Bug 1768027 - Review Request: signify - Sign and encrypt files
Summary: Review Request: signify - Sign and encrypt files
Keywords:
Status: ASSIGNED
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Tom "spot" Callaway
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-11-01 21:37 UTC by Marcus Müller
Modified: 2021-03-01 16:30 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: ---
spotrh: fedora-review+


Attachments (Terms of Use)

Description Marcus Müller 2019-11-01 21:37:00 UTC
Spec URL: https://raw.githubusercontent.com/marcusmueller/signify-package/master/signify.spec
SRPM URL: https://github.com/marcusmueller/signify-package/raw/master/signify-26-1.fc29.src.rpm
Description: Sign and verify signatures on files, as used by the OpenBSD release maintainers.
Fedora Account System Username: marcusmueller

Comment 1 Ondřej Pohořelský 2019-11-20 15:06:29 UTC
This is informal review only. Feedback appreciated.

I would advise you to contact upstream regarding license file. Also it would be nice to have %check and tests.


Package Review
==============

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated
[ ] = Manual review needed



===== MUST items =====

C/C++:
[x]: Provides: bundled(gnulib) in place as required.
     Note: Sources not installed
[x]: Package does not contain kernel modules.
[x]: Package contains no static executables.
[x]: If your application is a C or C++ application you must list a
     BuildRequires against gcc, gcc-c++ or clang.
[x]: Header files in -devel subpackage, if present.
[x]: Package does not contain any libtool archives (.la)
[x]: Rpath absent or only used for internal libs.

Generic:
[x]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[-]: If (and only if) the source package includes the text of the
     license(s) in its own file, then that file, containing the text of the
     license(s) for the package is included in %license.
[x]: License field in the package spec file matches the actual license.
     Note: There is no build directory. Running licensecheck on vanilla
     upstream sources. No licenses found. Please check the source files for
     licenses manually.
[!]: License file installed when any subpackage combination is installed.
[x]: Package does not own files or directories owned by other packages.
     Note: Dirs in package are owned also by: /usr/share/doc/signify(C, to,
     set, defaulting, locale,, Failed)
[x]: %build honors applicable compiler flags or justifies otherwise.
[x]: Package contains no bundled libraries without FPC exception.
[x]: Changelog in prescribed format.
[x]: Sources contain only permissible code or content.
[-]: Package contains desktop file if it is a GUI application.
[-]: Development files must be in a -devel package
[x]: Package uses nothing in %doc for runtime.
[x]: Package consistently uses macros (instead of hard-coded directory
     names).
[x]: Package is named according to the Package Naming Guidelines.
[?]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[x]: Requires correct, justified where necessary.
[x]: Spec file is legible and written in American English.
[x]: Package contains systemd file(s) if in need.
[x]: Useful -debuginfo package or justification otherwise.
[x]: Package is not known to require an ExcludeArch tag.
[-]: Large documentation must go in a -doc subpackage. Large could be size
     (~1MB) or number of files.
     Note: Documentation size is 20480 bytes in 2 files.
[x]: Package complies to the Packaging Guidelines
[x]: Package successfully compiles and builds into binary rpms on at least
     one supported primary architecture.
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: No rpmlint messages.
[x]: Package requires other packages for directories it uses.
[x]: Package must own all directories that it creates.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Dist tag is present.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package must not depend on deprecated() packages.
[x]: Package use %makeinstall only when make install DESTDIR=... doesn't
     work.
[x]: Package is named using only allowed ASCII characters.
[x]: Package does not use a name that already exists.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as
     provided in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Packages must not store files under /srv, /opt or /usr/local

===== SHOULD items =====

Generic:
[?]: If the source package does not include license text(s) as a separate
     file from upstream, the packager SHOULD query upstream to include it.
[x]: Final provides and requires are sane (see attachments).
[?]: Package functions as described.
[x]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[-]: Sources are verified with gpgverify first in %prep if upstream
     publishes signatures.
     Note: gpgverify is not used.
[-]: Description and summary sections in the package spec file contains
     translations for supported Non-English languages, if available.
[?]: Package should compile and build into binary rpms on all supported
     architectures.
[!]: %check is present and all tests pass.
[x]: Packages should try to preserve timestamps of original installed
     files.
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Fully versioned dependency in subpackages if applicable.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: Sources can be downloaded from URI in Source: tag
[x]: SourceX is a working URL.
[x]: Spec use %global instead of %define unless justified.

