Spec URL: http://slaanesh.fedorapeople.org/ndoutils.spec SRPM URL: http://slaanesh.fedorapeople.org/ndoutils-1.5.2-1.fc20.src.rpm Description: The NDOUtils add on is designed to store all configuration and event data from Nagios in a database. Storing information from Nagios in a database will allow for quicker retrieval and processing of that data. Fedora Account System Username: slaanesh
This is a review for re-enabling the retired package: https://lists.fedoraproject.org/pipermail/devel/2014-February/195901.html I'm the current owner of the EPEL 5 & 6 branches and I'm missing the Fedora branches.
Spec URL: http://slaanesh.fedorapeople.org/ndoutils.spec SRPM URL: http://slaanesh.fedorapeople.org/ndoutils-2.0.0-1.fc20.src.rpm Updated to 2.0.0.
Fails to build in current rawhide: http://koji.fedoraproject.org/koji/taskinfo?taskID=6720014 but built successfully for F20: http://koji.fedoraproject.org/koji/taskinfo?taskID=6720014
Sorry bad paste: > but built successfully for F20: > http://koji.fedoraproject.org/koji/taskinfo?taskID=6720014 http://koji.fedoraproject.org/koji/taskinfo?taskID=6720060
Thanks, the compilation error is due to: https://fedoraproject.org/wiki/Format-Security-FAQ I'm looking into it.
Spec URL: http://slaanesh.fedorapeople.org/ndoutils.spec SRPM URL: http://slaanesh.fedorapeople.org/ndoutils-2.0.0-2.fc20.src.rpm Added patch for GCC format-security feature (fix rawhide build).
Please have a look at various issues found by fedora-review: Package Review ============== Legend: [x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated Issues: ======= - Permissions on files are set properly. Note: See rpmlint output See: http://fedoraproject.org/wiki/Packaging/Guidelines#FilePermissions - Package do not use a name that already exist Note: A package already exist with this name, please check https://admin.fedoraproject.org/pkgdb/acls/name/ndoutils See: https://fedoraproject.org/wiki/Packaging/NamingGuidelines#Conflicting_Package_Names This is a re-review of a formerly retired package. - No license file seems to be included in the package ===== MUST items ===== C/C++: [x]: Package does not contain kernel modules. [x]: Package contains no static executables. [x]: Development (unversioned) .so files in -devel subpackage, if present. Note: Unversioned so-files in private %_libdir subdirectory (see attachment). Verify they are not in ld path. [x]: Package does not contain any libtool archives (.la) [x]: Rpath absent or only used for internal libs. Generic: [!]: Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines. Some of the source files say GPLv2 but no license file included. [x]: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %doc. [!]: License field in the package spec file matches the actual license. Note: Checking patched sources after %prep for licenses. Licenses found: "Apache (v2.0)", "*No copyright* GPL (v2) (with incorrect FSF address)", "GPL (v2) (with incorrect FSF address)", "Unknown or generated". 61 files have unknown license. Detailed output of licensecheck in /home/petersen/pkgreview/1069259-ndoutils/licensecheck.txt See attachment below https://fedoraproject.org/wiki/Packaging:LicensingGuidelines#License_Text https://fedoraproject.org/wiki/Packaging:LicensingGuidelines#License_Clarification [!]: Package requires other packages for directories it uses. Note: No known owner of /usr/lib64/nagios/brokers [!]: Package must own all directories that it creates. Note: Directories without known owners: /usr/lib64/nagios/brokers [x]: %build honors applicable compiler flags or justifies otherwise. [x]: Package contains no bundled libraries without FPC exception. [x]: Changelog in prescribed format. [-]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install. Note: rm -rf %{buildroot} present but not required EPEL5 branch exists [x]: Sources contain only permissible code or content. [-]: Each %files section contains %defattr if rpm < 4.4 Note: %defattr present but not needed [x]: Package contains desktop file