Bug 2115901

Summary: Review Request: imhex - Hex Editor
Product: [Fedora] Fedora Reporter: Jonathan Wright <jonathan>
Component: Package ReviewAssignee: Richard Shaw <hobbes1069>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: alebastr89, hobbes1069, package-review
Target Milestone: ---Flags: hobbes1069: fedora-review+
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-08-12 13:58:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jonathan Wright 2022-08-05 16:20:42 UTC
Spec URL: https://jonathanspw.fedorapeople.org/ImHex.spec
SRPM URL: https://jonathanspw.fedorapeople.org/ImHex-1.20.0-1.fc37.src.rpm

Description:  ImHex is a Hex Editor, a tool to display, decode and analyze binary data to reverse engineer their format, extract information or patch values in them. 

Fedora Account System Username: jonathanspw

Comment 1 Jonathan Wright 2022-08-05 17:27:30 UTC
Spec URL: https://jonathanspw.fedorapeople.org/ImHex.spec
SRPM URL: https://jonathanspw.fedorapeople.org/ImHex-1.20.0-2.fc37.src.rpm

Updated to exclude s390x (unsupported upstream) and fix my name in the changelog.

Comment 2 Jonathan Wright 2022-08-05 17:47:30 UTC
Koji build: https://koji.fedoraproject.org/koji/taskinfo?taskID=90503181

Comment 3 Aleksei Bavshin 2022-08-06 19:16:55 UTC
> BuildRequires:  mesa-libGL-devel

You'll likely want `libglvnd-devel` instead, as it is the actual provider of OpenGL headers/libraries.

> # [11:38 AM] WerWolv: Officially supported are x86_64 and aarch64
> ExcludeArch:    i686
> ExcludeArch:    armv7hl

%{ix86} and %{arm32} correspondingly. But given the upstream support status, it would make sense to do `ExclusiveArch: x86_64 %{arm64}`. And ppc64le if you are sure it works there.

> make -C redhat-linux-build -j unit_tests

Both `make` and `redhat-linux-build` are %cmake macro implementation details that may change. Maybe `%cmake_build -- --target unit_tests` would work?


 - Please, also declare `Provides: bundled()` for all third-party libraries built in the package: yara (conditionally), capstone, imgui, libromfs, microtar, nativefiledialog, pattern_language, xdgpp... Now that I listed all of that, I feel that the License tag is incomplete :)
Also, consider unbundling at least some of those.


 - As it is a GUI app, it should provide an AppStream metainfo file (otherwise you won't be able to find and install ImHex with gnome-software). See https://docs.fedoraproject.org/en-US/packaging-guidelines/AppData/

Comment 4 Jonathan Wright 2022-08-06 21:47:27 UTC
Thanks for taking a look.

(In reply to Aleksei Bavshin from comment #3)
> > BuildRequires:  mesa-libGL-devel
> 
> You'll likely want `libglvnd-devel` instead, as it is the actual provider of
> OpenGL headers/libraries.

Fixed.

> 
> > # [11:38 AM] WerWolv: Officially supported are x86_64 and aarch64
> > ExcludeArch:    i686
> > ExcludeArch:    armv7hl
> 
> %{ix86} and %{arm32} correspondingly. But given the upstream support status,
> it would make sense to do `ExclusiveArch: x86_64 %{arm64}`. And ppc64le if
> you are sure it works there.

Swapped to using ExclusiveArch and macros where possible.

> > make -C redhat-linux-build -j unit_tests
> 
> Both `make` and `redhat-linux-build` are %cmake macro implementation details
> that may change. Maybe `%cmake_build -- --target unit_tests` would work?

Indeed this works!  Thank you!

>  - Please, also declare `Provides: bundled()` for all third-party libraries
> built in the package: yara (conditionally), capstone, imgui, libromfs,
> microtar, nativefiledialog, pattern_language, xdgpp... Now that I listed all
> of that, I feel that the License tag is incomplete :)
> Also, consider unbundling at least some of those.

Do they need to be listed as bundled even if none of them actually end up installed in the filesystem anywhere and are only used to build?

This application is very bleeding edge in terms of the libs it uses and some of the things simply can't be packaged separately yet.  capstone for example hasn't release v5 but the packaged version is basically v5 which is required for ImHex.

A few of the other things like pattern_language and libromfs I fully intend to package separately.  They're from the same upstream developer so I was planning to do that a bit later on as to not delay getting this package itself into the repos.

Upstream has to do some work to permit system libs for some of these things to be used such as proper versioning and releases.  All possible system libs are being used with the cmake flags currently.  yara is about to be non-conditional too as the latest yara is being pushed back to f36 I'm just waiting on bodhi to push it to stable.

