Bug 1368855 - (radare2) Review Request: radare2 - The reverse engineering framework [NEEDINFO]
Review Request: radare2 - The reverse engineering framework
Status: ASSIGNED
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
rawhide
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Lubomir Rintel
Fedora Extras Quality Assurance
:
: 1425815 1450572 (view as bug list)
Depends On:
Blocks: FE-SECLAB
  Show dependency treegraph
 
Reported: 2016-08-21 17:50 EDT by Michal Ambroz
Modified: 2018-08-04 08:36 EDT (History)
18 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-01-23 06:14:54 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
lkundrak: fedora‑review?
rschiron: needinfo? (lkundrak)


Attachments (Terms of Use)

  None (edit)
Description Michal Ambroz 2016-08-21 17:50:46 EDT
SPEC URL: https://rebus.fedorapeople.org/SPECS/radare2.spec
SRPM URL: https://rebus.fedorapeople.org/SRPMS/radare2-0.10.5-1.fc23.src.rpm

The radare2 is a reverse-engineering framework that is multi-architecture,
multi-platform, and highly scriptable.  It provides a hexadecimal
editor, wrapped I/O, file system support, debugger support, diffing
between two functions or binaries, and code analysis at opcode,
basic block, and function levels.

Fedora Account System Username: rebus

Link to the Koji scratch build -
http://koji.fedoraproject.org/koji/taskinfo?taskID=15328663

Link to COPR build:
https://copr.fedorainfracloud.org/coprs/rebus/infosec-rebus/build/443316/

Available also from my COPR repository:
dnf copr enable rebus/infosec-rebus
dnf install radare2
Comment 1 Igor Gnatenko 2016-09-10 11:13:49 EDT
Please unbundle sdb as you packaged it.
Comment 2 Michal Ambroz 2016-09-12 09:28:49 EDT
Unbubdling of sdb currently not supported upstream. There used to be such option, but it is not possible right now.
Comment 3 Lubomir Rintel 2017-01-04 15:13:18 EST
Talked to Igor; I'm stealing this review as it's taking too long and Igor's busy.
Comment 4 Lubomir Rintel 2017-01-04 16:02:46 EST
Looks generally good. A few comments inline. Note that the style comments are in generally merely my opinions, not blockers.

> Name:           radare2
> Version:        0.10.5

Please update to the 1.1.0 release tarball.

> Release:        1%{?dist}
> Summary:        The %{name} reverse engineering framework

This looks terrible. Please consider *not* using macro expansion for every single occurrence of a substring.

> Group:          Applications/Engineering

Probably not the right category. Development/Tools is more suitable (or Development/Debuggers).

> License:        LGPLv3

Some parts of the package use a different license; e.g. shlr/grub is apparently GPLv3+, shlr/qnx is probably GPL+, shlr/zip looks like BSD, etc.

> URL:            http://radare.org/
> #URL:           https://github.com/radare/radare2

Drop a useless comment please.

> Source0:        https://github.com/%{gituser}/%{gitname}/archive/%{commit}/%{name}-%{version}-%{shortcommit}.tar.gz
> Source1:        https://github.com/%{gituser}/%{sdbgitname}/archive/%{sdbcommit}/%{sdbgitname}-%{version}-%{sdbshort}.tar.gz

This source is not used at all.

> %description
> The %{name} is a reverse-engineering framework that is multi-architecture,
> multi-platform, and highly scriptable.  %{name} provides a hexadecimal
> editor, wrapped I/O, file system support, debugger support, diffing
> between two functions or binaries, and code analysis at opcode,
> basic block, and function levels.

Another couple of useless macro expansions. Please get rid of them.

> %build
> %configure --with-sysmagic --with-syszip --with-syscapstone

You don't enable openssl. Why? (no idea what is it used for)

> CFLAGS="%{optflags} -fPIC -I../include" make %{?_smp_mflags} LIBDIR=%{_libdir} PREFIX=%{_prefix} DATADIR=%{DATADIR}

%{DATADIR}?

> %install
> rm -rf %{buildroot}

Cleaning buildroot is not needed anymore.

> NOSUDO=1 make install DESTDIR=%{buildroot} LIBDIR=%{_libdir} PREFIX=%{_prefix}
> cp shlr/sdb/src/libsdb.a %{buildroot}/%{_libdir}/libsdb.a

No static libraries please; drop this one.

> %files
> %doc AUTHORS.md CONTRIBUTING.md DEVELOPERS.md README.md TODO.md doc/*
> %doc %{_datadir}/doc/%{name}

Drop this one; it's no longer needed or allowed.

> %post -n %{name}-devel -p /sbin/ldconfig
> %postun -n %{name}-devel -p /sbin/ldconfig

Why? You're not supposed to ship libraries in -devel packages; and you most likely are not.
Comment 5 Lubomir Rintel 2017-01-20 10:22:32 EST
Ping?
Comment 6 Lubomir Rintel 2017-02-03 13:06:03 EST
Hello? Still interested in the package?
Comment 7 Michal Ambroz 2017-02-25 16:55:35 EST
still interested
Comment 8 Michal Ambroz 2017-03-18 21:03:37 EDT
SPEC URL: https://rebus.fedorapeople.org/SPECS/radare2.spec
SRPM URL: https://rebus.fedorapeople.org/SRPMS/radare2-1.3.0-1.fc24.src.rpm

>Please update to the 1.1.0 release tarball.
Updated to 1.3.0 release.

>> Release:        1%{?dist}
>> Summary:        The %{name} reverse engineering framework
> Please consider *not* using macro expansion for every single occurrence of a substring.
Sure ... was mistake. Fixed.

>> Group:          Applications/Engineering
>Probably not the right category. Development/Tools is more suitable (or Development/Debuggers).
Agreed.

>> License:        LGPLv3
>Some parts of the package use a different license; e.g. shlr/grub is apparently GPLv3+, 
>shlr/qnx is probably GPL+, shlr/zip looks like BSD, etc.
Changed to GPLv3+ due to its viral nature, although majority of the package is meant to be licensed LGPL.
This would definitely deserve some second look.

>> URL:            http://radare.org/
>> #URL:           https://github.com/radare/radare2
>Drop a useless comment please.
No. I consider it useful when updating the package. While the browser friendly is the radare.org, when updating the package it is more handy the link to github.


>> Source0:        https://github.com/%{gituser}/%{gitname}/archive/%{commit}/%{name}-%{version}-%{shortcommit}.tar.gz
>> Source1:        https://github.com/%{gituser}/%{sdbgitname}/archive/%{sdbcommit}/%{sdbgitname}-%{version}-%{sdbshort}.tar.gz
>This source is not used at all.
True. Not used for the release packing. Source0 used when packing from git directly (in case of patches preventing build on fedora).


>> %build
>> %configure --with-sysmagic --with-syszip --with-syscapstone
>You don't enable openssl. Why? (no idea what is it used for)
Option is in the configure, but it is not working in radare for anything now.
At least that was answer from Pancake last time I asked about that (see sys/*.sh for the recommended build path - doesn't contain this option).


>> CFLAGS="%{optflags} -fPIC -I../include" make %{?_smp_mflags} LIBDIR=%{_libdir} PREFIX=%{_prefix} DATADIR=%{DATADIR}
>%{DATADIR}?
fixed

>> %install
>> rm -rf %{buildroot}
>Cleaning buildroot is not needed anymore.
dropped

>> NOSUDO=1 make install DESTDIR=%{buildroot} LIBDIR=%{_libdir} PREFIX=%{_prefix}
>> cp shlr/sdb/src/libsdb.a %{buildroot}/%{_libdir}/libsdb.a
>No static libraries please; drop this one.
dropped

>> %files
>> %doc AUTHORS.md CONTRIBUTING.md DEVELOPERS.md README.md TODO.md doc/*
>> %doc %{_datadir}/doc/%{name}
>Drop this one; it's no longer needed or allowed.
I do not understand your request - please explain why the %files and %doc should be dropped.

>> %post -n %{name}-devel -p /sbin/ldconfig
>> %postun -n %{name}-devel -p /sbin/ldconfig
>Why? You're not supposed to ship libraries in -devel packages; and you most likely are not.
OK .. gone
Comment 9 Michael Scherer 2017-04-02 09:21:35 EDT
>>> %doc %{_datadir}/doc/%{name}
>>Drop this one; it's no longer needed or allowed.
> I do not understand your request - please explain why the %files and %doc should be dropped.

That's just the line for the directory that should dropped, since that's done by rpm already.

> True. Not used for the release packing. Source0 used when packing from git 
> directly (in case of patches preventing build on fedora).

I think it would be better to remove it, since this will requires to upload the file to the lookaside cache for no reason. 

> Changed to GPLv3+ due to its viral nature, although majority of the package is > meant to be licensed LGPL.

I think you need to list all licenses:
https://fedoraproject.org/wiki/Packaging:LicensingGuidelines#Multiple_Licensing_Scenarios
Comment 10 Michael Scherer 2017-04-02 09:25:55 EDT
Ok so looking at the spec file, I didn't see the 2nd source was commented already.

The spec do look fine from a quick verification, but I can't run fedora-review right now.
Comment 11 Michal Ambroz 2017-04-23 16:16:02 EDT
SPEC URL: https://rebus.fedorapeople.org/SPECS/radare2.spec
SRPM URL: https://rebus.fedorapeople.org/SRPMS/radare2-1.4.0-1.fc24.src.rpm

>That's just the line for the directory that should dropped, since that's done by rpm already.

