Bug 193478 - Review Request: wordpress - database driven blogging software
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jarod Wilson
QA Contact: Fedora Package Reviews List
URL:
Whiteboard:
Depends On:
Blocks: FE-ACCEPT
 
Reported: 2006-05-29 13:53 UTC by John Berninger
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-06-21 02:18:12 UTC
Type: ---
Embargoed:



Description John Berninger 2006-05-29 13:53:05 UTC
Description: Wordpress is an online publishing / weblog package that makes it very easy, almost trivial, to get information out to people on the web.

Spec: http://www.berningeronline.net/wordpress.spec
SRPM: http://www.berningeronline.net/wordpress-2.0.2-0.src.rpm

Comment 1 Ville Skyttä 2006-05-30 21:49:42 UTC
Direct static code injection vulnerability in WordPress 2.0.2 and earlier:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-2667

Comment 2 John Berninger 2006-05-31 00:35:31 UTC
Well, there doesn't appear to be a patch available, so this review will have to
wait until there is one.  I'm watching the svn and testers lists upstream.

Comment 3 John Berninger 2006-05-31 13:26:45 UTC
I'll have to correct myself - it appears this was patched on 5-26 in SVN.  I've
added that patch, rebuilt, and tested the given exploit, and the exploit now fails.

Spec: http://www.berningeronline.net/wordpress.spec
SRPM: http://www.berningeronline.net/wordpress-2.0.2-1.src.rpm

Comment 4 Ville Skyttä 2006-05-31 20:53:51 UTC
Happened to notice another one today, IP spoofing issue:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-2702

(Note: just parroting my findings here, I have no experience with wordpress nor
am I planning to review it, and I've only _very_ quickly peeked into the SRPM,
so sorry in advance if this turns out to be noise.)

Comment 5 Jarod Wilson 2006-06-19 19:50:23 UTC
I'll go ahead and take on this review, since I'm familiar with the software.

My findings thus far:

1) There's a new version (2.0.3) out now (obsoletes the patch), need to update

2) Web apps should be installed in /usr/share/<name>, not /var/www, per fedora
extras guidelines

3) rpmlint complains about a bunch of empty files, they should be removed

4) config files should be broken out into /etc/ somewhere

5) %doc lines aren't quite correct, you should be removing them from the
installed packages and then sucking them in w/the %doc line, referring to them
by their relative path within the source

6) the Source0: url doesn't appear to actually work, upstream only post a
'latest.tar.gz' (rather annoying of them...)

I'm rather partial to proposing fixes for issues I come up with in review in the
form of an updated spec file, so you can see exactly what I'm suggesting:

http://wilsonet.com/packages/wordpress/


Comment 6 John Berninger 2006-06-19 20:58:03 UTC
Packages updated to 2.0.3, other suggestions integrated.  New packages:

Spec: http://www.berningeronline.net/wordpress.spec
SRPM: http://www.berningeronline.net/wordpress-2.0.3-1.src.rpm

Comment 7 Jarod Wilson 2006-06-20 02:25:15 UTC
One thing I forgot to mention: the way you specify all the files is a matter of
preference, but if you're going to list them all out rather than simply having a
single line '%{_datadir}/wordpress/', you must also have a line
'%dir %{_datadir}/wordpress/' so that the created directories are also owned by
the package.

Also note that the symlink %{_datadir}/wordpress/wp-config.php shouldn't be
marked as a config file, and symlinks generally should be relative, rather than
absolute (otherwise they're hanging within the buildroot).

Ah, the wordpress-httpd-conf file needs /var/www/wordpress replaced with
/usr/share/wordpress.

Personally, I'd also just do away with the '%define installdir %{_datadir}' and
simply replace all cases of %{installdir} with %{_datadir}, because it just adds
unnecessary and non-standard cruft.

Additional review details:

* package meets naming and packaging guidelines: okay
* specfile is properly named, is cleanly written and uses macros consistently: my only beef on that is 
the now unnecessary use of %{installdir}
* dist tag is present: okay
* build root is correct.
      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n): okay
* license field matches the actual license: GPL, okay
* license is open source-compatible, license text included in package: okay
* source files match upstream: okay
      $ md5sum latest.tar.gz wordpress-2.0.3.tar.gz
        0ad0696351cba9ef9b4a3dd97b1f327b  latest.tar.gz
        0ad0696351cba9ef9b4a3dd97b1f327b  wordpress-2.0.3.tar.gz
* latest version is being packaged: v2.0.3, okay
* BuildRequires are proper: okay
* package builds in mock: okay (fedora development, x86_64)
* rpmlint is silent: not quite yet, it complains about /usr/share/wordpress/wp-config.php being 
marked as a config file
* final provides and requires are sane: okay
    wordpress-2.0.3-1.fc6.noarch.rpm
    config(wordpress) = 2.0.3-1.fc6
    wordpress = 2.0.3-1.fc6
    =
    config(wordpress) = 2.0.3-1.fc6
    httpd  
    mysql-server  
    php >= 4.1.

* no shared libraries are present: okay
* package is not relocatable: okay
* owns the directories it creates: not yet, need to add /usr/share/wordpress to %files
* doesn't own any directories it shouldn't: okay
* no duplicates in %files: okay
* file permissions are appropriate: okay
* %clean is present: okay
* %check is present and all tests pass: n/a
* no scriptlets present: okay
* code, not content: okay
* documentation is small, so no -docs subpackage is necessary: okay
* %docs are not necessary for the proper functioning of the package: okay
* no headers: okay
* no pkgconfig files: okay
* no libtool .la files: okay
* not a GUI app: okay
* not a web app: okay

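The packaging points raised in Comment 5 (install under /usr/share, config in /etc, empty files removed, %doc pulled from the source tree, unversioned upstream tarball) and Comment 7 (%dir ownership, relative symlink, symlink not marked %config, httpd conf path fix, no %{installdir} macro) are easiest to see together in one spec. The skeleton below is an added illustration written for this page, not the wordpress.spec from the review; the tarball top-level directory name, the doc file names (readme.html, license.txt), the /etc/wordpress config location and the httpd.conf fragment name are assumptions.

```spec
# Added illustration, not the spec file under review.
# Assumed: tarball unpacks to "wordpress/", docs are readme.html and
# license.txt, site config lives in /etc/wordpress.
Name:           wordpress
Version:        2.0.3
Release:        2%{?dist}
Summary:        Database driven blogging software
License:        GPL
URL:            http://wordpress.org/
# Upstream only publishes latest.tar.gz; a versioned copy is kept
# alongside the spec so the md5sum check against upstream still works.
Source0:        wordpress-%{version}.tar.gz
Source1:        wordpress-httpd-conf
BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch:      noarch
Requires:       httpd, mysql-server, php >= 4.1

%description
WordPress is an online publishing / weblog package.

%prep
%setup -q -n wordpress
# rpmlint flags zero-length files; drop them rather than ship them.
find . -type f -empty -delete

%install
rm -rf %{buildroot}
# Web apps go under %{_datadir}, not /var/www, per the Fedora Extras guidelines.
mkdir -p %{buildroot}%{_datadir}/wordpress
cp -a . %{buildroot}%{_datadir}/wordpress/
# Keep docs out of the payload; %doc in %files picks them up from the
# source tree by relative path instead.
rm -f %{buildroot}%{_datadir}/wordpress/readme.html \
      %{buildroot}%{_datadir}/wordpress/license.txt
# Site configuration lives in /etc. The code tree gets a RELATIVE symlink,
# so the link resolves on the installed system and never points into the
# buildroot.
mkdir -p %{buildroot}%{_sysconfdir}/wordpress
mv %{buildroot}%{_datadir}/wordpress/wp-config-sample.php \
   %{buildroot}%{_sysconfdir}/wordpress/wp-config.php
ln -s ../../../etc/wordpress/wp-config.php \
   %{buildroot}%{_datadir}/wordpress/wp-config.php
# httpd fragment, with the old /var/www path rewritten to the real one.
mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d
sed 's|/var/www/wordpress|%{_datadir}/wordpress|g' %{SOURCE1} \
   > %{buildroot}%{_sysconfdir}/httpd/conf.d/wordpress.conf

%clean
rm -rf %{buildroot}

%files
%defattr(-,root,root,-)
%doc readme.html license.txt
# %dir makes the package own the directory entry itself, not only the
# files beneath it (needed whenever contents are listed individually).
%dir %{_datadir}/wordpress
%{_datadir}/wordpress/*
# The real config files sit in /etc and survive upgrades; the symlink
# inside the code tree is deliberately NOT marked %config.
%config(noreplace) %{_sysconfdir}/wordpress/wp-config.php
%config(noreplace) %{_sysconfdir}/httpd/conf.d/wordpress.conf
```

With this layout the only file a site administrator edits is /etc/wordpress/wp-config.php, which holds the database credentials, so it is preserved across package upgrades and never overwritten by a new release of the code tree.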

Comment 8 John Berninger 2006-06-20 06:25:08 UTC
Removed %{installdir} macro, symlink no longer marked config, corrected dir
ownerships

Spec: http://www.berningeronline.net/wordpress.spec
SRPM: http://www.berningeronline.net/wordpress-2.0.3-2.src.rpm

Comment 9 Jarod Wilson 2006-06-20 14:44:30 UTC
And you also corrected the httpd conf file. :) Everything looks good to go now,
package APPROVED.

Comment 10 John Berninger 2006-06-21 02:18:12 UTC
imported and built for FC4, FC5, and devel.