===== EXTRA items =====

Generic:
[x]: Rpmlint is run on debuginfo package(s).
     Note: No rpmlint messages.
[x]: Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).
[x]: Large data in /usr/share should live in a noarch subpackage if package
     is arched.
[x]: Spec file according to URL is the same as in SRPM.


Rpmlint
-------
Checking: signify-26-1.fc32.x86_64.rpm
          signify-debuginfo-26-1.fc32.x86_64.rpm
          signify-debugsource-26-1.fc32.x86_64.rpm
          signify-26-1.fc32.src.rpm
4 packages and 0 specfiles checked; 0 errors, 0 warnings.




Rpmlint (debuginfo)
-------------------
Checking: signify-debuginfo-26-1.fc32.x86_64.rpm
1 packages and 0 specfiles checked; 0 errors, 0 warnings.





Rpmlint (installed packages)
----------------------------
#problem on my side

perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_CTYPE = "C.UTF-8",
	LANG = "cs_CZ.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_CTYPE = "C.UTF-8",
	LANG = "cs_CZ.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
signify-debugsource.x86_64: W: invalid-url URL: https://github.com/aperezdc/signify <urlopen error [Errno -2] Name or service not known>
signify-debuginfo.x86_64: W: invalid-url URL: https://github.com/aperezdc/signify <urlopen error [Errno -2] Name or service not known>
signify.x86_64: W: invalid-url URL: https://github.com/aperezdc/signify <urlopen error [Errno -2] Name or service not known>
3 packages and 0 specfiles checked; 0 errors, 3 warnings.



Source checksums
----------------
https://github.com/aperezdc/signify/releases/download/v26/signify-26.tar.xz :
  CHECKSUM(SHA256) this package     : 5c2d9414cb302f0b127d8a930843461dac305c5e0e28828b6e4aaf55b00f549b
  CHECKSUM(SHA256) upstream package : 5c2d9414cb302f0b127d8a930843461dac305c5e0e28828b6e4aaf55b00f549b


Requires
--------
signify (rpmlib, GLIBC filtered):
    libbsd.so.0()(64bit)
    libbsd.so.0(LIBBSD_0.0)(64bit)
    libbsd.so.0(LIBBSD_0.2)(64bit)
    libbsd.so.0(LIBBSD_0.8)(64bit)
    libc.so.6()(64bit)
    rtld(GNU_HASH)

signify-debuginfo (rpmlib, GLIBC filtered):

signify-debugsource (rpmlib, GLIBC filtered):



Provides
--------
signify:
    signify
    signify(x86-64)

signify-debuginfo:
    debuginfo(build-id)
    signify-debuginfo
    signify-debuginfo(x86-64)

signify-debugsource:
    signify-debugsource
    signify-debugsource(x86-64)



Generated by fedora-review 0.7.3 (44b83c7) last change: 2019-09-18
Command line :/usr/bin/fedora-review -u https://bugzilla.redhat.com/show_bug.cgi?id=1768027
Buildroot used: fedora-rawhide-{{ target_arch }}
Active plugins: Generic, C/C++, Shell-api
Disabled plugins: R, Java, Perl, Ocaml, fonts, PHP, Python, SugarActivity, Haskell
Disabled flags: EPEL6, EPEL7, DISTTAG, BATCH, EXARCH

Comment 2 Vít Ondruch 2019-11-21 11:07:16 UTC
* Wrong use of PREFIX in install section
  - Usage of '/usr' is definitely not right. If nothing else, there should be used %{_prefix} macro for this purpose
  - I have not looked into the project, but wouldn't be better to override the DESTDIR?

* Bundled libwaive
  - It appears that at leas in upstream repository, there is bundled libwaive. Would it be possible to unbundle this library? If not, there should be bundled provide [1] in .spec file mentioning this library.




