On Sun, Dec 27, 2020 at 11:32 PM Dan Čermák
<dan.cer...@cgc-instruments.com> wrote:
> The spec file is mostly good, I'd suggest a few changes though:
> - use macros instead of hardcoded paths, e.g. %_bindir instead of
>   /usr/bin/
> - don't disable the debug package generation, Fedora packages must
>   include debuginfo versions
> - replace make %{?_smp_mflags} with:
>   %set_build_flags
>   %make_build
> - mark LICENSE.txt as %license and not as %doc
> - there is no need to install the documentation under
>   /usr/share/doc/snebu manually, you can just add the following into
>   %files and rpmbuild will copy the files into the right place:
>   %doc readme.md
>   %doc snebu.adoc
> - I'd recommend to replace the %pre check for the snebu user with a
>   systemd-sysusers config:
>   https://fedoraproject.org/wiki/Changes/SystemdSysusers
>
> And one general issue not directly related to rpmbuild itself: does your
> Makefile honor the CFLAGS & LDFLAGS environment variables? Because if it
> does not, then all the compiler hardening flags that %set_build_flags
> injects will be just ignored.

I have made these changes, and updated to the latest upstream release
version 1.1.1.  I have also run through the following:
* Successful build under mock
* Success with Koji -- Task info:
https://koji.fedoraproject.org/koji/taskinfo?taskID=58581576
* All assets (spec file, srpm, upstream source) are published as
Github Release Assets, which are referenced in the ticket and the
.spec file.
* Have created a Bugzilla ticket: 1911565, and marked it as blocking
FE-NEEDSPONSOR

Anything else I've missed?

Since the package installs a binary that is owned by a non-root
utility account and SUID that user (for privilege management and
separation), I can prepare a security writeup on that mechanism
(essentially it compares the UID with the EUID -- if they don't match,
then it looks up the UID in an accounts permissions table to determine
which actions that user can perform).

Also if further information is needed on the encryption used, that is
at https://www.snebu.com/tarcrypt.html.

--Derek Pressnall
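The UID/EUID check described in the message above, as an added example that is not snebu's own code: the permission bits, the table layout and the numeric UIDs are constructed for illustration.

```c
/* Added example, not snebu code. Models a binary that is SUID to a non-root
   service account: if the real UID equals the effective UID the caller is the
   service account itself; otherwise the caller entered through the SUID bit
   and must be looked up in a permissions table. Unknown callers are denied. */
#include <stdio.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/types.h>

/* Constructed action bits (hypothetical, not snebu's). */
enum perm { PERM_NONE = 0, PERM_BACKUP = 1, PERM_RESTORE = 2, PERM_ADMIN = 4 };

struct acl_entry {
    uid_t uid;       /* real UID of the calling user */
    unsigned perms;  /* bitmask of allowed actions */
};

/* Constructed sample table: the UIDs and grants are made up. */
static const struct acl_entry sample_acl[] = {
    { 1001, PERM_BACKUP },
    { 1002, PERM_BACKUP | PERM_RESTORE },
};

/* Returns 1 if the real caller may perform every bit in 'want', else 0.
   ruid == euid: not running setuid, caller is the owning account, allow.
   ruid != euid: entered via SUID, consult the table; default deny. */
int allowed_action(uid_t ruid, uid_t euid, const struct acl_entry *acl,
                   size_t n, unsigned want)
{
    if (ruid == euid)
        return 1;
    for (size_t i = 0; i < n; i++)
        if (acl[i].uid == ruid)
            return (acl[i].perms & want) == want;
    return 0;  /* unknown UID: no actions permitted */
}

int main(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    size_t n = sizeof sample_acl / sizeof sample_acl[0];
    printf("ruid=%u euid=%u backup=%d restore=%d\n",
           (unsigned)ruid, (unsigned)euid,
           allowed_action(ruid, euid, sample_acl, n, PERM_BACKUP),
           allowed_action(ruid, euid, sample_acl, n, PERM_RESTORE));
    return 0;
}
```

Run directly it reports the invoking user's grants; the check is the pure function so it can be unit-tested without installing anything SUID.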
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org