Spec URL: http://smani.fedorapeople.org/review/mingw-freeimage.spec SRPM URL: http://smani.fedorapeople.org/review/mingw-freeimage-3.15.4-1.fc21.src.rpm Description: MinGW Windows freeimage library Fedora Account System Username: smani
Note: this package contains two bundled libraries, libtiff and libjpeg: * LibJPEG is needed for JPEGTransform.cpp which needs the private transupp.h. Theoretically, one could just keep the transupp.h and transupp.c files from the bundled libjpeg, and compile these against the packaged libjpeg-turbo. However, the packaged libjpeg-turbo has JPEG_LIB_VERSION = 62, while transupp.c needs JPEG_LIB_VERSION >= 70. (All other files in the package are compiled against the packaged libjpeg-turbo) * libTIFF4 is needed because all sorts of private headers are used, and there really seems to way to work around this.
Quick peek at libtiff package uncovers following CVEs: CVE-2012-4447 CVE-2012-4564 CVE-2013-1960 CVE-2013-1961 CVE-2013-4231 CVE-2013-4232 CVE-2013-4244 and anothers are upcoming. Even with exception from FPC, it would be quite hard to maintain this... But, in the original patch of native freeimage, bundling of libjpeg and libtiff is solved (or rather worked around): JPEG transformation functions are simply disabled, libtiff needs some patch and disabling G3 (fax). I've looked at your patch and combined it with the current freeimage patch and updated, and here are the results: http://scientific.zcu.cz/git/?p=FreeImage.git;a=summary Or one tarball with the patches: http://scientific.zcu.cz/fedora/freeimage-3.5.14/patches.tar.gz - it looks like libmng dependency is not needed anymore - convert newlines before patching is very good idea :-) - separated patches could be good for future maintenance, but that's up to packagers and co-maintainers of course - main problem now is testing (it could help to push the patches to native freeimage package...) Frantisek
Thanks a lot for your effort into this. I agree with you that having bundled libraries is very maintainer-unfriendly, and I guess disabling the features to get around the bundling requirement is a very valid approach. I'll update the package tomorrow and post back.
I don't understand; why can't you use the patches in the native freeimage-3.10.0 which avoid bundled libraries without disabling features?
Because they added new stuff in 3.15.4 which makes it impossible to do so unfortunately.
So, until that can be fixed, would it not be better to use a fully-featured 3.10.0 than a crippled 3.15.4?
Both the JPEGTransform functions as well as the G3 plugin are disabled in the native 3.10.0 as well, so there is no difference from that point of view.
Ok here we are! Spec URL: http://smani.fedorapeople.org/review/mingw-freeimage.spec SRPM URL: http://smani.fedorapeople.org/review/mingw-freeimage-3.15.4-2.fc21.src.rpm
I helped with a patch, but let's say I'm not disqualified from doing a review. :-) Found issues: - Source/ZLib needs to be also deleted. Generator scripts add all directories with header files to includes paths, so there would be accidentaly used local bundled headers, which could be incompatible with zlib library binary. - rpmlint (mingw-freeimage.src): strange-permission FreeImage3154.zip 0600L Usually, a file should have 0644 permissions. - rpmlint: file-not-utf8 /usr/share/doc/mingw32-freeimage/license-gplv3.txt, /usr/share/doc/mingw32-freeimage/Whatsnew.txt It is only about quotation marks there. I think the files are in cp1252 encoding (Western European for Windows), but cp1250 would work too.
Thanks! Updated SRPM also contains FreeImage3154.zip with correct permissions (I have no idea actually why it was 0600L). Spec URL: http://smani.fedorapeople.org/review/mingw-freeimage.spec SRPM URL: http://smani.fedorapeople.org/review/mingw-freeimage-3.15.4-3.fc21.src.rpm * Sun Jan 26 2014 Sandro Mani <manisandro> - 3.15.4-3 - Delete Source/ZLib folder - Convert Whatsnew.txt, license-gplv3.txt to UTF-8
I think you forgot "rm -rf Source/ZLib". Also the encoding is WINDOWS-1252 (or CP-1252). The file Whatsnew.txt is recoded properly, but license-gplv3.txt ends with unprintable characters (although everything is correct UTF-8).
