Hi Chris,

First of all, welcome!

Could you put up the files somewhere else? Dropbox only works if you're logged in, which breaks automated tools like fedora-review which scrapes the spec and SRPM URLs from bugzilla. 

Putting it up in COPR is probably easiest: https://copr.fedorainfracloud.org/

Also, I've made this blocks FE-NEEDSPONSOR so sponsors watching that ticket will be notified. And... what's your FAS (Fedora Account System) username? Thanks

Note that you *can't* use /opt - /opt/fedora is an exception, but requires approval from the packaging committee, see https://docs.fedoraproject.org/en-US/packaging-guidelines/#_limited_usage_of_opt_etcopt_and_varopt

It might be better to just rename the binaries (e.g. ssh => /usr/bin/hpnssh) - but I can go in more details later.

Hell Michel, 

Thanks for taking the time to look at this. This is my first time getting into this process so please excuse any head scratching ignorance on my part. 

I've created an account and repository on COPR. The URL is https://copr.fedorainfracloud.org/coprs/rapier1/hpnssh/. The SRPM can be found at https://download.copr.fedorainfracloud.org/results/rapier1/hpnssh/srpm-builds/03282686/hpnssh-8.8p1_hpn15v5-5.fc35.src.rpm. Let me know if those aren't correct and I'll try again.  

My FAS username is rapier1. 

Not being able to use opt makes sense but is somewhat problematic on my end. When I started doing work on this (I think it was in 2002) the idea was simply to have a set of patches that would be so obviously awesome that OpenSSH would incorporate them right away. Since that didn't happen (for various reasons only partly related to the code itself) my goal hasn't been to fork OpenSSH as much as spoon up against it. So I've never actually reimplemented the majority of OpenSSH but modified the code over time while maintaining concurrency and strict compatibility. I thought about renaming the binaries at one point but I felt that would interfere with the long running goal of upstream inclusion. It was also felt that it would be harder to train users in the various communities I support to use the enhanced version. I'll be discussing this with my boss, the program office at the National Science Foundation (they're currently supporting this work through a grant), and hpnssh community members. 

As I said, I absolutely understand why Fedora has the no /opt rule and I want to assure you that I'm not going to push back against that. As I look at it, I'm a guest here. 4

(In reply to Michel Alexandre Salim from comment #1)
> Hi Chris,
> 
> First of all, welcome!
> 
> Could you put up the files somewhere else? Dropbox only works if you're
> logged in, which breaks automated tools like fedora-review which scrapes the
> spec and SRPM URLs from bugzilla. 
> 
> Putting it up in COPR is probably easiest: https://copr.fedorainfracloud.org/
> 
> Also, I've made this blocks FE-NEEDSPONSOR so sponsors watching that ticket
> will be notified. And... what's your FAS (Fedora Account System) username?
> Thanks
> 
> It might be better to just rename the binaries (e.g. ssh => /usr/bin/hpnssh)
> - but I can go in more details later.

Michel, Just wanted to let you know that I've reworked the package so that it doesn't use /opt. I've renamed all of the binaries and support files that overlapped with openssh. In my tests I've been able to install it and remove it without interfering with openssh package installs.

I've uploaded it to copr and it successfully built (https://copr.fedorainfracloud.org/coprs/rapier1/hpnssh/build/3529733/). The SRPM is available at https://download.copr.fedorainfracloud.org/results/rapier1/hpnssh/srpm-builds/03529733/hpnssh-8.8p1_hpn16v1-2.fc35.src.rpm 

If you have a moment to review it or could suggest someone that might be willing to sponsor this package please let me know. 

Thanks for your time, 

Chris Rapier

Welcome to Fedora, Chris. Here is my review of this package.

Package Review
==============

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated

Issues:
=======
I realize that you inherited many of these issues from the Fedora openssh
spec file, but I'm reporting them anyway as a conscientious reviewer. :-)
First the automatically generated issues:

- systemd_post is invoked in %post, systemd_preun in %preun, and
  systemd_postun in %postun for Systemd service files.
  Note: Systemd service file(s) in hpnssh-server
  See: https://docs.fedoraproject.org/en-US/packaging-
  guidelines/Scriptlets/#_scriptlets
- systemd_user_post is invoked in %post and systemd_user_preun in %preun
  for Systemd user units service files.
  Note: Systemd user unit service file(s) in hpnssh-clients
  See: https://docs.fedoraproject.org/en-US/packaging-
  guidelines/Scriptlets/#_user_units

And now my comments:

- There is already a package named pam_ssh_agent_auth.  You cannot reuse this
  name.  Either rename it or, if it does not need to be different from the
  openssh version, suppress it.  If you rename the package, we also have to be
  sure the two packages can be installed in parallel.

- There is already a directory named /usr/libexec/openssh, owned by the openssh
  package.  Is it write to add the hpnssh files there, or should it use
  /usr/libexec/hpnssh?

- Dependencies between the main package and subpackages should include %{?_isa}
  when the packages are both archful.  In the clients subpackage, for example,
  the dependency on the main package should look like this:

  Requires: %{name}%{?_isa} = %{version}-%{release}

  See:
  https://docs.fedoraproject.org/en-US/packaging-guidelines/#_requiring_base_package

- Are Source0 and Source1 downloadable from somewhere?  If so, please change
  both of those to full URLs.

- Since the main package has License: BSD, there is no point repeating that in
  the pam_ssh_agent_auth subpackage.

- Speaking of the license, there are other licenses besides BSD at play here:
  Beerware: md5crypt.{c,h}
  Public domain: rijndael.{c,h}
  ISC: addr.{c,h}, addrmatch.c, auth-options.{c,h}, bitmatp.{c,h}, etc.

- There is a macro for doing GPG verification.  The first line in %prep should
  be:

  %{gpgverify} --keyring='%{SOURCE3}' --signature='%{SOURCE1}' --data='%{SOURCE0}'

  https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures

- The openssh spec file has switched from gtk2 to gtk3.  Should that change
  be made to hpnssh as well?

