Spec URL: http://domsch.com/fedora/libspf2/libspf2.spec SRPM URL: http://domsch.com/fedora/libspf2libspf2-1.2.10-1.git0e23f41e.fc20.src.rpm Description: libspf2 implements the Sender Policy Framework, a part of the SPF/SRS protocol pair. libspf2 is a library which allows email systems such as Sendmail, Postfix, Exim, Zmailer and MS Exchange to check SPF records and make sure that the email is authorized by the domain name that it is coming from. This prevents email forgery, commonly used by spammers, scammers and email viruses/worms. Fedora Account System Username: mdomsch
All credit to Paul Howarth for this spec. I did update the code to latest git upstream, and patch for newer autotools in F20. The BR: automake-1.13 is spurious; the code is patched already, but running scratch-builds, it is still invoking automake-1.13 implicitly. Ugh. Will try to fix that before actual upload, somehow.
Are these option needed? --enable-perl --with-bind
Are you going to continue?
I haven't given it any thought since January, honestly. --enable-perl is avoidable, it just makes a test suite which we aren't otherwise using. re --with-bind: The libspf-alt configure script now has a --with-bind=DIR option to let people use a different version of the bind than the default installed with the system. This functionality was added by Emmanuel Dreyfus <manu <at> netbsd.org> I see no reason to do that, we use system libraries whenever possible.
There is a typo in the srpm url mention in comment #1. Should be http://domsch.com/fedora/libspf2/libspf2-1.2.10-1.git0e23f41e.fc20.src.rpm
with the new opendmarc package, we no longer need a standalone libspf2.
I am withdrawing this packaging request, as opendmarc now implements SPF testing internally, and without requiring libspf2. https://bugzilla.redhat.com/show_bug.cgi?id=1057876 is the opendmarc package review.
https://bugzilla.redhat.com/show_bug.cgi?id=905304 is the opendmarc package review, not 1057876.
I'm not a Fedora/Red Hat user, but I am the Debian opendmarc maintainer as well as someone who's been involved in SPF development for a long time (for instance the editor for RFC 7208). I was asked to post to this bug to suggest reopening this as a better solution than using the internal opendmarc SPF code. The internal opendmarc SPF code is not a full SPF implementation. I have reviewed it and have not been able to (as an example) find where it implements the DNS lookup limits specified in RFC 4408 section 10.1/RFC 7208 4.6.4. While it's possible I missed something (I didn't have a huge amount of time for a thorough analysis), I don't think the opendmarc SPF code is suitable for production use and have linked opendmarc in Debian against libspf2. I would recommend Red Hat/Fedora do the same. In Debian, there are additional packages that use libspf2, so providing a libspf2 package would also make those packagable too.
Thanks, Scott (I'm the one who asked Scott to come chime in here as the Debian maintainer and as someone who's involved with SPF for a while). Matt: Any chance you'd consider un-withdrawing this packaging request and forging ahead with a RedHat libspf2 package? I'd love to be able to build Fedora/EPEL opendmarc against libspf2. Thanks!
By popular request, reopening. https://domsch.com/linux/fedora/libspf2/ has current libspf2 master branch packaged up, building for Fedora 21. It needed only autotools redoing to match f21 packages.
