Bug 881443

Summary: Review Request: uif2iso - Universal Image Format to ISO image file converter
Product: [Fedora] Fedora Reporter: Mohammed Safwat <Mohammed_ElAfifi>
Component: Package ReviewAssignee: Nobody's working on this, feel free to take it <nobody>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: echevemaster, package-review
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-02-13 00:00:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Mohammed Safwat 2012-11-28 22:27:36 UTC
Spec URL: http://msk61.fedorapeople.org/uif2iso/uif2iso.spec
SRPM URL: http://msk61.fedorapeople.org/uif2iso/uif2iso-0.1.7c-1.fc17.src.rpm
Description: The uif2iso project is a program for converting the UIF files (Universal Image Format, used by MagicISO) to uncompressed images depending by the input file type: ISO, BIN/CUE, MDS/MDF, CCD/IMG/SUB and NRG.
Fedora Account System Username: msk61

Some notes to highlight:
- The file uif2iso.txt is part of the pristine source zip package. This file contains information about the tool, input image formats it handles, output image formats it produce, as well as nots for compiling the tool on *nix systems and even usage on windows. So far I'm shipping the file as is, but don't know if I should create a patch to remove irrelevant information from the file.

Comment 1 Eduardo Echeverria 2012-11-29 07:06:18 UTC
Hi Mohammed:

Initial comments: 

- Don't use rm -rf $RPM_BUILD_ROOT in %install, only required if build you the package for epel5

- There is a faster way to convert a file from DOS to UNIX : 
sed -i -e 's/\r$//g' file 

- The package does not include a license file, and as reflected in the guidelines: 
"If the source package does not include the text of the license(s), the packager should contact upstream and encourage them to correct this mistake."

See https://fedoraproject.org/wiki/Packaging:LicensingGuidelines#License_Text

In the source, run licensecheck -r * in the directory src, 

you'll find the following output:

licensecheck -r *
3way.c: GPL (v2 or later)
bf_tab.h: *No copyright* UNKNOWN
blowfish.c: GPL (v2 or later)
blowfish.h: *No copyright* UNKNOWN
Bra86.c: *No copyright* UNKNOWN
Bra.h: *No copyright* UNKNOWN
des.c: LGPL (v2.1)
des.h: *No copyright* UNKNOWN
dunno.c: GPL (v2 or later)
gost.c: GPL (v2 or later)
idea.c: MIT/X11 (BSD like) GPL (v2 or later)
loki91.c: GPL (v2 or later)
loki.h: GPL (v2 or later)
LzmaDec.c: *No copyright* UNKNOWN
LzmaDec.h: *No copyright* UNKNOWN
magiciso_is_shit.h: GPL (v2 or later)
rc5.c: GPL (v2 or later)
seal.c: GPL (v2 or later)
Types.h: *No copyright* UNKNOWN
uif2iso.c: GPL (v2 or later)

In my experience, when there are many licenses involved in the upstream source files and these licenses do not apply to your own source, is clear indication that may contain bundled libs or bundled files

See https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries

In some of these files, I see upstream comments

// modified by Luigi Auriemma for emulating the shameful customizations of Magic

Check these files to see if these incurred in the policy "no bundled lib"

- Please remove uif2iso.exe


Comment 2 Eduardo Echeverria 2012-11-29 07:24:50 UTC
A quick way to check would be to:

repoquery --whatprovides expression

and in case the header or source file is in Fedora patch the Makefile to build against them, otherwise build the devel package containing these files. Moreover, if the library or archive are drastically modified, you can ask for an exception to the FPC

Comment 3 Mohammed Safwat 2012-11-30 16:26:45 UTC
Hi Eduardo,

Thank you for your thorough review. I've worked through all your comments as follows:

- I removed rm -rf $RPM_BUILD_ROOT in %install; it was initially generated by rpmdev-newspec.

- I'm skeptic about using
sed -i -e 's/\r$//g' file
for DOS to UNIX conversion as it changes the original file timestamp. The three-line way of doing this preserves the file timestamp.

- For licensing issues
I've analyzed all the source files to see to which library(if any) each belongs. I've concluded the following results.
3way.c, rc5.c: unidentified source
bf_tab.h, blowfish.c, blowfish.h: publicly available source code from http://www.di-mgt.com.au/crypto.html
Bra86.c, Bra.h, LzmaDec.h, LzmaDec.c, Types.h: from lzma-sdk-devel RPM package in fedora
des.c, des.h: publicly available source code from http://www.mobilec.org/
gost.c: modified from the files provided by libmcrypt RPM package in fedora
idea.c: from the book Applied Cryptography. John Wiley & Sons, 1996. ISBN 0-471-11709-9. . by Bruce Schneier: (implements a patented algorithm)
dunno.c, magiciso_is_shit.h, uif2iso.c: authentic sources(by uif2iso upstream themselves)
loki91.c, loki.h: publicly available source code from http://www.mavi1.org/web_security/cryptography/aes-testing/loki/
seal.c: publicly available source code from http://www.mavi1.org/web_security/cryptography/General/

I've created a patch to modify the Makefile and related source files to reference the lzmasdk library(in lzma-sdk-devel library). In the case of the modified libmcrypt sources, I compared it with the sources from libmcrypt SRPM and I found huge changes. This's something I'm going to consult upstream about. I might then appeal to the FPC for an exception for libmcrypt in this package.

- For uif2iso.exe, it's part of the original source zip archive and I don't know if I'm allowed to alter the original archive used to build the package. uif2iso.exe doesn't appear in any of the produced RPM packages either. Anyway I added rm uif2iso.exe in %prep to make sure it no longer exists.

I've sent an email upstream asking them to include the text of the GPLv2+ license. I've also asked in the email if they can point me to libraries from which they used the source files I couldn't recognize whose original source. Finally I asked them about the version of libmcrypt they based their work and modifications on. I'm going to wait for a few days for their response. I'll then post the URL's for the fixed SPEC and SRPM files.

Thanks again for your efforts and the hints you provided.

Comment 4 Mohammed Safwat 2012-12-02 00:14:15 UTC
OK. I received the upstream response and they identified the sources uif2iso is built upon. Most of the sources are derived from public domain sources as indicated above. Hence I'm going to package the files as follows:

- Bra86.c, Bra.h, LzmaDec.h, LzmaDec.c, Types.h: to be replaced by a link to lzmasdk provided by fedora
- gost.c: I'll ask the FPC for an exception to include that file into a devel subpackage as it's modified from libmcrypt available in fedora.
- dunno.c, magiciso_is_shit.h, uif2iso.c: will go to the main package
- All other files will go to the devel subpackage.

I'll wait to see how the exception request will go and I'll update the SPEC and SRPM accordingly.

Comment 5 Eduardo Echeverria 2012-12-02 02:23:31 UTC
Ok, Mohammed then we wait for the response of FPC on the case, and I'll take the review 

Comment 6 Mohammed Safwat 2013-01-05 11:53:32 UTC
Fine, it seems my request at https://fedorahosted.org/fpc/ticket/235 is stalled; I'm stuck now. :(

Comment 7 Eduardo Echeverria 2013-01-05 17:31:46 UTC
Don't worry, a exception from FPC normally takes some time.