Bug 226189 - Merge Review: neon
Merge Review: neon
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Robert Scheck
Fedora Package Reviews List
: Reopened
Depends On:
  Show dependency treegraph
Reported: 2007-01-31 15:15 EST by Nobody's working on this, feel free to take it
Modified: 2009-01-19 04:42 EST (History)
5 users (show)

See Also:
Fixed In Version: 0.25.5-6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-01-19 04:42:47 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
redhat: fedora‑review+

Attachments (Terms of Use)
neon.pc: move static-only libs to Libs.private section (363 bytes, patch)
2007-04-09 09:06 EDT, Rex Dieter
no flags Details | Diff

  None (edit)
Description Nobody's working on this, feel free to take it 2007-01-31 15:15:22 EST
Fedora Merge Review: neon

Initial Owner: jorton@redhat.com
Comment 1 Jason Tibbitts 2007-02-04 13:43:11 EST
About to get kicked out of the reviewing room, but I'll at least list out the
rpmlint issues:

W: neon-devel summary-ended-with-dot Development libraries and C header files
for the neon library.
  Should be trivial to fix.

W: neon redundant-prefix-tag
  Prefix: should just be deleted.  Relocatable packages are a lost cause anyway.

Also, current upstream neon is 0.26.3.  I think there are API changes that may
prevent this from being a simple update, so I'll let you make that decision. 
0.25.5 is the most current 0.25.5 release available.
Comment 2 Joe Orton 2007-02-05 04:01:33 EST
I've fixed the rpmlint issues in -6; thanks.
Comment 3 Jason Tibbitts 2007-02-18 01:40:06 EST
Interestingly, once the package is installed, rpmlint produces the following
additional warnings:

W: neon unused-direct-shlib-dependency /usr/lib64/libneon.so.25.0.5
W: neon unused-direct-shlib-dependency /usr/lib64/libneon.so.25.0.5
W: neon unused-direct-shlib-dependency /usr/lib64/libneon.so.25.0.5
W: neon unused-direct-shlib-dependency /usr/lib64/libneon.so.25.0.5
W: neon unused-direct-shlib-dependency /usr/lib64/libneon.so.25.0.5

I will admit to not having a clue as to what might cause this or how to get rid
of it, as I've never seen this warning from rpmlint before.

I note there are a few Conflicts with an extremely old version of subversion. 
Even the subversion in FC1 was newer than the problem version, so there's really
no reason for the Conflicts bits to be there these days.

There seems to be a test suite and according to %changelog it was run at some
point but doesn't seem to be run now.  I added a %check section and got things
to run until:

./uri-tests: error while loading shared libraries: libz.so.1: failed to map
segment from shared object: Cannot allocate memory

Not sure what's up there, so probably best not to try to run the test suite.

The -devel package includes both a static library and a .la file.  According to
the guidelines, neither of these should be there except in exceptional

* source files match upstream:
* package meets naming and versioning guidelines.
* specfile is properly named, is cleanly written and uses macros consistently.
O dist tag is not present (not required)
* build root is correct.
* license field matches the actual license.
* license is open source-compatible (LGPL)
* License text included in package.
* latest version is being packaged (latest in the 0.25 series)
* BuildRequires are proper.
* compiler flags are appropriate.
* %clean is present.
* package builds in mock (development, x86_64).
* package installs properly
* debuginfo package looks complete.
? rpmlint has complaints, but I'm not sure what they mean.
* final provides and requires are sane:
   neon = 0.25.5-6

   neon-devel = 0.25.5-6
   neon = 0.25.5-6

* %check is not present; the included test suite doesn't actually run.
* shared libraries present; ldconfig is called properly.
* owns the directories it creates.
* doesn't own any directories it shouldn't.
* no duplicates in %files.
* file permissions are appropriate.
* scriptlets are OK (ldconfig)
* code, not content.
* documentation is small, so no -docs subpackage is necessary.
* %docs are not necessary for the proper functioning of the package.
* headers are in the -devel subpackage.
* a pkgconfig file is present and in the -devel package; pkgconfig is a
X a .la file is present, as well as a static library.
Comment 4 Joe Orton 2007-02-19 07:11:15 EST
Thanks for the review.