Booyah! Thanks, Matt! * Comment: Not sure how much additional review is needed, but in the spirit of keeping this moving right along and doing everything I can to change that review flag to +, I'll bite. :) MUST: rpmlint output (SRPM and spec): PASS libspf2.src: W: spelling-error %description -l en_US scammers -> stammers, slammers, scampers libspf2.src:45: W: macro-in-comment %{version} libspf2.src:253: W: macro-in-comment %doc libspf2.src:49: W: mixed-use-of-spaces-and-tabs (spaces: line 49, tab: line 26) libspf2.src: W: invalid-url Source0: libspf2-1.2.10-d57d79fd.tar.xz 1 packages and 0 specfiles checked; 0 errors, 5 warnings. All are bogus, except for the spaces & tabs which isn't a deal killer (but is an easy fix). MUST: rpmlint output (RPMs): PASS libspf2.i686: W: spelling-error %description -l en_US scammers -> stammers, slammers, scampers libspf2.i686: W: incoherent-version-in-changelog 1.2.10-2 ['1.2.10-2.gitd57d79fd.fc21', '1.2.10-2.gitd57d79fd'] libspf2.i686: W: install-file-in-docs /usr/share/doc/libspf2/INSTALL libspf2-debuginfo.i686: E: incorrect-fsf-address /usr/src/debug/libspf2-1.2.10-d57d79fd/src/libreplace/getopt.h libspf2-devel.i686: W: spelling-error %description -l en_US apidocs -> rapids libspf2-devel.i686: W: no-documentation libspf2-progs.i686: W: no-documentation libspf2-progs.i686: W: no-manual-page-for-binary spf_example libspf2-progs.i686: W: no-manual-page-for-binary spfquery.libspf2 libspf2-progs.i686: W: no-manual-page-for-binary spftest libspf2-progs.i686: W: no-manual-page-for-binary spfd.libspf2 4 packages and 0 specfiles checked; 1 errors, 10 warnings. I'm assuming upstream has been notified about the incorrect-fsf-address error (which is the only requirement when this error occurs, so not a show stopper). MUST: The package must be named according to the Package Naming Guidelines: PASS MUST: The package must be licensed with a Fedora approved license and meet the Licensing Guidelines: PASS (BSD / LGPLv2+) MUST: The License field in the package spec file must match the actual license: PASS (Also says BSD / LGPLv2+ on the upstream website) MUST: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package must be included in %doc: PASS MUST: The spec file must be written in American English: PASS MUST: The spec file for the package MUST be legible: PASS MUST: The sources used to build the package must match the upstream source, as provided in the spec URL. Reviewers should use sha256sum for this task as it is used by the sources file once imported into git. If no upstream URL can be specified for this package, please see the Source URL Guidelines for how to deal with this: PASS MUST: The package MUST successfully compile and build into binary rpms on at least one primary architecture: PASS EL5: http://koji.fedoraproject.org/koji/taskinfo?taskID=9416830 EL6: http://koji.fedoraproject.org/koji/taskinfo?taskID=9416836 EL7: http://koji.fedoraproject.org/koji/taskinfo?taskID=9416840 F20: http://koji.fedoraproject.org/koji/taskinfo?taskID=9416843 F21: http://koji.fedoraproject.org/koji/taskinfo?taskID=9416939 MUST: If the package does not successfully compile, build or work on an architecture, then those architectures should be listed in the spec in ExcludeArch. Each architecture listed in ExcludeArch MUST have a bug filed in bugzilla, describing the reason that the package does not compile/build/work on that architecture. The bug number MUST be placed in a comment, next to the corresponding ExcludeArch line: N/A MUST: All build dependencies must be listed in BuildRequires, except for any that are listed in the exceptions section of the Packaging Guidelines ; inclusion of those as BuildRequires is optional. Apply common sense: PASS MUST: The spec file MUST handle locales properly. This is done by using the %find_lang macro. Using %{_datadir}/locale/* is strictly forbidden: N/A MUST: Every binary RPM package (or subpackage) which stores shared library files (not just symlinks) in any of the dynamic linker's default paths, must call ldconfig in %post and %postun: PASS MUST: Packages must NOT bundle copies of system libraries: PASS MUST: If the package is designed to be relocatable, the packager must state this fact in the request for review, along with the rationalization for relocation of that specific package. Without this, use of Prefix: /usr is considered a blocker: N/A MUST: A package must own all directories that it creates. If it does not create a directory that it uses, then it should require a package which does create that directory: PASS MUST: A Fedora package must not list a file more than once in the spec file's %files listings. (Notable exception: license texts in specific situations): PASS MUST: Permissions on files must be set properly. Executables should be set with executable permissions, for example: PASS MUST: Each package must consistently use macros: PASS MUST: The package must contain code, or permissable content: PASS MUST: Large documentation files must go in a -doc subpackage. (The definition of large is left up to the packager's