Bug 1467651 - Review Request: cvechecker - Tool for compare packages installed in your system with CVE database
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Zbigniew Jędrzejewski-Szmek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: FE-SECLAB
Reported: 2017-07-04 12:49 UTC by Zamir SUN
Modified: 2017-08-14 21:50 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-14 21:50:37 UTC
Type: ---
Embargoed:
zbyszek: fedora-review+



Description Zamir SUN 2017-07-04 12:49:29 UTC
Spec URL: https://zsun.fedorapeople.org/pub/pkgs/cvechecker/cvechecker.spec
SRPM URL: https://zsun.fedorapeople.org/pub/pkgs/cvechecker/cvechecker-3.7-1.fc25.src.rpm
Description: Tool for compare packages installed in your system with CVE database
Fedora Account System Username: zsun

Comment 1 Zamir SUN 2017-07-04 12:51:30 UTC
*** Bug 1062808 has been marked as a duplicate of this bug. ***

Comment 2 Zbigniew Jędrzejewski-Szmek 2017-07-04 14:00:41 UTC
> %global debug_package %{nil}
Are you sure that's needed? If yes, it deserves a comment in the spec file.

> make
Is parallel build not supported? If it is, use %make_build, otherwise, add a comment.

> %{__install}
You can just say 'install' — that's both less typing *and* clearer.

> %defattr(-,root,root)
Not needed.

Checking: cvechecker-3.7-1.fc27.x86_64.rpm
          cvechecker-3.7-1.fc27.src.rpm
cvechecker.x86_64: W: unstripped-binary-or-object /usr/bin/cvechecker
Hm. That's the first time I encounter this. Maybe this will go away if you create a debug package?

cvechecker.x86_64: W: only-non-binary-in-usr-lib
cvechecker.x86_64: W: hidden-file-or-dir /usr/lib/.build-id
cvechecker.x86_64: W: hidden-file-or-dir /usr/lib/.build-id
OK.

cvechecker.src:13: W: macro-in-comment %{url}
cvechecker.src:13: W: macro-in-comment %{_commit}
cvechecker.src:13: W: macro-in-comment %{_commit}
Please use %%.

cvechecker.src:14: W: mixed-use-of-spaces-and-tabs (spaces: line 6, tab: line 14)
Please fix.

2 packages and 0 specfiles checked; 0 errors, 8 warnings.

Looks all good.

(It seems that cvechecker likes to run as root. It'd be much better to create a dedicated user for it, since downloading stuff as root from the web is also a concern, but that's an upstream issue.)

Comment 3 Zamir SUN 2017-07-04 14:19:30 UTC
Thanks for the quick response.
SPEC updated in place: https://zsun.fedorapeople.org/pub/pkgs/cvechecker/cvechecker.spec
New SRPM: https://zsun.fedorapeople.org/pub/pkgs/cvechecker/cvechecker-3.7-2.fc25.src.rpm

Comment 4 Zamir SUN 2017-07-04 14:21:28 UTC
(In reply to Zbigniew Jędrzejewski-Szmek from comment #2)
> (It seems that cvechecker likes to run as root. It'd be much better to
> create a dedicated user for it, since downloading stuff as root from the web
> is also a concern, but that's an upstream issue.)
I am not familiar with packaging with a dedicated user, so currently I'm not adding it this way. Will work on this later once I have figured out how to do it.
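
The dedicated-user approach raised in comment #2, as an added example that is not part of either comment or of the cvechecker spec under review: a spec fragment that creates an unprivileged system account in %pre and gives it ownership of a state directory. The account name, the home and state directory location and the file list are assumptions, and whether cvechecker can run entirely as this account is the upstream question the reviewer mentions.

```spec
# Added example: the account name and directory below are assumptions,
# not taken from the cvechecker spec under review.
Requires(pre):  shadow-utils

%pre
# Create the group and user only if they do not exist yet, so upgrades and
# reinstalls are idempotent. -r requests a system account (UID/GID from the
# system range); /sbin/nologin prevents interactive logins.
getent group cvechecker >/dev/null || groupadd -r cvechecker
getent passwd cvechecker >/dev/null || \
    useradd -r -g cvechecker -d %{_sharedstatedir}/cvechecker \
            -s /sbin/nologin -c "cvechecker service account" cvechecker
# Do not fail the RPM transaction from %%pre.
exit 0

%files
%{_bindir}/cvechecker
# State directory owned by the unprivileged account (assumed location),
# not readable or writable by other users.
%dir %attr(0750,cvechecker,cvechecker) %{_sharedstatedir}/cvechecker
```

The account is deliberately not removed on uninstall, so files it owns are never left with a UID that a later package could reuse.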

Comment 5 Zbigniew Jędrzejewski-Szmek 2017-07-04 15:13:33 UTC
+ package name is OK
+ license is acceptable for Fedora (GPLv3)
+ license is specified correctly
+ builds and installs OK
+ fedora-review finds no issues
+ %check is present and passes
+ no scriptlets necessary
+ rpmlint has only false positives

> Group:          Applications/System
Not needed [https://fedoraproject.org/wiki/Packaging:Guidelines#Tags_and_Sections].

> %attr(0644,root,root)
You probably don't need those either, unless the build system sets some strange permissions on those files.

Package is APPROVED.

Comment 6 Gwyn Ciesla 2017-07-05 11:00:39 UTC
Package request has been approved: https://admin.fedoraproject.org/pkgdb/package/rpms/cvechecker

Comment 7 Zamir SUN 2017-07-05 13:54:23 UTC
(In reply to Zbigniew Jędrzejewski-Szmek from comment #5)
> > Group:          Applications/System
> Not needed
> [https://fedoraproject.org/wiki/Packaging:Guidelines#Tags_and_Sections].
Thanks. Will remove this section in -3.

Comment 8 Fedora Update System 2017-08-06 02:40:37 UTC
cvechecker-3.8-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-146693c8dc

Comment 9 Fedora Update System 2017-08-06 02:40:46 UTC
cvechecker-3.8-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-146693c8dc

Comment 10 Fedora Update System 2017-08-07 06:26:03 UTC
cvechecker-3.8-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-6b44ef74c4

Comment 11 Fedora Update System 2017-08-14 21:50:37 UTC
cvechecker-3.8-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
