Bug 2138353 - Review Request: rnp - OpenPGP (RFC4880) tools
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
Assignee: Benson Muite
QA Contact: Fedora Extras Quality Assurance
Blocks: 2139681
Reported: 2022-10-28 09:23 UTC by Remi Collet
Modified: 2022-11-17 03:22 UTC (History)
Last Closed: 2022-11-17 01:27:20 UTC
benson_muite: fedora-review+


Description Remi Collet 2022-10-28 09:23:50 UTC
Spec URL: https://git.remirepo.net/cgit/rpms/lib/rnp.git/plain/rnp.spec?id=2b474395f763f9e6e6f2cc4aa254c5456f7cb0cf
SRPM URL: https://rpms.remirepo.net/SRPMS/rnp-0.16.2-2.remi.src.rpm
Description: 
RNP is a set of OpenPGP (RFC4880) tools.

Fedora Account System Username: remi

Comment 3 Benson Muite 2022-10-28 13:36:24 UTC
Package Review
==============

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated
[ ] = Manual review needed



===== MUST items =====

C/C++:
[x]: Package does not contain kernel modules.
[x]: Package contains no static executables.
[x]: If your application is a C or C++ application you must list a
     BuildRequires against gcc, gcc-c++ or clang.
[x]: Header files in -devel subpackage, if present.
[x]: ldconfig not called in %post and %postun for Fedora 28 and later.
[x]: Package does not contain any libtool archives (.la)
[x]: Rpath absent or only used for internal libs.
[x]: Development (unversioned) .so files in -devel subpackage, if present.

Generic:
[?]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[?]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses
     found: "Unknown or generated", "BSD 2-Clause License", "*No copyright*
     Public domain", "BSD 2-clause NetBSD License BSD 2-Clause License",
     "Boost Software License 1.0", "BSD 2-Clause License Apache License
     2.0", "MIT License". 635 files have unknown license. Detailed output
     of licensecheck in
     /home/FedoraPackaging/reviews/rnp/review-rnp/licensecheck.txt
[x]: License file installed when any subpackage combination is installed.
[!]: If the package is under multiple licenses, the licensing breakdown
     must be documented in the spec.
[x]: %build honors applicable compiler flags or justifies otherwise.
[x]: Package contains no bundled libraries without FPC exception.
[x]: Changelog in prescribed format.
[?]: Sources contain only permissible code or content.
[-]: Package contains desktop file if it is a GUI application.
[x]: Development files must be in a -devel package
[x]: Package uses nothing in %doc for runtime.
[x]: Package consistently uses macros (instead of hard-coded directory
     names).
[x]: Package is named according to the Package Naming Guidelines.
[?]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[?]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[x]: Requires correct, justified where necessary.
[x]: Spec file is legible and written in American English.
[-]: Package contains systemd file(s) if in need.
[x]: Useful -debuginfo package or justification otherwise.
[?]: Package is not known to require an ExcludeArch tag.
[-]: Large documentation must go in a -doc subpackage. Large could be size
     (~1MB) or number of files.
     Note: Documentation size is 20480 bytes in 1 files.
[?]: Package complies to the Packaging Guidelines
[x]: Package successfully compiles and builds into binary rpms on at least
     one supported primary architecture.
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: If (and only if) the source package includes the text of the
     license(s) in its own file, then that file, containing the text of the
     license(s) for the package is included in %license.
[x]: Package requires other packages for directories it uses.
[x]: Package must own all directories that it creates.
[x]: Package does not own files or directories owned by other packages.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Dist tag is present.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package must not depend on deprecated() packages.
[x]: Package use %makeinstall only when make install DESTDIR=... doesn't
     work.
[x]: Package is named using only allowed ASCII characters.
[x]: Package does not use a name that already exists.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as
     provided in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Packages must not store files under /srv, /opt or /usr/local

===== SHOULD items =====

Generic:
[!]: Sources can be downloaded from URI in Source: tag
     Note: Could not download Source0:
     https://github.com/rnpgp/rnp/archive/refs/tags/v0.16.2.tar.gz
     See: https://docs.fedoraproject.org/en-US/packaging-
     guidelines/SourceURL/
[-]: If the source package does not include license text(s) as a separate
     file from upstream, the packager SHOULD query upstream to include it.
[x]: Final provides and requires are sane (see attachments).
[?]: Fully versioned dependency in subpackages if applicable.
     Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in librnp
[?]: Package functions as described.
[x]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[ ]: SourceX tarball generation or download is documented.
     Note: Package contains tarball without URL, check comments
[!]: Sources are verified with gpgverify first in %prep if upstream
     publishes signatures.
     Note: gpgverify is not used.
[x]: Package should compile and build into binary rpms on all supported
     architectures.
[x]: %check is present and all tests pass.
[?]: Packages should try to preserve timestamps of original installed
     files.
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: The placement of pkgconfig(.pc) files are correct.
[x]: SourceX is a working URL.
[x]: Spec use %global instead of %define unless justified.