[1] https://docs.fedoraproject.org/en-US/packaging-guidelines/#bundling

Comment 3 Marcus Müller 2020-01-10 21:44:38 UTC
(In reply to Vít Ondruch from comment #2)
> * Wrong use of PREFIX in install section
>   - Usage of '/usr' is definitely not right. If nothing else, there should
> be used %{_prefix} macro for this purpose

Fixing that.

>   - I have not looked into the project, but wouldn't be better to override
> the DESTDIR?

fails when setting DESTDIR, works with PREFIX

> * Bundled libwaive
>   - It appears that at leas in upstream repository, there is bundled
> libwaive. Would it be possible to unbundle this library? If not, there
> should be bundled provide [1] in .spec file mentioning this library.

libwaive is included in the upstream source, but not being used (unless you `make PLEDGE=waive`, which I don't), so no action required.

Comment 4 Marcus Müller 2020-01-10 22:01:24 UTC
(In reply to Ondřej Pohořelský from comment #1)
> This is informal review only. Feedback appreciated.


Feedback: thank you! Very much appreciated.

> I would advise you to contact upstream regarding license file. 

Done! https://github.com/aperezdc/signify/pull/24

> Also it would
> be nice to have %check and tests.

On it. As soon as https://github.com/aperezdc/signify/commit/b82aa79bd2d679a31efd53f4eddcea5e56bf2ceb is part of a release, will include %check

> [!]: License file installed when any subpackage combination is installed.

As soon as https://github.com/aperezdc/signify/pull/24 is part of a release, this will be done.

> ===== SHOULD items =====
> Generic:
> [?]: If the source package does not include license text(s) as a separate
>      file from upstream, the packager SHOULD query upstream to include it.

in process, see above

> [?]: Package functions as described.

Fundamental truth: Software is buggy, but this is relatively fine.

> [!]: %check is present and all tests pass.

in process, see above

Comment 5 Marcus Müller 2020-01-10 22:02:31 UTC
(In reply to Marcus Müller from comment #3)

to be specific:

> libwaive is included in the upstream source, but not being used (unless you
> `make PLEDGE=waive`, which I don't), so no action required.

It's not being compiled, and not installed as library, either, so I really can't claim anything provides this.

Comment 6 Antonio T. (sagitter) 2020-01-10 22:06:23 UTC
(In reply to Marcus Müller from comment #5)
> (In reply to Marcus Müller from comment #3)
> 
> to be specific:
> 
> > libwaive is included in the upstream source, but not being used (unless you
> > `make PLEDGE=waive`, which I don't), so no action required.
> 
> It's not being compiled, and not installed as library, either, so I really
> can't claim anything provides this.

Remove the code in %prep

> [x]: %build honors applicable compiler flags or justifies otherwise.

Are you sure that flags are used?

`%make_build CFLAGS=-g` is fundamentally wrong

Comment 7 Marcus Müller 2020-01-10 22:19:14 UTC
> Remove the code in %prep

Removed! Didn't expect it to work without.


> > [x]: %build honors applicable compiler flags or justifies otherwise.
> 
> Are you sure that flags are used?
> 
> `%make_build CFLAGS=-g` is fundamentally wrong

I feel the same, but: without `-g`, there's no debug symbols to be extracted, and rpmbuilding fails. It took me a while to figure out that supplying `-g` helps.

```
+ /usr/lib/rpm/find-debuginfo.sh -j8 --strict-build-id -m -i --build-id-seed 27-1.fc29 --unique-debug-suffix -27-1.fc29.x86_64 --unique-debug-src-base signify-27-1.fc29.x86_64 --run-dwz --dwz-low-mem-die-limit 10000000 --dwz-max-die-limit 110000000 -S debugsourcefiles.list /home/marcus/src/signify-package/signify-27
explicitly decompress any DWARF compressed ELF sections in /home/marcus/rpmbuild/BUILDROOT/signify-27-1.fc29.x86_64/usr/bin/signify
extracting debug info from /home/marcus/rpmbuild/BUILDROOT/signify-27-1.fc29.x86_64/usr/bin/signify
gdb-add-index: No index was created for /home/marcus/rpmbuild/BUILDROOT/signify-27-1.fc29.x86_64/usr/bin/signify
gdb-add-index: [Was there no debuginfo? Was there already an index?]
/usr/lib/rpm/sepdebugcrcfix: Updated 0 CRC32s, 1 CRC32s did match.

[…]

Processing files: signify-debugsource-27-1.fc29.x86_64
error: Empty %files file /home/marcus/src/signify-package/signify-27/debugsourcefiles.list
    Empty %files file /home/marcus/src/signify-package/signify-27/debugsourcefiles.list
```

With `-g`, the debug symbols get extracted, then the binary gets stripped and a stripped binary gets installed:

```
$ file $(which signify)
/usr/bin/signify: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=e481012b03a1ccefe987d294d18eafc9f4b49935, stripped
```

Which led me to believe this was the right way to go.