Sorry about that, late night work... Should all be fixed now: Spec URL: http://smani.fedorapeople.org/review/mingw-freeimage.spec SRPM URL: http://smani.fedorapeople.org/review/mingw-freeimage-3.15.4-3.fc21.src.rpm
Yes, everything looks good now. (I would guess both files have the same encoding, but "Whatsnew.txt" is well covered by all Western European 8-bit encodings. :-)) rpmlint grumbles about FSF address. Upstream can be notified. Package APPROVED! Full review output: ============== Legend: [x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated ===== MUST items ===== Generic: [x]: Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines. [x]: License field in the package spec file matches the actual license. Note: Checking patched sources after %prep for licenses. Licenses found: "Unknown or generated". 261 files have unknown license. [x]: License file installed when any subpackage combination is installed. [x]: If the package is under multiple licenses, the licensing breakdown must be documented in the spec. [x]: Package must own all directories that it creates. [x]: Package contains no bundled libraries without FPC exception. [x]: Changelog in prescribed format. [x]: Sources contain only permissible code or content. [-]: Package contains desktop file if it is a GUI application. [-]: Development files must be in a -devel package [x]: Package uses nothing in %doc for runtime. [x]: Package consistently uses macros (instead of hard-coded directory names). [x]: Package is named according to the Package Naming Guidelines. [x]: Package does not generate any conflict. [x]: Package obeys FHS, except libexecdir and /usr/target. [-]: If the package is a rename of another package, proper Obsoletes and Provides are present. [x]: Requires correct, justified where necessary. [x]: Spec file is legible and written in American English. [-]: Package contains systemd file(s) if in need. [x]: Package is not known to require an ExcludeArch tag. [x]: Large documentation must go in a -doc subpackage. Large could be size (~1MB) or number of files. Note: Documentation size is 307200 bytes in 8 files. [x]: Package complies to the Packaging Guidelines [x]: Package successfully compiles and builds into binary rpms on at least one supported primary architecture. [x]: Package installs properly. [x]: Rpmlint is run on all rpms the build produces. Note: There are rpmlint messages (see attachment). [x]: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %doc. [x]: Package requires other packages for directories it uses. [x]: Package does not own files or directories owned by other packages. [x]: All build dependencies are listed in BuildRequires, except for any that are listed in the exceptions section of Packaging Guidelines. [x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT [x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install. [x]: Macros in Summary, %description expandable at SRPM build time. [x]: Package does not contain duplicates in %files. [x]: Permissions on files are set properly. [x]: Package use %makeinstall only when make install' ' DESTDIR=... doesn't work. [x]: Package is named using only allowed ASCII characters. [x]: Package do not use a name that already exist [x]: Package is not relocatable. [x]: Sources used to build the package match the upstream source, as provided in the spec URL. [x]: Spec file name must match the spec package %{name}, in the format %{name}.spec. [x]: File names are valid UTF-8. [x]: Packages must not store files under /srv, /opt or /usr/local ===== SHOULD items ===== Generic: [x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file [x]: Uses parallel make %{?_smp_mflags} macro. [-]: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it. [x]: Final provides and requires are sane (see attachments). [x]: Fully versioned dependency in subpackages if applicable. [?]: Package functions as described. [x]: Latest version is packaged. [x]: Package does not include license text files separate from upstream. [x]: Patches link to upstream bugs/comments/lists or are otherwise justified. [-]: Description and summary sections in the package spec file contains translations for supported Non-English languages, if available. [x]: Package should compile and build into binary rpms on all supported architectures. [-]: %check is present and all tests pass. [x]: Packages should try to preserve timestamps of original installed files. [x]: Sources can be