- the test suite will run but reserves a fixed port so cannot be run reliably
during build (multiple simultaneous builds on a single host will not necessarily
work); (for x86_64 it fails in 0.25 due to a restrictive ulimit -v; 'sed -i
/ulimit/d' test/run.sh' will fix that)

- the .la file is part of the defined interface so will not be dropped.  (it's
used by third-party apps via "neon-config --la-file"

- the static archive is used by the static build of RPM (which links against
neon), so is required

- the rpmlint unused-direct-dep warnings can't be easily fixed (properly, anyway)
Comment 5 Jason Tibbitts 2007-02-20 20:43:47 EST
OK, that all seems reasonable.  The current policy is supposed to be to require
static libs to be in a -static subpackage, but for some reason that isn't
actually in the guidelines although it was ratified in November.  So I certainly
won't block on that.

It would be nice to get at least a couple of comments about why the .la and .a
files are needed, and about why the test suite can't be run, into the .spec so
that the next person who takes a look at it will at least know why they're there.

Comment 6 Jason Tibbitts 2007-02-22 13:28:07 EST
If the fixed package has been built for rawhide, you can go ahead and close this
Comment 7 Joe Orton 2007-02-23 05:28:18 EST
Done now - thanks for your time!
Comment 8 Rex Dieter 2007-04-09 09:01:32 EDT
*.pc patch forthcoming to move static lib deps to Libs.private (similar to
recent patches for apr/apr-util)
Comment 9 Rex Dieter 2007-04-09 09:06:49 EDT
Created attachment 151989 [details]
neon.pc: move static-only libs to Libs.private section
Comment 10 Rex Dieter 2007-04-13 10:00:29 EDT
Here's a few more items that should be addressed in merge review:

1. neon's static libs (and .la's) file should be packaged separately:
into a -static or -devel-static package:

This will be mildly painful, but to do this right, we'll have to sort through
the whole stack of dependent libs/packages and do those too.

2. libneon.la (currently in neon-devel) contains references to -lgssapi_krb5
-lkrb5 but it doesn't include:
the (sub) package owning libneon.la MUST include:
Requires: krb5-devel
Eventually, when/if krb5-static exists, neon-static needs
Requires: krb5-static
Comment 11 Jason Tibbitts 2007-04-13 11:21:30 EDT
Just a note that the static library guideline wasn't there when I originally
reviewed this package, so this bit about splitting them (and the .la file) out
from the main package is new.

Still, I'm not sure what the value of putting the .la file in a separate package
is if the main package will just require it in order for "neon-config --la-file"
to be meaningful.  Unless, of course, it's OK for neon-config output to point to
a nonexistant file in the case that the -static package is not installed.
Comment 12 Rex Dieter 2007-04-13 11:29:09 EDT
Re: neon-config --la-file

Prolly patch
--- neon-config.static  2006-07-12 12:13:28.000000000 -0500
+++ neon-config 2007-04-13 10:27:56.000000000 -0500
@@ -82,7 +82,9 @@

+       if test -f ${libdir}/libneon.la ; then
        echo ${libdir}/libneon.la
+       fi

Comment 13 Joe Orton 2007-04-13 11:49:25 EDT
Rex: thanks for the .pc patch, looks great (neon 0.26.x does similar already).

But breaking the --la-file output is simply not acceptable.

I'm not sure it is worth the hassle of going through creating all those -static
packages.  We could just drop the libneon.a, strip the dep_libs line from the
.la file to prevent deps leaks, break the upstream RPM build, and be done.
Comment 14 Rex Dieter 2007-04-13 12:31:34 EDT
> break the upstream RPM build, and be done.

you sure?  Having the ability to have a static rpm seems desirable (but you're
right, the extra effort may not be worth the pain).

> breaking the --la-file output is simply not acceptable.

why?  really, who uses it?  what depends on it?  couldn't/shouldn't those be fixed?
Comment 15 Rex Dieter 2007-04-27 08:50:07 EDT
Joe, could you please provide a more comprehensive justification for .la files
than the terse "not acceptable"?
Comment 16 Joe Orton 2007-04-27 08:54:08 EDT
It's part of the neon-config interface as defined upstream, and breaking
interfaces is unacceptable.
Comment 17 Rex Dieter 2007-04-27 09:10:34 EDT
If that's all you've got, then I still don't buy it (sorry).  
What I'd *really* like to see is concrete examples of breakage.
Comment 18 Joe Orton 2007-04-27 09:15:10 EDT
What do you not buy?  That it's part of the interface as defined upstream, or
that breaking interfaces is unacceptable?
Comment 19 Rex Dieter 2007-04-27 09:23:33 EDT
I buy neither (yet).

