Spec Name or Url: http://hircus.org/fedora/zeroinstall-injector/zeroinstall-injector.spec SRPM Name or Url: http://hircus.org/fedora/zeroinstall-injector/zeroinstall-injector-0.18-1.src.rpm Description: A running process is created by combining many different libraries (and other components). In the Zero Install world, we have all versions of each library available at all times. The problem then is how to choose which versions to use. The injector solves this problem by selecting components to meet a program's requirements, according to a policy you give it. The injector finds out which versions are available, and downloads and runs the ones you choose.
Good: + Local build works. Bad: - Source contains not a fullqualified URL. - Use of %{_datadir}/man instead of %{_mandir} Questions: Why do you set CFLAGS for a noarch package?
The upstream source is self-signed with GPG, and there's no unsigned tarball I can link to for the Source field. CFLAGS removed and mandir changed to use %{_mandir}, thanks. http://hircus.org/fedora/zeroinstall-injector/zeroinstall-injector.spec http://hircus.org/fedora/zeroinstall-injector/zeroinstall-injector-0.18-2.src.rpm
Bad: - Source0 contains not a full qualiifed URL. - BuildRequires: python should be add.
I agree on the second point, but about Source0, as I explained, the upstream source is a signed GPG file. Using the upstream source would require a BuildRequires on gnupg .. The source verification can be done by downloading the GPG-ed tarball from here: http://sourceforge.net/project/showfiles.php?group_id=76468&package_id=146899&release_id=390954 So the options are: - point Source0 to the .tar.gz.gpg file, BuildReq on gnupg - Manual verification of the source tarball (take the upstream source, gpg --decrypt ${file} > newfile, compare md5sums or do a diff) The QA checklist does not say anything about including the full Source URL, just that the source matches upstream. Let's come to an agreement on this and then I can submit the final version of the .spec file?
(In reply to comment #4) > I agree on the second point, but about Source0, as I explained, the upstream > source is a signed GPG file. Using the upstream source would require a > BuildRequires on gnupg .. > > The source verification can be done by downloading the GPG-ed tarball from here: > http://sourceforge.net/project/showfiles.php?group_id=76468&package_id=146899&release_id=390954 > > So the options are: > - point Source0 to the .tar.gz.gpg file, BuildReq on gnupg > - Manual verification of the source tarball (take the upstream source, gpg > --decrypt ${file} > newfile, compare md5sums or do a diff) I would advocate the first option; it allows people to do: $ spectool --gf zeroinstall-injector.spec to retrieve the sources directly from upstream. Shouldn't the buildreq be python-devel rather than python?
I agree with Paul that we should use the first option. And I have a look. A python-devel package is existance. Becouse I'm kow on a windows machine, I don't determinate, if setup.py is contains in python-devel. If so, what I believe, python-devel should be a BuildRequire.
Most Python packages actually BuildRequire on python, not python-devel : the setup.py file is included with the source tarball, and it imports distutils.core which is part of python, not python-devel. Haven't used spectool --gf before, that's handy. OK, first option it is, we need a BuildRequire on gnupg, but no BuildReq on python-devel. Will upload a new package tomorrow (actually, later today) after some testing. Thanks for all your help, - Michel
So, as I posted on the mailing list, there is no clean way of using the signed tarball that upstream provided. This is the hackery I have so far; it works, has no side effect, but rpmlint is deeply unhappy by the use of %{sourcedir}. Unless there is a cleaner solution I'd suggest that either the curious user find the upstream and verify it himself. %prep # Decrypt upstream source, ignore error message due to unknown key gpg --decrypt %{_sourcedir}/%{name}-%{version}.tar.gz.gpg > %{_sourcedir}/%{name}-%{version}.tar.gz || true # Point source to the decrypted tarball mv %{_sourcedir}/%{name}-%{version}.tar.gz.gpg %{_sourcedir}/%{name}-%{version}.tar.gz.gpgbak mv %{_sourcedir}/%{name}-%{version}.tar.gz %{_sourcedir}/%{name}-%{version}.tar.gz.gpg %setup -q # Restore upstream tarball mv %{_sourcedir}/%{name}-%{version}.tar.gz.gpgbak %{_sourcedir}/%{name}-%{version}.tar.gz
Why not use %setup -c -T to make a directory and cd into it. Decrypt %{SOURCE0} into the current directory, untar it manually, and go on with the installation as normal?
This is what Ville Skyttä suggested as well. I decided to do something similar, but the other way around: after %prep, back up one directory, manually untar, then call %setup with -D (do not delete) and -T (do not untar). This way, %setup gets to sanitize file ownership and permissions. Thanks for the suggestion! Changes from the previous -2 release: - Now use gpg-signed upstream tarball, BuildReq on gnupg to handle this The other BuildReq is still on Python, as explained before. Spec Name or Url: http://hircus.org/fedora/zeroinstall-injector/zeroinstall-injector.spec SRPM Name or Url: http://hircus.org/fedora/zeroinstall-injector/zeroinstall-injector-0.18-3.src.rpm
I believe all issues have been resolved - Jochen, you might want to look at the latest src.rpm ?
Good: + rpmlint of source rpm ok. Bad: - local build failes: zeroinstall-injector-0.18/zeroinstall/injector/__init__.py zeroinstall-injector-0.18/zeroinstall/injector/download.py zeroinstall-injector-0.18/zeroinstall/injector/reader.py zeroinstall-injector-0.18/zeroinstall/__init__.py zeroinstall-injector-0.18/COPYING + popd ~/redhat/BUILD + cd /home/pclinux/redhat/BUILD + cd zeroinstall-injector-0.18 /var/tmp/rpm-tmp.94338: line 28: cd: zeroinstall-injector-0.18: No such file or directory Fehler: Bad exit status from /var/tmp/rpm-tmp.94338 (%prep)
So terribly sorry; ommitted to remove the pushd and popd. Spec Name or Url: http://hircus.org/fedora/zeroinstall-injector/zeroinstall-injector.spec SRPM Name or Url: http://hircus.org/fedora/zeroinstall-injector/zeroinstall-injector-0.18-4.src.rpm
Good: + Local build worked fine. + rpmlint for SRPM ok. + rpmlint for binaries RPMs ok. + Build on mock worked fine. I'm glade that I can APPROVE you package.
Could you set the blocker bug to FE-ACCEPT (#163779) ? Don't want to step on your toes.. thanks!
Package Change Request ====================== Package Name: zeroinstall-injector New Branches: EL-5 Owners: salimma I've just tested and zeroinstall-injector work just fine on CentOS 5
cvs done.