Spec URL: http://people.redhat.com/vgoyal/ima-evm-utils/ima-evm-utils.spec
SRPM URL: http://people.redhat.com/vgoyal/ima-evm-utils/ima-evm-utils-0.6-1.fc19.src.rpm
Description: Hi, I just finished packaging ima-evm-utils. I would appreciate it if it can be reviewed for inclusion in Fedora 20. These utilities will help sign a binary and store its signature in the security.ima xattr, and these signatures can be verified at run time. IMA is designed to do a lot more, but the above is the primary use case I am interested in right now.
Fedora Account System Username: vgoyal
Here is the rpmlint report.
$ rpmlint ima-evm-utils.spec ../RPMS/*/ima-evm-utils*.rpm ../SRPMS/ima-evm-utils*.rpm
ima-evm-utils.spec: W: invalid-url Source0: ima-evm-utils-0.6.tar.gz
ima-evm-utils.x86_64: W: spelling-error %description -l en_US executables -> executable, executable s, executrices
ima-evm-utils.x86_64: W: no-manual-page-for-binary evmctl
ima-evm-utils.src: W: spelling-error %description -l en_US executables -> executable, executable s, executrices
ima-evm-utils.src: W: invalid-url Source0: ima-evm-utils-0.6.tar.gz
3 packages and 1 specfiles checked; 0 errors, 5 warnings.
I will sponsor Vivek, but as I started this package review originally, I will let someone else formally review it (though I'll review it as well).
I can do the review. I'm taking the bug.
Where does your source come from? I can only see 0.2... http://sourceforge.net/projects/linux-ima/files/ima-evm-utils/
Created attachment 791795
Package review document

Here are the only things I found in this review that need to be addressed.

The spec file claims this package is covered under LGPLv2. The COPYING file is for GPLv2, the single source file uses LGPLv2 in its header comment. - I'm not a lawyer, I don't know how to sort this one (generally we include the COPYING file in the docs directory). Spot can probably clarify.

I can't find the upstream source tarball for this. Can the full URL be added to the spec file?

Otherwise it looked good. The full report is attached.
(In reply to Christopher Meng from comment #4)
> Where does your source come from?
>
> I can only see 0.2...
>
> http://sourceforge.net/projects/linux-ima/files/ima-evm-utils/

The maintainer released 0.6 yesterday, but for some reason the URL of that tar file is not showing up at sourceforge. Even the maintainer is confused. When he logs in he can see the file there and it says the URL will show up shortly, and it has been close to 24 hours and the URL is not showing yet.

He sent me the tar file in mail personally and that's what I used for this source rpm. I will ping him again and see if he can do something to make the situation better.

BTW, the git tree for this source is here, and there one can see that version 0.6 has been released.
http://sourceforge.net/p/linux-ima/ima-evm-utils/ci/master/tree/
(In reply to Josh Bressers from comment #5)
>
> The spec file claims this package is covered under LGPLv2. The COPYING file
> is for GPLv2, the single source file uses LGPLv2 in its header comment. -
> I'm not a lawyer, I don't know how to sort this one (generally we include
> the COPYING file in the docs directory). Spot can probably clarify.

Thanks Josh. This is a good point. I have sent mail to upstream maintainer for clarification in this matter.
re licensing - please see https://fedoraproject.org/wiki/Licensing:FAQ?rd=Licensing/FAQ#How_do_I_figure_out_what_version_of_the_GPL.2FLGPL_my_package_is_under.3F and https://fedoraproject.org/wiki/Licensing
Ok, both licensing and source issues have been sorted out. I have uploaded a new set of spec and source rpm files. Please review.
http://people.redhat.com/vgoyal/ima-evm-utils/ima-evm-utils.spec
http://people.redhat.com/vgoyal/ima-evm-utils/ima-evm-utils-0.6-1.fc19.src.rpm
Following is the rpmlint report.
[makerpm@localhost SPECS]$ rpmlint ima-evm-utils.spec ../RPMS/*/ima-evm-utils*.rpm ../SRPMS/ima-evm-utils*.rpm
ima-evm-utils.x86_64: W: spelling-error %description -l en_US executables -> executable, executable s, executrices
ima-evm-utils.x86_64: W: no-manual-page-for-binary evmctl
ima-evm-utils.src: W: spelling-error %description -l en_US executables -> executable, executable s, executrices
3 packages and 1 specfiles checked; 0 errors, 3 warnings.
Now this package is GPLv2. Both COPYING and src/evmct.c have been modified to reflect this fact.
The maintainer has got the sourceforge link working. The original source of the tarball is the following. http://sourceforge.net/projects/linux-ima/files/ima-evm-utils/ima-evm-utils-0.6.tar.gz/
bresser mentioned that new spec file does not have COPYING file in %doc. Fixed that and uploaded new files.
Following is the rpmlint output with the new spec file and rpms.
[makerpm@localhost SPECS]$ rpmlint ima-evm-utils.spec ../RPMS/*/ima-evm-utils*.rpm ../SRPMS/ima-evm-utils*.rpm
ima-evm-utils.x86_64: W: spelling-error %description -l en_US executables -> executable, executable s, executrices
ima-evm-utils.x86_64: E: incorrect-fsf-address /usr/share/doc/ima-evm-utils-0.6/COPYING
ima-evm-utils.x86_64: W: no-manual-page-for-binary evmctl
ima-evm-utils.src: W: spelling-error %description -l en_US executables -> executable, executable s, executrices
3 packages and 1 specfiles checked; 1 errors, 3 warnings.
Notice fsf address is old one in COPYING file. I have informed upstream maintainer about it.
Created attachment 794444
Package review

The only possible issue here is an incorrect fsf address. This will be addressed upstream and isn't a reason to hold up the package.
scratch koji build of package. http://koji.fedoraproject.org/koji/taskinfo?taskID=5902553
New Package SCM Request
=======================
Package Name: ima-evm-utils
Short Description: IMA/EVM support utilities
Owners: vgoyal
Branches: f20
InitialCC:
fedora-review flag not set
Git done (by process-git-requests).
Please clear the FE-NEEDSPONSOR blocker when you sponsor someone (or intend to do so). This makes it easier to find packages that really do require sponsorship in the tracker bug. Thanks!
Please remember to close the bug.