>  - As it is a GUI app, it should provide an AppStream metainfo file
> (otherwise you won't be able to find and install ImHex with gnome-software).
> See https://docs.fedoraproject.org/en-US/packaging-guidelines/AppData/

Added.

Thanks for all your suggestions.

Spec URL: https://jonathanspw.fedorapeople.org/ImHex.spec
SRPM URL: https://jonathanspw.fedorapeople.org/ImHex-1.20.0-3.fc37.src.rpm

Comment 5 Aleksei Bavshin 2022-08-06 22:56:00 UTC
> Do they need to be listed as bundled even if none of them actually end up installed in the filesystem anywhere and are only used to build?

Yes. If something is compiled and included into the packaged binary, it should affect both the binary license and the list of bundled packages. The reason for the former should be obvious, and the latter is mostly a means of detecting code duplication from the repository metadata.

Corresponding guidelines with a deeper explanations:
https://docs.fedoraproject.org/en-US/packaging-guidelines/#bundling (which also asks to identify the version of a bundled library, if possible)
https://docs.fedoraproject.org/en-US/legal/license-field/

And since I haven't checked the docs above in a while, I forgot to ask to rm -rf already unbundles external libs in %prep. This way we can guarantee that the bundled sources are not used.

> Added.

Looks good to me. I'm assuming you are already aware that the Software app can find and view the metainfo from the installed package, even when it's still not available in the repositories (and most importantly in the `appstream-data` package, which is what G-S actually consumes). If not, might be good to check.

Nit: I always assumed that the "project_license" should include the project license without the (bundled) dependencies ("The license given in the project_license tag should be the ‘main’ license of the project"[1]).
I might be interpreting this wrong, so feel free to ask legal@ or just leave it as is.


[1]: https://www.freedesktop.org/software/appstream/docs/chap-Metadata.html#tag-project_license

Comment 6 Jonathan Wright 2022-08-07 19:47:12 UTC
Implemented your suggestions.

Spec URL: https://jonathanspw.fedorapeople.org/ImHex.spec
SRPM URL: https://jonathanspw.fedorapeople.org/ImHex-1.20.0-3.fc37.src.rpm

Checked it in GS and it looks great :)

Comment 7 Richard Shaw 2022-08-09 01:00:31 UTC
Looks like you've already gotten quite a bit of feedback! Don't hate me but I see one thing in the spec review...

New packages have to be in all lower case:

https://docs.fedoraproject.org/en-US/packaging-guidelines/Naming/#_common_character_set_for_package_naming

Now rereading it says SHOULD not MUST/SHALL. Hmm...

Comment 8 Jonathan Wright 2022-08-09 01:50:10 UTC
I was following upstream on that.  I prefer things in lower-case, but I figured following upstream made the most sense here.

Either way results in the same usage of macros.  Had all lower-case let me use more macros I'd have gone with that.

I'll probably flip to all lower for final packaging/release since the docs recommend it.

Comment 9 Jonathan Wright 2022-08-09 22:45:04 UTC
@hobbes1069 does everything look good to you or would you like to see additional changes?

Comment 10 Richard Shaw 2022-08-10 00:57:47 UTC
I'll let you worry about the case of the package name :) Working on the rest of the review. I think 90% will be the licenses involved.

So I would say to simplify our other conversation, the license of the package is based on what distributed in the package (not build system files and other irrelevant stuff). That being said some of the text files such as READMEs have some specific licenses which is not something I've considered before.

Comment 11 Richard Shaw 2022-08-11 02:03:47 UTC
So overall I'm okay with the licensing but there does seem to be some MIT stuff. Are you sure they're not being included?

Comment 12 Richard Shaw 2022-08-11 12:57:41 UTC
I've got the review mostly completed but want to make sure we're both good on the licensing. This may be a pain but I think any of the bundled libraries should have their license file included:

$ grep LICENSE licensecheck.txt 
ImHex/lib/libimhex-rs/imgui-rs/LICENSE-APACHE
ImHex/lib/libimhex-rs/imgui-sys/LICENSE-APACHE
ImHex/lib/external/nativefiledialog/LICENSE
ImHex/lib/external/capstone/LICENSE.TXT
ImHex/lib/external/capstone/bindings/python/LICENSE.TXT
ImHex/lib/external/capstone/suite/regress/LICENSE
ImHex/LICENSE
ImHex/lib/external/pattern_language/LICENSE
ImHex/resources/LICENSE.rtf
ImHex/resources/romfs/LICENSE
ImHex/lib/external/microtar/LICENSE
ImHex/lib/external/pattern_language/external/fmt/LICENSE.rst
ImHex/lib/external/pattern_language/external/intervaltree/LICENSE
ImHex/lib/external/xdgpp/LICENSE
ImHex/lib/libimhex-rs/imgui-rs/LICENSE-MIT
ImHex/lib/libimhex-rs/imgui-sys/LICENSE-MIT
ImHex/lib/external/capstone/LICENSE_LLVM.TXT

In some cases they may be identical, so either include one? Or maybe just a little bash scripting in %install:

cp ImHex/lib/libimhex-rs/imgui-rs/LICENSE-APACHE ./imgui-rs-LICENSE-APACHE
etc...

