Bug 2253714 - Review Request: rust-crypto-auditing - Client library for crypto-auditing project
Summary: Review Request: rust-crypto-auditing - Client library for crypto-auditing pro...
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: 38
Hardware: Unspecified
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Jakub Jelen
QA Contact: Fedora Extras Quality Assurance
URL: https://crates.io/crates/crypto-auditing
Whiteboard:
Depends On:
Blocks: 2253719 2253720 2253721 2253723
TreeView+ depends on / blocked
 
Reported: 2023-12-09 00:35 UTC by Daiki Ueno
Modified: 2023-12-12 15:20 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-12-12 15:20:33 UTC
Type: ---
Embargoed:
jjelen: fedora-review+


Attachments (Terms of Use)

Description Daiki Ueno 2023-12-09 00:35:12 UTC
Spec URL: https://ueno.fedorapeople.org/rust-crypto-auditing/rust-crypto-auditing.spec
SRPM URL: https://ueno.fedorapeople.org/rust-crypto-auditing/rust-crypto-auditing-0.2.0-1.fc40.src.rpm
Description:
Client library for crypto-auditing project.

Reproducible: Always

Comment 1 Fedora Review Service 2023-12-09 00:47:08 UTC
Copr build:
https://copr.fedorainfracloud.org/coprs/build/6735741
(succeeded)

Review template:
https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2253714-rust-crypto-auditing/fedora-rawhide-x86_64/06735741-rust-crypto-auditing/fedora-review/review.txt

Found issues:

- No gcc, gcc-c++ or clang found in BuildRequires
  Read more: https://docs.fedoraproject.org/en-US/packaging-guidelines/C_and_C++/

Please know that there can be false-positives.

---
This comment was created by the fedora-review-service
https://github.com/FrostyX/fedora-review-service

If you want to trigger a new Copr build, add a comment containing new
Spec and SRPM URLs or [fedora-review-service-build] string.

Comment 2 Jakub Jelen 2023-12-11 10:05:48 UTC
Minor nits:
 * No documentation for the package is available
 * There are few files identified as a license "*No copyright* GNU General Public License, Version 2" -- src/bpf/audit.h -- might make sense to mention in the SPDX license field, but probably not a huge deal.

Package Review
==============

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated
[ ] = Manual review needed

===== MUST items =====

C/C++:
[-]: Provides: bundled(gnulib) in place as required.
     Note: Sources not installed
[x]: Package does not contain kernel modules.
[x]: Header files in -devel subpackage, if present.
[x]: Package does not contain any libtool archives (.la)
[x]: Package contains no static executables.
[x]: Rpath absent or only used for internal libs.

Generic:
[x]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[x]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses
     found: "Unknown or generated", "*No copyright* GNU General Public
     License, Version 2", "GNU General Public License, Version 3". 5 files
     have unknown license.
[x]: License file installed when any subpackage combination is installed.
[x]: %build honors applicable compiler flags or justifies otherwise.
[x]: Package contains no bundled libraries without FPC exception.
[x]: Changelog in prescribed format.
[x]: Sources contain only permissible code or content.
[-]: Package contains desktop file if it is a GUI application.
[x]: Development files must be in a -devel package
[x]: Package uses nothing in %doc for runtime.
[x]: Package consistently uses macros (instead of hard-coded directory
     names).
[x]: Package is named according to the Package Naming Guidelines.
[x]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[x]: Requires correct, justified where necessary.
[x]: Spec file is legible and written in American English.
[-]: Package contains systemd file(s) if in need.
[x]: Package is not known to require an ExcludeArch tag.
[x]: Package complies to the Packaging Guidelines
[x]: Package successfully compiles and builds into binary rpms on at least
     one supported primary architecture.
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: If (and only if) the source package includes the text of the
     license(s) in its own file, then that file, containing the text of the
     license(s) for the package is included in %license.
[x]: The License field must be a valid SPDX expression.
[x]: Package requires other packages for directories it uses.
[x]: Package must own all directories that it creates.
[x]: Package does not own files or directories owned by other packages.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Dist tag is present.
[x]: Permissions on files are set properly.
[x]: Package must not depend on deprecated() packages.
[x]: Package use %makeinstall only when make install DESTDIR=... doesn't
     work.
[x]: Package is named using only allowed ASCII characters.
[x]: Package does not use a name that already exists.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as
     provided in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Large documentation must go in a -doc subpackage. Large could be size
     (~1MB) or number of files.
     Note: Documentation size is 0 bytes in 0 files.
[x]: Packages must not store files under /srv, /opt or /usr/local

