Bug 225796 - Merge Review: giflib
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Susi Lehtola
QA Contact: Fedora Package Reviews List
Depends On: 447832
Reported: 2007-01-31 13:43 EST by Nobody's working on this, feel free to take it
Modified: 2009-06-14 12:17 EDT
Doc Type: Bug Fix
Last Closed: 2009-06-14 12:17:37 EDT
susi.lehtola: fedora‑review+


Description Nobody's working on this, feel free to take it 2007-01-31 13:43:50 EST
Fedora Merge Review: giflib

http://cvs.fedora.redhat.com/viewcvs/devel/giflib/
Initial Owner: nmurray@redhat.com
Comment 1 Michael Schwendt 2007-12-07 13:57:19 EST
$ rpmlint giflib-utils-4.1.3-8.i386.rpm 
giflib-utils.i386: W: no-documentation
giflib-utils.i386: W: obsolete-not-provided libungif-progs


> http://www.sf.net/projects/libungif/
> http://sourceforge.net/projects/libungif

Invalid Project

> http://libungif.sourceforge.net/

404

Couldn't find a new home or download location. Maybe ask
Toshio Kuratomi, the last maintainer. He's at Red Hat.

Debian includes a newer version: 4.1.4 compared with 4.1.3 in Fedora
http://packages.debian.org/unstable/graphics/libungif-bin


> Provides: libungif <= %{version}-%{release}
> Provides: libungif-devel <= %{version}-%{release}

Make it
Provides: libungif = %{version}-%{release}
Provides: libungif-devel = %{version}-%{release}


* Don't include the static library.
http://fedoraproject.org/wiki/PackagingDrafts/StaticLinkage


Requires(post): /sbin/ldconfig
Requires(postun): /sbin/ldconfig

for completeness.
Comment 2 Robert Scheck 2009-01-13 16:48:08 EST
Norm, you're the package maintainer of giflib. Can you please perform the
suggested changes by Michael and at least show up here in the bug report?
Removing you from being assigned, as this field is reserved to the reviewer
not to the package owner.
Comment 3 Robert Scheck 2009-05-09 18:23:34 EDT
Okay, I'm the new maintainer of giflib, please review 4.1.6-2 from CVS.
Comment 4 Susi Lehtola 2009-05-21 06:51:58 EDT
Michael: are you still reviewing this?
Comment 5 Michael Schwendt 2009-05-22 10:54:44 EDT
Feel free to take over. Robert has fixed all issues I mentioned in comment 1. 

Build log warns about tmpnam() usage. The implementation is not safe. It creates the temporary file in the current working directory, but that means the user must never work in a directory an attacker may be able to write in, too.
Comment 6 Susi Lehtola 2009-05-22 11:04:17 EDT
(In reply to comment #5)
> Feel free to take over. Robert has fixed all issues I mentioned in comment 1. 
> 
> Build log warns about tmpnam() usage. The implementation is not safe. It
> creates the temporary file in the current working directory, but that means the
> user must never work in a directory an attacker may be able to write in, too.  

OK, I'll do the review.
Comment 7 Susi Lehtola 2009-05-22 11:55:23 EDT
- Instead of manually removing the static .a libraries, you can probably just use the configure option --disable-static.


rpmlint output:
giflib-utils.x86_64: W: no-documentation
5 packages and 0 specfiles checked; 0 errors, 1 warnings.

- This is OK as documentation is in main package that is pulled in by -utils.


MUST: The spec file for the package is legible and macros are used consistently. OK
MUST: The package must be named according to the Package Naming Guidelines. OK
MUST: The spec file name must match the base package %{name}. OK
MUST: The package must be licensed with a Fedora approved license and meet the Licensing Guidelines. OK
MUST: The License field in the package spec file must match the actual license. OK
- License mentioned only in COPYING, source code contains no license headers.

MUST: The sources used to build the package must match the upstream source, as provided in the spec URL. OK
MUST: The package MUST successfully compile and build into binary rpms. OK
MUST: The spec file MUST handle locales properly. N/A
MUST: Optflags are used and time stamps preserved. OK
MUST: Packages containing shared library files must call ldconfig. OK
MUST: A package must own all directories that it creates or require the package that owns the directory. OK
MUST: Files only listed once in %files listings. OK
MUST: Debuginfo package is complete. OK
MUST: Permissions on files must be set properly. OK
MUST: Clean section exists. OK
MUST: Large documentation files must go in a -doc subpackage. OK

MUST: All relevant items are included in %doc. Items in %doc do not affect runtime of application. NEEDSWORK
- Add BUGS (and maybe TODO).

MUST: Header files must be in a -devel package. OK
MUST: Static libraries must be in a -static package. N/A
MUST: Packages containing pkgconfig(.pc) files must 'Requires: pkgconfig'. N/A
MUST: If a package contains library files with a suffix then library files ending in .so must go in a -devel package. OK
MUST: In the vast majority of cases, devel packages must require the base package using a fully versioned dependency. OK
MUST: Packages do not contain any .la libtool archives. OK
MUST: Desktop files are installed properly. N/A
MUST: No file conflicts with other packages and no general names. OK
MUST: Buildroot cleaned before install. OK
SHOULD: %{?dist} tag is used in release. OK
SHOULD: If the package does not include license text(s) as separate files from upstream, the packager should query upstream to include it. OK
SHOULD: The package builds in mock. OK
Comment 8 Robert Scheck 2009-05-22 12:28:17 EDT
I won't add BUGS and TODO to %doc as they IMHO don't make sense there, read
the content of these files before complaining, please.

Using --disable-static didn't bring the expected result, thus I'm deleting.
Comment 9 Susi Lehtola 2009-06-14 12:17:37 EDT
OK, this looks good then.

APPROVED
