Bug 1947031

Summary: Review Request: bitwarden-cli - Command line password manager
Product: [Fedora] Fedora
Reporter: Michael Wojcik <mikewoj97>
Component: Package Review
Assignee: Nobody's working on this, feel free to take it <nobody>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: carl, decathorpe, maxwell, mbocek, mhayden, package-review, zebob.m
Hardware: Unspecified   
OS: Unspecified   
Last Closed: 2023-07-16 13:12:28 UTC
Type: Bug
Bug Blocks: 201449    

Description Michael Wojcik 2021-04-07 14:12:11 UTC
SPEC URL:
https://raw.githubusercontent.com/Nycticoraci/FriendlyFedora/gerry/bitwarden-cli/bitwarden-cli.spec
SRPM URL:
https://raw.githubusercontent.com/Nycticoraci/FriendlyFedora/gerry/bitwarden-cli/bitwarden-cli-1.15.1-1.fc35.src.rpm
Koji URL:
https://koji.fedoraproject.org/koji/taskinfo?taskID=65242411

Description:
Bitwarden CLI is a command line interface tool for accessing and managing a Bitwarden vault. The two languages used for the source code/dependencies are TypeScript and Node.js.

The dependencies for Bitwarden have been bundled together using nodejs-packaging-bundler.

The Bitwarden CLI was requested for package review in the past and I was told to submit a new ticket. The previous request's ticket number is 1918111, submitted by Michel Alexandre Salim in January 2021.

Comment 1 Robert-André Mauchin 🐧 2021-04-07 14:30:02 UTC
What's your FAS id? Why doesn't the changelog contain your name?

Comment 2 Robert-André Mauchin 🐧 2021-04-07 15:20:12 UTC
 - Add a newline between changelog entries

 - Uncomment this:

%dir %{nodejs_sitelib}/@bitwarden

 - 0BSD → BSD

Package Review
==============

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated
[ ] = Manual review needed


===== MUST items =====

Generic:
[x]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[x]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses
     found: "Unknown or generated". 7 files have unknown license. Detailed
     output of licensecheck in /home/bob/packaging/review/bitwarden-
     cli/review-bitwarden-cli/licensecheck.txt
[x]: If the package is under multiple licenses, the licensing breakdown
     must be documented in the spec.
[!]: Package requires other packages for directories it uses.
     Note: No known owner of /usr/lib/node_modules/@bitwarden
[x]: Package contains no bundled libraries without FPC exception.
[x]: Changelog in prescribed format.
[x]: Sources contain only permissible code or content.
[-]: Package contains desktop file if it is a GUI application.
[-]: Development files must be in a -devel package
[x]: Package uses nothing in %doc for runtime.
[x]: Package consistently uses macros (instead of hard-coded directory
     names).
[x]: Package is named according to the Package Naming Guidelines.
[x]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[x]: Requires correct, justified where necessary.
[x]: Spec file is legible and written in American English.
[-]: Package contains systemd file(s) if in need.
[x]: Package is not known to require an ExcludeArch tag.
[-]: Large documentation must go in a -doc subpackage. Large could be size
     (~1MB) or number of files.
     Note: Documentation size is 10240 bytes in 1 files.
[x]: Package complies to the Packaging Guidelines
[x]: Package successfully compiles and builds into binary rpms on at least
     one supported primary architecture.
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: Package does not own files or directories owned by other packages.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Dist tag is present.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package use %makeinstall only when make install DESTDIR=... doesn't
     work.
[x]: Package is named using only allowed ASCII characters.
[x]: Package does not use a name that already exists.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as
     provided in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Packages must not store files under /srv, /opt or /usr/local

===== SHOULD items =====

Generic:
[-]: If the source package does not include license text(s) as a separate
     file from upstream, the packager SHOULD query upstream to include it.
[x]: Final provides and requires are sane (see attachments).
[x]: Package functions as described.
[x]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[-]: Sources are verified with gpgverify first in %prep if upstream
     publishes signatures.
     Note: gpgverify is not used.
[-]: Description and summary sections in the package spec file contains
     translations for supported Non-English languages, if available.
[x]: %check is present and all tests pass.
[x]: Packages should try to preserve timestamps of original installed
     files.
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: Sources can be downloaded from URI in Source: tag
[x]: SourceX is a working URL.
[x]: Package should compile and build into binary rpms on all supported
     architectures.
[x]: Spec use %global instead of %define unless justified.

===== EXTRA items =====

Generic:
[x]: Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).
[x]: Spec file according to URL is the same as in SRPM.


