Spec URL: http://directory.fedora.redhat.com/built/rpm_review/rcritten/jss.spec
SRPM URL: http://directory.fedora.redhat.com/built/rpm_review/rcritten/jss-4.2.4-1.src.rpm
Description: Java Security Services (JSS) is a java native interface which provides a bridge for java-based applications to use native Network Security Services (NSS).
NOTE: JSS is a JCE-provider and needs to be signed in order to perform certain operations. Even though gcj doesn't enforce the signing requirement many of the JSS self-tests fail miserably, presumably due to deficiencies in gcj. The reason for requiring signing is to provide a level of confidence that the implemented provider you are using to perform your crypto operation is trusted.
http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CertForm.txt
"Only CSPs signed by a trusted entity can be plugged into the JCE framework."
So the bottom line is that this JSS will work for some operations (like SSL client and server) but not for key generation and signing.
The C compiler should be invoked with $RPM_OPT_FLAGS (obviously in addition to whatever other flags this package requires). I'm seeing lots of errors during the build, although I do get a valid RPM in the end. The errors all look something like this...
    cd org; make export
    make[1]: Entering directory `/usr/src/redhat/BUILD/jss-4.2.4/mozilla/security/jss/org'
    syntax error at -e line 3, near "while"
    syntax error at -e line 7, near "}"
    Execution of -e aborted due to compilation errors.
    cd mozilla; make export
    make[2]: Entering directory `/usr/src/redhat/BUILD/jss-4.2.4/mozilla/security/jss/org/mozilla'
    syntax error at -e line 3, near "while"
    syntax error at -e line 7, near "}"
    Execution of -e aborted due to compilation errors.
How do I run the JSS self-tests?
The errors are in the upstream source. They are related to dependency finding, so they don't affect the build. The JSS self-tests expect that NSS and NSPR have been built along with JSS, so you have to do a small amount of hacking to get around it. You can run the tests after the make is done in the %build step by adding this:
    mkdir mozilla/tests_results
    perl -pi -e "s:\\\$nss_lib_dir = \\\"\\\$dist_dir/lib\\\":\\\$nss_lib_dir = \\\"%{_libdir}\\\":" mozilla/security/jss/org/mozilla/jss/tests/all.pl
    perl mozilla/security/jss/org/mozilla/jss/tests/all.pl dist mozilla/dist/*.OBJ
Ugly but it works. Added RPM_OPT_FLAGS so they are picked up. I did not add the above to the spec.
Spec URL: http://directory.fedora.redhat.com/built/rpm_review/rcritten/jss.spec
SRPM URL: http://directory.fedora.redhat.com/built/rpm_review/rcritten/jss-4.2.4-2.src.rpm
Looking over http://fedoraproject.org/wiki/Packaging/ReviewGuidelines I see a few things:
    The licence versions should be spelled out more clearly.
    rpmlint passes with no errors.
    The Source0 should be a full URL.
I'll look at more later, but for now it compiles (with a disturbing number of warnings) on FC5.
As discussed in the past, it may be impossible to ship this in Fedora or RHEL signed because that is in conflict with our licenses and guarantees of reproducibility. The resulting software would not be "Free".
As discussed we will ship an unsigned jar in Fedora. This is adequate for use in an SSL context but it will fail as a JCE provider. The license is the Mozilla tri-license. I used the same license string as the existing NSS and NSPR packages (MPL/GPL/LGPL). There is no tar file that I could find so I updated the spec to include instructions on pulling it from CVS. I also added some information on why the jar can't be signed.
Spec URL: http://directory.fedora.redhat.com/built/rpm_review/rcritten/jss.spec
SRPM URL: http://directory.fedora.redhat.com/built/rpm_review/rcritten/jss-4.2.4-3.src.rpm
The comment in the spec file about the unsigned JAR should indicate that this optional extra step is only required for proprietary JREs. Walking down the checklist again: Shouldn't this package run ldconfig, as it places a file in ${_libdir}? If not (is this library only ever dlopen()ed?), perhaps this should be documented in the spec file?
These were both already mentioned in the spec but I made them more explicit.
Spec URL: http://directory.fedora.redhat.com/built/rpm_review/rcritten/jss.spec
SRPM URL: http://directory.fedora.redhat.com/built/rpm_review/rcritten/jss-4.2.4-4.src.rpm
Further Clarification regarding signing of JSS JARs. Due to Fedora's reproducibility requirements, we are unable to ship signed JARs in Fedora as it would no longer be reproducible FOSS. Software shipped within Fedora does not need JSS to be signed, so we are OK in this regard. If 3rd party software requires a signed JSS JAR, then another copy would need to be packaged and distributed by that third party. That 3rd party JSS jar should be capable of installation in parallel with the Fedora JSS without conflicting.
A signed package is really a super-set of this one so I think a properly signed version could Obsolete this one rather than installing in parallel.
How about deciding upon exactly how a proper signed package would replace this package now?
Theoretical Packages
====================
jss-4.2.9-7.el6
    JSS for RHEL6 unsigned
jss-4.2.9-7.el6.SIGNED
    Same thing, except with SIGNED appended to end of the Release tag. This would "win" rpmvercmp and replace the unsigned version. This package has an additional virtual provides.
    Provides: jss(SIGNED)
    That way other packages that require jss(SIGNED) can Require it by name.
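The rpmvercmp ordering proposed in the comment above can be checked with the following added example, which is not part of the original thread and is not rpm's own code. It is a simplified Python rendering of rpm's segment comparison (no `~` or `^` handling, epochs assumed equal); the function names and the `8.el6` rebuild are constructed for illustration.

```python
import re

# One rpm version segment: a run of digits or a run of ASCII letters.
# Everything else ('.', '-', '_', ...) only separates segments.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm segment comparison (no '~' or '^' rules).
    Returns 1 if a is newer, -1 if b is newer, 0 if they are equal."""
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() != y.isdigit():
            # A numeric segment always beats an alphabetic one.
            return 1 if x.isdigit() else -1
        if x.isdigit():
            # Numbers: drop leading zeros, then the longer number is larger.
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    # All shared segments match: the string with segments left over wins.
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1

def upgrade_winner(nvr_a: str, nvr_b: str):
    """Return the name-version-release rpm would treat as the upgrade,
    or None if both compare equal. Hypothetical helper for this example."""
    _, ver_a, rel_a = nvr_a.rsplit("-", 2)
    _, ver_b, rel_b = nvr_b.rsplit("-", 2)
    result = rpmvercmp(ver_a, ver_b) or rpmvercmp(rel_a, rel_b)
    if result == 0:
        return None
    return nvr_a if result > 0 else nvr_b

if __name__ == "__main__":
    # The first pair is from the comment; the 8.el6 rebuild is constructed.
    for a, b in [("jss-4.2.9-7.el6", "jss-4.2.9-7.el6.SIGNED"),
                 ("jss-4.2.9-7.el6.SIGNED", "jss-4.2.9-8.el6")]:
        print(f"{a} vs {b}: upgrade is {upgrade_winner(a, b)}")
```

The SIGNED suffix wins only against the same release number: a later unsigned rebuild such as 8.el6 outranks 7.el6.SIGNED, so packages that need the signed jar depend on the jss(SIGNED) provide rather than on the version ordering.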
I like it.
New Package CVS Request
=======================
Package Name: jss
Short Description: Java Security Services (JSS) is a java native interface which provides a bridge for java-based applications to use native Network Security Services (NSS).
Owners: rcritten,mlum
Branches: FC-6 FC-7
InitialCC: nkwan,richm,nkinder,mharmsen,sparkins
The package needs review and approval first. mlum, please do not request cvs before the package is approved.
I think we need to have a LICENSE file in the rpm, e.g. %doc LICENSE. Other than that, it's good to go.
You didn't set fedora-cvs to ?, but judging by the above comments and fedora-review set to +, I'm following through with your CVS request.
I found some small issues with the review I started on it. As Rich says, the LICENSE file should be included.
    Requires: nss >= 3.11.4
    Requires: nspr >= 4.6.4
are not needed; rpm detects the Requires itself.
Requires:
    java
    libc.so.6()(64bit)
    libc.so.6(GLIBC_2.2.5)(64bit)
    libc.so.6(GLIBC_2.3.4)(64bit)
    libc.so.6(GLIBC_2.4)(64bit)
    libdl.so.2()(64bit)
    libnspr4.so()(64bit)
    libnss3.so()(64bit)
    libnss3.so(NSS_3.10.2)(64bit)
    libnss3.so(NSS_3.2)(64bit)
    libnss3.so(NSS_3.3)(64bit)
    libnss3.so(NSS_3.4)(64bit)
    libnss3.so(NSS_3.5)(64bit)
    libnss3.so(NSS_3.6)(64bit)
    libplc4.so()(64bit)
    libplds4.so()(64bit)
    libpthread.so.0()(64bit)
    libsmime3.so()(64bit)
    libsmime3.so(NSS_3.2)(64bit)
    libsmime3.so(NSS_3.3)(64bit)
    libssl3.so()(64bit)
    libssl3.so(NSS_3.2)(64bit)
    nspr >= 4.6.4
    nss >= 3.11.4
    rtld(GNU_HASH)
Builds in mock on devel x86_64.
rpmlint is quiet.
I would like to see sparc64 added to the %ifarch x86_64 ppc64 ia64 s390x line.
Fix these small issues and I'll approve jss.
The Requires: are there because we need a minimum level of NSS and NSPR, not just any old version. I included the 3 license files and added sparc64. If the current Requires line is ok I'll upload a fixed spec and srpm.
NSS has versioned symbols so the minimum version is set when something is built against it, so Dennis is right, we don't need Requires.
Spec URL: http://directory.fedora.redhat.com/built/rpm_review/rcritten/jss.spec
SRPM URL: http://directory.fedora.redhat.com/built/rpm_review/rcritten/jss-4.2.4-5.src.rpm
Issues fixed. I approve JSS.
New Package CVS Request
=======================
Package Name: jss
Short Description: Java Security Services (JSS) is a java native interface which provides a bridge for java-based applications to use native Network Security Services (NSS).
Owners: rcritten,mlum
Branches: FC-6 FC-7 (IIRC, there is a branch for FC-7 on 5/17?)
InitialCC: nkwan,richm,nkinder,mharmsen,sparkins
cvs done
Package Change Request
======================
Package Name: jss
New Branches: FC-7
This package was approved during the FC-7 freeze and a build had not been done in devel. When the branch and tagging happened no FC-7 branch was created, I presume because it hadn't been built yet. So it essentially has skipped FC-7 and has just FC-6 and FC-8 tags.
The Fedora 7 branch is called F-7. Branch added.
New Package CVS Request
=======================
Package Name: jss
Short Description: Java Security Services (JSS) is a java native interface which provides a bridge for java-based applications to use native Network Security Services (NSS).
Owners: stahnma
Branches: EL4 EL5
cvs done.