Spec URL: https://github.com/LecrisUT/atuin-rpmspec/raw/f63a0e4ad8e84cf1fd4533abacecf3fa353c4936/rust-tiny-bip39/rust-tiny-bip39.spec
SRPM URL: https://download.copr.fedorainfracloud.org/results/packit/SriRamanujam-atuin-rpmspec-7/fedora-rawhide-x86_64/07725264-rust-tiny-bip39/rust-tiny-bip39-1.0.0-1.fc41.src.rpm
Description: Dependency for `atuin`
Fedora Account System Username: lecris
rust2rpm.toml: default
Copr build: https://copr.fedorainfracloud.org/coprs/build/7726795 (succeeded)
Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2297307-rust-tiny-bip39/fedora-rawhide-x86_64/07726795-rust-tiny-bip39/fedora-review/review.txt
Please take a look if any issues were found.
---
This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service
If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.
Three things that will need to be addressed in some way:
1. This crate contains test data from https://github.com/trezor/python-mnemonic which is MIT licensed. Since it's only in test code I don't think it should affect the license of the package, but it might be a good idea to %exclude tests/standard-vectors.rs from the -devel file so no MIT-only licensed content is included in the package.
2. What I am not sure about is the contents of src/langs/*.txt. I don't really understand what this crate does or is (see 3.), but are the lists of words somehow meaningful, relevant or copyrightable? Or are they just "list of words in different languages that make good mnemonics"?
3. The summary of the crate is quite meaningless. The generated one ("Fork of the bip39 crate with fixes to v0.6") is even worse than the original one ("Rust implementation of BIP-0039"), but neither of them means anything if you don't know what BIP-0039 is. Maybe this can be improved somehow? The Python package from where the test vectors are taken uses "Mnemonic code for generating deterministic keys, BIP39" as description, that seems to be better IMO.
> 2. What I am not sure about is the contents of src/langs/*.txt.
I tried to do some digging, and it seems that some other "bip" have a license, but there is no license described for bip39, probably because it is still a proposal. From what I saw, the licensing details are described here [1]. They don't have issues or good PR discussions to ask for clarification. From the usage, it seems to be a well defined list to map byte sequence to mnemonic words, so it should be copyrightable. I tried to look at the discussion on python-mnemonic, but the licensing issue of bip-0039 was never raised. The only other place to raise the issue would be in bitcoindev, and I cannot contact them without spoofing my gmail account and opening myself to a barrage of uncontrolled spams. Any suggestions on what to do on that front?
> 1. This crate contains test data from https://github.com/trezor/python-mnemonic which is MIT licensed.
Roger, I don't see a mechanism in `rust2rpm.toml` so I guess I would do it manually. This package has barely any activity so probably would not need to worry that much (hopefully they will converge and figure themselves out [2] before we have a similar situation to the unicode packages)
> 3. The summary of the crate is quite meaningless
Well there are a bunch of crates that implement BIP-0039, would it be ok if the `Summary` clashes between them? I am considering the `Summary` to be just "Rust implementation of BIP-0039", and append the bip abstract to it:
```
A fork of the bip39 crate with fixes to v0.6. Rust implementation of BIP-0039. This BIP describes the implementation of a mnemonic code or mnemonic sentence -- a group of easy to remember words -- for the generation of deterministic wallets. It consists of two parts: generating the mnemonic, and converting it into a binary seed. This seed can be later used to generate deterministic wallets using BIP-0032 or similar methods.
```
wdyt? Probably getting rid of the last sentence of the abstract.
[1]: https://github.com/bitcoin/bips/blob/master/bip-0002.mediawiki#bip-licensing
[2]: https://crates.io/keywords/mnemonic
> Any suggestions on what to do on that front?
Send a message to the legal@ mailing list. I am really unsure how this should be handled.
> Roger, I don't see a mechanism in `rust2rpm.toml` so I guess I would do it manually.
Correct (for now).
> I am considering the `Summary` to be just "Rust implementation of BIP-0039"
Summary: Rust implementation of BIP-0039 would be kind-of-good, but it is still meaningless if you don't know what a "BIP" (let alone "BIP-0039") is. But maybe that's OK.
> wdyt? Probably getting rid of the last sentence of the abstract.
I'm not sure editing the description is worth it. These packages aren't shipped to users after all. So it will only show when people for example visit src.fedoraproject.org/rpms/rust-tiny-bip39 or packages.fedoraproject.org.
For reference for the legal team, I have sent this email [1], but it probably got lost due to mail-server settings probably.
[1]: https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org/thread/SOXBVDBDPXVVTNJSILO3JMXAKTRDKXNO/
(In reply to Cristian Le from comment #5)
> For reference for the legal team, I have sent this email [1], but it probably got lost due to mail-server settings probably.
>
> [1]: https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org/thread/SOXBVDBDPXVVTNJSILO3JMXAKTRDKXNO/
Oh looks like I drafted a reply but never sent it, will fix that.
https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org/message/HGJ6LBOGII7NH7D57DOWWVPI7AMB45ME/
Thanks for the reply Richard. Going with the assumption that the word list is currently under MIT, would the licensing `MIT OR Apache-2.0` still be correct, or should it change to `MIT AND MIT OR Apache-2.0`?
(In reply to Cristian Le from comment #8)
> Thanks for the reply Richard. Going with the assumption that the word list is currently under MIT, would the licensing `MIT OR Apache-2.0` still be correct, or should it change to `MIT AND MIT OR Apache-2.0`?
It should be `MIT AND (MIT OR Apache-2.0)`.
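Why the parentheses in the corrected expression matter, as an added example (not part of the original comments and not Fedora or rust2rpm code): a small parser for the AND / OR / parentheses subset of SPDX license expressions, where AND binds tighter than OR. The function names `parse` and `satisfied` are hypothetical, `WITH` and `+` are not handled, and `satisfied` is a simplified model of "which licenses must be complied with".

```python
import re

def parse(expr):
    """Parse the AND/OR/parentheses subset of SPDX license expressions into
    nested tuples; AND binds tighter than OR, as in the SPDX grammar."""
    toks = re.findall(r"\(|\)|[A-Za-z0-9.+-]+", expr)
    if "".join(toks) != "".join(expr.split()):
        raise ValueError("unexpected character in expression")
    toks.append(None)  # end-of-input sentinel

    def atom():
        tok = toks.pop(0)
        if tok == "(":
            node = or_expr()
            if toks.pop(0) != ")":
                raise ValueError("missing ')'")
            return node
        if tok in (None, ")", "AND", "OR"):
            raise ValueError(f"unexpected token {tok!r}")
        return tok  # a license identifier such as "MIT"

    def chain(op, operand):
        # Left-associative run: operand (op operand)*
        node = operand()
        while toks[0] == op:
            toks.pop(0)
            node = (op, node, operand())
        return node

    def and_expr():
        return chain("AND", atom)

    def or_expr():
        return chain("OR", and_expr)

    tree = or_expr()
    if toks[0] is not None:
        raise ValueError(f"unexpected token {toks[0]!r}")
    return tree

def satisfied(node, accepted):
    """True if the licenses in `accepted` alone are enough to meet `node`."""
    if isinstance(node, str):
        return node in accepted
    op, left, right = node
    results = (satisfied(left, accepted), satisfied(right, accepted))
    return all(results) if op == "AND" else any(results)
```

The unparenthesized `MIT AND MIT OR Apache-2.0` parses as `(MIT AND MIT) OR Apache-2.0`, which Apache-2.0 alone would satisfy in this model; the parenthesized form always requires MIT.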
Thank you, I'll make the necessary changes. PS: I did get a reply on a random PR, and they confirmed it to be MIT: https://github.com/bitcoin/bips/pull/1395#issuecomment-2393930721
Spec URL: https://lecris.fedorapeople.org/reviews/rust-tiny-bip39/rust-tiny-bip39.spec
SRPM URL: https://lecris.fedorapeople.org/reviews/rust-tiny-bip39/rust-tiny-bip39-1.0.0-1.fc42.src.rpm
Updated license metadata. BTW, there seems to be a competing standard (https://github.com/p2w34/wlips), which is supposed to supersede it. Maybe it's good to keep the description more technical here.
It looks like this package depends on the compat package for pbkdf2 v0.11, which was recently retired (by me, because it was unused):
> Problem: nothing provides requested (crate(pbkdf2) >= 0.11.0 with crate(pbkdf2) < 0.12.0~)
Can you try bumping the dependency to 0.12? Usually changes like this for RustCrypto crates don't require code changes.
Spec URL: https://lecris.fedorapeople.org/reviews/rust-tiny-bip39/rust-tiny-bip39.spec
SRPM URL: https://lecris.fedorapeople.org/reviews/rust-tiny-bip39/rust-tiny-bip39-2.0.0-1.fc42.src.rpm
I am going with bumping tiny-bip39 to 2.0.0. Atuin is currently incompatible with it, but hopefully it will be addressed by then. I've tried my luck at fixing but got stuck at how to remove the `downcast_ref`
Thanks, looks good to me, with one exception: Correcting the license in the spec file is not enough, since our packaging tools only have access to the metadata in Cargo.toml (i.e. the %cargo_license and %cargo_license_summary macros), so you will need to patch Cargo.toml for the corrected license expression.
2.0 is the version where they already merged the license correction. The latest version is almost vanilla rust2rpm (don't remember if it's just summary that's patched, it's on the work laptop, will see it tomorrow)
https://crates.io/crates/tiny-bip39/2.0.0
Thanks! I somehow missed that the new version fixes this upstream.
===
Package was generated with rust2rpm, simplifying the review.
✅ package contains only permissible content
✅ package builds and installs without errors on rawhide
✅ test suite is run and all unit tests pass
✅ latest version of the crate is packaged
✅ license matches upstream specification and is acceptable for Fedora
✅ license files are included with %license in %files
✅ package complies with Rust Packaging Guidelines
Package APPROVED.
===
Recommended post-import rust-sig tasks:
- set up package on release-monitoring.org:
  project: $crate
  homepage: https://crates.io/crates/$crate
  backend: crates.io
  version scheme: semantic
  version (*NOT* pre-release) filter: alpha;beta;rc;pre
  distro: Fedora
  Package: rust-$crate
- add @rust-sig with "commit" access as package co-maintainer (should happen automatically)
- set bugzilla assignee overrides to @rust-sig (optional)
- track package in koschei for all built branches (should happen automatically once rust-sig is co-maintainer)
Thank you for the review, Fabio
The Pagure repository was created at https://src.fedoraproject.org/rpms/rust-tiny-bip39
https://pagure.io/releng/fedora-scm-requests/issue/68991
FEDORA-2024-212e8bff12 (rust-tiny-bip39-2.0.0-1.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2024-212e8bff12
FEDORA-2024-481378ea50 (rust-tiny-bip39-2.0.0-1.fc39) has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2024-481378ea50
FEDORA-2024-4322d1f1e6 (rust-tiny-bip39-2.0.0-1.fc40) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2024-4322d1f1e6
FEDORA-2024-212e8bff12 (rust-tiny-bip39-2.0.0-1.fc42) has been pushed to the Fedora 42 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2024-481378ea50 has been pushed to the Fedora 39 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-481378ea50` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-481378ea50 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-712ce402eb has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-712ce402eb` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-712ce402eb See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-4322d1f1e6 has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-4322d1f1e6` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-4322d1f1e6 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-712ce402eb (rust-tiny-bip39-2.0.0-1.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2024-4322d1f1e6 (rust-tiny-bip39-2.0.0-1.fc40) has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2024-481378ea50 (rust-tiny-bip39-2.0.0-1.fc39) has been pushed to the Fedora 39 stable repository. If problem still persists, please make note of it in this bug report.