And then include in %license.

Thoughts?

Comment 13 Jonathan Wright 2022-08-11 15:49:32 UTC
Here's what I've come up with:

Spec URL: https://jonathanspw.fedorapeople.org/imhex.spec
SRPM URL: https://jonathanspw.fedorapeople.org/imhex-1.20.0-3.fc38.src.rpm

Comment 14 Richard Shaw 2022-08-11 16:02:55 UTC
That looks good enough for me. I can hopefully finish the review after work today.

Comment 15 Richard Shaw 2022-08-12 12:06:29 UTC
*** APPROVED ***

Package Review
==============

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated
[ ] = Manual review needed



===== MUST items =====

C/C++:
[x]: Package does not contain kernel modules.
[x]: Package contains no static executables.
[x]: If your application is a C or C++ application you must list a
     BuildRequires against gcc, gcc-c++ or clang.
[x]: Header files in -devel subpackage, if present.
[x]: ldconfig not called in %post and %postun for Fedora 28 and later.
[x]: Package does not contain any libtool archives (.la)
[x]: Rpath absent or only used for internal libs.

Generic:
[x]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[x]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses
     found: "Unknown or generated", "GNU General Public License, Version
     2", "*No copyright* GNU General Public License, Version 2", "BSD
     3-Clause License", "University of Illinois/NCSA Open Source License",
     "MIT License", "*No copyright* MIT License", "*No copyright* zlib
     License", "*No copyright* Apache License 2.0", "*No copyright*
     [generated file]", "*No copyright* The Unlicense [generated file]",
     "The Unlicense MIT License", "Apache License", "*No copyright* MIT
     License CNRI Python License", "CNRI Python Open Source GPL Compatible
     License Agreement". 1880 files have unknown license. Detailed output
     of licensecheck in /home/build/fedora-
     review/2115901-ImHex/licensecheck.txt
[x]: License file installed when any subpackage combination is installed.
[x]: If the package is under multiple licenses, the licensing breakdown
     must be documented in the spec.
[ ]: %build honors applicable compiler flags or justifies otherwise.
[-]: Package contains no bundled libraries without FPC exception.
[x]: Changelog in prescribed format.
[x]: Sources contain only permissible code or content.
[-]: Development files must be in a -devel package
[x]: Package uses nothing in %doc for runtime.
[x]: Package consistently uses macros (instead of hard-coded directory
     names).
[x]: Package is named according to the Package Naming Guidelines.
[x]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[-]: Requires correct, justified where necessary.
[x]: Spec file is legible and written in American English.
[-]: Package contains systemd file(s) if in need.
[x]: Useful -debuginfo package or justification otherwise.
[x]: Package is not known to require an ExcludeArch tag.
[-]: Large documentation must go in a -doc subpackage. Large could be size
     (~1MB) or number of files.
     Note: Documentation size is 20480 bytes in 1 files.
[x]: Package complies to the Packaging Guidelines
[x]: Package successfully compiles and builds into binary rpms on at least
     one supported primary architecture.
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: If (and only if) the source package includes the text of the
     license(s) in its own file, then that file, containing the text of the
     license(s) for the package is included in %license.
[x]: Package requires other packages for directories it uses.
[x]: Package must own all directories that it creates.
[x]: Package does not own files or directories owned by other packages.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Package contains desktop file if it is a GUI application.
[x]: Package installs a %{name}.desktop using desktop-file-install or
     desktop-file-validate if there is such a file.
[x]: Dist tag is present.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package must not depend on deprecated() packages.
[x]: Package use %makeinstall only when make install DESTDIR=... doesn't
     work.
[x]: Package is named using only allowed ASCII characters.
[x]: Package does not use a name that already exists.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as
     provided in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Packages must not store files under /srv, /opt or /usr/local

===== SHOULD items =====

Generic:
[-]: If the source package does not include license text(s) as a separate
     file from upstream, the packager SHOULD query upstream to include it.
[x]: Final provides and requires are sane (see attachments).
[?]: Package functions as described.
[x]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[-]: Sources are verified with gpgverify first in %prep if upstream
     publishes signatures.
     Note: gpgverify is not used.
[x]: %check is present and all tests pass.
[x]: Packages should try to preserve timestamps of original installed
     files.
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Fully versioned dependency in subpackages if applicable.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: Sources can be downloaded from URI in Source: tag
[x]: SourceX is a working URL.
[x]: Package should compile and build into binary rpms on all supported
     architectures.
[x]: Spec use %global instead of %define unless justified.