Comment 8 Antonio T. (sagitter) 2020-01-10 22:22:05 UTC
%build
%set_build_flags
%make_build

%install
%make_install PREFIX=%{_prefix}

Comment 9 Marcus Müller 2020-01-10 22:38:49 UTC
(In reply to Antonio from comment #8)
> %set_build_flags

That works, thanks!

Updated:
Spec URL: https://raw.githubusercontent.com/marcusmueller/signify-package/master/signify.spec
SRPM URL: https://github.com/marcusmueller/signify-package/raw/master/signify-27-1.fc29.src.rpm

Comment 10 Antonio T. (sagitter) 2020-01-11 11:52:02 UTC
(In reply to Marcus Müller from comment #9)
> (In reply to Antonio from comment #8)
> > %set_build_flags
> 
> That works, thanks!
> 
> Updated:
> Spec URL:
> https://raw.githubusercontent.com/marcusmueller/signify-package/master/
> signify.spec
> SRPM URL:
> https://github.com/marcusmueller/signify-package/raw/master/signify-27-1.
> fc29.src.rpm

Include the License file when possible and remove bundled libraries in %prep section, also perform a scratch build on Rawhide, please.
Then, we can do a definitive review.

Comment 11 Marcus Müller 2020-01-11 11:57:44 UTC
> remove bundled libraries in %prep
> section

Could you elaborate on that? Does that mean `rm -r libwaive/` or something else?

Comment 12 Antonio T. (sagitter) 2020-01-11 12:10:47 UTC
(In reply to Marcus Müller from comment #11)
> > remove bundled libraries in %prep
> > section
> 
> Could you elaborate on that? Does that mean `rm -r libwaive/` or something
> else?

Exactly; something like:

%prep
%autosetup

rm -rf libwaive

%build
...

Comment 13 Marcus Müller 2020-01-11 12:23:50 UTC
ah, excellent, without the `%autosetup` I was struggling to be in the right directory.

By the way, you've been tremendously helpful, especially by pointing me to the right macros to use. I might have learned basics of SPEC authorship too long ago to be "up to date" with modern Fedora RPM macros.

Is there a reference SPEC or documentation you can recommend to learn about things like `%set_build_flags`?

In the meantime: scratch build submitted. https://koji.fedoraproject.org/koji/taskinfo?taskID=40403945

Comment 14 Marcus Müller 2020-01-11 12:29:06 UTC
The LICENSE file I currently consider a blocker: I've got a pull-request to the upstream github repo open, which I'd like the owner of that repo to review. After all, this is ISC license with a list of authors, and I'd like that list to be correct.

It's, on the other hand, just a condensation of the copyright holders in the license headers in the individual source files. Haven't found a OpenBSD nor a Fedora policy for how to do that.

Comment 15 Antonio T. (sagitter) 2020-01-11 13:48:26 UTC
(In reply to Marcus Müller from comment #13)
> 
> Is there a reference SPEC or documentation you can recommend to learn about
> things like `%set_build_flags`?
>

https://docs.fedoraproject.org/en-US/packaging-guidelines/

> The LICENSE file I currently consider a blocker: I've got a pull-request to the upstream github repo open, which I'd like the owner of that repo to review. 
> After all, this is ISC license with a list of authors, and I'd like that list to be correct.

https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuidelines/#_license_text

Comment 16 Antonio T. (sagitter) 2020-01-11 14:02:01 UTC
Use `ld` as linker:

...

%build
%set_build_flags
export LD=ld
%make_build

...

Comment 17 Robert-André Mauchin 🐧 2020-03-08 20:17:36 UTC
Bump, seems v29 fixes license issue.