===== EXTRA items =====

Generic:
[x]: Rpmlint is run on debuginfo package(s).
     Note: There are rpmlint messages (see attachment).
[x]: Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).
[x]: Large data in /usr/share should live in a noarch subpackage if package
     is arched.
[x]: Spec file according to URL is the same as in SRPM.


Rpmlint
-------
Cannot parse rpmlint output:


Rpmlint (debuginfo)
-------------------
Cannot parse rpmlint output:



Rpmlint (installed packages)
----------------------------
============================ rpmlint session starts ============================
rpmlint: 2.4.0
configuration:
    /usr/lib/python3.11/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora-legacy-licenses.toml
    /etc/xdg/rpmlint/fedora-spdx-licenses.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
checks: 31, packages: 5

rnp.x86_64: W: no-manual-page-for-binary rnp
rnp.x86_64: W: no-manual-page-for-binary rnpkeys
rnp.x86_64: W: no-documentation
 5 packages and 0 specfiles checked; 0 errors, 3 warnings, 0 badness; has taken 4.5 s 



Requires
--------
rnp (rpmlib, GLIBC filtered):
    libc.so.6()(64bit)
    libgcc_s.so.1()(64bit)
    libgcc_s.so.1(GCC_3.0)(64bit)
    libgcc_s.so.1(GCC_3.3.1)(64bit)
    libjson-c.so.5()(64bit)
    libjson-c.so.5(JSONC_0.14)(64bit)
    librnp(x86-64)
    librnp.so.0()(64bit)
    libstdc++.so.6()(64bit)
    libstdc++.so.6(CXXABI_1.3)(64bit)
    libstdc++.so.6(CXXABI_1.3.5)(64bit)
    rtld(GNU_HASH)

librnp (rpmlib, GLIBC filtered):
    libbotan-2.so.19()(64bit)
    libbz2.so.1()(64bit)
    libc.so.6()(64bit)
    libgcc_s.so.1()(64bit)
    libgcc_s.so.1(GCC_3.0)(64bit)
    libgcc_s.so.1(GCC_3.3.1)(64bit)
    libjson-c.so.5()(64bit)
    libjson-c.so.5(JSONC_0.14)(64bit)
    libstdc++.so.6()(64bit)
    libstdc++.so.6(CXXABI_1.3)(64bit)
    libz.so.1()(64bit)
    rtld(GNU_HASH)

librnp-devel (rpmlib, GLIBC filtered):
    /usr/bin/pkg-config
    cmake-filesystem(x86-64)
    librnp(x86-64)
    librnp.so.0()(64bit)

rnp-debuginfo (rpmlib, GLIBC filtered):

rnp-debugsource (rpmlib, GLIBC filtered):



Provides
--------
rnp:
    rnp
    rnp(x86-64)

librnp:
    librnp
    librnp(x86-64)
    librnp.so.0()(64bit)

librnp-devel:
    cmake(rnp)
    librnp-devel
    librnp-devel(x86-64)
    pkgconfig(librnp)

rnp-debuginfo:
    debuginfo(build-id)
    rnp-debuginfo
    rnp-debuginfo(x86-64)

rnp-debugsource:
    rnp-debugsource
    rnp-debugsource(x86-64)



Generated by fedora-review 0.9.0 (6761b6c) last change: 2022-08-23
Command line :/usr/bin/fedora-review -n rnp
Buildroot used: fedora-rawhide-x86_64
Active plugins: Shell-api, Generic, C/C++
Disabled plugins: Java, Python, fonts, Ocaml, Perl, PHP, Ruby, R, Haskell, SugarActivity
Disabled flags: EPEL6, EPEL7, DISTTAG, BATCH, EXARCH

Comments:
a) Signatures and sha256sum are available upstream:
https://github.com/rnpgp/rnp/releases
Can they be used for verification?
b) Please add a license breakdown in the spec file
c) The license for OCB use probably needs a check from legal
d) Perhaps change:
Source0:       https://github.com/rnpgp/rnp/archive/refs/tags/v%{version}.tar.gz
to
Source0:       %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
e) There is https://packages.fedoraproject.org/pkgs/thunderbird/thunderbird-librnp-rnp/ could this be replaced by the librnp built here?

Comment 4 Remi Collet 2022-10-28 14:17:49 UTC
> a) Signatures and sha256sum are available upstream:

Done

> b) Please add a license breakdown in the spec file

This is a mess, and I don't want to list all "files" per license.
A simple ref to LICENSE.md should be enough.