===== SHOULD items =====

Generic:
[-]: If the source package does not include license text(s) as a separate
     file from upstream, the packager SHOULD query upstream to include it.
[x]: Final provides and requires are sane (see attachments).
[-]: Fully versioned dependency in subpackages if applicable.
     Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in rust-
     crypto-auditing-devel , rust-crypto-auditing+default-devel
[x]: Package functions as described.
[x]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[-]: Sources are verified with gpgverify first in %prep if upstream
     publishes signatures.
[-]: Package should compile and build into binary rpms on all supported
     architectures.
[-]: %check is present and all tests pass.
[x]: Packages should try to preserve timestamps of original installed
     files.
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: Sources can be downloaded from URI in Source: tag
[x]: SourceX is a working URL.
[x]: Spec use %global instead of %define unless justified.

===== EXTRA items =====

Generic:
[x]: Spec file according to URL is the same as in SRPM.
     Note: Spec file as given by url is not the same as in SRPM (see
     attached diff).
     See: (this test has no URL)
     This is expected with the rpmautospec
[x]: Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).


Rpmlint
-------
Checking: rust-crypto-auditing-devel-0.2.0-1.fc40.noarch.rpm
          rust-crypto-auditing+default-devel-0.2.0-1.fc40.noarch.rpm
          rust-crypto-auditing-0.2.0-1.fc40.src.rpm
=========================================================================================================== rpmlint session starts ==========================================================================================================
rpmlint: 2.4.0
configuration:
    /usr/lib/python3.11/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora-legacy-licenses.toml
    /etc/xdg/rpmlint/fedora-spdx-licenses.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
rpmlintrc: [PosixPath('/tmp/tmpb39f_o03')]
checks: 31, packages: 3

rust-crypto-auditing+default-devel.noarch: W: no-documentation
rust-crypto-auditing-devel.noarch: W: no-documentation
============================================================================ 3 packages and 0 specfiles checked; 0 errors, 2 warnings, 0 badness; has taken 0.1 s ===========================================================================




Rpmlint (installed packages)
----------------------------
============================ rpmlint session starts ============================
rpmlint: 2.5.0
configuration:
    /usr/lib/python3.12/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora-legacy-licenses.toml
    /etc/xdg/rpmlint/fedora-spdx-licenses.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
checks: 32, packages: 2

rust-crypto-auditing-devel.noarch: W: no-documentation
rust-crypto-auditing+default-devel.noarch: W: no-documentation
 2 packages and 0 specfiles checked; 0 errors, 2 warnings, 8 filtered, 0 badness; has taken 0.0 s 



Source checksums
----------------
https://crates.io/api/v1/crates/crypto-auditing/0.2.0/download#/crypto-auditing-0.2.0.crate :
  CHECKSUM(SHA256) this package     : 914eeb47987cfc1e30cdddf6daaf4b4001ad5591cc89008a5030538a6a296b79
  CHECKSUM(SHA256) upstream package : 914eeb47987cfc1e30cdddf6daaf4b4001ad5591cc89008a5030538a6a296b79


Requires
--------
rust-crypto-auditing-devel (rpmlib, GLIBC filtered):
    (crate(bindgen/default) >= 0.63.0 with crate(bindgen/default) < 0.64.0~)
    (crate(futures/default) >= 0.3.0 with crate(futures/default) < 0.4.0~)
    (crate(libc/default) >= 0.2.0 with crate(libc/default) < 0.3.0~)
    (crate(serde/default) >= 1.0.0 with crate(serde/default) < 2.0.0~)
    (crate(serde/derive) >= 1.0.0 with crate(serde/derive) < 2.0.0~)
    (crate(serde_cbor/default) >= 0.11.0 with crate(serde_cbor/default) < 0.12.0~)
    (crate(serde_with/default) >= 3.0.0 with crate(serde_with/default) < 4.0.0~)
    (crate(thiserror/default) >= 1.0.0 with crate(thiserror/default) < 2.0.0~)
    (crate(tokio-serde/cbor) >= 0.8.0 with crate(tokio-serde/cbor) < 0.9.0~)
    (crate(tokio-serde/default) >= 0.8.0 with crate(tokio-serde/default) < 0.9.0~)
    (crate(tokio-stream/default) >= 0.1.0 with crate(tokio-stream/default) < 0.2.0~)
    (crate(tokio-util/codec) >= 0.7.0 with crate(tokio-util/codec) < 0.8.0~)
    (crate(tokio-util/default) >= 0.7.0 with crate(tokio-util/default) < 0.8.0~)
    (crate(tokio/default) >= 1.23.0 with crate(tokio/default) < 2.0.0~)
    (crate(tokio/net) >= 1.23.0 with crate(tokio/net) < 2.0.0~)
    (crate(tokio/rt) >= 1.23.0 with crate(tokio/rt) < 2.0.0~)
    (crate(tracing/default) >= 0.1.0 with crate(tracing/default) < 0.2.0~)
    cargo

