Spec URL: https://rebus.fedorapeople.org/python-xlrd2.spec
SRPM URL: https://rebus.fedorapeople.org/python-xlrd2-1.3.4-1.fc38.src.rpm

Description:
The xlrd2 module is an effort to extend the [xlrd project] (which is no longer maintained by its developers). The main goal is to make it suitable for extracting necessary information from malicious xls documents.

**Xlrd Purpose**: Provide a library for developers to use to extract data from Microsoft Excel (tm) spreadsheet files. It is not an end-user tool.

Fedora Account System Username: rebus
This package built on koji: https://koji.fedoraproject.org/koji/taskinfo?taskID=108225995
Copr build for f37-f40, rhel7-rhel9 https://copr.fedorainfracloud.org/coprs/rebus/infosec/build/6575413/
Copr build: https://copr.fedorainfracloud.org/coprs/build/6577369 (failed)

Build log: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2246704-python-xlrd2/srpm-builds/06577369/builder-live.log.gz

Please make sure the package builds successfully at least for Fedora Rawhide.
- If the build failed for unrelated reasons (e.g. temporary network unavailability), please ignore it.
- If the build failed because of missing BuildRequires, please make sure they are listed in the "Depends On" field

---
This comment was created by the fedora-review-service
https://github.com/FrostyX/fedora-review-service

If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.
> # macro is not defined on rhel7 and
> %if (0%{?fedora}) || ( 0%{?rhel} && 0%{?rhel} >= 8 )

With RHEL7 being EOLed, do we care?

> mintained by its developers

typo here
> License: Apache-2.0

There is BSD-3-Clause too.
https://github.com/DissectMalware/xlrd2/blob/master/LICENSE#L205

And BSD-Advertising-Acknowledgement
https://github.com/DissectMalware/xlrd2/blob/master/LICENSE#L237

(note I used scancode --license --license-references -n6 --html /tmp/scan.html . on the git clone to discover this)
> python3-xlrd2.noarch: W: no-manual-page-for-binary runxlrd2.py

This will be nice. But I will not block on this.

python-xlrd2-doc.noarch: W: files-duplicate /usr/share/licenses/python-xlrd2-doc/licenses.rst /usr/share/doc/python-xlrd2-doc/html/_sources/licenses.rst.txt

and licenses.rst.txt is not marked as %license - the best thing will be removing licenses.rst.txt

I see no other issue.
Spec URL: https://rebus.fedorapeople.org/python-xlrd2.spec
SRPM URL: https://rebus.fedorapeople.org/python-xlrd2-1.3.4-2.fc40.src.rpm

> mintained by its developers

thanks ... typo fixed

> With RHEL7 being EOLed, do we care?

still works on copr rhel7. I do not plan to maintain rhel7 as soon as code breaks there, but while it is already working there is probably no reason to break it

> There is BSD-3-Clause too
> And BSD-Advertising-Acknowledgement

added to the License tag

> scancode --license --license-references -n6 --html /tmp/scan.html

thanks for the hint, I didn't know the scancode-toolkit

> python3-xlrd2.noarch: W: no-manual-page-for-binary runxlrd2.py

the executable is more like an example than main functionality - I have never used that actually. main goal is the parsing of the xls documents to extract the malicious artifacts. I use it together with the oletools

Copr build https://copr.fedorainfracloud.org/coprs/rebus/infosec/build/7816991/
Copr build: https://copr.fedorainfracloud.org/coprs/build/7817109 (succeeded)

Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2246704-python-xlrd2/fedora-rawhide-x86_64/07817109-python-xlrd2/fedora-review/review.txt

Found issues:
- License file licenses.html is not marked as %license
  Read more: https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuidelines/#_license_text

Please know that there can be false-positives.

---
This comment was created by the fedora-review-service
https://github.com/FrostyX/fedora-review-service

If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.
> - Package must not depend on deprecated() packages.
>   Note: python3-pytest7 is deprecated, you must not depend on it.
>   See: https://docs.fedoraproject.org/en-US/packaging-guidelines/deprecating-packages/

I believe this is a false positive https://fedoraproject.org/wiki/Changes/Pytest_8
And in the spec file there is nothing specifically requiring version 7.

> - If (and only if) the source package includes the text of the license(s)
>   in its own file, then that file, containing the text of the license(s)
>   for the package is included in %license.
>   Note: License file licenses.html is not marked as %license
>   See: https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuidelines/#_license_text

This is still not fixed.
Hello Miroslave,

> And in the spec file there is nothing specifically requiring version 7.

explicit versioning is not in the spec file and it is not in the package. I do not understand this detection. Maybe it detects some deprecated API of pytest ... dunno? Please, how did you come to this detection? I do not see it in the review from the Fedora review service.

