Bug 669858

Summary: Review Request: signpost-core - A simple, light-weight, and modular OAuth client library for the Java platform
Product: [Fedora] Fedora
Reporter: Cédric OLIVIER <cedric.olivier>
Component: Package Review
Assignee: David Nalley <david>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact:
Priority: medium
Version: rawhide
CC: akurtako, david, fedora-package-review, notting
Target Milestone: ---
Flags: david: fedora-review+, gwync: fedora-cvs+
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: signpost-core-1.2.1.1-4.fc14
Doc Type: Bug Fix
Last Closed: 2011-02-04 19:50:58 UTC
Type: ---

Description Cédric OLIVIER 2011-01-15 06:15:43 UTC
Spec URL: http://cedric.olivier.free.fr/rpms/signpost-core-1.2.1.1/signpost-core.spec
SRPM URL: http://cedric.olivier.free.fr/rpms/signpost-core-1.2.1.1/signpost-core-1.2.1.1-1.fc13.src.rpm

Description: Signpost is the easy and intuitive solution for signing HTTP messages on the Java platform in conformance with the OAuth Core 1.0a standard.
Signpost follows a modular and flexible design, allowing you to combine it with
different HTTP messaging layers.

rpmlint output on signpost-core-1.2.1.1-1.fc13.src.rpm :
signpost-core.src: W: strange-permission signpost-core-generate-tarball.sh 0775L
signpost-core.src: W: invalid-url Source0: signpost-core-1.2.1.1.tar.gz
1 packages and 0 specfiles checked; 0 errors, 2 warnings.

signpost-core-generate-tarball.sh is used to check out the source files.

rpmlint output on installed package :
signpost-core.noarch: W: no-documentation
1 packages and 0 specfiles checked; 0 errors, 1 warnings.

I have requested upstream to add a license file:
http://code.google.com/p/oauth-signpost/issues/detail?id=64

Comment 1 Alexander Kurtakov 2011-01-15 15:34:07 UTC
According to the current Java packaging guidelines http://fedoraproject.org/wiki/Packaging:Java there shouldn't be a versioned jar and javadoc, so as not to pollute directories needlessly.

Comment 2 Cédric OLIVIER 2011-01-16 07:23:07 UTC
Spec URL:
http://cedric.olivier.free.fr/rpms/signpost-core-1.2.1.1-2/signpost-core.spec
SRPM URL:
http://cedric.olivier.free.fr/rpms/signpost-core-1.2.1.1-2/signpost-core-1.2.1.1-2.fc13.src.rpm

Thanks a lot for this comment. I don't understand why I was installing a versioned jar and making a symlink for name-version to name. It is now corrected for this package. I was making the same mistake in some other packages, which are now corrected as well.

Comment 3 Cédric OLIVIER 2011-01-16 08:02:13 UTC
Spec URL:
http://cedric.olivier.free.fr/rpms/signpost-core-1.2.1.1-3/signpost-core.spec
SRPM URL:
http://cedric.olivier.free.fr/rpms/signpost-core-1.2.1.1-3/signpost-core-1.2.1.1-3.fc13.src.rpm

Some other things I have corrected now:
- Remove unneeded clean section (A %clean section containing only "rm -rf $RPM_BUILD_ROOT" is no longer needed)
- Remove unneeded requires in javadoc section

Comment 4 David Nalley 2011-01-23 20:37:25 UTC
Package Review
==============

Key:
- = N/A
x = Check
! = Problem
? = Not evaluated

=== REQUIRED ITEMS ===
[X]  Rpmlint output:
[ke4qqq@L1012001 SPECS]$ rpmlint ./signpost-core.spec ../SRPMS/signpost-core-1.2.1.1-3.fc14.src.rpm ../RPMS/noarch/signpost-core-*
./signpost-core.spec: W: invalid-url Source0: signpost-core-1.2.1.1.tar.gz
signpost-core.src: W: strange-permission signpost-core-generate-tarball.sh 0775L
signpost-core.src: W: invalid-url Source0: signpost-core-1.2.1.1.tar.gz
signpost-core.noarch: W: no-documentation
3 packages and 1 specfiles checked; 0 errors, 4 warnings.
[X]  Package is named according to the Package Naming Guidelines[1].
So I've marked this OK - Part of me thinks that this should really be signpost with subpackages for (or not, have signpost be core) and things like signpost-jetty be a subpackage of the same srpm. 

[X]  Spec file name must match the base package name, in the format %{name}.spec.
[X]  Package meets the Packaging Guidelines[2].
[X]  Package successfully compiles and builds into binary rpms.
[ ]  Buildroot definition is not present
[X]  Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines[3,4].
[X]  License field in the package spec file matches the actual license.
License type:
[-]  If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %doc.
[-]  All independent sub-packages have license of their own
[X]  Spec file is legible and written in American English.
[-]  Sources used to build the package matches the upstream source, as provided in the spec URL.
I think the shell script is probably a bit overkill - regardless - I'd prefer to see the 'why' (which I think is justified) explained a bit more in the spec. I noted that as a required fix below.
MD5SUM this package    :
MD5SUM upstream package:

I am marking NA here as the method you've used to generate your tarballs is essentially unverifiable via this means. A different md5sum is generated every time the source is downloaded.
[X]  All build dependencies are listed in BuildRequires, except for any that are listed in the exceptions section of Packaging Guidelines[5].
[X]  Package must own all directories that it creates.
[-]  Package requires other packages for directories it uses.
[X]  Package does not contain duplicates in %files.
[X]  Permissions on files are set properly.
[-]  Package does NOT have a %clean section which contains rm -rf %{buildroot} (or $RPM_BUILD_ROOT). (not needed anymore)
[X]  Package consistently uses macros (no %{buildroot} and $RPM_BUILD_ROOT mixing)
[X]  Package contains code, or permissible content.
[!]  Fully versioned dependency in subpackages, if present.  
I think the javadoc package needs a versioned dep on the subpackage. 
[-]  Package contains a properly installed %{name}.desktop file if it is a GUI application.
[X]  Package does not own files or directories owned by other packages.
[X]  Javadoc documentation files are generated and included in -javadoc subpackage
[X]  Javadocs are placed in %{_javadocdir}/%{name} (no -%{version} symlinks)
[X]  Packages have proper BuildRequires/Requires on jpackage-utils
[X]  Javadoc subpackages have Require: jpackage-utils
[-]  Package uses %global not %define
[!]  If package uses tarball from VCS include comment how to re-create that tarball (svn export URL, git clone URL, ...)
[-]  If source tarball includes bundled jar/class files these need to be removed prior to building
[X]  All filenames in rpm packages must be valid UTF-8.
[X]  Jar files are installed to %{_javadir}/%{name}.jar (see [6] for details)
[!]  If package contains pom.xml files install it (including depmaps) even when building with ant
I don't see this installed
[?]  pom files have correct add_to_maven_depmap call which resolves to the pom file (use "JPP." and "JPP-" correctly)

=== Other suggestions ===
[?]  If possible use upstream build method (maven/ant/javac)
[X]  Avoid having BuildRequires on exact NVR unless necessary
[X]  Package has BuildArch: noarch (if possible)
[X]  Latest version is packaged.
[X]  Reviewer should test that the package builds in mock.
Tested on:
http://koji.fedoraproject.org/koji/taskinfo?taskID=2738464
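
The verification gap noted in the review above (a tarball regenerated from a VCS checkout never matches by md5sum) can be narrowed by comparing the archived tree instead of the archive file. The following is an added example, not part of the original comment or of the package under review; the sample tree, file names and helper functions are constructed for illustration.

```python
import hashlib
import io
import tarfile

# Constructed sample tree; file names and contents are placeholders.
SAMPLE = {
    "pkg-1.0/build.xml": b"<project name='pkg'/>\n",
    "pkg-1.0/src/Main.java": b"class Main {}\n",
}

def make_tarball(files, mtime):
    """Stand-in for one run of a tarball-generating script (hypothetical helper)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def file_digest(blob):
    """Whole-file digest: what md5sum/sha256sum on the tarball reports."""
    return hashlib.sha256(blob).hexdigest()

def tree_digest(blob):
    """Digest of paths, types, exec bits and contents; ignores mtime, order, gzip."""
    entries = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for m in tar:
            if m.isfile():
                body = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
                kind = "exec" if m.mode & 0o111 else "file"
            elif m.issym():
                kind, body = "symlink", m.linkname
            elif m.isdir():
                kind, body = "dir", ""
            else:
                raise ValueError(f"unsupported member type: {m.name}")
            entries.append((m.name.rstrip("/"), kind, body))
    h = hashlib.sha256()
    for name, kind, body in sorted(entries):
        h.update(f"{kind}\0{name}\0{body}\n".encode())
    return h.hexdigest()

def compare_runs():
    """Two runs over the same tree (different mtime and order), plus a modified tree."""
    run_a = make_tarball(SAMPLE, mtime=1295000000)
    run_b = make_tarball(dict(reversed(list(SAMPLE.items()))), mtime=1295600000)
    changed = make_tarball({**SAMPLE, "pkg-1.0/build.xml": b"<project/>\n"}, 1295000000)
    return (file_digest(run_a) == file_digest(run_b),
            tree_digest(run_a) == tree_digest(run_b),
            tree_digest(run_a) == tree_digest(changed))
```

The tree digest only matches across runs when the checkout is pinned to the same tag or commit, so the command recorded in the spec needs to name one.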

Comment 5 Cédric OLIVIER 2011-01-25 19:00:51 UTC
Thanks a lot for this review.

Spec URL:
http://cedric.olivier.free.fr/rpms/signpost-core-1.2.1.1-4/signpost-core.spec
SRPM URL:
http://cedric.olivier.free.fr/rpms/signpost-core-1.2.1.1-4/signpost-core-1.2.1.1-4.fc13.src.rpm


[!]  Fully versioned dependency in subpackages, if present.  
I think the javadoc package needs a versioned dep on the subpackage. 
-> Requirement added in javadoc section.

[!]  If package uses tarball from VCS include comment how to re-create that
tarball (svn export URL, git clone URL, ...)
-> Comment added in spec file with git command used

[!]  If package contains pom.xml files install it (including depmaps) even when
building with ant
I don't see this installed
-> There is a pom.xml, but it isn't used. I have created a build.xml from scratch because the upstream pom.xml requires a recent maven version which is not available in F-13 and EPEL. So I think it is not necessary to install a pom.xml which is not usable.

Comment 6 David Nalley 2011-01-26 13:06:57 UTC
OK, this looks good to me.

APPROVED

Comment 7 Cédric OLIVIER 2011-01-26 18:59:48 UTC
New Package SCM Request
=======================
Package Name: signpost-core
Short Description: A simple, light-weight, and modular OAuth client library for the Java platform
Owners: cquad
Branches: f13 f14
InitialCC:

Comment 8 Jason Tibbitts 2011-01-26 19:24:18 UTC
Git done (by process-git-requests).

Comment 9 Fedora Update System 2011-01-26 20:22:58 UTC
signpost-core-1.2.1.1-4.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/signpost-core-1.2.1.1-4.fc14

Comment 10 Fedora Update System 2011-01-26 20:27:37 UTC
signpost-core-1.2.1.1-4.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/signpost-core-1.2.1.1-4.fc13

Comment 11 Fedora Update System 2011-01-27 20:56:53 UTC
signpost-core-1.2.1.1-4.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update signpost-core'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/signpost-core-1.2.1.1-4.fc14

Comment 12 Fedora Update System 2011-02-04 19:50:54 UTC
signpost-core-1.2.1.1-4.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2011-02-04 19:51:20 UTC
signpost-core-1.2.1.1-4.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Cédric OLIVIER 2014-11-20 18:09:21 UTC
Package Change Request
======================
Package Name: signpost-core
New Branches: epel7
Owners: cquad mcepl

Comment 15 Gwyn Ciesla 2014-11-20 18:14:36 UTC
Git done (by process-git-requests).