Spec URL: https://skim.cz/tmp/perl-Alt-Digest-MD5-OpenSSL/perl-Alt-Digest-MD5-OpenSSL.spec
SRPM URL: https://skim.cz/tmp/perl-Alt-Digest-MD5-OpenSSL/perl-Alt-Digest-MD5-OpenSSL-0.04-1.fc39.src.rpm
Description: This is a modification of the Digest::MD5 module to remove bundled C code for MD5 algorithm.
Fedora Account System Username: mspacek
URL and Source0 addresses are Ok.
Source0 archive (SHA-512: 91e3798d01e20d4e455b33a822107ee9709eba326fef3d9ffe0cdc8d21f12a5e6840a41196027b653851bfebacbbcfd4e683c196f5f8bf9bcc21bc227f5fd6fa) is original. Ok.
Summary verified from lib/Alt/Digest/MD5/OpenSSL.pm. Ok.
Description verified from lib/Alt/Digest/MD5/OpenSSL.pm. Ok.
Found licenses:
    lib/Digest/MD5.pm: (GPL-1.0-or-later OR Artistic-1.0-Perl) AND RSA-MD
    MD5.xs: (GPL-1.0-or-later OR Artistic-1.0-Perl) AND RSA-MD
    README: GPL-1.0-or-later OR Artistic-1.0-Perl
    rfc1321.txt: RSA-MD AND "mddriver.c proprietary license"
FIX: rfc1321:868: mddriver.c license is missing the grant paragraph of RSA-MD license. I hope this is just an author's mistake. But as it is spelled now it makes it nonfree. Strip it from the source archive.
FIX: RSA-MD is not an approved Fedora license. Either remove the affected files from the source archive, or work with Fedora legal to approve the license <https://docs.fedoraproject.org/en-US/legal/license-review-process/>.
TODO: Report to an upstream that "This implementation is derived from the reference C code in RFC 1321" documentation in lib/Digest/MD5.pm is not true. It uses OpenSSL which is not based on the RFC 1321 implementation.
I will continue with this review once the licensing issues are cleared.
Regarding `RSA-MD`, see: https://docs.fedoraproject.org/en-US/legal/misc/#_licensing_of_rsa_implementations_of_md5
Thanks for the pointer. I remember Fedora discussed it but I did not know there was a conclusion. Though hiding the new license (external 2000 RSA statement) from users seems to me odd, I will respect it.
Found licenses:
    lib/Digest/MD5.pm: GPL-1.0-or-later OR Artistic-1.0-Perl
    MD5.xs: GPL-1.0-or-later OR Artistic-1.0-Perl
    README: GPL-1.0-or-later OR Artistic-1.0-Perl
All occurrences of RSA-MD (e.g. rfc1321.txt) are correctly ignored per <https://docs.fedoraproject.org/en-US/legal/misc/#_licensing_of_rsa_implementations_of_md5>.
License tag is Ok.
TODO: Constrain `perl(ExtUtils::MakeMaker)' with `>= 6.76' (Makefile.PL:12).
TODO: Build-require `perl(:VERSION) >= 5.8.5' (Makefile.PL:1).
FIX: Build-require `perl(strict)' (Makefile.PL:2).
FIX: Build-require `perl(warnings)' (Makefile.PL:3).
FIX: Build-require `perl(Exporter)' (lib/Digest/MD5.pm:6).
FIX: Build-require `perl(vars)' (t/original/badfile.t:10).
TODO: Use more specific paths instead of %{perl_vendorarch}/auto/* and %{_mandir}/man3/* globs in %files <https://docs.fedoraproject.org/en-US/packaging-guidelines/#_explicit_lists>.
TODO: Report to an upstream that the code uses OpenSSL deprecated functions. An example:
    MD5.xs:178:9: warning: ‘MD5_Init’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
      178 |         MD5_Init(context);
          |         ^~~~~~~~
All tests pass. Ok.
$ rpmlint perl-Alt-Digest-MD5-OpenSSL.spec ../SRPMS/perl-Alt-Digest-MD5-OpenSSL-0.04-1.fc41.src.rpm ../RPMS/x86_64/perl-Alt-Digest-MD5-OpenSSL-*
    ======================================== rpmlint session starts =======================================
    rpmlint: 2.5.0
    configuration:
        /usr/lib/python3.12/site-packages/rpmlint/configdefaults.toml
        /etc/xdg/rpmlint/fedora-legacy-licenses.toml
        /etc/xdg/rpmlint/fedora-spdx-licenses.toml
        /etc/xdg/rpmlint/fedora.toml
        /etc/xdg/rpmlint/scoring.toml
        /etc/xdg/rpmlint/users-groups.toml
        /etc/xdg/rpmlint/warn-on-functions.toml
    checks: 32, packages: 5
    == 4 packages and 1 specfiles checked; 0 errors, 0 warnings, 13 filtered, 0 badness; has taken 0.5 s ==
rpmlint is Ok.
