Bug 1305655 (liblsl) - Review Request: liblsl - Lab streaming layer API
Summary: Review Request: liblsl - Lab streaming layer API
Alias: liblsl
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Zbigniew Jędrzejewski-Szmek
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks: fedora-neuro
Reported: 2016-02-08 20:24 UTC by Dmitry Mikhirev
Modified: 2016-02-14 19:48 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2016-02-14 19:48:20 UTC
zbyszek: fedora-review+


Description Dmitry Mikhirev 2016-02-08 20:24:51 UTC
Spec URL: http://copr-dist-git.fedorainfracloud.org/cgit/bizdelnick/neuro/liblsl.git/plain/liblsl.spec?id=729813c15a8a55ba190517bf49a303a83f24faf0
SRPM URL: https://copr-be.cloud.fedoraproject.org/results/bizdelnick/neuro/fedora-rawhide-x86_64/00158389-liblsl/liblsl-1.11.0-1.fc24.src.rpm
Description: The lab streaming layer is a simple all-in-one approach to streaming experiment data between applications in a lab, e.g. instrument time series, event markers, audio, and so on.
Fedora Account System Username: bizdelnick

Comment 1 Zbigniew Jędrzejewski-Szmek 2016-02-09 13:23:50 UTC
Package Review

[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated

===== MUST items =====

[x]: Package does not contain kernel modules.
[x]: Package contains no static executables.
[x]: Header files in -devel subpackage, if present.
[x]: ldconfig called in %post and %postun if required.
[x]: Package does not contain any libtool archives (.la)
[x]: Rpath absent or only used for internal libs.
[x]: Development (unversioned) .so files in -devel subpackage, if present.

[x]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
[?]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses
     found: "MIT/X11 (BSD like)", "BSL (v1.0)", "Unknown or generated". 80
     files have unknown license. Detailed output of licensecheck in
[x]: License file installed when any subpackage combination is installed.
[!]: If the package is under multiple licenses, the licensing breakdown
     must be documented in the spec.
[x]: %build honors applicable compiler flags or justifies otherwise.
[x]: Package contains no bundled libraries without FPC exception.
[x]: Changelog in prescribed format.
[x]: Sources contain only permissible code or content.
[-]: Package contains desktop file if it is a GUI application.
[x]: Development files must be in a -devel package
[x]: Package uses nothing in %doc for runtime.
[x]: Package consistently uses macros (instead of hard-coded directory
[x]: Package is named according to the Package Naming Guidelines.
[x]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[?]: Requires correct, justified where necessary.
[x]: Spec file is legible and written in American English.
[-]: Package contains systemd file(s) if in need.
[x]: Useful -debuginfo package or justification otherwise.
[x]: Package is not known to require an ExcludeArch tag.
[-]: Large documentation must go in a -doc subpackage. Large could be size
     (~1MB) or number of files.
     Note: Documentation size is 20480 bytes in 6 files.
[x]: Package complies to the Packaging Guidelines
[x]: Package successfully compiles and builds into binary rpms on at least
     one supported primary architecture.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: If (and only if) the source package includes the text of the
     license(s) in its own file, then that file, containing the text of the
     license(s) for the package is included in %license.
[x]: Package requires other packages for directories it uses.
[x]: Package does not own files or directories owned by other packages.
[x]: All build dependencies are listed in BuildRequires, except for any
     that are listed in the exceptions section of Packaging Guidelines.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Dist tag is present.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package use %makeinstall only when make install DESTDIR=... doesn't
[x]: Package is named using only allowed ASCII characters.
[x]: Package does not use a name that already exists.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as
     provided in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format
[x]: File names are valid UTF-8.
[x]: Packages must not store files under /srv, /opt or /usr/local

===== SHOULD items =====

[-]: If the source package does not include license text(s) as a separate
     file from upstream, the packager SHOULD query upstream to include it.
[x]: Final provides and requires are sane (see attachments).
[-]: Fully versioned dependency in subpackages if applicable.
     Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in liblsl-
[x]: Package functions as described.
[x]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[x]: Patches link to upstream bugs/comments/lists or are otherwise
[x]: Scriptlets must be sane, if used.
[x]: SourceX tarball generation or download is documented.
     Note: Package contains tarball without URL, check comments
[-]: Description and summary sections in the package spec file contains
     translations for supported Non-English languages, if available.
[?]: Package should compile and build into binary rpms on all supported
[-]: %check is present and all tests pass.
[x]: Packages should try to preserve timestamps of original installed
[!]: Spec use %global instead of %define unless justified.
     Note: %define requiring justification: %define version_major 1,
     %define version_minor 11, %define version_patch 0, %define commit
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: SourceX is a working URL.

Checking: liblsl-1.11.0-1.fc24.x86_64.rpm
liblsl-devel.x86_64: W: only-non-binary-in-usr-lib
liblsl-devel.x86_64: W: no-documentation
liblsl.src:18: W: macro-in-comment %{name}
liblsl.src:18: W: macro-in-comment %{version}
liblsl.src:18: W: macro-in-comment %{commit}
liblsl.src:18: W: macro-in-comment %{SOURCE0}
liblsl.src: E: specfile-error warning: Macro expanded in comment on line 18: # git archive --prefix=%{name}-%{version}/ %{commit} `ls | grep -v '^external$'` | xz > %{SOURCE0}
liblsl.src: E: specfile-error 
4 packages and 0 specfiles checked; 2 errors, 6 warnings.

liblsl-debuginfo (rpmlib, GLIBC filtered):

liblsl (rpmlib, GLIBC filtered):

liblsl-devel (rpmlib, GLIBC filtered):





Do not use %define, use %global instead [https://fedoraproject.org/wiki/Packaging:Guidelines#.25global_preferred_over_.25define].

You might want to also package examples/ as docs in devel.

You do not provide the licensing breakdown in a comment in the spec file.
I don't think boost license applies to the binary rpm, but let's
see the breakdown first.

The package uses some bundled libraries: pugixml, portable_archive, boost endian.
pugixml is packaged for fedora, so is boost (package boost-devel).
According to the new rules, you must use the packaged versions unless there's
some specific reason not to.
I don't think portable_archive is packaged, so you can use the internal version,
or possibly package it as a separate package. I'd do the latter if it is used in
other projects, and only then, but either way, it's your choice. If you choose
to use bundled versions, add
Provides: bundled(portable_archive) = <date-of-last-change-of-the-bundled-code>.

Comment 2 Dmitry Mikhirev 2016-02-09 22:39:48 UTC
Thank you Zbigniew!

> The package uses some bundled libraries: pugixml, portable_archive, boost endian.

LSL version of endian differs from upstream boost endian (probably it is a very old fork) and is incompatible with it. As this is a header-only library, there are no .so files bundled.

I'm unable to find a live upstream for portable_archive, so I don't think that packaging it separately makes any sense. This is also a header-only library, and there's nothing bundled in the binary package.

I'll fix other issues and post updated spec and srpm later.

Comment 3 Dmitry Mikhirev 2016-02-13 19:32:24 UTC
> I don't think boost license applies to the binary rpm
You are right, the Boost license does not apply to the binary package. It is used only for headers that are not installed.

> Do not use %define, use %global instead

> pugixml is packaged for fedora
Added a patch to use system pugixml.

> You might want to also package examples/ as docs in devel.

Spec URL: http://copr-dist-git.fedorainfracloud.org/cgit/bizdelnick/neuro/liblsl.git/plain/liblsl.spec?id=892489a7b7018eca4dff211329f405284886b98f
SRPM URL: https://copr-be.cloud.fedoraproject.org/results/bizdelnick/neuro/fedora-rawhide-x86_64/00159673-liblsl/liblsl-1.11.0-1.fc24.src.rpm

Comment 4 Zbigniew Jędrzejewski-Szmek 2016-02-13 22:22:16 UTC
liblsl.src:18: W: macro-in-comment %{name}
liblsl.src:18: W: macro-in-comment %{version}
liblsl.src:18: W: macro-in-comment %{commit}
liblsl.src:18: W: macro-in-comment %{SOURCE0}
liblsl.src: E: specfile-error warning: Macro expanded in comment on line 18: # git archive --prefix=%{name}-%{version}/ %{commit} `ls | grep -v '^external$'` | xz > %{SOURCE0}
liblsl.src: E: specfile-error 

You really should fix those because rpm will complain about those on every build (replace % with %%).

You should also add
Provides: bundled(boost-endian)
Provides: bundled(portable-archive)
I don't think it'll make any practical difference, but the guidelines require that [1], and there's no reason not to.

[1] https://fedoraproject.org/wiki/Packaging:Guidelines#Bundling_and_Duplication_of_system_libraries

There's a number of warnings during build about initialization issues in the code... You might want to look into those.

Package is APPROVED.

Comment 5 Dmitry Mikhirev 2016-02-14 10:46:03 UTC
> You should also add
> Provides: bundled(boost-endian)
> Provides: bundled(portable-archive)
> I don't think it'll make any practical difference, but the guidelines require
> that [1], and there's no reason not to.

I'm sorry, but I don't understand why it can be needed. Those are forks of original libraries maintained by liblsl developers. The guideline you pointed to requires the version of bundled library to be defined, but the code is not identical to any upstream release. Then, as I mentioned before, both endian and portable_archive are header-only libraries, so the binary package does not bundle shared libs, it does not even contain files linked to some bundled libs statically, only generated template specializations are used. If the point of defining provides is to mark possibly duplicated binary files, there's no duplication. If it is to provide a way to track security issues, it will not work, because the code is not equal to upstream and its version can't be determined.

Comment 6 Gwyn Ciesla 2016-02-14 15:23:13 UTC
Package request has been approved: https://admin.fedoraproject.org/pkgdb/package/liblsl

Comment 7 Zbigniew Jędrzejewski-Szmek 2016-02-14 15:47:45 UTC
The idea is to provide the information that package A is using code B. Would there be no bundling, this information would be provided by BuildRequires or other dependency. We want to provide a replacement.

The purpose is to be able to quickly find code B, not just for security issues. Imagine that next version of gcc exposes a bug in boost::endian. If someone wants to go over all packages using boost::endian and recompile them with some patch, this Provides makes their life easier because they can identify relevant packages with one or two dnf queries.

In case you cannot identify a specific version, don't include the version. There's a lot of packages which do that. You can add a comment in the specfile...
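
An added example, not part of the original thread or of the liblsl spec: a small spec-file check covering the two points raised above, unescaped macros in comments (Comment 4) and `Provides: bundled(...)` tags that a capability query has to be able to find (Comment 7). The sample spec text, the `lint_spec` name and the problem labels are constructed for illustration; unversioned tags are accepted, as the reviewer advises.

```python
import re
from difflib import get_close_matches

# Constructed sample spec fragment (not the real liblsl.spec).
SAMPLE_SPEC = """\
Name:           example
Version:        1.0
# git archive --prefix=%{name}-%{version}/ HEAD | xz > %{SOURCE0}
# escaped form is fine: %%{name}
Provides:       bundled(boost-endian)
Provides:       bundles(portable-archive)
Provides:       bundled(pugixml) = 1.7
Provides:       libfoo-compat = 1.0
"""

# Provides: kind(component) [= version]
PROVIDES = re.compile(r"Provides:\s*(\w[\w.+-]*)\(([^)]+)\)(?:\s*=\s*(\S+))?")
UNESCAPED_MACRO = re.compile(r"%[{A-Za-z_]")


def lint_spec(text):
    """Return (bundled, problems).

    bundled  maps component name -> version string, or None when unversioned.
    problems is a list of (line_number, label) tuples.
    """
    bundled, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            # rpm expands macros even in comments; "%%" is the escaped form,
            # so drop those pairs before looking for a live macro.
            if UNESCAPED_MACRO.search(line.replace("%%", "")):
                problems.append((lineno, "macro-in-comment"))
            continue
        m = PROVIDES.match(line)
        if not m:
            continue
        kind, component, version = m.groups()
        if kind == "bundled":
            bundled[component] = version
        elif get_close_matches(kind, ["bundled"], n=1, cutoff=0.8):
            # A near-miss spelling is never matched by a bundled(...) query.
            problems.append((lineno, "misspelled-bundled-provides"))
    return bundled, problems


if __name__ == "__main__":
    print(lint_spec(SAMPLE_SPEC))
```

On a system with the repositories available, the matching lookup is `dnf repoquery --whatprovides 'bundled(boost-endian)'`, which only finds packages whose tag is spelled exactly.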

Comment 8 Dmitry Mikhirev 2016-02-14 17:47:54 UTC
Thank you for the explanation, I added provides as you advised.