No it should not be dropped, otherwise the files, which are installed there by the radare2 during the installation would be treated as installed, but unpackaged.

>I think you need to list all licenses:
I have tried to list the original licenses, but anyway due to theviral nature of GPL I believe that as the original project released all those with GPL-ed project, these are probably GPL-ed as well.
Comment 12 Michael Scherer 2017-05-15 20:58:33 EDT
> No it should not be dropped, otherwise the files, which are installed there by 
> the radare2 during the installation would be treated as installed, but 
> unpackaged.

I know that some upstream do that, but that mean this will be broken (or rather, not coherent) if %_docdir_fmt is changed, like on EL, where the value is %{NAME}-%{VERSION} while on Fedora, that's %{NAME}.

Hardcoding "%{_datadir}/doc/%{name}" is not correct (even if in practice, it would likely work).

> I have tried to list the original licenses, but anyway due to theviral nature 
> of GPL I believe that as the original project released all those with GPL-ed 
> project, these are probably GPL-ed as well.

That's not my understanding of the guidelines, as it clearly say all licenses must be listed in the tag, and I am sure that we should stick to it when it come to licensing. The comments can't be queried in case of problem with one license or anything, and I think that's the main use of that tag. 

Or it can be used to verify that all licenses text that requires to be included are included in the rpm, as that's a requirement from both the GPL, the LGPL and the Apache License 2.0.

Speaking of that, the text of the Apache 2 license is missing from the package, since there is only GPL v3 and LGPL. That's a issue upstream, but technically, that's a license violation (as that's one of the few requirements of the Apache 2.0 license)

Also, there is a few small error in the spec:
# shlr/zip/zlib - 3 clause BSD (system installed sared zlib is used instead)
=> shared ?

# shlr/www/enyo/vendors/jquery.min.js - Aplache License version 2.0
Apache ?
Comment 13 Elliott Sales de Andrade 2017-07-08 06:00:34 EDT
Please update the review when you change the SPEC (as it appears you have done) because otherwise it confuses the fedora-review tool.
Comment 14 Elliott Sales de Andrade 2017-07-08 18:34:28 EDT
This is not a formal review. Radare2 seems to be a bit of bundling nightmare to
me; I'd think you'd need an exception for it, but I'm not too sure you'd get
it. The custom build system also makes it difficult to say whether nothing is
statically linked (because I'm too lazy atm), so I'd be much happier when they
switch to Meson.

Please run rpmlint on the spec, srpm, *and* the binary rpms. There are several
trivial issues that could be fixed from that (also noted below.)


Package Review
==============

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated
[ ] = Manual review needed


Issues:
=======
- Development (unversioned) .so files in -devel subpackage, if present.
  Note: Unversioned so-files directly in %_libdir.
  See: https://fedoraproject.org/wiki/Packaging/Guidelines#DevelPackages
- Package does not contain duplicates in %files.
  Note: warning: File listed twice: /usr/share/doc/radare2
  See: https://fedoraproject.org/wiki/Packaging/Guidelines#DuplicateFiles
- If (and only if) the source package includes the text of the license(s)
  in its own file, then that file, containing the text of the license(s)
  for the package is included in %license.
  Note: License file license is not marked as %license
  See: https://fedoraproject.org/wiki/Packaging/LicensingGuidelines#License_Text
  Not sure why this comes up; maybe because it's not tagged in -devel?
- Packaged files:
  * Bare .so files in in the main package; they should be -devel.
  * /usr/share/doc/radare2/bash_autocompletion.sh should probably be installed
    as a real completion file.
  * What are these /usr/share/doc/radare2/fortunes.* for? Not sure about the
    nsfw ones. Pretty sure the offensive entries in the real fortune-mod package
    are disabled.
  * Stuff like doc/crosscompile seem irrelevant.
  * Can the global magic database be used instead of /usr/share/radare2/1.4.0/magic?
  * Are the sdb files arch-independent? fedora-review suggests that the
    share/radare2 directory could be a separate non-arch package.
  * The /usr/bin/r2-indent and /usr/bin/r2-docker symlinks are broken.
- Dependencies:
  * Needs a BuildRequires: gcc at least. The bundled tcc might also need a Requires
    as well.
  * zlib-devel should be added, I believe.
  * fedora-review complains about Perl; I'm not sure if it's used for the build or
    just an example, so I don't know if it should be  required.
- Group is not needed in Fedora packages any more.
- I think the r2pm script should be patched to disallow global modifications if
  possible, or make sure to use something like /usr/local. This always ends up
  causing trouble with pip...
- Extra comments should be removed.


===== MUST items =====

C/C++:
[x]: Package does not contain kernel modules.
[?]: Package contains no static executables.
[x]: Header files in -devel subpackage, if present.
[x]: ldconfig called in %post and %postun if required.
[x]: Package does not contain any libtool archives (.la)
[x]: Rpath absent or only used for internal libs.

Generic:
[x]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[!]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses
     found: "GPL", "GPL (v2) (with incorrect FSF address)", "*No copyright*
     CC0", "*No copyright* MPL (v2.0)", "BSD (3 clause)", "GPL (v1 or
     later)", "LGPL (v2 or later)", "GPL (v3 or later)", "zlib/libpng",
     "GPL (v2 or later) (with incorrect FSF address)", "BSD (2 clause)",
     "GPL (v3)", "GPL (v1 or later) (with incorrect FSF address)", "Apache
     (v2.0)", "GPL (v2 or later)", "LGPL (v3.0 or later)", "MIT/X11 (BSD
     like)", "BSD (3 clause) GPL (v3 or later)", "*No copyright* Public
     domain", "MPL (v1.1) GPL (v2 or later)", "BSD (unspecified)", "*No
     copyright* GPL LGPL", "LGPL", "Unknown or generated", "BSD (4
     clause)", "NTP", "*No copyright* LGPL (v3)". 2042 files have unknown
     license. Detailed output of licensecheck in 1368855-radare2/licensecheck.txt
[!]: License file installed when any subpackage combination is installed.
     No license in -devel package.
[x]: %build honors applicable compiler flags or justifies otherwise.
[!]: Package contains no bundled libraries without FPC exception.
[x]: Changelog in prescribed format.
[?]: Sources contain only permissible code or content.
[-]: Package contains desktop file if it is a GUI application.
[!]: Development files must be in a -devel package
[x]: Package uses nothing in %doc for runtime.
[x]: Package consistently uses macros (instead of hard-coded directory
     names).
[x]: Package is named according to the Package Naming Guidelines.
[?]: Package does not generate any conflict.
[?]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[!]: Requires correct, justified where necessary.
[x]: Spec file is legible and written in American English.
[-]: Package contains systemd file(s) if in need.
[x]: Useful -debuginfo package or justification otherwise.
[?]: Package is not known to require an ExcludeArch tag.
[x]: Large documentation must go in a -doc subpackage. Large could be size
     (~1MB) or number of files.
     Note: Documentation size is 276480 bytes in 83 files.
[!]: Package complies to the Packaging Guidelines
[x]: Package successfully compiles and builds into binary rpms on at least
     one supported primary architecture.
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: Package requires other packages for directories it uses.
[x]: Package must own all directories that it creates.
[x]: Package does not own files or directories owned by other packages.
[x]: All build dependencies are listed in BuildRequires, except for any
     that are listed in the exceptions section of Packaging Guidelines.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Dist tag is present.
[x]: Permissions on files are set properly.
[x]: Package use %makeinstall only when make install DESTDIR=... doesn't
     work.
[x]: Package is named using only allowed ASCII characters.
[x]: Package does not use a name that already exists.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as
     provided in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Packages must not store files under /srv, /opt or /usr/local

Perl:
[?]: Package contains the mandatory BuildRequires and Requires:.
     Note: Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`";
     echo $version)) missing?

===== SHOULD items =====

Generic:
[-]: If the source package does not include license text(s) as a separate
     file from upstream, the packager SHOULD query upstream to include it.
[!]: Final provides and requires are sane (see attachments).
[?]: Fully versioned dependency in subpackages if applicable.
     Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in
     radare2-debuginfo
[?]: Package functions as described.
[x]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[!]: Patches link to upstream bugs/comments/lists or are otherwise
     justified.
     Patch is outdated and should be dropped.
[x]: Scriptlets must be sane, if used.
[-]: Description and summary sections in the package spec file contains
     translations for supported Non-English languages, if available.
[?]: Package should compile and build into binary rpms on all supported
     architectures.
[!]: %check is present and all tests pass.
[?]: Packages should try to preserve timestamps of original installed
     files.
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: The placement of pkgconfig(.pc) files are correct.
[x]: Sources can be downloaded from URI in Source: tag
[x]: SourceX is a working URL.
[x]: Spec use %global instead of %define unless justified.

===== EXTRA items =====

Generic:
[!]: Large data in /usr/share should live in a noarch subpackage if package
     is arched.
     Note: Arch-ed rpms have a total of 6533120 bytes in /usr/share
[x]: Rpmlint is run on debuginfo package(s).
     Note: There are rpmlint messages (see attachment).
[x]: Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).
[x]: Spec file according to URL is the same as in SRPM.


