Bug 461305

Summary: Review Request: pam_kcoda - coda auth/cred/session PAM module
Product: [Fedora] Fedora
Component: Package Review
Reporter: Neil Horman <nhorman>
Assignee: Gwyn Ciesla <gwync>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: rawhide
CC: fedora-package-review, gwync, notting
Target Milestone: ---
Target Release: ---
Flags: gwync: fedora-review+, huzaifas: fedora-cvs+
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-03-31 13:18:58 UTC

Description Neil Horman 2008-09-05 18:13:23 UTC
Spec URL: http://nhorman.fedorapeople.org/pam_kcoda.spec
SRPM URL: http://nhorman.fedorapeople.org/pam_kcoda-0.4-1.fc8.src.rpm
Description: This is a PAM module that allows a user to obtain coda tokens when authenticated against a krb5 realm.

Comment 1 Gwyn Ciesla 2008-09-09 17:45:34 UTC
rpmlint on SRPM:

pam_kcoda.src: W: no-url-tag
The URL tag is missing.

rpmlint on RPMS:

pam_kcoda.i386: W: no-documentation
The package contains no documentation (README, doc, etc). You have to include
documentation files.

pam_kcoda.i386: W: no-url-tag
The URL tag is missing.

pam_kcoda.i386: W: unstripped-binary-or-object /lib/security/pam_kcoda.so
pam_kcoda-debuginfo.i386: E: empty-debuginfo-package
This debuginfo package contains no files.  This is often a sign of binaries
being unexpectedly stripped too early during the build, rpmbuild not being
able to strip the binaries, the package actually being a noarch one but
erratically packaged as arch dependent, or something else.  Verify what the
case is, and if there's no way to produce useful debuginfo out of it, disable
creation of the debuginfo package.

pam_kcoda-debuginfo.i386: W: no-url-tag
The URL tag is missing.


I'd like to see something in the spec explaining the patches and whether or not they've been submitted upstream.

The license tag claims GPLv1, the README specifies GPL, but the license included is BSD.  This will need to be clarified.  The URL tag would help with this.

Provides a shared library, should include:
%post -p /sbin/ldconfig

%postun -p /sbin/ldconfig

Running a mock build to check BR. . .

Comment 2 Gwyn Ciesla 2008-09-09 18:04:36 UTC
Mock build, BRs OK.  Just address the above and we're good.

Comment 3 Neil Horman 2008-09-09 20:24:39 UTC
Added a URL to the spec.

I checked the license, GPLv1 is listed in the README and the pam_kcoda.c file.  Not sure where you saw a BSD license.  Given the URL tag, I think GPL is the safe conclusion.

I did include the only docs to come with the pkg (the README), I marked it as a %doc in the new package below.

I'm not sure why the debuginfo stuff isn't getting populated.  The pam_kcoda.so file isn't stripped, even after packaging (verify with an install and file /lib64/security/pam_kcoda.so).


New files for you, thanks!

SPEC:
http://nhorman.fedorapeople.org/pam_kcoda.spec
SRPM:
http://nhorman.fedorapeople.org/pam_kcoda-0.4-2.fc8.src.rpm

Comment 4 Gwyn Ciesla 2008-09-10 13:40:26 UTC
Look in pam_kcoda.c, lines 50-60.

BSD License:
http://swik.net/License:BSD/BSD+License+Text

See what I mean?  And it doesn't include a copy of the GPL anywhere.

As for debuginfo, see: https://fedoraproject.org/wiki/Packaging/Debuginfo, and see if that sheds any light.  If you can't get -debuginfo populated, disable generation of the -debuginfo package.

Comment 5 Mamoru TASAKA 2008-09-10 14:48:45 UTC
Only for debuginfo issue:

(In reply to comment #4)
> If you can't get -debuginfo populated, disable generation of the -debuginfo package.
  We should not allow this. All packages must create debuginfo rpm correctly unless they
  are noarch rpms, monos, or so.

  2 issues:
  - build log actually shows that Fedora specific compilation flags are not honored
    correctly:
----------------------------------------------------------
+ CFLAGS='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -fPIC'
+ export CFLAGS
+ make
mkdir -p ./dynamic
gcc -O2 -Dlinux -DLINUX_PAM -ansi -D_POSIX_SOURCE -Wall -Wwrite-strings -Wpointer-arith -Wcast-qual -Wcast-align -Wtraditional -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wshadow -pedantic -fPIC -DPAM_DYNAMIC  -c pam_kcoda.c -o dynamic/pam_kcoda.o
-----------------------------------------------------------
    So -g debug option flag is not used.
    'make %{?_smp_mflags} CC="gcc $RPM_OPT_FLAGS"' seems to work
  - pam_kcoda.so is installed with 0644 permission. find-debuginfo.sh will try to strip binaries
    only with executable permission flag. pam_kcoda.so should be installed with 0755 permission
    (change SHLIBMODE).
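
Added example, not part of the bug report or of any commenter's post: a check for the first issue raised in comment 5, compile lines in a build log that silently drop the exported debug and hardening flags. The names missing_flags, write_sample_logs and REQUIRED_FLAGS are hypothetical, and the sample logs are constructed (the first abbreviates the log quoted above).

```shell
#!/bin/sh
# Added example (not from the bug): flag compile lines in a build log that
# lack the distribution's debug and hardening flags.

# Flags checked; taken from the exported CFLAGS line quoted in comment 5.
REQUIRED_FLAGS="-g -fstack-protector -D_FORTIFY_SOURCE=2"

# missing_flags LOGFILE
# Prints "<source>: <missing flags>" for each gcc compile (-c) line lacking a
# required flag. Returns 1 if anything was reported, 0 otherwise.
missing_flags() {
    status=0
    while IFS= read -r line; do
        case $line in
            gcc\ *\ -c\ *) ;;      # a real compiler invocation
            *) continue ;;         # "+ CFLAGS=..." trace lines, mkdir, etc.
        esac
        missing=""
        for flag in $REQUIRED_FLAGS; do
            # Whole-word match, or the -Wp,<flag> form used for FORTIFY.
            case " $line " in
                *" $flag "*|*"-Wp,$flag "*) ;;
                *) missing="$missing $flag" ;;
            esac
        done
        if [ -n "$missing" ]; then
            src=$(printf '%s\n' "$line" | sed -n 's/.* -c \([^ ]*\).*/\1/p')
            printf '%s:%s\n' "$src" "$missing"
            status=1
        fi
    done < "$1"
    return "$status"
}

# write_sample_logs DIR: constructed inputs. before.log abbreviates the log in
# comment 5; after.log assumes the suggested CC="gcc $RPM_OPT_FLAGS" override.
write_sample_logs() {
    cat > "$1/before.log" <<'EOF'
+ CFLAGS='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector -fPIC'
gcc -O2 -Dlinux -DLINUX_PAM -ansi -Wall -fPIC -DPAM_DYNAMIC  -c pam_kcoda.c -o dynamic/pam_kcoda.o
EOF
    cat > "$1/after.log" <<'EOF'
gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector -fPIC -DPAM_DYNAMIC -c pam_kcoda.c -o dynamic/pam_kcoda.o
EOF
}

# Stand-alone use: sh thisfile.sh build.log
[ $# -eq 0 ] || missing_flags "$1"
```

For a PAM module the missing -D_FORTIFY_SOURCE=2 and -fstack-protector matter as much as the missing -g, since the Makefile's own flags replace the hardening options along with the debug option.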

Comment 6 Gwyn Ciesla 2008-09-10 14:55:03 UTC
Fair enough.  +1.

Comment 7 Neil Horman 2008-09-10 15:07:56 UTC
>Look in pam_kcoda.c, lines 50-60.
Look at lines 47-48 of the same file, indicating GPL License.  The stuff on
lines 50-60 isn't the BSD license, that's just the standard disclaimer. This is
the full BSD license:
http://www.opensource.org/licenses/bsd-license.php

Which isn't included anywhere in the code or accompanying documentation.

Although it is odd that they don't include a COPYING file.  Unfortunately, the
maintainers still haven't responded to me on any of my queries.

I've gone through the debuginfo link you provided, and none of those tips seems
to be the cause of the empty debuginfo package, so I'm disabling it for now:

New Files for you.  Thanks!

SPEC:
http://nhorman.fedorapeople.org/pam_kcoda.spec
SRPM:
http://nhorman.fedorapeople.org/pam_kcoda-0.4-3.fc8.src.rpm

Comment 8 Gwyn Ciesla 2008-09-10 16:07:38 UTC
Ok, hopefully they can clarify what the license should be.  Let me know.  We need to know what version of the GPL it should be.  Including a copy of the relevant version would be the best.

Comment 9 Neil Horman 2008-09-10 16:19:53 UTC
I've gotten a bounce from the email listed in the docs.  Some googling has found me an alternate email to try.  I copied you on the note asking for licence clarification.

Comment 10 Neil Horman 2008-09-10 18:35:09 UTC
Sorry, I fat-fingered your email on my note to him, and your copy bounced. This is the reply from the author:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Neil Horman wrote:
> I'm in the process of trying to get
> pam_kcoda packaged for fedora:

cool ;) - pam_kcoda was one of my first FLOSS projects while student;
Ivan Popov took over maintaining the software in 2001 and added Kerberos
support - I have not heard from him since years now.

> https://bugzilla.redhat.com/show_bug.cgi?id=461305
> Your name is in the docs, but I just got a bounce from the address that was
> listed there.  Some quick googling led me to you at this address so I thought I
> would write and ask, if you are indeed the author of that package:
> http://www.kernel.org/pub/linux/libs/pam/pre/modules/pam_kcoda-v0.4.tgz

I'm the original author, but no license expert ;)

> And if you are, if you could clarify what version of the GPL you intended to
> distribute it under.  My impression is that you intended to distribute under the
> GPLv1 but I'd like to be sure.

Feel free to release pam_kcoda under GPL v2 or 3.., MIT or BSD license
whatever suits you best.
I wrote the original code in GPL v1 as was Coda (and PAM?) in 1999 -
IIRC Ivan asked to release it under BSD conditions and probably then the
license mess started..

> Could you by any chance update the upstream
> package with a COPYING file with a specific license, or clarify what your intent
> was, either in the above bugzilla or via email?

I have no idea how this ended up on
http://www.kernel.org/pub/linux/libs/pam/pre/modules/ and don't have
write permissions there [yet].

If necessary I con roll a new release mid next week (I'll be traveling
and am only sporadically online during the next days) . Do you know any
PAM devs?

cheers,
robin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkjIAFAACgkQeVUk8U+VK0KLqwCgoCDRuJxkhKqhKVsPTFT19buI
x38An1DtWXjQ2HK7aJ4CpbNZ99sAJhfi
=Sfjy
-----END PGP SIGNATURE-----

So, if we change the spec License tag to be GPLv2+, will that be sufficient until a new version is released from Robin with a proper license file?

Comment 11 Gwyn Ciesla 2008-09-10 18:41:13 UTC
Honestly, it'd be simpler to wait for a new release that includes the version the author wants (hopefully GPLv2+, IMHO).  Then we can get a better URL for upstream, as well, and the one we have currently gives no info, just the bits.

Comment 12 Neil Horman 2008-09-10 20:01:26 UTC
It's going to be a few weeks on that, and we're not going to get a better URL.  My understanding is that Robin is just going to upload a new version to his space on kernel.org.

Comment 13 Gwyn Ciesla 2008-09-12 12:21:17 UTC
If it's really to be that long, create a pam_koda-license-README.txt for %doc that explicitly documents the above, and we'll run it by legal to see if that passes muster.

Comment 14 Neil Horman 2008-09-12 13:54:58 UTC
copy that, I'll post a new rpm shortly.

Comment 15 Neil Horman 2008-09-12 16:59:41 UTC
ok new files for review:
SPEC:
http://nhorman.fedorapeople.org/pam_kcoda.spec
SRPM:
http://nhorman.fedorapeople.org/pam_kcoda-0.4-4.fc8.src.rpm

Comment 16 Gwyn Ciesla 2008-09-12 17:21:46 UTC
pam_kcoda.i386: W: incoherent-version-in-changelog 0.4.3 0.4-4.fc9
The last entry in %changelog contains a version identifier that is not
coherent with the epoch:version-release tuple of the package.

Fix.

pam_kcoda.i386: W: unstripped-binary-or-object /lib/security/pam_kcoda.so

Manually stripping this in the spec should silence this.

Comment 17 Neil Horman 2008-09-12 18:22:48 UTC
Sorted.  New package/spec:

SPEC:
http://nhorman.fedorapeople.org/pam_kcoda.spec
SRPM:
http://nhorman.fedorapeople.org/pam_kcoda-0.4-5.fc8.src.rpm

Comment 18 Gwyn Ciesla 2008-09-12 18:31:35 UTC
Good enough.  Just waiting on legal then.

Comment 19 Neil Horman 2008-09-22 15:34:12 UTC
ping, any update here?

Comment 20 Gwyn Ciesla 2008-09-22 15:43:01 UTC
Still nothing from legal.  ETA on new release?

Comment 21 Neil Horman 2008-09-22 15:59:41 UTC
No, I expect that will be a few weeks, original author indicated he would be traveling for a few weeks.  I'll try to contact him again.

Comment 22 Neil Horman 2008-10-01 15:04:33 UTC
I've heard from the upstream maintainer, who posted a new version with GPLv3 license language.  I've got a package put together here:

SPEC: http://nhorman.fedorapeople.org/pam_kcoda.spec
SRPM: http://nhorman.fedorapeople.org/pam_kcoda-0.5-1.fc8.src.rpm

Clearing legal blocker.

Comment 23 Gwyn Ciesla 2008-10-01 15:13:06 UTC
The source still says GPLv2, as does COPYING.  Changelog in source says GPLv3, though that's a start.  Upstream may want to correct.

pam_kcoda.i386: E: library-not-linked-against-libc /lib/security/pam_kcoda.so
1 packages and 0 specfiles checked; 1 errors, 0 warnings.

Comment 24 Neil Horman 2008-10-01 16:02:11 UTC
Upstream noticed at the same time you did.  New package w/ fixed licensing, and corrected linkage.

SPEC: http://nhorman.fedorapeople.org/pam_kcoda.spec
SRPM: http://nhorman.fedorapeople.org/pam_kcoda-0.5.1-1.fc8.src.rpm

Comment 25 Gwyn Ciesla 2008-10-01 16:31:33 UTC
That, my friend, is hysterical. :)

APPROVED.

Comment 26 Neil Horman 2008-10-01 18:50:36 UTC
Cool Thanks!

New Package CVS Request
=======================
Package Name: pam_kcoda
Short Description: pam module to automate authentication to coda servers
Owners: nhorman
Branches: devel F-9
InitialCC:

Comment 27 Huzaifa S. Sidhpurwala 2008-10-03 06:03:43 UTC
cvs done

Comment 28 Gwyn Ciesla 2009-03-31 13:18:58 UTC
Built, closing.