Bug 233775 - Review Request: haproxy - TCP/HTTP reverse proxy for high availability environments
Review Request: haproxy - TCP/HTTP reverse proxy for high availability enviro...
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Kevin Fenzi
Fedora Package Reviews List
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-03-24 18:44 EDT by Jeremy Hinegardner
Modified: 2007-11-30 17:12 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-09-21 15:03:29 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
kevin: fedora‑review+
kevin: fedora‑cvs+


Attachments (Terms of Use)

  None (edit)
Description Jeremy Hinegardner 2007-03-24 18:44:48 EDT
Spec URL: http://www.hinegardner.org/fedora-extras/haproxy.spec
SRPM URL: http://www.hinegardner.org/fedora-extras/haproxy-1.2.17-2.src.rpm
Description: 
HA-Proxy is a TCP/HTTP reverse proxy which is particularly suited for high
availability environments. Indeed, it can:
- route HTTP requests depending on statically assigned cookies
- spread the load among several servers while assuring server persistence
  through the use of HTTP cookies
- switch to backup servers in the event a main one fails
- accept connections to special ports dedicated to service monitoring
- stop accepting connections without breaking existing ones
- add/modify/delete HTTP headers both ways
- block requests matching a particular pattern
Comment 1 Kevin Fenzi 2007-05-21 22:04:15 EDT
I'd be happy to review this package. Look for a full review in a bit. 
Comment 2 Kevin Fenzi 2007-05-21 22:48:52 EDT
OK - Package meets naming and packaging guidelines
OK - Spec file matches base package name.
OK - Spec has consistant macro usage.
OK - Meets Packaging Guidelines.
See below - License(GPL)
See below - License field in spec matches
See below - License file included in package
OK - Spec in American English
OK - Spec is legible.
OK - Sources match upstream md5sum:
45a66691aa3b22996862e3e5bac4289c  haproxy-1.2.17.tar.gz
45a66691aa3b22996862e3e5bac4289c  haproxy-1.2.17.tar.gz.1
OK - BuildRequires correct
OK - Package has %defattr and permissions on files is good.
OK - Package has a correct %clean section.
OK - Package has correct buildroot
OK - Package is code or permissible content.
OK - Packages %doc files don't affect runtime.
OK - Package has rm -rf RPM_BUILD_ROOT at top of %install

OK - Package compiles and builds on at least one arch.
OK - Package has no duplicate files in %files.
OK - Package doesn't own any directories other packages own.
OK - Package owns all the directories it creates.
See below - No rpmlint output.
OK - final provides and requires are sane.

SHOULD Items:

OK - Should build in mock.
OK - Should build on all supported archs
OK - Should have dist tag
OK - Should package latest version

Issues:

1. You might ask upstream to include a copy of the GPL and the other odd license?
Not a blocker.

2. What parts of the code are under the odd MIT-like O'Reilly license?
It might be good to list them. Also, I can't find mention of this license in the
code
anywhere. Where is it stated?

3. rpmlint says:
E: haproxy non-standard-uid /var/lib/haproxy haproxy
E: haproxy non-standard-gid /var/lib/haproxy haproxy

These can be ignored.
Not a blocker.
Comment 3 Jeremy Hinegardner 2007-05-23 11:13:38 EDT
(In reply to comment #2)
> Issues:
> 
> 1. You might ask upstream to include a copy of the GPL and the other odd license?
> Not a blocker.

I'll send upstream a note and see if he'll put a COPYING or the like in the
source distribution.  Along with a manifest of which files are under which
license.  The source code files which are GPL say so in the boiler plate at the
top of the .c files.
 
> 2. What parts of the code are under the odd MIT-like O'Reilly license?
> It might be good to list them. Also, I can't find mention of this license in the
> code
> anywhere. Where is it stated?

The .c files that are under the MIT-like license from O'Reilly say in the header
at the top of the file that they are copied from Mastering Algorithms in C by
Kyle Loudon.  It gives the ISBN number and a link to the book's page on
O'Reilly.  I wondered about what license these files were under so I downloaded
the original examples .tgz from O'Reilly where these files came from and read
the license in there. 

So no, the license is not specifically mentioned in haproxy itslf, but the
source code that is from the Loudon Book is duely noted.

