Hi all
I want to submit lcm[1] (Lightweight Communications and Marshaling) to EPEL soon, but I'm currently struggling with a few issues found by rpmlint (and probably more).
I was wondering if I could get some help before submitting the package to fix 2 particular issues. The spec file and a sample SRPM file are available here[2].
The current errors I'm struggling with are the following:
lcm.x86_64: W: dangerous-command-in-%post mv
lcm.x86_64: E: use-tmp-in-%post
lcm.x86_64: W: dangerous-command-in-%preun mv
lcm.x86_64: E: use-tmp-in-%preun
1 packages and 0 specfiles checked; 2 errors, 2 warnings.
Any indications or help regarding these particular issues would be welcomed.
Best Regards,
NM

[1] - http://code.google.com/p/lcm
[2] - http://nmarques.fedorapeople.org/packages/lcm-0.7.1/
On 12/14/2011 12:29 PM, Nelson Manuel Marques wrote:
> Hi all
> I want to submit lcm[1] (Lightweight Communications and Marshaling) to EPEL soon, but I'm currently struggling with a few issues found by rpmlint (and probably more).
> I was wondering if I could get some help before submitting the package to fix 2 particular issues. The spec file and a sample SRPM file are available here[2].
> The current errors I'm struggling with are the following:
> lcm.x86_64: W: dangerous-command-in-%post mv
> lcm.x86_64: E: use-tmp-in-%post
> lcm.x86_64: W: dangerous-command-in-%preun mv
> lcm.x86_64: E: use-tmp-in-%preun
> 1 packages and 0 specfiles checked; 2 errors, 2 warnings.
> Any indications or help regarding these particular issues would be welcomed.

The scriptlets use predictable temporary filenames, which is a security vulnerability (see http://www.linuxsecurity.com/content/view/115462/151/ for an explanation).
Think carefully about whether it's actually necessary to edit /etc/sysctl.conf in %post/%postun; an alternative approach might be to document the required changes in a README.rpm file. It's hard to say as I don't know how important the suggested changes are for the package's operation and what any drawbacks might be of setting those values.
Paul.
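
Added example, not part of the thread and not taken from the lcm spec file: one way a scriptlet that really must rewrite a config file can avoid the predictable /tmp name Paul describes, by creating the temporary file with mktemp beside the target and renaming it into place. The function name, the sysctl key and value, and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; the sysctl key, value and paths are constructed placeholders.
#
# Shape of scriptlet that rpmlint reports as use-tmp-in-%post (not executed):
#   grep -v '^net.core.rmem_max' /etc/sysctl.conf > /tmp/sysctl.tmp
#   mv /tmp/sysctl.tmp /etc/sysctl.conf
# The name is fixed and /tmp is world-writable, so any local user can create
# that path first and thereby control what root's redirect writes to.

# set_conf_key FILE KEY VALUE
# Replace (or append) "KEY = VALUE" in FILE through a randomly named temp file
# created beside FILE, then rename it over FILE in one step.
set_conf_key() {
    conf=$1; key=$2; value=$3
    dir=$(dirname "$conf")
    # mktemp creates the file exclusively, mode 0600, with a random suffix.
    tmp=$(mktemp "$dir/.sysctl.XXXXXX") || return 1
    # Copy every line except an existing assignment of exactly KEY.
    if ! awk -v k="$key" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, k) == 1 && substr(line, length(k) + 1) ~ /^[ \t]*=/ { next }
        { print }' "$conf" > "$tmp"
    then
        rm -f -- "$tmp"; return 1
    fi
    printf '%s = %s\n' "$key" "$value" >> "$tmp"
    # Keep the original file mode (GNU chmod); fall back to 0644 elsewhere.
    chmod --reference="$conf" "$tmp" 2>/dev/null || chmod 0644 "$tmp"
    # Same directory means same filesystem, so mv is an atomic rename.
    mv -f -- "$tmp" "$conf" || { rm -f -- "$tmp"; return 1; }
}

# Demo on a constructed file in a private directory, never the real config.
demo=$(mktemp -d) || exit 1
printf '%s\n' '# constructed sample' 'net.core.rmem_max = 1024' \
    'kernel.sysrq = 0' > "$demo/sysctl.conf"
set_conf_key "$demo/sysctl.conf" net.core.rmem_max 2097152
cat "$demo/sysctl.conf"
rm -rf -- "$demo"
```
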
On Wed, 2011-12-14 at 12:45 +0000, Paul Howarth wrote:
> On 12/14/2011 12:29 PM, Nelson Manuel Marques wrote:
> > Hi all
> > I want to submit lcm[1] (Lightweight Communications and Marshaling) to EPEL soon, but I'm currently struggling with a few issues found by rpmlint (and probably more).
> > I was wondering if I could get some help before submitting the package to fix 2 particular issues. The spec file and a sample SRPM file are available here[2].
> > The current errors I'm struggling with are the following:
> > lcm.x86_64: W: dangerous-command-in-%post mv
> > lcm.x86_64: E: use-tmp-in-%post
> > lcm.x86_64: W: dangerous-command-in-%preun mv
> > lcm.x86_64: E: use-tmp-in-%preun
> > 1 packages and 0 specfiles checked; 2 errors, 2 warnings.
> > Any indications or help regarding these particular issues would be welcomed.
>
> The scriptlets use predictable temporary filenames, which is a security vulnerability (see http://www.linuxsecurity.com/content/view/115462/151/ for an explanation).

Hi Paul,
Thanks for this link, it's actually pretty useful, not only for this situation but for others I foresee.

> Think carefully about whether it's actually necessary to edit /etc/sysctl.conf in %post/%postun; an alternative approach might be to document the required changes in a README.rpm file. It's hard to say as I don't know how important the suggested changes are for the package's operation and what any drawbacks might be of setting those values.

I've consulted the engineers who work with this component and they pointed out to me that these are optimal values for internal usage. They do recommend them, but we will do this internally using another methodology so we can maintain this package on EPEL. The 'offending/superfluous' %post and %postun for the lcm package are removed.
I will proceed now into submission to EPEL.
Thanks for your help, it was most welcome.
Nelson
> Paul.
epel-devel-list mailing list epel-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/epel-devel-list