Bug 1009998

Summary: Review Request: ubu-keyring - GnuPG keys of the Ubuntu archive
Product: [Fedora] Fedora Reporter: Sandro Mani <manisandro>
Component: Package ReviewAssignee: Mario Blättermann <mario.blaettermann>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: mario.blaettermann, notting, private
Target Milestone: ---Flags: mario.blaettermann: fedora-review+
gwync: fedora-cvs+
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ubu-keyring-2012.05.19-2.fc19 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-10-30 01:50:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1010857    
Bug Blocks: 182235    

Description Sandro Mani 2013-09-19 16:36:38 UTC
Spec URL: http://smani.fedorapeople.org/review/ubuntu-keyring.spec
SRPM URL: http://smani.fedorapeople.org/review/ubuntu-keyring-2012.05.19-1.fc21.src.rpm
Description: GnuPG keys of the Ubuntu archive
Fedora Account System Username: smani

Comment 1 Sandro Mani 2013-09-19 16:42:54 UTC
Note: the %{_datadir}/keyrings folder is unowned. I am unsure what is the best way to proceed, see fedora-devel post [1].

[1] https://lists.fedoraproject.org/pipermail/devel/2013-September/189400.html

Comment 2 Sandro Mani 2013-09-23 08:27:42 UTC
Spec URL: http://smani.fedorapeople.org/review/ubuntu-keyring.spec
SRPM URL: http://smani.fedorapeople.org/review/ubuntu-keyring-2012.05.19-2.fc21.src.rpm

* Mon Sep 23 2013 Sandro Mani <manisandro> - 2012.05.19-2
- Add keyrings-filesystem Requires and BuildRequires.

Comment 3 Mario Blättermann 2013-09-26 19:25:30 UTC
As far as I can see, it could cause problem to use "ubuntu" in the package name due to those trademark policy:
http://www.ubuntu.com/intellectual-property-policy

"You can use the Trademarks, in accordance with Canonical’s brand guidelines, with Canonical’s permission in writing. If you require a Trademark licence, please contact us (as set out below).

You will require Canonical’s permission to use: (i) any mark ending with the letters UBUNTU or BUNTU which is sufficiently similar to the Trademarks or any other confusingly similar mark, and (ii) any Trademark in a domain name or URL or for merchandising purposes.

You cannot use the Trademarks in software titles. If you are producing software for use with or on Ubuntu you may reference Ubuntu, but must avoid: (i) any implication of endorsement, or (ii) any attempt to unfairly or confusingly capitalise on the goodwill of Canonical or Ubuntu.

You can use the Trademarks in discussion, commentary, criticism or parody, provided that you do not imply endorsement by Canonical.

You can write articles, create websites, blogs or talk about Ubuntu, provided that it is clear that you are in no way speaking for or on behalf of Canonical and that you do not imply endorsement by Canonical."


BTW, this policy has been changed recently (May 2013) so probably you wasn't aware of it. However, there's at least one package in Fedora which would also break this restrictive policy: ubuntu-title-fonts. It was introduced three years ago, it might need a name change now. I will block FE-LEGAL to clarify this.

Comment 4 mejiko 2013-10-01 11:11:41 UTC
Bug reported (ubuntu-title-fonts).

URI: https://bugzilla.redhat.com/show_bug.cgi?id=1014065

Thanks.

Comment 5 Sandro Mani 2013-10-01 11:31:33 UTC
Should we contact canonical concerning this issue?

Comment 6 Mario Blättermann 2013-10-01 18:40:40 UTC
(In reply to Sandro Mani from comment #5)
> Should we contact canonical concerning this issue?

Good idea. They should say if we may use *buntu in package names. This would be also of special interest for adding it to the wiki pages (https://fedoraproject.org/wiki/Legal:Main).

Comment 7 Sandro Mani 2013-10-01 20:49:30 UTC
I've filled out the corresponding form at https://forms.canonical.com/trademark/

Comment 8 Sandro Mani 2013-10-10 12:34:36 UTC
So canonical has (still) not replied, I've posted to fedora-legal concerning this issue: https://lists.fedoraproject.org/pipermail/legal/2013-October/002256.html

Comment 9 Mario Blättermann 2013-10-10 17:35:11 UTC
(In reply to Sandro Mani from comment #8)
> So canonical has (still) not replied, I've posted to fedora-legal concerning
> this issue:
> https://lists.fedoraproject.org/pipermail/legal/2013-October/002256.html

Tom Callaway responsed, and he discouraged us to use "ubuntu" in package names, referring to the trademark policy I already cited in comment #3. Any idea how to rename the package in a way that makes it understandable for users what it is for? As far as I can see, we could leave the summary as it is.

Comment 10 Sandro Mani 2013-10-10 17:38:34 UTC
I guess we could call the package ubu-keyring. Should be obvious enough?

Comment 11 Mario Blättermann 2013-10-10 17:42:28 UTC
(In reply to Sandro Mani from comment #10)
> I guess we could call the package ubu-keyring. Should be obvious enough?

