Request for review: keychain
Ed Hill
ed at eh3.com
Tue Jul 12 02:10:35 UTC 2005
On Tue, 2005-07-12 at 01:52 +0200, Alexander Dalloz wrote:
> keychain: agent manager for OpenSSH, ssh.com, Sun SSH, and GnuPG
> http://www.uni-x.org/keychain.spec
> http://www.uni-x.org/keychain-2.5.4.1-1.src.rpm
Hi Alexander,
Hey, that's funny! I've been referring people to those well-written IBM
developerWorks articles on SSH:
http://www-106.ibm.com/developerworks/linux/library/l-keyc2/
that are referenced from the main keychain web site but I never actually
took the time to learn about or use keychain itself. I just use ssh-add
and ssh-agent. Silly me!
So here's a quick review of keychain which mostly looks good:
please fix:
- rpmlint complains:
    W: keychain summary-not-capitalized agent manager ...
- BuildRoot should be:
    %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
- please add dist to version: 2.5.4.1%{?dist}
good:
- names OK
- spec mostly OK (except above) -- *very* simple!
- src matches upstream
- license OK
- seems to build, install, and work on FC3
- cleans OK
- perms OK
- code not content OK
And, if possible, it would be nice if we could get a second opinion on
the security implications of the actual "keychain" shell script. I'm
*no* security guru and maybe someone more knowledgeable could step in
and say the script looks OK. Or that it's probably OK since it's widely
used and widely reviewed...?
Or, is that just too much to ask for as part of the package review
process?
Ed -- who doesn't want to become known as "that moron who said it was
just dandy to include a security nightmare in Extras" ;-)
--
Edward H. Hill III, PhD
office: MIT Dept. of EAPS; Rm 54-1424; 77 Massachusetts Ave.
Cambridge, MA 02139-4307
emails: eh3 at mit.edu ed at eh3.com
URLs: http://web.mit.edu/eh3/ http://eh3.com/
phone: 617-253-0098
fax: 617-253-4464