best judgement, but is not restricted to size. Large can refer to either size or quantity): N/A MUST: If a package includes something as %doc, it must not affect the runtime of the application. To summarize: If it is in %doc, the program must run properly if it is not present: PASS MUST: Static libraries must be in a -static package: NEEDSWORK (?) The description of of the -devel package says it "contains the header files and static libraries necessary for developing programs using the libspf2 (Sender Policy Framework) library." Does that mean we need a -static package AND a -devel package? Or is it acceptable to include these static libraries there? MUST: Development files must be in a -devel package: PASS MUST: In the vast majority of cases, devel packages must require the base package using a fully versioned dependency: Requires: %{name}%{?_isa} = %{version}-%{release}: NEEDSWORK - the %{?_isa} is missing MUST: Packages must NOT contain any .la libtool archives, these must be removed in the spec if they are built: PASS MUST: Packages containing GUI applications must include a %{name}.desktop file, and that file must be properly installed with desktop-file-install in the %install section. If you feel that your packaged GUI application does not need a .desktop file, you must put a comment in the spec file with your explanation: N/A MUST: Packages must not own files or directories already owned by other packages: PASS MUST: All filenames in rpm packages must be valid UTF-8: PASS SHOULD: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it: I did that for you! SHOULD: The description and summary sections in the package spec file should contain translations for supported Non-English languages, if available: N/A SHOULD: The reviewer should test that the package builds in mock: PASS (used koji) SHOULD: The package should compile and build into binary rpms on all supported architectures: PASS SHOULD: The reviewer should test that the package functions as described. A package should not segfault instead of running, for example: PASS SHOULD: If scriptlets are used, those scriptlets must be sane. This is vague, and left up to the reviewers judgement to determine sanity: PASS (although allowing me to be an arbiter of sanity is questionable... ;)) SHOULD: Usually, subpackages other than devel should require the base package using a fully versioned dependency: NEEDSWORK (any harm in adding %{?_isa} to progs package, too?) SHOULD: The placement of pkgconfig(.pc) files depends on their usecase, and this is usually for development purposes, so should be placed in a -devel pkg. A reasonable exception is that the main pkg itself is a devel tool not installed in a user runtime, e.g. gcc or gdb: N/A (no .pc file) SHOULD: If the package has file dependencies outside of /etc, /bin, /sbin, /usr/bin, or /usr/sbin consider requiring the package which provides the file instead of the file itself: N/A SHOULD: your package should contain man pages for binaries/scripts. If it doesn't, work with upstream to add them where they make sense: PASS Overall result - NEEDSWORK, but extremely minor stuff... and it's possible for Matt to talk me out of at least a couple of them if I'm misunderstanding them. :)
There are no static libraries included in the -devel package. I have added %{?_isa} to the -devel package Requires. We do not need to add %{?_isa} to other subpackage Requires, they will be handled automatically by rpmbuild. I believe the scriptlets are sane, they only run ldconfig and manage adding/removing to alternatives. libspf2-1.2.10-3.gitd57d79fd.fc21.x86_64.rpm and related files posted to https://domsch.com/linux/fedora/libspf2/ with the only change being to add %{?_isa} to the -devel package Requires. diff -urNp 2/libspf2.spec 3/libspf2.spec --- 2/libspf2.spec 2015-04-04 17:00:15.000000000 -0500 +++ 3/libspf2.spec 2015-04-05 15:08:58.000000000 -0500 @@ -4,9 +4,9 @@ # Each change to the spec requires a bump to version/release of both library and perlmod %global git d57d79fd %global library_version 1.2.10 -%global library_release 2.git%{git}%{?dist} +%global library_release 3.git%{git}%{?dist} %global perlmod_version 0.01 -%global perlmod_release 6.git%{git}%{?dist} +%global perlmod_release 7.git%{git}%{?dist} # Set to 1 for a compat-libspf2 package %global compat 0 @@ -87,7 +87,7 @@ Summary: Development tools needed to bui Group: Development/Libraries Version: %{library_version} Release: %{library_release} -Requires: %{name} = %{version}-%{release} +Requires: %{name}%{?_isa} = %{version}-%{release} %description devel The libspf2-devel package contains the header files and static @@ -281,6 +281,9 @@ exit 0 %endif %changelog +* Sun Apr 5 2015 Matt Domsch <mdomsch> - 1.2.10-3 +- update for review comments + * Sat Apr 4 2015 Matt Domsch <mdomsch> - 1.2.10-2 - update to upstream 1.2.10+git - update automake / autoconf for Fedora 21
I've fixed the whitespace in the .spec and uploaded it to my website. I'll drop this copy into the final package being checked in. Not worth doing a rebuild for right now.
