Bug 2248784 - Review Request: rust-cargo-deny - Cargo plugin to help you manage large dependency graphs
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: blinxen
QA Contact: Fedora Extras Quality Assurance
URL: https://crates.io/crates/cargo-deny
Whiteboard:
Depends On:
Blocks:
 
Reported: 2023-11-09 00:41 UTC by Fabio Valentini
Modified: 2023-11-24 19:57 UTC

Fixed In Version: rust-cargo-deny-0.14.3-1.fc40
Clone Of:
Environment:
Last Closed: 2023-11-24 19:57:50 UTC
Type: ---
Embargoed:
h-k-81: fedora-review+


Attachments
The .spec file difference from Copr build 6614266 to 6670539 (1.44 KB, patch)
2023-11-20 17:03 UTC, Fedora Review Service

Description Fabio Valentini 2023-11-09 00:41:08 UTC
Spec URL: https://decathorpe.fedorapeople.org/rust-cargo-deny.spec
SRPM URL: https://decathorpe.fedorapeople.org/rust-cargo-deny-0.14.3-1.fc39.src.rpm

Description:
Cargo plugin to help you manage large dependency graphs.

Fedora Account System Username: decathorpe

Comment 1 Fabio Valentini 2023-11-09 00:41:11 UTC
This package built on koji:  https://koji.fedoraproject.org/koji/taskinfo?taskID=108774536

Comment 2 Fedora Review Service 2023-11-09 01:15:44 UTC
Copr build:
https://copr.fedorainfracloud.org/coprs/build/6614266
(succeeded)

Review template:
https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2248784-rust-cargo-deny/fedora-rawhide-x86_64/06614266-rust-cargo-deny/fedora-review/review.txt

Please take a look if any issues were found.

---
This comment was created by the fedora-review-service
https://github.com/FrostyX/fedora-review-service

If you want to trigger a new Copr build, add a comment containing new
Spec and SRPM URLs or [fedora-review-service-build] string.

Comment 3 blinxen 2023-11-13 20:22:33 UTC
Taking this review

General comments:

- Package was generated with rust2rpm
- Some tests were skipped because of missing files --> OK
- Some dependencies were manually updated to the latest version --> OK but maybe consider patching this upstream
- I assume

Questions:

- Why is the SPDX license list data updated? Looking at upstream, it seems the file is 4 years old. Should this be reported?
- What is the license under which the license list is published? I could not find any information about that (looked in https://github.com/spdx/license-list-data and https://github.com/spdx/license-list-XML).

Problems:

- False requires on `/usr/bin/bash`, excluding `scripts` should probably fix this

Full review:

Package Review
==============

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated
[ ] = Manual review needed


===== MUST items =====

C/C++:
[-]: Provides: bundled(gnulib) in place as required.
     Note: Sources not installed
[x]: Package does not contain kernel modules.
[x]: Header files in -devel subpackage, if present.
[x]: Package does not contain any libtool archives (.la)
[x]: Package contains no static executables.
[x]: Rpath absent or only used for internal libs.

Generic:
[x]: Package successfully compiles and builds into binary rpms on at least
     one supported primary architecture.
     Note: Using prebuilt packages
[x]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[x]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. No licenses
     found. Please check the source files for licenses manually.
[x]: License file installed when any subpackage combination is installed.
[x]: If the package is under multiple licenses, the licensing breakdown
     must be documented in the spec.
[x]: %build honors applicable compiler flags or justifies otherwise.
[!]: Package contains no bundled libraries without FPC exception.
[x]: Changelog in prescribed format.
[x]: Sources contain only permissible code or content.
[-]: Package contains desktop file if it is a GUI application.
[x]: Development files must be in a -devel package
[x]: Package uses nothing in %doc for runtime.
[x]: Package consistently uses macros (instead of hard-coded directory
     names).
[x]: Package is named according to the Package Naming Guidelines.
[x]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[x]: Requires correct, justified where necessary.
[x]: Spec file is legible and written in American English.
[-]: Package contains systemd file(s) if in need.
[x]: Useful -debuginfo package or justification otherwise.
[x]: Package is not known to require an ExcludeArch tag.
[-]: Large documentation must go in a -doc subpackage. Large could be size
     (~1MB) or number of files.
     Note: Documentation size is 73246 bytes in 5 files.
[x]: Package complies to the Packaging Guidelines
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: The License field must be a valid SPDX expression.
[x]: Package requires other packages for directories it uses.
[x]: Package must own all directories that it creates.
[x]: Package does not own files or directories owned by other packages.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Dist tag is present.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package must not depend on deprecated() packages.
[x]: Package use %makeinstall only when make install DESTDIR=... doesn't
     work.
[x]: Package is named using only allowed ASCII characters.
[x]: Package does not use a name that already exists.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as
     provided in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Packages must not store files under /srv, /opt or /usr/local

===== SHOULD items =====

Generic:
[x]: Reviewer should test that the package builds in mock.
[x]: If the source package does not include license text(s) as a separate
     file from upstream, the packager SHOULD query upstream to include it.
[x]: Final provides and requires are sane (see attachments).
[x]: Fully versioned dependency in subpackages if applicable.
     Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in cargo-deny,
     rust-cargo-deny-devel, rust-cargo-deny+default-devel,
     rust-cargo-deny+native-certs-devel
[?]: Package functions as described.
[x]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[!]: Patches link to upstream bugs/comments/lists or are otherwise
     justified.
[-]: Sources are verified with gpgverify first in %prep if upstream
     publishes signatures.
     Note: gpgverify is not used.
[x]: Package should compile and build into binary rpms on all supported
     architectures.
[!]: %check is present and all tests pass.
[x]: Packages should try to preserve timestamps of original installed
     files.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: Sources can be downloaded from URI in Source: tag
[x]: SourceX is a working URL.
[x]: Spec use %global instead of %define unless justified.

===== EXTRA items =====

Generic:
[x]: Rpmlint is run on all installed packages.
     Note: No rpmlint messages.
[x]: Large data in /usr/share should live in a noarch subpackage if package
     is arched.


Rpmlint
-------
Checking: cargo-deny-0.14.3-1.fc40.aarch64.rpm
          rust-cargo-deny-devel-0.14.3-1.fc40.noarch.rpm
          rust-cargo-deny+default-devel-0.14.3-1.fc40.noarch.rpm
          rust-cargo-deny+native-certs-devel-0.14.3-1.fc40.noarch.rpm
          rust-cargo-deny-debugsource-0.14.3-1.fc40.aarch64.rpm
          rust-cargo-deny-0.14.3-1.fc40.src.rpm
============================ rpmlint session starts ============================
rpmlint: 2.4.0
configuration:
    /usr/lib/python3.11/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora-legacy-licenses.toml
    /etc/xdg/rpmlint/fedora-spdx-licenses.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
rpmlintrc: [PosixPath('/tmp/tmpsd9rvj_t')]
checks: 31, packages: 6

cargo-deny.aarch64: W: no-manual-page-for-binary cargo-deny
rust-cargo-deny+default-devel.noarch: W: no-documentation
rust-cargo-deny+native-certs-devel.noarch: W: no-documentation
 6 packages and 0 specfiles checked; 0 errors, 3 warnings, 0 badness; has taken 0.5 s




Rpmlint (installed packages)
----------------------------
(none): E: there is no installed rpm "rust-cargo-deny-devel".
(none): E: there is no installed rpm "rust-cargo-deny+native-certs-devel".
(none): E: there is no installed rpm "rust-cargo-deny+default-devel".
(none): E: there is no installed rpm "cargo-deny".
(none): E: there is no installed rpm "rust-cargo-deny-debugsource".
There are no files to process nor additional arguments.
Nothing to do, aborting.
============================ rpmlint session starts ============================
rpmlint: 2.4.0
configuration:
    /usr/lib/python3.12/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora-legacy-licenses.toml
    /etc/xdg/rpmlint/fedora-spdx-licenses.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
checks: 31, packages: 5

 0 packages and 0 specfiles checked; 0 errors, 0 warnings, 0 badness; has taken 0.0 s



Source checksums
----------------
https://crates.io/api/v1/crates/cargo-deny/0.14.3/download#/cargo-deny-0.14.3.crate :
  CHECKSUM(SHA256) this package     : 60deefd7de37636520d2d0b6ea167f84b934d2bd557ee3c079b36f87614be5cd
  CHECKSUM(SHA256) upstream package : 60deefd7de37636520d2d0b6ea167f84b934d2bd557ee3c079b36f87614be5cd


Requires
--------
cargo-deny (rpmlib, GLIBC filtered):
    ld-linux-aarch64.so.1()(64bit)
    libc.so.6()(64bit)
    libgcc_s.so.1()(64bit)
    libgcc_s.so.1(GCC_3.0)(64bit)
    libgcc_s.so.1(GCC_3.3)(64bit)
    libgcc_s.so.1(GCC_4.2.0)(64bit)
    libm.so.6()(64bit)
    libzstd.so.1()(64bit)
    rtld(GNU_HASH)

rust-cargo-deny-devel (rpmlib, GLIBC filtered):
    (crate(anyhow/default) >= 1.0.0 with crate(anyhow/default) < 2.0.0~)
    (crate(askalono/default) >= 0.4.0 with crate(askalono/default) < 0.5.0~)
    (crate(bitvec/alloc) >= 1.0.0 with crate(bitvec/alloc) < 2.0.0~)
    (crate(bitvec/default) >= 1.0.0 with crate(bitvec/default) < 2.0.0~)
    (crate(camino/default) >= 1.1.0 with crate(camino/default) < 2.0.0~)
    (crate(clap/default) >= 4.3.0 with crate(clap/default) < 5.0.0~)
    (crate(clap/derive) >= 4.3.0 with crate(clap/derive) < 5.0.0~)
    (crate(clap/env) >= 4.3.0 with crate(clap/env) < 5.0.0~)
    (crate(codespan-reporting/default) >= 0.11.0 with crate(codespan-reporting/default) < 0.12.0~)
    (crate(codespan/default) >= 0.11.0 with crate(codespan/default) < 0.12.0~)
    (crate(crossbeam/default) >= 0.8.0 with crate(crossbeam/default) < 0.9.0~)
    (crate(fern/default) >= 0.6.0 with crate(fern/default) < 0.7.0~)
    (crate(gix) >= 0.55.0 with crate(gix) < 0.56.0~)
    (crate(gix/blocking-http-transport-reqwest) >= 0.55.0 with crate(gix/blocking-http-transport-reqwest) < 0.56.0~)
    (crate(gix/blocking-network-client) >= 0.55.0 with crate(gix/blocking-network-client) < 0.56.0~)
    (crate(gix/interrupt) >= 0.55.0 with crate(gix/interrupt) < 0.56.0~)
    (crate(gix/reqwest-for-configuration-only) >= 0.55.0 with crate(gix/reqwest-for-configuration-only) < 0.56.0~)
    (crate(gix/worktree-mutation) >= 0.55.0 with crate(gix/worktree-mutation) < 0.56.0~)
    (crate(globset/default) >= 0.4.0 with crate(globset/default) < 0.5.0~)
    (crate(goblin) >= 0.7.0 with crate(goblin) < 0.8.0~)
    (crate(goblin/elf32) >= 0.7.0 with crate(goblin/elf32) < 0.8.0~)
    (crate(goblin/elf64) >= 0.7.0 with crate(goblin/elf64) < 0.8.0~)
    (crate(goblin/mach32) >= 0.7.0 with crate(goblin/mach32) < 0.8.0~)
    (crate(goblin/mach64) >= 0.7.0 with crate(goblin/mach64) < 0.8.0~)
    (crate(goblin/pe32) >= 0.7.0 with crate(goblin/pe32) < 0.8.0~)
    (crate(goblin/pe64) >= 0.7.0 with crate(goblin/pe64) < 0.8.0~)
    (crate(home/default) >= 0.5.0 with crate(home/default) < 0.6.0~)
    (crate(krates/default) >= 0.15.0 with crate(krates/default) < 0.16.0~)
    (crate(krates/targets) >= 0.15.0 with crate(krates/targets) < 0.16.0~)
    (crate(log/default) >= 0.4.0 with crate(log/default) < 0.5.0~)
    (crate(nu-ansi-term/default) >= 0.49.0 with crate(nu-ansi-term/default) < 0.50.0~)
    (crate(parking_lot/default) >= 0.12.0 with crate(parking_lot/default) < 0.13.0~)
    (crate(rayon/default) >= 1.4.0 with crate(rayon/default) < 2.0.0~)
    (crate(reqwest) >= 0.11.0 with crate(reqwest) < 0.12.0~)
    (crate(ring/default) >= 0.17.0 with crate(ring/default) < 0.18.0~)
    (crate(rustsec) >= 0.28.0 with crate(rustsec) < 0.29.0~)
    (crate(semver/default) >= 1.0.0 with crate(semver/default) < 2.0.0~)
    (crate(serde/default) >= 1.0.0 with crate(serde/default) < 2.0.0~)
    (crate(serde/derive) >= 1.0.0 with crate(serde/derive) < 2.0.0~)
    (crate(serde_json/default) >= 1.0.0 with crate(serde_json/default) < 2.0.0~)
    (crate(smallvec/default) >= 1.9.0 with crate(smallvec/default) < 2.0.0~)
    (crate(spdx/default) >= 0.10.0 with crate(spdx/default) < 0.11.0~)
    (crate(strum/default) >= 0.25.0 with crate(strum/default) < 0.26.0~)
    (crate(strum/derive) >= 0.25.0 with crate(strum/derive) < 0.26.0~)
    (crate(tame-index) >= 0.7.0 with crate(tame-index) < 0.8.0~)
    (crate(tame-index/git) >= 0.7.0 with crate(tame-index/git) < 0.8.0~)
    (crate(tame-index/sparse) >= 0.7.0 with crate(tame-index/sparse) < 0.8.0~)
    (crate(time) >= 0.3.0 with crate(time) < 0.4.0~)
    (crate(time/formatting) >= 0.3.0 with crate(time/formatting) < 0.4.0~)
    (crate(time/macros) >= 0.3.0 with crate(time/macros) < 0.4.0~)
    (crate(toml/default) >= 0.8.0 with crate(toml/default) < 0.9.0~)
    (crate(twox-hash) >= 1.5.0 with crate(twox-hash) < 2.0.0~)
    (crate(url/default) >= 2.1.0 with crate(url/default) < 3.0.0~)
    (crate(walkdir/default) >= 2.3.0 with crate(walkdir/default) < 3.0.0~)
    /usr/bin/bash
    cargo
    rust

rust-cargo-deny+default-devel (rpmlib, GLIBC filtered):
    (crate(reqwest/rustls-tls-webpki-roots) >= 0.11.0 with crate(reqwest/rustls-tls-webpki-roots) < 0.12.0~)
    (crate(tame-index/default) >= 0.7.0 with crate(tame-index/default) < 0.8.0~)
    cargo
    crate(cargo-deny)

rust-cargo-deny+native-certs-devel (rpmlib, GLIBC filtered):
    (crate(reqwest/rustls-tls-native-roots) >= 0.11.0 with crate(reqwest/rustls-tls-native-roots) < 0.12.0~)
    (crate(tame-index/native-certs) >= 0.7.0 with crate(tame-index/native-certs) < 0.8.0~)
    cargo
    crate(cargo-deny)

rust-cargo-deny-debugsource (rpmlib, GLIBC filtered):



Provides
--------
cargo-deny:
    bundled(spdx-license-list-data)
    cargo-deny
    cargo-deny(aarch-64)

rust-cargo-deny-devel:
    crate(cargo-deny)
    rust-cargo-deny-devel

rust-cargo-deny+default-devel:
    crate(cargo-deny/default)
    rust-cargo-deny+default-devel

rust-cargo-deny+native-certs-devel:
    crate(cargo-deny/native-certs)
    rust-cargo-deny+native-certs-devel

rust-cargo-deny-debugsource:
    rust-cargo-deny-debugsource
    rust-cargo-deny-debugsource(aarch-64)



Generated by fedora-review 0.10.0 (e79b66b) last change: 2023-07-24
Command line :/usr/bin/fedora-review --no-colors --prebuilt --rpm-spec --name rust-cargo-deny --mock-config /var/lib/copr-rpmbuild/results/configs/child.cfg
Buildroot used: fedora-rawhide-aarch64
Active plugins: Generic, C/C++, Shell-api
Disabled plugins: Java, Haskell, Perl, fonts, Python, SugarActivity, R, PHP, Ocaml
Disabled flags: EXARCH, EPEL6, EPEL7, DISTTAG, BATCH
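The false `/usr/bin/bash` requirement comes from rpm's automatic dependency generator reading the `#!` line of files shipped in the -devel package. The check below is an added example (not part of the review, rust2rpm or cargo-deny): it walks a crate source tree for shebang lines and reports the interpreter each one pulls in and the top-level directories that hold such files, which are the candidates for an exclude list. The crate layout it builds is constructed for the demo, and paths are assumed to contain no spaces.

```shell
# Added example, not from the review, rust2rpm or cargo-deny. POSIX sh.
# Lists files whose "#!" line would make rpm's dependency generator add a
# file requirement (e.g. /usr/bin/bash) if the file lands in the -devel package.
# Directories named "target" (cargo build output) are skipped.

# list_shebang_files DIR
# Prints "<path> <interpreter>" for each matching regular file, sorted by path.
list_shebang_files() {
    find "$1" -path '*/target' -prune -o -type f -print | sort |
    while IFS= read -r f; do
        first=$(head -n 1 "$f" 2>/dev/null) || continue
        case "$first" in
            '#!'*) ;;
            *) continue ;;
        esac
        # strip "#!" and leading blanks, then reduce to the interpreter name
        interp=$(printf '%s\n' "$first" | sed 's/^#![[:space:]]*//')
        case "$interp" in
            *'/env '*) interp=${interp#*"/env "} ;;  # "#!/usr/bin/env bash" -> "bash"
        esac
        interp=${interp%% *}                           # drop interpreter arguments
        printf '%s %s\n' "$f" "$interp"
    done
}

# shebang_dirs DIR
# Prints the unique top-level directories (relative to DIR) that contain
# shebang files; excluding these from the crate avoids the false requirement.
shebang_dirs() {
    list_shebang_files "$1" | while IFS=' ' read -r path interp; do
        rel=${path#"$1"/}
        printf '%s\n' "${rel%%/*}"
    done | sort -u
}

# make_demo_crate
# Builds a constructed crate layout in a temporary directory and prints its path.
make_demo_crate() {
    d=$(mktemp -d)
    mkdir -p "$d/src" "$d/scripts" "$d/ci" "$d/target/debug"
    printf 'fn main() {}\n' > "$d/src/main.rs"                       # no shebang
    printf '#!/usr/bin/env bash\nset -e\necho generating\n' > "$d/scripts/gen.sh"
    printf '#!/bin/sh -e\nexit 0\n' > "$d/ci/run.sh"
    printf '#!/bin/bash\n' > "$d/target/debug/ignored.sh"           # pruned
    printf '%s\n' "$d"
}

demo=$(make_demo_crate)
echo "files with shebangs:"; list_shebang_files "$demo"
echo "directories to exclude:"; shebang_dirs "$demo"
rm -rf "$demo"
```

On the demo tree this reports `scripts/gen.sh` pulling in `bash` and `ci/run.sh` pulling in `/bin/sh`, and names `ci` and `scripts` as the directories to exclude.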

Comment 4 Fabio Valentini 2023-11-13 20:30:31 UTC
(In reply to blinxen from comment #3)
> Taking this review

Thanks!

> General comments:
> 
> - Package was generated with rust2rpm
> - Some tests were skipped because of missing files --> OK
> - Some dependencies were manually updated to the latest version --> OK but
> maybe consider patching this upstream

ring was already updated to v0.17 upstream:
https://github.com/EmbarkStudios/cargo-deny/commit/6a26873

for gix 0.54 -> 0.55, I will submit a PR.

> Questions:
> 
> - Why is the SPDX license list data updated? Looking at upstream, it seems
> the file is 4 years old. Should this be reported?

Probably ... there have been lots of licenses added to SPDX since Fedora started using it, so four year old data is very old.

> - What is the license under which the license list is published? I could not
> find any information about that (looked in
> https://github.com/spdx/license-list-data and
> https://github.com/spdx/license-list-XML).

I could not find more information about this either. I assumed it was fine ... but I will ask on the legal mailing list.

> Problems:
> 
> - False requires on `/usr/bin/bash`, excluding `scripts` should probably fix
> this

Good catch, I will do that.

Comment 5 Fabio Valentini 2023-11-13 21:01:00 UTC
tame-index v0.8 / gix v0.55 PR:
https://github.com/EmbarkStudios/cargo-deny/pull/575

issue about old bundled SPDX data:
https://github.com/EmbarkStudios/cargo-deny/issues/576

question about license of the SPDX license list data:
https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org/thread/L6GZH3NDLP5DQ3YHK33FB574HKBN532Z/

I'll update the package as soon as I have more information.

Comment 6 Fabio Valentini 2023-11-19 23:34:19 UTC
It appears that anything that's copyrightable in the spdx/license-list-data is available under CC0-1.0.
I've documented this in the spec file and updated the license tags accordingly.

[fedora-review-service-build]

Comment 7 Fedora Review Service 2023-11-20 17:03:14 UTC
Created attachment 2000538
The .spec file difference from Copr build 6614266 to 6670539

Comment 8 Fedora Review Service 2023-11-20 17:03:16 UTC
Copr build:
https://copr.fedorainfracloud.org/coprs/build/6670539
(succeeded)

Review template:
https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2248784-rust-cargo-deny/fedora-rawhide-x86_64/06670539-rust-cargo-deny/fedora-review/review.txt

Found issues:

- No gcc, gcc-c++ or clang found in BuildRequires
  Read more: https://docs.fedoraproject.org/en-US/packaging-guidelines/C_and_C++/
- License file licenses.rs is not marked as %license
  Read more: https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuidelines/#_license_text

Please know that there can be false-positives.

---
This comment was created by the fedora-review-service
https://github.com/FrostyX/fedora-review-service

If you want to trigger a new Copr build, add a comment containing new
Spec and SRPM URLs or [fedora-review-service-build] string.

Comment 9 blinxen 2023-11-23 19:44:15 UTC
> It appears that anything that's copyrightable in the spdx/license-list-data is available under CC0-1.0.
> I've documented this in the spec file and updated the license tags accordingly.

Thanks!

I think this looks good now, except the requires on `/bin/bash`.
Once that is fixed, I can approve this.

Comment 10 Fabio Valentini 2023-11-24 13:17:08 UTC
Oops, I missed that. Should be fixed now.

Comment 11 blinxen 2023-11-24 18:27:51 UTC
Looks good now!

APPROVED

Comment 12 Fabio Valentini 2023-11-24 19:13:31 UTC
Thank you for the review!

Comment 13 Fedora Admin user for bugzilla script actions 2023-11-24 19:14:01 UTC
The Pagure repository was created at https://src.fedoraproject.org/rpms/rust-cargo-deny

Comment 14 Fabio Valentini 2023-11-24 19:57:50 UTC
Imported and built:
https://bodhi.fedoraproject.org/updates/FEDORA-2023-694f67dfc8