Rpmlint
-------
Checking: radare2-1.5.0-1.fc27.x86_64.rpm
          radare2-devel-1.5.0-1.fc27.x86_64.rpm
          radare2-debuginfo-1.5.0-1.fc27.x86_64.rpm
          radare2-1.5.0-1.fc27.src.rpm
radare2.x86_64: W: name-repeated-in-summary C radare2
radare2.x86_64: W: spelling-error %description -l en_US multi -> mulch, mufti
radare2.x86_64: W: spelling-error %description -l en_US scriptable -> scrip table, scrip-table, script able
radare2.x86_64: W: spelling-error %description -l en_US opcode -> op code, op-code, code
radare2.x86_64: E: invalid-soname /usr/lib64/libr_bp.so.1.5.0 libr_bp.so
radare2.x86_64: E: invalid-soname /usr/lib64/libr_lang.so.1.5.0 libr_lang.so
radare2.x86_64: W: shared-lib-calls-exit /usr/lib64/libr_lang.so.1.5.0 exit@GLIBC_2.2.5
radare2.x86_64: E: invalid-soname /usr/lib64/libr_config.so.1.5.0 libr_config.so
radare2.x86_64: E: invalid-soname /usr/lib64/libr_egg.so.1.5.0 libr_egg.so
radare2.x86_64: W: shared-lib-calls-exit /usr/lib64/libr_egg.so.1.5.0 exit@GLIBC_2.2.5
radare2.x86_64: E: invalid-soname /usr/lib64/libr_hash.so.1.5.0 libr_hash.so
radare2.x86_64: E: invalid-soname /usr/lib64/libr_util.so.1.5.0 libr_util.so
radare2.x86_64: E: invalid-soname /usr/lib64/libr_magic.so.1.5.0 libr_magic.so
radare2.x86_64: E: invalid-soname /usr/lib64/libr_bin.so.1.5.0 libr_bin.so
radare2.x86_64: E: invalid-soname /usr/lib64/libr_crypto.so.1.5.0 libr_crypto.so
radare2.x86_64: E: invalid-soname /usr/lib64/libr_asm.so.1.5.0 libr_asm.so
radare2.x86_64: E: invalid-soname /usr/lib64/libr_debug.so.1.5.0 libr_debug.so
radare2.x86_64: E: invalid-soname /usr/lib64/libr_cons.so.1.5.0 libr_cons.so
radare2.x86_64: E: invalid-soname /usr/lib64/libr_socket.so.1.5.0 libr_socket.so
radare2.x86_64: E: missing-call-to-chdir-with-chroot /usr/lib64/libr_socket.so.1.5.0
radare2.x86_64: E: invalid-soname /usr/lib64/libr_syscall.so.1.5.0 libr_syscall.so
radare2.x86_64: E: invalid-soname /usr/lib64/libr_search.so.1.5.0 libr_search.so
radare2.x86_64: E: invalid-soname /usr/lib64/libr_fs.so.1.5.0 libr_fs.so
radare2.x86_64: E: invalid-soname /usr/lib64/libr_flag.so.1.5.0 libr_flag.so
radare2.x86_64: E: invalid-soname /usr/lib64/libr_io.so.1.5.0 libr_io.so
radare2.x86_64: E: invalid-soname /usr/lib64/libr_core.so.1.5.0 libr_core.so
radare2.x86_64: W: shared-lib-calls-exit /usr/lib64/libr_core.so.1.5.0 exit@GLIBC_2.2.5
radare2.x86_64: E: invalid-soname /usr/lib64/libr_anal.so.1.5.0 libr_anal.so
radare2.x86_64: E: invalid-soname /usr/lib64/libr_reg.so.1.5.0 libr_reg.so
radare2.x86_64: E: invalid-soname /usr/lib64/libr_parse.so.1.5.0 libr_parse.so
radare2.x86_64: W: shared-lib-calls-exit /usr/lib64/libr_parse.so.1.5.0 exit@GLIBC_2.2.5
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_magic.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_egg.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_syscall.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_flag.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_crypto.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_config.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_util.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_anal.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_debug.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_core.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_bin.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_asm.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr2.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_reg.so
radare2.x86_64: E: script-without-shebang /usr/share/radare2/1.5.0/www/enyo/vendors/jquery.min.js
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_search.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_bp.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_hash.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_cons.so
radare2.x86_64: W: dangling-symlink /usr/bin/r2-indent /builddir/build/BUILD/radare2-1.5.0/sys/indent.sh
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_parse.so
radare2.x86_64: W: dangling-symlink /usr/bin/r2-docker /builddir/build/BUILD/radare2-1.5.0/sys/r2-docker.sh
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_fs.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_io.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_socket.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_lang.so
radare2.x86_64: W: hidden-file-or-dir /usr/lib/.build-id
radare2.x86_64: W: hidden-file-or-dir /usr/lib/.build-id
radare2.x86_64: W: no-manual-page-for-binary r2-indent
radare2-devel.x86_64: W: only-non-binary-in-usr-lib
radare2-devel.x86_64: W: no-documentation
radare2-debuginfo.x86_64: E: incorrect-fsf-address /usr/src/debug/radare2-1.5.0-1.fc27.x86_64/libr/asm/arch/tricore/gnu/tricore-opc.c
radare2-debuginfo.x86_64: E: incorrect-fsf-address /usr/src/debug/radare2-1.5.0-1.fc27.x86_64/libr/asm/arch/tricore/gnu/tricore-dis.c
radare2-debuginfo.x86_64: E: incorrect-fsf-address /usr/src/debug/radare2-1.5.0-1.fc27.x86_64/libr/asm/arch/sh/gnu/sh-opc.h
radare2-debuginfo.x86_64: E: incorrect-fsf-address /usr/src/debug/radare2-1.5.0-1.fc27.x86_64/libr/asm/arch/sh/gnu/sh-dis.c
radare2-debuginfo.x86_64: E: incorrect-fsf-address /usr/src/debug/radare2-1.5.0-1.fc27.x86_64/libr/asm/arch/include/opcode/tricore.h
radare2-debuginfo.x86_64: E: incorrect-fsf-address /usr/src/debug/radare2-1.5.0-1.fc27.x86_64/libr/hash/md4.c
radare2-debuginfo.x86_64: E: incorrect-fsf-address /usr/src/debug/radare2-1.5.0-1.fc27.x86_64/libr/asm/arch/tricore/gnu/cpu-tricore.c
radare2.src: W: name-repeated-in-summary C radare2
radare2.src: W: spelling-error %description -l en_US multi -> mulch, mufti
radare2.src: W: spelling-error %description -l en_US scriptable -> scrip table, scrip-table, script able
radare2.src: W: spelling-error %description -l en_US opcode -> op code, op-code, code
radare2.src:9: W: macro-in-comment %{shortcommit}
radare2.src:40: W: macro-in-comment %{gituser}
radare2.src:40: W: macro-in-comment %{gitname}
radare2.src:40: W: macro-in-comment %{commit}
radare2.src:40: W: macro-in-comment %{name}
radare2.src:40: W: macro-in-comment %{version}
radare2.src:40: W: macro-in-comment %{shortcommit}
radare2.src:73: W: macro-in-comment %{gitname}
radare2.src:73: W: macro-in-comment %{commit}
radare2.src:75: W: macro-in-comment %patch0
radare2.src:83: W: macro-in-comment %check
radare2.src:84: W: make-check-outside-check-section # make tests
radare2.src: W: patch-not-applied Patch0: %{name}-capstone4.patch
4 packages and 0 specfiles checked; 31 errors, 55 warnings.

Spelling errors are spurious; devel file should be moved as noted above. Comments and patches should be cleaned up. Symlinks need to be fixed.



Rpmlint (debuginfo)
-------------------
Checking: radare2-debuginfo-1.5.0-1.fc27.x86_64.rpm
radare2-debuginfo.x86_64: E: incorrect-fsf-address /usr/src/debug/radare2-1.5.0-1.fc27.x86_64/libr/asm/arch/tricore/gnu/cpu-tricore.c
radare2-debuginfo.x86_64: E: incorrect-fsf-address /usr/src/debug/radare2-1.5.0-1.fc27.x86_64/libr/asm/arch/include/opcode/tricore.h
radare2-debuginfo.x86_64: E: incorrect-fsf-address /usr/src/debug/radare2-1.5.0-1.fc27.x86_64/libr/asm/arch/sh/gnu/sh-opc.h
radare2-debuginfo.x86_64: E: incorrect-fsf-address /usr/src/debug/radare2-1.5.0-1.fc27.x86_64/libr/asm/arch/tricore/gnu/tricore-dis.c
radare2-debuginfo.x86_64: E: incorrect-fsf-address /usr/src/debug/radare2-1.5.0-1.fc27.x86_64/libr/asm/arch/tricore/gnu/tricore-opc.c
radare2-debuginfo.x86_64: E: incorrect-fsf-address /usr/src/debug/radare2-1.5.0-1.fc27.x86_64/libr/hash/md4.c
radare2-debuginfo.x86_64: E: incorrect-fsf-address /usr/src/debug/radare2-1.5.0-1.fc27.x86_64/libr/asm/arch/sh/gnu/sh-dis.c
1 packages and 0 specfiles checked; 7 errors, 0 warnings.





