Bug 2048261 - Review Request: pgadmin4 - Administration tool for PostgreSQL
Summary: Review Request: pgadmin4 - Administration tool for PostgreSQL
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Filip Januš
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 2037822
 
Reported: 2022-01-30 16:56 UTC by Sandro Mani
Modified: 2022-02-09 11:42 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2022-02-09 11:42:03 UTC
Type: ---
Embargoed:
fjanus: fedora-review+



Description Sandro Mani 2022-01-30 16:56:29 UTC
Spec URL: https://smani.fedorapeople.org/review/pgadmin4.spec
SRPM URL: https://smani.fedorapeople.org/review/pgadmin4-6.4-3.fc36.src.rpm
Description: Administration tool for PostgreSQL
Fedora Account System Username: smani

Scratch build: https://koji.fedoraproject.org/koji/taskinfo?taskID=82140630

Comment 1 Filip Januš 2022-01-31 14:19:33 UTC
Rpmlint found a few errors:

rpmlint pgadmin4-6.4-3.fc36.src.rpm 
=============================================== rpmlint session starts ==============================================
rpmlint: 2.1.0
configuration:
    /usr/lib/python3.10/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/licenses.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
checks: 31, packages: 1

pgadmin4.spec: W: invalid-url Source1: pgadmin4-6.4-vendor.tar.xz
pgadmin4.src: E: description-line-too-long pgAdmin is the most popular and feature rich Open Source administration and development
pgadmin4.spec:96: E: buildarch-instead-of-exclusivearch-tag noarch\
================ 1 packages and 0 specfiles checked; 2 errors, 1 warnings, 2 badness; has taken 3.6 s ===============

Comment 2 Sandro Mani 2022-01-31 14:52:26 UTC
> pgadmin4.spec: W: invalid-url Source1: pgadmin4-6.4-vendor.tar.xz
False positive

> pgadmin4.src: E: description-line-too-long pgAdmin is the most popular and feature rich Open Source administration and development
OK, will fix

> pgadmin4.spec:96: E: buildarch-instead-of-exclusivearch-tag noarch
False positive, see https://github.com/rpm-software-management/rpmlint/issues/698

Comment 3 Filip Januš 2022-01-31 14:59:10 UTC
Great, so I find it LGTM; I haven't spotted any issue.

Comment 4 Filip Januš 2022-01-31 19:17:39 UTC
Package Review
==============

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated
[ ] = Manual review needed


Issues:
=======
- If (and only if) the source package includes the text of the license(s)
  in its own file, then that file, containing the text of the license(s)
  for the package is included in %license.
  Note: License file erd_tool.js.LICENSE.txt is not marked as %license
  See: https://docs.fedoraproject.org/en-US/packaging-
  guidelines/LicensingGuidelines/#_license_text
- Large documentation must go in a -doc subpackage. Large could be size
  (~1MB) or number of files.
  Note: Documentation size is 75397120 bytes in 1192 files.
  See: https://docs.fedoraproject.org/en-US/packaging-
  guidelines/#_documentation


===== MUST items =====

Generic:
[x]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[x]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses
     found: "Unknown or generated", "PostgreSQL License", "*No copyright*
     PostgreSQL License", "*No copyright* [generated file]", "*No
     copyright* Apache License 2.0", "Python Software Foundation License
     2.0", "MIT License", "GNU General Public License, Version 2", "*No
     copyright* MIT License", "*No copyright* BSD 3-Clause License", "MIT
     License ISC License", "*No copyright* ISC License", "BSD 3-Clause
     License", "MIT License Apache License 2.0", "Apache License 2.0", "MIT
     License [generated file]", "ISC License", "Python License 2.0 Python
     Software Foundation License 2.0 CNRI Python Open Source GPL Compatible
     License Agreement GNU General Public License", "*No copyright* GNU
     General Public License", "*No copyright* Python License 2.0", "*No
     copyright* Creative Commons Attribution 4.0", "*No copyright* BSD
     2-Clause License", "BSD 2-Clause License", "BSD 2-Clause License
     Apache License 2.0", "MIT License BSD 3-Clause License", "*No
     copyright* Creative Commons CC0 1.0", "*No copyright* GNU General
     Public License, Version 2 Apache License 2.0", "MIT License Do What
     The Fuck You Want To Public License, Version 2", "*No copyright* GNU
     General Public License, Version 3", "GNU General Public License v3.0
     or later", "MIT License Creative Commons Attribution-ShareAlike 2.5",
     "Creative Commons Attribution-ShareAlike 2.5", "MIT License BSD
     3-Clause License BSD 2-Clause License bzip2 and libbzip2 License
     v1.0.6 Apache License 2.0", "*No copyright* BSD 3-Clause Clear
     License", "BSD 0-Clause License", "*No copyright* BSD 0-Clause
     License", "BSD 2-Clause with views sentence", "*No copyright* GNU
     General Public License v3.0 or later", "PostgreSQL License MIT
     License", "*No copyright* The Unlicense", "The Unlicense", "[generated
     file]", "zlib License", "GNU General Public License", "MIT License
     Creative Commons Attribution 3.0", "Creative Commons Attribution 3.0".
     58252 files have unknown license. Detailed output of licensecheck in
     /tmp/pgadmin4/pgadmin4/licensecheck.txt
[x]: License file installed when any subpackage combination is installed.
[x]: If the package is under multiple licenses, the licensing breakdown
     must be documented in the spec.
[x]: Package must own all directories that it creates.
     Note: Directories without known owners:
     /usr/share/icons/hicolor/16x16, /usr/share/icons/hicolor/128x128/apps,
     /usr/share/icons/hicolor/32x32/apps, /usr/share/icons/hicolor/32x32,
     /usr/share/icons/hicolor/16x16/apps,
     /usr/share/icons/hicolor/48x48/apps, /usr/share/icons/hicolor/64x64,
     /usr/share/icons/hicolor, /usr/share/icons/hicolor/48x48,
     /usr/share/icons/hicolor/128x128, /usr/share/icons/hicolor/64x64/apps
[x]: %build honors applicable compiler flags or justifies otherwise.
[x]: Package contains no bundled libraries without FPC exception.
[x]: Changelog in prescribed format.
[x]: Sources contain only permissible code or content.
[-]: Development files must be in a -devel package
[x]: Package uses nothing in %doc for runtime.
[x]: Package consistently uses macros (instead of hard-coded directory
     names).
[x]: Package is named according to the Package Naming Guidelines.
[x]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[-]: Requires correct, justified where necessary.
[x]: Spec file is legible and written in American English.
[-]: Package contains systemd file(s) if in need.
[-]: Useful -debuginfo package or justification otherwise.
[x]: Package is not known to require an ExcludeArch tag.
[x]: Package complies to the Packaging Guidelines
[x]: Package successfully compiles and builds into binary rpms on at least
     one supported primary architecture.
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: Package requires other packages for directories it uses.
[x]: Package does not own files or directories owned by other packages.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Package contains desktop file if it is a GUI application.
[x]: Package installs a %{name}.desktop using desktop-file-install or
     desktop-file-validate if there is such a file.
[x]: Dist tag is present.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package must not depend on deprecated() packages.
[x]: Package use %makeinstall only when make install DESTDIR=... doesn't
     work.
[x]: Package is named using only allowed ASCII characters.
[x]: Package does not use a name that already exists.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as
     provided in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Packages must not store files under /srv, /opt or /usr/local

Python:
[x]: Python eggs must not download any dependencies during the build
     process.
[x]: A package which is used by another package via an egg interface should
     provide egg info.
[x]: Package meets the Packaging Guidelines::Python
[x]: Package contains BR: python2-devel or python3-devel
[x]: Packages MUST NOT have dependencies (either build-time or runtime) on
     packages named with the unversioned python- prefix unless no properly
     versioned package exists. Dependencies on Python packages instead MUST
     use names beginning with python2- or python3- as appropriate.
[x]: Python packages must not contain %{pythonX_site(lib|arch)}/* in %files
[x]: Binary eggs must be removed in %prep

===== SHOULD items =====

Generic:
[!]: Uses parallel make %{?_smp_mflags} macro.
[?]: Avoid bundling fonts in non-fonts packages.
     Note: Package contains font files
[-]: If the source package does not include license text(s) as a separate
     file from upstream, the packager SHOULD query upstream to include it.
[?]: Final provides and requires are sane (see attachments).
[x]: Fully versioned dependency in subpackages if applicable.
     Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in
     pgadmin4-langpack-cs , pgadmin4-langpack-de , pgadmin4-langpack-es ,
     pgadmin4-langpack-fr , pgadmin4-langpack-it , pgadmin4-langpack-ja ,
     pgadmin4-langpack-ko , pgadmin4-langpack-pl , pgadmin4-langpack-ru ,
     pgadmin4-langpack-zh
[x]: Package functions as described.
[x]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[x]: Patches link to upstream bugs/comments/lists or are otherwise
     justified.
[-]: Sources are verified with gpgverify first in %prep if upstream
     publishes signatures.
     Note: gpgverify is not used.
[-]: Description and summary sections in the package spec file contains
     translations for supported Non-English languages, if available.
[x]: %check is present and all tests pass.
[-]: Packages should try to preserve timestamps of original installed
     files.
[x]: Spec use %global instead of %define unless justified.
     Note: %define requiring justification: %define tag_ver %(echo
     %{version} | awk -F. '{print $1"_"$2}'), %define lang_subpkg()
     %package langpack-%{1}Summary: %{2} language data for
     %{name}ExclusiveArch: noarchRequires: %{name} =
     %{version}-%{release}Supplements: (%{name} = %{version}-%{release} and
     langpacks-%{1})%description langpack-%{1}%{2} language data for
     %{name}.%files
     langpack-%{1}%{_prefix}/lib/%{name}/pgadmin/translations/%{1}/
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: Sources can be downloaded from URI in Source: tag
[x]: SourceX is a working URL.
[x]: Package should compile and build into binary rpms on all supported
     architectures.

===== EXTRA items =====

Generic:
[!]: Large data in /usr/share should live in a noarch subpackage if package
     is arched.
     Note: Arch-ed rpms have a total of 75499520 bytes in /usr/share
     pgadmin4-6.4-3.fc36.x86_64.rpm:75499520
     See:
     https://fedoraproject.org/wiki/Packaging:ReviewGuidelines#Package_Review_Guidelines
[x]: Rpmlint is run on debuginfo package(s).
     Note: There are rpmlint messages (see attachment).
[x]: Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).
[x]: Package should not use obsolete m4 macros


Using the compiler directly in the spec file (without a makefile) is surprising, but after investigating upstream it makes complete sense.

Comment 5 Gwyn Ciesla 2022-01-31 20:31:11 UTC
(fedscm-admin):  The Pagure repository was created at https://src.fedoraproject.org/rpms/pgadmin4

Comment 6 Sandro Mani 2022-01-31 22:58:27 UTC
Thanks for the quick review!

Comment 7 Devrim Gündüz 2022-02-01 10:28:28 UTC
Hi,

We need to either remove this package, or rename it to something else, including logos.

There are security issues, the runtime is *not* pgAdmin4, and there are performance regressions.

Regards, Devrim

Comment 8 Sandro Mani 2022-02-01 10:51:15 UTC
Can you please elaborate?
- The pgadmin4 code (as a webapp) is packaged pretty much in unmodified form identical to upstream
- To simplify packaging, rather than going through the huge task of packaging yet another chromium engine (nwjs), I wrote a thin qt5webengine wrapper to act as a browser
- Regarding the security issues, I assume you refer to the SECRET_KEY. This was indeed an oversight, I've dropped that hunk in pgadmin4-6.4-5.fc36


Suggestions for moving forward:
- If it is unacceptable for upstream to have the qtwebengine wrapper in the pgadmin package, I'm happy to move it to a separate package.
- The unmodified upstream code would stay in the pgadmin4 package. The main package can contain a README how to manually run pgadmin4 in an existing browser.

Would that be acceptable?

Thanks for any constructive feedback.

Comment 9 Dave Page 2022-02-01 16:39:12 UTC
Hi, pgAdmin dev here:

- You appear to have disabled webpack optimisation. This was long ago found to be essential for acceptable performance of such a large web-based application.

- config.py has been modified. That should never be done; create a config_distro.py instead in the same directory (see https://www.pgadmin.org/docs/pgadmin4/development/config_py.html#config-py)

- We originally used QtWebEngine for the desktop runtime, but stopped doing so because of serious performance issues.

- As noted above, the SECRET_KEY was a serious security problem, but I see you have now resolved that.

- The custom runtime is missing configuration options requested by users, and documented in the docs and on the website, such as the log viewer which we ask users to use if they run into issues, and options for things like a fixed port number. See https://www.pgadmin.org/docs/pgadmin4/development/desktop_deployment.html#configuration

- The NWjs runtime is controlled in places from the application code. There is no support for this in your runtime that I can see, so that functionality is almost certainly broken in a way that users won't expect.

In short, whilst I wouldn't complain if there were some minor tweaks to the code (unless something obviously broke documented functionality), the use of a custom runtime and potential performance regressions is likely to lead to user confusion and complaints that the pgAdmin Team will most likely receive in the first instance and be unable to help with. We would therefore request that you either rename the package so it is abundantly clear that it is not an official pgAdmin release, or revert the changes to the webpack configuration and use our standard runtime code.

Thank you.
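A check a packager can run over a patched config.py or a distro-supplied config_distro.py before building, catching the SECRET_KEY oversight discussed above. This is example code added for this review, not pgAdmin's own; the two sample configs are constructed, and the setting names in SECRET_SETTINGS beyond SECRET_KEY are assumptions.

```python
import ast
from typing import List, Tuple

# Settings that must never be a fixed literal baked into a package:
# a shared value lets anyone who reads the package forge sessions on
# every installation. SECRET_KEY is the one raised in this review;
# extend the set for other secret-bearing settings as needed (assumed).
SECRET_SETTINGS = {"SECRET_KEY"}


def find_hardcoded_secrets(source: str) -> List[Tuple[str, int, str]]:
    """Return (name, line, value) for each module-level assignment of a
    secret setting to a non-empty string literal in a Python config."""
    findings = []
    tree = ast.parse(source)
    for node in tree.body:
        if not isinstance(node, ast.Assign):
            continue
        value = node.value
        # Only literal strings are a problem; an expression such as
        # os.environ.get(...) or a call that generates the key is fine.
        if not (isinstance(value, ast.Constant) and isinstance(value.value, str)):
            continue
        if value.value == "":
            continue  # empty string: left for the application to generate
        for target in node.targets:
            if isinstance(target, ast.Name) and target.id in SECRET_SETTINGS:
                findings.append((target.id, node.lineno, value.value))
    return findings


def check_config_file(path: str) -> List[Tuple[str, int, str]]:
    """Convenience wrapper: run the check on a file on disk."""
    with open(path, encoding="utf-8") as fh:
        return find_hardcoded_secrets(fh.read())


# Constructed sample of a config_distro.py that carries a fixed key.
BAD_DISTRO_CONFIG = """\
# constructed sample, not pgAdmin's real config_distro.py
HELP_PATH = '/usr/share/doc/pgadmin4/html/'
SECRET_KEY = 'same-key-on-every-machine'
"""

# Constructed sample that only overrides the help path and leaves the
# secret to be generated per installation.
GOOD_DISTRO_CONFIG = """\
# constructed sample, not pgAdmin's real config_distro.py
HELP_PATH = '/usr/share/doc/pgadmin4/html/'
"""

if __name__ == "__main__":
    for label, src in (("bad", BAD_DISTRO_CONFIG), ("good", GOOD_DISTRO_CONFIG)):
        print(label, find_hardcoded_secrets(src))
```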

Comment 10 Sandro Mani 2022-02-01 17:19:36 UTC
Thanks for the detailed feedback:

> - You appear to have disabled webpack optimisation. This was long ago found to be essential for acceptable performance of such a large web-based application.

This applies only to i686 and armv7hl (and armv7hl is actually scheduled for retirement). I have to admit I gave up trying to get the Webpack terser plugin to run through without stack exhaustion on these arches. Perhaps ExcludeArch would have been the better choice.

> - config.py has been modified. That should never be done; create a config_distro.py instead in the same directory (see https://www.pgadmin.org/docs/pgadmin4/development/config_py.html#config-py)

I've since dropped all changes to config.py except for the help path, but I'll look at handling this one properly as well.

> - The custom runtime is missing configuration options requested by users, and documented in the docs and on the website, such as the log viewer which we ask users to use if they run into issues, and options for things like a fixed port number. See https://www.pgadmin.org/docs/pgadmin4/development/desktop_deployment.html#configuration

> - The NWjs runtime is controlled in places from the application code. There is no support for this in your runtime that I can see, so that functionality is almost certainly broken in a way that users won't expect.

Thanks, I'll look into these as well.

I've since made changes to the custom runtime explicitly noting in the window title and the startup splash screen that it is an unofficial runtime. I've also moved it to a separate subpackage. Is this acceptable to you? I can also add an explicit popup informing the user that it is not an official runtime and that bugs need to be filed in distro issue tracker.

As for webpack, I'd go for ExcludeArch.

Comment 11 Sandro Mani 2022-02-09 11:42:03 UTC
I believe I've addressed most concerns raised in pgadmin4-6.4-9.fc36; the only open issue is the callback from the application code to the front-end, which I'll address as time allows. I've added an explicit warning dialog shown at every startup of the runtime that it is an unofficial runtime with no upstream support, and that any bugs should be filed at bugzilla.redhat.com. If there are any other concerns I should address, please feel free to point them out. Thanks.

