[Bug 220931] Review Request: ZoneMinder - Linux CCTV package

bugzilla at redhat.com bugzilla at redhat.com
Sat Jun 23 20:25:31 UTC 2007


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220931

------- Additional Comments From tibbs at math.uh.edu  2007-06-23 16:25 EST -------
BTW, if you have other packages, you should submit them.  Sponsorship is always harder to achieve when you've only provided one packaging sample.  Maybe that's one reason this ticket has been around for so long.  But no matter; I'll take care of things now.

I think an assumption that _datadir will change only rarely is OK and better than having the absolute symlinks.

I was actually asking whether the application could be patched when I asked if it's not possible to direct the program to look directly in /var/lib/zm/*
instead of needing symlinks.  I guess the fundamental question is whether that data needs to be directly accessible from a URL.  And a related question is whether those directories need to be restricted in some way.

I just checked my zoneminder installation and I'm rather surprised to see that you can look in the events directory and see basically everything without logging in at all.  Now, it's possible that my installation is screwed up; I'm using some other packaging so whatever it does might not be duplicated by this package.  But in this package I don't see anything which would prevent this; FollowSymlinks is explicitly set, as is Indexes.

So in fact, I think that it's rather critically important that what's in /var/lib/zm not be visible at all from the web, and so it really shouldn't be present or reachable from /usr/share/zoneminder/www.  This either entails patching the software to just look in /var/lib/zm directly and to drop the symlinks, or to restrict access to those directories somehow with .htaccess files or directly in the zoneminder.conf file.

And on the subject of access control, if this package ships with some sort of default password, the default access controls in zoneminder.conf need to deny all access by default except that from localhost.  Currently just installing this package gives the world access, and that coupled with default passwords is bad.  Usually packages include a README.Fedora file explaining additional configuration bits like this which need to be done.

The scriptlets look a bit weird; it's meaningless to have the #! line in them since they are passed to /bin/sh by default unless you specify another shell with -p.  But I don't really see any issue with adding comments to a scriptlet.

I note that some additional features are enabled when Archive::Tar is installed; as it's a small module, would it be worth adding it as a dependency?

In summary, I see the access control issues as blockers.

Review:
* source files match upstream:
   6bee02be8d5e21d3435c17def157a87727330ee6480be3a8fa5b1966cc10a6bc  ZoneMinder-1.22.3.tar.gz
   257d2866fea1dd884810ae00828f32e852568c49cd7ef7560f67fa4f496d1c13  cambozola-0.68.tar.gz
* package meets naming and versioning guidelines.
* specfile is properly named, is cleanly written and uses macros consistently.
* summary is OK.
* description is OK.
* dist tag is present.
* build root is OK.
* license field matches the actual license.
* license is open source-compatible.
* license text included in package.
* latest version is being packaged.
* BuildRequires are proper.
* compiler flags are appropriate.
* %clean is present.
* package builds in mock (development, x86_64).
* package installs properly
* debuginfo package looks complete.
* rpmlint has acceptable complaints.
* final provides and requires are sane:
   config(zoneminder) = 1.22.3-3.fc8
   perl(ZoneMinder)
   perl(ZoneMinder::Base) = 1.22.3
   perl(ZoneMinder::Config)
   perl(ZoneMinder::ConfigAdmin)
   perl(ZoneMinder::Database)
   perl(ZoneMinder::Debug)
   perl(ZoneMinder::SharedMem)
   perl(ZoneMinder::Trigger::Channel)
   perl(ZoneMinder::Trigger::Channel::File)
   perl(ZoneMinder::Trigger::Channel::Handle)
   perl(ZoneMinder::Trigger::Channel::Inet)
   perl(ZoneMinder::Trigger::Channel::Serial)
   perl(ZoneMinder::Trigger::Channel::Spawning)
   perl(ZoneMinder::Trigger::Channel::Unix)
   perl(ZoneMinder::Trigger::Connection)
   perl(ZoneMinder::Trigger::Connection::Example)
   zoneminder = 1.22.3-3.fc8
  =
   /bin/sh
   /sbin/chkconfig
   /sbin/service
   /usr/bin/perl
   config(zoneminder) = 1.22.3-3.fc8
   httpd
   libcrypto.so.6()(64bit)
   libgcc_s.so.1()(64bit)
   libgcc_s.so.1(GCC_3.0)(64bit)
   libjpeg.so.62()(64bit)
   libmysqlclient.so.15()(64bit)
   libmysqlclient.so.15(libmysqlclient_15)(64bit)
   libpcre.so.0()(64bit)
   libstdc++.so.6()(64bit)
   libstdc++.so.6(CXXABI_1.3)(64bit)
   libstdc++.so.6(GLIBCXX_3.4)(64bit)
   libz.so.1()(64bit)
   perl >= 0:5.006
   perl(Carp)
   perl(DBD::mysql)
   perl(DBI)
   perl(Data::Dumper)
   perl(Date::Manip)
   perl(Device::SerialPort)
   perl(Exporter)
   perl(Fcntl)
   perl(Getopt::Long)
   perl(IO::Handle)
   perl(LWP::UserAgent)
   perl(POSIX)
   perl(Socket)
   perl(Storable)
   perl(Sys::Syslog)
   perl(Time::HiRes)
   perl(ZoneMinder)
   perl(ZoneMinder::Base)
   perl(ZoneMinder::Config)
   perl(ZoneMinder::ConfigAdmin)
   perl(ZoneMinder::Database)
   perl(ZoneMinder::Debug)
   perl(ZoneMinder::SharedMem)
   perl(ZoneMinder::Trigger::Channel)
   perl(ZoneMinder::Trigger::Channel::Handle)
   perl(ZoneMinder::Trigger::Channel::Inet)
   perl(ZoneMinder::Trigger::Channel::Serial)
   perl(ZoneMinder::Trigger::Channel::Spawning)
   perl(ZoneMinder::Trigger::Channel::Unix)
   perl(ZoneMinder::Trigger::Connection)
   perl(bytes)
   perl(constant)
   perl(strict)
   perl(warnings)
* %check is not present; no test suite upstream.  I don't have the means to test
  this at the moment.
* no shared libraries are added to the regular linker search paths.
* owns the directories it creates.
* doesn't own any directories it shouldn't.
* no duplicates in %files.
* file permissions are appropriate.
* scriptlets are OK (service installation)
* code, not content.
* documentation is small, so no -docs subpackage is necessary.
* %docs are not necessary for the proper functioning of the package.
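As an added illustration of the access-control points raised above (this is example configuration written for this review page, not the package's own zoneminder.conf), an Apache 2.2-style fragment showing the exposing settings the reviewer describes beside a restricted version. The Alias path and the directory names are assumptions based on the paths named in the comment.

```apache
# --- Exposing (what the reviewer describes) -----------------------------
# Indexes lets anyone list the events directory; FollowSymLinks lets the
# symlinks under the web root lead straight into /var/lib/zm.  Everything
# is reachable from anywhere, before any ZoneMinder login happens.
Alias /zm /usr/share/zoneminder/www            # assumed Alias
<Directory /usr/share/zoneminder/www>
    Options Indexes FollowSymLinks
    Order allow,deny
    Allow from all
</Directory>

# --- Restricted (default-deny, localhost only) --------------------------
# 1. No directory listings, and Apache refuses to traverse symlinks at
#    all, so the events/images links under the web root return 403
#    instead of serving /var/lib/zm contents.
# 2. Deny everything except the local host until the administrator has
#    changed the default password and deliberately opened access
#    (the kind of step a README.Fedora would document).
<Directory /usr/share/zoneminder/www>
    Options -Indexes -FollowSymLinks
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Directory>

# Belt and braces: even if someone later adds an Alias pointing directly
# at the data directory, it is still not served.  Note this block matches
# the filesystem path as mapped from the URL, so on its own it does NOT
# protect against the symlinked path; the -FollowSymLinks above does that.
<Directory /var/lib/zm>
    Order deny,allow
    Deny from all
</Directory>
```

A quick check after restarting httpd is that `curl -I http://localhost/zm/events/` from the web host returns 403 (or 404 once the symlinks are dropped), and that the same URL from any other host is refused.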

More information about the Fedora-package-review mailing list