Bug 1305655 - (liblsl) Review Request: liblsl - Lab streaming layer API
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Zbigniew Jędrzejewski-Szmek
QA Contact: Fedora Extras Quality Assurance
Blocks: fedora-neuro
Reported: 2016-02-08 15:24 EST by Dmitry Mikhirev
Modified: 2016-02-14 14:48 EST
Doc Type: Bug Fix
Last Closed: 2016-02-14 14:48:20 EST
zbyszek: fedora‑review+


Description Dmitry Mikhirev 2016-02-08 15:24:51 EST
Spec URL: http://copr-dist-git.fedorainfracloud.org/cgit/bizdelnick/neuro/liblsl.git/plain/liblsl.spec?id=729813c15a8a55ba190517bf49a303a83f24faf0
SRPM URL: https://copr-be.cloud.fedoraproject.org/results/bizdelnick/neuro/fedora-rawhide-x86_64/00158389-liblsl/liblsl-1.11.0-1.fc24.src.rpm
Description: The lab streaming layer is a simple all-in-one approach to streaming experiment data between applications in a lab, e.g. instrument time series, event markers, audio, and so on.
Fedora Account System Username: bizdelnick
Comment 1 Zbigniew Jędrzejewski-Szmek 2016-02-09 08:23:50 EST
Package Review
==============

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated

===== MUST items =====

C/C++:
[x]: Package does not contain kernel modules.
[x]: Package contains no static executables.
[x]: Header files in -devel subpackage, if present.
[x]: ldconfig called in %post and %postun if required.
[x]: Package does not contain any libtool archives (.la)
[x]: Rpath absent or only used for internal libs.
[x]: Development (unversioned) .so files in -devel subpackage, if present.

Generic:
[x]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[?]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses
     found: "MIT/X11 (BSD like)", "BSL (v1.0)", "Unknown or generated". 80
     files have unknown license. Detailed output of licensecheck in
     /var/tmp/1305655-liblsl/licensecheck.txt
[x]: License file installed when any subpackage combination is installed.
[!]: If the package is under multiple licenses, the licensing breakdown
     must be documented in the spec.
[x]: %build honors applicable compiler flags or justifies otherwise.
[x]: Package contains no bundled libraries without FPC exception.
[x]: Changelog in prescribed format.
[x]: Sources contain only permissible code or content.
[-]: Package contains desktop file if it is a GUI application.
[x]: Development files must be in a -devel package
[x]: Package uses nothing in %doc for runtime.
[x]: Package consistently uses macros (instead of hard-coded directory
     names).
[x]: Package is named according to the Package Naming Guidelines.
[x]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[?]: Requires correct, justified where necessary.
[x]: Spec file is legible and written in American English.
[-]: Package contains systemd file(s) if in need.
[x]: Useful -debuginfo package or justification otherwise.
[x]: Package is not known to require an ExcludeArch tag.
[-]: Large documentation must go in a -doc subpackage. Large could be size
     (~1MB) or number of files.
     Note: Documentation size is 20480 bytes in 6 files.
[x]: Package complies to the Packaging Guidelines
[x]: Package successfully compiles and builds into binary rpms on at least
     one supported primary architecture.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: If (and only if) the source package includes the text of the
     license(s) in its own file, then that file, containing the text of the
     license(s) for the package is included in %license.
[x]: Package requires other packages for directories it uses.
[x]: Package does not own files or directories owned by other packages.
[x]: All build dependencies are listed in BuildRequires, except for any
     that are listed in the exceptions section of Packaging Guidelines.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Dist tag is present.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package use %makeinstall only when make install DESTDIR=... doesn't
     work.
[x]: Package is named using only allowed ASCII characters.
[x]: Package does not use a name that already exists.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as
     provided in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Packages must not store files under /srv, /opt or /usr/local

===== SHOULD items =====

Generic:
[-]: If the source package does not include license text(s) as a separate
     file from upstream, the packager SHOULD query upstream to include it.
[x]: Final provides and requires are sane (see attachments).
[-]: Fully versioned dependency in subpackages if applicable.
     Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in liblsl-
     debuginfo
[x]: Package functions as described.
[x]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[x]: Patches link to upstream bugs/comments/lists or are otherwise
     justified.
[x]: Scriptlets must be sane, if used.
[x]: SourceX tarball generation or download is documented.
     Note: Package contains tarball without URL, check comments
[-]: Description and summary sections in the package spec file contains
     translations for supported Non-English languages, if available.
[?]: Package should compile and build into binary rpms on all supported
     architectures.
[-]: %check is present and all tests pass.
[x]: Packages should try to preserve timestamps of original installed
     files.
[!]: Spec use %global instead of %define unless justified.
     Note: %define requiring justification: %define version_major 1,
     %define version_minor 11, %define version_patch 0, %define commit
     9b91384
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: SourceX is a working URL.

Rpmlint
-------
Checking: liblsl-1.11.0-1.fc24.x86_64.rpm
          liblsl-devel-1.11.0-1.fc24.x86_64.rpm
          liblsl-debuginfo-1.11.0-1.fc24.x86_64.rpm
          liblsl-1.11.0-1.fc24.src.rpm
liblsl-devel.x86_64: W: only-non-binary-in-usr-lib
liblsl-devel.x86_64: W: no-documentation
liblsl.src:18: W: macro-in-comment %{name}
liblsl.src:18: W: macro-in-comment %{version}
liblsl.src:18: W: macro-in-comment %{commit}
liblsl.src:18: W: macro-in-comment %{SOURCE0}
liblsl.src: E: specfile-error warning: Macro expanded in comment on line 18: # git archive --prefix=%{name}-%{version}/ %{commit} `ls | grep -v '^external$'` | xz > %{SOURCE0}
liblsl.src: E: specfile-error 
4 packages and 0 specfiles checked; 2 errors, 6 warnings.




Requires
--------
liblsl-debuginfo (rpmlib, GLIBC filtered):

liblsl (rpmlib, GLIBC filtered):
    /sbin/ldconfig
    ld-linux-x86-64.so.2()(64bit)
    libboost_chrono.so.1.60.0()(64bit)
    libboost_filesystem.so.1.60.0()(64bit)
    libboost_serialization.so.1.60.0()(64bit)
    libboost_system.so.1.60.0()(64bit)
    libboost_thread.so.1.60.0()(64bit)
    libc.so.6()(64bit)
    libgcc_s.so.1()(64bit)
    libgcc_s.so.1(GCC_3.0)(64bit)
    libm.so.6()(64bit)
    libpthread.so.0()(64bit)
    librt.so.1()(64bit)
    libstdc++.so.6()(64bit)
    libstdc++.so.6(CXXABI_1.3)(64bit)
    libstdc++.so.6(CXXABI_1.3.9)(64bit)
    rtld(GNU_HASH)

liblsl-devel (rpmlib, GLIBC filtered):
    liblsl(x86-64)
    liblsl.so.1.11()(64bit)



Provides
--------
liblsl-debuginfo:
    liblsl-debuginfo
    liblsl-debuginfo(x86-64)

liblsl:
    liblsl
    liblsl(x86-64)
    liblsl.so.1.11()(64bit)

liblsl-devel:
    liblsl-devel
    liblsl-devel(x86-64)



Issues
------

Do not use %define, use %global instead [https://fedoraproject.org/wiki/Packaging:Guidelines#.25global_preferred_over_.25define].

You might want to also package examples/ as docs in devel.

You do not provide the licensing breakdown in a comment in the spec file.
I don't think boost license applies to the binary rpm, but let's
see the breakdown first.

The package uses some bundled libraries: pugixml, portable_archive, boost endian.
pugixml is packaged for fedora, so is boost (package boost-devel).
According to the new rules, you must use the packaged versions unless there's
some specific reason not to.
I don't think portable_archive is packaged, so you can use the internal version,
or possibly package it as a separate package. I'd do the latter if it is used in
other projects, and only then, but either way, it's your choice. If you choose
to use bundled versions, add
Provides: bundled(portable_archive) = <date-of-last-change-of-the-bundled-code>.
Comment 2 Dmitry Mikhirev 2016-02-09 17:39:48 EST
Thank you Zbigniew!

> The package uses some bundled libraries: pugixml, portable_archive, boost endian.

The LSL version of endian differs from upstream boost endian (probably it is a very old fork) and is incompatible with it. As this is a header-only library, there are no .so files bundled.

I'm unable to find a live upstream for portable_archive, so I don't think that packaging it separately makes any sense. This is also a header-only library, and there's nothing bundled in the binary package.

I'll fix other issues and post updated spec and srpm later.
Comment 3 Dmitry Mikhirev 2016-02-13 14:32:24 EST
> I don't think boost license applies to the binary rpm
You are right, the Boost license does not apply to the binary package. It is used only for headers that are not installed.

> Do not use %define, use %global instead
fixed

> pugixml is packaged for fedora
Added a patch to use system pugixml.

> You might want to also package examples/ as docs in devel.
done

Spec URL: http://copr-dist-git.fedorainfracloud.org/cgit/bizdelnick/neuro/liblsl.git/plain/liblsl.spec?id=892489a7b7018eca4dff211329f405284886b98f
SRPM URL: https://copr-be.cloud.fedoraproject.org/results/bizdelnick/neuro/fedora-rawhide-x86_64/00159673-liblsl/liblsl-1.11.0-1.fc24.src.rpm
Comment 4 Zbigniew Jędrzejewski-Szmek 2016-02-13 17:22:16 EST
rpmlint:
liblsl.src:18: W: macro-in-comment %{name}
liblsl.src:18: W: macro-in-comment %{version}
liblsl.src:18: W: macro-in-comment %{commit}
liblsl.src:18: W: macro-in-comment %{SOURCE0}
liblsl.src: E: specfile-error warning: Macro expanded in comment on line 18: # git archive --prefix=%{name}-%{version}/ %{commit} `ls | grep -v '^external$'` | xz > %{SOURCE0}
liblsl.src: E: specfile-error 

You really should fix those because rpm will complain about those on every build (replace % with %%).

You should also add
Provides: bundled(boost-endian)
Provides: bundled(portable-archive)
I don't think it'll make any practical difference, but the guidelines require that [1], and there's no reason not to.

[1] https://fedoraproject.org/wiki/Packaging:Guidelines#Bundling_and_Duplication_of_system_libraries

There's a number of warnings during build about initialization issues in the code... You might want to look into those.

Package is APPROVED.
Comment 5 Dmitry Mikhirev 2016-02-14 05:46:03 EST
> You should also add
> Provides: bundled(boost-endian)
> Provides: bundled(portable-archive)
> I don't think it'll make any practical difference, but the guidelines require that [1], and there's no reason not to.

I'm sorry, but I don't understand why it can be needed. Those are forks of the original libraries maintained by liblsl developers. The guideline you pointed to requires the version of the bundled library to be defined, but the code is not identical to any upstream release. Then, as I mentioned before, both endian and portable_archive are header-only libraries, so the binary package does not bundle shared libs, it does not even contain files linked to some bundled libs statically, only generated template specializations are used. If the point of defining provides is to mark possibly duplicated binary files, there's no duplication. If it is to provide a way to track security issues, it will not work, because the code is not equal to upstream and its version can't be determined.
Comment 6 Gwyn Ciesla 2016-02-14 10:23:13 EST
Package request has been approved: https://admin.fedoraproject.org/pkgdb/package/liblsl
Comment 7 Zbigniew Jędrzejewski-Szmek 2016-02-14 10:47:45 EST
The idea is to provide the information that package A is using code B. Would there be no bundling, this information would be provided by BuildRequires or other dependency. We want to provide a replacement.

The purpose is to be able to quickly find code B, not just for security issues. Imagine that next version of gcc exposes a bug in boost::endian. If someone wants to go over all packages using boost::endian and recompile them with some patch, this Provides makes their life easier because they can identify relevant packages with one or two dnf queries.

In case you cannot identify a specific version, don't include the version. There's a lot of packages which do that. You can add a comment in the specfile...
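
The lookup described in comment 7, as an added example that is not part of the original thread: it lists which packages declare a given bundled() Provides and which declarations carry no version. The function names, the input layout and the packages examplepkg-a and examplepkg-b are assumptions made for illustration; only liblsl and its two bundled names come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). On a live Fedora system the lookup is:
#   dnf repoquery --whatprovides 'bundled(boost-endian)'
# Below, the same questions are answered offline over constructed data.

# Constructed sample of "<package> <provide>" pairs. Only liblsl and its two
# bundled() names come from the thread; examplepkg-a/-b are hypothetical.
sample_provides() {
cat <<'EOF'
liblsl liblsl = 1.11.0-1.fc24
liblsl bundled(boost-endian)
liblsl bundled(portable-archive)
examplepkg-a examplepkg-a = 2.0-1.fc24
examplepkg-a bundled(boost-endian) = 1.58
examplepkg-b bundled(pugixml) = 1.7
EOF
}

# who_bundles LIB: packages declaring bundled(LIB), versioned or not.
who_bundles() {
    awk -v lib="$1" '$2 == ("bundled(" lib ")") { print $1 }' | sort -u
}

# unversioned_bundles: "package library" for each bundled() Provides without
# a version, i.e. copies that cannot be matched to an upstream release.
unversioned_bundles() {
    awk 'NF == 2 && $2 ~ /^bundled\(.*\)$/ {
        lib = $2
        sub(/^bundled\(/, "", lib)
        sub(/\)$/, "", lib)
        print $1, lib
    }' | sort
}

# Packages to rebuild if a bug turns up in boost::endian:
sample_provides | who_bundles boost-endian
# Bundled copies that need manual comparison against upstream:
sample_provides | unversioned_bundles
```

A misspelled tag in a spec file never matches the `bundled(...)` pattern, so the package silently drops out of both listings.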
Comment 8 Dmitry Mikhirev 2016-02-14 12:47:54 EST
Thank you for the explanation, I added the Provides as you advised.