- The comment on line 468 of the spec file is a bit puzzling.  RPM does handle
  nested %if statements.

- The first line of %install should be removed.  See the 3rd bullet here:
  https://docs.fedoraproject.org/en-US/packaging-guidelines/#_tags_and_sections

- Nearly all of the %attr directives in the %files are unnecessary.  See
  https://docs.fedoraproject.org/en-US/packaging-guidelines/#_file_permissions

- The mechanisms used to create users and groups have changed.  See
  https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/

- The most recent changelog entry has an incorrect version number.  Instead of
  8.8p1-2, it should be 8.8p1_hpn16v1-2.

- See the rpmlint output below for a few other minor issues.

===== MUST items =====

C/C++:
[x]: Package does not contain kernel modules.
[x]: Package contains no static executables.
[x]: Development (unversioned) .so files in -devel subpackage, if present.
     Note: Unversioned so-files in private %_libdir subdirectory (see
     attachment). Verify they are not in ld path.
[x]: If your application is a C or C++ application you must list a
     BuildRequires against gcc, gcc-c++ or clang.
[x]: Header files in -devel subpackage, if present.
[x]: Package does not contain any libtool archives (.la)
[x]: Rpath absent or only used for internal libs.

Generic:
[x]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[!]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses
     found: "Unknown or generated", "ISC License", "BSD 2-Clause License",
     "ISC License BSD 2-Clause License", "GNU General Public License v3.0
     or later", "X11 License [generated file]", "*No copyright* Beerware
     License", "*No copyright* Public domain", "BSD 3-Clause License BSD
     2-Clause License", "BSD 3-Clause License", "BSD 4-Clause License",
     "BSD 2-clause NetBSD License BSD 2-Clause License", "ISC License BSD
     3-Clause License", "ISC License BSD 2-clause NetBSD License BSD
     2-Clause License", "SSLeay", "MIT License", "OpenSSL License", "GNU
     General Public License v2.0 or later [generated file]", "FSF Unlimited
     License [generated file]", "BSD 2-Clause with views sentence",
     "Historical Permission Notice and Disclaimer - sell variant [generated
     file]", "curl License", "BSD 2-Clause with views sentence GNU General
     Public License". 577 files have unknown license. Detailed output of
     licensecheck in /home/jamesjer/2/review-hpnssh/licensecheck.txt
[x]: License file installed when any subpackage combination is installed.
[x]: Package must own all directories that it creates.
     Note: Directories without known owners: /usr/lib/systemd/user,
     /usr/lib/systemd, /usr/lib64/security, /etc/profile.d, /etc/pam.d
[!]: Package does not own files or directories owned by other packages.
     Note: Dirs in package are owned also by: /usr/libexec/openssh(openssh,
     x11-ssh-askpass)
[x]: %build honors applicable compiler flags or justifies otherwise.
[x]: Package contains no bundled libraries without FPC exception.
[x]: Changelog in prescribed format.
[!]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
     Note: rm -rf %{buildroot} present but not required
[x]: Sources contain only permissible code or content.
[-]: Package contains desktop file if it is a GUI application.
[-]: Development files must be in a -devel package
[x]: Package uses nothing in %doc for runtime.
[x]: Package consistently uses macros (instead of hard-coded directory
     names).
[x]: Package is named according to the Package Naming Guidelines.
[!]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[x]: Requires correct, justified where necessary.
[x]: Spec file is legible and written in American English.
[x]: Package contains systemd file(s) if in need.
[x]: Useful -debuginfo package or justification otherwise.
[x]: Package is not known to require an ExcludeArch tag.
[x]: Large documentation must go in a -doc subpackage. Large could be size
     (~1MB) or number of files.
     Note: Documentation size is 143360 bytes in 19 files.
[x]: Package complies to the Packaging Guidelines
[x]: Package successfully compiles and builds into binary rpms on at least
     one supported primary architecture.
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: If (and only if) the source package includes the text of the
     license(s) in its own file, then that file, containing the text of the
     license(s) for the package is included in %license.
[x]: Package requires other packages for directories it uses.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Dist tag is present.
     Note: Multiple Release: tags found
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package must not depend on deprecated() packages.
[x]: Package use %makeinstall only when make install DESTDIR=... doesn't
     work.
[x]: Package is named using only allowed ASCII characters.
[x]: Package does not use a name that already exists.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as
     provided in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Packages must not store files under /srv, /opt or /usr/local

===== SHOULD items =====

Generic:
[!]: Uses parallel make %{?_smp_mflags} macro.
[-]: If the source package does not include license text(s) as a separate
     file from upstream, the packager SHOULD query upstream to include it.
[x]: Final provides and requires are sane (see attachments).
[!]: Fully versioned dependency in subpackages if applicable.
     Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in hpnssh-
     clients , hpnssh-server , hpnssh-keycat , hpnssh-askpass ,
     pam_ssh_agent_auth
[?]: Package functions as described.
[x]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[x]: Patches link to upstream bugs/comments/lists or are otherwise
     justified.
[x]: Scriptlets must be sane, if used.
[!]: SourceX tarball generation or download is documented.
     Note: Package contains tarball without URL, check comments
[x]: Sources are verified with gpgverify first in %prep if upstream
     publishes signatures.
     Note: gpgverify is not used.
[-]: Description and summary sections in the package spec file contains
     translations for supported Non-English languages, if available.
[x]: Package should compile and build into binary rpms on all supported
     architectures.
[x]: %check is present and all tests pass.
[x]: Packages should try to preserve timestamps of original installed
     files.
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: Sources can be downloaded from URI in Source: tag
[x]: SourceX is a working URL.
[x]: Spec use %global instead of %define unless justified.

===== EXTRA items =====

Generic:
[x]: Rpmlint is run on debuginfo package(s).
     Note: There are rpmlint messages (see attachment).
[x]: Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).
[x]: Large data in /usr/share should live in a noarch subpackage if package
     is arched.
[x]: Package should not use obsolete m4 macros
[x]: Spec file according to URL is the same as in SRPM.