if it is a GUI application. [-]: Development files must be in a -devel package [x]: Package uses nothing in %doc for runtime. [x]: Package consistently uses macros (instead of hard-coded directory names). [x]: Package is named according to the Package Naming Guidelines. [x]: Package does not generate any conflict. [x]: Package obeys FHS, except libexecdir and /usr/target. [x]: If the package is a rename of another package, proper Obsoletes and Provides are present. [?]: Requires correct, justified where necessary. See above for unowned dirs [x]: Spec file is legible and written in American English. [x]: Package contains systemd file(s) if in need. [x]: Useful -debuginfo package or justification otherwise. [x]: Package is not known to require an ExcludeArch tag. [x]: Large documentation must go in a -doc subpackage. Large could be size (~1MB) or number of files. Note: Documentation size is 624640 bytes in 83 files. [x]: Package complies to the Packaging Guidelines [x]: Package successfully compiles and builds into binary rpms on at least one supported primary architecture. [x]: Package installs properly. [x]: Rpmlint is run on all rpms the build produces. Note: There are rpmlint messages (see attachment). [x]: Package does not own files or directories owned by other packages. [x]: All build dependencies are listed in BuildRequires, except for any that are listed in the exceptions section of Packaging Guidelines. [x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT [x]: %config files are marked noreplace or the reason is justified. [x]: Macros in Summary, %description expandable at SRPM build time. [x]: Package does not contain duplicates in %files. [x]: Package use %makeinstall only when make install' ' DESTDIR=... doesn't work. [x]: Package is named using only allowed ASCII characters. [x]: No %config files under /usr. [x]: Package is not relocatable. [x]: Sources used to build the package match the upstream source, as provided in the spec URL. [x]: Spec file name must match the spec package %{name}, in the format %{name}.spec. [x]: File names are valid UTF-8. [x]: Packages must not store files under /srv, /opt or /usr/local ===== SHOULD items ===== Generic: [-]: Buildroot is not present Note: Buildroot: present but not needed [-]: Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT) Note: %clean present but not required [!]: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it. [!]: Final provides and requires are sane (see attachments). [?]: Package functions as described. [ ]: Latest version is packaged. [x]: Package does not include license text files separate from upstream. [!]: Patches link to upstream bugs/comments/lists or are otherwise justified. please add comment above the Patch lines [x]: Package should compile and build into binary rpms on all supported architectures. [-]: %check is present and all tests pass. [x]: Packages should try to preserve timestamps of original installed files. [?]: Files in /run, var/run and /var/lock uses tmpfiles.d when appropriate [x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file [x]: Sources can be downloaded from URI in Source: tag [x]: Reviewer should test that the package builds in mock. [x]: Dist tag is present (not strictly required in GL). [x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin. [x]: Uses parallel make %{?_smp_mflags} macro. [x]: SourceX is a working URL. [x]: Spec use %global instead of %define unless justified. ===== EXTRA items ===== Generic: [x]: Rpmlint is run on all installed packages. Note: There are rpmlint messages (see attachment). [x]: Large data in /usr/share should live in a noarch subpackage if package is arched. [x]: Spec file according to URL is the same as in SRPM. Rpmlint ------- Checking: ndoutils-2.0.0-2.fc21.x86_64.rpm ndoutils-2.0.0-2.fc21.src.rpm ndoutils.x86_64: E: non-standard-executable-perm /usr/sbin/file2sock 0774L ndoutils.x86_64: W: non-standard-uid /var/cache/ndoutils nagios ndoutils.x86_64: W: non-standard-uid /var/run/ndoutils