$ rpm -q -lv -p ../RPMS/x86_64/perl-Alt-Digest-MD5-OpenSSL-0.04-1.fc41.x86_64.rpm
    drwxr-xr-x 2 root root 0 Feb 14 01:00 /usr/lib/.build-id
    drwxr-xr-x 2 root root 0 Feb 14 01:00 /usr/lib/.build-id/ff
    lrwxrwxrwx 1 root root 62 Feb 14 01:00 /usr/lib/.build-id/ff/e838740808afd519d212293292b300dd6be7df -> ../../../../usr/lib64/perl5/vendor_perl/auto/Digest/MD5/MD5.so
    drwxr-xr-x 2 root root 0 Feb 14 01:00 /usr/lib64/perl5/vendor_perl/Alt
    drwxr-xr-x 2 root root 0 Feb 14 01:00 /usr/lib64/perl5/vendor_perl/Alt/Digest
    drwxr-xr-x 2 root root 0 Feb 14 01:00 /usr/lib64/perl5/vendor_perl/Alt/Digest/MD5
    -rw-r--r-- 1 root root 667 Feb 8 11:19 /usr/lib64/perl5/vendor_perl/Alt/Digest/MD5/OpenSSL.pm
    -rw-r--r-- 1 root root 10711 Feb 8 11:24 /usr/lib64/perl5/vendor_perl/Digest/MD5.pm
    drwxr-xr-x 2 root root 0 Feb 14 01:00 /usr/lib64/perl5/vendor_perl/auto/Digest
    drwxr-xr-x 2 root root 0 Feb 14 01:00 /usr/lib64/perl5/vendor_perl/auto/Digest/MD5
    -rwxr-xr-x 1 root root 19624 Feb 14 01:00 /usr/lib64/perl5/vendor_perl/auto/Digest/MD5/MD5.so
    drwxr-xr-x 2 root root 0 Feb 14 01:00 /usr/share/doc/perl-Alt-Digest-MD5-OpenSSL
    -rw-r--r-- 1 root root 439 Feb 8 14:53 /usr/share/doc/perl-Alt-Digest-MD5-OpenSSL/Changes
    -rw-r--r-- 1 root root 557 Jan 29 23:57 /usr/share/doc/perl-Alt-Digest-MD5-OpenSSL/README
    -rw-r--r-- 1 root root 1103 Feb 14 01:00 /usr/share/man/man3/Alt::Digest::MD5::OpenSSL.3pm.gz
    -rw-r--r-- 1 root root 4943 Feb 14 01:00 /usr/share/man/man3/Digest::MD5.3pm.gz
File layout and permissions are Ok.
$ rpm -q --requires -p ../RPMS/x86_64/perl-Alt-Digest-MD5-OpenSSL-0.04-1.fc41.x86_64.rpm | sort -f | uniq -c
    1 ld-linux-x86-64.so.2()(64bit)
    1 ld-linux-x86-64.so.2(GLIBC_2.3)(64bit)
    1 libc.so.6()(64bit)
    1 libc.so.6(GLIBC_2.2.5)(64bit)
    1 libc.so.6(GLIBC_2.4)(64bit)
    1 libc.so.6(GLIBC_ABI_DT_RELR)(64bit)
    1 libcrypto.so.3()(64bit)
    1 libcrypto.so.3(OPENSSL_3.0.0)(64bit)
    1 libperl.so.5.38()(64bit)
    1 perl(:MODULE_COMPAT_5.38.2)
    1 perl(Digest::base) >= 1.00
    1 perl(Exporter)
    1 perl(strict)
    1 perl(warnings)
    2 perl(XSLoader)
    1 perl-libs
    1 rpmlib(CompressedFileNames) <= 3.0.4-1
    1 rpmlib(FileDigests) <= 4.6.0-1
    1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1
    1 rpmlib(PayloadIsZstd) <= 5.4.18-1
    1 rtld(GNU_HASH)
TODO: Do not run-require `perl(XSLoader)` explicitly. It's automatically recognized.
$ rpm -q --provides -p ../RPMS/x86_64/perl-Alt-Digest-MD5-OpenSSL-0.04-1.fc41.x86_64.rpm | sort -f | uniq -c
    1 perl(Alt::Digest::MD5::OpenSSL) = 0.04
    1 perl(Digest::MD5) = 0.04
    1 perl-Alt-Digest-MD5-OpenSSL = 0.04-1.fc41
    1 perl-Alt-Digest-MD5-OpenSSL(x86-64) = 0.04-1.fc41
TODO: If this package is supposed to replace perl-Digest-MD5, you should consider providing `perl-Digest-MD5'. Otherwise, it's impossible to install both `perl' and `perl-Alt-Digest-MD5-OpenSSL' because perl requires perl-Digest-MD5.
TODO: If this package is supposed to replace 'perl(Digest::MD5)', you should increase Digest::MD5 version to be on par with perl(Digest::MD5) provided by perl-Digest-MD5. Now it's impossible to install `perl-Digest-HMAC` with `perl-Alt-Digest-MD5-OpenSSL' because perl-Digest-HMAC requires `perl(Digest::MD5) >= 2'.
$ rpm -q --conflicts -p ../RPMS/x86_64/perl-Alt-Digest-MD5-OpenSSL-0.04-1.fc41.x86_64.rpm | sort -f | uniq -c
    1 perl(Digest::MD5)
Binary conflicts are Ok.
$ resolvedeps rawhide ../RPMS/x86_64/perl-Alt-Digest-MD5-OpenSSL-0.04-1.fc41.x86_64.rpm
Binary dependencies are resolvable. Ok.
The package builds in Fedora 41 (https://koji.fedoraproject.org/koji/taskinfo?taskID=113593347). Ok.
Otherwise, this package is in line with Fedora and Perl packaging guidelines. Please fix the FIX items, consider fixing TODO items, and provide a new spec file.
(In reply to Petr Pisar from comment #3)
> Thanks for the pointer. I remember Fedora discussed it but I did not know
> there was a conclusion. Though hiding the new license (external 2000 RSA
> statement) from users seems to me odd, I will respect it.
I admit there is something unsatisfactory about this - I believe there was a recent gitlab (fedora-license-data, or maybe fedora-legal-docs) issue where I commented on that. But the basic idea here is we are continuing a very old Fedora tradition of pretending the RSA-MD license doesn't really exist.