> d) Perhaps change:

GitHub URIs are the worst thing I have ever seen... terrible mess
Definitely I hate GitHub (and will never understand why use it.... not serious...)


Changes done in 
https://git.remirepo.net/cgit/rpms/lib/rnp.git/commit/?id=27243de3f527870861632096d49c676daa64f5fe

Will wait for legal answer about
https://github.com/rnpgp/rnp/blob/master/LICENSE-OCB.md

Comment 5 Benson Muite 2022-10-28 15:04:49 UTC
License breakdown obtained from Fedora Review is below. Removed some CMake files which would not be packaged. Other files which are not packaged and not used in the build can be removed from the listing. Possibly the examples can be packaged as documentation with the devel package?

*No copyright* Public domain
----------------------------
rnp-0.16.2/LICENSE-OCB.md

BSD 2-Clause License
--------------------
rnp-0.16.2/include/rekey/rnp_key_store.h
rnp-0.16.2/include/repgp/repgp_def.h
rnp-0.16.2/include/rnp.h
rnp-0.16.2/include/rnp/rnp.h
rnp-0.16.2/include/rnp/rnp_def.h
rnp-0.16.2/include/rnp/rnp_err.h
rnp-0.16.2/src/common/file-utils.cpp
rnp-0.16.2/src/common/file-utils.h
rnp-0.16.2/src/common/getoptwin.h
rnp-0.16.2/src/common/str-utils.cpp
rnp-0.16.2/src/common/str-utils.h
rnp-0.16.2/src/common/time-utils.cpp
rnp-0.16.2/src/common/time-utils.h
rnp-0.16.2/src/common/uniwin.h
rnp-0.16.2/src/examples/CMakeLists.txt
rnp-0.16.2/src/examples/decrypt.c
rnp-0.16.2/src/examples/dump.c
rnp-0.16.2/src/examples/encrypt.c
rnp-0.16.2/src/examples/generate.c
rnp-0.16.2/src/examples/sign.c
rnp-0.16.2/src/examples/verify.c
rnp-0.16.2/src/fuzzing/CMakeLists.txt
rnp-0.16.2/src/fuzzing/dump.c
rnp-0.16.2/src/fuzzing/keyimport.c
rnp-0.16.2/src/fuzzing/keyring.c
rnp-0.16.2/src/fuzzing/keyring_g10.cpp
rnp-0.16.2/src/fuzzing/keyring_kbx.c
rnp-0.16.2/src/fuzzing/sigimport.c
rnp-0.16.2/src/fuzzing/verify.c
rnp-0.16.2/src/fuzzing/verify_detached.c
rnp-0.16.2/src/lib/CMakeLists.txt
rnp-0.16.2/src/lib/config.h.in
rnp-0.16.2/src/lib/crypto/backend_version.cpp
rnp-0.16.2/src/lib/crypto/backend_version.h
rnp-0.16.2/src/lib/crypto/bn.cpp
rnp-0.16.2/src/lib/crypto/bn.h
rnp-0.16.2/src/lib/crypto/bn_ossl.cpp
rnp-0.16.2/src/lib/crypto/cipher.cpp
rnp-0.16.2/src/lib/crypto/cipher.hpp
rnp-0.16.2/src/lib/crypto/cipher_botan.cpp
rnp-0.16.2/src/lib/crypto/cipher_botan.hpp
rnp-0.16.2/src/lib/crypto/cipher_ossl.cpp
rnp-0.16.2/src/lib/crypto/cipher_ossl.hpp
rnp-0.16.2/src/lib/crypto/common.h
rnp-0.16.2/src/lib/crypto/dl_ossl.cpp
rnp-0.16.2/src/lib/crypto/dl_ossl.h
rnp-0.16.2/src/lib/crypto/dsa.h
rnp-0.16.2/src/lib/crypto/dsa_ossl.cpp
rnp-0.16.2/src/lib/crypto/ec.cpp
rnp-0.16.2/src/lib/crypto/ec.h
rnp-0.16.2/src/lib/crypto/ec_curves.cpp
rnp-0.16.2/src/lib/crypto/ec_ossl.cpp
rnp-0.16.2/src/lib/crypto/ec_ossl.h
rnp-0.16.2/src/lib/crypto/ecdh.cpp
rnp-0.16.2/src/lib/crypto/ecdh.h
rnp-0.16.2/src/lib/crypto/ecdh_ossl.cpp
rnp-0.16.2/src/lib/crypto/ecdh_utils.cpp
rnp-0.16.2/src/lib/crypto/ecdh_utils.h
rnp-0.16.2/src/lib/crypto/ecdsa.cpp
rnp-0.16.2/src/lib/crypto/ecdsa.h
rnp-0.16.2/src/lib/crypto/ecdsa_ossl.cpp
rnp-0.16.2/src/lib/crypto/eddsa.cpp
rnp-0.16.2/src/lib/crypto/eddsa.h
rnp-0.16.2/src/lib/crypto/eddsa_ossl.cpp
rnp-0.16.2/src/lib/crypto/elgamal.cpp