nagios ndoutils.x86_64: E: non-standard-executable-perm /usr/sbin/sockdebug 0774L ndoutils.x86_64: E: non-standard-executable-perm /usr/sbin/log2ndo 0774L ndoutils.x86_64: W: no-manual-page-for-binary log2ndo ndoutils.x86_64: W: no-manual-page-for-binary sockdebug ndoutils.x86_64: W: no-manual-page-for-binary ndo2db ndoutils.x86_64: W: no-manual-page-for-binary file2sock ndoutils.src: W: strange-permission ndoutils-2.0.0.tar.gz 0444L 2 packages and 0 specfiles checked; 3 errors, 7 warnings. Rpmlint (installed packages) ---------------------------- # rpmlint ndoutils ndoutils.x86_64: E: non-standard-executable-perm /usr/sbin/file2sock 0774L ndoutils.x86_64: W: non-standard-uid /var/cache/ndoutils nagios ndoutils.x86_64: W: non-standard-uid /var/run/ndoutils nagios ndoutils.x86_64: E: non-standard-executable-perm /usr/sbin/sockdebug 0774L ndoutils.x86_64: E: non-standard-executable-perm /usr/sbin/log2ndo 0774L ndoutils.x86_64: W: no-manual-page-for-binary log2ndo ndoutils.x86_64: W: no-manual-page-for-binary sockdebug ndoutils.x86_64: W: no-manual-page-for-binary ndo2db ndoutils.x86_64: W: no-manual-page-for-binary file2sock 1 packages and 0 specfiles checked; 3 errors, 6 warnings. # echo 'rpmlint-done:' Requires -------- ndoutils (rpmlib, GLIBC filtered): /bin/sh config(ndoutils) libc.so.6()(64bit) libcrypto.so.10()(64bit) libdl.so.2()(64bit) libm.so.6()(64bit) libmysqlclient.so.18()(64bit) libmysqlclient.so.18(libmysqlclient_18)(64bit) libnsl.so.1()(64bit) libpthread.so.0()(64bit) libssl.so.10()(64bit) libz.so.1()(64bit) nagios rtld(GNU_HASH) systemd Provides -------- ndoutils: config(ndoutils) ndoutils ndoutils(x86-64) Unversioned so-files -------------------- ndoutils: /usr/lib64/nagios/brokers/ndomod.so Source checksums ---------------- http://downloads.sourceforge.net/nagios/ndoutils-2.0.0.tar.gz : CHECKSUM(SHA256) this package : b95047c812fb61465e66a9e1a6d4a42bf00620f334f08a6faf5afe20bdd43ba1 CHECKSUM(SHA256) upstream package : b95047c812fb61465e66a9e1a6d4a42bf00620f334f08a6faf5afe20bdd43ba1 Generated by fedora-review 0.5.1 (bb9bf27) last change: 2013-12-13 Command line :/usr/bin/fedora-review -m fedora-rawhide-x86_64 -b 1069259 Buildroot used: fedora-rawhide-x86_64 Active plugins: Generic, Shell-api, C/C++ Disabled plugins: Java, Python, fonts, SugarActivity, Ocaml, Perl, Haskell, R, PHP, Ruby Disabled flags: EXARCH, EPEL5, BATCH, DISTTAG
Created attachment 887124 [details] licensecheck.txt
> [ ]: Latest version is packaged. 2.0.0 is latest upstream version http://sourceforge.net/projects/nagios/files/ndoutils-2.x/
> [!]: Package requires other packages for directories it uses. > Note: No known owner of /usr/lib64/nagios/brokers > [!]: Package must own all directories that it creates. > Note: Directories without known owners: /usr/lib64/nagios/brokers > [!]: Final provides and requires are sane (see attachments). Fixed. > [!]: Patches link to upstream bugs/comments/lists or are otherwise justified. > please add comment above the Patch lines Done. > ndoutils.x86_64: W: non-standard-uid /var/cache/ndoutils nagios > ndoutils.x86_64: W: non-standard-uid /var/run/ndoutils nagios This is correct, files should have those requirements as the "broker" is run by Nagios. > ndoutils.x86_64: E: non-standard-executable-perm /usr/sbin/file2sock 0774L > ndoutils.x86_64: E: non-standard-executable-perm /usr/sbin/sockdebug 0774L > ndoutils.x86_64: E: non-standard-executable-perm /usr/sbin/log2ndo 0774L Fixed, this is a bug in the installation script, I've created a patch that also removes the user/group ownership when installing (was a separate sed line in the spec file). Spec URL: http://slaanesh.fedorapeople.org/ndoutils.spec SRPM URL: http://slaanesh.fedorapeople.org/ndoutils-2.0.0-3.fc20.src.rpm A note on the obsolete tags in the spec file (%buildroot, %if rhel, etc.): the package can also be rebuilt for RHEL systems, which is something I do for my systems at work. Version 2 compared to current 1.5.2 in EPEL 5/6 has automatic aging of records.