Rpmlint
-------
================================================ rpmlint session starts ================================================
rpmlint: 2.2.0
configuration:
    /usr/lib/python3.10/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/licenses.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
checks: 32, packages: 7

hpnssh.x86_64: E: setgid-binary /usr/libexec/openssh/hpnssh-keysign ssh_keys 2555
pam_ssh_agent_auth.x86_64: E: pam-unauthorized-module pam_ssh_agent_auth.so
hpnssh.x86_64: W: non-standard-gid /usr/libexec/openssh/hpnssh-keysign ssh_keys
hpnssh.x86_64: E: non-standard-executable-perm /usr/libexec/openssh/hpnssh-keysign 2555
hpnssh.x86_64: E: non-standard-executable-perm /usr/libexec/openssh/hpnssh-keysign 2555
hpnssh-server.x86_64: E: non-standard-dir-perm /usr/share/empty.hpnsshd 711
hpnssh-server.x86_64: E: non-readable /etc/hpnssh/sshd_config 600
hpnssh-server.x86_64: E: non-readable /etc/hpnssh/sshd_config.d/50-redhat.conf 600
hpnssh-server.x86_64: E: non-readable /etc/sysconfig/hpnsshd 640
hpnssh-askpass.x86_64: W: non-conffile-in-etc /etc/profile.d/gnome-hpnssh-askpass.csh
hpnssh-askpass.x86_64: W: non-conffile-in-etc /etc/profile.d/gnome-hpnssh-askpass.sh
hpnssh-askpass.x86_64: W: no-documentation
hpnssh.spec:584: W: mixed-use-of-spaces-and-tabs (spaces: line 584, tab: line 416)
hpnssh.spec: W: invalid-url Source1: hpnssh-8.8p1_hpn16v1.tar.gz.asc
hpnssh.spec: W: invalid-url Source0: hpnssh-8.8p1_hpn16v1.tar.gz
hpnssh.x86_64: W: incoherent-version-in-changelog 8.8p1-2 ['8.8p1_hpn16v1-2.fc36', '8.8p1_hpn16v1-2']
hpnssh-server.x86_64: W: dangerous-command-in-%post rm
hpnssh-server.x86_64: W: binary-or-shlib-calls-gethostbyname /usr/sbin/hpnsshd
================ 7 packages and 0 specfiles checked; 8 errors, 10 warnings, 8 badness; has taken 19.3 s ================


Rpmlint (installed packages)
----------------------------
================================================ rpmlint session starts ================================================
rpmlint: 2.2.0
configuration:
    /usr/lib/python3.10/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/licenses.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
checks: 32, packages: 6

hpnssh.x86_64: E: setgid-binary /usr/libexec/openssh/hpnssh-keysign ssh_keys 2555
pam_ssh_agent_auth.x86_64: E: pam-unauthorized-module pam_ssh_agent_auth.so
hpnssh.x86_64: W: non-standard-gid /usr/libexec/openssh/hpnssh-keysign ssh_keys
hpnssh.x86_64: E: non-standard-executable-perm /usr/libexec/openssh/hpnssh-keysign 2555
hpnssh.x86_64: E: non-standard-executable-perm /usr/libexec/openssh/hpnssh-keysign 2555
hpnssh-server.x86_64: E: non-standard-dir-perm /usr/share/empty.hpnsshd 711
hpnssh-server.x86_64: E: non-readable /etc/hpnssh/sshd_config 600
hpnssh-server.x86_64: E: non-readable /etc/hpnssh/sshd_config.d/50-redhat.conf 600
hpnssh-server.x86_64: E: non-readable /etc/sysconfig/hpnsshd 640
hpnssh-askpass.x86_64: W: non-conffile-in-etc /etc/profile.d/gnome-hpnssh-askpass.csh
hpnssh-askpass.x86_64: W: non-conffile-in-etc /etc/profile.d/gnome-hpnssh-askpass.sh
hpnssh-askpass.x86_64: W: no-documentation
hpnssh.x86_64: W: incoherent-version-in-changelog 8.8p1-2 ['8.8p1_hpn16v1-2.fc36', '8.8p1_hpn16v1-2']
hpnssh-server.x86_64: W: dangerous-command-in-%post rm
hpnssh-server.x86_64: W: binary-or-shlib-calls-gethostbyname /usr/sbin/hpnsshd
================= 6 packages and 0 specfiles checked; 8 errors, 7 warnings, 8 badness; has taken 0.8 s =================


Unversioned so-files
--------------------
pam_ssh_agent_auth: /usr/lib64/security/pam_ssh_agent_auth.so

Source checksums
----------------
https://github.com/jbeverly/pam_ssh_agent_auth/archive/pam_ssh_agent_auth-0.10.4.tar.gz :
  CHECKSUM(SHA256) this package     : 9d440de6627940c09eadc342cc7d8bc9823654fd1a2be11c4f5820dd073054e0
  CHECKSUM(SHA256) upstream package : 9d440de6627940c09eadc342cc7d8bc9823654fd1a2be11c4f5820dd073054e0