rnp-0.16.2/src/lib/crypto/elgamal.h
rnp-0.16.2/src/lib/crypto/elgamal_ossl.cpp
rnp-0.16.2/src/lib/crypto/hash.cpp
rnp-0.16.2/src/lib/crypto/hash.hpp
rnp-0.16.2/src/lib/crypto/hash_botan.hpp
rnp-0.16.2/src/lib/crypto/hash_common.cpp
rnp-0.16.2/src/lib/crypto/hash_crc24.cpp
rnp-0.16.2/src/lib/crypto/hash_crc24.hpp
rnp-0.16.2/src/lib/crypto/hash_ossl.cpp
rnp-0.16.2/src/lib/crypto/hash_ossl.hpp
rnp-0.16.2/src/lib/crypto/hash_sha1cd.cpp
rnp-0.16.2/src/lib/crypto/hash_sha1cd.hpp
rnp-0.16.2/src/lib/crypto/mem.cpp
rnp-0.16.2/src/lib/crypto/mem.h
rnp-0.16.2/src/lib/crypto/mem_ossl.cpp
rnp-0.16.2/src/lib/crypto/mpi.cpp
rnp-0.16.2/src/lib/crypto/mpi.h
rnp-0.16.2/src/lib/crypto/ossl_common.h
rnp-0.16.2/src/lib/crypto/rng.cpp
rnp-0.16.2/src/lib/crypto/rng.h
rnp-0.16.2/src/lib/crypto/rng_ossl.cpp
rnp-0.16.2/src/lib/crypto/rsa.h
rnp-0.16.2/src/lib/crypto/rsa_ossl.cpp
rnp-0.16.2/src/lib/crypto/s2k.cpp
rnp-0.16.2/src/lib/crypto/s2k.h
rnp-0.16.2/src/lib/crypto/s2k_ossl.cpp
rnp-0.16.2/src/lib/crypto/signatures.cpp
rnp-0.16.2/src/lib/crypto/signatures.h
rnp-0.16.2/src/lib/crypto/sm2.cpp
rnp-0.16.2/src/lib/crypto/sm2.h
rnp-0.16.2/src/lib/crypto/sm2_ossl.cpp
rnp-0.16.2/src/lib/crypto/symmetric_ossl.cpp
rnp-0.16.2/src/lib/defaults.h
rnp-0.16.2/src/lib/ffi-priv-types.h
rnp-0.16.2/src/lib/fingerprint.cpp
rnp-0.16.2/src/lib/fingerprint.h
rnp-0.16.2/src/lib/generate-key.cpp
rnp-0.16.2/src/lib/json-utils.cpp
rnp-0.16.2/src/lib/json-utils.h
rnp-0.16.2/src/lib/key-provider.cpp
rnp-0.16.2/src/lib/key-provider.h
rnp-0.16.2/src/lib/logging.cpp
rnp-0.16.2/src/lib/logging.h
rnp-0.16.2/src/lib/pass-provider.cpp
rnp-0.16.2/src/lib/pass-provider.h
rnp-0.16.2/src/lib/rnp.cpp
rnp-0.16.2/src/lib/sec_profile.cpp
rnp-0.16.2/src/lib/sec_profile.hpp
rnp-0.16.2/src/lib/utils.cpp
rnp-0.16.2/src/lib/utils.h
rnp-0.16.2/src/lib/version.h.in
rnp-0.16.2/src/librekey/g10_sexp.hpp
rnp-0.16.2/src/librekey/kbx_blob.hpp
rnp-0.16.2/src/librekey/key_store_g10.cpp
rnp-0.16.2/src/librekey/key_store_g10.h
rnp-0.16.2/src/librekey/key_store_kbx.cpp
rnp-0.16.2/src/librekey/key_store_kbx.h
rnp-0.16.2/src/librekey/rnp_key_store.cpp
rnp-0.16.2/src/librepgp/stream-armor.cpp
rnp-0.16.2/src/librepgp/stream-armor.h
rnp-0.16.2/src/librepgp/stream-common.cpp
rnp-0.16.2/src/librepgp/stream-common.h
rnp-0.16.2/src/librepgp/stream-ctx.cpp
rnp-0.16.2/src/librepgp/stream-ctx.h
rnp-0.16.2/src/librepgp/stream-def.h
rnp-0.16.2/src/librepgp/stream-dump.cpp
rnp-0.16.2/src/librepgp/stream-dump.h
rnp-0.16.2/src/librepgp/stream-key.cpp
rnp-0.16.2/src/librepgp/stream-key.h
rnp-0.16.2/src/librepgp/stream-packet.cpp
rnp-0.16.2/src/librepgp/stream-packet.h
rnp-0.16.2/src/librepgp/stream-parse.cpp
rnp-0.16.2/src/librepgp/stream-parse.h
rnp-0.16.2/src/librepgp/stream-sig.cpp
rnp-0.16.2/src/librepgp/stream-sig.h
rnp-0.16.2/src/librepgp/stream-write.cpp
rnp-0.16.2/src/librepgp/stream-write.h
rnp-0.16.2/src/rnp/CMakeLists.txt
rnp-0.16.2/src/rnp/fficli.cpp
rnp-0.16.2/src/rnp/fficli.h
rnp-0.16.2/src/rnp/rnp.cpp
rnp-0.16.2/src/rnp/rnpcfg.cpp
rnp-0.16.2/src/rnp/rnpcfg.h
rnp-0.16.2/src/rnpkeys/CMakeLists.txt
rnp-0.16.2/src/rnpkeys/main.cpp
rnp-0.16.2/src/rnpkeys/rnpkeys.cpp
rnp-0.16.2/src/rnpkeys/tui.cpp