All in all, each .c file in haproxy says where it came from, who wrote it, and
if its under GPL it states that.
Comment 4 Kevin Fenzi 2007-05-23 17:32:00 EDT
1. ok. Sounds good. 
2. ok. I looked, but didn't see those headers for some reason. ;( 
I found them now... makes sense to me. 

One thing that bothers me about that license... the part that says: 

" This code
#   is under copyright and cannot be included in any other book,
#   publication, or  educational product  without  permission  from
#   O'Reilly & Associates."

Is Fedora a "educational product" ? Could it be considered such?

FYI, the entire thing reads: 

The source code on this disk can be freely used, adapted, and redistributed in
source or  binary form, so long as an acknowledgment appears in derived source
files. The citation should list that the code comes from the  book  "Mastering
Algorithms with C"  by Kyle Loudon,  published by O'Reilly & Associates.  This
code is under copyright and cannot be included in any other book, publication,
or  educational product  without  permission  from  O'Reilly & Associates.  No
warranty is attached; we cannot take responsibility for errors or  fitness for
use.
Comment 5 Tom "spot" Callaway 2007-05-23 17:37:46 EDT
Asking the FSF for an opinion on that "unique license".
Comment 6 Jeremy Hinegardner 2007-06-14 15:35:21 EDT
Any word back from FSF ?  Is their response required for approval?
Comment 7 Tom "spot" Callaway 2007-06-14 15:37:41 EDT
Yes, they said the license as is is non-free. This is a blocker, however, I've
not stopped this, as the FSF is trying to negotiate with O'Reilly to see if
they're willing to change the license.
Comment 8 Tom "spot" Callaway 2007-06-14 15:41:22 EDT
I am however, blocking this against FE-Legal, until I hear back again from the
FSF/O'Reilly.
Comment 9 Jeremy Hinegardner 2007-06-27 22:33:06 EDT
(In reply to comment #8)
> I am however, blocking this against FE-Legal, until I hear back again from the
> FSF/O'Reilly.

Just checking in to see if FSF/O'Reilly has gotten back to anyone.  Thanks.

Comment 10 Tom "spot" Callaway 2007-06-27 23:39:40 EDT
Nothing yet. I'll poke the FSF again.
Comment 11 Kevin Fenzi 2007-07-10 21:22:47 EDT
Any further news? Hopefully they can work something out... 
Comment 12 Jeremy Hinegardner 2007-07-22 20:43:51 EDT
Any updates from the FSF?
Comment 13 Tom "spot" Callaway 2007-07-22 21:30:51 EDT
Not yet. They're rather busy with GPLv3 fallout at the time, but I'll poke them
again.
Comment 14 Jeremy Hinegardner 2007-09-11 18:13:17 EDT
I've spoken with Willy (the author of haproxy) a few times recently, he has a
patch to replace all the O'Reilly code and with appropriately licensed code. He
is now testing it.  When that release comes out, I'll package up that vesion and
then the licensing issue will be moot.
Comment 15 Tom "spot" Callaway 2007-09-12 09:46:18 EDT
O'Reilly responded to the FSF and claimed to be in the process of changing the
license on that code to a "BSD-ish" license, but so far, this has not occurred.

Even though it may be moot, I figured I would pass it along. I've sent another
email to O'Reilly asking them to actually make this licensing change.
Comment 16 Tom "spot" Callaway 2007-09-12 11:16:27 EDT
http://examples.oreilly.com/masteralgoc/

A new tarball has been uploaded there, and the source code is now under the MIT
license. HAproxy should be able to pick this code up and resolve the licensing
pain (if they want to).
Comment 17 Jeremy Hinegardner 2007-09-15 23:08:49 EDT
That is great news.  I've forwarded the info to Willy upstream.
Comment 18 Jeremy Hinegardner 2007-09-19 02:48:40 EDT
New package and spec.  I've switched to the 1.3.12 branch which is the new stable upstream branch 
instead of 1.2.17.  There are some new files and a patch from upstream against 1.3.12.1 to clear up the 
licensing issue now that O'Reilly has changed to MIT license for its code.