If you posted up-to-date "Spec URL:" and "SRPM URL:" lines, it would become much more obvious what the latest files to review are, and the fedora-review tool would have an easy job fetching the latest packages, too: fedora-review -b 1057874 [...] https://domsch.com/linux/fedora/libspf/libspf2-1.2.10-3.gitd57d79fd.fc21.src.rpm This does not follow the snapshot versioning guidelines. https://fedoraproject.org/wiki/Packaging:Guidelines#Version_and_Release -> https://fedoraproject.org/wiki/Packaging:NamingGuidelines#Snapshot_packages > %if %{compat} > Provides: libspf2 = %{version}-%{release} > %endif Quite useless, if there is no %?_isa Provides as to complement the two automatic Proides for %name and %name%{?_isa}. > There are no static libraries included in the -devel package. Then the %description should not mention "static libraries". > We do not need to add %{?_isa} to other subpackage Requires, We do: https://fedoraproject.org/wiki/Packaging:Guidelines#Requiring_Base_Package It's the same explicit Requires as in -devel packages (to keep subpackages in sync with eachother as to avoid surprising developers when releasing bug-fix updates of libraries - we want them to get a matching pair of packages). It's the only way to have strict dependencies between subpackages and library base packages. Unless library symbol versioning is used. One major flaw with that is, in external packages we rely on the automatic soname deps to pull in _any_ package that provides the needed lib: https://fedoraproject.org/wiki/Packaging:Guidelines#Explicit_Requires It's up to the maintainers to add explicit Requires, if it must be a specific version-release of the lib for something to work correctly. > they will be handled automatically by rpmbuild. Arch-specific versioned explicit Requires are more strict than a basic SONAME dependency. Also note that there's an automatic lib dependency between -devel package and base lib package based on the soname. It's just not strict enough (wrt %release). > %install > %{__rm} -rf %{buildroot} https://fedoraproject.org/wiki/Packaging:Guidelines#BuildRoot_tag > %files > %doc README INSTALL LICENSES TODO https://fedoraproject.org/wiki/Packaging:LicensingGuidelines#License_Text > %files devel > %{_includedir}/spf2/spf*.h https://fedoraproject.org/wiki/Packaging:Guidelines#File_and_Directory_Ownership > %defattr(-,root,root,-) %defattr is not needed anymore for any of the target dists: https://fedoraproject.org/wiki/Packaging:Guidelines#File_Permissions
Matt: At the risk of asking a possibly overly obvious question, I'm assuming you're planning on building for all active branches EL5-7 and F20-Rawhide)? Thx.
Michael, thank you for the review comments. I have fixed these now. Spec URL: https://domsch.com/linux/fedora/libspf2/libspf2.spec SRPM URL: https://domsch.com/linux/fedora/libspf2/libspf2-1.2.10-4.20150405gitd57d79fd.fc21.src.rpm Steve, I hadn't considered EL5. I've got it building fine on EL6 so presumably EL7 will also, and F21 so presumably rawhide. As it stands the autotools stuff is ugly. I'm having to patch each version for the autotools available in it. Maybe I can do that once for the lowest version of each and then it "just works" for newer OS versions so I'd only need to do so twice. Running the bootstrap / autoreconf in %prep isn't ideal either and would suck in autotools build deps.
