Spec URL: https://pagure.io/package-review-honggfuzz/raw/master/f/honggfuzz.spec
SRPM URL: https://pagure.io/package-review-honggfuzz/raw/master/f/honggfuzz-0.7-1.20160824gitacd1cdb.fc23.src.rpm
Description: A general-purpose, easy-to-use fuzzer with interesting analysis options
Fedora Account System Username: mildew
I am taking this review. Upstream already released version 0.8, would you consider bumping the version, so we won't need to have a git specific version of the package?
Thanks! I'll update the spec and srpm links.
Spec URL: https://pagure.io/package-review-honggfuzz/raw/master/f/honggfuzz.spec
SRPM URL: https://pagure.io/package-review-honggfuzz/raw/master/f/honggfuzz-0.8-1.20161101git7ba1010.fc24.src.rpm
Description: A general-purpose, easy-to-use fuzzer with interesting analysis options
Fedora Account System Username: mildew

Rawhide scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=16268910
Copr builds: https://copr.fedorainfracloud.org/coprs/mildew/sandbox/package/honggfuzz/
Is there any specific reason to get it from the latest commit instead of just packaging the latest release?
Well, the reason is to review the latest version of the project. There are ~160 commits since the 0.8 release.

Is it a problem to review a snapshot package? The NVR guidelines are here:

https://fedoraproject.org/wiki/Packaging:Versioning#Snapshot_packages

(In reply to Daniel Kopeček from comment #6)
> Well, the reason is to review the latest version of the project. There are
> ~160 commits since 0.8 release.
>
> Is it a problem to review a snapshot package? The NVR guidelines are here:
>
> https://fedoraproject.org/wiki/Packaging:Versioning#Snapshot_packages

Not really, I was just curious, since there's no specific reason for not waiting for upstream to come up with a new release. I think this is up to the packager anyway.

The sources contain a third_party directory, which contains:

/third_party/android/libBlocksRuntime
  a lib from AOSP compiler-rt in [1], with the license in [2]

/third_party/mac/*
  .o files

Can you comment on both?

[1] https://android.googlesource.com/platform/external/compiler-rt
[2] https://android.googlesource.com/platform/external/compiler-rt/+/master/LICENSE.TXT

rpmlint raises this error:

honggfuzz-debuginfo.x86_64: E: debuginfo-without-sources

That could be fixed in the Makefile. Can you comment on this one as well?

(In reply to Athos Ribeiro from comment #8)
> The sources contain a thirdparty directory, which contains:
> /third_party/android/libBlocksRuntime
> a lib from AOSP compiler-rt in [1], with the license in [2]
>
> /third_party/mac/*
> .o files
>
> Can you comment on both?

These third-party files are removed before build:

    %build
    rm -rf third_party/

> rpmlint raises this error:
>
> honggfuzz-debuginfo.x86_64: E: debuginfo-without-sources
>
> That could be fixed in Makefile. Can you comment on this one as well?

Fixed by defining the DEBUG=true environment variable during the build phase.
Spec URL: https://pagure.io/package-review-honggfuzz/raw/master/f/honggfuzz.spec
SRPM URL: https://pagure.io/package-review-honggfuzz/raw/master/f/honggfuzz-0.8-2.20161101git7ba1010.fc24.src.rpm

Hi Daniel,

The -debuginfo subpackage looks good now.

Removing the third_party directory is enough for the compiler-rt library, as we can see in [1], since it is licensed under the MIT License.

I was in doubt about the .o files, so I did some research here: I am aware of [2], as you pointed out, and it is also worth saying that you are supposed to "Ask upstream to remove the binaries in their next release." (that is pointed out as a 'must' in [2]).

The .o files (see [3]) are part of Apple's CrashWrangler, which can be downloaded in [4]. I downloaded the sources to check the license for those files and the only license text we have is in the project's README.txt [5], which reads: "Aside from CrashReport_*.o, which contain proprietary code for creating crash logs"...

In this case, I believe the .o files in question contain proprietary software and should not be included, even in the tarball. Would you generate a new tarball, as pointed out in [6]?

Other than that the package seems good to me and, provided the new tarball, I believe the review would be done. It would also be nice to ask upstream to remove the .o files from the sources, since I am not even sure if they can be redistributed at all.

[1] https://fedoraproject.org/wiki/Bundled_Libraries?rd=Packaging:Bundled_Libraries#Treatment_of_Bundled_Libraries
[2] https://fedoraproject.org/wiki/Packaging:Guidelines#No_inclusion_of_pre-built_binaries_or_libraries
[3] https://github.com/google/honggfuzz/tree/master/third_party/mac
[4] https://developer.apple.com/library/content/technotes/tn2334/_index.html
[5] http://paste.fedoraproject.org/468199/10519214/
[6] https://fedoraproject.org/wiki/Packaging:SourceURL#When_Upstream_uses_Prohibited_Code
Here is the fedora-review checklist

Package Review
==============

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated

===== MUST items =====

C/C++:
[x]: Package does not contain kernel modules.
[x]: Package contains no static executables.
[x]: Header files in -devel subpackage, if present.
[x]: Package does not contain any libtool archives (.la)
[x]: Rpath absent or only used for internal libs.

Generic:
[x]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[x]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses
     found: "Apache (v2.0)", "Unknown or generated", "Apache (v2.0) BSD (3
     clause)", "*No copyright* Apache
     (v2.0(httpwww.apache.org/licenses/LICENSE-2.0))", "*No copyright*
     MIT/X11 (BSD like)", "*No copyright* Apache (v2.0)". 21 files have
     unknown license. Detailed output of licensecheck in
     /home/athos/fedora/package-reviews/1370064-honggfuzz/licensecheck.txt
[x]: License file installed when any subpackage combination is installed.
[x]: %build honors applicable compiler flags or justifies otherwise.
[x]: Package contains no bundled libraries without FPC exception.
[x]: Changelog in prescribed format.
[!]: Sources contain only permissible code or content.
[-]: Package contains desktop file if it is a GUI application.
[-]: Development files must be in a -devel package
[x]: Package uses nothing in %doc for runtime.
[x]: Package consistently uses macros (instead of hard-coded directory
     names).
[x]: Package is named according to the Package Naming Guidelines.
[x]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[x]: Requires correct, justified where necessary.
[x]: Spec file is legible and written in American English.
[-]: Package contains systemd file(s) if in need.
[x]: Useful -debuginfo package or justification otherwise.
[x]: Package is not known to require an ExcludeArch tag.
[-]: Large documentation must go in a -doc subpackage. Large could be size
     (~1MB) or number of files.
     Note: Documentation size is 51200 bytes in 8 files.
[x]: Package complies to the Packaging Guidelines
[x]: Package successfully compiles and builds into binary rpms on at least
     one supported primary architecture.
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: If (and only if) the source package includes the text of the
     license(s) in its own file, then that file, containing the text of the
     license(s) for the package is included in %license.
[x]: Package requires other packages for directories it uses.
[x]: Package must own all directories that it creates.
[x]: Package does not own files or directories owned by other packages.
[x]: All build dependencies are listed in BuildRequires, except for any
     that are listed in the exceptions section of Packaging Guidelines.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Dist tag is present.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package use %makeinstall only when make install DESTDIR=... doesn't
     work.
[x]: Package is named using only allowed ASCII characters.
[x]: Package does not use a name that already exists.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as
     provided in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Packages must not store files under /srv, /opt or /usr/local

===== SHOULD items =====

Generic:
[-]: If the source package does not include license text(s) as a separate
     file from upstream, the packager SHOULD query upstream to include it.
[x]: Final provides and requires are sane (see attachments).
[-]: Fully versioned dependency in subpackages if applicable.
     Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in
     honggfuzz-debuginfo
[x]: Package functions as described.
[x]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[-]: Description and summary sections in the package spec file contains
     translations for supported Non-English languages, if available.
[x]: Package should compile and build into binary rpms on all supported
     architectures.
[-]: %check is present and all tests pass.
[x]: Packages should try to preserve timestamps of original installed
     files.
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: Sources can be downloaded from URI in Source: tag
[x]: SourceX is a working URL.
[x]: Spec use %global instead of %define unless justified.

===== EXTRA items =====

Generic:
[x]: Rpmlint is run on debuginfo package(s).
     Note: No rpmlint messages.
[x]: Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).
[x]: Large data in /usr/share should live in a noarch subpackage if package
     is arched.
[x]: Spec file according to URL is the same as in SRPM.
Rpmlint
-------
Checking: honggfuzz-0.8-2.20161101git7ba1010.fc26.x86_64.rpm
          honggfuzz-debuginfo-0.8-2.20161101git7ba1010.fc26.x86_64.rpm
          honggfuzz-0.8-2.20161101git7ba1010.fc26.src.rpm
honggfuzz.x86_64: W: spelling-error Summary(en_US) fuzzer -> fuzzier, fuzzes, fuzzed
honggfuzz.x86_64: W: spelling-error %description -l en_US ptrace -> trace, p trace, pt race
honggfuzz.x86_64: W: no-manual-page-for-binary honggfuzz
honggfuzz.src: W: spelling-error Summary(en_US) fuzzer -> fuzzier, fuzzes, fuzzed
honggfuzz.src: W: spelling-error %description -l en_US ptrace -> trace, p trace, pt race
3 packages and 0 specfiles checked; 0 errors, 5 warnings.

Rpmlint (debuginfo)
-------------------
Checking: honggfuzz-debuginfo-0.8-2.20161101git7ba1010.fc26.x86_64.rpm
1 packages and 0 specfiles checked; 0 errors, 0 warnings.

Rpmlint (installed packages)
----------------------------
honggfuzz.x86_64: W: spelling-error Summary(en_US) fuzzer -> fuzzier, fuzzes, fuzzed
honggfuzz.x86_64: W: spelling-error %description -l en_US ptrace -> trace, p trace, pt race
honggfuzz.x86_64: W: no-manual-page-for-binary honggfuzz
2 packages and 0 specfiles checked; 0 errors, 3 warnings.

Requires
--------
honggfuzz (rpmlib, GLIBC filtered):
    libc.so.6()(64bit)
    libdl.so.2()(64bit)
    libm.so.6()(64bit)
    libpthread.so.0()(64bit)
    librt.so.1()(64bit)
    libunwind-x86_64.so.8()(64bit)
    libz.so.1()(64bit)
    libz.so.1(ZLIB_1.2.0)(64bit)
    rtld(GNU_HASH)

honggfuzz-debuginfo (rpmlib, GLIBC filtered):

Provides
--------
honggfuzz:
    honggfuzz
    honggfuzz(x86-64)

honggfuzz-debuginfo:
    honggfuzz-debuginfo
    honggfuzz-debuginfo(x86-64)

Source checksums
----------------
https://github.com/google/honggfuzz/tarball/7ba101051e2f8885703e393f37b523bda518f11d/google-honggfuzz-7ba1010.tar.gz :
  CHECKSUM(SHA256) this package     : 61c5c87021ebd42726a5f781a60e82f56863c5debad3b4dec92029a2cccb84d2
  CHECKSUM(SHA256) upstream package : 61c5c87021ebd42726a5f781a60e82f56863c5debad3b4dec92029a2cccb84d2
Here is another (probably faster) example for cleaning the tarball: https://pkgs.fedoraproject.org/cgit/rpms/calibre.git/tree/getsources.sh
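A tarball-cleaning script of the kind the "Prohibited Code" guideline in [6] and the calibre getsources.sh link describe, added here as an example; it is not part of the review thread or the honggfuzz spec. The demo input tree and its file contents are constructed (only the third_party/mac/*.o path comes from the review), and GNU tar is assumed for the reproducible-archive options.

```shell
#!/bin/sh
# Added example (not from the review thread or the honggfuzz spec): repack an
# upstream tarball without the prohibited pre-built objects, so the SRPM's
# Source matches the "When Upstream uses Prohibited Code" guideline.
# Assumes GNU tar (for --sort/--mtime) and a single top-level directory in the
# archive, as GitHub commit tarballs have.
set -eu

# clean_tarball <in.tar.gz> <out.tar.gz> [glob...]: extract, delete every path
# matching the globs (default: third_party/mac/*.o, the CrashWrangler objects
# named in the review), and write a deterministic archive for the checksum.
clean_tarball() {
    src="$1"; dst="$2"; shift 2
    [ $# -gt 0 ] || set -- 'third_party/mac/*.o'
    work="$(mktemp -d)"
    tar -xzf "$src" -C "$work"
    topdir="$(ls "$work")"            # the single top-level directory
    for pat in "$@"; do
        for f in "$work/$topdir"/$pat; do   # glob expanded on purpose
            [ -e "$f" ] || continue       # no match: literal pattern, skip
            echo "removing $f" >&2
            rm -f -- "$f"
        done
    done
    tar --sort=name --mtime='2000-01-01' --owner=0 --group=0 --numeric-owner \
        -czf "$dst" -C "$work" "$topdir"
    rm -rf "$work"
}

# tarball_has <tarball> <fixed-string>: 0 if any member path contains it.
tarball_has() {
    tar -tzf "$1" | grep -qF -- "$2"
}

# make_demo_tarball <out.tar.gz>: constructed input imitating the upstream
# layout (file contents are placeholders, not real honggfuzz sources).
make_demo_tarball() {
    demo="$(mktemp -d)"
    top="$demo/google-honggfuzz-7ba1010"
    mkdir -p "$top/third_party/mac" "$top/third_party/android"
    echo 'int main(void) { return 0; }' > "$top/honggfuzz.c"
    printf 'not really an object file' > "$top/third_party/mac/CrashReport_demo.o"
    echo 'MIT' > "$top/third_party/android/LICENSE"
    tar -czf "$1" -C "$demo" google-honggfuzz-7ba1010
    rm -rf "$demo"
}
```

The cleaned archive is what the spec's Source0 should point at (with a "-clean" or similar suffix in the file name), and its SHA256 is the value fedora-review compares in the "Source checksums" section.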
What is needed to move forward here?
I believe that Daniel Kopeček is no longer working for Red Hat so at least the email address isn't going to work. I'm going to open a new review bug - will post here when it is ready.
-> https://bugzilla.redhat.com/show_bug.cgi?id=1834964