Side note: python-httptools and nodejs both bundle llhttp. Maybe we can unbundle it later.

Where does the check-null-licenses script originate from?

(In reply to Miro Hrončok from comment #2)
> Where does the check-null-licenses script originate from?

I wrote it to work around https://bugzilla.redhat.com/show_bug.cgi?id=1920223 around the time the rewritten NodeJS guidelines came out in Fedora 34.

Since then, nodejs-packaging-bundler was improved to flag the problem—at least in the “prod” bundle.

However, I’ve retained the auditing script in the several NodeJS packages I maintain, because (a) it also checks the “dev” bundle, and (b) it’s a convenient way to record what dependencies I’ve manually audited and why/how I determined they are acceptably-licensed.

(In reply to Ben Beasley from comment #3)
> (In reply to Miro Hrončok from comment #2)
> > Where does the check-null-licenses script originate from?
> 
> I wrote it to work around
> https://bugzilla.redhat.com/show_bug.cgi?id=1920223 around the time the
> rewritten NodeJS guidelines came out in Fedora 34.
> 
> Since then, nodejs-packaging-bundler was improved to flag the problem—at
> least in the “prod” bundle.
> 
> However, I’ve retained the auditing script in the several NodeJS packages I
> maintain, because (a) it also checks the “dev” bundle, and (b) it’s a
> convenient way to record what dependencies I’ve manually audited and why/how
> I determined they are acceptably-licensed.


Should we move it out of this package to nodejs-pacakging?


------------------

Requires:       llhttp%{?_isa} = %{version}-%{release}

Consider including %{?epoch:%{epoch}:}, it is helpful to avoid future mistakes.



------------------

if [ '%{_prefix}/lib' != '%{_libdir}' ]
then
  mv -v %{buildroot}%{_prefix}/lib/libllhttp.so* '%{buildroot}/%{_libdir}'
fi


Should %{buildroot}%{_prefix}/lib also be deleted after the move?



------------------


The rest of the spec file looks quite reasonable. The comments are very helpful.

rpmlint says:

llhttp.x86_64: E: shlib-policy-name-error 0.1

The package contains shared library but is not named after its SONAME.


Is the soname set sufficiently?

> Should we move it out of this package to nodejs-pacakging?

Maybe. I’m not sure whether or not the idea of doing license validation at build time this way would be received with interest by the nodejs-packaging maintainers or by other packagers of NodeJS packages. (I think this is a small population. There seem to be only a handful of NodeJS packages overall right now.)

Perhaps it’s worth pointing it out to the nodejs-packaging maintainers in the form of a heads-up: this script exists, and it solves certain problems for me.

> Consider including %{?epoch:%{epoch}:}, it is helpful to avoid future mistakes.

Sure, that’s reasonable. The epoch-less form is suggested in https://docs.fedoraproject.org/en-US/packaging-guidelines/#_requiring_base_package, but adding the conditional epoch is obviously also correct.

> Should %{buildroot}%{_prefix}/lib also be deleted after the move?

Maybe, although it doesn’t really cause any harm:

- It will end up getting re-created to hold the debuginfo files, which live in /usr/lib/debug%{_libdir}
- It’s not included in any of the explicit %files lists.
- If we missed moving a file, the build would fail due to unpackaged files

Still, “rmdir %{buildroot}%{_prefix}/lib” would be harmless and could help document the expectation that we’ve emptied the directory at the time of the move.

(In reply to Miro Hrončok from comment #5)
> rpmlint says:
> 
> llhttp.x86_64: E: shlib-policy-name-error 0.1
> 
> The package contains shared library but is not named after its SONAME.
> 
> 
> Is the soname set sufficiently?

I believe so:

> $ readelf -a ./usr/lib64/libllhttp.so.0.1 | grep -i soname
>  0x000000000000000e (SONAME)             Library soname: [libllhttp.so.0.1]

I’ve already seen this from rpmlint 2.x several times since Fedora 35 came out; it seems to be trying to enforce a rule that a package that provides libfoo.so MUST be named libfoo, which isn’t something Fedora’s naming guidelines insist on.

> Consider including %{?epoch:%{epoch}:}, it is helpful to avoid future mistakes.
> Should %{buildroot}%{_prefix}/lib also be deleted after the move?

I’ve implemented these two suggestions.

Spec URL: https://music.fedorapeople.org/20211206/llhttp.spec
SRPM URL: https://music.fedorapeople.org/20211206/llhttp-6.0.6-1.fc35.src.rpm

Package Review
==============


Package APPROVED.

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated


===== MUST items =====

C/C++:
[x]: Package does not contain kernel modules.
[x]: Package contains no static executables.
[x]: If your application is a C or C++ application you must list a
     BuildRequires against gcc, gcc-c++ or clang.
[x]: Header files in -devel subpackage, if present.
[x]: ldconfig not called in %post and %postun for Fedora 28 and later.
[x]: Package does not contain any libtool archives (.la)
[x]: Rpath absent or only used for internal libs.
[x]: Development (unversioned) .so files in -devel subpackage, if present.