Comment 18 Robert-André Mauchin 🐧 2020-03-08 20:18:08 UTC
also add newline between your changelog entries.

Comment 19 Tom "spot" Callaway 2021-02-19 16:29:32 UTC
Marcus, are you still interested in maintaining this package? I think all your blockers are resolved now, and I'd be happy to do the final review on a v30 version of this package.

Comment 20 Marcus Müller 2021-02-24 09:07:25 UTC
@spotrh@gmail.com on it.

Comment 21 Marcus Müller 2021-02-24 09:29:12 UTC
@spotrh@gmail.com I might need an adult to help me through this (it's been a year since I last touched fedpkg/koji), because `fedpkg scratch-build` leads to a failing build attempt: https://koji.fedoraproject.org/koji/taskinfo?taskID=62627512 

The problem seems to be that unlike my previous scratch-build (from a year ago... shame on me), this fails to git clone, checkout.log tells me

```
$ git clone -n https://src.fedoraproject.org/git@github.com:marcusmueller/signify-package.git /var/lib/mock/f35-build-25888185-3053391/root/chroot_tmpdir/scmroot/signify-package
Cloning into '/var/lib/mock/f35-build-25888185-3053391/root/chroot_tmpdir/scmroot/signify-package'...
fatal: repository 'https://src.fedoraproject.org/git@github.com:marcusmueller/signify-package.git/' not found
```

For now I'm `fedpkg scratch-build --srpm signify-30-1.fc35.src.rpm`, but this is a bit confusing.

Comment 22 Tom "spot" Callaway 2021-02-24 18:09:44 UTC
Hmm. I always do scratch builds with the SRPM and not a git checkout, so I'm not sure I can help you there. Did the SRPM scratch-build succeed?

Comment 23 Marcus Müller 2021-02-24 20:15:38 UTC
OK, then that's no big deal, as indeed, the SRPM build works beautifully on all rawhide archs.

Comment 24 Tom "spot" Callaway 2021-02-25 20:20:19 UTC
Nice package. Couple of minor issues:

1. You have macros in the changelog. rpmlint warns on those. Those are easily fixed by replacing macro references (%check) with escaped references (%%check).
2. There are a few more licenses in play in this code base, but they're all compatible. Correct License tag should be License: ISC and MIT and BSD

Package Review
==============

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated
[ ] = Manual review needed



===== MUST items =====

C/C++:
[x]: Package does not contain kernel modules.
[x]: Package contains no static executables.
[x]: If your application is a C or C++ application you must list a
     BuildRequires against gcc, gcc-c++ or clang.
[x]: Header files in -devel subpackage, if present.
[x]: Package does not contain any libtool archives (.la)
[x]: Rpath absent or only used for internal libs.

Generic:
[x]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[ ]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses
     found: "Unknown or generated", "ISC License", "*No copyright* ISC
     License", "BSD 4-clause "Original" or "Old" License", "Expat License",
     "ISC License Beerware License", "BSD 3-clause "New" or "Revised"
     License". 
[x]: License file installed when any subpackage combination is installed.
[x]: %build honors applicable compiler flags or justifies otherwise.
[x]: Package contains no bundled libraries without FPC exception.
[x]: Changelog in prescribed format.
[x]: Sources contain only permissible code or content.
[-]: Package contains desktop file if it is a GUI application.
[-]: Development files must be in a -devel package
[x]: Package uses nothing in %doc for runtime.
[x]: Package consistently uses macros (instead of hard-coded directory
     names).
[x]: Package is named according to the Package Naming Guidelines.
[x]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[-]: Requires correct, justified where necessary.
[x]: Spec file is legible and written in American English.
[-]: Package contains systemd file(s) if in need.
[x]: Useful -debuginfo package or justification otherwise.
[x]: Package is not known to require an ExcludeArch tag.
[-]: Large documentation must go in a -doc subpackage. Large could be size
     (~1MB) or number of files.
     Note: Documentation size is 20480 bytes in 2 files.
[x]: Package complies to the Packaging Guidelines
[x]: Package successfully compiles and builds into binary rpms on at least
     one supported primary architecture.
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: If (and only if) the source package includes the text of the
     license(s) in its own file, then that file, containing the text of the
     license(s) for the package is included in %license.
[x]: Package requires other packages for directories it uses.
[x]: Package must own all directories that it creates.
[x]: Package does not own files or directories owned by other packages.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Dist tag is present.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package must not depend on deprecated() packages.
[x]: Package use %makeinstall only when make install DESTDIR=... doesn't
     work.
[x]: Package is named using only allowed ASCII characters.
[x]: Package does not use a name that already exists.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as
     provided in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Packages must not store files under /srv, /opt or /usr/local

