Spec URL: https://gitlab.com/carlosrodfern/botan3-review/-/raw/main/botan3.spec SRPM URL: https://gitlab.com/carlosrodfern/botan3-review/-/jobs/11343442305/artifacts/raw/botan3-3.9.0-1.fc44.src.rpm Description: Botan is a BSD-licensed crypto library written in C++. It provides a wide variety of basic cryptographic algorithms, X.509 certificates and CRLs, PKCS \#11 certificate requests, a filter/pipe message processing system, and a wide variety of other features, all written in portable C++. The API reference, tutorial, and examples may help impart the flavor of the library. This is the current stable release branch 3.x of Botan. Fedora Account System Username: carlosrodrifern
Copr build: https://copr.fedorainfracloud.org/coprs/build/9552699 (succeeded) Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2394931-botan3/fedora-rawhide-x86_64/09552699-botan3/fedora-review/review.txt Please take a look if any issues were found. --- This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.
Spec URL: https://gitlab.com/carlosrodfern/botan3-review/-/raw/main/botan3.spec SRPM URL: https://gitlab.com/carlosrodfern/botan3-review/-/jobs/11343588991/artifacts/raw/botan3-3.9.0-1.fc44.src.rpm
Created attachment 2106498 [details] The .spec file difference from Copr build 9552699 to 9552731
Copr build: https://copr.fedorainfracloud.org/coprs/build/9552731 (succeeded) Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2394931-botan3/fedora-rawhide-x86_64/09552731-botan3/fedora-review/review.txt Please take a look if any issues were found. --- This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.
Package Review ============== Legend: [x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated [ ] = Manual review needed ===== MUST items ===== C/C++: [ ]: Package does not contain kernel modules. [x]: If your application is a C or C++ application you must list a BuildRequires against gcc, gcc-c++ or clang. [x]: Header files in -devel subpackage, if present. [x]: ldconfig not called in %post and %postun for Fedora 28 and later. [x]: Package does not contain any libtool archives (.la) [x]: Package contains no static executables. [x]: Rpath absent or only used for internal libs. [x]: Development (unversioned) .so files in -devel subpackage, if present. Generic: [x]: Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines. [x]: License field in the package spec file matches the actual license. Note: Checking patched sources after %prep for licenses. Licenses found: "Unknown or generated", "BSD 2-Clause License", "*No copyright* BSD 2-Clause License [generated file]", "*No copyright* BSD 2-Clause License". 2006 files have unknown license. Detailed output of licensecheck in /home/fedora-packaging/reviews/botan3/2394931- botan3/licensecheck.txt [x]: License file installed when any subpackage combination is installed. [ ]: Package must own all directories that it creates. Note: Directories without known owners: /usr/lib/python3.14/site- packages, /usr/lib/python3.14/site-packages/__pycache__, /usr/lib/python3.14 [ ]: %build honors applicable compiler flags or justifies otherwise. [ ]: Package contains no bundled libraries without FPC exception. [x]: Changelog in prescribed format. [ ]: Sources contain only permissible code or content. [-]: Package contains desktop file if it is a GUI application. [x]: Development files must be in a -devel package [x]: Package uses nothing in %doc for runtime. [x]: Package consistently uses macros (instead of hard-coded directory names). [x]: Package is named according to the Package Naming Guidelines. [ ]: Package does not generate any conflict. [x]: Package obeys FHS, except libexecdir and /usr/target. [-]: If the package is a rename of another package, proper Obsoletes and Provides are present. [x]: Requires correct, justified where necessary. [x]: Spec file is legible and written in American English. [-]: Package contains systemd file(s) if in need. [x]: Useful -debuginfo package or justification otherwise. [x]: Package is not known to require an ExcludeArch tag. [x]: Large documentation must go in a -doc subpackage. Large could be size (~1MB) or number of files. Note: Documentation size is 52469 bytes in 4 files. [ ]: Package complies to the Packaging Guidelines [x]: Package successfully compiles and builds into binary rpms on at least one supported primary architecture. [x]: Package installs properly. [x]: Rpmlint is run on all rpms the build produces. Note: There are rpmlint messages (see attachment). [x]: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %license. [x]: The