Of course omitting .la files sometimes involves a little collateral damage.  The
short-term pain/damage in *most* cases outweighes the pain/suffering caused by
.la file presence in rpm packaging (ie, why Fedora packaging policy to omit .la
files by default exists).  Now, without knowing any details of the "collateral
damage" to which you infer, it's not possible to judge whether it merits an
Comment 20 Joe Orton 2007-04-27 09:29:58 EDT
The interface in question is `neon-config --la-file`, which is documented in
"man neon-config", and also by `neon-config --help`.  Can you explain why you
don't think this is an interface defined upstream?
Comment 21 Rex Dieter 2007-04-27 09:34:38 EDT
I don't think the advantage of keeping the upstream interface outweighs the
packaging beneifits of omitting it.

Again, do you have any examples of concrete breakage in other packages/software
that depend on this interface, or not?  I'd like to explore the full
ramifications of removing it.
Comment 22 Josh Boyer 2007-04-27 09:59:10 EDT
Joe, I don't think Rex's request for examples of something that would actually
break if the .la files were removed is unreasonable.  Could you please provide a

The guidelines are there for a reason and having that extra information may make
a case either way for providing an exception or not.
Comment 23 Joe Orton 2007-04-27 10:44:02 EDT
It's not actually relevant whether or not I can give examples of apps which
break if the .la file is removed.  The point is that doing so breaks an
interface which is defined upstream (`neon-config --la-file`).  It is a golden
rule of packaging that you do not break interfaces defined upstream.

But, examples I know of: Subversion, which uses --la-file to link against neon,
and I think also the static build of RPM (at least upstream), which IIRC on
libtool resolving dependencies via the .la file -- exactly what .la files are
designed for.
Comment 24 Rex Dieter 2007-04-27 10:55:29 EDT
Let me (re)iterate that the "golden rule of packaging" is trumped if:
1.  following it violates packaging guidelines
2.  upstream interface is stooopid.

re: static linking.  This is a valid use-case for keeping .la files, but these
need to be packaged separately in a -static (sub)package.  But you had already
stated (in comment #13) "I'm not sure it is worth the hassle of going through
creating all those -static packages.  We could just drop the libneon.a ...", in
which case, this is moot.

In non-static cases, packages that depend on .la presence for building, are,
imo, broken, and can/should be fixed.  I'll take the bait and look at subversion
and see how hard it is to fix.
Comment 25 Joe Orton 2007-04-27 11:52:25 EDT
Playing the "We're smarter than upstream" game is a losing proposition in the
long term, and one I will not indulge in for any package I maintain.  Fedora
does not exist in a vacuum, it exists in main due to the work done in upstream
projects.  If you have changes which you think can improve the software you
should be getting involved in the upstream projects to get those changes
integrated.  This may help you better understand the motivation behind things
which you consider to be "stupid".
Comment 26 Rex Dieter 2007-04-27 12:50:08 EDT
When/if the .la dependence is fixed, the changes most certainly should be pushed
upstream.  Your assertion that this be a prerequisite to any modification of
fedora packaging is misplaced, imo.

And I stand by my statement, any app that needs help to build via 'neon-config
--la-file' and fails without libneon.la presence, is broken by design (hopefully
that's nicer than saying stooopid).

I'm making progress wrt subversion... looks like a one-line patch is all that is
--- subversion-1.4.3/build/ac-macros/neon.m4.la_file    2006-10-20
18:44:09.000000000 -0500
+++ subversion-1.4.3/build/ac-macros/neon.m4    2007-04-27 11:34:44.000000000 -0500
@@ -141,7 +141,7 @@
            test "$svn_allowed_neon" = "any"; then
             SVN_NEON_INCLUDES=[`$neon_config --cflags | sed -e 's/-D[^ ]*//g'`]
-            NEON_LIBS=`$neon_config --la-file`
+            NEON_LIBS=`$neon_config --libs`
             CFLAGS=["$CFLAGS `$neon_config --cflags | sed -e 's/-I[^ ]*//g'`"]

any others?

