Fedora Merge Review: giflib
http://cvs.fedora.redhat.com/viewcvs/devel/giflib/
Initial Owner: nmurray
$ rpmlint giflib-utils-4.1.3-8.i386.rpm
giflib-utils.i386: W: no-documentation
giflib-utils.i386: W: obsolete-not-provided libungif-progs

> http://www.sf.net/projects/libungif/
> http://sourceforge.net/projects/libungif

Invalid Project

> http://libungif.sourceforge.net/

404

Couldn't find a new home or download location. Maybe ask Toshio Kuratomi, the last maintainer. He's at Red Hat.

Debian includes a newer version: 4.1.4 compared with 4.1.3 in Fedora
http://packages.debian.org/unstable/graphics/libungif-bin

> Provides: libungif <= %{version}-%{release}
> Provides: libungif-devel <= %{version}-%{release}

Make it

Provides: libungif = %{version}-%{release}
Provides: libungif-devel = %{version}-%{release}

* Don't include the static library.
http://fedoraproject.org/wiki/PackagingDrafts/StaticLinkage

Requires(post): /sbin/ldconfig
Requires(postun): /sbin/ldconfig

for completeness.
Norm, you're the package maintainer of giflib. Can you please perform the suggested changes by Michael and at least show up here in the bug report? Removing you from being assigned, as this field is reserved to the reviewer not to the package owner.
Okay, I'm the new maintainer of giflib, please review 4.1.6-2 from CVS.
Michael: are you still reviewing this?
Feel free to take over. Robert has fixed all issues I mentioned in comment 1. Build log warns about tmpnam() usage. The implementation is not safe. It creates the temporary file in the current working directory, but that means the user must never work in a directory an attacker may be able to write in, too.
(In reply to comment #5)
> Feel free to take over. Robert has fixed all issues I mentioned in comment 1.
>
> Build log warns about tmpnam() usage. The implementation is not safe. It
> creates the temporary file in the current working directory, but that means the
> user must never work in a directory an attacker may be able to write in, too.

OK, I'll do the review.
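The tmpnam() concern raised in comment 5, shown as a runnable demonstration. This is an added example written for this page, not giflib's code: the unsafe writer uses a hypothetical predictable name (giftmp.PID) in the current working directory and opens it with fopen("w"), which follows a symlink an attacker planted there in advance; the hardened writer uses mkstemp() in TMPDIR (or /tmp), whose O_CREAT|O_EXCL open refuses to follow anything pre-existing at the chosen path. run_demo() stages the attack in a scratch directory and returns a bitmask: bit 0 set if the unsafe writer clobbered the victim file, bit 1 set if the safe writer produced a regular 0600 file outside the CWD. Function names and the victim/symlink setup are constructed for the example.

```c
/* Predictable temp file in the CWD (the tmpnam()-style bug) vs. mkstemp().
 * Example code written for this review thread; not giflib's implementation. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe: the name is guessable and the file is created in the CWD with
 * fopen("w"), which follows a pre-planted symlink and truncates its target.
 * Hypothetical naming scheme chosen for the demo. Returns 0 on success. */
int write_temp_unsafe(const char *data, char *name_out, size_t name_len)
{
    snprintf(name_out, name_len, "./giftmp.%ld", (long)getpid());
    FILE *fp = fopen(name_out, "w");          /* follows symlinks */
    if (fp == NULL) return -1;
    fputs(data, fp);
    fclose(fp);
    return 0;
}

/* Hardened: mkstemp() picks an unpredictable suffix and opens with
 * O_CREAT|O_EXCL and mode 0600, so a symlink or file already sitting at the
 * chosen path makes the call fail rather than being followed. The directory
 * comes from TMPDIR (fallback /tmp), never the CWD. Returns the open fd. */
int write_temp_safe(const char *data, char *name_out, size_t name_len)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0') dir = "/tmp";
    if (snprintf(name_out, name_len, "%s/giftmp.XXXXXX", dir) >= (int)name_len)
        return -1;
    int fd = mkstemp(name_out);
    if (fd < 0) return -1;
    size_t len = strlen(data);
    if (write(fd, data, len) != (ssize_t)len) {
        close(fd);
        unlink(name_out);
        return -1;
    }
    return fd;
}

/* Reads a small text file into buf; returns bytes read or -1. */
ssize_t read_small(const char *path, char *buf, size_t len)
{
    FILE *fp = fopen(path, "r");
    if (fp == NULL) return -1;
    size_t n = fread(buf, 1, len - 1, fp);
    buf[n] = '\0';
    fclose(fp);
    return (ssize_t)n;
}

/* Stages the attack in a private scratch directory (constructed setup):
 * a victim file exists, the attacker predicts the unsafe name and plants a
 * symlink there. Bit 0: unsafe writer overwrote the victim through the link.
 * Bit 1: safe writer produced a regular 0600 file outside the CWD.
 * Returns -1 if the scratch setup itself fails. */
int run_demo(void)
{
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0') base = "/tmp";
    char scratch[PATH_MAX];
    snprintf(scratch, sizeof scratch, "%s/gifdemo.XXXXXX", base);
    if (mkdtemp(scratch) == NULL || chdir(scratch) != 0) return -1;

    FILE *v = fopen("victim.txt", "w");       /* file the attacker targets */
    if (v == NULL) return -1;
    fputs("secret\n", v);
    fclose(v);

    char predicted[64];                       /* attacker's guess of the name */
    snprintf(predicted, sizeof predicted, "./giftmp.%ld", (long)getpid());
    if (symlink("victim.txt", predicted) != 0) return -1;

    int result = 0;
    char name[PATH_MAX], buf[64];
    if (write_temp_unsafe("owned\n", name, sizeof name) == 0 &&
        read_small("victim.txt", buf, sizeof buf) > 0 &&
        strcmp(buf, "owned\n") == 0)
        result |= 1;                          /* victim clobbered via symlink */

    int fd = write_temp_safe("payload\n", name, sizeof name);
    if (fd >= 0) {
        struct stat st;
        if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
            (st.st_mode & 0777) == 0600 && st.st_nlink == 1 &&
            strncmp(name, "./", 2) != 0)
            result |= 2;                      /* private file, not in the CWD */
        close(fd);
        unlink(name);
    }
    unlink(predicted);
    unlink("victim.txt");
    if (chdir("/") == 0) rmdir(scratch);
    return result;
}

int main(void)
{
    printf("demo result bitmask: %d (expect 3)\n", run_demo());
    return 0;
}
```

The same symlink trick works against any writer that builds a name the attacker can guess and then opens it without O_EXCL, whether the name came from tmpnam(), mktemp() or a pid-based scheme; the fix is the combination of an unguessable name, O_CREAT|O_EXCL, a restrictive mode and a directory the user chose rather than whatever the CWD happens to be.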
- Instead of manually removing the static .a libraries, you can probably just use the configure option --disable-static.

rpmlint output:
giflib-utils.x86_64: W: no-documentation
5 packages and 0 specfiles checked; 0 errors, 1 warnings.
- This is OK as documentation is in main package that is pulled in by -utils.

MUST: The spec file for the package is legible and macros are used consistently. OK
MUST: The package must be named according to the Package Naming Guidelines. OK
MUST: The spec file name must match the base package %{name}. OK
MUST: The package must be licensed with a Fedora approved license and meet the Licensing Guidelines. OK
MUST: The License field in the package spec file must match the actual license. OK
- License mentioned only in COPYING, source code contains no license headers.
MUST: The sources used to build the package must match the upstream source, as provided in the spec URL. OK
MUST: The package MUST successfully compile and build into binary rpms. OK
MUST: The spec file MUST handle locales properly. N/A
MUST: Optflags are used and time stamps preserved. OK
MUST: Packages containing shared library files must call ldconfig. OK
MUST: A package must own all directories that it creates or require the package that owns the directory. OK
MUST: Files only listed once in %files listings. OK
MUST: Debuginfo package is complete. OK
MUST: Permissions on files must be set properly. OK
MUST: Clean section exists. OK
MUST: Large documentation files must go in a -doc subpackage. OK
MUST: All relevant items are included in %doc. Items in %doc do not affect runtime of application. NEEDSWORK
- Add BUGS (and maybe TODO).
MUST: Header files must be in a -devel package. OK
MUST: Static libraries must be in a -static package. N/A
MUST: Packages containing pkgconfig(.pc) files must 'Requires: pkgconfig'. N/A
MUST: If a package contains library files with a suffix then library files ending in .so must go in a -devel package. OK
MUST: In the vast majority of cases, devel packages must require the base package using a fully versioned dependency. OK
MUST: Packages do not contain any .la libtool archives. OK
MUST: Desktop files are installed properly. N/A
MUST: No file conflicts with other packages and no general names. OK
MUST: Buildroot cleaned before install. OK
SHOULD: %{?dist} tag is used in release. OK
SHOULD: If the package does not include license text(s) as separate files from upstream, the packager should query upstream to include it. OK
SHOULD: The package builds in mock. OK
I won't add BUGS and TODO to %doc as they IMHO don't make sense there; read the content of these files before complaining, please. Using --disable-static didn't bring the expected result, thus I'm deleting them.
OK, this looks good then. APPROVED