It is quite unusual to have a package without upstream URL. Why is this package a separate source if it does not have any upstream repository? Wouldn't it make sense to create fedora-specific subpackage to any package it is related to?

It does not explain what IMA stands for, which packages use it and for what exactly. I think at least README.md with a bit more descriptive text how and for what this is used would be useful. Especially with some links to more detailed page. Would a good candidate be [1]?

I think all files installed into /etc should have %config(noreplace) added to them, unless very special case.

The spec lacks %prep section, where %autosetup should be present. I think it expands it into long description, which should not be done.

I would say if this package does not have any upstream, it should have version 0 only. Release incrementals should be enough, until some upstream archive is used with any version assigned to it.

1. https://sourceforge.net/p/linux-ima/wiki/Home/

Also, since there's no upstream, and the srpm link is not provided, it's not really possible to review the contents :(

This is an automatic check from review-stats script.

This review request ticket hasn't been updated for some time. We're sorry
it is taking so long. If you're still interested in packaging this software
into Fedora repositories, please respond to this comment clearing the
NEEDINFO flag.

You may want to update the specfile and the src.rpm to the latest version
available and to propose a review swap on Fedora devel mailing list to increase
chances to have your package reviewed. If this is your first package and you
need a sponsor, you may want to post some informal reviews. Read more at
https://fedoraproject.org/wiki/How_to_get_sponsored_into_the_packager_group.

Without any reply, this request will shortly be considered abandoned
and will be closed.
Thank you for your patience.

Thank Petr and Zbigniew for the feedback! This functions provided by this package are now contained in the ima-evm-utils package.