Requires
--------
hpnssh (rpmlib, GLIBC filtered):
    /bin/sh
    /sbin/nologin
    audit-libs
    config(hpnssh)
    libc.so.6()(64bit)
    libcrypto.so.3()(64bit)
    libcrypto.so.3(OPENSSL_3.0.0)(64bit)
    libselinux
    libselinux.so.1()(64bit)
    libselinux.so.1(LIBSELINUX_1.0)(64bit)
    libz.so.1()(64bit)
    rtld(GNU_HASH)

hpnssh-clients (rpmlib, GLIBC filtered):
    /bin/sh
    /usr/bin/sh
    config(hpnssh-clients)
    crypto-policies
    hpnssh
    libc.so.6()(64bit)
    libcrypto.so.3()(64bit)
    libcrypto.so.3(OPENSSL_3.0.0)(64bit)
    libedit.so.0()(64bit)
    libfido2.so.1()(64bit)
    libgcc_s.so.1()(64bit)
    libgcc_s.so.1(GCC_3.0)(64bit)
    libgcc_s.so.1(GCC_3.3.1)(64bit)
    libgssapi_krb5.so.2()(64bit)
    libgssapi_krb5.so.2(gssapi_krb5_2_MIT)(64bit)
    libselinux.so.1()(64bit)
    libselinux.so.1(LIBSELINUX_1.0)(64bit)
    libz.so.1()(64bit)
    rtld(GNU_HASH)

hpnssh-server (rpmlib, GLIBC filtered):
    /bin/sh
    /usr/bin/bash
    /usr/sbin/useradd
    config(hpnssh-server)
    crypto-policies
    hpnssh
    libaudit.so.1()(64bit)
    libc.so.6()(64bit)
    libcom_err.so.2()(64bit)
    libcrypt.so.2()(64bit)
    libcrypt.so.2(XCRYPT_2.0)(64bit)
    libcrypto.so.3()(64bit)
    libcrypto.so.3(OPENSSL_3.0.0)(64bit)
    libgcc_s.so.1()(64bit)
    libgcc_s.so.1(GCC_3.0)(64bit)
    libgcc_s.so.1(GCC_3.3.1)(64bit)
    libgssapi_krb5.so.2()(64bit)
    libgssapi_krb5.so.2(gssapi_krb5_2_MIT)(64bit)
    libkrb5.so.3()(64bit)
    libkrb5.so.3(krb5_3_MIT)(64bit)
    libpam.so.0()(64bit)
    libpam.so.0(LIBPAM_1.0)(64bit)
    libselinux.so.1()(64bit)
    libselinux.so.1(LIBSELINUX_1.0)(64bit)
    libsystemd.so.0()(64bit)
    libsystemd.so.0(LIBSYSTEMD_209)(64bit)
    libz.so.1()(64bit)
    pam
    rtld(GNU_HASH)
    systemd

hpnssh-keycat (rpmlib, GLIBC filtered):
    config(hpnssh-keycat)
    hpnssh
    libc.so.6()(64bit)
    libpam.so.0()(64bit)
    libpam.so.0(LIBPAM_1.0)(64bit)
    rtld(GNU_HASH)

hpnssh-askpass (rpmlib, GLIBC filtered):
    hpnssh
    libX11.so.6()(64bit)
    libc.so.6()(64bit)
    libgdk-x11-2.0.so.0()(64bit)
    libglib-2.0.so.0()(64bit)
    libgobject-2.0.so.0()(64bit)
    libgtk-x11-2.0.so.0()(64bit)
    rtld(GNU_HASH)

pam_ssh_agent_auth (rpmlib, GLIBC filtered):
    libc.so.6()(64bit)
    libcrypto.so.3()(64bit)
    libcrypto.so.3(OPENSSL_3.0.0)(64bit)
    libpam.so.0()(64bit)
    libpam.so.0(LIBPAM_1.0)(64bit)
    rtld(GNU_HASH)

hpnssh-debuginfo (rpmlib, GLIBC filtered):

hpnssh-debugsource (rpmlib, GLIBC filtered):



Provides
--------
hpnssh:
    config(hpnssh)
    hpnssh
    hpnssh(x86-64)

hpnssh-clients:
    config(hpnssh-clients)
    hpnssh-clients
    hpnssh-clients(x86-64)

hpnssh-server:
    config(hpnssh-server)
    hpnssh-server
    hpnssh-server(x86-64)

hpnssh-keycat:
    config(hpnssh-keycat)
    hpnssh-keycat
    hpnssh-keycat(x86-64)

hpnssh-askpass:
    hpnssh-askpass
    hpnssh-askpass(x86-64)

pam_ssh_agent_auth:
    pam_ssh_agent_auth
    pam_ssh_agent_auth(x86-64)

hpnssh-debuginfo:
    debuginfo(build-id)
    hpnssh-debuginfo
    hpnssh-debuginfo(x86-64)

hpnssh-debugsource:
    hpnssh-debugsource
    hpnssh-debugsource(x86-64)



Generated by fedora-review 0.7.6 (b083f91) last change: 2020-11-10
Command line :/usr/bin/fedora-review -n hpnssh -m fedora-36-x86_64
Buildroot used: fedora-36-x86_64
Active plugins: C/C++, Generic, Shell-api
Disabled plugins: Python, Ruby, Perl, R, Java, SugarActivity, Ocaml, PHP, fonts, Haskell
Disabled flags: EPEL6, EPEL7, DISTTAG, BATCH, EXARCH

(In reply to Jerry James from comment #4)
> https://bugzilla.redhat.com/show_bug.cgi?id=2047943
>
> Jerry James <loganjerry> changed:
>
>             What    |Removed                     |Added
> ----------------------------------------------------------------------------
>                   CC|                            |loganjerry
>
>
>
> --- Comment #4 from Jerry James <loganjerry> ---
> Welcome to Fedora, Chris. Here is my review of this package.
>
> Package Review
> ==============
>
> Legend:
> [x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated
>
> Issues:
> =======
> I realize that you inherited many of these issues from the Fedora openssh
> spec file, but I'm reporting them anyway as a conscientious reviewer.

Which is a good thing

> First the automatically generated issues:
>
> - systemd_post is invoked in %post, systemd_preun in %preun, and
>    systemd_postun in %postun for Systemd service files.
>    Note: Systemd service file(s) in hpnssh-server
>    See: https://docs.fedoraproject.org/en-US/packaging-
>    guidelines/Scriptlets/#_scriptlets
> - systemd_user_post is invoked in %post and systemd_user_preun in %preun
>    for Systemd user units service files.
>    Note: Systemd user unit service file(s) in hpnssh-clients
>    See: https://docs.fedoraproject.org/en-US/packaging-
>    guidelines/Scriptlets/#_user_units
>
> And now my comments:
>
> - There is already a package named pam_ssh_agent_auth.  You cannot reuse this
>    name.  Either rename it or, if it does not need to be different from the
>    openssh version, suppress it.  If you rename the package, we also have to be
>    sure the two packages can be installed in parallel.

