This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 181801 - Review Request: zeroinstall-injector
Review Request: zeroinstall-injector
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Jochen Schmitt
Fedora Package Reviews List
:
Depends On:
Blocks: FE-ACCEPT
  Show dependency treegraph
 
Reported: 2006-02-16 13:16 EST by Michel Alexandre Salim
Modified: 2009-02-28 19:30 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-03-19 19:25:33 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
kevin: fedora‑cvs+


Attachments (Terms of Use)

  None (edit)
Description Michel Alexandre Salim 2006-02-16 13:16:31 EST
Spec Name or Url: http://hircus.org/fedora/zeroinstall-injector/zeroinstall-injector.spec
SRPM Name or Url: http://hircus.org/fedora/zeroinstall-injector/zeroinstall-injector-0.18-1.src.rpm
Description:
A running process is created by combining many different libraries (and other components). In the Zero Install world, we have all versions of each library available at all times. The problem then is how to choose which versions to use.

The injector solves this problem by selecting components to meet a program's requirements, according to a policy you give it. The injector finds out which versions are available, and downloads and runs the ones you choose.
Comment 1 Jochen Schmitt 2006-02-16 16:13:14 EST
Good:
+ Local build works.

Bad:
- Source contains not a fullqualified URL.
- Use of %{_datadir}/man instead of %{_mandir}

Questions:
Why do you set CFLAGS for a noarch package?
Comment 2 Michel Alexandre Salim 2006-02-18 23:20:57 EST
The upstream source is self-signed with GPG, and there's no unsigned tarball I
can link to for the Source field.

CFLAGS removed and mandir changed to use %{_mandir}, thanks.

http://hircus.org/fedora/zeroinstall-injector/zeroinstall-injector.spec
http://hircus.org/fedora/zeroinstall-injector/zeroinstall-injector-0.18-2.src.rpm
Comment 3 Jochen Schmitt 2006-02-19 14:41:37 EST
Bad:

- Source0 contains not a full qualiifed URL.
- BuildRequires: python should be add.

Comment 4 Michel Alexandre Salim 2006-02-21 22:22:21 EST
I agree on the second point, but about Source0, as I explained, the upstream
source is a signed GPG file. Using the upstream source would require a
BuildRequires on gnupg ..

The source verification can be done by downloading the GPG-ed tarball from here:
http://sourceforge.net/project/showfiles.php?group_id=76468&package_id=146899&release_id=390954

So the options are:
- point Source0 to the .tar.gz.gpg file, BuildReq on gnupg
- Manual verification of the source tarball (take the upstream source, gpg
--decrypt ${file} > newfile, compare md5sums or do a diff)

The QA checklist does not say anything about including the full Source URL, just
that the source matches upstream.

Let's come to an agreement on this and then I can submit the final version of
the .spec file?
Comment 5 Paul Howarth 2006-02-22 01:57:09 EST
(In reply to comment #4)
> I agree on the second point, but about Source0, as I explained, the upstream
> source is a signed GPG file. Using the upstream source would require a
> BuildRequires on gnupg ..
> 
> The source verification can be done by downloading the GPG-ed tarball from here:
>
http://sourceforge.net/project/showfiles.php?group_id=76468&package_id=146899&release_id=390954
> 
> So the options are:
> - point Source0 to the .tar.gz.gpg file, BuildReq on gnupg
> - Manual verification of the source tarball (take the upstream source, gpg
> --decrypt ${file} > newfile, compare md5sums or do a diff)

I would advocate the first option; it allows people to do:

$ spectool --gf zeroinstall-injector.spec

to retrieve the sources directly from upstream.

Shouldn't the buildreq be python-devel rather than python?
Comment 6 Jochen Schmitt 2006-02-22 09:59:03 EST
I agree with Paul that we should use the first option.

And I have a look. A python-devel package is existance. Becouse I'm kow on a 
windows machine, I don't determinate, if setup.py is contains in python-devel.

If so, what I believe, python-devel should be a BuildRequire. 
Comment 7 Michel Alexandre Salim 2006-02-24 01:25:07 EST
Most Python packages actually BuildRequire on python, not python-devel : the
setup.py file is included with the source tarball, and it imports distutils.core
which is part of python, not python-devel.

Haven't used spectool --gf before, that's handy. OK, first option it is, we need
a BuildRequire on gnupg, but no BuildReq on python-devel.

Will upload a new package tomorrow (actually, later today) after some testing.