(1) Though one could *greatly* simplify it's content/logic by simply using
pkg-config constructs, esp since pkg-config is able to differentiate between
static and non-static configs (but that goes beyond the scope of this discussion)
Comment 27 Joe Orton 2008-02-07 10:46:15 EST
w.r.t. the original review: the static libneon.a has been dropped in Raw Hide,
since we haven't linked rpm linked against neon for a while.  The dep_libs are
now also stripped from the .la file to prevent dep leaks.

The goal of removing .la files is to prevent unnecessary dep leaks; that goal
has now been achieved, without removing the .la file and breaking the
neon-config interface.
Comment 28 Rex Dieter 2008-02-07 10:58:51 EST
I'll have to remove myself, at least for now (-ENOTIME), to open the door for
someone else to help here.

Joe, thanks for your efforts re: .la files, that's likely a reasonable compromise.
Comment 29 Robert Scheck 2009-01-13 17:03:36 EST
neon.i386: W: file-not-utf8 /usr/share/doc/neon-0.28.3/THANKS
neon.i386: W: no-version-in-last-changelog
Comment 30 Joe Orton 2009-01-14 10:18:15 EST
I've fixed the former upstream; not sure what is causing the latter, the last changelog entry looks fine to me

* Thu Aug 28 2008 Joe Orton <jorton@redhat.com> 0.28.3-2
- update to 0.28.3
Comment 31 Robert Scheck 2009-01-14 10:36:52 EST
Okay, then feel free to ignore it. If find time, I'll go for a full review in
the next time; if there are takers before, feel free as well.
Comment 32 Robert Scheck 2009-01-14 18:00:55 EST
[ DONE ] MUST: rpmlint must be run on every package. The output should be 
         posted in the review
         $ rpmlint /var/lib/mock/fedora-10-x86_64/result/neon-*
         neon.x86_64: W: file-not-utf8 /usr/share/doc/neon-0.28.3/THANKS
         4 packages and 0 specfiles checked; 0 errors, 1 warnings.
         -> Solved upstream as per comment #30 and will pop into Fedora with 
            the next release at latest, that's okay for me and has to be okay
            for Fedora as well therefore ;-)
[  OK  ] MUST: The package must be named according to the Package Naming 
[  OK  ] MUST: The spec file name must match the base package %{name}, in the 
         format %{name}.spec unless your package has an exemption 
[  OK  ] MUST: The package must meet the Packaging Guidelines
[  OK  ] MUST: The package must be licensed with a Fedora approved license and 
         meet the Licensing Guidelines
[  OK  ] MUST: The License field in the package spec file must match the 
         actual license.
[  OK  ] MUST: If (and only if) the source package includes the text of the 
         license(s) in its own file, then that file, containing the text of 
         the license(s) for the package must be included in %doc
[  OK  ] MUST: The spec file must be written in American English
[  OK  ] MUST: The spec file for the package MUST be legible.
[  OK  ] MUST: The sources used to build the package must match the upstream 
         source, as provided in the spec URL. Reviewers should use md5sum for 
         this task. If no upstream URL can be specified for this package, 
         please see the Source URL Guidelines for how to deal with this.
         -> 47599a328862ce64ac3c52726d6daa12  neon-0.28.3.tar.gz
         -> 47599a328862ce64ac3c52726d6daa12  neon-0.28.3.tar.gz.1
         -> 544a92dbfba144ec600506cadbda92ae0b0eb9b0  neon-0.28.3.tar.gz
         -> 544a92dbfba144ec600506cadbda92ae0b0eb9b0  neon-0.28.3.tar.gz.1
[  OK  ] MUST: The package MUST successfully compile and build into binary 
         rpms on at least one primary architecture.
[  N/A ] MUST: If the package does not successfully compile, build or work on 
         an architecture, then those architectures should be listed in the 
         spec in ExcludeArch. Each architecture listed in ExcludeArch MUST 
         have a bug filed in bugzilla, describing the reason that the package 
         does not compile/build/work on that architecture. The bug number MUST 
         be placed in a comment, next to the corresponding ExcludeArch line. 
[  OK  ] MUST: All build dependencies must be listed in BuildRequires, except 
         for any that are listed in the exceptions section of the Packaging 
         Guidelines ; inclusion of those as BuildRequires is optional. Apply 
         common sense.
[  N/A ] MUST: The spec file MUST handle locales properly. This is done by 
         using the %find_lang macro. Using %{_datadir}/locale/* is strictly 
[  OK  ] MUST: Every binary RPM package (or subpackage) which stores shared 
         library files (not just symlinks) in any of the dynamic linker's 
         default paths, must call ldconfig in %post and %postun.
[  N/A ] MUST: If the package is designed to be relocatable, the packager must 
         state this fact in the request for review, along with the 
         rationalization for relocation of that specific package. Without 
         this, use of Prefix: /usr is considered a blocker.
[  OK  ] MUST: A package must own all directories that it creates. If it does 
         not create a directory that it uses, then it should require a package 
         which does create that directory.
[  OK  ] MUST: A package must not contain any duplicate files in the %files 
[  OK  ] MUST: Permissions on files must be set properly. Executables should 
         be set with executable permissions, for example. Every %files section 
         must include a %defattr(...) line.
[  OK  ] MUST: Each package must have a %clean section, which contains rm -rf
         %{buildroot} (or $RPM_BUILD_ROOT).
[  OK  ] MUST: Each package must consistently use macros.
[  OK  ] MUST: The package must contain code, or permissable content.
[  N/A ] MUST: Large documentation files must go in a -doc subpackage. (The 
         definition of large is left up to the packager's best judgement, but 
         is not restricted to size. Large can refer to either size or 
[  OK  ] MUST: If a package includes something as %doc, it must not affect the 
         runtime of the application. To summarize: If it is in %doc, the 
         program must run properly if it is not present
[  OK  ] MUST: Header files must be in a -devel package
[  N/A ] MUST: Static libraries must be in a -static package
[  OK  ] MUST: Packages containing pkgconfig(.pc) files must 'Requires: 
         pkgconfig' (for directory ownership and usability).
[  OK  ] MUST: If a package contains library files with a suffix (e.g. 
         libfoo.so.1.1), then library files that end in .so (without suffix) 
         must go in a -devel package.
[  OK  ] MUST: In the vast majority of cases, devel packages must require the 
         base package using a fully versioned dependency: Requires: %{name} =
[  OK  ] MUST: Packages must NOT contain any .la libtool archives, these must 
         be removed in the spec if they are built
         -> Special case, already discussed above and thereby accepted.
[  N/A ] MUST: Packages containing GUI applications must include a 
         %{name}.desktop file, and that file must be properly installed with 
         desktop-file-install in the %install section. If you feel that your 
         packaged GUI application does not need a .desktop file, you must put 
         a comment in the spec file with your explanation.
[  OK  ] MUST: Packages must not own files or directories already owned by 
         other packages. The rule of thumb here is that the first package to 
         be installed should own the files or directories that other packages 
         may rely upon. This means, for example, that no package in Fedora 
         should ever share ownership with any of the files or directories 
         owned by the filesystem or man package. If you feel that you have a 
         good reason to own a file or directory that another package owns, 
         then please present that at package review time.
[  OK  ] MUST: At the beginning of %install, each package MUST run rm -rf 
         %{buildroot} (or $RPM_BUILD_ROOT)
[  OK  ] MUST: All filenames in rpm packages must be valid UTF-8