> This is still not fixed.

I believe this is not really an issue. The file licenses.html is just part of the documentation package - rst rendered to html based on licenses.rst. File licenses.rst is itself just literally including the LICENSE file from the package base directory. See https://github.com/DissectMalware/xlrd2/blob/master/docs/licenses.rst

It is not wrong that it is not marked as %license and that it is not in the noarch package - the source of the license information is the LICENSE file, which is already marked as %license. I believe the purpose of this rule is to have at least one meaningful/authoritative copy of the license marked as %license, not to mark all rendered or otherwise derived copies.

Frankly I would say that it is already wrong marking the documentation source file doc/licenses.rst as %license. Also it is wrong to delete /usr/share/doc/python-xlrd2-doc/html/_sources/licenses.rst.txt ... as the html rendered page is referring to that with a hyper-link to "Show source".

Best regards
Michal Ambroz
> Please how did you come to this detection?

I run fedora-review on my workstation locally.

> I believe this is not really issue.

Ack. I agree.
Package Review
==============

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated
[ ] = Manual review needed

===== MUST items =====

Generic:
[x]: Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines.
[x]: License field in the package spec file matches the actual license.
[x]: License file installed when any subpackage combination is installed.
[x]: If the package is under multiple licenses, the licensing breakdown must be documented in the spec.
[x]: Package contains no bundled libraries without FPC exception.
[x]: Changelog in prescribed format.
[x]: Sources contain only permissible code or content.
[-]: Package contains desktop file if it is a GUI application.
[-]: Development files must be in a -devel package
[x]: Package uses nothing in %doc for runtime.
[x]: Package consistently uses macros (instead of hard-coded directory names).
[x]: Package is named according to the Package Naming Guidelines.
[x]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and Provides are present.
[x]: Requires correct, justified where necessary.
[x]: Spec file is legible and written in American English.
[-]: Package contains systemd file(s) if in need.
[x]: Package is not known to require an ExcludeArch tag.
[x]: Package complies to the Packaging Guidelines
[x]: Package successfully compiles and builds into binary rpms on at least one supported primary architecture.
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: The License field must be a valid SPDX expression.
[x]: Package requires other packages for directories it uses.
[x]: Package must own all directories that it creates.
[x]: Package does not own files or directories owned by other packages.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install.
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Dist tag is present.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package use %makeinstall only when make install DESTDIR=... doesn't work.
[x]: Package is named using only allowed ASCII characters.
[x]: Package does not use a name that already exists.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as provided in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Large documentation must go in a -doc subpackage. Large could be size (~1MB) or number of files.
     Note: Documentation size is 2280 bytes in 1 files.
[x]: Packages must not store files under /srv, /opt or /usr/local

Python:
[x]: Python eggs must not download any dependencies during the build process.
[x]: A package which is used by another package via an egg interface should provide egg info.
[x]: Package meets the Packaging Guidelines::Python
[x]: Package contains BR: python2-devel or python3-devel
[x]: Packages MUST NOT have dependencies (either build-time or runtime) on packages named with the unversioned python- prefix unless no properly versioned package exists. Dependencies on Python packages instead MUST use names beginning with python2- or python3- as appropriate.
[x]: Python packages must not contain %{pythonX_site(lib|arch)}/* in %files
[x]: Binary eggs must be removed in %prep

===== SHOULD items =====

Generic:
[-]: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it.
[x]: Final provides and requires are sane (see attachments).
[-]: Fully versioned dependency in subpackages if applicable.
     Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in python3-xlrd2
[?]: Package functions as described.
[x]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[x]: Patches link to upstream bugs/comments/lists or are otherwise justified.
[-]: Sources are verified with gpgverify first in %prep if upstream publishes signatures.
     Note: gpgverify is not used.
[?]: Package should compile and build into binary rpms on all supported architectures.
[x]: %check is present and all tests pass.
[x]: Packages should try to preserve timestamps of original installed files.
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT)
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: Sources can be downloaded from URI in Source: tag
[x]: SourceX is a working URL.
[x]: Spec use %global instead of %define unless justified.

===== EXTRA items =====

Generic:
[x]: Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).
[x]: Spec file according to URL is the same as in SRPM.

APPROVED
The Pagure repository was created at https://src.fedoraproject.org/rpms/python-xlrd2