Bug 181801
| Summary: | Review Request: zeroinstall-injector | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Michel Alexandre Salim <michel.salim> |
| Component: | Package Review | Assignee: | Jochen Schmitt <jochen> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Package Reviews List <fedora-package-review> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | CC: | michel |
| Target Milestone: | --- | Flags: | kevin: fedora-cvs+ |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2006-03-20 00:25:33 UTC | Type: | --- |
| Bug Blocks: | 163779 | ||
Description
Michel Alexandre Salim
2006-02-16 18:16:31 UTC
Good:
+ Local build works.
Bad:
- Source does not contain a fully qualified URL.
- Use of %{_datadir}/man instead of %{_mandir}
Questions:
Why do you set CFLAGS for a noarch package?
The upstream source is self-signed with GPG, and there's no unsigned tarball I
can link to for the Source field.
CFLAGS removed and mandir changed to use %{_mandir}, thanks.
http://hircus.org/fedora/zeroinstall-injector/zeroinstall-injector.spec
http://hircus.org/fedora/zeroinstall-injector/zeroinstall-injector-0.18-2.src.rpm
Bad:
- Source0 does not contain a fully qualified URL.
- BuildRequires: python should be added.

I agree on the second point, but about Source0, as I explained, the upstream source is a signed GPG file. Using the upstream source would require a BuildRequires on gnupg ..

The source verification can be done by downloading the GPG-ed tarball from here:
http://sourceforge.net/project/showfiles.php?group_id=76468&package_id=146899&release_id=390954

So the options are:
- point Source0 to the .tar.gz.gpg file, BuildReq on gnupg
- Manual verification of the source tarball (take the upstream source, gpg --decrypt ${file} > newfile, compare md5sums or do a diff)

The QA checklist does not say anything about including the full Source URL, just that the source matches upstream.

Let's come to an agreement on this and then I can submit the final version of the .spec file?

(In reply to comment #4)
> I agree on the second point, but about Source0, as I explained, the upstream
> source is a signed GPG file. Using the upstream source would require a
> BuildRequires on gnupg ..
>
> The source verification can be done by downloading the GPG-ed tarball from here:
> http://sourceforge.net/project/showfiles.php?group_id=76468&package_id=146899&release_id=390954
>
> So the options are:
> - point Source0 to the .tar.gz.gpg file, BuildReq on gnupg
> - Manual verification of the source tarball (take the upstream source, gpg
> --decrypt ${file} > newfile, compare md5sums or do a diff)

I would advocate the first option; it allows people to do:
$ spectool --gf zeroinstall-injector.spec
to retrieve the sources directly from upstream.

Shouldn't the buildreq be python-devel rather than python?

I agree with Paul that we should use the first option. And I had a look: a python-devel package exists. Because I'm now on a Windows machine, I can't determine whether setup.py is contained in python-devel. If so, which I believe, python-devel should be a BuildRequire.
Most Python packages actually BuildRequire on python, not python-devel: the setup.py file is included with the source tarball, and it imports distutils.core which is part of python, not python-devel.

Haven't used spectool --gf before, that's handy. OK, first option it is, we need a BuildRequire on gnupg, but no BuildReq on python-devel. Will upload a new package tomorrow (actually, later today) after some testing.

Thanks for all your help,
- Michel

So, as I posted on the mailing list, there is no clean way of using the signed
tarball that upstream provided.
This is the hackery I have so far; it works, has no side effect, but rpmlint is
deeply unhappy by the use of %{sourcedir}. Unless there is a cleaner solution
I'd suggest that either the curious user find the upstream and verify it himself.
%prep
# Decrypt upstream source, ignore error message due to unknown key
gpg --decrypt %{_sourcedir}/%{name}-%{version}.tar.gz.gpg > \
    %{_sourcedir}/%{name}-%{version}.tar.gz || true
# Point source to the decrypted tarball
mv %{_sourcedir}/%{name}-%{version}.tar.gz.gpg \
    %{_sourcedir}/%{name}-%{version}.tar.gz.gpgbak
mv %{_sourcedir}/%{name}-%{version}.tar.gz \
    %{_sourcedir}/%{name}-%{version}.tar.gz.gpg
%setup -q
# Restore upstream tarball under its original .tar.gz.gpg name
mv %{_sourcedir}/%{name}-%{version}.tar.gz.gpgbak \
    %{_sourcedir}/%{name}-%{version}.tar.gz.gpg
Why not use %setup -c -T to make a directory and cd into it. Decrypt %{SOURCE0}
into the current directory, untar it manually, and go on with the installation
as normal?
This is what Ville Skyttä suggested as well. I decided to do something similar, but the other way around: after %prep, back up one directory, manually untar, then call %setup with -D (do not delete) and -T (do not untar). This way, %setup gets to sanitize file ownership and permissions.

Thanks for the suggestion!

Changes from the previous -2 release:
- Now use gpg-signed upstream tarball, BuildReq on gnupg to handle this

The other BuildReq is still on Python, as explained before.

Spec Name or Url:
http://hircus.org/fedora/zeroinstall-injector/zeroinstall-injector.spec
SRPM Name or Url:
http://hircus.org/fedora/zeroinstall-injector/zeroinstall-injector-0.18-3.src.rpm

I believe all issues have been resolved - Jochen, you might want to look at the latest src.rpm ?

Good:
+ rpmlint of source rpm ok.
Bad:
- local build fails:
zeroinstall-injector-0.18/zeroinstall/injector/__init__.py
zeroinstall-injector-0.18/zeroinstall/injector/download.py
zeroinstall-injector-0.18/zeroinstall/injector/reader.py
zeroinstall-injector-0.18/zeroinstall/__init__.py
zeroinstall-injector-0.18/COPYING
+ popd
~/redhat/BUILD
+ cd /home/pclinux/redhat/BUILD
+ cd zeroinstall-injector-0.18
/var/tmp/rpm-tmp.94338: line 28: cd: zeroinstall-injector-0.18: No such file or directory
Fehler: Bad exit status from /var/tmp/rpm-tmp.94338 (%prep)

So terribly sorry; omitted to remove the pushd and popd.

Spec Name or Url:
http://hircus.org/fedora/zeroinstall-injector/zeroinstall-injector.spec
SRPM Name or Url:
http://hircus.org/fedora/zeroinstall-injector/zeroinstall-injector-0.18-4.src.rpm

Good:
+ Local build worked fine.
+ rpmlint for SRPM ok.
+ rpmlint for binaries RPMs ok.
+ Build on mock worked fine.

I'm glad that I can APPROVE your package.

Could you set the blocker bug to FE-ACCEPT (#163779) ? Don't want to step on your toes.. thanks!
Package Change Request
======================
Package Name: zeroinstall-injector
New Branches: EL-5
Owners: salimma

I've just tested and zeroinstall-injector works just fine on CentOS 5

cvs done.
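
The `%setup -c -T` approach suggested in the thread, written out as an added spec fragment; it is not the submitted zeroinstall-injector.spec. Unlike the `gpg --decrypt ... || true` snippet posted earlier, a failed signature check stops the build. The Source0 host, the `Source1` keyring file, the `payload.tar.gz` name and the use of a GnuPG 2.x `gpgv` are assumptions.

```spec
# Added illustration, not the submitted spec file.
# Assumptions: the Source0 host is a placeholder, and Source1 is a binary
# keyring holding upstream's public key, obtained and checked out of band.
Source0:        https://example.invalid/%{name}-%{version}.tar.gz.gpg
Source1:        upstream-pubkey.gpg
# gpgv with --output needs GnuPG 2.x (assumption about the build host).
BuildRequires:  gnupg2

%prep
# -c creates and enters the build directory; -T skips the automatic
# unpack of Source0, which is not a plain tarball.
%setup -q -c -T

# Check the inline signature against the pinned keyring only (the
# builder's own keyring is never consulted) and write out the signed
# payload. gpgv exits non-zero on a bad signature or an unknown key, and
# build scriptlets run under "sh -e", so a failure aborts the build here.
# The payload goes to a file rather than a pipe so that the exit status
# of gpgv is the one the shell sees.
gpgv --keyring %{SOURCE1} --output payload.tar.gz %{SOURCE0}

# The tarball has a single top-level directory; strip it so the files
# land in the directory created by -c.
tar -xzf payload.tar.gz --strip-components=1
rm -f payload.tar.gz

# Same permission fix-up the setup macro applies after its own unpack.
chmod -Rf a+rX,u+w,g-w,o-w .
```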