Good idea. The trademark policy speaks about Ubuntu and *buntu only, so if we omit the "ntu" at the end, it should be sufficient.

Comment 13 Mario Blättermann 2013-10-15 08:12:20 UTC
Scratch build:
http://koji.fedoraproject.org/koji/taskinfo?taskID=6061247

$ rpmlint -i -v *
ubu-keyring.noarch: I: checking
ubu-keyring.noarch: I: checking-url https://launchpad.net/ubuntu-keyring (timeout 10 seconds)
ubu-keyring.noarch: E: zero-length /usr/share/keyrings/ubuntu-archive-removed-keys.gpg
ubu-keyring.src: I: checking
ubu-keyring.src: I: checking-url https://launchpad.net/ubuntu-keyring (timeout 10 seconds)
ubu-keyring.src: W: strange-permission ubuntu-keyring_2012.05.19.tar.gz 0600L
A file that you listed to include in your package has strange permissions.
Usually, a file should have 0644 permissions.

ubu-keyring.src: I: checking-url https://launchpad.net/ubuntu/saucy/+source/ubuntu-keyring/2012.05.19/+files/ubuntu-keyring_2012.05.19.tar.gz (timeout 10 seconds)
ubu-keyring.spec: I: checking-url https://launchpad.net/ubuntu/saucy/+source/ubuntu-keyring/2012.05.19/+files/ubuntu-keyring_2012.05.19.tar.gz (timeout 10 seconds)
2 packages and 1 specfiles checked; 1 errors, 1 warnings.


What's the purpose of the file /usr/share/keyrings/ubuntu-archive-removed-keys.gpg? It is empty.

Besides that, you should fix the permissions of the source tarball before building the srpm.

Comment 14 Sandro Mani 2013-10-15 09:31:43 UTC
Thanks, I've fixed the issues pointed out. Now I'd say we should wait until say end of the week to see whether I hear anything from Canonical, since [1] gives some hope they might answer.

[1] https://lists.fedoraproject.org/pipermail/legal/2013-October/002267.html

Spec URL: http://smani.fedorapeople.org/review/ubu-keyring.spec
SRPM URL: http://smani.fedorapeople.org/review/ubu-keyring-2012.05.19-2.fc21.src.rpm

%changelog
* Tue Oct 15 2013 Sandro Mani <manisandro> - 2012.05.19-2
- Remove empty file

Comment 15 Sandro Mani 2013-10-18 13:57:13 UTC
I'd say let's finish this review as ubu-keyring, my hope of hearing something from Canonical is fading.

Comment 16 Mario Blättermann 2013-10-20 17:00:14 UTC
Scratch build:
http://koji.fedoraproject.org/koji/taskinfo?taskID=6081275

$ rpmlint -i -v *
ubu-keyring.noarch: I: checking
ubu-keyring.noarch: I: checking-url https://launchpad.net/ubuntu-keyring (timeout 10 seconds)
ubu-keyring.src: I: checking
ubu-keyring.src: I: checking-url https://launchpad.net/ubuntu-keyring (timeout 10 seconds)
ubu-keyring.src: I: checking-url https://launchpad.net/ubuntu/saucy/+source/ubuntu-keyring/2012.05.19/+files/ubuntu-keyring_2012.05.19.tar.gz (timeout 10 seconds)
ubu-keyring.spec: I: checking-url https://launchpad.net/ubuntu/saucy/+source/ubuntu-keyring/2012.05.19/+files/ubuntu-keyring_2012.05.19.tar.gz (timeout 10 seconds)
2 packages and 1 specfiles checked; 0 errors, 0 warnings.

No issues so far.


---------------------------------
key:

[+] OK
[.] OK, not applicable
[X] needs work
---------------------------------

[+] MUST: rpmlint must be run on the source rpm and all binary rpms the build produces. The output should be posted in the review.
[+] MUST: The package must be named according to the Package Naming Guidelines.
[+] MUST: The spec file name must match the base package %{name}, in the format %{name}.spec unless your package has an exemption.
[+] MUST: The package must meet the Packaging Guidelines.
[+] MUST: The package must be licensed with a Fedora approved license and meet the Licensing Guidelines.
[+] MUST: The License field in the package spec file must match the actual license.
    Public Domain
[.] MUST: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package must be included in %doc.
[+] MUST: The spec file must be written in American English.
[+] MUST: The spec file for the package MUST be legible.
[+] MUST: The sources used to build the package must match the upstream source, as provided in the spec URL. Reviewers should use sha256sum for this task as it is used by the sources file once imported into git. If no upstream URL can be specified for this package, please see the Source URL Guidelines for how to deal with this.
    $ sha256sum *
    8b3bb00770c7b1e5c0abb215ecf8c383cb3b709292a52aeb1022b5556e768b69  ubuntu-keyring_2012.05.19.tar.gz
    8b3bb00770c7b1e5c0abb215ecf8c383cb3b709292a52aeb1022b5556e768b69  ubuntu-keyring_2012.05.19.tar.gz.orig