BSD 2-Clause License Apache License 2.0
---------------------------------------
rnp-0.16.2/src/lib/crypto.cpp
rnp-0.16.2/src/lib/crypto.h
rnp-0.16.2/src/lib/crypto/symmetric.cpp
rnp-0.16.2/src/lib/crypto/symmetric.h
rnp-0.16.2/src/lib/pgp-key.cpp
rnp-0.16.2/src/lib/pgp-key.h
rnp-0.16.2/src/lib/types.h
rnp-0.16.2/src/librekey/key_store_pgp.cpp
rnp-0.16.2/src/librekey/key_store_pgp.h

BSD 2-clause NetBSD License BSD 2-Clause License
------------------------------------------------
rnp-0.16.2/LICENSE.md
rnp-0.16.2/src/lib/crypto/dsa.cpp
rnp-0.16.2/src/lib/crypto/rsa.cpp

Boost Software License 1.0
--------------------------
rnp-0.16.2/cmake/Modules/FindWindowsSDK.cmake

MIT License
-----------
rnp-0.16.2/src/lib/crypto/sha1cd/sha1.c
rnp-0.16.2/src/lib/crypto/sha1cd/sha1.h
rnp-0.16.2/src/lib/crypto/sha1cd/ubc_check.c
rnp-0.16.2/src/lib/crypto/sha1cd/ubc_check.h

Comment 6 Benson Muite 2022-10-28 17:37:09 UTC
Related issue:
https://gitlab.com/fedora/legal/fedora-license-data/-/issues/92

Comment 7 Richard Fontana 2022-10-28 18:33:59 UTC
(In reply to Remi Collet from comment #4)

> Will wait for legal answer about
> https://github.com/rnpgp/rnp/blob/master/LICENSE-OCB.md

https://gitlab.com/fedora/legal/fedora-license-data/-/issues/92#note_1153084097

Comment 8 Richard Fontana 2022-10-28 18:34:20 UTC
(In reply to Remi Collet from comment #4)

> Will wait for legal answer about
> https://github.com/rnpgp/rnp/blob/master/LICENSE-OCB.md

https://gitlab.com/fedora/legal/fedora-license-data/-/issues/92#note_1153084097

Comment 9 Benson Muite 2022-10-29 16:31:05 UTC
Licensing seems ok. Might it be possible to also add:
BuildRequires: rubygem-asciidoctor
this will build documentation as man pages

Comment 10 rhtse 2022-10-30 05:04:37 UTC
A heartfelt thank you @fedora @benson_muite @rfontana from the RNP team. We would be more than happy to incorporate any recommendations or suggestions directly upstream so as to simplify unnecessary processing.

The LICENSE-OCB.md file used to provide documentation for users who had concerns with using OCB mode, which was (back then) a patented mechanism; however, the OCB patents have since been abandoned. The patent owner Prof. Rogaway has stated here (https://mailarchive.ietf.org/arch/msg/cfrg/qLTveWOdTJcLn4HP3ev-vrj05Vg/) that OCB patents are now in the public domain.

The file now acts more as an acknowledgement of Prof. Rogaway's kindness early on to make OCB available for RNP users.