Rpmlint (installed packages)
----------------------------
sh: /usr/bin/python: No such file or directory
radare2-debuginfo.x86_64: E: incorrect-fsf-address /usr/src/debug/radare2-1.5.0-1.fc27.x86_64/libr/asm/arch/include/opcode/tricore.h
radare2-debuginfo.x86_64: E: incorrect-fsf-address /usr/src/debug/radare2-1.5.0-1.fc27.x86_64/libr/asm/arch/sh/gnu/sh-dis.c
radare2-debuginfo.x86_64: E: incorrect-fsf-address /usr/src/debug/radare2-1.5.0-1.fc27.x86_64/libr/asm/arch/sh/gnu/sh-opc.h
radare2-debuginfo.x86_64: E: incorrect-fsf-address /usr/src/debug/radare2-1.5.0-1.fc27.x86_64/libr/asm/arch/tricore/gnu/cpu-tricore.c
radare2-debuginfo.x86_64: E: incorrect-fsf-address /usr/src/debug/radare2-1.5.0-1.fc27.x86_64/libr/asm/arch/tricore/gnu/tricore-dis.c
radare2-debuginfo.x86_64: E: incorrect-fsf-address /usr/src/debug/radare2-1.5.0-1.fc27.x86_64/libr/asm/arch/tricore/gnu/tricore-opc.c
radare2-debuginfo.x86_64: E: incorrect-fsf-address /usr/src/debug/radare2-1.5.0-1.fc27.x86_64/libr/hash/md4.c
radare2-devel.x86_64: W: only-non-binary-in-usr-lib
radare2-devel.x86_64: W: no-documentation
radare2.x86_64: W: name-repeated-in-summary C radare2
radare2.x86_64: W: spelling-error %description -l en_US multi -> mulch, mufti
radare2.x86_64: W: spelling-error %description -l en_US scriptable -> scrip table, scrip-table, script able
radare2.x86_64: W: spelling-error %description -l en_US opcode -> op code, op-code, code
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr2.so.1.5.0 /lib64/libdl.so.2
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr2.so.1.5.0 /lib64/libr_parse.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr2.so.1.5.0 /lib64/libr_search.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr2.so.1.5.0 /lib64/libr_cons.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr2.so.1.5.0 /lib64/libr_config.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr2.so.1.5.0 /lib64/libr_bin.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr2.so.1.5.0 /lib64/libr_debug.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr2.so.1.5.0 /lib64/libr_anal.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr2.so.1.5.0 /lib64/libr_reg.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr2.so.1.5.0 /lib64/libr_bp.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr2.so.1.5.0 /lib64/libr_io.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr2.so.1.5.0 /lib64/libr_lang.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr2.so.1.5.0 /lib64/libr_asm.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr2.so.1.5.0 /lib64/libr_syscall.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr2.so.1.5.0 /lib64/libr_hash.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr2.so.1.5.0 /lib64/libr_crypto.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr2.so.1.5.0 /lib64/libr_magic.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr2.so.1.5.0 /lib64/libr_socket.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr2.so.1.5.0 /lib64/libr_flag.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr2.so.1.5.0 /lib64/libr_egg.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr2.so.1.5.0 /lib64/libr_fs.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr2.so.1.5.0 /lib64/libutil.so.1
radare2.x86_64: E: invalid-soname /usr/lib64/libr_anal.so.1.5.0 libr_anal.so
radare2.x86_64: E: invalid-soname /usr/lib64/libr_asm.so.1.5.0 libr_asm.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr_asm.so.1.5.0 /lib64/libr_lang.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr_asm.so.1.5.0 /lib64/libr_cons.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr_asm.so.1.5.0 /lib64/libr_reg.so
radare2.x86_64: E: invalid-soname /usr/lib64/libr_bin.so.1.5.0 libr_bin.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr_bin.so.1.5.0 /lib64/libr_socket.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr_bin.so.1.5.0 /lib64/libr_magic.so
radare2.x86_64: E: invalid-soname /usr/lib64/libr_bp.so.1.5.0 libr_bp.so
radare2.x86_64: E: invalid-soname /usr/lib64/libr_config.so.1.5.0 libr_config.so
radare2.x86_64: E: invalid-soname /usr/lib64/libr_cons.so.1.5.0 libr_cons.so
radare2.x86_64: E: invalid-soname /usr/lib64/libr_core.so.1.5.0 libr_core.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr_core.so.1.5.0 /lib64/libdl.so.2
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr_core.so.1.5.0 /lib64/libr_magic.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr_core.so.1.5.0 /lib64/libutil.so.1
radare2.x86_64: W: shared-lib-calls-exit /usr/lib64/libr_core.so.1.5.0 exit@GLIBC_2.2.5
radare2.x86_64: E: invalid-soname /usr/lib64/libr_crypto.so.1.5.0 libr_crypto.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr_crypto.so.1.5.0 /lib64/libr_hash.so
radare2.x86_64: E: invalid-soname /usr/lib64/libr_debug.so.1.5.0 libr_debug.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr_debug.so.1.5.0 /lib64/libr_parse.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr_debug.so.1.5.0 /lib64/libutil.so.1
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr_debug.so.1.5.0 /lib64/libr_flag.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr_debug.so.1.5.0 /lib64/libr_socket.so
radare2.x86_64: E: invalid-soname /usr/lib64/libr_egg.so.1.5.0 libr_egg.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr_egg.so.1.5.0 /lib64/libr_parse.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr_egg.so.1.5.0 /lib64/libr_reg.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr_egg.so.1.5.0 /lib64/libr_anal.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr_egg.so.1.5.0 /lib64/libr_flag.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr_egg.so.1.5.0 /lib64/libr_cons.so
radare2.x86_64: W: shared-lib-calls-exit /usr/lib64/libr_egg.so.1.5.0 exit@GLIBC_2.2.5
radare2.x86_64: E: invalid-soname /usr/lib64/libr_flag.so.1.5.0 libr_flag.so
radare2.x86_64: E: invalid-soname /usr/lib64/libr_fs.so.1.5.0 libr_fs.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr_fs.so.1.5.0 /lib64/libr_io.so
radare2.x86_64: E: invalid-soname /usr/lib64/libr_hash.so.1.5.0 libr_hash.so
radare2.x86_64: E: invalid-soname /usr/lib64/libr_io.so.1.5.0 libr_io.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr_io.so.1.5.0 /lib64/libutil.so.1
radare2.x86_64: E: invalid-soname /usr/lib64/libr_lang.so.1.5.0 libr_lang.so
radare2.x86_64: W: shared-lib-calls-exit /usr/lib64/libr_lang.so.1.5.0 exit@GLIBC_2.2.5
radare2.x86_64: E: invalid-soname /usr/lib64/libr_magic.so.1.5.0 libr_magic.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr_magic.so.1.5.0 /lib64/libr_util.so
radare2.x86_64: E: invalid-soname /usr/lib64/libr_parse.so.1.5.0 libr_parse.so
radare2.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libr_parse.so.1.5.0 /lib64/libr_cons.so
radare2.x86_64: W: shared-lib-calls-exit /usr/lib64/libr_parse.so.1.5.0 exit@GLIBC_2.2.5
radare2.x86_64: E: invalid-soname /usr/lib64/libr_reg.so.1.5.0 libr_reg.so
radare2.x86_64: E: invalid-soname /usr/lib64/libr_search.so.1.5.0 libr_search.so
radare2.x86_64: E: invalid-soname /usr/lib64/libr_socket.so.1.5.0 libr_socket.so
radare2.x86_64: E: missing-call-to-chdir-with-chroot /usr/lib64/libr_socket.so.1.5.0
radare2.x86_64: E: invalid-soname /usr/lib64/libr_syscall.so.1.5.0 libr_syscall.so
radare2.x86_64: E: invalid-soname /usr/lib64/libr_util.so.1.5.0 libr_util.so
radare2.x86_64: W: dangling-symlink /usr/bin/r2-docker /builddir/build/BUILD/radare2-1.5.0/sys/r2-docker.sh
radare2.x86_64: W: dangling-symlink /usr/bin/r2-indent /builddir/build/BUILD/radare2-1.5.0/sys/indent.sh
radare2.x86_64: W: hidden-file-or-dir /usr/lib/.build-id
radare2.x86_64: W: hidden-file-or-dir /usr/lib/.build-id
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr2.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_anal.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_asm.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_bin.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_bp.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_config.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_cons.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_core.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_crypto.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_debug.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_egg.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_flag.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_fs.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_hash.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_io.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_lang.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_magic.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_parse.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_reg.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_search.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_socket.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_syscall.so
radare2.x86_64: W: devel-file-in-non-devel-package /usr/lib64/libr_util.so
radare2.x86_64: E: script-without-shebang /usr/share/radare2/1.5.0/www/enyo/vendors/jquery.min.js
radare2.x86_64: W: no-manual-page-for-binary r2-indent
3 packages and 0 specfiles checked; 31 errors, 82 warnings.



