Bug 202334 - Review Request: jetty5 - The Jetty Webserver and Servlet Container
Review Request: jetty5 - The Jetty Webserver and Servlet Container
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Thomas Fitzsimmons
Fedora Package Reviews List
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-08-12 20:03 EDT by Anthony Green
Modified: 2007-11-30 17:11 EST (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-10-09 10:35:00 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
fitzsim: fedora‑review+
kevin: fedora‑cvs+


Attachments (Terms of Use)

  None (edit)
Description Anthony Green 2006-08-12 20:03:09 EDT
Spec URL: http://people.redhat.com/green/FE/devel/jetty5.spec
SRPM URL: http://people.redhat.com/green/FE/devel/jetty5-5.1.11-0.rc0.4jpp.src.rpm
Description: 
Jetty is a 100% Java HTTP Server and Servlet Container. 
This means that you do not need to configure and run a 
separate web server (like Apache) in order to use java, 
servlets and JSPs to generate dynamic content. Jetty is 
a fully featured web server for static and dynamic content. 
Unlike separate server/container solutions, this means 
that your web server and web application run in the same 
process, without interconnection overheads and complications. 
Furthermore, as a pure java component, Jetty can be simply 
included in your application for demonstration, distribution 
or deployment. Jetty is available on all Java supported 
platforms.
Comment 1 Kevin Fenzi 2006-10-02 13:21:54 EDT
The extras guidelines for jpp packages have never been finalized, so currently 
packages can't have .jpp in their name. 

Would you be willing to drop the jpp from the name to get this moving forward?

See: http://fedoraproject.org/wiki/PackagingDrafts/JavaPackageNaming
for discussion. 
Comment 2 Jason Tibbitts 2006-10-02 14:10:45 EDT
Just a minor clarification: there is very, very little chance that the
guidelines will ever be changed to allow "jpp" in a release.  The packaging
committee made a few proposals to the Core Java folks, but we never heard back.
 I assume that was due to the general lack of free time due to RHEL5 and FC6 stuff.
Comment 3 Kevin Fenzi 2006-11-11 20:54:09 EST
Ping Anthony. 

Any reply to comments #1 and #2? It's been almost 3 months since you submitted
this... 
Comment 4 Anthony Green 2006-11-11 21:07:52 EST
(In reply to comment #3)
> Ping Anthony. 
> 
> Any reply to comments #1 and #2? It's been almost 3 months since you submitted
> this... 

Woops.  Yes, I can remove "jpp".  I'll submit a new package shortly.

Thanks,

AG
Comment 5 Kevin Fenzi 2006-12-05 23:02:22 EST
Hey Anthony. 

Any further word on a jetty5 package without jpp tags?
Comment 6 Anthony Green 2007-01-07 10:09:19 EST
We can certainly remove the jpp tags, but it's clear that I'm not making time to
continue with this package, so I'd like to withdraw my review request.  Perhaps
somebody else would like to continue with this one.  Sorry!
Comment 7 Andrew Overholt 2007-07-11 16:45:20 EDT
We're going to need jetty for Eclipse 3.3 so I'm going to re-open this review
request.
Comment 8 Andrew Overholt 2007-07-20 11:59:03 EDT
This requires a little bit of cleanup for rpmlint, but it seems to work for me
(I added the demo.xml stuff to jetty.xml and browsed localhost:8080).  I'm going
to see if I can get someone who actually knows about jetty to take it over.  In
the meantime, here are the updated SRPM and spec:

http://fedorapeople.org/~overholt/jetty5-5.1.12-1jpp.1.fc7.src.rpm
http://fedorapeople.org/~overholt/jetty5.spec
Comment 9 Jason Tibbitts 2007-07-27 19:47:48 EDT
This fails to build for me; at the end of the build process, I get:

+ /usr/lib/rpm/check-buildroot
Binary file
/var/tmp/jetty5-5.1.12-1jpp.1.fc8-root-mockbuild/usr/lib/debug/usr/lib64/gcj/jetty5/jetty5-5.1.12_classes.so.debug
matches
Binary file
/var/tmp/jetty5-5.1.12-1jpp.1.fc8-root-mockbuild/usr/lib/debug/usr/lib64/gcj/jetty5/template_classes.so.debug
matches
Binary file
/var/tmp/jetty5-5.1.12-1jpp.1.fc8-root-mockbuild/usr/lib/debug/usr/lib64/gcj/jetty5/jsp-examples.war.so.debug
matches
Binary file
/var/tmp/jetty5-5.1.12-1jpp.1.fc8-root-mockbuild/usr/lib/debug/usr/lib64/gcj/jetty5/servlets-examples.war.so.debug
matches

Found '/var/tmp/jetty5-5.1.12-1jpp.1.fc8-root-mockbuild' in installed files; 
  aborting
error: Bad exit status from /var/tmp/rpm-tmp.85229 (%install)

So somehow the buildroot is leaking into the build package.  It seems pretty
bogus to me but you should double-check that there's nothing going wrong and if
everything is OK then you can export QA_SKIP_BUILD_ROOT=1 in %install and the
test should be skipped.
Comment 10 Ben Konrath 2007-08-06 16:42:35 EDT
Updated RPM to fix the problems in comment #9 and add the manifest needed for
Eclipse 3.3.

http://www.bagu.org/eclipse/jetty5.spec
http://www.bagu.org/eclipse/jetty5-5.1.12-1jpp.1.fc8.src.rpm
Comment 11 Andrew Overholt 2007-08-07 10:49:00 EDT
I guess it would help if I CC'd myself on things ... I can't see how I didn't
hit the same thing Jason did, but thanks for fixing it, Ben!
Comment 12 Ben Konrath 2007-08-07 15:10:15 EDT
I forgot to disable the demos package. This needs to be done to avoid having to
push security updates for bugs in the example code.
Comment 13 Jeff Johnston 2007-08-10 17:02:15 EDT
The demo package has been disabled.  The new spec file and src rpms can be found
here:

http://www.vermillionskye.com/downloads/jetty5.spec
http://www.vermillionskye.com/downloads/jetty5-5.1.12-1jpp.1.src.rpm

Jason, would you be willing to review this?  I cc'd you on the bug, I hope that
is ok.  Please feel free to remove your name if you did not wish to be on the list.
Comment 14 Jason Tibbitts 2007-08-10 19:57:37 EDT
Unfortunately I think this package is a bit beyond my ken.  I was trying to see
of these old packages awaiting review would at least build, but I have no idea
what this package does, I know pretty close to zero about java and frankly I
just haven't the chops to review a java package of this complexity.

Perhaps if nobody has stepped forward to look at this after I've made some good
progress elsewhere in the review queue I'll try to come back and learn more 
about java packaging and try to help out here.
Comment 15 Ben Konrath 2007-08-11 14:01:57 EDT
Vivek, since you're currently maintaining the tomcat5 rpm, do you think you
could review this package? If you're too busy, just say so.
Comment 16 Vivek Lakshmanan 2007-08-13 11:33:51 EDT
(In reply to comment #15)
> Vivek, since you're currently maintaining the tomcat5 rpm, do you think you
> could review this package? If you're too busy, just say so.

If you can wait for a day or two I can certainly take a shot at reviewing.
Comment 17 Ben Konrath 2007-08-13 11:34:58 EDT
That would be great, thanks Vivek!
Comment 18 Andrew Overholt 2007-08-13 13:52:49 EDT
This may be of interest:

http://fedoraproject.org/wiki/Packaging/UsersAndGroups
Comment 19 Thomas Fitzsimmons 2007-08-24 17:07:06 EDT
A few general comments while I wait for the mock build to complete:

- the license field is invalid according to new versions of rpmlint:

  $ rpmlint jetty5-5.1.12-1jpp.1.src.rpm
  W: jetty5 invalid-license Apache Software License

- I don't understand this comment:

  # we need a shell to be able to use su - later

  Can it be expanded to justify why /bin/sh instead of /sbin/nologin?

- I guess you'll add an entry in

  http://fedoraproject.org/wiki/PackageUserRegistry

  ?

- does fedora-usermgmt make preun user deletion OK?  I suppose the problems
  mentioned in

  http://fedoraproject.org/wiki/Packaging/UsersAndGroups

  are addressed by having the user registry + reserved address blocks?

