Bug 800526 - Review Request: seahorse-sharing - Sharing of PGP public keys via DNS-SD and HKP
Summary: Review Request: seahorse-sharing - Sharing of PGP public keys via DNS-SD and HKP
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Michael S.
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-03-06 16:32 UTC by Rui Matos
Modified: 2012-04-12 21:33 UTC (History)
5 users (show)

Fixed In Version: seahorse-sharing-3.4.0-1.fc17
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-04-12 02:11:40 UTC
Type: ---
Embargoed:
misc: fedora-review+
gwync: fedora-cvs+


Attachments (Terms of Use)

Description Rui Matos 2012-03-06 16:32:49 UTC
Spec URL: http://glua.ua.pt/~rmatos/seahorse-sharing.spec
SRPM URL: http://glua.ua.pt/~rmatos/seahorse-sharing-3.2.1-1.fc16.src.rpm
http://koji.fedoraproject.org/koji/taskinfo?taskID=3858614

This was split out of the main seahorse package upstream. Please review.

Comment 1 Michael S. 2012-03-19 13:09:28 UTC
Hi,

a few comments : 

- %{_datadir}/pixmaps/seahorse/*/seahorse-share-keys.* 
this will create unowned directory, this should be corrected ( I think )

- there is libegg bundled, and so this requires to have a specific provides :

https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries#Packages_granted_exceptions

-

Comment 2 Rui Matos 2012-03-19 17:07:08 UTC
Thanks for the review!

(In reply to comment #1)
> - %{_datadir}/pixmaps/seahorse/*/seahorse-share-keys.* 
> this will create unowned directory, this should be corrected ( I think )

Should be fixed now.

> - there is libegg bundled, and so this requires to have a specific provides :
> 
> https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries#Packages_granted_exceptions

Does this make sense when there's no "official" libegg.so on the filesystem provided by any package? Consumers of this library usually just use some files from it and statically link them into their binaries. From a quick glance at both evince.spec and eog.spec neither lists this bundled(egglib) Provides although both use libegg files.

I also updated to the latest release:
Spec URL: http://glua.ua.pt/~rmatos/seahorse-sharing.spec
SRPM URL: http://glua.ua.pt/~rmatos/seahorse-sharing-3.3.92-1.fc16.src.rpm
http://koji.fedoraproject.org/koji/taskinfo?taskID=3910422

Comment 3 Michael S. 2012-03-19 18:07:28 UTC
I think the goal is to be able to see where we should push fixes if there is a security issue with libegg. And I think that both evince and eog where in the repository long before this policy have been created, so I guess no one spotted it before.

And indeed, that's because this is statically linked that there is a exception for the policy.

Comment 4 Matthias Clasen 2012-03-22 14:05:37 UTC
Yeah, I don't think we have any bundled() provides in desktop packages, currently. So why not make a start here ?

Comment 6 Michael S. 2012-03-29 20:45:02 UTC
Package Review
==============

Key:
- = N/A
x = Pass
! = Fail
? = Not evaluated



==== C/C++ ====
[x]: MUST Header files in -devel subpackage, if present.
[x]: MUST Package does not contain any libtool archives (.la)
[x]: MUST Package does not contain kernel modules.
[x]: MUST Package contains no static executables.
[x]: MUST Rpath absent or only used for internal libs.
[x]: MUST Package is not relocatable.