I'm going to leave this bug since Steve has shown more interests on it. And Steve, next time when you take over the review, please notify me first.
The packaging request had gone cold for the better part of a year, mostly because I didn't think it was necessary any longer, partly because I didn't have time to work on it a year ago. Steve is packaging the first consumer of it in OpenDKIM which just came to light as needing it. I'm glad for everyone (Christopher, Felix, SFteve, and Michael) who have taken the time to improve on this package.
Apologies, Christopher. Matt's correct in that I figured you were likely off doing other awesome things because this had been shelved for so long, but I still should have at least fired off a courtesy email to you to see if you were interested in jumping back in before just grabbing it.
(In reply to Matt Domsch from comment #17) > Steve, I hadn't considered EL5. I've got it building fine on EL6 so > presumably EL7 will also, and F21 so presumably rawhide. > > As it stands the autotools stuff is ugly. I'm having to patch each version > for the autotools available in it. Maybe I can do that once for the lowest > version of each and then it "just works" for newer OS versions so I'd only > need to do so twice. Running the bootstrap / autoreconf in %prep isn't > ideal either and would suck in autotools build deps. That makes sense. Including EL5 would be ideal (since I get the sense that majority of RedHat-based production mail servers are on EL systems), but I won't pitch a fit if you determine it's not worth the hassle. I've changed the review flag to +, so if you're good to go, I think this baby is ready for the SCM Admin request. Thank you everyone for so expeditiously resurrecting this package and getting it back on track. Easter pun intended. :)
New Package SCM Request ======================= Package Name: libspf2 Short Description: Implementation of the Sender Policy Framework for SMTP authorization Upstream URL: http://www.libspf2.org/ Owners: mdomsch Branches: el6 epel7 f20 f21 InitialCC: steve
Please use FAS in InitialCC, not email.
Package Change Request ====================== Package Name: libspf2 New Branches: f22 Owners: mdomsch InitialCC:
Git done (by process-git-requests).
libspf2-1.2.10-5.20150405gitd57d79fd.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/libspf2-1.2.10-5.20150405gitd57d79fd.fc22
libspf2-1.2.10-5.20150405gitd57d79fd.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/libspf2-1.2.10-5.20150405gitd57d79fd.fc21
libspf2-1.2.10-5.20150405gitd57d79fd.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/libspf2-1.2.10-5.20150405gitd57d79fd.fc20
libspf2-1.2.10-5.20150405gitd57d79fd.el7 has been submitted as an update for Fedora EPEL 7. https://admin.fedoraproject.org/updates/libspf2-1.2.10-5.20150405gitd57d79fd.el7
libspf2-1.2.10-5.20150405gitd57d79fd.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/libspf2-1.2.10-5.20150405gitd57d79fd.el6
libspf2-1.2.10-5.20150405gitd57d79fd.fc22 has been pushed to the Fedora 22 testing repository.
Package Change Request ====================== Package Name: libspf2 New Branches: el5 Owners: mdomsch InitialCC:
libspf2-1.2.10-5.20150405gitd57d79fd.el5 has been submitted as an update for Fedora EPEL 5. https://admin.fedoraproject.org/updates/libspf2-1.2.10-5.20150405gitd57d79fd.el5
libspf2-1.2.10-5.20150405gitd57d79fd.fc21 has been pushed to the Fedora 21 stable repository.
libspf2-1.2.10-5.20150405gitd57d79fd.fc20 has been pushed to the Fedora 20 stable repository.
libspf2-1.2.10-5.20150405gitd57d79fd.fc22 has been pushed to the Fedora 22 stable repository.
libspf2-1.2.10-5.20150405gitd57d79fd.el5 has been pushed to the Fedora EPEL 5 stable repository.
libspf2-1.2.10-5.20150405gitd57d79fd.el7 has been pushed to the Fedora EPEL 7 stable repository.
libspf2-1.2.10-5.20150405gitd57d79fd.el6 has been pushed to the Fedora EPEL 6 stable repository.