Generic:
[x]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[x]: License field in the package spec file matches the actual license.
[x]: License file installed when any subpackage combination is installed.
[x]: %build honors applicable compiler flags or justifies otherwise.
[-]: Package contains no bundled libraries without FPC exception.
[-]: Changelog in prescribed format.
[x]: Sources contain only permissible code or content.
[-]: Package contains desktop file if it is a GUI application.
[x]: Development files must be in a -devel package
[x]: Package uses nothing in %doc for runtime.
[x]: Package consistently uses macros (instead of hard-coded directory
     names).
[x]: Package is named according to the Package Naming Guidelines.
[x]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[x]: Requires correct, justified where necessary.
[x]: Spec file is legible and written in American English.
[-]: Package contains systemd file(s) if in need.
[x]: Useful -debuginfo package or justification otherwise.
[x]: Package is not known to require an ExcludeArch tag.
[-]: Large documentation must go in a -doc subpackage. Large could be size
     (~1MB) or number of files.
     Note: Documentation size is 10240 bytes in 1 files.
[x]: Package complies to the Packaging Guidelines
[x]: Package successfully compiles and builds into binary rpms on at least
     one supported primary architecture.
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: If (and only if) the source package includes the text of the
     license(s) in its own file, then that file, containing the text of the
     license(s) for the package is included in %license.
[x]: Package requires other packages for directories it uses.
[x]: Package must own all directories that it creates.
[x]: Package does not own files or directories owned by other packages.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package must not depend on deprecated() packages.
[x]: Package use %makeinstall only when make install DESTDIR=... doesn't
     work.
[x]: Package is named using only allowed ASCII characters.
[x]: Package does not use a name that already exists.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as
     provided in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Packages must not store files under /srv, /opt or /usr/local

===== SHOULD items =====

Generic:
[-]: If the source package does not include license text(s) as a separate
     file from upstream, the packager SHOULD query upstream to include it.
[x]: Final provides and requires are sane (see attachments).
[?]: Package functions as described.
[?]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[-]: Sources are verified with gpgverify first in %prep if upstream
     publishes signatures.
     Note: gpgverify is not used.
[x]: %check is present and all tests pass.
[?]: Packages should try to preserve timestamps of original installed
     files.
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Fully versioned dependency in subpackages if applicable.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: Sources can be downloaded from URI in Source: tag
[x]: SourceX is a working URL.
[x]: Package should compile and build into binary rpms on all supported
     architectures.
[x]: Spec use %global instead of %define unless justified.

===== EXTRA items =====

Generic:
[x]: Rpmlint is run on debuginfo package(s).
     Note: There are rpmlint messages (see attachment).
[x]: Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).
[x]: Large data in /usr/share should live in a noarch subpackage if package
     is arched.
[x]: Spec file according to URL is the same as in SRPM.


Rpmlint
-------

$ rpmlint ./*.rpm
============================ rpmlint session starts ============================
rpmlint: 2.1.0
configuration:
    /usr/lib/python3.10/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/licenses.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
checks: 31, packages: 5

llhttp-debuginfo.x86_64: W: unstripped-binary-or-object /usr/lib/debug/usr/lib64/libllhttp.so.0.1-6.0.6-1.fc36.x86_64.debug
llhttp.src: W: strange-permission check-null-licenses 775
llhttp.x86_64: E: shlib-policy-name-error 0.1
llhttp-debuginfo.x86_64: E: shared-library-without-dependency-information /usr/lib/debug/usr/lib64/libllhttp.so.0.1-6.0.6-1.fc36.x86_64.debug
llhttp-debuginfo.x86_64: W: no-documentation
llhttp-debugsource.x86_64: W: no-documentation
llhttp.x86_64: W: no-documentation
llhttp-devel.x86_64: W: missing-dependency-on llhttp*/llhttp-libs/libllhttp* = 6.0.6
llhttp.spec:173: W: macro-in-%changelog %autochangelog
llhttp.spec: W: invalid-url Source2: llhttp-6.0.6-nm-dev.tgz
llhttp-debuginfo.x86_64: W: dangling-relative-symlink /usr/lib/debug/.build-id/7f/d1a7e59c36a4b19162e05104ebf0d6829404a6 ../../../.build-id/7f/d1a7e59c36a4b19162e05104ebf0d6829404a6
 5 packages and 0 specfiles checked; 2 errors, 9 warnings, 2 badness; has taken 0.7 s 

<mock-chroot> sh-5.1# rpmlint -i llhttp\*
============================ rpmlint session starts ============================
rpmlint: 2.1.0
configuration:
    /usr/lib/python3.10/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/licenses.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
checks: 31, packages: 1

llhttp-debuginfo.x86_64: W: unstripped-binary-or-object /usr/lib/debug/usr/lib64/libllhttp.so.0.1-6.0.6-1.fc36.x86_64.debug
llhttp.x86_64: E: shlib-policy-name-error 0.1
llhttp.x86_64: W: no-documentation
llhttp-debugsource.x86_64: W: no-documentation
llhttp-debuginfo.x86_64: W: no-documentation
llhttp-devel.x86_64: W: missing-dependency-on llhttp*/llhttp-libs/libllhttp* = 6.0.6
llhttp-debuginfo.x86_64: E: ldd-failed /usr/lib/debug/usr/lib64/libllhttp.so.0.1-6.0.6-1.fc36.x86_64.debug /usr/bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
ldd: warning: you do not have execution permission for `/usr/lib/debug/usr/lib64/libllhttp.so.0.1-6.0.6-1.fc36.x86_64.debug'

llhttp-debuginfo.x86_64: W: dangling-relative-symlink /usr/lib/debug/.build-id/7f/d1a7e59c36a4b19162e05104ebf0d6829404a6 ../../../.build-id/7f/d1a7e59c36a4b19162e05104ebf0d6829404a6
 4 packages and 0 specfiles checked; 2 errors, 6 warnings, 2 badness; has taken 0.2 s 