Comment 12 rjl 2022-11-03 00:36:51 UTC
(In reply to Benson Muite from comment #3)
> e) There is
> https://packages.fedoraproject.org/pkgs/thunderbird/thunderbird-librnp-rnp/
> could this be replaced by the librnp built here?

As of Thunderbird 107beta and the inclusion of rnp-0.16.2, this should work. Build Thunderbird using `--with-system-librnp`. The build system will not compile librnp or its dependencies. (If that fails, a bug should be filed.) Thunderbird will pick up librnp.so.0 from the system library directory.

Comment 13 Benson Muite 2022-11-03 10:06:06 UTC
Package Review
==============

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated
[ ] = Manual review needed



===== MUST items =====

C/C++:
[x]: Package does not contain kernel modules.
[x]: Package contains no static executables.
[x]: If your application is a C or C++ application you must list a
     BuildRequires against gcc, gcc-c++ or clang.
[x]: Header files in -devel subpackage, if present.
[x]: ldconfig not called in %post and %postun for Fedora 28 and later.
[x]: Package does not contain any libtool archives (.la)
[x]: Rpath absent or only used for internal libs.
[x]: Development (unversioned) .so files in -devel subpackage, if present.

Generic:
[x]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[x]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses
     found: "Unknown or generated", "BSD 2-Clause License", "*No copyright*
     Public domain", "BSD 2-clause NetBSD License BSD 2-Clause License",
     "Boost Software License 1.0", "BSD 2-Clause License Apache License
     2.0", "MIT License". 635 files have unknown license. Detailed output
     of licensecheck in
     /home/FedoraPackaging/reviews/rnp/2138353-rnp/licensecheck.txt
[x]: License file installed when any subpackage combination is installed.
[x]: If the package is under multiple licenses, the licensing breakdown
     must be documented in the spec.
[x]: %build honors applicable compiler flags or justifies otherwise.
[x]: Package contains no bundled libraries without FPC exception.
[x]: Changelog in prescribed format.
[x]: Sources contain only permissible code or content.
[-]: Package contains desktop file if it is a GUI application.
[x]: Development files must be in a -devel package
[x]: Package uses nothing in %doc for runtime.
[x]: Package consistently uses macros (instead of hard-coded directory
     names).
[x]: Package is named according to the Package Naming Guidelines.
[x]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[?]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[x]: Requires correct, justified where necessary.
[x]: Spec file is legible and written in American English.
[-]: Package contains systemd file(s) if in need.
[x]: Useful -debuginfo package or justification otherwise.
[x]: Package is not known to require an ExcludeArch tag.
[-]: Large documentation must go in a -doc subpackage. Large could be size
     (~1MB) or number of files.
     Note: Documentation size is 20480 bytes in 1 files.
[x]: Package complies to the Packaging Guidelines
[x]: Package successfully compiles and builds into binary rpms on at least
     one supported primary architecture.
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: If (and only if) the source package includes the text of the
     license(s) in its own file, then that file, containing the text of the
     license(s) for the package is included in %license.
[x]: Package requires other packages for directories it uses.
[x]: Package must own all directories that it creates.
[x]: Package does not own files or directories owned by other packages.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Dist tag is present.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package must not depend on deprecated() packages.
[x]: Package use %makeinstall only when make install DESTDIR=... doesn't
     work.
[x]: Package is named using only allowed ASCII characters.
[x]: Package does not use a name that already exists.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as
     provided in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Packages must not store files under /srv, /opt or /usr/local

===== SHOULD items =====

Generic:
[-]: If the source package does not include license text(s) as a separate
     file from upstream, the packager SHOULD query upstream to include it.
[x]: Final provides and requires are sane (see attachments).
[x]: Fully versioned dependency in subpackages if applicable.
     Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in librnp
[x]: Package functions as described.
[x]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[x]: Sources are verified with gpgverify first in %prep if upstream
     publishes signatures.
     Note: gpgverify is not the first command in %prep. Source 3 is not
     passed to gpgverify.
[x]: Package should compile and build into binary rpms on all supported
     architectures.
[x]: %check is present and all tests pass.
[x]: Packages should try to preserve timestamps of original installed
     files.
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: The placement of pkgconfig(.pc) files are correct.
[x]: Sources can be downloaded from URI in Source: tag
[x]: SourceX is a working URL.
[x]: Spec use %global instead of %define unless justified.

===== EXTRA items =====

Generic:
[x]: Rpmlint is run on debuginfo package(s).
     Note: There are rpmlint messages (see attachment).
[x]: Rpmlint is run on all installed packages.
     Note: No rpmlint messages.
[x]: Large data in /usr/share should live in a noarch subpackage if package
     is arched.
[x]: Spec file according to URL is the same as in SRPM.