- Maybe elaborate on why excluding the demo package is more secure and
  why you don't just delete those sections of the spec file.

- can the javadoc versioned directory be owned by the package?

- why the manual removal of %{homedir}/extra/ext/*.jar.  Can't they be
  owned by the package?  An explanatory comment would be good.
Comment 20 Thomas Fitzsimmons 2007-08-27 11:50:18 EDT
rpmlint Comments
================

$ rpmlint jetty5-5.1.12-1jpp.1.fc8.i386.rpm | sort
E: jetty5 non-standard-gid /var/cache/jetty5/temp jetty5
...

OK.  rpmlint needs fedora-usermgmt support.

E: jetty5 no-status-entry /etc/init.d/jetty5

Fix.  I don't consider this release-critical but it should be fixed at some point.

E: jetty5 zero-length /etc/jetty5/jetty.conf

Fix.  How about a comment header explaining this file?

W: jetty5 dangling-symlink /usr/share/jetty5/ext/ant.jar /usr/share/java/ant.jar
...

OK.  All provided by requirements, except:

W: jetty5 dangling-symlink /usr/share/jetty5/ext/jspapi.jar
/usr/share/java/jspapi.jar

Fix.  Not provided by any required packages.  Should:

Requires:  jsse

be

Requires:  jsp

?

W: jetty5 hidden-file-or-dir /usr/share/jetty5/.jettyrc

Fix.  Rename jettyrc.

W: jetty5 invalid-license Apache Software License

Fix.  See new rpmlint -i output.

W: jetty5 no-reload-entry /etc/init.d/jetty5

Fix.  Again, not release critical.

W: jetty5 spurious-executable-perm /etc/logrotate.d/jetty5

Fix.

W: jetty5 symlink-should-be-relative /usr/share/jetty5/demo /var/lib/jetty5/demo
...

Fix.  Not release critical.

$ rpmlint jetty5-javadoc-5.1.12-1jpp.1.fc8.i386.rpm | sort
E: jetty5-javadoc zero-length /var/lib/jetty5/webapps/template/WEB-INF/lib/.keepme

Fix.  If this file's only purpose is to prevent CVS directory pruning then it
should be removed in %build.

W: jetty5-javadoc dangerous-command-in-%post ln

Fix.  See general comment above.

W: jetty5-javadoc hidden-file-or-dir
/var/lib/jetty5/webapps/template/WEB-INF/lib/.keepme

Fix.

W: jetty5-javadoc invalid-license Apache Software License

Fix.

W: jetty5-javadoc non-standard-group Development

Fix.

W: jetty5-javadoc wrong-file-end-of-line-encoding
/usr/share/javadoc/jetty5-5.1.12/META-INF/MANIFEST.MF

Fix.

$ rpmlint jetty5-manual-5.1.12-1jpp.1.fc8.i386.rpm | sort
E: jetty5-manual version-control-internal-file
/usr/share/doc/jetty5-5.1.12/WEB-INF/.cvsignore

Fix.

W: jetty5-manual dangerous-command-in-%post ln

Fix.

W: jetty5-manual invalid-license Apache Software License

Fix.

W: jetty5-manual non-standard-group Development/Documentation

Fix.

$ rpmlint jetty5-debuginfo-5.1.12-1jpp.1.fc8.i386.rpm | sort
W: jetty5-debuginfo invalid-license Apache Software License

Fix.

$ rpmlint jetty5-5.1.12-1jpp.1.fc8.src.rpm | sort
W: jetty5 invalid-license Apache Software License

Fix.

Review Guidelines Comments
==========================

MUST items:

OK  rpmlint
OK  naming
OK  spec filename
FIX packaging guidelines
  see below
FIX Fedora-approved license
  remove proprietary code to create modified source zip
OK  license field matches actual license
FIX license file included in %doc
  include all license files as %doc, not just main LICENSE.TXT
OK  english
OK  legible
FIX match upstream sources
  Source0 URL invalid
OK  package builds in x86 mock
OK  buildrequires
OK  no locale data
OK  no shared libraries
OK  not relocatable
OK  owns its directories
FIX files listed twice
  warning: File listed twice: /usr/lib/gcj/jetty5
  warning: File listed twice: /usr/lib/gcj/jetty5/jetty5-5.1.12.jar.db
  warning: File listed twice: /usr/lib/gcj/jetty5/jetty5-5.1.12.jar.so
  warning: File listed twice: /usr/lib/gcj/jetty5/jetty5-jmx-5.1.12.jar.db
  warning: File listed twice: /usr/lib/gcj/jetty5/jetty5-jmx-5.1.12.jar.so
  warning: File listed twice: /usr/lib/gcj/jetty5/jetty5-servlet-5.1.12.jar.db
  warning: File listed twice: /usr/lib/gcj/jetty5/jetty5-servlet-5.1.12.jar.so
  warning: File listed twice: /usr/lib/gcj/jetty5/start.jar.db
  warning: File listed twice: /usr/lib/gcj/jetty5/start.jar.so
  warning: File listed twice: /usr/lib/gcj/jetty5/stop.jar.db
  warning: File listed twice: /usr/lib/gcj/jetty5/stop.jar.so
OK  %clean
OK  consistent macros
OK  code vs content
OK  separate javadoc and manual subpackages
OK  proper operation not dependent on %doc files
OK  no header files
OK  no static libraries
OK  no pkgconfig files
OK  no .so files
OK  devel package requires base package
OK  no libtool archives
OK  no desktop entries
OK  doesn't own other packages' directories
OK  remove buildroot at start of %install
OK  UTF-8 filenames

SHOULD items:

OK  project includes license file
OK  no translations available
OK  package builds in mock
??  didn't check all architectures
OK  jetty starts properly
OK  scriptlets sane
FIX subpackages requiring base package
  remove '0:' epoch references in base package requires (extras and
  manual subpackages)
  javadoc subpackage doesn't require base which is fine
OK  placement of pkgconfig files
OK  package vs file requires
Comment 21 Thomas Fitzsimmons 2007-08-27 11:56:05 EDT
The main release-critical issues: 1) jetty includes many pre-built jars 2) two
pre-built jars are licensed under the Binary Code License Agreement.

1) can be fixed by removing the pre-built jars at the start of %build.  To fix
2) you'll need to modify the source zip file to remove the BCLA-licensed jars. 
Here are the relevant licenses, which are currently simply removed in the spec file:

./etc/LICENSE.javax.xml.html
./etc/LICENSE.jsse.txt
Comment 22 Andrew Overholt 2007-08-27 15:32:27 EDT
What are the BCLA-licensed jars?
Comment 23 Andrew Overholt 2007-08-27 15:48:59 EDT
Tom:  I can't figure out what you mean by the licenses.

$ for g in javax\\.servlet javax\\.xml jsse; do for f in `find -name \*.jar`; do
unzip -l $f | grep $g; done; done
Archive:  ./lib/javax.servlet.jar
       50  02-20-04 13:52  
META-INF/services/javax.xml.parsers.DocumentBuilderFactory
       44  02-20-04 13:52   META-INF/services/javax.xml.parsers.SAXParserFactory
$ find -name javax.servlet.txt[toxic:jetty-5.1.12]$ find -name javax.xml.html
$ find -name jsse.txt
$
Comment 24 Jeff Johnston 2007-08-27 16:43:44 EDT
All jars are now removed from the zip.  What additional license txt files are
you referring to with regards to marking them as %doc.  Rest of comments
addressed in:

http://www.vermillionskye.com/downloads/jetty5.spec
http://www.vermillionskye.com/downloads/jetty5-5.1.12-1jpp.3.src.rpm
Comment 25 Thomas Fitzsimmons 2007-08-27 17:17:06 EDT
(In reply to comment #23)
> Tom:  I can't figure out what you mean by the licenses.

I just meant that whatever code is licensed under those two BCLA license files
must be removed from the tarball.  It's hard to know exactly which jars are
problematic because there could be some re-namespacing going on.  I wondered
about classes in the org.mortbay namespace, for example.  But I didn't do
in-depth forensics.

Here are two specific examples of jars that need to be removed from the zip:

./ext/activation.jar
./ext/mail.jar

activation.jar:
http://java.sun.com/products/javabeans/jaf/downloads/index.html

Look at META-INF/MANIFEST.MF:

...
Implementation-Vendor: Sun Microsystems, Inc.
Specification-Vendor: Sun Microsystems, Inc.
...

mail.jar:
http://java.sun.com/products/javamail/downloads/index.html

Likewise, META-INF/MANIFEST.MF:

...
Implementation-Vendor: Sun Microsystems, Inc.
Specification-Vendor: Sun Microsystems, Inc.
...