rust-crypto-auditing+default-devel (rpmlib, GLIBC filtered):
    cargo
    crate(crypto-auditing)



Provides
--------
rust-crypto-auditing-devel:
    crate(crypto-auditing)
    rust-crypto-auditing-devel

rust-crypto-auditing+default-devel:
    crate(crypto-auditing/default)
    rust-crypto-auditing+default-devel



Diff spec file in url and in SRPM
---------------------------------
--- /home/jjelen/2253714-rust-crypto-auditing/srpm/rust-crypto-auditing.spec	2023-12-11 10:13:24.783117936 +0100
+++ /home/jjelen/2253714-rust-crypto-auditing/srpm-unpacked/rust-crypto-auditing.spec	2023-12-09 01:00:00.000000000 +0100
@@ -1,2 +1,12 @@
+## START: Set by rpmautospec
+## (rpmautospec version 0.3.8)
+## RPMAUTOSPEC: autorelease, autochangelog
+%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
+    release_number = 1;
+    base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
+    print(release_number + base_release_number - 1);
+}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
+## END: Set by rpmautospec
+
 # Generated by rust2rpm 25
 %bcond_without check
@@ -65,3 +75,6 @@
 
 %changelog
-%autochangelog
+## START: Generated by rpmautospec
+* Sat Dec 09 2023 John Doe <packager> - 0.2.0-1
+- Uncommitted changes
+## END: Generated by rpmautospec


Generated by fedora-review 0.10.0 (e79b66b) last change: 2023-07-24
Command line :/usr/bin/fedora-review -b 2253714
Buildroot used: fedora-rawhide-x86_64
Active plugins: Shell-api, Generic, C/C++
Disabled plugins: Python, PHP, Haskell, fonts, Perl, SugarActivity, Java, Ocaml, R
Disabled flags: EXARCH, EPEL6, EPEL7, DISTTAG, BATCH

Comment 3 Daiki Ueno 2023-12-12 10:55:51 UTC
(In reply to Jakub Jelen from comment #2)
> Minor nits:
>  * No documentation for the package is available
>  * There are few files identified as a license "*No copyright* GNU General
> Public License, Version 2" -- src/bpf/audit.h -- might make sense to mention
> in the SPDX license field, but probably not a huge deal.

Thanks; I've created a new upstream release that include a documentation (README.md) and license clarification (GPL-2.0-or-later, and thus GPL-3.0-or-later covers all). Could you take a look again?

Spec URL: https://ueno.fedorapeople.org/rust-crypto-auditing/rust-crypto-auditing.spec
SRPM URL: https://ueno.fedorapeople.org/rust-crypto-auditing/rust-crypto-auditing-0.2.1-1.fc40.src.rpm

[fedora-review-service-build]

Comment 4 Jakub Jelen 2023-12-12 11:50:37 UTC
Thanks! Looks good to me!

Comment 5 Fedora Admin user for bugzilla script actions 2023-12-12 12:41:33 UTC
The Pagure repository was created at https://src.fedoraproject.org/rpms/rust-crypto-auditing

Comment 6 Daiki Ueno 2023-12-12 15:20:33 UTC
Thank you for the review. The package has been imported and built in rawhide:
https://bodhi.fedoraproject.org/updates/FEDORA-2023-5ba2bc2ea0


Note You need to log in before you can comment on or make changes to this bug.