Spec URL: http://michael.cronenworth.com/RPMS/domoticz.spec
SRPM URL: http://michael.cronenworth.com/RPMS/domoticz-3.5877-1.fc25.src.rpm
Description: Domoticz is a Home Automation System that lets you monitor and configure various devices like: Lights, Switches, various sensors/meters like Temperature, Rain, Wind, UV, Electra, Gas, Water and much more. Notifications/Alerts can be sent to any mobile device
Fedora Account System Username: mooninite
I'll comment on what fedora-review flags as issues:

- Permissions on files are set properly.
  Note: See rpmlint output
  See: http://fedoraproject.org/wiki/Packaging/Guidelines#FilePermissions

The self-updater script is in /usr/share, yes, and I will disable it, but it is useless.

- Package contains BR: python2-devel or python3-devel

False positive. The python scripts shipped are not compiled or used and are for extra functionality not supported in the app and I include them if any advanced users wish to use them.

- All build dependencies are listed in BuildRequires, except for any that are listed in the exceptions section of Packaging Guidelines.
  Note: These BR are not needed: gcc-c++
  See: http://fedoraproject.org/wiki/Packaging/Guidelines#Exceptions_2

This is required now. Fedora-review is out of date.
https://fedoraproject.org/wiki/Packaging:C_and_C%2B%2B#BuildRequires_and_Requires

- If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %license.
  Note: License file LICENSE is not marked as %license
  See: http://fedoraproject.org/wiki/Packaging/LicensingGuidelines#License_Text

The license is contained in "License.txt" and is correct. Fedora-review also complains about the results of licensecheck, but the bundled software that is flagged is not shipped, and the license should be OK.

- [!]: Large data in /usr/share should live in a noarch subpackage if package is arched.

The /usr/share data is required by the app at runtime. Splitting it into a sub-package would net zero gains. Additionally this clause has been removed from the Guidelines. I can't find it.

The review should be a single pass check-off, unless I have missed something badly.
Apologies for not getting to this sooner.

* rpmlint complains that you are shipping a PEM certificate. However looking at the domoticz documentation, it explicitly references that domoticz will use this cert if a separate one is not provided, so this is probably fine.

> domoticz.x86_64: W: pem-certificate /usr/share/domoticz/server_cert.pem
> Shipping a PEM certificate is likely wrong. If used for the default
> configuration, this is insecure ( since the certificate is public ). If this
> is used for validation, ie a CA certificate store, then this must be kept up
> to date due to CA compromise. The only valid reason is for testing purpose, so
> ignore this warning if this is the case.

* As per https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAndGroups#Dynamic_allocation, please add "Requires(pre): shadow-utils" since this package creates a user and a group.

> False positive. The python scripts shipped are not compiled or used and are for extra functionality not supported in the app and I include them if any advanced users wish to use them.

$ ls rpms-unpacked/domoticz-3.5877-1.fc27.x86_64.rpm/usr/share/domoticz/scripts/python/ -l
total 56
-rw-r--r-- 1 bjr bjr 3887 Nov 10 2016 domoticz.py
-rw-r--r-- 2 bjr bjr 5350 Jul 16 19:57 domoticz.pyc
-rw-r--r-- 2 bjr bjr 5350 Jul 16 19:57 domoticz.pyo
-rw-r--r-- 1 bjr bjr 1993 Nov 10 2016 googlepubsub.py
-rw-r--r-- 2 bjr bjr 1792 Jul 16 19:57 googlepubsub.pyc
-rw-r--r-- 2 bjr bjr 1792 Jul 16 19:57 googlepubsub.pyo
-rw-r--r-- 1 bjr bjr 1116 Nov 10 2016 reloader.py
-rw-r--r-- 2 bjr bjr 1458 Jul 16 19:57 reloader.pyc
-rw-r--r-- 2 bjr bjr 1458 Jul 16 19:57 reloader.pyo
-rw-r--r-- 1 bjr bjr 1206 Nov 10 2016 script_device_PIRsmarter.py
-rw-r--r-- 2 bjr bjr 850 Jul 16 19:57 script_device_PIRsmarter.pyc
-rw-r--r-- 2 bjr bjr 850 Jul 16 19:57 script_device_PIRsmarter.pyo

They look compiled to me. :) I would include the BRs just to be safe.

* fedora-review also complains about the perl scripts, but I think this one is safe to ignore, assuming the Perl scripts are also not used for anything.

Note: Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) missing?"

* I'm dubious about the licensing being okay-- there are a lot of different licenses listed in the full licensecheck output [1]. Are you sure that, for example, the Boost-licensed files (marked by fedora-review as "BSL") in the "webserver" directory aren't being compiled? If they are, the license must be annotated accordingly.

To be explicit about this, I would recommend removing the bits that are bundled in %prep and cross-checking with the licensecheck output.

Further complicating things, there is a large amount of content in /usr/share/domoticz/www, including a number of gzip-compressed JS libraries in /usr/share/domoticz/www/js, and a variety of fonts scattered throughout the directory as well. Please:

- Investigate unbundling the fonts. Hopefully this is possible, but if not please confirm that the fonts are appropriately licensed via "ttname" as per the fonts policy [2].

- Go through the bundled JS libs, identify their licenses, add bundled provides, and amend the License: tag of the package accordingly. (I would bet most are MIT licensed). Having had to do this myself before, I know it's mostly frustrating busywork; I'm sorry to have to ask for it, but the guidelines are clear. :(

Otherwise the package looks fine-- I'll be happy to approve it after you run through the licensing.

[1] https://paste.fedoraproject.org/paste/0ooMd0mofqGpnxIoTSTx3g
[2] https://fedoraproject.org/wiki/Packaging:FontsPolicy#Licensing_Information_in_Metadata
> They look compiled to me. :) I would include the BRs just to be safe.

On second thought there's really no reason to do this if the scripts are just there for demonstration purposes, so maybe explicitly exclude the pyc and pyo files in the file list to prevent RPM from including them (since as you say, they shouldn't really be there).
Created attachment 1300552 [details]
Bundled fonts license check

Good catch on the fonts. I can unbundle DroidSans, but the rest are not available in Fedora. Their licenses appear to be OK. I'm including the license output from the fonts for review.

I will address the other issues shortly.
Created attachment 1300687 [details]
Bundled javascript license check

Here's a detailed list of each bundled javascript license. Will this line suffice?

License: GPLv3+ and ASL 2.0 and BSD and MIT
(In reply to Ben Rosser from comment #2)
> Apologies for not getting to this sooner.

No problem at all. Thanks for looking!

> * rpmlint complains that you are shipping a PEM certificate. However looking
> at the domoticz documentation, it explicitly references that domoticz will
> use this cert if a separate one is not provided, so this is probably fine.

Yes, the cert is just shipped by the source tarball and it is up to the user to create their own and place it in /var/lib/domoticz, which is what the systemd unit file expects.

> * As per
> https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/
> UsersAndGroups#Dynamic_allocation, please add "Requires(pre): shadow-utils"
> since this package creates a user and a group.

Fixed.

> They look compiled to me. :) I would include the BRs just to be safe.

That's rpmbuild helping too much. I'll include it anyway.

> * fedora-review also complains about the perl scripts, but I think this one
> is safe to ignore, assuming the Perl scripts are also not used for anything.
>
> Note: Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`";
> echo $version)) missing?"

Correct.

> * I'm dubious about the licensing being okay-- there are a lot of different
> licenses listed in the full licensecheck output [1]. Are you sure that, for
> example, the Boost-licensed files (marked by fedora-review as "BSL") in the
> "webserver" directory aren't being compiled? If they are, the license must
> be annotated accordingly.
>
> To be explicit about this, I would recommend removing the bits that are
> bundled in %prep and cross-checking with the licensecheck output.
>
> Further complicating things, there is a large amount of content in
> /usr/share/domoticz/www, including a number of gzip-compressed JS libraries
> in /usr/share/domoticz/www/js, and a variety of fonts scattered throughout
> the directory as well. Please:
>
> - Investigate unbundling the fonts. Hopefully this is possible, but if not
> please confirm that the fonts are appropriately licensed via "ttname" as per
> the fonts policy [2].
>
> - Go through the bundled JS libs, identify their licenses, add bundled
> provides, and amend the License: tag of the package accordingly. (I would
> bet most are MIT licensed). Having had to do this myself before, I know it's
> mostly frustrating busywork; I'm sorry to have to ask for it, but the
> guidelines are clear. :(

These issues should be corrected.

Spec: http://michael.cronenworth.com/RPMS/domoticz.spec
SRPM: http://michael.cronenworth.com/RPMS/domoticz-3.5877-2.fc26.src.rpm
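
An added example, not part of the original comments and not Fedora's or domoticz's own tooling: rpmlint's pem-certificate warning discussed above only reports that a PEM file is shipped, so this sketch lists which PEM block types an unpacked package payload contains and flags any private key, the case that makes a shipped default insecure. The directory layout, file names and PEM bodies are constructed placeholders; the thread does not say what server_cert.pem actually contains.

```python
"""Scan an unpacked package payload for PEM blocks and flag private keys."""
import re
import tempfile
from pathlib import Path

# "-----BEGIN <LABEL>-----" armour line of the PEM textual encoding.
PEM_BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")
MAX_READ = 1 << 20  # read at most 1 MiB per file


def pem_labels(data):
    """Return the PEM block labels found in data, in order of appearance."""
    return [label.decode("ascii") for label in PEM_BEGIN.findall(data)]


def scan_tree(root):
    """Return (relative path, labels, verdict) for every file with PEM blocks."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        # Skip symlinks so a link in the payload cannot lead outside the tree.
        if path.is_symlink() or not path.is_file():
            continue
        with path.open("rb") as fh:
            labels = pem_labels(fh.read(MAX_READ))
        if not labels:
            continue
        # Covers "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
        # "ENCRYPTED PRIVATE KEY" and similar labels.
        has_key = any(label.endswith("PRIVATE KEY") for label in labels)
        verdict = "private-key" if has_key else "public-material"
        findings.append((path.relative_to(root).as_posix(), labels, verdict))
    return findings


def build_sample_tree(root):
    """Create a constructed payload; the PEM bodies are placeholders, not keys."""
    share = Path(root) / "usr" / "share" / "example"
    share.mkdir(parents=True)
    cert = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
    key = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
    (share / "ca.pem").write_text(cert)
    (share / "server_cert.pem").write_text(cert + key)
    (share / "readme.txt").write_text("no PEM armour in this file\n")


def demo():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel_path, labels, verdict in demo():
        print(f"{verdict:16} {rel_path}  [{', '.join(labels)}]")
```

To check a real build, unpack the binary RPM into a directory (for example with rpm2cpio piped into cpio) and pass that directory to scan_tree.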
Great; the package now looks good. APPROVED.

Package Review
==============

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated
[ ] = Manual review needed

Issues:
=======

===== MUST items =====

C/C++:
[x]: Package does not contain kernel modules.
[x]: Package contains no static executables.
[x]: Header files in -devel subpackage, if present.
[x]: Package does not contain any libtool archives (.la)
[x]: Rpath absent or only used for internal libs.

Generic:
[x]: Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines.
[x]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses found: "Apache (v2.0)", "ISC BSD (2 clause)", "GPL (v2 or later)", "Unknown or generated", "*No copyright* EPL (v1.0)", "EPL (v1.0)", "MIT/X11 (BSD like)", "BSL (v1.0)", "CC by", "GPL (v3.0 or later)", "zlib/libpng", "BSD (3 clause)", "*No copyright* zlib/libpng", "LGPL (v3 or later)", "*No copyright* BSL (v1.0)", "BSD (2 clause)", "BSD (unspecified)", "GPL (v2) (with incorrect FSF address)", "*No copyright* MIT/X11 (BSD like)", "GPL (v3 or later)". 1775 files have unknown license. Detailed output of licensecheck in /home/bjr/Programming/fedora/reviews/1468768-domoticz/licensecheck.txt
[x]: License file installed when any subpackage combination is installed.
[x]: If the package is under multiple licenses, the licensing breakdown must be documented in the spec.
[x]: %build honors applicable compiler flags or justifies otherwise.
[x]: Package contains no bundled libraries without FPC exception.
[x]: Changelog in prescribed format.
[x]: Sources contain only permissible code or content.
[x]: Package contains desktop file if it is a GUI application.
[x]: Development files must be in a -devel package
[x]: Package uses nothing in %doc for runtime.
[x]: Package consistently uses macros (instead of hard-coded directory names).
[x]: Package is named according to the Package Naming Guidelines.
[x]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and Provides are present.
[x]: Requires correct, justified where necessary.
[x]: Spec file is legible and written in American English.
[x]: Package contains systemd file(s) if in need.
[x]: Useful -debuginfo package or justification otherwise.
[x]: Package is not known to require an ExcludeArch tag.
[-]: Large documentation must go in a -doc subpackage. Large could be size (~1MB) or number of files.
     Note: Documentation size is 92160 bytes in 2 files.
[x]: Package complies to the Packaging Guidelines
[x]: Package successfully compiles and builds into binary rpms on at least one supported primary architecture.
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: Package requires other packages for directories it uses.
[x]: Package must own all directories that it creates.
[x]: Package does not own files or directories owned by other packages.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install.
[x]: %config files are marked noreplace or the reason is justified.
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Dist tag is present.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package use %makeinstall only when make install DESTDIR=... doesn't work.
[x]: Package is named using only allowed ASCII characters.
[x]: No %config files under /usr.
[x]: Package does not use a name that already exists.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as provided in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Packages must not store files under /srv, /opt or /usr/local

===== SHOULD items =====

Generic:
[-]: Avoid bundling fonts in non-fonts packages.
     Note: Package contains font files
[-]: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it.
[x]: Final provides and requires are sane (see attachments).
[x]: Fully versioned dependency in subpackages if applicable.
     Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in domoticz-debuginfo
[x]: Package functions as described.
[x]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[x]: Patches link to upstream bugs/comments/lists or are otherwise justified.
[-]: Description and summary sections in the package spec file contains translations for supported Non-English languages, if available.
[x]: Package should compile and build into binary rpms on all supported architectures.
[-]: %check is present and all tests pass.
[x]: Packages should try to preserve timestamps of original installed files.
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT)
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: Uses parallel make %{?_smp_mflags} macro.
[x]: Sources can be downloaded from URI in Source: tag
[x]: SourceX is a working URL.
[x]: Spec use %global instead of %define unless justified.

===== EXTRA items =====

Generic:
[x]: Rpmlint is run on debuginfo package(s).
     Note: No rpmlint messages.
[x]: Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).
[x]: Spec file according to URL is the same as in SRPM.

Rpmlint
-------
Checking: domoticz-3.5877-2.fc27.x86_64.rpm
          domoticz-debuginfo-3.5877-2.fc27.x86_64.rpm
          domoticz-3.5877-2.fc27.src.rpm
domoticz.x86_64: W: dangling-relative-symlink /usr/share/domoticz/www/styles/elemental/fonts/DroidSans.ttf %{_fontdir}/google-droid/DroidSans.ttf
domoticz.x86_64: W: pem-certificate /usr/share/domoticz/server_cert.pem
domoticz.x86_64: E: non-executable-script /usr/share/domoticz/scripts/_domoticz_main 644 /bin/sh
domoticz.x86_64: W: non-standard-uid /var/lib/domoticz domoticz
domoticz.x86_64: W: non-standard-gid /var/lib/domoticz domoticz
domoticz.x86_64: E: non-executable-script /usr/share/domoticz/updatedomo 644 /bin/sh
domoticz.x86_64: W: hidden-file-or-dir /usr/lib/.build-id
domoticz.x86_64: W: hidden-file-or-dir /usr/lib/.build-id
domoticz.x86_64: E: non-executable-script /usr/share/domoticz/scripts/buienradar_rain_example.pl 644 /usr/bin/perl -w
domoticz.x86_64: W: dangling-relative-symlink /usr/share/domoticz/www/styles/element-light/fonts/DroidSans.ttf %{_fontdir}/google-droid/DroidSans.ttf
domoticz.x86_64: W: dangling-relative-symlink /usr/share/domoticz/www/styles/element-dark/fonts/DroidSans.ttf %{_fontdir}/google-droid/DroidSans.ttf
domoticz.x86_64: W: no-manual-page-for-binary domoticz
domoticz.src:37: W: unversioned-explicit-provides bundled(js-ace)
domoticz.src:40: W: unversioned-explicit-provides bundled(js-blockly)
domoticz.src:41: W: unversioned-explicit-provides bundled(js-bootbox)
domoticz.src:43: W: unversioned-explicit-provides bundled(js-colpick)
domoticz.src:44: W: unversioned-explicit-provides bundled(js-d3)
domoticz.src:52: W: unversioned-explicit-provides bundled(js-ngdraggable)
domoticz.src:53: W: unversioned-explicit-provides bundled(js-nggrid)
domoticz.src:59: W: unversioned-explicit-provides bundled(js-ozwcp)
3 packages and 0 specfiles checked; 3 errors, 17 warnings.

Rpmlint (debuginfo)
-------------------
Checking: domoticz-debuginfo-3.5877-2.fc27.x86_64.rpm
1 packages and 0 specfiles checked; 0 errors, 0 warnings.

Rpmlint (installed packages)
----------------------------
sh: /usr/bin/python: No such file or directory
domoticz.x86_64: E: non-executable-script /usr/share/domoticz/scripts/_domoticz_main 644 /bin/sh
domoticz.x86_64: E: non-executable-script /usr/share/domoticz/scripts/buienradar_rain_example.pl 644 /usr/bin/perl -w
domoticz.x86_64: W: pem-certificate /usr/share/domoticz/server_cert.pem
domoticz.x86_64: E: non-executable-script /usr/share/domoticz/updatedomo 644 /bin/sh
domoticz.x86_64: W: dangling-relative-symlink /usr/share/domoticz/www/styles/element-dark/fonts/DroidSans.ttf %{_fontdir}/google-droid/DroidSans.ttf
domoticz.x86_64: W: dangling-relative-symlink /usr/share/domoticz/www/styles/element-light/fonts/DroidSans.ttf %{_fontdir}/google-droid/DroidSans.ttf
domoticz.x86_64: W: dangling-relative-symlink /usr/share/domoticz/www/styles/elemental/fonts/DroidSans.ttf %{_fontdir}/google-droid/DroidSans.ttf
domoticz.x86_64: W: non-standard-uid /var/lib/domoticz domoticz
domoticz.x86_64: W: non-standard-gid /var/lib/domoticz domoticz
domoticz.x86_64: W: no-manual-page-for-binary domoticz
2 packages and 0 specfiles checked; 3 errors, 7 warnings.

Requires
--------
domoticz (rpmlib, GLIBC filtered):
    /bin/sh
    config(domoticz)
    google-droid-sans-fonts
    libboost_atomic.so.1.63.0()(64bit)
    libboost_chrono.so.1.63.0()(64bit)
    libboost_date_time.so.1.63.0()(64bit)
    libboost_system.so.1.63.0()(64bit)
    libboost_thread.so.1.63.0()(64bit)
    libc.so.6()(64bit)
    libcrypto.so.1.1()(64bit)
    libcrypto.so.1.1(OPENSSL_1_1_0)(64bit)
    libcurl.so.4()(64bit)
    libdl.so.2()(64bit)
    libgcc_s.so.1()(64bit)
    libgcc_s.so.1(GCC_3.0)(64bit)
    liblua-5.3.so()(64bit)
    libm.so.6()(64bit)
    libmosquittopp.so.1()(64bit)
    libopenzwave.so.1.4()(64bit)
    libpthread.so.0()(64bit)
    librt.so.1()(64bit)
    libsqlite3.so.0()(64bit)
    libssl.so.1.1()(64bit)
    libssl.so.1.1(OPENSSL_1_1_0)(64bit)
    libstdc++.so.6()(64bit)
    libstdc++.so.6(CXXABI_1.3)(64bit)
    libstdc++.so.6(CXXABI_1.3.8)(64bit)
    libstdc++.so.6(CXXABI_1.3.9)(64bit)
    libudev.so.1()(64bit)
    libusb-0.1.so.4()(64bit)
    libz.so.1()(64bit)
    rtld(GNU_HASH)
    shadow-utils
    systemd

domoticz-debuginfo (rpmlib, GLIBC filtered):

Provides
--------
domoticz:
    bundled(js-ace)
    bundled(js-angular-ui-bootstrap)
    bundled(js-angularamd)
    bundled(js-angularjs)
    bundled(js-blockly)
    bundled(js-bootbox)
    bundled(js-bootstrap)
    bundled(js-colpick)
    bundled(js-d3)
    bundled(js-datatables-datatools)
    bundled(js-dateformat)
    bundled(js-filesaver)
    bundled(js-highcharts)
    bundled(js-html5shiv)
    bundled(js-i18next)
    bundled(js-ion-sound)
    bundled(js-jquery)
    bundled(js-jquery-noty)
    bundled(js-less)
    bundled(js-ngdraggable)
    bundled(js-nggrid)
    bundled(js-ozwcp)
    bundled(js-require)
    bundled(js-respond)
    bundled(js-wow)
    bundled(js-zeroclipboard)
    config(domoticz)
    domoticz
    domoticz(x86-64)

domoticz-debuginfo:
    debuginfo(build-id)
    domoticz-debuginfo
    domoticz-debuginfo(x86-64)

Source checksums
----------------
https://github.com/domoticz/domoticz/archive/3.5877.tar.gz#/domoticz-3.5877.tar.gz :
  CHECKSUM(SHA256) this package     : fb88edbe428851a7a337a85faa93f6da00713b3ad086ff6957031dc9b3b58bba
  CHECKSUM(SHA256) upstream package : fb88edbe428851a7a337a85faa93f6da00713b3ad086ff6957031dc9b3b58bba

Generated by fedora-review 0.6.1 (f03e4e7) last change: 2016-05-02
Command line :/usr/bin/fedora-review -b 1468768 -m fedora-rawhide-x86_64
Buildroot used: fedora-rawhide-x86_64
Active plugins: Python, Generic, Shell-api, C/C++, Perl
Disabled plugins: Java, fonts, SugarActivity, Ocaml, Haskell, R, PHP
Disabled flags: EXARCH, DISTTAG, EPEL5, BATCH, EPEL6
Package request has been approved: https://admin.fedoraproject.org/pkgdb/package/rpms/domoticz
domoticz-3.5877-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-9f014592ce
domoticz-3.5877-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c137106664
domoticz-3.5877-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-9f014592ce
domoticz-3.5877-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
domoticz-3.5877-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
> The /usr/share data is required by the app at runtime. Splitting it into
> a sub-package would net zero gains. Additionally this clause has been
> removed from the Guidelines. I can't find it.

The benefit would be for the repository and its mirrors, _if_ it's a huge (!) "noarch" subpackage that can be hardlinked between multiple repositories to save space. It has never been in the official guidelines, since it's a minor detail only. And similar to the "large documentation must go into a -doc subpackage" guideline, deciding when data are sufficiently "large enough" is troublesome. Creating too many small subpackages is not without pitfalls (such as repo metadata bloat / user needs to search for the documentation package).