downloaded from URI in Source: tag [x]: Reviewer should test that the package builds in mock. [x]: Buildroot is not present [x]: Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT) [x]: Dist tag is present (not strictly required in GL). [x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin. [x]: SourceX is a working URL. [x]: Spec use %global instead of %define unless justified. ===== EXTRA items ===== Generic: [x]: Rpmlint is run on all installed packages. Note: There are rpmlint messages (see attachment). [x]: Spec file according to URL is the same as in SRPM. Rpmlint ------- Checking: mingw32-freeimage-3.15.4-3.fc21.noarch.rpm mingw32-freeimage-static-3.15.4-3.fc21.noarch.rpm mingw64-freeimage-3.15.4-3.fc21.noarch.rpm mingw64-freeimage-static-3.15.4-3.fc21.noarch.rpm mingw-freeimage-3.15.4-3.fc21.src.rpm mingw32-freeimage.noarch: E: incorrect-fsf-address /usr/share/doc/mingw32-freeimage/license-gplv2.txt mingw32-freeimage-static.noarch: W: no-documentation mingw64-freeimage.noarch: E: incorrect-fsf-address /usr/share/doc/mingw64-freeimage/license-gplv2.txt mingw64-freeimage-static.noarch: W: no-documentation 5 packages and 0 specfiles checked; 2 errors, 2 warnings. Rpmlint (installed packages) ---------------------------- # rpmlint mingw64-freeimage-static mingw32-freeimage-static mingw32-freeimage mingw64-freeimage mingw64-freeimage-static.noarch: W: no-documentation mingw32-freeimage-static.noarch: W: no-documentation mingw32-freeimage.noarch: E: incorrect-fsf-address /usr/share/doc/mingw32-freeimage/license-gplv2.txt mingw64-freeimage.noarch: E: incorrect-fsf-address /usr/share/doc/mingw64-freeimage/license-gplv2.txt 4 packages and 0 specfiles checked; 2 errors, 2 warnings. # echo 'rpmlint-done:' Requires -------- mingw64-freeimage-static (rpmlib, GLIBC filtered): mingw64-freeimage mingw32-freeimage-static (rpmlib, GLIBC filtered): mingw32-freeimage mingw32-freeimage (rpmlib, GLIBC filtered): mingw32(freeimage-3.dll) mingw32(gdi32.dll) mingw32(kernel32.dll) mingw32(libgcc_s_sjlj-1.dll) mingw32(libhalf-11.dll) mingw32(libiex-2_1-11.dll) mingw32(libilmimf-imf_2_1-21.dll) mingw32(libjpeg-62.dll) mingw32(libopenjpeg-1.dll) mingw32(libpng16-16.dll) mingw32(libraw-10.dll) mingw32(libstdc++-6.dll) mingw32(libtiff-5.dll) mingw32(msvcrt.dll) mingw32(user32.dll) mingw32(zlib1.dll) mingw32-crt mingw32-filesystem mingw64-freeimage (rpmlib, GLIBC filtered): mingw64(freeimage-3.dll) mingw64(gdi32.dll) mingw64(kernel32.dll) mingw64(libgcc_s_seh-1.dll) mingw64(libhalf-11.dll) mingw64(libiex-2_1-11.dll) mingw64(libilmimf-imf_2_1-21.dll) mingw64(libjpeg-62.dll) mingw64(libopenjpeg-1.dll) mingw64(libpng16-16.dll) mingw64(libraw-10.dll) mingw64(libstdc++-6.dll) mingw64(libtiff-5.dll) mingw64(msvcrt.dll) mingw64(user32.dll) mingw64(zlib1.dll) mingw64-crt mingw64-filesystem Provides -------- mingw64-freeimage-static: mingw64-freeimage-static mingw32-freeimage-static: mingw32-freeimage-static mingw32-freeimage: mingw32(freeimage-3.dll) mingw32(freeimageplus-3.dll) mingw32-freeimage mingw64-freeimage: mingw64(freeimage-3.dll) mingw64(freeimageplus-3.dll) mingw64-freeimage Source checksums ---------------- http://downloads.sourceforge.net/freeimage/FreeImage3154.zip : CHECKSUM(SHA256) this package : eb6361519d33131690a0e726b085a05825e5adf9fb72c752d8d39100e48dc829 CHECKSUM(SHA256) upstream package : eb6361519d33131690a0e726b085a05825e5adf9fb72c752d8d39100e48dc829 Generated by fedora-review 0.5.1 (bb9bf27) last change: 2013-12-13 Command line :/usr/bin/fedora-review -b 1049546 -m fedora-rawhide-x86_64 Buildroot used: fedora-rawhide-x86_64 Active plugins: Generic, Shell-api Disabled plugins: Java, C/C++, Python, fonts, SugarActivity, Ocaml, Perl, Haskell, R, PHP, Ruby Disabled flags: EXARCH, EPEL5, BATCH, DISTTAG
Thanks a lot! New Package SCM Request ======================= Package Name: mingw-freeimage Short Description: MinGW Windows freeimage library Owners: smani Branches: f19 f20 InitialCC:
Git done (by process-git-requests).
mingw-freeimage-3.15.4-3.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/mingw-freeimage-3.15.4-3.fc20
mingw-freeimage-3.15.4-3.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/mingw-freeimage-3.15.4-3.fc19
mingw-freeimage-3.15.4-3.fc20 has been pushed to the Fedora 20 testing repository.
mingw-freeimage-3.15.4-3.fc19 has been pushed to the Fedora 19 stable repository.
mingw-freeimage-3.15.4-3.fc20 has been pushed to the Fedora 20 stable repository.