Requires
--------
radare2-debuginfo (rpmlib, GLIBC filtered):

radare2-devel (rpmlib, GLIBC filtered):
    /usr/bin/pkg-config
    radare2(x86-64)

radare2 (rpmlib, GLIBC filtered):
    /bin/sh
    /sbin/ldconfig
    libc.so.6()(64bit)
    libcapstone.so.3()(64bit)
    libdl.so.2()(64bit)
    libm.so.6()(64bit)
    libmagic.so.1()(64bit)
    libpthread.so.0()(64bit)
    libr2.so.1.5.0()(64bit)
    libr_anal.so()(64bit)
    libr_asm.so()(64bit)
    libr_bin.so()(64bit)
    libr_bp.so()(64bit)
    libr_config.so()(64bit)
    libr_cons.so()(64bit)
    libr_core.so()(64bit)
    libr_crypto.so()(64bit)
    libr_debug.so()(64bit)
    libr_egg.so()(64bit)
    libr_flag.so()(64bit)
    libr_fs.so()(64bit)
    libr_hash.so()(64bit)
    libr_io.so()(64bit)
    libr_lang.so()(64bit)
    libr_magic.so()(64bit)
    libr_parse.so()(64bit)
    libr_reg.so()(64bit)
    libr_search.so()(64bit)
    libr_socket.so()(64bit)
    libr_syscall.so()(64bit)
    libr_util.so()(64bit)
    libutil.so.1()(64bit)
    rtld(GNU_HASH)



Provides
--------
radare2-debuginfo:
    radare2-debuginfo
    radare2-debuginfo(x86-64)

radare2-devel:
    pkgconfig(r_anal)
    pkgconfig(r_asm)
    pkgconfig(r_bin)
    pkgconfig(r_bp)
    pkgconfig(r_config)
    pkgconfig(r_cons)
    pkgconfig(r_core)
    pkgconfig(r_debug)
    pkgconfig(r_flag)
    pkgconfig(r_fs)
    pkgconfig(r_hash)
    pkgconfig(r_io)
    pkgconfig(r_lang)
    pkgconfig(r_magic)
    pkgconfig(r_parse)
    pkgconfig(r_reg)
    pkgconfig(r_search)
    pkgconfig(r_socket)
    pkgconfig(r_syscall)
    pkgconfig(r_util)
    radare2-devel
    radare2-devel(x86-64)

radare2:
    libr2.so.1.5.0()(64bit)
    libr_anal.so()(64bit)
    libr_asm.so()(64bit)
    libr_bin.so()(64bit)
    libr_bp.so()(64bit)
    libr_config.so()(64bit)
    libr_cons.so()(64bit)
    libr_core.so()(64bit)
    libr_crypto.so()(64bit)
    libr_debug.so()(64bit)
    libr_egg.so()(64bit)
    libr_flag.so()(64bit)
    libr_fs.so()(64bit)
    libr_hash.so()(64bit)
    libr_io.so()(64bit)
    libr_lang.so()(64bit)
    libr_magic.so()(64bit)
    libr_parse.so()(64bit)
    libr_reg.so()(64bit)
    libr_search.so()(64bit)
    libr_socket.so()(64bit)
    libr_syscall.so()(64bit)
    libr_util.so()(64bit)
    radare2
    radare2(x86-64)



Unversioned so-files
--------------------
radare2: /usr/lib64/libr2.so
radare2: /usr/lib64/libr_anal.so
radare2: /usr/lib64/libr_asm.so
radare2: /usr/lib64/libr_bin.so
radare2: /usr/lib64/libr_bp.so
radare2: /usr/lib64/libr_config.so
radare2: /usr/lib64/libr_cons.so
radare2: /usr/lib64/libr_core.so
radare2: /usr/lib64/libr_crypto.so
radare2: /usr/lib64/libr_debug.so
radare2: /usr/lib64/libr_egg.so
radare2: /usr/lib64/libr_flag.so
radare2: /usr/lib64/libr_fs.so
radare2: /usr/lib64/libr_hash.so
radare2: /usr/lib64/libr_io.so
radare2: /usr/lib64/libr_lang.so
radare2: /usr/lib64/libr_magic.so
radare2: /usr/lib64/libr_parse.so
radare2: /usr/lib64/libr_reg.so
radare2: /usr/lib64/libr_search.so
radare2: /usr/lib64/libr_socket.so
radare2: /usr/lib64/libr_syscall.so
radare2: /usr/lib64/libr_util.so
radare2: /usr/lib64/radare2/1.5.0/asm_LM32.so
radare2: /usr/lib64/radare2/1.5.0/asm_propeller.so
radare2: /usr/lib64/radare2/1.5.0/bin_xtr_dyldcache.so
radare2: /usr/lib64/radare2/1.5.0/parse_z80_pseudo.so

Source checksums
----------------
https://github.com/radare/radare2/archive/1.5.0.tar.gz#/radare2-1.5.0.tar.gz :
  CHECKSUM(SHA256) this package     : c6b465cb2f36a206d5e9380c0bcbb4c05ed5cb7995e554703206e0bbdc9c74a1
  CHECKSUM(SHA256) upstream package : c6b465cb2f36a206d5e9380c0bcbb4c05ed5cb7995e554703206e0bbdc9c74a1


Generated by fedora-review 0.6.1 (f03e4e7) last change: 2016-05-02
Command line :/usr/bin/fedora-review -m fedora-rawhide-x86_64 -n radare2
Buildroot used: fedora-rawhide-x86_64
Active plugins: Generic, Shell-api, C/C++, Perl
Disabled plugins: Java, Python, fonts, SugarActivity, Ocaml, Haskell, R, PHP
Disabled flags: EXARCH, DISTTAG, EPEL5, BATCH, EPEL6
Comment 15 Michal Ambroz 2017-08-04 10:48:05 EDT
Radare has custom build which doesn't have 2 links to library, but just one.
For example:
/lib64/libr_core.so -> /lib64/libr_core.so.1.6.0

Radare2 is linked against the /lib64/libr_core.so:
ldd `which radare2`
linux-vdso.so.1 (0x00007ffce9dfb000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007f349242f000)
	libr_core.so => /lib64/libr_core.so (0x00007f34920e1000)
	libr_parse.so => /lib64/libr_parse.so (0x00007f3491e8f000)
...


So it is needed in the binary package in order to run, not just for linking.
Comment 16 Lubomir Rintel 2017-08-30 06:49:45 EDT
*** Bug 1425815 has been marked as a duplicate of this bug. ***
Comment 17 Lubomir Rintel 2017-09-14 08:46:07 EDT
This starts to look well. Sorry for the delays. Let's help get this sorted out. Thanks for your work on this, having radare in the distro would be very nice.

There's a couple of issues remaining, but I think there's a clear way forward. Feel free to ping me on freenode (I'm "lubko", on #nm and #fedora-devel) if anything I suggested below is wrong or unclear, or you need help. That might improve the chances of a speedier response. Also, feel free to reach me with a direct e-mail if this bug needs attention, because the regular bugzilla traffic seems to drown in the loads of bug-mail :(

Are you in touch with upstream? Are they by chance open to making life easier for distro maintainers? I'm asking because they seem to be opinionated about the "right" way to install the software, but that doesn't seem to be too well aligned with what we'd need.

0.) Simple things first:

>>> URL:            http://radare.org/
>>> #URL:           https://github.com/radare/radare2
>>Drop a useless comment please.
>No. I consider it useful when updating the package. While the browser friendly is the radare.org, when updating the package it is more handy the link to github.

That sounds reasonable. Please don't make it masquerade as a commented out URL tag then though. Something like this would look less messy:

  # GitHub project: https://github.com/radare/radare2

>>> Source0:        https://github.com/%{gituser}/%{gitname}/archive/%{commit}/%{name}-%{version}-%{shortcommit}.tar.gz
>>> Source1:        https://github.com/%{gituser}/%{sdbgitname}/archive/%{sdbcommit}/%{sdbgitname}-%{version}-%{sdbshort}.tar.gz
>>This source is not used at all.
>True. Not used for the release packing. Source0 used when packing from git directly (in case of patches preventing build on fedora).

This looks like a general issue here -- you seem to include a lot of cruft that's only useful for snapshot builds:

> %global         gituser         radare
> %global         gitname         radare2
> %global         commit          4b77cb2c36f8c99d09d14ee411e9c5c14b55c609
> %global         shortcommit     %(c=%{commit}; echo ${c:0:7})
...
> #Release:       1.git%{shortcommit}%{?dist}
...
> #Source0:       https://github.com/%{gituser}/%{gitname}/archive/%{commit}/%{name}-%{version}-%{shortcommit}.tar.gz

It arguably harms readability of the SPEC file. Snapshot builds are largely irrelevant to Fedora and I'd prefer if you left that out.

Nevertheless, this seems not to be an exceptional practice, so I don't consider this a review blocker if you insist on leaving it in place.

>>> %build
>>> %configure --with-sysmagic --with-syszip --with-syscapstone
>>You don't enable openssl. Why? (no idea what is it used for)
>Option is in the configure, but it is not working in radare for anything now.
>At least that was answer from Pancake last time I asked about that (see sys/*.sh for the recommended build path - doesn't contain this option).

Fair enough. I'm wondering if you add a comment explaining how do you determine the right configure arguments?

>Radare has custom build which doesn't have 2 links to library, but just one.
>For example:
>/lib64/libr_core.so -> /lib64/libr_core.so.1.6.0
>
>Radare2 is linked against the /lib64/libr_core.so:
>ldd `which radare2`
>linux-vdso.so.1 (0x00007ffce9dfb000)
>       libdl.so.2 => /lib64/libdl.so.2 (0x00007f349242f000)
>       libr_core.so => /lib64/libr_core.so (0x00007f34920e1000)
>       libr_parse.so => /lib64/libr_parse.so (0x00007f3491e8f000)
>...
>
> So it is needed in the binary package in order to run, not just for linking.

This is clearly a bug. Their SONAME is wrong:

> [lkundrak@belphegor SPECS]$ readelf -a /usr/lib64/libr_core.so.1.4.0 |grep SONAME
>  0x000000000000000e (SONAME)             Library soname: [libr_core.so]
> [lkundrak@belphegor SPECS]$

It should be libr_core.so.1.4.0, not libr_core.so. This is a review blocker since, apart from the proper slit of the -devel package, the SONAME is used for generating the package dependencies and ensuring packages built against incompatible version won't run (and, presumably, crash encountering undefined behavior) against the wrong library. (I can help with a fix if needed.)

1.) Now onto the difficult stuff, which arguably is the overabundance of bundling:

1.1.) The License tag:

>> Changed to GPLv3+ due to its viral nature, although majority of the package is > meant to be licensed LGPL.
>
>I think you need to list all licenses:
>https://fedoraproject.org/wiki/Packaging:LicensingGuidelines#Multiple_Licensing_Scenarios

Yes. The safest thing to do here is to just include the list of licences joined with an AND.

