it
seems to work ok for me.

3. Removed the extra lines. Must be a style thing.

4. Great news.

Comment 6 Jarod Wilson 2006-07-14 20:21:58 UTC
(In reply to comment #5)
> 2. Ok, you've convinved me. I made a few minor changes though. When determining
> if we need to generate a database we only need to check one of the files. They
> do not stand alone but work together in concert, so if one is temporary it is
> safe to assume they all are. I switched to checking key3.db since that is the
> most important file.
> I also modified the deletion install test. I'm using if [ "$1" -eq 0 ] which
> from the RPM docs means "Remove last version of package". I tested it and it
> seems to work ok for me.

Heh, actually, no it doesn't. :)

$1 being 0 isn't possible in the %post context, only %postun and %preun, see
"Running scriptlets only in certain situations" at RPM itself does the work
that you're seeing, renaming them with .rpmsave. I added that extra little bit
for the edge case where the user has no mod_nss rpm installed, but does have the
.db files there, then installs the rpm, so they wouldn't be overwritten by
%post. It probably makes more sense to do nothing at all in %post on install if
we find .db files that don't have that temp string in them -- then we just end
up with .rpmnew files and the existing .db files. Now that I ponder it, I think
this makes the most sense for that section:

umask 077
if [ "$1" -eq 1 ] ; then
    if [ `grep -c "temporary file" %{_sysconfdir}/httpd/alias/key3.db` -eq 1 ]; then
        rm -f %{_sysconfdir}/httpd/alias/{secmod,cert8,key3}.db
        %{_sbindir}/gencert %{_sysconfdir}/httpd/alias >
%{_sysconfdir}/httpd/alias/install.log 2>&1
        echo ""
        echo "%{name} certificate database generated."
        echo ""

Results on install with this tweak:

rpm -ivh /build/RPMS/x86_64/mod_nss-1.0.3-1.fc5.x86_64.rpm
Preparing...                ########################################### [100%]
   1:mod_nss                warning: /etc/httpd/alias/cert8.db created as
warning: /etc/httpd/alias/key3.db created as /etc/httpd/alias/key3.db.rpmnew
warning: /etc/httpd/alias/secmod.db created as /etc/httpd/alias/secmod.db.rpmnew
########################################### [100%]

Comment 7 Rob Crittenden 2006-07-14 20:53:01 UTC
Files updated.

Ok, this method works for me. I think that the only time the rpmnew files would
be if someone went in and created a database BEFORE installing mod_nss for the
first time. I consider this fairly unlikely. And even so, there will be no data

Comment 8 Jarod Wilson 2006-07-17 15:08:10 UTC
Just moved on to trying to build in a mock chroot and got an error about
autoconf not being found, so the addition of "BuildRequires: autoconf" looks to
be necessary. Could have sworn that would always be present, but its not in the
Exceptions list... Trivial addition though.

One thing I forgot to mention that might be worth adding is a little
documentation just after %install, explaining why 'make install' isn't used.

I'll post the full details of a full review checklist once completed. Gimme one
more rev, and I think we're golden. :) 

Comment 9 Rob Crittenden 2006-07-17 15:27:38 UTC
Files updated.

Added BuildRequires: autoconf
Added some notes about 'make install' and purpose of 'temporary file' text in
key3.db, cert8.db and secmod.db

Comment 10 Jarod Wilson 2006-07-17 16:43:33 UTC
* package meets naming and packaging guidelines
* specfile is properly named, is cleanly written and uses macros consistently
* dist tag is present
* build root is correct
      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
* license field matches the actual license: Apache
* license is open source-compatible, license text included in package
* source files match upstream:
      feb2d314983a72318cc08e0650501fac  mod_nss-1.0.3.tar.gz
* latest version is being packaged

* BuildRequires are proper:
  nspr-devel >= 4.6, nss-devel >= 3.11
  httpd-devel >= 0:2.0.52, apr-devel, apr-util-devel

Technically, the apr-devel BR could be left off, since apr-util-devel Requires:
apr-devel. Similarly, nspr-devel could be left off, as nss-devel Requires:
nspr-devel >= 4.6 already. Ah, one could get even cleaner: httpd-devel Requires:
apr-devel and apr-util-devel. So you could reduce BuildRequires: down to just:

  nss-devel >= 3.11, httpd-devel >= 0:2.0.52, autoconf

Up to you whether you want to do that or not though.

* package builds in mock (FC6/x86_64).

* rpmlint is (mostly) silent
W: mod_nss dangling-relative-symlink /etc/httpd/alias/
-Not pretty, but better than copying the file over from another package, would
be optimal to configure mod_nss to simply look for the .so in /usr/lib(64)

W: mod_nss dangerous-command-in-%post rm
-We're safeguarding that rather tightly, necessary for proper cert creation, no
worries here

* final provides and requires are sane:
  config(mod_nss) = 1.0.3-1.fc6
  mod_nss = 1.0.3-1.fc6
  config(mod_nss) = 1.0.3-1.fc6
  httpd >= 0:2.0.52
  nspr >= 4.6
  nss >= 3.11
  nss-tools >= 3.11

* no shared libraries are present
* package is not relocatable
* owns the directories it creates
* doesn't own any directories it shouldn't
* no duplicates in %files
* file permissions are appropriate
* %clean is present
* %check is present and all tests pass: n/a
* scriptlets are sane
* code, not content
* documentation is small, so no -docs subpackage is necessary
* %docs are not necessary for the proper functioning of the package
* no headers
* no pkgconfig files
* no libtool .la files lingering about
* not a GUI app
* not a web app

Package APPROVED, I'll ping someone about sponsorship...

Comment 11 Jason Tibbitts 2006-07-17 17:35:07 UTC
Rob, I'll sponsor you.  Go ahead and apply for your cvsextras membership while I
double-check the above review.

Comment 12 Jason Tibbitts 2006-07-17 18:53:27 UTC
Just a couple of questions before I can ACK this:

Rawhide is busted at the moment, but building on FC5 fails due to a missing
BuildRequires: pkgconfig.  This is probably a missing dependency in one of the
-devel packages you require.  For instance, nspr-devel has a .pc file but does
not require pkgconfig, a clear bug.  Anyway, to build on FC5 at least you'll
need to add that BR.

Why do you need to call autoconf?  Generally this is avoided if possible.  For
grins I removed it from the spec and things still built OK, although there's
always the possibility that something broke.

Comment 13 Rob Crittenden 2006-07-17 19:34:36 UTC
Files updated.

Added pkgconfig
Removed autoconf

Autoconf was a leftover from the httpd spec file I used as a template. It seemed
a bit paranoid but wasn't problematic. Should be fine, and build faster, without
it. It's gone.

I'll notify the nspr and nss maintainer(s) regarding pkgconfig.

Comment 14 Jason Tibbitts 2006-07-18 00:35:10 UTC
How odd; I thought I had committed another comment to this ticket.  Oh, well.

The changes you made look good to me.

I went approve your cvsextras membership but saw that Warren had already done
it, which is odd since he hasn't made any comments on this ticket.  I don't
think it would be productive waiting for him to ACK this since that isn't likely
to happen, so I say we're ready to go.

By the way, in the future, please do bump the version on your package when you
make changes.  Otherwise it can be difficult for the reviewers to know if they
have the most current version, and browser caching can make things even more


Comment 15 Rob Crittenden 2006-07-20 14:09:42 UTC