Bug 1005552 - Review Request: galette - Online tool for nonprofit organizations to manage membership and fees
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: Jamie Nguyen
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-09-08 06:20 EDT by Johan Cwiklinski
Modified: 2015-08-02 04:13 EDT
Last Closed: 2015-08-02 04:13:38 EDT
jamielinux: fedora‑review?


Description Johan Cwiklinski 2013-09-08 06:20:14 EDT
Spec URL: http://odysseus.x-tnd.be/fedora/galette/galette.spec
SRPM URL: http://odysseus.x-tnd.be/fedora/galette/galette-0.7.5.1-1.fc19.src.rpm
Description:
Galette is an online tool to manage membership and fees dedicated to non
profit organizations. It mainly allows executive members to know which
fees will soon reach their due dates. Beside that, each member can have
its own credential to review (or change) its personal information.
On the technical side, all you need is a web server supporting
PHP and a database (MySQL or PostgreSQL)

Fedora Account System Username: trasher
Comment 1 Jamie Nguyen 2013-09-08 09:40:28 EDT
Issues:
=======

1) BUNDLED: galette/includes/html2text.php

This appears to be a fork of this EPL v1.0 licensed script:
http://code.google.com/p/iaml/source/browse/trunk/org.openiaml.model.runtime/src/include/html2text/html2text.php

If the original script can't be used, you'll need to open an FPC ticket and request a bundling exception.


2) BUNDLED: galette/includes/sql_parse.php

This GPLv2+ licensed file appears to be bundled from the (obsolete?) phpBB 2.x branch. You'll need to open an FPC ticket and request a bundling exception.


3) BUNDLED: galette/includes/ca/cacert.crt

This MPL v1.1 OR GPLv2+ OR LGPLv2+ licensed file is bundled from the Mozilla source tree. How is this being used by galette? Is it not possible to use the system ca-certificates instead?


4) BUNDLED: galette/includes/jquery/*

The MIT licensed jQuery is bundled. There are also numerous bundled jQuery plugins, several of which have no copyright or license header. (NB: There is a jQuery review request currently open: bz#857992 )


5) BUNDLED: galette/lang/make_lang_l12n.py

This GPL licensed software is bundled. This software probably needs to be packaged separately.


6) BUNDLED: galette/lang/xgettext.py

This GPL licensed software is bundled. This software probably needs to be packaged separately.


7) BUNDLED: galette/templates/default/jquery-ui/*

The MIT licensed jquery-ui-1.10.3.custom.css file is bundled, as well as several other png/gif files. Are these necessary for galette to function normally? Can they be removed?


8) https://fedoraproject.org/wiki/Packaging:Guidelines#Documentation

Documentation sub-package is recommended to be called %{name}-doc and should have "Group: Documentation" tag.


9) SELinux file contexts.

I couldn't find official guidelines, but the SELinux file contexts that galette requires should be put into the system SELinux policy, instead of running semanage/restorecon in the package scriptlets. Please open a bug report against selinux-policy with a complete list of the required file contexts. The maintainers will probably prefer that you open separate bugs for every required branch. You can then remove the selinux dependencies (which pull in a lot if the admin has removed selinux on their server, as unwise as that may be) and installation/removal of galette will be faster.


10) Restarting httpd

The package is restarting httpd in the post/postun scriptlets. I couldn't find guidelines about this, but I think these scriptlets should be removed. I'm not aware of any other web applications that restart httpd.


11) rpmlint

galette.noarch: W: spelling-error %description -l fr d'identifiants -> t'identifiant, s'identifiant, t'identifiât
galette.noarch: W: conffile-without-noreplace-flag /etc/galette/versions.inc.php
galette.noarch: E: non-executable-script /usr/share/galette/post_contribution_test.php 0644L /usr/bin/php
galette.noarch: W: dangerous-command-in-%preun rm
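
The bundling checks behind items 3 and 4 above, as an added shell example that is not part of the original comment or of the galette package: it scans an unpacked source tree for multi-certificate PEM bundles, jQuery copies, and JavaScript files with no copyright or license header. The function names, the jQuery file names and the certificate bodies in the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an unpacked source tree for bundled third-party files
# of the kinds flagged in this review. Not taken from the galette package.

# Print one finding per line as "<kind><TAB><path relative to root>".
# Paths containing newlines are not supported.
audit_bundled() (
    root=${1%/}
    [ -d "$root" ] || { echo "not a directory: $1" >&2; exit 2; }
    find "$root" -type f | LC_ALL=C sort | while IFS= read -r f; do
        rel=${f#"$root"/}
        case "${f##*/}" in
            *.crt|*.pem)
                # A CA bundle holds many certificates; a lone cert is not flagged.
                n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f" || true)
                if [ "$n" -gt 1 ]; then
                    printf 'ca-bundle\t%s\n' "$rel"
                fi ;;
            *.js)
                case "${f##*/}" in
                    jquery*) printf 'jquery\t%s\n' "$rel" ;;
                esac
                # Look for a copyright/license notice near the top of the file.
                if ! head -n 20 "$f" | grep -qiE 'copyright|licen[cs]e'; then
                    printf 'no-license-header\t%s\n' "$rel"
                fi ;;
        esac
    done
)

# Build a small constructed tree that mirrors the layout named in the review
# (includes/ca/cacert.crt, includes/jquery/*). All file contents are fake.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/includes/ca" "$d/includes/jquery"
    for i in 1 2; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
            '-----END CERTIFICATE-----'
    done > "$d/includes/ca/cacert.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'U0lOR0xF' \
        '-----END CERTIFICATE-----' > "$d/includes/server.pem"
    printf '%s\n' '/*! jQuery v1.10.2 | (c) jQuery Foundation | MIT license */' \
        'void 0;' > "$d/includes/jquery/jquery-1.10.2.min.js"
    printf '%s\n' '(function($){$.fn.demo=function(){return this;};})(jQuery);' \
        > "$d/includes/jquery/jquery.demo-plugin.js"
    printf '%s\n' "$d"
}

# Audit the directory given as $1, or the constructed sample tree otherwise.
if [ "$#" -gt 0 ]; then
    audit_bundled "$1"
else
    sample=$(make_sample_tree) && audit_bundled "$sample"
    rm -rf "$sample"
fi
```

Each `ca-bundle` or `jquery` finding is a copy that will not receive the distribution's security updates, which is why the review asks for the system package or an FPC exception.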
Comment 2 Jamie Nguyen 2013-09-08 09:59:49 EDT
12) %changelog

Why is '.trashy' appended to the release tag on every changelog entry?
Comment 3 Johan Cwiklinski 2013-09-08 11:29:29 EDT
(In reply to Jamie Nguyen from comment #1)
> Issues:
> =======
> 
> 1) BUNDLED: galette/includes/html2text.php
> 
> This appears to be a fork of this EPL v1.0 licensed script:
> http://code.google.com/p/iaml/source/browse/trunk/org.openiaml.model.runtime/
> src/include/html2text/html2text.php
> 
> If the original script can't be used, you'll need to open an FPC ticket and
> request a bundling exception.

The original script has been modified to suit Galette's needs (don't know where it came from), I'll have to check if it's possible to use the original one, but I do not think so.
There is maybe another lib/script that would do the job without any changes.

> 2) BUNDLED: galette/includes/sql_parse.php
> 
> This GPLv2+ licensed file appears to be bundled from the (obsolete?) phpBB
> 2.x branch. You'll need to open an FPC ticket and request a bundling
> exception.

This script is not "obsolete" with regard to Galette (no need to follow upstream original changes since there is no bug).
I do not want to make Galette package dependent on PHPBB just for a script that has been copied years ago.
The better solution would be to find a lib that would do the same, I do not know if something like that actually exists.

> 3) BUNDLED: galette/includes/ca/cacert.crt
> 
> This MPL v1.1 OR GPLv2+ OR LGPLv2+ licensed file is bundled from the Mozilla
> source tree. How is this being used by galette? Is it not possible to use
> the system ca-certificates instead?

That one is used only for Windows installations. I'm pretty sure it's no longer required anyways, and it should be removed from upstream sources.

> 4) BUNDLED: galette/includes/jquery/*
> 
> The MIT licensed jQuery is bundled. There are also numerous bundled jQuery
> plugins, several of which have no copyright or license header. (NB: There is
> a jQuery review request currently open: bz#857992 )

The review you've pointed out seems stalled and Galette requires 1.10+ versions of JQuery and JQuery-UI to work.
As far as I remember, unbundling JQuery is not a recent issue and many packages actually bundle it.
Scripts are actually minified, and should not be (there already is a ticket opened upstream from Debian maintainer for that).

> 5) BUNDLED: galette/lang/make_lang_l12n.py
> 
> This GPL licensed software is bundled. This software probably needs to be
> packaged separately.

That one is part of Galette (see http://www.mail-archive.com/galette-devel@gna.org/msg00296.html); it just has been omitted when main galette licence and headers have been changed.

> 6) BUNDLED: galette/lang/xgettext.py
> 
> This GPL licensed software is bundled. This software probably needs to be
> packaged separately.

Since the author is not a Galette contributor, it may be a 3rd party script; but I cannot find any upstream.

> 7) BUNDLED: galette/templates/default/jquery-ui/*
> 
> The MIT licensed jquery-ui-1.10.3.custom.css file is bundled, as well as
> several other png/gif files. Are these necessary for galette to function
> normally? Can they be removed?

Those files are the Galette theme for JQuery UI, derived from official UI theme. They are required for Galette to display correctly, they can't be removed.
Also, I'm not sure they should be considered as bundled; they're part of Galette.

> 8) https://fedoraproject.org/wiki/Packaging:Guidelines#Documentation
> 
> Documentation sub-package is recommended to be called %{name}-doc and should
> have "Group: Documentation" tag.

OK.

> 9) SELinux file contexts.
> 
> I couldn't find official guidelines, but the SELinux file contexts that
> galette requires should be put into the system SELinux policy, instead of
> running semanage/restorecon in the package scriptlets. Please open a bug
> report against selinux-policy with a complete list of the required file
> contexts. The maintainers will probably prefer that you open separate bugs
> for every required branch. You can then remove the selinux dependencies
> (which pull in a lot if the admin has removed selinux on their server, as
> unwise as that may be) and installation/removal of galette will be faster.

Point is there are no guidelines :/ I'm ok to open requests, but only once I'll be sure all paths are OK.
I also can remove completely selinux related stuff.

> 10) Restarting httpd
> 
> The package is restarting httpd in the post/postun scriptlets. I couldn't
> find guidelines about this, but I think these scriptlets should be removed.
> I'm not aware of any other web applications that restart httpd.

That should be removed.

> 11) rpmlint
> 
> galette.noarch: W: spelling-error %description -l fr d'identifiants ->
> t'identifiant, s'identifiant, t'identifiât

Not an issue.

> galette.noarch: W: conffile-without-noreplace-flag
> /etc/galette/versions.inc.php

This one is not a user config file, and must be updated with the package, but has been placed upstream as part of the config.

> galette.noarch: E: non-executable-script
> /usr/share/galette/post_contribution_test.php 0644L /usr/bin/php

Should probably be set as executable, I'll fix this.

> galette.noarch: W: dangerous-command-in-%preun rm

This one is to remove template cache after update to avoid issues.

> 12)

The package was built on a personal repository, I forgot to remove those ones, will fix in next version.

Thank you.
Comment 4 Johan Cwiklinski 2013-09-08 11:53:22 EDT
> > 6) BUNDLED: galette/lang/xgettext.py
> > 
> > This GPL licensed software is bundled. This software probably needs to be
> > packaged separately.
> 
> Since the author is not a Galette contributor, it may be a 3rd party script;
> but I cannot find any upstream.

That one is also part of Galette, see https://mail.gna.org/public/galette-devel/2005-12/msg00014.html
Comment 5 Johan Cwiklinski 2013-09-08 13:09:12 EDT
Points 3, 5 and 6 have been reported upstream and will be fixed on the next minor release (probably this week or next week - see http://redmine.ulysses.fr/issues/704 and http://redmine.ulysses.fr/issues/705).

I've fixed 8, 10 and 12, and also relevant part of 11.

Here the new version:
Spec URL: http://odysseus.x-tnd.be/fedora/galette/galette.spec
SRPM URL: http://odysseus.x-tnd.be/fedora/galette/galette-0.7.5.1-2.fc19.src.rpm
Comment 6 Jamie Nguyen 2013-09-08 15:33:20 EDT
(In reply to Johan Cwiklinski from comment #3)
> (In reply to Jamie Nguyen from comment #1)
> > 1) BUNDLED: galette/includes/html2text.php
> > 
> > This appears to be a fork of this EPL v1.0 licensed script:
> > http://code.google.com/p/iaml/source/browse/trunk/org.openiaml.model.runtime/
> > src/include/html2text/html2text.php
> > 
> > If the original script can't be used, you'll need to open an FPC ticket and
> > request a bundling exception.
> 
> The original script has been modified to suit Galette's needs (don't know
> where it came from), I'll have to check if it's possible to use the original
> one, but I do not think so.
> There is maybe another lib/script that would do the job without any changes.

If there are important changes for Galette's needs and Galette wouldn't function properly with the unchanged original, then you can open a bundling exception ticket. I've done this for many Node.js packages.


> > 2) BUNDLED: galette/includes/sql_parse.php
> > 
> > This GPLv2+ licensed file appears to be bundled from the (obsolete?) phpBB
> > 2.x branch. You'll need to open an FPC ticket and request a bundling
> > exception.
> 
> This script is not "obsolete" with regard to Galette (no need to follow
> upstream original changes since there is no bug).
> I do not want to make Galette package dependent on PHPBB just for a script
> that has been copied years ago.
> The better solution would be to find a lib that would do the same, I do not
> know if something like that actually exists.

When saying "obsolete", I was referring to phpBB 2.x branch (though I'm not familiar with phpBB). I certainly don't suggest that Galette should be dependent on phpBB! But I think it should be straightforward to request an FPC bundling exception in this case. It really would be silly to require an obsolete version of phpBB.


> > 3) BUNDLED: galette/includes/ca/cacert.crt
> > 
> > This MPL v1.1 OR GPLv2+ OR LGPLv2+ licensed file is bundled from the Mozilla
> > source tree. How is this being used by galette? Is it not possible to use
> > the system ca-certificates instead?
> 
> That one is used only for Windows installations. I'm pretty sure it's no
> longer required anyways, and it should be removed from upstream sources.

Cool!


> > 4) BUNDLED: galette/includes/jquery/*
> > 
> > The MIT licensed jQuery is bundled. There are also numerous bundled jQuery
> > plugins, several of which have no copyright or license header. (NB: There is
> > a jQuery review request currently open: bz#857992 )
> 
> The review you've pointed out seems stalled and Galette requires 1.10+
> versions of JQuery and JQuery-UI to work.
> As far as I remember, unbundling JQuery is not a recent issue and many
> packages actually bundle it.
> Scripts are actually minified, and should not be (there already is a ticket
> opened upstream from Debian maintainer for that).

Ok. I'm not actually sure of the current jQuery situation. I'll look on packaging ML for more information about this.


> > 5) BUNDLED: galette/lang/make_lang_l12n.py
> > 
> > This GPL licensed software is bundled. This software probably needs to be
> > packaged separately.
> 
> That one is part of Galette (see
> http://www.mail-archive.com/galette-devel@gna.org/msg00296.html); it just
> has been omitted when main galette licence and headers have been changed.

Ok, fine.


> > 6) BUNDLED: galette/lang/xgettext.py
> > 
> > This GPL licensed software is bundled. This software probably needs to be
> > packaged separately.
> 
> Since the author is not a Galette contributor, it may be a 3rd party script;
> but I cannot find any upstream.

Is there any way to find out if it is in fact 3rd party script for sure? If the origin is definitely unknown, I think you would need to ask for additional advice on packaging ML about this, or open an FPC ticket. I'm not sure what best course of action is in this situation.


> > 7) BUNDLED: galette/templates/default/jquery-ui/*
> > 
> > The MIT licensed jquery-ui-1.10.3.custom.css file is bundled, as well as
> > several other png/gif files. Are these necessary for galette to function
> > normally? Can they be removed?
> 
> Those files are the Galette theme for JQuery UI, derived from official UI
> theme. They are required for Galette to display correctly, they can't be
> removed.
> Also, I'm not sure they should be considered as bundled; they're part of
> Galette.

Oh, that was my mistake then. This is probably fine.


> > 9) SELinux file contexts.
> > 
> > I couldn't find official guidelines, but the SELinux file contexts that
> > galette requires should be put into the system SELinux policy, instead of
> > running semanage/restorecon in the package scriptlets. Please open a bug
> > report against selinux-policy with a complete list of the required file
> > contexts. The maintainers will probably prefer that you open separate bugs
> > for every required branch. You can then remove the selinux dependencies
> > (which pull in a lot if the admin has removed selinux on their server, as
> > unwise as that may be) and installation/removal of galette will be faster.
> 
> Point is there are no guidelines :/ I'm ok to open requests, but only
> once I'll be sure all paths are OK.
> I also can remove completely selinux related stuff.

Cool.


> > 10) Restarting httpd
> > 
> > The package is restarting httpd in the post/postun scriptlets. I couldn't
> > find guidelines about this, but I think these scriptlets should be removed.
> > I'm not aware of any other web applications that restart httpd.
> 
> That should be removed.

Great.


> > 11) rpmlint
> > 
> > galette.noarch: W: spelling-error %description -l fr d'identifiants ->
> > t'identifiant, s'identifiant, t'identifiât
> 
> Not an issue.

Fine. My French is rather poor so I wasn't sure whether this was a real issue.

> > galette.noarch: W: conffile-without-noreplace-flag
> > /etc/galette/versions.inc.php
> 
> This one is not a user config file, and must be updated with the package,
> but has been placed upstream as part of the config.

Ok.


> > galette.noarch: E: non-executable-script
> > /usr/share/galette/post_contribution_test.php 0644L /usr/bin/php
> 
> Should probably be set as executable, I'll fix this.

Thanks.


> > galette.noarch: W: dangerous-command-in-%preun rm
> 
> This one is to remove template cache after update to avoid issues.

I think it would be useful if you could put that info as a comment.


> > 12)
> 
> The package was built on a personal repository, I forgot to remove those
> ones, will fix in next version.

Thanks!


> Thank you.

No problem.
Comment 7 Jamie Nguyen 2013-09-08 15:37:46 EDT
(In reply to Johan Cwiklinski from comment #4)
> > > 6) BUNDLED: galette/lang/xgettext.py
> > > 
> > > This GPL licensed software is bundled. This software probably needs to be
> > > packaged separately.
> > 
> > Since the author is not a Galette contributor, it may be a 3rd party script;
> > but I cannot find any upstream.
> 
> That one is also part of Galette, see
> https://mail.gna.org/public/galette-devel/2005-12/msg00014.html

Oh cool. In that case, ignore my note about this in comment #6 :)
Comment 8 Jamie Nguyen 2013-09-08 15:49:01 EDT
Ok, to keep track:

Issues 1 and 2 will require either:
  a) upstream to use a different library or
  b) FPC bundling exception to be opened

Issues 3, 5 and 6 will be fixed upstream soon.

Issue 4 is maybe an issue. A quick search of ML and FPC trac didn't turn up much, so I'd be happier if you opened an FPC ticket about this. Are you sure there are already packages bundling jQuery? I thought there weren't.

Issue 7 is not an issue.

Issues 8, 10, 11, 12 all fixed.

And finally, I assume you are working on issue 9. Once you have opened bug reports, could you please make this bug depend on those bugs so we can keep track.
Comment 9 Johan Cwiklinski 2013-09-09 00:55:48 EDT
(In reply to Jamie Nguyen from comment #8)
> Issue 4 is maybe an issue. A quick search of ML and FPC trac didn't turn up
> much, so I'd be happier if you opened an FPC ticket about this. Are you sure
> there are already packages bundling jQuery? I thought there weren't.

Oh... There are many packages shipping jquery and/or jquery-ui (trac, phpMyAdmin, owncloud, gallery3, dokuwiki, ...). Take a look at the output of:
$ yum whatprovides \*jquery-\*.js

As for issue 2, should this script really have to be considered as a bundled lib? That script indeed came from another project, but that is not a lib at all; it became kind of part of Galette long ago.

I'm trying to find an alternative for issue 1, that does not require too many dependencies (from both Galette and package point of view) to keep things simple.
Comment 10 Remi Collet 2013-09-09 01:53:48 EDT
The new Guidelines about web-asset is a very recently approved one (which explains why so many js libraries are still bundled).

AFAIK, for now the web-asset package is unusable (no -http sub-package).

https://fedorahosted.org/fpc/ticket/323

As the new Guidelines are not announced yet, and work is still in progress, I think it's fine to allow temporary bundling of jquery stuff, as soon as trashy agrees to work to unbundle it as soon as possible (and probably work on jquery review to help things to go faster).
Comment 11 Johan Cwiklinski 2013-09-10 14:03:42 EDT
Thanks for the details, Remi :)

Of course, I'll unbundle jquery when it will be possible.

I can maybe help a little on jquery review, but not actually on dependent bugs (I do not know nodejs and its friends at all).
Comment 12 Jamie Nguyen 2013-09-11 02:40:47 EDT
(In reply to Johan Cwiklinski from comment #9)
> As for issue 2, should this script really have to be considered as a bundled
> lib? That script indeed came from another project, but that is not a lib at
> all; it became kind of part of Galette long ago.

It's code taken from another project, so I'd certainly lean towards getting an exception from FPC. I don't see any reason why an exception wouldn't be granted in this case.

Have there been any changes made to the script that differ from the original?

Examples of bundling exceptions that I have opened for Node.js packages. The second is really trivial (only 5-lines of code borrowed), but I felt it important to open a ticket nonetheless as that's what the FPC is there for:
https://fedorahosted.org/fpc/ticket/264
https://fedorahosted.org/fpc/ticket/313


(In reply to Remi Collet from comment #10)
> The new Guidelines about web-asset is a very recently approved one (which
> explains why so many js libraries are still bundled).
> 
> As the new Guidelines are not announced yet, and work is still in progress, I
> think it's fine to allow temporary bundling of jquery stuff, as soon as
> trashy agrees to work to unbundle it as soon as possible (and probably work
> on jquery review to help things to go faster).

Thanks for the input, Remi! :)
Comment 13 Jamie Nguyen 2013-09-11 02:44:11 EDT
(In reply to Johan Cwiklinski from comment #11)
> Of course, I'll unbundle jquery when it will be possible.

Great. Could you please open an FPC ticket anyway to ask for a bundling exception?
Comment 14 Johan Cwiklinski 2013-09-12 01:23:53 EDT
Ok, I'll open bundling exception tickets.

Upstream has just released a new version that fixes the two license issues, and removes the cacert file; I'll update the spec and srpm as soon as I can.
Comment 15 Johan Cwiklinski 2015-08-02 04:13:38 EDT
Finally, I'm not going to package this soft.