==== Generic ====
[x]: MUST Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[x]: MUST Package successfully compiles and builds into binary rpms on at
     least one supported primary architecture.
[x]: MUST %build honors applicable compiler flags or justifies otherwise.
[x]: MUST All build dependencies are listed in BuildRequires, except for any
     that are listed in the exceptions section of Packaging Guidelines.
[x]: MUST Buildroot is not present
     Note: Unless packager wants to package for EPEL5 this is fine
[x]: MUST Package contains no bundled libraries.
[x]: MUST Changelog in prescribed format.
[x]: MUST Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
     Note: Clean would be needed if support for EPEL is required
[x]: MUST Sources contain only permissible code or content.
[x]: MUST Each %files section contains %defattr if rpm < 4.4
     Note: Note: defattr macros not found. They would be needed for EPEL5
[x]: MUST Macros in Summary, %description expandable at SRPM build time.
[x]: MUST Package contains a properly installed %{name}.desktop using desktop-
     file-install file if it is a GUI application.
[x]: MUST Package requires other packages for directories it uses.
[x]: MUST Package uses nothing in %doc for runtime.
[x]: MUST Package is not known to require ExcludeArch.
[x]: MUST Permissions on files are set properly.
[x]: MUST Package does not contain duplicates in %files.
[x]: MUST Spec file lacks Packager, Vendor, PreReq tags.
[x]: MUST Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
     Note: rm -rf would be needed if support for EPEL5 is required
[x]: MUST Large documentation files are in a -doc subpackage, if required.
[x]: MUST If (and only if) the source package includes the text of the
     license(s) in its own file, then that file, containing the text of the
     license(s) for the package is included in %doc.
[x]: MUST License field in the package spec file matches the actual license.
[x]: MUST The spec file handles locales properly.
[x]: MUST Package consistently uses macros (instead of hard-coded directory
     names).
[x]: MUST Package is named according to the Package Naming Guidelines.
[x]: MUST Package does not generate any conflict.
[x]: MUST Package obeys FHS, except libexecdir and /usr/target.
[x]: MUST Package must own all directories that it creates.
[x]: MUST Package does not own files or directories owned by other packages.
[x]: MUST Package installs properly.
[x]: MUST Requires correct, justified where necessary.
[!]: MUST Rpmlint output is silent.

rpmlint seahorse-sharing-3.4.0-1.fc18.i686.rpm

seahorse-sharing.i686: W: obsolete-not-provided seahorse
seahorse-sharing.i686: W: non-conffile-in-etc /etc/xdg/autostart/seahorse-sharing.desktop
seahorse-sharing.i686: E: incorrect-fsf-address /usr/share/doc/seahorse-sharing-3.4.0/COPYING
1 packages and 0 specfiles checked; 1 errors, 2 warnings.


rpmlint seahorse-sharing-debuginfo-3.4.0-1.fc18.i686.rpm

seahorse-sharing-debuginfo.i686: E: incorrect-fsf-address /usr/src/debug/seahorse-sharing-3.4.0/daemon/seahorse-hkp-server.c
seahorse-sharing-debuginfo.i686: E: incorrect-fsf-address /usr/src/debug/seahorse-sharing-3.4.0/daemon/seahorse-sharing.c
seahorse-sharing-debuginfo.i686: E: incorrect-fsf-address /usr/src/debug/seahorse-sharing-3.4.0/daemon/seahorse-daemon.c
seahorse-sharing-debuginfo.i686: E: incorrect-fsf-address /usr/src/debug/seahorse-sharing-3.4.0/daemon/seahorse-unix-signal.h
seahorse-sharing-debuginfo.i686: E: incorrect-fsf-address /usr/src/debug/seahorse-sharing-3.4.0/libegg/eggdesktopfile.h
seahorse-sharing-debuginfo.i686: E: incorrect-fsf-address /usr/src/debug/seahorse-sharing-3.4.0/daemon/seahorse-unix-signal.c
seahorse-sharing-debuginfo.i686: E: incorrect-fsf-address /usr/src/debug/seahorse-sharing-3.4.0/daemon/seahorse-daemon.h
seahorse-sharing-debuginfo.i686: E: incorrect-fsf-address /usr/src/debug/seahorse-sharing-3.4.0/libegg/eggdesktopfile.c
1 packages and 0 specfiles checked; 8 errors, 0 warnings.


rpmlint seahorse-sharing-3.4.0-1.fc18.src.rpm

seahorse-sharing.src:11: W: unversioned-explicit-provides bundled(egglib)
1 packages and 0 specfiles checked; 0 errors, 1 warnings.