That said, I believe you don't need to include all variants of GPL and LGPL since in general later versions of them are not compatible with the previous thus the "or later" clauses turn then into the later ones. (It seems to be that wherever you say "GPL" and "LGPL" you actually mean "GPL+" and "LGPL+" otherwise it wouldn't make much sense.) Also, in practical terms, "GPLv2+" in "GPLv2+ and ASL2.0" and "GPLv2+ and LGPLv3+" is in fact equivalent to "GPLv3+", since LGPLv3 and ASL2.0 are not compatible with previous versions of GPL, but it's prehaps better to specify the actual licenses as specified in the source files. Thus:

  License: GPLv2+ and LGPLv3+ and BSD and MIT and ASL2.0 and MPL2.0

would work. The comment about the details is useful.

In any case, the License tag is not legally binding. It's somewhat okay to err here (meaning: if someone finds a problem, then it's just a bug to be fixed), especially on the side of caution, as long as the actual licenses permit redistribution and inclusion in Fedora, which seems to be the case.

1.2.) Bundling Javascript

First thing: shipping pre-built "minified" files is a huge no-no. It is no longer free software since it strips the user of the freedom to do their modifications (in what GPL refers to as "preferred form") and thus is not appropriate for Fedora. Here's the list of "minified" components I've found in the source:

DataTables 1.10.13
FileSaver.js snapshot
JointJS 0.9.7
JointJS 1.0.3
jQuery 2.0.3
jQuery 2.2.4
jquery.layout 1.3.0.rc30.79
jquery.onoff 0.3.6
jquery.scrollTo.min.js 2.1.2
jQuery UI 1.11.4
jQuery UI context menu plugin 1.11.0
jQuery UI v1.10.3
lodash 3.10.1
material-design-lite 1.1.3
mdl-selectfield.min.css unknown
backbone-min.js unknown
Underscore.js 1.8.3

Needless to say, this is a huge mess. There's old and redundant versions of various libraries present there. It's not clear to me how to fix that. Here's what I find to be a good plan on how to proceed:

* If the up-to-date versions of the libraries are good enough, they should be replaced with Fedora packages. This is how it's typically done for jQuery.
* If a particular version is required, the minified version should be replaced with a pristine non-minified copy in the source package. If minification is desired, then it should be done as a part of the build process. This then requires the bundling exceptions, but I think they could be justified here.

The latter can be done either by you (start with "find -name '*[-.]min.*' -delete" in %prep and then replace the files from %{SOURCEx}s) or, better, by upstream. I highly suggest you talk to the upstream -- if you convince them to improve the track of their third party js libraries so that it's always clear how and where to get their sources from it would be a huge improvement.

Until this is done, you can drop the web frontend from the package.

2.2.) Bundling of C libraries

Upstream seems to have their opinion about the bundling. Let's assume they understand the implications and we need to proceed with it. The guidelines currently allow that:

https://fedoraproject.org/wiki/Bundled_Software_policy

The first step here would be to audit the bundled libraries and add the Provides:

https://fedoraproject.org/wiki/Bundled_Libraries?rd=Packaging:Bundled_Libraries#Requirement_if_you_bundle

If there's a known reason for bundling, it would be nice to have a Provide line accompanied with a comment explaining the rationale for bundling.
Comment 18 Lubomir Rintel 2017-09-14 08:47:39 EDT
Also, please drop the last %changelog message. tito is arguably something different from this package.
Comment 19 Peter Lemenkov 2017-10-04 08:09:01 EDT
(In reply to Lubomir Rintel from comment #17)

> 1.2.) Bundling Javascript
> 
> First thing: shipping pre-built "minified" files is a huge no-no. It is no
> longer free software since it strips the user of the freedom to do their
> modifications (in what GPL refers to as "preferred form") and thus is not
> appropriate for Fedora. Here's the list of "minified" components I've found
> in the source:
> 
> DataTables 1.10.13
> FileSaver.js snapshot
> JointJS 0.9.7
> JointJS 1.0.3
> jQuery 2.0.3
> jQuery 2.2.4
> jquery.layout 1.3.0.rc30.79
> jquery.onoff 0.3.6
> jquery.scrollTo.min.js 2.1.2
> jQuery UI 1.11.4
> jQuery UI context menu plugin 1.11.0
> jQuery UI v1.10.3
> lodash 3.10.1
> material-design-lite 1.1.3
> mdl-selectfield.min.css unknown
> backbone-min.js unknown
> Underscore.js 1.8.3
> 
> Needless to say, this is a huge mess. There's old and redundant versions of
> various libraries present there. It's not clear to me how to fix that.
> Here's what I find to be a good plan on how to proceed:

Frankly speaking we have lots of examples where we allow bundling like that (or mislooked previously). I also must admit I am guilty as well.

So I wouldn't consider this as a huge blocker really. Still if it can be unbundled in a foreseeable time, I can only support that. If it blocks inclusion of radare2 for few months more - I'd allow it (with promise from maintainer to fix it in a some next build).
Comment 20 Till Maas 2017-10-23 11:53:02 EDT
*** Bug 1450572 has been marked as a duplicate of this bug. ***
Comment 21 Lubomir Rintel 2017-10-31 11:49:18 EDT
Ping?

(In reply to Peter Lemenkov from comment #19)

> So I wouldn't consider this as a huge blocker really. Still if it can be
> unbundled in a foreseeable time, I can only support that. If it blocks
> inclusion of radare2 for few months more - I'd allow it (with promise from
> maintainer to fix it in a some next build).

Yes. Bundling in general is not a blocker. Minifications, on the other hand, certainly is.
Comment 22 Michal Ambroz 2017-11-14 22:48:44 EST
Bump to release 2.0.1
https://rebus.fedorapeople.org/SPECS/radare2.spec
https://rebus.fedorapeople.org/SRPMS/radare2-2.0.1-1.fc25.src.rpm

I have addressed some of the your findings (comments, license, changelog), but there is still more work to do on the area of minified JS code.

The bundled JS libraries are not the core of the package functionality. These are various templates to generated beautified reports out of the binary code. I do not even know how to generate some of these in order to test the modified functionality. I understand the reasons, simply I need some more time for that.


> This is clearly a bug. Their SONAME is wrong:
I would not call it bug. It is just not the double linking as you would expect.

You expect that there would be (compare for example with libzip.so.4.0.0):
libr_reg.so.2.0.1 with soname libr_reg.so.2
libr_reg.so.2 link pointing to libr_reg.so.2.0.1
and libr_reg.so in devel package pointing to libr_reg.so.2.0.1

While they have:
libr_reg.so.2.0.1 with soname libr_reg.so
libr_reg.so link pointing to libr_reg.so.2.0.1

The structure is the same, just one level shallower. They use the same link for pointing to the library for runtime and for devel. The usual structure allows changing devel link while keeping the runtime link operational with old version.
So you could be having trouble compiling new radare package on a machine where already is old one (not something we would need in fedora).

We can think of changing that in future, but right now I do not know how to do that without breaking the stuff.


> Also, please drop the last %changelog message. 
> tito is arguably something different from this package.
Changing "tito" to "radare2" - originally I thought it is refering to some nickname.
The line came from the original radare2.spec from the project (and was presumably created for the project by Pavel Odvody) so I would not like to just drop it. He deserves credit as well.

Best regards
Michal Ambroz
Comment 23 Lubomir Rintel 2017-11-23 08:01:52 EST
(In reply to Michal Ambroz from comment #22)
>Bump to release 2.0.1
>https://rebus.fedorapeople.org/SPECS/radare2.spec
>https://rebus.fedorapeople.org/SRPMS/radare2-2.0.1-1.fc25.src.rpm
>
>I have addressed some of the your findings (comments, license, changelog), but there is still more work to do on the area of minified JS code.

Thank you. This indeed looks better.

>The bundled JS libraries are not the core of the package functionality. These are various templates to generated beautified reports out of the binary code. I do not even know how to generate some of these in order to test the modified functionality. I understand the reasons, simply I need some more time for that.

As I mentioned earlier, one option is to drop the affected functionality.

I've said above that fixing this almost certainly needs upstream to take action. If you haven't talking to them about the way they track their third party bundles please do so.

>> This is clearly a bug. Their SONAME is wrong:
>I would not call it bug. It is just not the double linking as you would expect.
>
>You expect that there would be (compare for example with libzip.so.4.0.0):
>libr_reg.so.2.0.1 with soname libr_reg.so.2
>libr_reg.so.2 link pointing to libr_reg.so.2.0.1
>and libr_reg.so in devel package pointing to libr_reg.so.2.0.1
>
>While they have:
>libr_reg.so.2.0.1 with soname libr_reg.so
>libr_reg.so link pointing to libr_reg.so.2.0.1
>
>The structure is the same, just one level shallower. They use the same link for pointing to the library for runtime and for devel. The usual structure allows changing devel link while keeping the runtime link operational with old version.
>So you could be having trouble compiling new radare package on a machine where already is old one (not something we would need in fedora).
>
>We can think of changing that in future, but right now I do not know how to do that without breaking the stuff.

Is this an upstream opinion? Did they actually do this on purpose? My guess is not.

To clarify, this absolutely needs fixing before the package can be imported. Unless the ABI is kept stable (I presume it is not. But even if it were this is still utterly useless) neither should be the SONAME and such .so files should under no circumstances appear in libdir or in RPM's provides (otherwise, things would link to it and inevitably break which is a huge no-no).

