Bug 498203

Summary: Review Request: perl-YAML-LibYAML - YAML::LibYAML Perl module
Product: [Fedora] Fedora
Reporter: Marcela Mašláňová <mmaslano>
Component: Package Review
Assignee: Parag AN(पराग) <panemade>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: rawhide
CC: fedora-package-review, notting, panemade, ppisar, tremble
Flags: panemade: fedora-review+, tibbs: fedora-cvs+
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-05-04 08:25:25 UTC
Bug Blocks: 498204

Description Marcela Mašláňová 2009-04-29 13:00:54 UTC
Spec URL: http://mmaslano.fedorapeople.org/review/perl-YAML-LibYAML.spec
SRPM URL: http://mmaslano.fedorapeople.org/review/perl-YAML-LibYAML-0.32-1.fc11.src.rpm
Description:
Kirill Siminov's "libyaml" is arguably the best YAML
implementation. The C library is written precisely to the YAML 1.1
specification. It was originally bound to Python and was later
bound to Ruby.

Comment 1 Parag AN(पराग) 2009-04-29 15:42:37 UTC
Review:
+ package builds in mock (rawhide i586).
koji Build => http://koji.fedoraproject.org/koji/taskinfo?taskID=1328734
+ rpmlint is silent for SRPM and for RPM.
+ source files match upstream url
7a8b9258a311e52d0938744ad2ddfc4d  YAML-LibYAML-0.32.tar.gz

Build failed.
Add BR:perl-Test-More

Comment 2 Marcela Mašláňová 2009-04-29 16:43:34 UTC
You are fast, thank you.

http://koji.fedoraproject.org/koji/taskinfo?taskID=1328927

Comment 4 Parag AN(पराग) 2009-04-29 16:59:17 UTC
+ make test gave
All tests successful.
Files=25, Tests=254,  4 wallclock secs ( 0.08 usr  0.03 sys +  3.47 cusr  0.39 csys =  3.97 CPU)
+ Package perl-YAML-LibYAML-0.32-2.fc12.i586 =>
  Provides: LibYAML.so perl(YAML::LibYAML) = 0.18 perl(YAML::XS) = 0.32 perl(YAML::XS::LibYAML)
Requires: libc.so.6 libc.so.6(GLIBC_2.0) libc.so.6(GLIBC_2.1.3) libc.so.6(GLIBC_2.3.4) perl >= 0:5.008003 perl(B::Deparse) perl(XSLoader) perl(YAML::XS::LibYAML) perl(base) perl(constant) perl(strict) perl(warnings) rtld(GNU_HASH)

APPROVED.

Comment 5 Marcela Mašláňová 2009-04-30 06:09:37 UTC
New Package CVS Request
=======================
Package Name: perl-YAML-LibYAML
Short Description: YAML Serialization using XS and libyaml
Owners: mmaslano
Branches: F-11
InitialCC: perl-sig

Comment 6 Dennis Gilmore 2009-05-01 21:02:06 UTC
CVS Done

Comment 7 Mark Chappell 2010-07-01 12:58:54 UTC
Package Change Request
======================
Package Name: perl-YAML-LibYAML
New Branches: EL-6
Owners: tremble    
   

https://bugzilla.redhat.com/show_bug.cgi?id=609807
+
IRC : 
13:42 <marca_> do you need my help or can you take them in EPEL?
13:42 <tremble> I'm quite happy to take them in EPEL, just need your approval as the Fedora owner
13:43 <marca_> ok, so I only write into bz comment
13:43 <tremble> Ok
13:44 <tremble> Would you prefer to be in there as a co-owner or would you rather just leave the EL branches to me?
13:45  * tremble thanks you.
13:45 <marca_> no, I don't have time for EL. Take it

Comment 8 Jason Tibbitts 2010-07-01 17:33:21 UTC
CVS done (by process-cvs-requests.py).

Comment 9 Petr Pisar 2014-03-27 07:27:51 UTC
Perl YAML-LibYAML bundles libyaml.

lib/YAML/XS.pm:

> Kirill Siminov's C<libyaml> is arguably the best YAML implementation.
> The C library is written precisely to the YAML 1.1 specification. It was
> originally bound to Python and was later bound to Ruby.
>
> This module is a Perl XS binding to libyaml which offers Perl the best
> YAML support to date.

However, this is not just a binding. This is pure bundling, because the LibYAML directory copies the yaml sources:

$ find -name '*.c' -o -name '*.h'
./LibYAML/yaml_private.h
./LibYAML/yaml.h
./LibYAML/parser.c
./LibYAML/writer.c
./LibYAML/scanner.c
./LibYAML/perl_libyaml.h
./LibYAML/dumper.c
./LibYAML/loader.c
./LibYAML/api.c
./LibYAML/perl_libyaml.c
./LibYAML/emitter.c
./LibYAML/config.h
./LibYAML/ppport_sort.h
./LibYAML/ppport.h
./LibYAML/reader.c

How is it possible that this review passed?

Comment 10 Parag AN(पराग) 2014-03-27 12:23:42 UTC
Just wonder then how this can be detected in Automated Review Server???

Looks like the above is related to recently filed security bugs.

Comment 11 Petr Pisar 2014-03-27 13:04:41 UTC
(In reply to Parag AN(पराग) from comment #10)
> Just wonder then how this can be detected in Automated Review Server???
> 
If bundled code does not mangle function names, one can check symbols from debuginfo against exported symbols from system libraries.

Or one can check compilation source file names or compilation unit names between debuginfo packages. I've already received a bug report based on this heuristic.

However, this is the reason why the Automated Review Server, whatever it is, will never supersede a human reviewer, and thus I believe Fedora will always require human reviews.

> Looks like the above is related to recently filed security bugs.

Yes.
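
The two heuristics from comment 11, as an added example that is not part of the original thread or of any Fedora tooling: it compares symbols a module defines against those a system library exports, and compares compilation unit file names. The `nm` listings, XS symbol names, addresses and the library unit list are constructed for illustration; the module unit paths are taken from comment 9.

```python
import os
import re

NM_LINE = re.compile(r"^[0-9a-fA-F]+\s+([A-Za-z])\s+(\S+)$")

def defined_symbols(nm_text, kinds="TtDdBbRrWwVv"):
    """Symbol names defined in an object, parsed from `nm` output text."""
    names = set()
    for line in nm_text.splitlines():
        m = NM_LINE.match(line.strip())      # undefined (U) lines have no address
        if m and m.group(1) in kinds:
            names.add(m.group(2).split("@")[0])   # drop any @@VERSION suffix
    return names

def bundled_symbols(module_nm, library_nm):
    """Names the module defines itself that a system library also exports."""
    exported = defined_symbols(library_nm, kinds="TDBRWV")   # global symbols only
    shared = defined_symbols(module_nm) & exported
    # _init, _fini, __bss_start and friends exist in every shared object.
    return sorted(s for s in shared if not s.startswith("_"))

def shared_units(module_units, library_units):
    """Compilation unit file names present in both debuginfo listings."""
    base = lambda paths: {os.path.basename(p) for p in paths}
    return sorted(base(module_units) & base(library_units))

# Constructed sample: `nm --defined-only` run on the module's debuginfo.
MODULE_NM = """\
0000000000001000 T _init
0000000000004a10 T boot_YAML__XS__LibYAML
0000000000005200 T XS_YAML__XS__LibYAML_Load
0000000000007c30 t yaml_parser_initialize
0000000000007d80 t yaml_parser_parse
0000000000009100 t yaml_emitter_emit
                 U malloc
"""
# Constructed sample: `nm -D --defined-only` run on the system libyaml.
LIBRARY_NM = """\
0000000000002000 T _init
0000000000003f50 T yaml_parser_initialize
0000000000004100 T yaml_parser_parse
0000000000006200 T yaml_emitter_emit
0000000000006900 T yaml_get_version_string
"""
# Module units as listed in comment 9; the library units are an assumed listing.
MODULE_UNITS = ["./LibYAML/parser.c", "./LibYAML/scanner.c", "./LibYAML/perl_libyaml.c"]
LIBRARY_UNITS = ["src/parser.c", "src/scanner.c", "src/api.c"]

if __name__ == "__main__":
    print(bundled_symbols(MODULE_NM, LIBRARY_NM))
    print(shared_units(MODULE_UNITS, LIBRARY_UNITS))
```

File names such as parser.c also match by chance between unrelated projects, so a hit from either function is a lead for a human reviewer rather than proof of bundling.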

Comment 12 Parag AN(पराग) 2014-03-27 13:30:34 UTC
Petr,

I just checked the package and found it's bundling the source of libyaml, which should have been checked at the time of the initial package review but looks like it got overlooked.

Should this need a FESCo ticket for an exception? If not, then this package needs to be dropped.

Comment 13 Petr Pisar 2014-03-27 13:55:23 UTC
We will try to unbundle it.