Bug 225796 - Merge Review: giflib
Summary: Merge Review: giflib
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Susi Lehtola
QA Contact: Fedora Package Reviews List
URL:
Whiteboard:
Depends On: 447832
Blocks:
Reported: 2007-01-31 18:43 UTC by Nobody's working on this, feel free to take it
Modified: 2009-06-14 16:17 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-06-14 16:17:37 UTC
Type: ---
Embargoed:
susi.lehtola: fedora-review+



Description Nobody's working on this, feel free to take it 2007-01-31 18:43:50 UTC
Fedora Merge Review: giflib

http://cvs.fedora.redhat.com/viewcvs/devel/giflib/
Initial Owner: nmurray

Comment 1 Michael Schwendt 2007-12-07 18:57:19 UTC
$ rpmlint giflib-utils-4.1.3-8.i386.rpm 
giflib-utils.i386: W: no-documentation
giflib-utils.i386: W: obsolete-not-provided libungif-progs


> http://www.sf.net/projects/libungif/
> http://sourceforge.net/projects/libungif

Invalid Project

> http://libungif.sourceforge.net/

404

Couldn't find a new home or download location. Maybe ask
Toshio Kuratomi, the last maintainer. He's at Red Hat.

Debian includes a newer version: 4.1.4 compared with 4.1.3 in Fedora
http://packages.debian.org/unstable/graphics/libungif-bin


> Provides: libungif <= %{version}-%{release}
> Provides: libungif-devel <= %{version}-%{release}

Make it
Provides: libungif = %{version}-%{release}
Provides: libungif-devel = %{version}-%{release}


* Don't include the static library.
http://fedoraproject.org/wiki/PackagingDrafts/StaticLinkage


Requires(post): /sbin/ldconfig
Requires(postun): /sbin/ldconfig

for completeness.


Comment 2 Robert Scheck 2009-01-13 21:48:08 UTC
Norm, you're the package maintainer of giflib. Can you please perform the
suggested changes by Michael and at least show up here in the bug report?
Removing you from being assigned, as this field is reserved to the reviewer
not to the package owner.

Comment 3 Robert Scheck 2009-05-09 22:23:34 UTC
Okay, I'm the new maintainer of giflib, please review 4.1.6-2 from CVS.

Comment 4 Susi Lehtola 2009-05-21 10:51:58 UTC
Michael: are you still reviewing this?

Comment 5 Michael Schwendt 2009-05-22 14:54:44 UTC
Feel free to take over. Robert has fixed all issues I mentioned in comment 1. 

Build log warns about tmpnam() usage. The implementation is not safe. It creates the temporary file in the current working directory, but that means the user must never work in a directory an attacker may be able to write in, too.

Comment 6 Susi Lehtola 2009-05-22 15:04:17 UTC
(In reply to comment #5)
> Feel free to take over. Robert has fixed all issues I mentioned in comment 1. 
> 
> Build log warns about tmpnam() usage. The implementation is not safe. It
> creates the temporary file in the current working directory, but that means the
> user must never work in a directory an attacker may be able to write in, too.  

OK, I'll do the review.

Comment 7 Susi Lehtola 2009-05-22 15:55:23 UTC
- Instead of manually removing the static .a libraries, you can probably just use the configure option --disable-static.


rpmlint output:
giflib-utils.x86_64: W: no-documentation
5 packages and 0 specfiles checked; 0 errors, 1 warnings.

- This is OK as documentation is in main package that is pulled in by -utils.


MUST: The spec file for the package is legible and macros are used consistently. OK
MUST: The package must be named according to the Package Naming Guidelines. OK
MUST: The spec file name must match the base package %{name}. OK
MUST: The package must be licensed with a Fedora approved license and meet the Licensing Guidelines. OK
MUST: The License field in the package spec file must match the actual license. OK
- License mentioned only in COPYING, source code contains no license headers.

MUST: The sources used to build the package must match the upstream source, as provided in the spec URL. OK
MUST: The package MUST successfully compile and build into binary rpms. OK
MUST: The spec file MUST handle locales properly. N/A
MUST: Optflags are used and time stamps preserved. OK
MUST: Packages containing shared library files must call ldconfig. OK
MUST: A package must own all directories that it creates or require the package that owns the directory. OK
MUST: Files only listed once in %files listings. OK
MUST: Debuginfo package is complete. OK
MUST: Permissions on files must be set properly. OK
MUST: Clean section exists. OK
MUST: Large documentation files must go in a -doc subpackage. OK

MUST: All relevant items are included in %doc. Items in %doc do not affect runtime of application. NEEDSWORK
- Add BUGS (and maybe TODO).

MUST: Header files must be in a -devel package. OK
MUST: Static libraries must be in a -static package. N/A
MUST: Packages containing pkgconfig(.pc) files must 'Requires: pkgconfig'. N/A
MUST: If a package contains library files with a suffix then library files ending in .so must go in a -devel package. OK
MUST: In the vast majority of cases, devel packages must require the base package using a fully versioned dependency. OK
MUST: Packages do not contain any .la libtool archives. OK
MUST: Desktop files are installed properly. N/A
MUST: No file conflicts with other packages and no general names. OK
MUST: Buildroot cleaned before install. OK
SHOULD: %{?dist} tag is used in release. OK
SHOULD: If the package does not include license text(s) as separate files from upstream, the packager should query upstream to include it. OK
SHOULD: The package builds in mock. OK

Comment 8 Robert Scheck 2009-05-22 16:28:17 UTC
I won't add BUGS and TODO to %doc as they IMHO don't make sense there, read
the content of these files before complaining, please.

Using --disable-static didn't bring the expected result, thus I'm deleting.

Comment 9 Susi Lehtola 2009-06-14 16:17:37 UTC
OK, this looks good then.

APPROVED