>> Also, please drop the last %changelog message.
>> tito is arguably something different from this package.
>Changing "tito" to "radare2" - originally I thought it is refering to some nickname.
>The line came from the original radare2.spec from the project (and was presumably created for the project by Pavel Odvody) so I would not like to just drop it. He deserves credit as well.

Well I'm probably just nitpicking here, but that %changelog entry doesn't reflect reality (perhaps Pavel would be surprised to learn that he did an initial radare2 package?). A comment ("# based on tito package by ...") might be a better way to credit the original author if his contributions are significant.

There's also unanswered stuff from the last review:

(In reply to Lubomir Rintel from comment #17)
>>>> %build
>>>> %configure --with-sysmagic --with-syszip --with-syscapstone
>>>You don't enable openssl. Why? (no idea what is it used for)
>>Option is in the configure, but it is not working in radare for anything now.
>>At least that was answer from Pancake last time I asked about that (see sys/*.sh for the recommended build path - doesn't contain this option).
>
>Fair enough. I'm wondering if you add a comment explaining how do you determine the right configure arguments?

This still requires action.

>2.2.) Bundling of C libraries

This is still a problem (perhaps rather easy) that needs to be addressed; in particular the "provides" tags.

With the time slow turnaround time this review has I find it difficult to keep track. What's a good way to track the unresolved issues? Should we start an Etherpad?

In any case, a word on two on each of the items would ensure me you're not ignoring them and they're not getting forgotten.

Thanks,
Lubo
Comment 24 Lubomir Rintel 2018-01-05 04:36:27 EST
Hello? Is this review still alive?
Comment 25 Lubomir Rintel 2018-01-23 06:14:54 EST
Closing this, hopefully someone else will package this.

It's been already FE-DEADREVIEW before, this doesn't seem to be progressing and submitter is not responding.
Comment 26 Michal Ambroz 2018-02-05 16:32:34 EST
Sorry it is complex package and I have only limited time. 

I doubt anyone else here is having any motivation to continue with the package.
If anyone feels like doing the packaging better - feel free to close this review and package radare2 better ... or just continue with the effort here as I would welcome co-maintainer. Until that time I would rather keep the review open to not waste the efforts you already did for the review and have a picture on what needs to be fixed.


https://github.com/shaded-enmity/r2-ropstats
Comment 27 Michal Ambroz 2018-02-06 00:03:57 EST
Bump to release 2.3.0
https://rebus.fedorapeople.org/SPECS/radare2.spec
https://rebus.fedorapeople.org/SRPMS/radare2-2.3.0-1.fc27.src.rpm

> As I mentioned earlier, one option is to drop the affected functionality.
OK dropped the webui for now.

> Is this an upstream opinion? Did they actually do this on purpose? My guess is not.
> To clarify, this absolutely needs fixing before the package can be imported.
This is the upstream default behaviour. There is actually undocumented HAVE_LIBVERSION=1 option which makes the linking of the binaries point to versioned so libraries. I believe this should be acceptable for you.
I got it checking the Debian package ... but then I found you actually had it in your spec file as well.

> Well I'm probably just nitpicking here, but that %changelog entry doesn't 
> reflect reality (perhaps Pavel would be surprised to learn that he did an 
> initial radare2 package?).
Yes I consider this nitpicking.
Here is the upstream commit of the line directly by Pavel Odvody - https://github.com/radare/radare2/commit/3640a0481c1ba8b40a40eda6834ac02d51475267
I originally thought tito was his other nick-name. Now I guess he re-used tito spec-file and possibly forgot to replace "tito" with "radare2" in the changelog.

>This still requires action.
I have added a comment.
I consider this nitpicking as well ... have not seen SPEC file where it would be described which options were not used and why.

>>2.2.) Bundling of C libraries
> This is still a problem (perhaps rather easy) that needs to be addressed; 
> in particular the "provides" tags.
I have added "provides" tag for some of the libraries I found bundled.
I do not consider this as finished, because it remains to pinpoint the versions used.

Best regards
Michal Ambroz
Comment 30 Anton Kochkov 2018-05-19 07:35:10 EDT
Please note, that new radare2 release will happen in a few days: https://github.com/radare/radare2/milestones

There will be a lot of improvements and fixes since the 2.5.0. Please target this release for inclusion.

If there are should be fixes in the mainstream regarding Fedora guidelines/best practices - please write as soon as possible (better to open a GitHub issue and link it there though).
Comment 31 Anton Kochkov 2018-05-21 23:34:06 EDT
2.6.0 was released yesterday https://github.com/radare/radare2/releases/tag/2.6.0
Comment 32 Anton Kochkov 2018-05-29 03:10:00 EDT
Please provide the feedback so we can try to target all issues with radare2 code before 2.7.0 for a smooth packaging.
Comment 33 Michal Ambroz 2018-06-08 21:19:34 EDT
Hello Anton,
thanks for the offer. The situation seems indeed bit more difficult for me as packager to solve alone. Most of the patchable changes I was already able to push upstream to you guys. What remains are probably things which work well for you and are not politically correct for Fedora.

You as Radare authors want it to make it as simple as possible for the users to download and compile from github ... which means some things are already bundled in to make it easy. I do not blame you for that.

The paradigm of Fedora is to have everything as modular as possible - so if there is library for regular expressions, it should be in the system only once as a library package and all other application should be only dynamically linking to it. As long as the API is the same, it should be possible to independently patch and update single library.

Here are notes from the spec file on what has been already removed:
Removed from the final package because of the presence of minified JS and
absence of the source JS - this should be packaged with radare2-webui
 shlr/www/m - Apache-2.0
 shlr/www/enyo/vendors/jquery-ui.min.js - GPL + MIT
 shlr/www/enyo/vendors/jquery.layout-latest.min.js - GPL + MIT
 shlr/www/enyo/vendors/jquery.scrollTo.min.js - MIT
 shlr/www/enyo/vendors/lodash.min.js - lodash license
 shlr/www/enyo/vendors/joint.* - Mozilla MPL 2.0
 shlr/www/enyo/vendors/jquery.min.js - Aplache License version 2.0
 shlr/www/p/vendors/jquery* - GPL + MIT
 shlr/www/p/vendors/dagre*|graphlib* - 3 clause BSD
 shlr/www/p/vendors/jquery.onoff.min.js - MIT

Some embedded libraries I was able to identify sofar:
 shlr/grub/grubfs.c - LGPL
 shlr/java - Apache 2.0
 shlr/sdb/src - MIT
 shlr/spp - MIT
 shlr/squashfs/src - GPLv2+
 shlr/tcc - LGPLv2+
 shlr/udis86 - 2 clause BSD
 shlr/wind - LGPL v3+
 shlr/spp - MIT
 shlr/zip/zlib - 3 clause BSD (system installed sared zlib is used instead)
 regular expressions library from BSD
 js0n library
 lz4
 binutils
 vavrdisasm
 

Sometimes it is not really clear how the library got to radare and what are the modifications to its code comparing to the upstream.
For some of these it would be possible to use some dynamic library - like for the regular expressions or json.

Personally I do not think there is much of things which shuold stand in a way to radare2 to be accepted as a package for Fedora, but of course I am probably biased as someone who already spent so much time with packaging and maintaining it for Fedora.
Comment 34 Michal Ambroz 2018-06-08 21:44:02 EDT
Hello Anton,
I have just tried to re-package version 2.6.0 and actually there are some 2 new issues. Compilations ends with:
make[2]: Entering directory '/home/mambroz/rpmbuild/BUILD/radare2-2.6.0/libr'
gcc -fvisibility=hidden  -shared -dynamiclib -o libr.so  \
	.libr/*.o \
	../shlr/gdb/lib/libgdbr.a ../shlr/java/libr_java.a \
	../shlr/zip/librz.a \
	../shlr/libr_shlr.a ../shlr/ar/libr_ar.a ../shlr/grub/libgrubfs.a ../shlr/windbg/libr_windbg.a ../shlr/qnx/lib/libqnxr.a ../shlr/bochs/lib/libbochs.a\
	../shlr/capstone/libcapstone.a
gcc: error: ../shlr/zip/librz.a: No such file or directory
gcc: error: ../shlr/capstone/libcapstone.a: No such file or directory


1) Seems that the build script partially ignore the "--with-syscapstone" and during the build of libr are trying to link some locally compiled libcapstone.

2) ../shlr/zip/librz.a is missing as well ... quite possibly some partial ignoring of the option --with-syszip

I will raise issues for that on github.
Michal Ambroz
Comment 35 Michal Ambroz 2018-06-08 22:53:28 EDT
Both capstone and librz have been fixed on the way to current git snapshot.