Ugh. Okay, I'll look into that. My guess is that it needs to be renamed as I need to patch the pam_ssh_agent_auth to build against pthreads. I'll verify to see if that's actually true or a hold over from an earlier build attempt. Stupidly I forgot to make notes about that when I did that back in 2020.

> - There is already a directory named /usr/libexec/openssh, owned by the openssh
>    package.  Is it write to add the hpnssh files there, or should it use
>    /usr/libexec/hpnssh?

Actually, it makes sense to rename that. The only think in the the sftp-server and I've already renamed that. I can move the install location and update the path.

> - Dependencies between the main package and subpackages should include %{?_isa}
>    when the packages are both archful.  In the clients subpackage, for example,
>    the dependency on the main package should look like this:
>
>    Requires: %{name}%{?_isa} = %{version}-%{release}
>
>    See:
>   https://docs.fedoraproject.org/en-US/packaging-guidelines/#_requiring_base_package

Okay, I was following the openssh package on that. I'll review the documentation and update to match best paractices.

> - Are Source0 and Source1 downloadable from somewhere?  If so, please change
>    both of those to full URLs.

Not at this time but I think I can swing that through work.

> - Since the main package has License: BSD, there is no point repeating that in
>    the pam_ssh_agent_auth subpackage.

Again, taken from the openssh package. I can remove that.

> - Speaking of the license, there are other licenses besides BSD at play here:
>    Beerware: md5crypt.{c,h}
>    Public domain: rijndael.{c,h}
>    ISC: addr.{c,h}, addrmatch.c, auth-options.{c,h}, bitmatp.{c,h}, etc.
>

Yeah, the source code is a mishmash of a bunch of difference licenses and I can't normalize them on to a single license. Is that a problem?

> - There is a macro for doing GPG verification.  The first line in %prep should
>    be:
>
>    %{gpgverify} --keyring='%{SOURCE3}' --signature='%{SOURCE1}'
> --data='%{SOURCE0}'

I'll get that resovled. More cruft from the openssh package. Which probably doesn't surprise you.

> https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures
>
> - The openssh spec file has switched from gtk2 to gtk3.  Should that change
>    be made to hpnssh as well?

Yup. When I started this they were still using gtk2 and I didn't check if that had changed in newer versions of openssh.

> - The comment on line 468 of the spec file is a bit puzzling.  RPM does handle
>    nested %if statements.

More from the openssh package. I can resolve that if you think it is important.

> - The first line of %install should be removed.  See the 3rd bullet here:
>    https://docs.fedoraproject.org/en-US/packaging-guidelines/#_tags_and_sections
>
> - Nearly all of the %attr directives in the %files are unnecessary.  See
>    https://docs.fedoraproject.org/en-US/packaging-guidelines/#_file_permissions
>
> - The mechanisms used to create users and groups have changed.  See
>    https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/
>
> - The most recent changelog entry has an incorrect version number.  Instead of
>    8.8p1-2, it should be 8.8p1_hpn16v1-2.
>
> - See the rpmlint output below for a few other minor issues.


And again, the perils of building on someone else's work when you aren't entirely sure of what you are doing. I think I can resolve these issues.

I'll also work on cleaning up as much as I can in the lint output.