There may be more.  It may be safest to just remove all jars to create a
modified source zip.
Comment 26 Andrew Overholt 2007-08-27 17:21:30 EDT
Jeff actually did remove all jars:

# Following source zip was originally taken from the following location:
# http://mirrors.ibiblio.org/pub/mirrors/maven/jetty/jetty-5.1.12.zip
# The zip file was modified by removing all jars and BCLA licenses.
# unzip jetty-5.1.12.zip
# pushd jetty-5.1.12
# find . -name *.jar -exec rm {} \;
# rm ./etc/LICENSE.javax.xml.html ./etc/LICENSE.jsse.txt
# popd
# zip jetty-5.1.12.fedora.zip jetty-5.1.12/*
Comment 27 Thomas Fitzsimmons 2007-08-27 17:27:40 EDT
Yes, I see that now.  My response to your comments collided with Jeff's new-URL
comment.
Comment 28 Thomas Fitzsimmons 2007-08-27 17:48:36 EDT
Looks good.  Just a few more points:

- jetty.conf: by "comment header" I meant adding a comment to jetty.conf itself
(rather than in the spec file, explaining its creation), e.g. indicating the
purpose and maybe the format of the file, as well as a reference to
documentation describing the use of the file.  That would eliminate rpmlint's
complaint about it being an empty file and it would be helpful to the would-be
jetty administrator.

- you added the jsp requirement rather than replacing the jsse requirement.  Is
jsse needed?  (jsse is a virtual provide provided by the JDK packages, and
represents a Java <= 1.4 concept, so it shouldn't be necessary if you're
requiring Java >= 1.5).

- I missed this the first time, but can %{demodir}/webapps just belong to the
manual subpackage?  If not, can you add a comment to the spec file explaining
manual's post section?
Comment 29 Jeff Johnston 2007-08-27 18:23:50 EDT
Added a comment to jetty.conf with a # character to start the line.  I could not
find the format of the file as the references I found online pointed a
non-existent web-site (see earlier comment regarding the URL in the spec file).

I removed the jsse requirement and removed the manual post step.

Updates can be found here:

http://www.vermillionskye.com/downloads/jetty5.spec
http://www.vermillionskye.com/downloads/jetty5-5.1.12-1jpp.4.src.rpm
Comment 30 Thomas Fitzsimmons 2007-08-27 18:39:47 EDT
Right, the URL comment brings up an interesting point: that Eclipse 3.3 will be
depending on a project with a dead upstream.  Longer term, I suppose either you
will have to become the upstream (it would be nice if the URL field were made
valid again) or Eclipse will have to be convinced to use some replacement for
jetty5.  For now though, jetty5 fills a need and it has been carefully packaged.

Approved.
Comment 31 Jeff Johnston 2007-08-28 11:07:34 EDT
New Package CVS Request
=======================
Package Name: jetty5
Short Description: Jetty webserver and servlet container
Owners: jjohnstn
Branches: F-8
InitialCC: overholt
Cvsextras Commits: yes
Comment 32 Jason Tibbitts 2007-08-28 11:23:57 EDT
If this is approved, please set the fedora-review flag to '+'.  (It should be
set to '?' while the package is being reviewed and to '+' once approval is given.)
Comment 33 Andrew Overholt 2007-08-28 15:05:55 EDT
Package Change Request
======================
Package Name: jetty5
Re-name package to jetty.  Sorry, I know this was just approved and imported,
but I should have brought this up during the review.  I was thinking about
having parallel-installable jetty's (5, 6, etc.) but we don't care about that. 
I'm an idiot, sorry :).
Comment 34 Kevin Fenzi 2007-08-28 21:09:59 EDT
This appears to already be done. Please reset the flag if you need further cvs
work done. 
Comment 35 Anthony Green 2007-10-09 10:35:00 EDT
I'm closing this.  It was imported some time ago.

Note You need to log in before you can comment on or make changes to this bug.