Thanks for all your help,

- Michel
Comment 8 Michel Alexandre Salim 2006-02-25 16:49:10 EST
So, as I posted on the mailing list, there is no clean way of using the signed
tarball that upstream provided.

This is the hackery I have so far; it works, has no side effect, but rpmlint is
deeply unhappy by the use of %{sourcedir}. Unless there is a cleaner solution
I'd suggest that either the curious user find the upstream and verify it himself.

%prep
# Decrypt upstream source, ignore error message due to unknown key
gpg --decrypt %{_sourcedir}/%{name}-%{version}.tar.gz.gpg >
%{_sourcedir}/%{name}-%{version}.tar.gz || true
# Point source to the decrypted tarball
mv %{_sourcedir}/%{name}-%{version}.tar.gz.gpg
%{_sourcedir}/%{name}-%{version}.tar.gz.gpgbak
mv %{_sourcedir}/%{name}-%{version}.tar.gz
%{_sourcedir}/%{name}-%{version}.tar.gz.gpg

%setup -q
# Restore upstream tarball
mv %{_sourcedir}/%{name}-%{version}.tar.gz.gpgbak
%{_sourcedir}/%{name}-%{version}.tar.gz
Comment 9 Jason Tibbitts 2006-02-25 17:07:15 EST
Why not use %setup -c -T to make a directory and cd into it.  Decrypt %{SOURCE0}
into the current directory, untar it manually, and go on with the installation
as normal?
Comment 10 Michel Alexandre Salim 2006-02-25 17:51:34 EST
This is what Ville Skyttä suggested as well. I decided to do something similar,
but the other way around: after %prep, back up one directory, manually untar,
then call %setup with -D (do not delete) and -T (do not untar). This way, %setup
gets to sanitize file ownership and permissions. Thanks for the suggestion!

Changes from the previous -2 release:
- Now use gpg-signed upstream tarball, BuildReq on gnupg to handle this

The other BuildReq is still on Python, as explained before.


Spec Name or Url:
http://hircus.org/fedora/zeroinstall-injector/zeroinstall-injector.spec
SRPM Name or Url:
http://hircus.org/fedora/zeroinstall-injector/zeroinstall-injector-0.18-3.src.rpm
Comment 11 Michel Alexandre Salim 2006-03-04 10:47:13 EST
I believe all issues have been resolved - Jochen, you might want to look at the
latest src.rpm ?
Comment 12 Jochen Schmitt 2006-03-05 14:11:47 EST
Good:
+ rpmlint of source rpm ok.

Bad:
- local build failes:

zeroinstall-injector-0.18/zeroinstall/injector/__init__.py
zeroinstall-injector-0.18/zeroinstall/injector/download.py
zeroinstall-injector-0.18/zeroinstall/injector/reader.py
zeroinstall-injector-0.18/zeroinstall/__init__.py
zeroinstall-injector-0.18/COPYING
+ popd
~/redhat/BUILD
+ cd /home/pclinux/redhat/BUILD
+ cd zeroinstall-injector-0.18
/var/tmp/rpm-tmp.94338: line 28: cd: zeroinstall-injector-0.18: No such file or
directory
Fehler: Bad exit status from /var/tmp/rpm-tmp.94338 (%prep)

Comment 13 Michel Alexandre Salim 2006-03-05 20:40:42 EST
So terribly sorry; ommitted to remove the pushd and popd. 

Spec Name or Url:
http://hircus.org/fedora/zeroinstall-injector/zeroinstall-injector.spec
SRPM Name or Url:
http://hircus.org/fedora/zeroinstall-injector/zeroinstall-injector-0.18-4.src.rpm
Comment 14 Jochen Schmitt 2006-03-06 12:29:28 EST
Good:
+ Local build worked fine.
+ rpmlint for SRPM ok.
+ rpmlint for binaries RPMs ok.
+ Build on mock worked fine.

I'm glade that I can APPROVE you package.
Comment 15 Michel Alexandre Salim 2006-03-06 14:32:28 EST
Could you set the blocker bug to FE-ACCEPT (#163779) ? Don't want to step on
your toes.. thanks!
Comment 16 Michel Alexandre Salim 2009-02-28 12:06:13 EST
Package Change Request
======================
Package Name: zeroinstall-injector
New Branches: EL-5
Owners: salimma

I've just tested and zeroinstall-injector work just fine on CentOS 5
Comment 17 Kevin Fenzi 2009-02-28 19:30:43 EST
cvs done.

Note You need to log in before you can comment on or make changes to this bug.