===== SHOULD items =====

Generic:
[-]: If the source package does not include license text(s) as a separate
     file from upstream, the packager SHOULD query upstream to include it.
[x]: Final provides and requires are sane (see attachments).
[x]: Package functions as described.
[x]: Latest version is packaged.
[-]: Package does not include license text files separate from upstream.
[-]: Sources are verified with gpgverify first in %prep if upstream
     publishes signatures.
     Note: gpgverify is not used.
[-]: Description and summary sections in the package spec file contains
     translations for supported Non-English languages, if available.
[x]: Package should compile and build into binary rpms on all supported
     architectures.
[x]: %check is present and all tests pass.
[x]: Packages should try to preserve timestamps of original installed
     files.
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Fully versioned dependency in subpackages if applicable.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: Sources can be downloaded from URI in Source: tag
[x]: SourceX is a working URL.
[x]: Spec use %global instead of %define unless justified.

===== EXTRA items =====

Generic:
[x]: Rpmlint is run on debuginfo package(s).
     Note: No rpmlint messages.
[x]: Rpmlint is run on all installed packages.
     Note: No rpmlint messages.
[x]: Large data in /usr/share should live in a noarch subpackage if package
     is arched.
[x]: Spec file according to URL is the same as in SRPM.


Rpmlint
-------
Checking: signify-30-2.fc33.x86_64.rpm
          signify-debuginfo-30-2.fc33.x86_64.rpm
          signify-debugsource-30-2.fc33.x86_64.rpm
          signify-30-2.fc33.src.rpm
signify.src:56: W: macro-in-%changelog %check
signify.src:57: W: macro-in-%changelog %set_build_flags
4 packages and 0 specfiles checked; 0 errors, 2 warnings.




Rpmlint (debuginfo)
-------------------
Checking: signify-debuginfo-30-2.fc33.x86_64.rpm
1 packages and 0 specfiles checked; 0 errors, 0 warnings.



Rpmlint (installed packages)
----------------------------
3 packages and 0 specfiles checked; 0 errors, 0 warnings.



Source checksums
----------------
https://github.com/aperezdc/signify/releases/download/v30/signify-30.tar.xz :
  CHECKSUM(SHA256) this package     : f68406c3085ef902e85500e6c0b90e4c3f56347e5efffc0da7b6fb47803c8686
  CHECKSUM(SHA256) upstream package : f68406c3085ef902e85500e6c0b90e4c3f56347e5efffc0da7b6fb47803c8686


Requires
--------
signify (rpmlib, GLIBC filtered):
    libbsd.so.0()(64bit)
    libbsd.so.0(LIBBSD_0.0)(64bit)
    libbsd.so.0(LIBBSD_0.2)(64bit)
    libc.so.6()(64bit)
    rtld(GNU_HASH)

signify-debuginfo (rpmlib, GLIBC filtered):

signify-debugsource (rpmlib, GLIBC filtered):



Provides
--------
signify:
    signify
    signify(x86-64)

signify-debuginfo:
    debuginfo(build-id)
    signify-debuginfo
    signify-debuginfo(x86-64)

signify-debugsource:
    signify-debugsource
    signify-debugsource(x86-64)



APPROVED (but please update the License: tag before committing).

Comment 25 Marcus Müller 2021-02-28 13:32:13 UTC
> APPROVED (but please update the License: tag before committing).

YES! Thank you :)

Done, see git.

Also, rpmlint on spec, srpm and installed rpms is all clean.

Comment 26 Mohan Boddu 2021-03-01 16:30:23 UTC
(fedscm-admin):  The Pagure repository was created at https://src.fedoraproject.org/rpms/signify


Note You need to log in before you can comment on or make changes to this bug.