Request for review: keychain
Chris Grau
chris at chrisgrau.com
Tue Jul 12 02:41:56 UTC 2005
On Mon, Jul 11, 2005 at 10:10:35PM -0400, Ed Hill wrote:
> On Tue, 2005-07-12 at 01:52 +0200, Alexander Dalloz wrote:
> > keychain: agent manager for OpenSSH, ssh.com, Sun SSH, and GnuPG
>
> > http://www.uni-x.org/keychain.spec
> > http://www.uni-x.org/keychain-2.5.4.1-1.src.rpm
>
>
> Hi Alexander,
>
> Hey, that's funny! I've been referring people to those well-written IBM
> developerWorks articles on SSH:
>
> http://www-106.ibm.com/developerworks/linux/library/l-keyc2/
>
> that are referenced from the main keychain web site but I never actually
> took the time to learn about or use keychain itself. I just use ssh-add
> and ssh-agent. Silly me!
>
> So here's a quick review of keychain which mostly looks good:
>
> please fix:
> - rpmlint complains:
> W: keychain summary-not-capitalized agent manager ...
> - BuildRoot should be:
> %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
> - please add dist to version: 2.5.4.1%{?dist}
Shouldn't that be added to revision rather than version?
> good:
> - names OK
> - spec mostly OK (except above) -- *very* simple!
> - src matches upstream
> - license OK
> - seems to build, install, and work on FC3
> - cleans OK
> - perms OK
> - code not content OK
>
> And, if possible, it would be nice if we could get a second opinion on
> the security implications of the actual "keychain" shell script. I'm
> *no* security guru and maybe someone more knowledgeable could step in
> and say the script looks OK. Or that it's probably OK since it's widely
> used and widely reviewed...?
>
> Or, is that just too much to ask for as part of the package review
> process?
The script is pretty long, but I've skimmed it in the past. I'm not
really an expert, but it's just a fancy wrapper around ssh-agent and
ssh-add, so the security implications are more or less passed on to
those programs.
> Ed -- who doesn't want to become known as "that moron who said it was
> just dandy to include a security nightmare in Extras" ;-)
-chris -- who will probably become known as "that moron who seconded
Ed's dandy opinion"
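As an added illustration (not part of the thread or of the keychain package), the three "please fix" items above turned into a small spec-file checker; the sample spec fragment is constructed to reproduce those issues, and the %{?dist} check follows the point that the dist tag belongs in Release rather than Version.

```python
import re

# Constructed sample spec fragment (not the real keychain.spec from the thread);
# it reproduces the three issues raised in the review.
SAMPLE_SPEC = """\
Name:       keychain
Version:    2.5.4.1
Release:    1
Summary:    agent manager for OpenSSH, ssh.com, Sun SSH, and GnuPG
License:    GPL
BuildRoot:  %{_tmppath}/%{name}-root
"""

# The same fragment with each finding addressed.
FIXED_SPEC = """\
Name:       keychain
Version:    2.5.4.1
Release:    1%{?dist}
Summary:    Agent manager for OpenSSH, ssh.com, Sun SSH, and GnuPG
License:    GPL
BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
"""

GOOD_BUILDROOT = "%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)"

def parse_tags(spec: str) -> dict:
    """Collect preamble tags (Name, Version, ...) into a dict; first occurrence wins."""
    tags = {}
    for line in spec.splitlines():
        m = re.match(r"^([A-Za-z]+)\s*:\s*(.*?)\s*$", line)
        if m and m.group(1) not in tags:
            tags[m.group(1)] = m.group(2)
    return tags

def review_spec(spec: str) -> list:
    """Apply the review's three 'please fix' checks and return the findings."""
    tags = parse_tags(spec)
    findings = []
    summary = tags.get("Summary", "")
    if summary and not summary[0].isupper():          # rpmlint: summary-not-capitalized
        findings.append("summary-not-capitalized: " + summary)
    if tags.get("BuildRoot") != GOOD_BUILDROOT:        # recommended BuildRoot form
        findings.append("BuildRoot should be " + GOOD_BUILDROOT)
    if "%{?dist}" not in tags.get("Release", ""):      # dist tag goes in Release
        findings.append("Release lacks %{?dist}")
    if "%{?dist}" in tags.get("Version", ""):          # and not in Version
        findings.append("%{?dist} belongs in Release, not Version")
    return findings

if __name__ == "__main__":
    for f in review_spec(SAMPLE_SPEC):
        print("please fix:", f)
```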