[x]: MUST Sources used to build the package match the upstream source, as
     provided in the spec URL.
/tmp/800526/seahorse-sharing-3.4.0.tar.xz :
  MD5SUM this package     : 6f5dac5fbf4ef064ccb48469663b5fe2
  MD5SUM upstream package : 6f5dac5fbf4ef064ccb48469663b5fe2

[x]: MUST Spec file is legible and written in American English.
[x]: MUST Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[-]: MUST Package contains a SysV-style init script if in need of one.
[x]: MUST File names are valid UTF-8.
[x]: MUST Useful -debuginfo package or justification otherwise.
[x]: SHOULD Reviewer should test that the package builds in mock.
[x]: SHOULD If the source package does not include license text(s) as a
     separate file from upstream, the packager SHOULD query upstream to
     include it.
[x]: SHOULD Dist tag is present.
[x]: SHOULD No file requires outside of /etc, /bin, /sbin, /usr/bin,
     /usr/sbin.
[x]: SHOULD Final provides and requires are sane (rpm -q --provides and rpm -q
     --requires).
[x]: SHOULD Package functions as described.
[x]: SHOULD Latest version is packaged.
[x]: SHOULD Package does not include license text files separate from
     upstream.
[x]: SHOULD SourceX is a working URL.
[-]: SHOULD Description and summary sections in the package spec file contains
     translations for supported Non-English languages, if available.
[x]: SHOULD Package should compile and build into binary rpms on all supported
     architectures.
[-]: SHOULD %check is present and all tests pass.
[x]: SHOULD Packages should try to preserve timestamps of original installed
     files.
[x]: SHOULD Spec use %global instead of %define.

Issues:
[!]: MUST Rpmlint output is silent.

rpmlint seahorse-sharing-3.4.0-1.fc18.i686.rpm

seahorse-sharing.i686: W: obsolete-not-provided seahorse
seahorse-sharing.i686: W: non-conffile-in-etc /etc/xdg/autostart/seahorse-sharing.desktop
seahorse-sharing.i686: E: incorrect-fsf-address /usr/share/doc/seahorse-sharing-3.4.0/COPYING
1 packages and 0 specfiles checked; 1 errors, 2 warnings.


rpmlint seahorse-sharing-debuginfo-3.4.0-1.fc18.i686.rpm

seahorse-sharing-debuginfo.i686: E: incorrect-fsf-address /usr/src/debug/seahorse-sharing-3.4.0/daemon/seahorse-hkp-server.c
seahorse-sharing-debuginfo.i686: E: incorrect-fsf-address /usr/src/debug/seahorse-sharing-3.4.0/daemon/seahorse-sharing.c
seahorse-sharing-debuginfo.i686: E: incorrect-fsf-address /usr/src/debug/seahorse-sharing-3.4.0/daemon/seahorse-daemon.c
seahorse-sharing-debuginfo.i686: E: incorrect-fsf-address /usr/src/debug/seahorse-sharing-3.4.0/daemon/seahorse-unix-signal.h
seahorse-sharing-debuginfo.i686: E: incorrect-fsf-address /usr/src/debug/seahorse-sharing-3.4.0/libegg/eggdesktopfile.h
seahorse-sharing-debuginfo.i686: E: incorrect-fsf-address /usr/src/debug/seahorse-sharing-3.4.0/daemon/seahorse-unix-signal.c
seahorse-sharing-debuginfo.i686: E: incorrect-fsf-address /usr/src/debug/seahorse-sharing-3.4.0/daemon/seahorse-daemon.h
seahorse-sharing-debuginfo.i686: E: incorrect-fsf-address /usr/src/debug/seahorse-sharing-3.4.0/libegg/eggdesktopfile.c
1 packages and 0 specfiles checked; 8 errors, 0 warnings.


rpmlint seahorse-sharing-3.4.0-1.fc18.src.rpm

seahorse-sharing.src:11: W: unversioned-explicit-provides bundled(egglib)
1 packages and 0 specfiles checked; 0 errors, 1 warnings.