[+] MUST: The package MUST successfully compile and build into binary rpms on at least one primary architecture.
[.] MUST: If the package does not successfully compile, build or work on an architecture, then those architectures should be listed in the spec in ExcludeArch. Each architecture listed in ExcludeArch MUST have a bug filed in bugzilla, describing the reason that the package does not compile/build/work on that architecture. The bug number MUST be placed in a comment, next to the corresponding ExcludeArch line.
[+] MUST: All build dependencies must be listed in BuildRequires, except for any that are listed in the exceptions section of the Packaging Guidelines ; inclusion of those as BuildRequires is optional. Apply common sense.
[.] MUST: The spec file MUST handle locales properly. This is done by using the %find_lang macro. Using %{_datadir}/locale/* is strictly forbidden.
[.] MUST: Every binary RPM package (or subpackage) which stores shared library files (not just symlinks) in any of the dynamic linker's default paths, must call ldconfig in %post and %postun.
[.] MUST: Packages must NOT bundle copies of system libraries.
[.] MUST: If the package is designed to be relocatable, the packager must state this fact in the request for review, along with the rationalization for relocation of that specific package. Without this, use of Prefix: /usr is considered a blocker.
[+] MUST: A package must own all directories that it creates. If it does not create a directory that it uses, then it should require a package which does create that directory.
[+] MUST: A Fedora package must not list a file more than once in the spec file's %files listings. (Notable exception: license texts in specific situations)
[+] MUST: Permissions on files must be set properly. Executables should be set with executable permissions, for example.
[+] MUST: Each package must consistently use macros.
[+] MUST: The package must contain code, or permissable content.
[.] MUST: Large documentation files must go in a -doc subpackage. (The definition of large is left up to the packager's best judgement, but is not restricted to size. Large can refer to either size or quantity).
[+] MUST: If a package includes something as %doc, it must not affect the runtime of the application. To summarize: If it is in %doc, the program must run properly if it is not present.
[.] MUST: Static libraries must be in a -static package.
[.] MUST: Development files must be in a -devel package.
[.] MUST: In the vast majority of cases, devel packages must require the base package using a fully versioned dependency: Requires: %{name}%{?_isa} = %{version}-%{release}
[.] MUST: Packages must NOT contain any .la libtool archives, these must be removed in the spec if they are built.
[.] MUST: Packages containing GUI applications must include a %{name}.desktop file, and that file must be properly installed with desktop-file-install in the %install section. If you feel that your packaged GUI application does not need a .desktop file, you must put a comment in the spec file with your explanation.
[+] MUST: Packages must not own files or directories already owned by other packages. The rule of thumb here is that the first package to be installed should own the files or directories that other packages may rely upon. This means, for example, that no package in Fedora should ever share ownership with any of the files or directories owned by the filesystem or man package. If you feel that you have a good reason to own a file or directory that another package owns, then please present that at package review time. 
[+] MUST: All filenames in rpm packages must be valid UTF-8.


[.] SHOULD: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it.
[.] SHOULD: The description and summary sections in the package spec file should contain translations for supported Non-English languages, if available.
[+] SHOULD: The reviewer should test that the package builds in mock.
    See Koji build above (which uses Mock anyway).
[+] SHOULD: The package should compile and build into binary rpms on all supported architectures.
[.] SHOULD: The reviewer should test that the package functions as described. A package should not segfault instead of running, for example.
[.] SHOULD: If scriptlets are used, those scriptlets must be sane. This is vague, and left up to the reviewers judgement to determine sanity.
[.] SHOULD: Usually, subpackages other than devel should require the base package using a fully versioned dependency.
[.] SHOULD: The placement of pkgconfig(.pc) files depends on their usecase, and this is usually for development purposes, so should be placed in a -devel pkg. A reasonable exception is that the main pkg itself is a devel tool not installed in a user runtime, e.g. gcc or gdb.
[.] SHOULD: If the package has file dependencies outside of /etc, /bin, /sbin, /usr/bin, or /usr/sbin consider requiring the package which provides the file instead of the file itself.
[.] SHOULD: your package should contain man pages for binaries/scripts. If it doesn't, work with upstream to add them where they make sense.


----------------

PACKAGE APPROVED

----------------

Comment 17 Sandro Mani 2013-10-20 17:10:52 UTC
Thanks!

New Package SCM Request
=======================
Package Name: ubu-keyring
Short Description: GnuPG keys of the Ubuntu archive
Owners: smani
Branches: f19 f20

Comment 18 Gwyn Ciesla 2013-10-21 01:37:34 UTC
Git done (by process-git-requests).

Comment 19 Fedora Update System 2013-10-21 08:52:34 UTC
ubu-keyring-2012.05.19-2.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/ubu-keyring-2012.05.19-2.fc19

Comment 20 Fedora Update System 2013-10-22 05:02:31 UTC
ubu-keyring-2012.05.19-2.fc19 has been pushed to the Fedora 19 testing repository.

Comment 21 Fedora Update System 2013-10-30 01:50:36 UTC
ubu-keyring-2012.05.19-2.fc19 has been pushed to the Fedora 19 stable repository.