Rpmlint
-------
Checking: bitwarden-cli-1.15.1-1.fc35.noarch.rpm
          bitwarden-cli-1.15.1-1.fc35.src.rpm
bitwarden-cli.noarch: W: spelling-error %description -l en_US js -> dis, ks, j
bitwarden-cli.noarch: W: invalid-license 0BSD
bitwarden-cli.noarch: W: only-non-binary-in-usr-lib
bitwarden-cli.noarch: W: hidden-file-or-dir /usr/lib/node_modules/@bitwarden/cli/node_modules/.bin
bitwarden-cli.noarch: W: hidden-file-or-dir /usr/lib/node_modules/@bitwarden/cli/node_modules_prod/.bin
bitwarden-cli.noarch: W: hidden-file-or-dir /usr/lib/node_modules/@bitwarden/cli/node_modules_prod/.bin
bitwarden-cli.noarch: W: no-manual-page-for-binary bw
bitwarden-cli.src: W: spelling-error %description -l en_US js -> dis, ks, j
bitwarden-cli.src: W: invalid-license 0BSD
bitwarden-cli.src: W: invalid-url Source1: @bitwarden-cli-1.15.1-nm-prod.tgz
2 packages and 0 specfiles checked; 0 errors, 10 warnings.


Please get back to me with your FAS info.

Comment 3 Fabio Valentini 2021-04-07 16:37:26 UTC
(In reply to Robert-André Mauchin 🐧 from comment #2)

Sorry for interrupting. :)

[...]

>  - 0BSD → BSD

[...]

> bitwarden-cli.src: W: invalid-license 0BSD

Note that this is a false positive warning in rpmlint; "0BSD" is a valid license specifier in Fedora, denoting the Zero-Clause BSD License.

See: https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#Good_Licenses (sixth one from the bottom in the "Good" list),
or:  https://fedoraproject.org/wiki/Licensing/ZeroClauseBSD

Comment 5 Robert-André Mauchin 🐧 2021-04-07 19:13:54 UTC
 - You didn't change 0BSD to BSD

 - You don't seem to be part of the packager group (https://accounts.fedoraproject.org/user/michael_wojcik/), you'll need to be sponsored into it, see https://fedoraproject.org/wiki/How_to_get_sponsored_into_the_packager_group

Comment 6 Robert-André Mauchin 🐧 2021-04-07 19:14:54 UTC
(In reply to Fabio Valentini from comment #3)
> (In reply to Robert-André Mauchin 🐧 from comment #2)
> 
> Sorry for interrupting. :)
> 
> [...]
> 
> >  - 0BSD → BSD
> 
> [...]
> 
> > bitwarden-cli.src: W: invalid-license 0BSD
> 
> Note that this is a false positive warning in rpmlint; "0BSD" is a valid
> license specifier in Fedora, denoting the Zero-Clause BSD License.
> 
> See:
> https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#Good_Licenses
> (sixth one from the bottom in the "Good" list),
> or:  https://fedoraproject.org/wiki/Licensing/ZeroClauseBSD

(In reply to Robert-André Mauchin 🐧 from comment #5)
>  - You didn't change 0BSD to BSD
> 


Oops, sorry, I didn't catch that.

Comment 7 Robert-André Mauchin 🐧 2021-04-07 19:16:06 UTC
The package is approved, but you still need to find a sponsor.

Comment 8 Michael Wojcik 2021-04-12 17:35:19 UTC
Excellent, I will speak with my project sponsor.

Comment 9 Major Hayden 🤠 2021-12-16 13:07:30 UTC
Any update on this one? I'd love to see this packaged. 😉

Comment 10 Maxwell G 2021-12-26 18:54:47 UTC
Robert-Andre, it looks like you are now a sponsor[1]. Are you able to sponsor Michael? I'd really like to see this packaged.

Thanks,
Maxwell

[1]: https://accounts.fedoraproject.org/group/packager/

Comment 11 Maxwell G 2021-12-26 18:59:18 UTC
Michael,

There also seems to be a new upstream version[1].

[1]: https://github.com/bitwarden/cli/releases/tag/v1.20.0

Comment 12 Robert-André Mauchin 🐧 2022-01-07 22:07:41 UTC
I haven't heard back from @mikewoj97. I am willing to sponsor him if he does some reviews, contributes some PRs, or anything that shows the packaging guidelines are understood.
If you hear no answer from him, consider starting a FE:DEADREVIEW process.

Comment 13 Package Review 2023-07-16 13:12:28 UTC
No reply from the original submitter, closing as DEADREVIEW.