===== EXTRA items =====

Generic:
[x]: Rpmlint is run on debuginfo package(s).
     Note: There are rpmlint messages (see attachment).
[x]: Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).
[x]: Large data in /usr/share should live in a noarch subpackage if package
     is arched.
[x]: Spec file according to URL is the same as in SRPM.


Rpmlint
-------
Cannot parse rpmlint output:


Rpmlint (debuginfo)
-------------------
Cannot parse rpmlint output:



Rpmlint (installed packages)
----------------------------
Cannot parse rpmlint output:


Source checksums
----------------
https://github.com/WerWolv/ImHex/releases/download/v1.20.0/Full.Sources.tar.gz#/ImHex-1.20.0.tar.gz :
  CHECKSUM(SHA256) this package     : 014469fe11ff52fa02c91db810e23cd94be37cc48f6cfd9207873567011ea0b3
  CHECKSUM(SHA256) upstream package : 014469fe11ff52fa02c91db810e23cd94be37cc48f6cfd9207873567011ea0b3


Requires
--------
ImHex (rpmlib, GLIBC filtered):
    ld-linux-x86-64.so.2()(64bit)
    libOpenGL.so.0()(64bit)
    libc.so.6()(64bit)
    libcurl.so.4()(64bit)
    libdbus-1.so.3()(64bit)
    libdbus-1.so.3(LIBDBUS_1_3)(64bit)
    libfmt.so.9()(64bit)
    libfreetype.so.6()(64bit)
    libgcc_s.so.1()(64bit)
    libgcc_s.so.1(GCC_3.0)(64bit)
    libgcc_s.so.1(GCC_3.4)(64bit)
    libgcc_s.so.1(GCC_4.2.0)(64bit)
    libglfw.so.3()(64bit)
    libimhex.so.1.20.0()(64bit)
    libm.so.6()(64bit)
    libmagic.so.1()(64bit)
    libmbedcrypto.so.7()(64bit)
    libstdc++.so.6()(64bit)
    libstdc++.so.6(CXXABI_1.3)(64bit)
    libstdc++.so.6(CXXABI_1.3.11)(64bit)
    libstdc++.so.6(CXXABI_1.3.13)(64bit)
    libstdc++.so.6(CXXABI_1.3.2)(64bit)
    libstdc++.so.6(CXXABI_1.3.3)(64bit)
    libstdc++.so.6(CXXABI_1.3.5)(64bit)
    libstdc++.so.6(CXXABI_1.3.9)(64bit)
    libyara.so.9()(64bit)
    rtld(GNU_HASH)

ImHex-debuginfo (rpmlib, GLIBC filtered):

ImHex-debugsource (rpmlib, GLIBC filtered):



Provides
--------
ImHex:
    ImHex
    ImHex(x86-64)
    application()
    application(imhex.desktop)
    bundled(capstone)
    bundled(gnulib)
    bundled(imgui)
    bundled(libpl)
    bundled(libromfs)
    bundled(microtar)
    bundled(nativefiledialog)
    libimhex.so.1.20.0()(64bit)
    metainfo()
    metainfo(imhex.metainfo.xml)

ImHex-debuginfo:
    ImHex-debuginfo
    ImHex-debuginfo(x86-64)
    debuginfo(build-id)
    libimhex.so.1.20.0-1.20.0-3.fc37.x86_64.debug()(64bit)

ImHex-debugsource:
    ImHex-debugsource
    ImHex-debugsource(x86-64)



Generated by fedora-review 0.8.0 (e988316) last change: 2022-04-07
Command line :/usr/bin/fedora-review -b 2115901
Buildroot used: fedora-rawhide-x86_64
Active plugins: Shell-api, Generic, C/C++
Disabled plugins: fonts, Haskell, Ocaml, SugarActivity, PHP, Java, R, Python, Perl
Disabled flags: EPEL6, EPEL7, DISTTAG, BATCH, EXARCH

Comment 16 Gwyn Ciesla 2022-08-12 13:16:01 UTC
(fedscm-admin):  The Pagure repository was created at https://src.fedoraproject.org/rpms/imhex