- Consider using the following to preserve timestamps of non-created files:
  make install DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p"

From my view as a packager, this package seems personally good to me as well,

Joe, apply or refuse my suggestion and close the bug report afterwards with
the hint which option you've chosen (it's a SHOULD, not more).
Comment 33 Robert Scheck 2009-01-14 18:03:10 EST
Oh, you may want to consider disttag, but it's only a SHOULD. As you've e.g. 
refused it for httpd, I'm assuming same here - but just to mention it.
Comment 34 Jason Tibbitts 2009-01-14 18:15:16 EST
This is very weird; I thought I reviewed this package something like two years ago, and indeed it seems that I did.
Comment 35 Joe Orton 2009-01-19 04:40:03 EST
Yes, this was fedora-review+'ed by you but Rex cleared it and reopened the bug in comment 10 (see the history link).
Comment 36 Joe Orton 2009-01-19 04:42:47 EST
Yeah, I don't see a need for disttag in the devel branch, and it screws up in some cases when it's there.  I've committed and the "install -p" fix - thanks a lot Robert for the re-review! :)

Closing out for good, hopefully...

1065558 build (dist-f11, /cvs/pkgs:rpms/neon/devel:neon-0_28_3-3) completed successfully

Note You need to log in before you can comment on or make changes to this bug.