Bug 881443

Hi Mohammed:

Initial comments: 

- Don't use rm -rf $RPM_BUILD_ROOT in %install, only required if build you the package for epel5

- There is a faster way to convert a file from DOS to UNIX : 
sed -i -e 's/\r$//g' file 

- The package does not include a license file, and as reflected in the guidelines: 
"If the source package does not include the text of the license(s), the packager should contact upstream and encourage them to correct this mistake."

See https://fedoraproject.org/wiki/Packaging:LicensingGuidelines#License_Text

In the source, run licensecheck -r * in the directory src, 

you'll find the following output:

licensecheck -r *
3way.c: GPL (v2 or later)
bf_tab.h: *No copyright* UNKNOWN
blowfish.c: GPL (v2 or later)
blowfish.h: *No copyright* UNKNOWN
Bra86.c: *No copyright* UNKNOWN
Bra.h: *No copyright* UNKNOWN
des.c: LGPL (v2.1)
des.h: *No copyright* UNKNOWN
dunno.c: GPL (v2 or later)
gost.c: GPL (v2 or later)
idea.c: MIT/X11 (BSD like) GPL (v2 or later)
loki91.c: GPL (v2 or later)
loki.h: GPL (v2 or later)
LzmaDec.c: *No copyright* UNKNOWN
LzmaDec.h: *No copyright* UNKNOWN
magiciso_is_shit.h: GPL (v2 or later)
rc5.c: GPL (v2 or later)
seal.c: GPL (v2 or later)
Types.h: *No copyright* UNKNOWN
uif2iso.c: GPL (v2 or later)

In my experience, when there are many licenses involved in the upstream source files and these licenses do not apply to your own source, is clear indication that may contain bundled libs or bundled files

See https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries

In some of these files, I see upstream comments

*/
// modified by Luigi Auriemma for emulating the shameful customizations of Magic
ISO
/*

Check these files to see if these incurred in the policy "no bundled lib"

- Please remove uif2iso.exe

Regards

A quick way to check would be to:

repoquery --whatprovides expression

and in case the header or source file is in Fedora patch the Makefile to build against them, otherwise build the devel package containing these files. Moreover, if the library or archive are drastically modified, you can ask for an exception to the FPC

Hi Eduardo,

Thank you for your thorough review. I've worked through all your comments as follows:

- I removed rm -rf $RPM_BUILD_ROOT in %install; it was initially generated by rpmdev-newspec.

- I'm skeptic about using
sed -i -e 's/\r$//g' file
for DOS to UNIX conversion as it changes the original file timestamp. The three-line way of doing this preserves the file timestamp.

- For licensing issues
I've analyzed all the source files to see to which library(if any) each belongs. I've concluded the following results.
3way.c, rc5.c: unidentified source
bf_tab.h, blowfish.c, blowfish.h: publicly available source code from http://www.di-mgt.com.au/crypto.html
Bra86.c, Bra.h, LzmaDec.h, LzmaDec.c, Types.h: from lzma-sdk-devel RPM package in fedora
des.c, des.h: publicly available source code from http://www.mobilec.org/
gost.c: modified from the files provided by libmcrypt RPM package in fedora
idea.c: from the book Applied Cryptography. John Wiley & Sons, 1996. ISBN 0-471-11709-9. . by Bruce Schneier: (implements a patented algorithm)
dunno.c, magiciso_is_shit.h, uif2iso.c: authentic sources(by uif2iso upstream themselves)
loki91.c, loki.h: publicly available source code from http://www.mavi1.org/web_security/cryptography/aes-testing/loki/
seal.c: publicly available source code from http://www.mavi1.org/web_security/cryptography/General/

I've created a patch to modify the Makefile and related source files to reference the lzmasdk library(in lzma-sdk-devel library). In the case of the modified libmcrypt sources, I compared it with the sources from libmcrypt SRPM and I found huge changes. This's something I'm going to consult upstream about. I might then appeal to the FPC for an exception for libmcrypt in this package.

- For uif2iso.exe, it's part of the original source zip archive and I don't know if I'm allowed to alter the original archive used to build the package. uif2iso.exe doesn't appear in any of the produced RPM packages either. Anyway I added rm uif2iso.exe in %prep to make sure it no longer exists.

I've sent an email upstream asking them to include the text of the GPLv2+ license. I've also asked in the email if they can point me to libraries from which they used the source files I couldn't recognize whose original source. Finally I asked them about the version of libmcrypt they based their work and modifications on. I'm going to wait for a few days for their response. I'll then post the URL's for the fixed SPEC and SRPM files.

Thanks again for your efforts and the hints you provided.

OK. I received the upstream response and they identified the sources uif2iso is built upon. Most of the sources are derived from public domain sources as indicated above. Hence I'm going to package the files as follows:

- Bra86.c, Bra.h, LzmaDec.h, LzmaDec.c, Types.h: to be replaced by a link to lzmasdk provided by fedora
- gost.c: I'll ask the FPC for an exception to include that file into a devel subpackage as it's modified from libmcrypt available in fedora.
- dunno.c, magiciso_is_shit.h, uif2iso.c: will go to the main package
- All other files will go to the devel subpackage.

I'll wait to see how the exception request will go and I'll update the SPEC and SRPM accordingly.

Ok, Mohammed then we wait for the response of FPC on the case, and I'll take the review 
Regards

Fine, it seems my request at https://fedorahosted.org/fpc/ticket/235 is stalled; I'm stuck now. :(

Don't worry, a exception from FPC normally takes some time.