See: http://fedoraproject.org/wiki/Packaging/Guidelines#rpmlint


Generated by fedora-review 0.1.3
External plugins:


So the rpmlint warning are either normal ( ie, obsolete without conflict is the thing to do, I think ), or something that should be corrected upstream ( the FSF address ), or just wrong ( ie, /etc/xdg/autostart, maybe this should be moved to /usr/lib, like what is done with systemd ).

So the package is good to go.

Comment 7 Rui Matos 2012-03-30 12:27:56 UTC
New Package SCM Request
=======================
Package Name: seahorse-sharing
Short Description: Sharing of PGP public keys via DNS-SD and HKP
Owners: rtcm
Branches: f17
InitialCC:

Comment 8 Gwyn Ciesla 2012-03-30 12:50:38 UTC
Git done (by process-git-requests).

Comment 9 Fedora Update System 2012-03-30 13:24:10 UTC
seahorse-sharing-3.4.0-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/seahorse-sharing-3.4.0-1.fc17

Comment 10 Fedora Update System 2012-03-30 18:00:35 UTC
seahorse-sharing-3.4.0-1.fc17 has been pushed to the Fedora 17 testing repository.

Comment 11 Kalev Lember 2012-04-01 10:52:08 UTC
I am pretty uncomfortable seeing Obsoletes: seahorse < 3.1.4 in this spec file. What this does on upgrades is removing seahorse and installing seahorse-sharing instead. Is this behaviour intended?

Comment 12 Michael S. 2012-04-01 12:45:43 UTC
From what I understand, if I have the old seahorse, and if I install the new seahorse-sharing , it will remove the old seahorse, that's all.

If I do a upgrade from one fedora version to another one, it should also install a new seahorse, and so the Obsoletes should not apply on it.

But I do not know enough yum to be sure

Comment 13 Kalev Lember 2012-04-01 17:59:25 UTC
(In reply to comment #12)
> From what I understand, if I have the old seahorse, and if I install the new
> seahorse-sharing , it will remove the old seahorse, that's all.

Exactly, and this will also happen on package update: seahorse gets removed and replaced with seahorse-sharing.

Yum has a nice wiki page that describes behaviour with Obsoletes:
http://yum.baseurl.org/wiki/YumPackageUpdates


If we consider a system with seahorse-3.0.0-1.fc15 installed and a repo with seahorse-3.4.0-1.fc17 and seahorse-sharing-3.4.0-1.fc17 available, there are 3 different ways to do the upgrade:

a)
Installed:
seahorse-3.0.0-1.fc15
After distro update:
seahorse-3.4.0-1.fc17

b)
Installed:
seahorse-3.0.0-1.fc15
After distro update:
seahorse-3.4.0-1.fc17
seahorse-sharing-3.4.0-1.fc17

c)
Installed:
seahorse-3.0.0-1.fc15
After distro update:
seahorse-sharing-3.4.0-1.fc17


Which one of these is desired here? What currently happens with the way Obsoletes are used in this package is option (c).

Comment 14 Michael S. 2012-04-01 19:32:28 UTC
If we want A, that's indeed incorrect. 

But since the feature was present in seahorse before, I assume that's B.
According to the page you gave, this should requires adding Obsoletes to seahorse and seahorse-sharing is correct.

So i think a new bug should be opened against seahorse for that.

Comment 15 Kalev Lember 2012-04-04 23:02:43 UTC
Yes, I agree, adding self-obsoletes to seahorse sounds like the right thing to do here.

Comment 16 Fedora Update System 2012-04-12 02:11:40 UTC
seahorse-sharing-3.4.0-1.fc17 has been pushed to the Fedora 17 stable repository.

Comment 17 Kalev Lember 2012-04-12 21:33:18 UTC
Added the self-obsoletes in seahorse-3.4.0-2.fc17:
http://pkgs.fedoraproject.org/gitweb/?p=seahorse.git;a=commit;h=7b450ab5


Note You need to log in before you can comment on or make changes to this bug.