Bug 881443
Summary: | Review Request: uif2iso - Universal Image Format to ISO image file converter | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Mohammed Safwat <Mohammed_ElAfifi> |
Component: | Package Review | Assignee: | Nobody's working on this, feel free to take it <nobody> |
Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | rawhide | CC: | echevemaster, package-review |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2015-02-13 00:00:15 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Mohammed Safwat
2012-11-28 22:27:36 UTC
Hi Mohammed: Initial comments: - Don't use rm -rf $RPM_BUILD_ROOT in %install, only required if build you the package for epel5 - There is a faster way to convert a file from DOS to UNIX : sed -i -e 's/\r$//g' file - The package does not include a license file, and as reflected in the guidelines: "If the source package does not include the text of the license(s), the packager should contact upstream and encourage them to correct this mistake." See https://fedoraproject.org/wiki/Packaging:LicensingGuidelines#License_Text In the source, run licensecheck -r * in the directory src, you'll find the following output: licensecheck -r * 3way.c: GPL (v2 or later) bf_tab.h: *No copyright* UNKNOWN blowfish.c: GPL (v2 or later) blowfish.h: *No copyright* UNKNOWN Bra86.c: *No copyright* UNKNOWN Bra.h: *No copyright* UNKNOWN des.c: LGPL (v2.1) des.h: *No copyright* UNKNOWN dunno.c: GPL (v2 or later) gost.c: GPL (v2 or later) idea.c: MIT/X11 (BSD like) GPL (v2 or later) loki91.c: GPL (v2 or later) loki.h: GPL (v2 or later) LzmaDec.c: *No copyright* UNKNOWN LzmaDec.h: *No copyright* UNKNOWN magiciso_is_shit.h: GPL (v2 or later) rc5.c: GPL (v2 or later) seal.c: GPL (v2 or later) Types.h: *No copyright* UNKNOWN uif2iso.c: GPL (v2 or later) In my experience, when there are many licenses involved in the upstream source files and these licenses do not apply to your own source, is clear indication that may contain bundled libs or bundled files See https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries In some of these files, I see upstream comments */ // modified by Luigi Auriemma for emulating the shameful customizations of Magic ISO /* Check these files to see if these incurred in the policy "no bundled lib" - Please remove uif2iso.exe Regards A quick way to check would be to: repoquery --whatprovides expression and in case the header or source file is in Fedora patch the Makefile to build against them, otherwise build the devel package containing these files. Moreover, if the library or archive are drastically modified, you can ask for an exception to the FPC Hi Eduardo, Thank you for your thorough review. I've worked through all your comments as follows: - I removed rm -rf $RPM_BUILD_ROOT in %install; it was initially generated by rpmdev-newspec. - I'm skeptic about using sed -i -e 's/\r$//g' file for DOS to UNIX conversion as it changes the original file timestamp. The three-line way of doing this preserves the file timestamp. - For licensing issues I've analyzed all the source files to see to which library(if any) each belongs. I've concluded the following results. 3way.c, rc5.c: unidentified source bf_tab.h, blowfish.c, blowfish.h: publicly available source code from http://www.di-mgt.com.au/crypto.html Bra86.c, Bra.h, LzmaDec.h, LzmaDec.c, Types.h: from lzma-sdk-devel RPM package in fedora des.c, des.h: publicly available source code from http://www.mobilec.org/ gost.c: modified from the files provided by libmcrypt RPM package in fedora idea.c: from the book Applied Cryptography. John Wiley & Sons, 1996. ISBN 0-471-11709-9. . by Bruce Schneier: (implements a patented algorithm) dunno.c, magiciso_is_shit.h, uif2iso.c: authentic sources(by uif2iso upstream themselves) loki91.c, loki.h: publicly available source code from http://www.mavi1.org/web_security/cryptography/aes-testing/loki/ seal.c: publicly available source code from http://www.mavi1.org/web_security/cryptography/General/ I've created a patch to modify the Makefile and related source files to reference the lzmasdk library(in lzma-sdk-devel library). In the case of the modified libmcrypt sources, I compared it with the sources from libmcrypt SRPM and I found huge changes. This's something I'm going to consult upstream about. I might then appeal to the FPC for an exception for libmcrypt in this package. - For uif2iso.exe, it's part of the original source zip archive and I don't know if I'm allowed to alter the original archive used to build the package. uif2iso.exe doesn't appear in any of the produced RPM packages either. Anyway I added rm uif2iso.exe in %prep to make sure it no longer exists. I've sent an email upstream asking them to include the text of the GPLv2+ license. I've also asked in the email if they can point me to libraries from which they used the source files I couldn't recognize whose original source. Finally I asked them about the version of libmcrypt they based their work and modifications on. I'm going to wait for a few days for their response. I'll then post the URL's for the fixed SPEC and SRPM files. Thanks again for your efforts and the hints you provided. OK. I received the upstream response and they identified the sources uif2iso is built upon. Most of the sources are derived from public domain sources as indicated above. Hence I'm going to package the files as follows: - Bra86.c, Bra.h, LzmaDec.h, LzmaDec.c, Types.h: to be replaced by a link to lzmasdk provided by fedora - gost.c: I'll ask the FPC for an exception to include that file into a devel subpackage as it's modified from libmcrypt available in fedora. - dunno.c, magiciso_is_shit.h, uif2iso.c: will go to the main package - All other files will go to the devel subpackage. I'll wait to see how the exception request will go and I'll update the SPEC and SRPM accordingly. Ok, Mohammed then we wait for the response of FPC on the case, and I'll take the review Regards Fine, it seems my request at https://fedorahosted.org/fpc/ticket/235 is stalled; I'm stuck now. :( Don't worry, a exception from FPC normally takes some time. |