But linking of radare2 is failing right now ... seems that the third option "--with-sysmagic" to use the system installed magic library is causing some issues as well.

gcc -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -I/usr/include -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -I/usr/include -MD   -fPIC -g -Wall -D__UNIX__=1 -pie -I/home/mambroz/rpmbuild/BUILD/radare2-555e88a1a4017a91ffb8bc0c4f68f998c8905291/libr/..//libr/include radare2.o -L.. -o radare2 -Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -ldl    -L/home/mambroz/rpmbuild/BUILD/radare2-555e88a1a4017a91ffb8bc0c4f68f998c8905291/libr/core -L/home/mambroz/rpmbuild/BUILD/radare2-555e88a1a4017a91ffb8bc0c4f68f998c8905291/libr/parse -L/home/mambroz/rpmbuild/BUILD/radare2-555e88a1a4017a91ffb8bc0c4f68f998c8905291/libr/search -L/home/mambroz/rpmbuild/BUILD/radare2-555e88a1a4017a91ffb8bc0c4f68f998c8905291/libr/cons -L/home/mambroz/rpmbuild/BUILD/radare2-555e88a1a4017a91ffb8bc0c4f68f998c8905291/libr/config -L/home/mambroz/rpmbuild/BUILD/radare2-555e88a1a4017a91ffb8bc0c4f68f998c8905291/libr/bin -L/home/mambroz/rpmbuild/BUILD/radare2-555e88a1a4017a91ffb8bc0c4f68f998c8905291/libr/debug -L/home/mambroz/rpmbuild/BUILD/radare2-555e88a1a4017a91ffb8bc0c4f68f998c8905291/libr/anal -L/home/mambroz/rpmbuild/BUILD/radare2-555e88a1a4017a91ffb8bc0c4f68f998c8905291/libr/reg -L/home/mambroz/rpmbuild/BUILD/radare2-555e88a1a4017a91ffb8bc0c4f68f998c8905291/libr/bp -L/home/mambroz/rpmbuild/BUILD/radare2-555e88a1a4017a91ffb8bc0c4f68f998c8905291/libr/io -L/home/mambroz/rpmbuild/BUILD/radare2-555e88a1a4017a91ffb8bc0c4f68f998c8905291/libr/fs -L/home/mambroz/rpmbuild/BUILD/radare2-555e88a1a4017a91ffb8bc0c4f68f998c8905291/libr/lang -L/home/mambroz/rpmbuild/BUILD/radare2-555e88a1a4017a91ffb8bc0c4f68f998c8905291/libr/asm -L/home/mambroz/rpmbuild/BUILD/radare2-555e88a1a4017a91ffb8bc0c4f68f998c8905291/libr/syscall -L/home/mambroz/rpmbuild/BUILD/radare2-555e88a1a4017a91ffb8bc0c4f68f998c8905291/libr/hash -L/home/mambroz/rpmbuild/BUILD/radare2-555e88a1a4017a91ffb8bc0c4f68f998c8905291/libr/magic -L/home/mambroz/rpmbuild/BUILD/radare2-555e88a1a4017a91ffb8bc0c4f68f998c8905291/libr/socket -L/home/mambroz/rpmbuild/BUILD/radare2-555e88a1a4017a91ffb8bc0c4f68f998c8905291/libr/flag -L/home/mambroz/rpmbuild/BUILD/radare2-555e88a1a4017a91ffb8bc0c4f68f998c8905291/libr/egg -L/home/mambroz/rpmbuild/BUILD/radare2-555e88a1a4017a91ffb8bc0c4f68f998c8905291/libr/crypto -L/home/mambroz/rpmbuild/BUILD/radare2-555e88a1a4017a91ffb8bc0c4f68f998c8905291/libr/util -lr_core -lr_parse -lr_search -lr_cons -lr_config -lr_bin -lr_debug -lr_anal -lr_reg -lr_bp -lr_io -lr_fs -lr_lang -lr_asm -lr_syscall -lr_hash -lr_magic -lr_socket -lr_flag -lr_egg -lr_crypto -lr_util -fPIC -lz -lzip -lz -lzip /home/mambroz/rpmbuild/BUILD/radare2-555e88a1a4017a91ffb8bc0c4f68f998c8905291/libr/..//shlr/gdb/lib/libgdbr.a /home/mambroz/rpmbuild/BUILD/radare2-555e88a1a4017a91ffb8bc0c4f68f998c8905291/libr/..//shlr/java/libr_java.a /home/mambroz/rpmbuild/BUILD/radare2-555e88a1a4017a91ffb8bc0c4f68f998c8905291/libr/..//shlr/bochs/lib/libbochs.a /home/mambroz/rpmbuild/BUILD/radare2-555e88a1a4017a91ffb8bc0c4f68f998c8905291/libr/..//shlr/qnx/lib/libqnxr.a /home/mambroz/rpmbuild/BUILD/radare2-555e88a1a4017a91ffb8bc0c4f68f998c8905291/libr/..//shlr/ar/libr_ar.a -lpthread -lutil -lutil
radare2.o:(.data+0xe8): undefined reference to `r_magic_version'
collect2: error: ld returned 1 exit status

Michal Ambroz
Comment 36 Michal Ambroz 2018-06-08 23:07:21 EDT
https://github.com/radare/radare2/issues/10300
Comment 37 Anton Kochkov 2018-06-12 00:25:57 EDT
That bug was fixed.

Speaking about embedded libraries.

shlw/www - can be killed, not really required for the packaging

shlr/wind - is the library used only radare2, written by radare2 developers, so no separation is required here.

shlr/java - same, written by radare2 developers, used only in radare2 itself, cannot be separated.

shlr/tcc - while based on TCC code it is heavily patched to not generate the machine code and switch between different type modes dynamically. Thus cannot be separated at all.

shlr/spp is https://github.com/radare/spp

shlr/sdb is https://github.com/radare/sdb

shlr/udis86 is basically udis86, yes, external library.
Comment 38 Anton Kochkov 2018-06-24 03:15:14 EDT
So, is there any other help or information needed? What can we do to get 2.7.0 release (will be carved in a couple weeks) in Fedora?
Comment 39 Anton Kochkov 2018-07-03 05:36:03 EDT
2.6.9 was released as an intermediate release, can you please check how it plays out with packaging? So we will be able to fix issues if any before the 2.7.0.
Comment 40 Riccardo Schirone 2018-07-06 03:25:23 EDT
Hi Anton,

As you know from upstream bugtracker, I'm trying to make r2 meson build work as expected on linux. Right now there are some installation problems with that. And as part of that, I'm also trying to allow capstone/lz4/zip/magic to be specified as system dependencies.

I'll write here updates about this.
Comment 41 Riccardo Schirone 2018-07-18 11:07:45 EDT
I'd like to bring the packaging forward with Michal Ambroz's help, if he wants. As already said in a previous message, I've pushed some commits upstream to make the meson build as good as the acr+configure+make one. I've read it would make review easier and I also prefer meson build compared to acr ones, because it is much clearer what is built and how.

I will post soon a modified version of my radare2.spec, based on the one done by Michal so far, which uses meson.

By the way, I think we should ask for an exception about bundled libraries, because capstone-devel as provided by Fedora is 3.0.4 (latest stable release, which is however 3 years old and doesn't have a lot of fixes). To make radare2 works well we need capstone from next branch, unfortunately.
Comment 42 Elliott Sales de Andrade 2018-07-18 21:09:24 EDT
3.0.5? It was released today; no need for bundling. Just ping the maintainer about it.
Comment 43 Anton Kochkov 2018-07-18 22:36:14 EDT
(In reply to Elliott Sales de Andrade from comment #42)
> 3.0.5? It was released today; no need for bundling. Just ping the maintainer
> about it.

Problem is that 3.0.5 is a release of a "stable" branch, which is not the one required for radare2. There is also a "next" branch with more architectures and instructions support. It will be released as a 4.0 version, which is awaited for years. Having an updated disassembly engine is vital. Let me illustrate it by example. x86 platform has a variable instruction size, thus if we decoded some instruction wrongly the rest of disassembly (at least for some period, like 10-40 instructions) will be totally wrong. There was a recent bug in latest Fedora, where compiler started function prelude with "endbr64" instruction, which wasn't recognized by capstone at all, thus leading to the wrong disassembly and fail to analyze function boundaries and creating one. Because this is the "main()" function it completely broke further function analysis too. Just because of one instruction https://github.com/radare/radare2/issues/10113

r2 fedora28_bin_ls 
 -- Welcome to IDA 10.0.
[0x000058b0]> s main
[0x00003e50]> pd 50
            ;-- main:
            0x00003e50      f3             invalid
            0x00003e51      0f             invalid
            0x00003e52      1e             invalid
            0x00003e53      fa             cli
            0x00003e54      4157           push r15
            0x00003e56      4156           push r14
            0x00003e58      4155           push r13
            0x00003e5a      4154           push r12
            0x00003e5c      55             push rbp

There were recently fixes for Intel MPX instructions as well in the capstone "next" branch. If you want to track the mainstream progress on it - check the issue https://github.com/aquynh/capstone/issues/1096
Comment 44 Riccardo Schirone 2018-07-19 11:21:42 EDT
SPEC URL: https://github.com/ret2libc/radare2/blob/spec-file/radare2.spec

This is a new SPEC file I've created, based on the work done in this bug.
I've tried to address some of the comments made. In particular:
- fixed some typos
- set version of bundled packages
- switched to meson build
- split zip/lzip
- removed inappropriate fortunes

Some things to note about radare2 which may be important for the review:
- it reimplement some crypto/hash algo (e.g. md4, md5, sha*, aes, and maybe others)
- though I'm currently using sys capstone, we probably need an exception to bundle a more updated version of it (see comments above)
- pancake(radare2's author) is double checking whether sdb-generated files are arch independent. If they are, I will extract them in separate repo.

I'd really appreciate a review of this spec file and I will work on the comments to improve it.
Comment 45 Riccardo Schirone 2018-07-20 02:30:37 EDT
By the way, the author has confirmed that all those sdb files are arch independent, thus I will probably be able to move all those files in a separate noarch subpackage.
Comment 46 Anton Kochkov 2018-08-04 08:36:33 EDT
So, any updates on it? In two days 2.8.0 will be released. It will be really cool to finally have it in the Fedora package manager.

Note You need to log in before you can comment on or make changes to this bug.