Rpmlint
-------
Cannot parse rpmlint output:


Rpmlint (debuginfo)
-------------------
Cannot parse rpmlint output:



Rpmlint (installed packages)
----------------------------
============================ rpmlint session starts ============================
rpmlint: 2.4.0
configuration:
    /usr/lib/python3.11/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora-legacy-licenses.toml
    /etc/xdg/rpmlint/fedora-spdx-licenses.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
checks: 31, packages: 5

 5 packages and 0 specfiles checked; 0 errors, 0 warnings, 0 badness; has taken 3.0 s 



Source checksums
----------------
https://github.com/rnpgp/rnp/releases/download/v0.16.2/v0.16.2.tar.gz.asc :
  CHECKSUM(SHA256) this package     : 6ff1c1a9314fd24609e518896666d276c1aa76cb20500e8375e6554ff06f6268
  CHECKSUM(SHA256) upstream package : 6ff1c1a9314fd24609e518896666d276c1aa76cb20500e8375e6554ff06f6268
https://github.com/rnpgp/rnp/archive/v0.16.2/rnp-0.16.2.tar.gz :
  CHECKSUM(SHA256) this package     : 742f2d64755633bf794be2e4a953106b9f8fb38caf785f6a2306cc23f8164346
  CHECKSUM(SHA256) upstream package : 742f2d64755633bf794be2e4a953106b9f8fb38caf785f6a2306cc23f8164346


Requires
--------
rnp (rpmlib, GLIBC filtered):
    libc.so.6()(64bit)
    libgcc_s.so.1()(64bit)
    libgcc_s.so.1(GCC_3.0)(64bit)
    libgcc_s.so.1(GCC_3.3.1)(64bit)
    libjson-c.so.5()(64bit)
    libjson-c.so.5(JSONC_0.14)(64bit)
    librnp(x86-64)
    librnp.so.0()(64bit)
    libstdc++.so.6()(64bit)
    libstdc++.so.6(CXXABI_1.3)(64bit)
    libstdc++.so.6(CXXABI_1.3.5)(64bit)
    rtld(GNU_HASH)

librnp (rpmlib, GLIBC filtered):
    libbotan-2.so.19()(64bit)
    libbz2.so.1()(64bit)
    libc.so.6()(64bit)
    libgcc_s.so.1()(64bit)
    libgcc_s.so.1(GCC_3.0)(64bit)
    libgcc_s.so.1(GCC_3.3.1)(64bit)
    libjson-c.so.5()(64bit)
    libjson-c.so.5(JSONC_0.14)(64bit)
    libstdc++.so.6()(64bit)
    libstdc++.so.6(CXXABI_1.3)(64bit)
    libz.so.1()(64bit)
    rtld(GNU_HASH)

librnp-devel (rpmlib, GLIBC filtered):
    /usr/bin/pkg-config
    cmake-filesystem(x86-64)
    librnp(x86-64)
    librnp.so.0()(64bit)

rnp-debuginfo (rpmlib, GLIBC filtered):

rnp-debugsource (rpmlib, GLIBC filtered):



Provides
--------
rnp:
    rnp
    rnp(x86-64)

librnp:
    librnp
    librnp(x86-64)
    librnp.so.0()(64bit)

librnp-devel:
    cmake(rnp)
    librnp-devel
    librnp-devel(x86-64)
    pkgconfig(librnp)

rnp-debuginfo:
    debuginfo(build-id)
    rnp-debuginfo
    rnp-debuginfo(x86-64)

rnp-debugsource:
    rnp-debugsource
    rnp-debugsource(x86-64)



Generated by fedora-review 0.9.0 (6761b6c) last change: 2022-08-23
Command line :/usr/bin/fedora-review -b 2138353
Buildroot used: fedora-rawhide-x86_64
Active plugins: Generic, C/C++, Shell-api
Disabled plugins: Ruby, Ocaml, PHP, fonts, R, Perl, Java, Haskell, Python, SugarActivity
Disabled flags: EPEL6, EPEL7, DISTTAG, BATCH, EXARCH

Comments:
a) Maybe a comment is needed in the spec file that the patents are no longer enforced?
b) Correct functionality assumed based on tests
c) rpmlint seems to be ok
d) Should obsoletes thunderbird-librnp-rnp be indicated?
e) Other than that seems ok.

Comment 14 Remi Collet 2022-11-03 11:24:04 UTC
> a) Maybe a comment is needed in the spec file that the patents are no longer enforced?

I don't think it makes sense to document the past ;)
I also think there is a big confusion between patent and license on this algo
and "patent" are not allowed in Fedora
But if you think this is a blocker I can add something

> d) Should obsoletes thunderbird-librnp-rnp be indicated?