> ===== MUST items =====
>
> C/C++:
> [x]: Package does not contain kernel modules.
> [x]: Package contains no static executables.
> [x]: Development (unversioned) .so files in -devel subpackage, if present.
>       Note: Unversioned so-files in private %_libdir subdirectory (see
>       attachment). Verify they are not in ld path.
> [x]: If your application is a C or C++ application you must list a
>       BuildRequires against gcc, gcc-c++ or clang.
> [x]: Header files in -devel subpackage, if present.
> [x]: Package does not contain any libtool archives (.la)
> [x]: Rpath absent or only used for internal libs.
>
> Generic:
> [x]: Package is licensed with an open-source compatible license and meets
>       other legal requirements as defined in the legal section of Packaging
>       Guidelines.
> [!]: License field in the package spec file matches the actual license.
>       Note: Checking patched sources after %prep for licenses. Licenses
>       found: "Unknown or generated", "ISC License", "BSD 2-Clause License",
>       "ISC License BSD 2-Clause License", "GNU General Public License v3.0
>       or later", "X11 License [generated file]", "*No copyright* Beerware
>       License", "*No copyright* Public domain", "BSD 3-Clause License BSD
>       2-Clause License", "BSD 3-Clause License", "BSD 4-Clause License",
>       "BSD 2-clause NetBSD License BSD 2-Clause License", "ISC License BSD
>       3-Clause License", "ISC License BSD 2-clause NetBSD License BSD
>       2-Clause License", "SSLeay", "MIT License", "OpenSSL License", "GNU
>       General Public License v2.0 or later [generated file]", "FSF Unlimited
>       License [generated file]", "BSD 2-Clause with views sentence",
>       "Historical Permission Notice and Disclaimer - sell variant [generated
>       file]", "curl License", "BSD 2-Clause with views sentence GNU General
>       Public License". 577 files have unknown license. Detailed output of
>       licensecheck in /home/jamesjer/2/review-hpnssh/licensecheck.txt
> [x]: License file installed when any subpackage combination is installed.
> [x]: Package must own all directories that it creates.
>       Note: Directories without known owners: /usr/lib/systemd/user,
>       /usr/lib/systemd, /usr/lib64/security, /etc/profile.d, /etc/pam.d
> [!]: Package does not own files or directories owned by other packages.
>       Note: Dirs in package are owned also by: /usr/libexec/openssh(openssh,
>       x11-ssh-askpass)
> [x]: %build honors applicable compiler flags or justifies otherwise.
> [x]: Package contains no bundled libraries without FPC exception.
> [x]: Changelog in prescribed format.
> [!]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
>       beginning of %install.
>       Note: rm -rf %{buildroot} present but not required
> [x]: Sources contain only permissible code or content.
> [-]: Package contains desktop file if it is a GUI application.
> [-]: Development files must be in a -devel package
> [x]: Package uses nothing in %doc for runtime.
> [x]: Package consistently uses macros (instead of hard-coded directory
>       names).
> [x]: Package is named according to the Package Naming Guidelines.
> [!]: Package does not generate any conflict.
> [x]: Package obeys FHS, except libexecdir and /usr/target.
> [-]: If the package is a rename of another package, proper Obsoletes and
>       Provides are present.
> [x]: Requires correct, justified where necessary.
> [x]: Spec file is legible and written in American English.
> [x]: Package contains systemd file(s) if in need.
> [x]: Useful -debuginfo package or justification otherwise.
> [x]: Package is not known to require an ExcludeArch tag.
> [x]: Large documentation must go in a -doc subpackage. Large could be size
>       (~1MB) or number of files.
>       Note: Documentation size is 143360 bytes in 19 files.
> [x]: Package complies to the Packaging Guidelines
> [x]: Package successfully compiles and builds into binary rpms on at least
>       one supported primary architecture.
> [x]: Package installs properly.
> [x]: Rpmlint is run on all rpms the build produces.
>       Note: There are rpmlint messages (see attachment).
> [x]: If (and only if) the source package includes the text of the
>       license(s) in its own file, then that file, containing the text of the
>       license(s) for the package is included in %license.
> [x]: Package requires other packages for directories it uses.
> [x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
> [x]: Macros in Summary, %description expandable at SRPM build time.
> [x]: Dist tag is present.
>       Note: Multiple Release: tags found
> [x]: Package does not contain duplicates in %files.
> [x]: Permissions on files are set properly.
> [x]: Package must not depend on deprecated() packages.
> [x]: Package use %makeinstall only when make install DESTDIR=... doesn't
>       work.
> [x]: Package is named using only allowed ASCII characters.
> [x]: Package does not use a name that already exists.
> [x]: Package is not relocatable.
> [x]: Sources used to build the package match the upstream source, as
>       provided in the spec URL.
> [x]: Spec file name must match the spec package %{name}, in the format
>       %{name}.spec.
> [x]: File names are valid UTF-8.
> [x]: Packages must not store files under /srv, /opt or /usr/local
>
> ===== SHOULD items =====
>
> Generic:
> [!]: Uses parallel make %{?_smp_mflags} macro.
> [-]: If the source package does not include license text(s) as a separate
>       file from upstream, the packager SHOULD query upstream to include it.
> [x]: Final provides and requires are sane (see attachments).
> [!]: Fully versioned dependency in subpackages if applicable.
>       Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in hpnssh-
>       clients , hpnssh-server , hpnssh-keycat , hpnssh-askpass ,
>       pam_ssh_agent_auth
> [?]: Package functions as described.
> [x]: Latest version is packaged.
> [x]: Package does not include license text files separate from upstream.
> [x]: Patches link to upstream bugs/comments/lists or are otherwise
>       justified.
> [x]: Scriptlets must be sane, if used.
> [!]: SourceX tarball generation or download is documented.
>       Note: Package contains tarball without URL, check comments
> [x]: Sources are verified with gpgverify first in %prep if upstream
>       publishes signatures.
>       Note: gpgverify is not used.
> [-]: Description and summary sections in the package spec file contains
>       translations for supported Non-English languages, if available.
> [x]: Package should compile and build into binary rpms on all supported
>       architectures.
> [x]: %check is present and all tests pass.
> [x]: Packages should try to preserve timestamps of original installed
>       files.
> [x]: Reviewer should test that the package builds in mock.
> [x]: Buildroot is not present
> [x]: Package has no %clean section with rm -rf %{buildroot} (or
>       $RPM_BUILD_ROOT)
> [x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
> [x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
> [x]: Sources can be downloaded from URI in Source: tag
> [x]: SourceX is a working URL.
> [x]: Spec use %global instead of %define unless justified.
>
> ===== EXTRA items =====
>
> Generic:
> [x]: Rpmlint is run on debuginfo package(s).
>       Note: There are rpmlint messages (see attachment).
> [x]: Rpmlint is run on all installed packages.
>       Note: There are rpmlint messages (see attachment).
> [x]: Large data in /usr/share should live in a noarch subpackage if package
>       is arched.
> [x]: Package should not use obsolete m4 macros
> [x]: Spec file according to URL is the same as in SRPM.
>
>
> Rpmlint
> -------
> ================================================ rpmlint session starts
> ================================================
> rpmlint: 2.2.0
> configuration:
>      /usr/lib/python3.10/site-packages/rpmlint/configdefaults.toml