Source checksums
----------------
https://github.com/nodejs/llhttp/archive/v6.0.6/llhttp-6.0.6.tar.gz :
  CHECKSUM(SHA256) this package     : 7ea6bb26bdf31a7a4410af5ee62edcede1804a7ef150ca32f32100112f17522b
  CHECKSUM(SHA256) upstream package : 7ea6bb26bdf31a7a4410af5ee62edcede1804a7ef150ca32f32100112f17522b


Requires
--------
llhttp (rpmlib, GLIBC filtered):
    libc.so.6()(64bit)
    rtld(GNU_HASH)

llhttp-devel (rpmlib, GLIBC filtered):
    cmake-filesystem
    cmake-filesystem(x86-64)
    libllhttp.so.0.1()(64bit)
    llhttp(x86-64)

llhttp-debuginfo (rpmlib, GLIBC filtered):

llhttp-debugsource (rpmlib, GLIBC filtered):



Provides
--------
llhttp:
    libllhttp.so.0.1()(64bit)
    llhttp
    llhttp(x86-64)

llhttp-devel:
    cmake(llhttp)
    llhttp-devel
    llhttp-devel(x86-64)

llhttp-debuginfo:
    debuginfo(build-id)
    libllhttp.so.0.1-6.0.6-1.fc36.x86_64.debug()(64bit)
    llhttp-debuginfo
    llhttp-debuginfo(x86-64)

llhttp-debugsource:
    llhttp-debugsource
    llhttp-debugsource(x86-64)



Generated by fedora-review 0.7.0 (fed5495) last change: 2019-03-17
Command line :try-fedora-review -b 2029461 -m fedora-rawhide-x86_64
Buildroot used: fedora-rawhide-x86_64
Active plugins: Generic, C/C++, Shell-api
Disabled plugins: Python, PHP, Java, Ruby, R, Perl, SugarActivity, Haskell, Ocaml, fonts
Disabled flags: EPEL6, EPEL7, DISTTAG, BATCH, EXARCH

Thanks! Repository requested.

Feel free to CC me if there’s a package review or something else I can help you out with.

(fedscm-admin):  The Pagure repository was created at https://src.fedoraproject.org/rpms/llhttp

FEDORA-2021-f19f0c1fa5 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2021-f19f0c1fa5

FEDORA-2021-f19f0c1fa5 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

FEDORA-2021-da883c3834 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-da883c3834

FEDORA-2021-a6a183f306 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-a6a183f306

FEDORA-EPEL-2021-c8d423e022 has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-c8d423e022

I tried unbundling from python-httptools (https://src.fedoraproject.org/fork/music/rpms/python-httptools/tree/llhttp).

It was straightforward, but (with or without updating python-httptools from 0.2.0 to 0.3.0—upstream claims “no functional changes”) exactly one test is failing: https://koji.fedoraproject.org/koji/taskinfo?taskID=79660397

======================================================================
FAIL: test_parser_response_1 (test_parser.TestResponseParser)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/builddir/build/BUILD/httptools-0.3.0/tests/test_parser.py", line 104, in test_parser_response_1
    with self.assertRaisesRegex(
AssertionError: HttpParserError not raised
----------------------------------------------------------------------

Perhaps this will get worked out upstream after https://github.com/MagicStack/httptools/pull/67 is revisited. I’m not really eager to dig into it right now.

FEDORA-2021-a6a183f306 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf install --enablerepo=updates-testing --advisory=FEDORA-2021-a6a183f306 \*`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-a6a183f306

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2021-da883c3834 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf install --enablerepo=updates-testing --advisory=FEDORA-2021-da883c3834 \*`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-da883c3834

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-EPEL-2021-c8d423e022 has been pushed to the Fedora EPEL 9 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-c8d423e022

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Miro, what do you think of the following alternative approach to this package?

https://src.fedoraproject.org/rpms/llhttp/pull-request/1

I liked generating the C sources within the RPM build environment, but the approach in the PR seems well-founded in the guidelines for pre-generated code, and it reduces the exposure of this package to the ongoing controversy about NodeJS packaging guidelines.

I'll follow up on the PR.

FEDORA-2021-a6a183f306 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.

FEDORA-EPEL-2021-c8d423e022 has been pushed to the Fedora EPEL 9 stable repository.
If problem still persists, please make note of it in this bug report.

FEDORA-2021-da883c3834 has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.