Why is ./configure --enable-debug present? This presumably disables optimization. Bro appears to compile with RelWithDebugInfo by default anyway.
The 0%{?_undocumented_hack_closes_scriptlets} hacks are not needed since there are no longer comments between those sections as in the rocknsm version, and do not work for me with that version anyway (still give the error described in https://bugzilla.redhat.com/show_bug.cgi?id=1315935).
Suggested patch:
diff --git a/bro.spec b/bro.spec
index 3fb0848..df31be2 100644
--- a/bro.spec
+++ b/bro.spec
@@ -36,7 +36,7 @@ Summary: The core bro installation without broctl
Requires: bind-libs
Requires: GeoIP
%ifnarch s390 s390x
-Requires: gperftools
+Requires: gperftools-libs
%endif
Requires: libpcap
%if 0%{?fedora} >= 26
@@ -80,7 +80,7 @@ and open-science communities.
Summary: Compile-time generated source files needed to build bro packages
Requires: cmake
-Requires: bro-core = %{version}-%{release}
+Requires: bro = %{version}-%{release}
%description -n bro-devel
Installs the compile-time generated files known as BRODIST needed to build bro
@@ -105,7 +105,7 @@ This package contains the header files for binpac.
%package -n broctl
Summary: A control tool for bro
-Buildarch: noarch
+BuildArch: noarch
BuildRequires: python2-devel
BuildRequires: systemd
BuildRequires: pysubnettree
@@ -220,7 +220,6 @@ sed -i -e '1i#! /usr/bin/bash' aux/broctl/bin/set-bro-path aux/broctl/bin/helper
--plugindir=%{_libdir}/bro/plugins \
--distdir=%{_usrsrc}/%{name}-%{version} \
--disable-rpath \
- --enable-debug \
--enable-mobile-ipv6 \
--enable-binpac
make %{?_smp_mflags}
@@ -326,14 +325,8 @@ exit 0
%systemd_postun bro.service
%post -n broccoli -p /sbin/ldconfig
-%if ( 0%{?_undocumented_hack_closes_scriptlets} )
-%postun
-%endif
%postun -n broccoli -p /sbin/ldconfig
-%if ( 0%{?_undocumented_hack_closes_scriptlets} )
-%postun
-%endif
%check
make test
@@ -345,7 +338,7 @@ make test
%files -n bro-core
%doc CHANGES NEWS README VERSION
%license COPYING
-%caps(cap_net_admin,cap_net_raw=pie) %{_bindir}/bro
+%attr(0750,root,bro) %caps(cap_net_admin,cap_net_raw=pie) %{_bindir}/bro
%{_bindir}/bro-config
%{_bindir}/bro-cut
%{_mandir}/man1/bro-cut.1*
N.B. I actually tested this on CentOS 7.3 from source, just lightly modifying the python-sphinx dependency. The issues above should all apply to this build as well. The python_sitelib changes in the EPEL7 branch break the build for me, the original python2_sitelib works fine.
Bug in my above suggested patch: The bro group needs to be added by bro-core not later if taking the capabilities approach there. Otherwise, /usr/bin/bro is set to root,root on machines that don't already have the bro group as the dependency relationship means broctl is installed after bro-core. All of the other files under the bro group and systemd service script are owned by the broctl package so this is a little awkward. I'm assuming here that chmoding the bro binary when broctl is installed would be frowned upon.
This update has been submitted for testing by fab.
This update has been pushed to testing.
This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes
Suggested patch:
N.B. I actually tested this on CentOS 7.3 from source, just lightly modifying the python-sphinx dependency. The issues above should all apply to this build as well. The python_sitelib changes in the EPEL7 branch break the build for me, the original python2_sitelib works fine.
Bug in my above suggested patch: The bro group needs to be added by bro-core not later if taking the capabilities approach there. Otherwise,
/usr/bin/bro
is set toroot,root
on machines that don't already have the bro group as the dependency relationship means broctl is installed after bro-core. All of the other files under the bro group and systemd service script are owned by the broctl package so this is a little awkward. I'm assuming here that chmoding the bro binary when broctl is installed would be frowned upon.works