>      /etc/xdg/rpmlint/fedora.toml
>      /etc/xdg/rpmlint/licenses.toml
>      /etc/xdg/rpmlint/scoring.toml
>      /etc/xdg/rpmlint/users-groups.toml
>      /etc/xdg/rpmlint/warn-on-functions.toml
> checks: 32, packages: 7
>
> hpnssh.x86_64: E: setgid-binary /usr/libexec/openssh/hpnssh-keysign ssh_keys
> 2555
> pam_ssh_agent_auth.x86_64: E: pam-unauthorized-module pam_ssh_agent_auth.so
> hpnssh.x86_64: W: non-standard-gid /usr/libexec/openssh/hpnssh-keysign ssh_keys
> hpnssh.x86_64: E: non-standard-executable-perm
> /usr/libexec/openssh/hpnssh-keysign 2555
> hpnssh.x86_64: E: non-standard-executable-perm
> /usr/libexec/openssh/hpnssh-keysign 2555
> hpnssh-server.x86_64: E: non-standard-dir-perm /usr/share/empty.hpnsshd 711
> hpnssh-server.x86_64: E: non-readable /etc/hpnssh/sshd_config 600
> hpnssh-server.x86_64: E: non-readable /etc/hpnssh/sshd_config.d/50-redhat.conf
> 600
> hpnssh-server.x86_64: E: non-readable /etc/sysconfig/hpnsshd 640
> hpnssh-askpass.x86_64: W: non-conffile-in-etc
> /etc/profile.d/gnome-hpnssh-askpass.csh
> hpnssh-askpass.x86_64: W: non-conffile-in-etc
> /etc/profile.d/gnome-hpnssh-askpass.sh
> hpnssh-askpass.x86_64: W: no-documentation
> hpnssh.spec:584: W: mixed-use-of-spaces-and-tabs (spaces: line 584, tab: line
> 416)
> hpnssh.spec: W: invalid-url Source1: hpnssh-8.8p1_hpn16v1.tar.gz.asc
> hpnssh.spec: W: invalid-url Source0: hpnssh-8.8p1_hpn16v1.tar.gz
> hpnssh.x86_64: W: incoherent-version-in-changelog 8.8p1-2
> ['8.8p1_hpn16v1-2.fc36', '8.8p1_hpn16v1-2']
> hpnssh-server.x86_64: W: dangerous-command-in-%post rm
> hpnssh-server.x86_64: W: binary-or-shlib-calls-gethostbyname /usr/sbin/hpnsshd
> ================ 7 packages and 0 specfiles checked; 8 errors, 10 warnings, 8
> badness; has taken 19.3 s ================
>
>
> Rpmlint (installed packages)
> ----------------------------
> ================================================ rpmlint session starts
> ================================================
> rpmlint: 2.2.0
> configuration:
>      /usr/lib/python3.10/site-packages/rpmlint/configdefaults.toml
>      /etc/xdg/rpmlint/fedora.toml
>      /etc/xdg/rpmlint/licenses.toml
>      /etc/xdg/rpmlint/scoring.toml
>      /etc/xdg/rpmlint/users-groups.toml
>      /etc/xdg/rpmlint/warn-on-functions.toml
> checks: 32, packages: 6
>
> hpnssh.x86_64: E: setgid-binary /usr/libexec/openssh/hpnssh-keysign ssh_keys
> 2555
> pam_ssh_agent_auth.x86_64: E: pam-unauthorized-module pam_ssh_agent_auth.so
> hpnssh.x86_64: W: non-standard-gid /usr/libexec/openssh/hpnssh-keysign ssh_keys
> hpnssh.x86_64: E: non-standard-executable-perm
> /usr/libexec/openssh/hpnssh-keysign 2555
> hpnssh.x86_64: E: non-standard-executable-perm
> /usr/libexec/openssh/hpnssh-keysign 2555
> hpnssh-server.x86_64: E: non-standard-dir-perm /usr/share/empty.hpnsshd 711
> hpnssh-server.x86_64: E: non-readable /etc/hpnssh/sshd_config 600
> hpnssh-server.x86_64: E: non-readable /etc/hpnssh/sshd_config.d/50-redhat.conf
> 600
> hpnssh-server.x86_64: E: non-readable /etc/sysconfig/hpnsshd 640
> hpnssh-askpass.x86_64: W: non-conffile-in-etc
> /etc/profile.d/gnome-hpnssh-askpass.csh
> hpnssh-askpass.x86_64: W: non-conffile-in-etc
> /etc/profile.d/gnome-hpnssh-askpass.sh
> hpnssh-askpass.x86_64: W: no-documentation
> hpnssh.x86_64: W: incoherent-version-in-changelog 8.8p1-2
> ['8.8p1_hpn16v1-2.fc36', '8.8p1_hpn16v1-2']
> hpnssh-server.x86_64: W: dangerous-command-in-%post rm
> hpnssh-server.x86_64: W: binary-or-shlib-calls-gethostbyname /usr/sbin/hpnsshd
> ================= 6 packages and 0 specfiles checked; 8 errors, 7 warnings, 8
> badness; has taken 0.8 s =================
>
>
> Unversioned so-files
> --------------------
> pam_ssh_agent_auth: /usr/lib64/security/pam_ssh_agent_auth.so
>
> Source checksums
> ----------------
> https://github.com/jbeverly/pam_ssh_agent_auth/archive/pam_ssh_agent_auth-0.10.4.tar.gz
> :
>    CHECKSUM(SHA256) this package     :
> 9d440de6627940c09eadc342cc7d8bc9823654fd1a2be11c4f5820dd073054e0
>    CHECKSUM(SHA256) upstream package :
> 9d440de6627940c09eadc342cc7d8bc9823654fd1a2be11c4f5820dd073054e0
>
>
> Requires
> --------
> hpnssh (rpmlib, GLIBC filtered):
>      /bin/sh
>      /sbin/nologin
>      audit-libs
>      config(hpnssh)
>      libc.so.6()(64bit)
>      libcrypto.so.3()(64bit)
>      libcrypto.so.3(OPENSSL_3.0.0)(64bit)
>      libselinux
>      libselinux.so.1()(64bit)
>      libselinux.so.1(LIBSELINUX_1.0)(64bit)
>      libz.so.1()(64bit)
>      rtld(GNU_HASH)
>
> hpnssh-clients (rpmlib, GLIBC filtered):
>      /bin/sh
>      /usr/bin/sh
>      config(hpnssh-clients)
>      crypto-policies
>      hpnssh
>      libc.so.6()(64bit)
>      libcrypto.so.3()(64bit)
>      libcrypto.so.3(OPENSSL_3.0.0)(64bit)
>      libedit.so.0()(64bit)
>      libfido2.so.1()(64bit)
>      libgcc_s.so.1()(64bit)
>      libgcc_s.so.1(GCC_3.0)(64bit)
>      libgcc_s.so.1(GCC_3.3.1)(64bit)
>      libgssapi_krb5.so.2()(64bit)
>      libgssapi_krb5.so.2(gssapi_krb5_2_MIT)(64bit)
>      libselinux.so.1()(64bit)
>      libselinux.so.1(LIBSELINUX_1.0)(64bit)
>      libz.so.1()(64bit)
>      rtld(GNU_HASH)
>
> hpnssh-server (rpmlib, GLIBC filtered):
>      /bin/sh
>      /usr/bin/bash
>      /usr/sbin/useradd
>      config(hpnssh-server)
>      crypto-policies
>      hpnssh
>      libaudit.so.1()(64bit)
>      libc.so.6()(64bit)
>      libcom_err.so.2()(64bit)
>      libcrypt.so.2()(64bit)
>      libcrypt.so.2(XCRYPT_2.0)(64bit)
>      libcrypto.so.3()(64bit)
>      libcrypto.so.3(OPENSSL_3.0.0)(64bit)
>      libgcc_s.so.1()(64bit)
>      libgcc_s.so.1(GCC_3.0)(64bit)
>      libgcc_s.so.1(GCC_3.3.1)(64bit)
>      libgssapi_krb5.so.2()(64bit)
>      libgssapi_krb5.so.2(gssapi_krb5_2_MIT)(64bit)
>      libkrb5.so.3()(64bit)
>      libkrb5.so.3(krb5_3_MIT)(64bit)
>      libpam.so.0()(64bit)
>      libpam.so.0(LIBPAM_1.0)(64bit)
>      libselinux.so.1()(64bit)
>      libselinux.so.1(LIBSELINUX_1.0)(64bit)
>      libsystemd.so.0()(64bit)
>      libsystemd.so.0(LIBSYSTEMD_209)(64bit)
>      libz.so.1()(64bit)
>      pam
>      rtld(GNU_HASH)
>      systemd
>
> hpnssh-keycat (rpmlib, GLIBC filtered):
>      config(hpnssh-keycat)
>      hpnssh
>      libc.so.6()(64bit)
>      libpam.so.0()(64bit)
>      libpam.so.0(LIBPAM_1.0)(64bit)
>      rtld(GNU_HASH)
>
> hpnssh-askpass (rpmlib, GLIBC filtered):
>      hpnssh
>      libX11.so.6()(64bit)
>      libc.so.6()(64bit)
>      libgdk-x11-2.0.so.0()(64bit)
>      libglib-2.0.so.0()(64bit)
>      libgobject-2.0.so.0()(64bit)
>      libgtk-x11-2.0.so.0()(64bit)
>      rtld(GNU_HASH)
>
> pam_ssh_agent_auth (rpmlib, GLIBC filtered):
>      libc.so.6()(64bit)
>      libcrypto.so.3()(64bit)
>      libcrypto.so.3(OPENSSL_3.0.0)(64bit)
>      libpam.so.0()(64bit)
>      libpam.so.0(LIBPAM_1.0)(64bit)
>      rtld(GNU_HASH)
>
> hpnssh-debuginfo (rpmlib, GLIBC filtered):
>
> hpnssh-debugsource (rpmlib, GLIBC filtered):
>
>
>
> Provides
> --------
> hpnssh:
>      config(hpnssh)
>      hpnssh
>      hpnssh(x86-64)
>
> hpnssh-clients:
>      config(hpnssh-clients)
>      hpnssh-clients
>      hpnssh-clients(x86-64)
>
> hpnssh-server:
>      config(hpnssh-server)
>      hpnssh-server
>      hpnssh-server(x86-64)
>
> hpnssh-keycat:
>      config(hpnssh-keycat)
>      hpnssh-keycat
>      hpnssh-keycat(x86-64)
>
> hpnssh-askpass:
>      hpnssh-askpass
>      hpnssh-askpass(x86-64)
>
> pam_ssh_agent_auth:
>      pam_ssh_agent_auth
>      pam_ssh_agent_auth(x86-64)
>
> hpnssh-debuginfo:
>      debuginfo(build-id)
>      hpnssh-debuginfo
>      hpnssh-debuginfo(x86-64)
>
> hpnssh-debugsource:
>      hpnssh-debugsource
>      hpnssh-debugsource(x86-64)
>
>
>
> Generated by fedora-review 0.7.6 (b083f91) last change: 2020-11-10
> Command line :/usr/bin/fedora-review -n hpnssh -m fedora-36-x86_64
> Buildroot used: fedora-36-x86_64
> Active plugins: C/C++, Generic, Shell-api
> Disabled plugins: Python, Ruby, Perl, R, Java, SugarActivity, Ocaml, PHP,
> fonts, Haskell
> Disabled flags: EPEL6, EPEL7, DISTTAG, BATCH, EXARCH
>

