Bug 509658

Summary: Review Request: h5py - A Python interface to the HDF5 library
Product: [Fedora] Fedora Reporter: Joseph Smidt <josephsmidt>
Component: Package ReviewAssignee: Jason Tibbitts <tibbs>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: fedora-package-review, notting, ravi, tcallawa, terjeros
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-11-03 10:39:11 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 201449    

Description Joseph Smidt 2009-07-04 14:14:26 EDT
Spec URL: http://jsmidt.fedorapeople.org/h5py.spec
SRPM URL: http://jsmidt.fedorapeople.org/h5py-1.2.0-1.fc11.src.rpm

Description: 
Please Review: The h5py package provides both a high- and low-level interface to the HDF5 library from Python. 

rpmlint gives no warnings or errors.

Builds cleanly on f-12:
http://koji.fedoraproject.org/koji/taskinfo?taskID=1454385
Builds cleanly on f-11:
http://koji.fedoraproject.org/koji/taskinfo?taskID=1454390
Builds cleanly on f-10:
http://koji.fedoraproject.org/koji/taskinfo?taskID=1454405
on all archs.
Comment 1 Jason Tibbitts 2009-07-11 01:41:48 EDT
Indeed, this builds fine and rpmlint is silent.

In the source I see four files in the lzf/lzf directory which are dual-licensed 2-clause BSD and GPLv2+.  The h5py authors are supposed to choose one license (or leave it as dual licensed if they want) but then I'm not at all sure how the GPL makes its way into the rest of the code.  The lzf code gets linked directly into h5.so.

I guess I can bother spot again and block FE-Legal.  My best guess is that the license of this code ends up as "BSD and (BSD or GPLv2+)", with h5.so being dual-licensed.

There's an entirely separate question of whether this package should be including the lzf code at all.  It wouldn't be the first package (that honor belongs to php-pecl-lzf) but it sure would be nice if there was some library version of this that things could link against, especially since this code currently has an open security issue.  Actually, I would recommend not importing this package until that issue is fixed. 

I note that you package up all of the tests.  Is there any reason to do so?  Shouldn't those tests be run at build time instead?

* source files match upstream.  sha256sum:         
   4edf35fa6c538c5e9132414061ac18258cf8a1a743fc16db94176657e382c6d7  
   h5py-1.2.0.tar.gz
* package meets naming and versioning guidelines.
* specfile is properly named, is cleanly written and uses macros consistently.
* summary is OK.                                                              
* description is OK.                                                          
* dist tag is present.
* build root is OK.
? unsure about the license tag.
* license is open source-compatible.
* license text included in package.
* latest version is being packaged.
* BuildRequires are proper.
* compiler flags are appropriate.
* %clean is present.
* package builds in mock (rawhide, x86_64).
* package installs properly.
* debuginfo package looks complete.
* rpmlint is silent.
* final provides and requires are sane:
   h5.so()(64bit)
   h5a.so()(64bit)
   h5d.so()(64bit)
   h5e.so()(64bit)
   h5f.so()(64bit)
   h5fd.so()(64bit)
   h5g.so()(64bit)
   h5i.so()(64bit)
   h5l.so()(64bit)
   h5o.so()(64bit)
   h5p.so()(64bit)
   h5r.so()(64bit)
   h5s.so()(64bit)
   h5t.so()(64bit)
   h5z.so()(64bit)
   utils.so()(64bit)
   h5py = 1.2.0-1.fc12
   h5py(x86-64) = 1.2.0-1.fc12
  =
   libgomp.so.1()(64bit)
   libhdf5.so.6()(64bit)
   libpython2.6.so.1.0()(64bit)
   numpy >= 1.0.3
   python(abi) = 2.6

? %check is not present, but a test suite is included.
* owns the directories it creates.
* doesn't own any directories it shouldn't.
* no duplicates in %files.
* file permissions are appropriate.
* no generically named files
* code, not content.
* documentation is small, so no -doc subpackage is necessary.
* %docs are not necessary for the proper functioning of the package.
* no headers.
* no pkgconfig files.
* no static libraries.
* no libtool .la files.

The package review process needs reviewers!  If you haven't done any package
reviews recently, please consider doing one.
Comment 2 Jason Tibbitts 2009-07-29 15:30:52 EDT
Any comments on the above?  We can at least finish up the review while we await input from the legal folks.
Comment 3 Ravikiran Rajagopal 2009-08-10 16:43:09 EDT
The specfile needs to add the command line parameter --api=18 in order to use the features provided by the currently shipping version of HDF5 libraries. Also, use BuildRequires: hdf5-devel >= 1.8.2 for the same reason (though F11 currently ships 1.8.3). Also add Requires: hdf5 >= 1.8.2 for runtime.
Comment 4 Tom "spot" Callaway 2009-08-12 14:20:42 EDT
The proposed License tag of "BSD and (BSD or GPLv2+)" with a comment explaining the situation seems like the correct solution to me. Lifting FE-Legal.
Comment 5 Jason Tibbitts 2009-08-12 14:45:09 EDT
The legal blocker nonwithstanding, there's still been no response to my review commentary in over a month now.  Setting needinfo; I will close this ticket soon if there is no response.
Comment 6 Jason Tibbitts 2009-11-03 10:39:11 EST
Well, close to three months later there's been no response.  I'm closing this out.
Comment 7 Terje Røsten 2010-12-27 08:22:29 EST
Hi Jason,

I submitted h5py 1.3.1 for review, the license issue seems to have been fixed upstream. The review request is here: bug #665853 .
Comment 8 Jason Tibbitts 2010-12-27 10:54:30 EST

*** This bug has been marked as a duplicate of bug 665853 ***