Not needed (both can be installed)
Rather to be obsoleted by thunderbird if they choose to use it

Comment 15 Benson Muite 2022-11-03 14:35:31 UTC
>> a) Maybe a comment is needed in the spec file that the patents are no longer enforced?

> I don't think it makes sense to document the past ;)
> I also think there is a big confusion between patent and license on this algo
> and "patent" are not allowed in Fedora
> But if you think this is a blocker I can add something

The file LICENSE-OCB.md is packaged, but based on explanation here and on GitHub,
the correct situation is that that particular block encryption algorithm is
no longer patented, so the information in LICENSE-OCB.md is inaccurate.
Upstream will probably change something in how this is documented.  It is not a
blocker, but some comment may remind one to do an appropriate update on the next
release. Probably the file should be named PREVIOUS-PATENT-OCB.md rather than 
LICENSE-OCB.md, but unclear what the upstream project will do.

>> d) Should obsoletes thunderbird-librnp-rnp be indicated?

> Not needed (both can be installed)
> Rather to be obsoleted by thunderbird if they choose to use it
Ok. Great it does not conflict.

Comment 16 Remi Collet 2022-11-03 15:07:22 UTC
About thunderbird, also see https://bugzilla.redhat.com/show_bug.cgi?id=2139681#c1

Comment 17 rhtse 2022-11-04 05:01:03 UTC
We have made the following PRs in the upstream repository, that will be merged in a few hours:
* "Add MIT license for sha1 collision detection code" https://github.com/rnpgp/rnp/pull/1933
* "Clarify status of OCB license" https://github.com/rnpgp/rnp/pull/1936

Comment 18 Benson Muite 2022-11-04 07:14:51 UTC
Thanks for the updates.

Comment 19 jeffrey.lau 2022-11-04 08:14:45 UTC
The following PRs in the upstream repository have been merged:
* "Add MIT license for sha1 collision detection code" https://github.com/rnpgp/rnp/pull/1933
* "Clarify status of OCB license" https://github.com/rnpgp/rnp/pull/1936

Comment 21 Benson Muite 2022-11-08 05:23:06 UTC
Thanks. Approved.

Comment 23 Gwyn Ciesla 2022-11-08 14:46:40 UTC
(fedscm-admin):  The Pagure repository was created at https://src.fedoraproject.org/rpms/rnp

Comment 24 Benson Muite 2022-11-08 17:48:09 UTC
Welcome. Your repositories have been extremely helpful. If EdDSA is used, you may consider asking for the implementations in OpenSSL and Botan to be improved so that they are similar in quality to those in libsodium.

Comment 25 Fedora Update System 2022-11-08 18:01:18 UTC
FEDORA-EPEL-2022-d559f68df8 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-d559f68df8

Comment 26 Fedora Update System 2022-11-08 18:01:19 UTC
FEDORA-2022-9325194c36 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-9325194c36

Comment 27 Fedora Update System 2022-11-08 18:01:20 UTC
FEDORA-EPEL-2022-26ea155e33 has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-26ea155e33

Comment 28 Fedora Update System 2022-11-08 18:01:22 UTC
FEDORA-2022-7e9df7ab36 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-7e9df7ab36

Comment 29 Fedora Update System 2022-11-09 09:17:34 UTC
FEDORA-2022-9325194c36 has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf install --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-9325194c36 \*`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-9325194c36

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 30 Fedora Update System 2022-11-09 11:35:35 UTC
FEDORA-2022-7e9df7ab36 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf install --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-7e9df7ab36 \*`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-7e9df7ab36

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 31 Fedora Update System 2022-11-09 11:54:53 UTC
FEDORA-EPEL-2022-26ea155e33 has been pushed to the Fedora EPEL 9 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-26ea155e33

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 32 Fedora Update System 2022-11-09 12:02:05 UTC
FEDORA-EPEL-2022-d559f68df8 has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-d559f68df8

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 33 Richard Fontana 2022-11-13 21:01:31 UTC
Lifting FE-Legal.

Comment 34 Fedora Update System 2022-11-17 01:27:20 UTC
FEDORA-2022-7e9df7ab36 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 35 Fedora Update System 2022-11-17 01:27:30 UTC
FEDORA-2022-9325194c36 has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 36 Fedora Update System 2022-11-17 03:07:55 UTC
FEDORA-EPEL-2022-26ea155e33 has been pushed to the Fedora EPEL 9 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 37 Fedora Update System 2022-11-17 03:22:49 UTC
FEDORA-EPEL-2022-d559f68df8 has been pushed to the Fedora EPEL 8 stable repository.
If problem still persists, please make note of it in this bug report.