This is an automatic check from review-stats script.

This review request ticket hasn't been updated for some time. We're sorry
it is taking so long. If you're still interested in packaging this software
into Fedora repositories, please respond to this comment clearing the
NEEDINFO flag.

You may want to update the specfile and the src.rpm to the latest version
available and to propose a review swap on Fedora devel mailing list to increase
chances to have your package reviewed. If this is your first package and you
need a sponsor, you may want to post some informal reviews. Read more at
https://fedoraproject.org/wiki/How_to_get_sponsored_into_the_packager_group.

Without any reply, this request will shortly be considered abandoned
and will be closed.
Thank you for your patience.

This is an automatic check from review-stats script.

This review request ticket hasn't been updated for some time. We're sorry
it is taking so long. If you're still interested in packaging this software
into Fedora repositories, please respond to this comment clearing the
NEEDINFO flag.

You may want to update the specfile and the src.rpm to the latest version
available and to propose a review swap on Fedora devel mailing list to increase
chances to have your package reviewed. If this is your first package and you
need a sponsor, you may want to post some informal reviews. Read more at
https://fedoraproject.org/wiki/How_to_get_sponsored_into_the_packager_group.

Without any reply, this request will shortly be considered abandoned
and will be closed.
Thank you for your patience.

This is an automatic action taken by review-stats script.

The ticket submitter failed to clear the NEEDINFO flag in a month.
As per https://fedoraproject.org/wiki/Policy_for_stalled_package_reviews
we consider this ticket as DEADREVIEW and proceed to close it.