SPEC url: http://jjh.fedorapeople.org/haproxy/haproxy.spec
SRPM url: http://jjh.fedorapeople.org/haproxy/haproxy-1.3.12.1-1.fc7.src.rpm

It probably needs a full review again since this is a whole new branch of code.  
Comment 19 Kevin Fenzi 2007-09-19 22:23:28 EDT
OK - Spec file matches base package name.
OK - Spec has consistant macro usage.
OK - Meets Packaging Guidelines.
See below - License (GPLv2+)
See below - License field in spec matches
OK - License file included in package
OK - Spec in American English
OK - Spec is legible.
OK - Sources match upstream md5sum:
032f976cf82e1ba48702e25545155147  haproxy-1.3.12.1.tar.gz
032f976cf82e1ba48702e25545155147  haproxy-1.3.12.1.tar.gz.1
OK - BuildRequires correct
OK - Package has %defattr and permissions on files is good.
OK - Package has a correct %clean section.
OK - Package has correct buildroot
OK - Package is code or permissible content.
OK - Packages %doc files don't affect runtime.
OK - Package has rm -rf RPM_BUILD_ROOT at top of %install

OK - Package compiles and builds on at least one arch.
OK - Package has no duplicate files in %files.
OK - Package doesn't own any directories other packages own.
OK - Package owns all the directories it creates.
See below - No rpmlint output.
OK - final provides and requires are sane.

SHOULD Items:

OK - Should build in mock.
OK - Should build on all supported archs
OK - Should have sane scriptlets.
OK - Should have dist tag
OK - Should package latest version

Issues:

1. I think the License tag here should be "GPLv2+ and LGPLv2+ and MIT".
The bulk of the program is under the GPLv2+, but those pesky example bits are
now MIT. Also, many of the header files are LGPLv2+.
It's all nice and confusing. I might try and get spot to look it over. ;)

Also, I am not sure it's permissable to change license's via a patch.
You may need to wait until upstream does a new release with the new
license text in place.

2. rpmlint says (as before):
haproxy.i386: E: non-standard-uid /var/lib/haproxy haproxy
haproxy.i386: E: non-standard-gid /var/lib/haproxy haproxy
Can be ignored.

Everything else looks good, hopefully we can get this approved soon.

Spot: can you take a look at the current license situation?
Comment 20 Tom "spot" Callaway 2007-09-19 22:48:52 EDT
I would really rather that we didn't change the license with a patch. Please try
to get upstream to make a new tarball, even if it is just for Fedora.

As to the License: tag, use "GPLv2+ and MIT". The examples are standalone MIT,
the code is GPLv2+. The headers are LGPLv2 (not LGPLv2+), but since we don't
package up the headers, we don't need to reference them in the License tag.
Comment 21 Jeremy Hinegardner 2007-09-20 00:31:22 EDT
Just to clear up any confusion, the patch I applied was sent to me from Willy 
upstream.  I'll also check and see if he'll create a new tarball.  The License
tag I've updated.  I'll create a new srpm when I hear back from Willy about a
new tarball.
Comment 22 Jeremy Hinegardner 2007-09-20 12:34:08 EDT
Upstream release a new version with the licensing patch applied and a few bug fixes too.

SRPM: http://jjh.fedorapeople.org/haproxy/haproxy-1.3.12.2-1.fc7.src.rpm
SPEC: http://jjh.fedorapeople.org/haproxy/haproxy.spec
Comment 23 Kevin Fenzi 2007-09-20 22:15:45 EDT
The License tag is still just GPLv2+... can you update it to "GPLv2+ and MIT" ?
(You can do that before you check it in)

Otherwise everything looks good in this last version, so this package is APPROVED. 

Comment 24 Jeremy Hinegardner 2007-09-20 23:32:06 EDT
license tag is updated
Comment 25 Jeremy Hinegardner 2007-09-20 23:41:57 EDT
New Package CVS Request
=======================
Package Name: haproxy
Short Description: TCP/HTTP reverse proxy for high availability environments
Owners: jjh
Branches: FC-6 F-7 EL-4 EL-5
InitialCC: 
Cvsextras Commits:
Comment 26 Jeremy Hinegardner 2007-09-20 23:43:29 EDT
Since the license issues are all cleared up, can someone remove the FE-Legal blocker?
Comment 27 Tom "spot" Callaway 2007-09-21 08:56:45 EDT
Lifting FE-Legal. Have fun!
Comment 28 Kevin Fenzi 2007-09-21 12:22:51 EDT
cvs done.

Note You need to log in before you can comment on or make changes to this bug.