> No license file seems to be included in the package > [!]: Package is licensed with an open-source compatible license and meets > other legal requirements as defined in the legal section of Packaging > Guidelines. > [!]: License field in the package spec file matches the actual license. > Note: Checking patched sources after %prep for licenses. Licenses found: > "Apache (v2.0)", "*No copyright* GPL (v2) (with incorrect FSF address)", > "GPL (v2) (with incorrect FSF address)", "Unknown or generated". 61 files > have unknown license. Detailed output of licensecheck in > /home/petersen/pkgreview/1069259-ndoutils/licensecheck.txt > [!]: If the source package does not include license text(s) as a separate file > from upstream, the packager SHOULD query upstream to include it. > Some of the source files say GPLv2 but no license file included. I've included a GPLv2 license text file from gnu.org, I will contact upstream to include it. Regarding the files that are Apache (2.0), the licensing guidelines [1] state that the ASL 2.0 license is not compatible with GPLv2. The only header file that is licensed like that is the Nagios header that is required for building the broker module. Also Nagios, from where the header comes from [2], contains the header in question with ASL 2.0 but has only GPLv2 as the license in the spec file [2]. I'm not sure this poses a problem on the resulting shared object; so I'm lifting FE-LEGAL for it. [1] https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#Good_Licenses [2] http://sourceforge.net/p/nagios/nagioscore/ci/master/tree/lib/pqueue.c [3] http://pkgs.fedoraproject.org/cgit/nagios.git/tree/nagios.spec#n9
Thanks for updating (In reply to Simone Caronni from comment #10) > > [!]: Package requires other packages for directories it uses. > > Note: No known owner of /usr/lib64/nagios/brokers > > [!]: Package must own all directories that it creates. > > Note: Directories without known owners: /usr/lib64/nagios/brokers > > [!]: Final provides and requires are sane (see attachments). > > Fixed. Thanks > > [!]: Patches link to upstream bugs/comments/lists or are otherwise justified. > > please add comment above the Patch lines > > Done. Great > > ndoutils.x86_64: W: non-standard-uid /var/cache/ndoutils nagios > > ndoutils.x86_64: W: non-standard-uid /var/run/ndoutils nagios > > This is correct, files should have those requirements as the "broker" is run > by Nagios. Ok > > ndoutils.x86_64: E: non-standard-executable-perm /usr/sbin/file2sock 0774L > > ndoutils.x86_64: E: non-standard-executable-perm /usr/sbin/sockdebug 0774L > > ndoutils.x86_64: E: non-standard-executable-perm /usr/sbin/log2ndo 0774L > > Fixed, this is a bug in the installation script, I've created a patch that > also removes the user/group ownership when installing (was a separate sed > line in the spec file). Cool I will wait a bit more then to see what fedora legal may say. You may want to send a mail to fedora legal list directly to discuss the license issue.
Emailed libpqueue upstream to see if there is any chance of resolving the licensing concern.
Update: * The nagios package in fedora does not contain any libpqueue code, so there is no issue there. * libpqueue upstream today relicensed their code as BSD to resolve compatibility issues, and since the ndoutils copy of pqueue.h is almost identical, the core can also be considered to be BSD, with the changes from ndoutils/nagios being GPLv2. Thus, if we include a comment in the spec file pointing to the libpqueue upstream relicensing commit, I think we can move forward with this item without legal concern. # libpqueue has been relicensed to BSD to resolve this issue: # https://github.com/vy/libpqueue/commit/de6480009c60afff22d4c7edf4353ef87797e497 Lifting FE-Legal.
Many thanks! Will update the spec file tomorrow.
Added licensing note: Spec URL: http://slaanesh.fedorapeople.org/ndoutils.spec SRPM URL: http://slaanesh.fedorapeople.org/ndoutils-2.0.0-4.fc20.src.rpm
Thanks Guys! I will try to resume the review soon.
Any chance to finish the review? The license issues were the only things left. Thanks, --Simone
Looks good now - thanks: all issues resolved. Package APPROVED
Thanks!
New Package SCM Request ======================= Package Name: ndoutils Short Description: Store Nagios configuration and event data in a database Upstream URL: http://www.nagios.org/ Owners: slaanesh Branches: f19 f20
Git done (by process-git-requests).
Package Change Request ====================== Package Name: ndoutils New Branches: f19 f20 devel Owners: slaanesh