License field must be a valid SPDX expression. [x]: Package requires other packages for directories it uses. [x]: Package does not own files or directories owned by other packages. [x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT [x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install. [x]: Macros in Summary, %description expandable at SRPM build time. [x]: Dist tag is present. [x]: Package does not contain duplicates in %files. [x]: Permissions on files are set properly. [x]: Package must not depend on deprecated() packages. [x]: Package use %makeinstall only when make install DESTDIR=... doesn't work. [x]: Package is named using only allowed ASCII characters. [x]: Package does not use a name that already exists. [x]: Package is not relocatable. [x]: Sources used to build the package match the upstream source, as provided in the spec URL. [x]: Spec file name must match the spec package %{name}, in the format %{name}.spec. [x]: File names are valid UTF-8. [x]: Packages must not store files under /srv, /opt or /usr/local Python: [-]: Python eggs must not download any dependencies during the build process. [-]: A package which is used by another package via an egg interface should provide egg info. [ ]: Package meets the Packaging Guidelines::Python [x]: Package contains BR: python2-devel or python3-devel [x]: Packages MUST NOT have dependencies (either build-time or runtime) on packages named with the unversioned python- prefix unless no properly versioned package exists. Dependencies on Python packages instead MUST use names beginning with python2- or python3- as appropriate. [x]: Python packages must not contain %{pythonX_site(lib|arch)}/* in %files [x]: Binary eggs must be removed in %prep ===== SHOULD items ===== Generic: [-]: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it. [ ]: Final provides and requires are sane (see attachments). [ ]: Fully versioned dependency in subpackages if applicable. Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in python3-botan3 [ ]: Package functions as described. [ ]: Latest version is packaged. [x]: Package does not include license text files separate from upstream. [x]: Package should compile and build into binary rpms on all supported architectures. [x]: %check is present and all tests pass. [ ]: Packages should try to preserve timestamps of original installed files. [x]: Reviewer should test that the package builds in mock. [x]: Buildroot is not present [x]: Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT) [x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin. [x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file [x]: The placement of pkgconfig(.pc) files are correct. [x]: Sources can be downloaded from URI in Source: tag [x]: SourceX is a working URL. [x]: Sources are verified with gpgverify first in %prep if upstream publishes signatures. [x]: Spec use %global instead of %define unless justified. ===== EXTRA items ===== Generic: [x]: Rpmlint is run on debuginfo package(s). Note: No rpmlint messages. [x]: Rpmlint is run on all installed packages. Note: There are rpmlint messages (see attachment). [x]: Large data in /usr/share should live in a noarch subpackage if package is arched. [x]: Spec file according to URL is the same as in SRPM. Rpmlint ------- Checking: botan3-3.9.0-1.fc44.x86_64.rpm botan3-devel-3.9.0-1.fc44.x86_64.rpm python3-botan3-3.9.0-1.fc44.noarch.rpm botan3-doc-3.9.0-1.fc44.noarch.rpm botan3-3.9.0-1.fc44.src.rpm ============================ rpmlint session starts ============================ rpmlint: 2.7.0 configuration: /usr/lib/python3.13/site-packages/rpmlint/configdefaults.toml /etc/xdg/rpmlint/fedora-spdx-licenses.toml /etc/xdg/rpmlint/fedora.toml /etc/xdg/rpmlint/scoring.toml /etc/xdg/rpmlint/users-groups.toml /etc/xdg/rpmlint/warn-on-functions.toml rpmlintrc: [PosixPath('/tmp/tmpk9j3pzjf')] checks: 32, packages: 5 botan3.src: W: strange-permission botan3.spec 666 botan3-devel.x86_64: W: no-documentation python3-botan3.noarch: W: no-documentation botan3.x86_64: W: files-duplicate /usr/share/licenses/botan3/license.txt /usr/share/doc/botan3/license.txt 5 packages and 0 specfiles checked; 0 errors, 4 warnings, 31 filtered, 0 badness; has taken 2.4 s Rpmlint (debuginfo) ------------------- Checking: botan3-debuginfo-3.9.0-1.fc44.x86_64.rpm ============================ rpmlint session starts ============================ rpmlint: 2.7.0 configuration: /usr/lib/python3.13/site-packages/rpmlint/configdefaults.toml /etc/xdg/rpmlint/fedora-spdx-licenses.toml /etc/xdg/rpmlint/fedora.toml /etc/xdg/rpmlint/scoring.toml /etc/xdg/rpmlint/users-groups.toml /etc/xdg/rpmlint/warn-on-functions.toml rpmlintrc: [PosixPath('/tmp/tmpge07xsfk')] checks: 32, packages: 1 1 packages and 0 specfiles checked; 0 errors, 0 warnings, 12 filtered, 0 badness; has taken 4.4 s Rpmlint (installed packages) ---------------------------- ============================ rpmlint session starts ============================ rpmlint: 2.7.0 configuration: /usr/lib/python3.14/site-packages/rpmlint/configdefaults.toml /etc/xdg/rpmlint/fedora-spdx-licenses.toml /etc/xdg/rpmlint/fedora.toml /etc/xdg/rpmlint/scoring.toml /etc/xdg/rpmlint/users-groups.toml /etc/xdg/rpmlint/warn-on-functions.toml checks: 32, packages: 5 python3-botan3.noarch: W: no-documentation botan3-devel.x86_64: W: no-documentation botan3.x86_64: W: files-duplicate /usr/share/licenses/botan3/license.txt /usr/share/doc/botan3/license.txt 5 packages and 0 specfiles checked; 0 errors, 3 warnings, 38 filtered, 0 badness; has taken 1.5 s Source checksums ---------------- https://botan.randombit.net/pgpkey.txt : CHECKSUM(SHA256) this package : 07862f27687739a7ac201759779d361fa6282f0d6f1cb7973c68ebe1f36f54af CHECKSUM(SHA256) upstream package : 07862f27687739a7ac201759779d361fa6282f0d6f1cb7973c68ebe1f36f54af https://botan.randombit.net/releases/Botan-3.9.0.tar.xz.asc : CHECKSUM(SHA256) this package : d3bed356b65ae4ddab168c80989e16392cdfe405b894cb5b6dbf8fd6beb310f0 CHECKSUM(SHA256) upstream package : d3bed356b65ae4ddab168c80989e16392cdfe405b894cb5b6dbf8fd6beb310f0 https://botan.randombit.net/releases/Botan-3.9.0.tar.xz : CHECKSUM(SHA256) this package : 8c3f284b58ddd42e8e43e9fa86a7129d87ea7c3f776a80d3da63ec20722b0883 CHECKSUM(SHA256) upstream package : 8c3f284b58ddd42e8e43e9fa86a7129d87ea7c3f776a80d3da63ec20722b0883 Requires -------- botan3 (rpmlib, GLIBC filtered): libbotan-3.so.9()(64bit) libbz2.so.1()(64bit) libc.so.6()(64bit) libgcc_s.so.1()(64bit) libgcc_s.so.1(GCC_3.0)(64bit) libgcc_s.so.1(GCC_3.3.1)(64bit) libm.so.6()(64bit) libstdc++.so.6()(64bit) libstdc++.so.6(CXXABI_1.3)(64bit) libstdc++.so.6(CXXABI_1.3.11)(64bit) libstdc++.so.6(CXXABI_1.3.13)(64bit) libstdc++.so.6(CXXABI_1.3.15)(64bit) libstdc++.so.6(CXXABI_1.3.2)(64bit) libstdc++.so.6(CXXABI_1.3.3)(64bit) libstdc++.so.6(CXXABI_1.3.5)(64bit) libstdc++.so.6(CXXABI_1.3.7)(64bit) libstdc++.so.6(CXXABI_1.3.9)(64bit) libz.so.1()(64bit) libz.so.1(ZLIB_1.2.2)(64bit) rtld(GNU_HASH) botan3-devel (rpmlib, GLIBC filtered): /usr/bin/pkg-config botan3(x86-64) libbotan-3.so.9()(64bit) python3-botan3 (rpmlib, GLIBC filtered): botan3 python(abi) botan3-doc (rpmlib, GLIBC filtered): Provides -------- botan3: botan3 botan3(x86-64) libbotan-3.so.9()(64bit) botan3-devel: botan3-devel botan3-devel(x86-64) pkgconfig(botan-3) python3-botan3: python-botan3 python3-botan3 python3.14-botan3 botan3-doc: botan3-doc Generated by fedora-review 0.10.0 (e79b66b) last change: 2023-07-24 Command line :/usr/bin/fedora-review -b 2394931 Buildroot used: fedora-rawhide-x86_64 Active plugins: Python, Shell-api, Generic, C/C++ Disabled plugins: PHP, Perl, fonts, Haskell, Ocaml, SugarActivity, R, Java Disabled flags: EXARCH, EPEL6, EPEL7, DISTTAG, BATCH Comments: a) Koji build https://koji.fedoraproject.org/koji/taskinfo?taskID=137067722 b) soname should not be globbed: c) license.txt file is duplicated /usr/share/doc/botan3/license.txt /usr/share/licenses/botan3/license.txt d) devel package does not need a license as it requires main package e) Man page has incorrect filename botan3.1*.gz f) Do not glob includedir %{_includedir}/* Can have conflicts %{_includedir}/botan-3/ would be ok g) The name does not appear to be blocked on PyPI. Perhaps check if upstream would be willing to put the python packages on PyPI
Benson, Thank you for reviewing the package. I believe I addressed all points except for g). I'll be reaching out to upstream about that.
Spec URL: https://gitlab.com/carlosrodfern/botan3-review/-/raw/main/botan3.spec SRPM URL: https://gitlab.com/carlosrodfern/botan3-review/-/jobs/11360351194/artifacts/raw/botan3-3.9.0-1.fc44.src.rpm
Created attachment 2106719 [details] The .spec file difference from Copr build 9552731 to 9557214
Copr build: https://copr.fedorainfracloud.org/coprs/build/9557214 (succeeded) Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2394931-botan3/fedora-rawhide-x86_64/09557214-botan3/fedora-review/review.txt Please take a look if any issues were found. --- This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.
@benson_muite , Could you please see if everything is taken care of? Thank you.
Package Review ============== Legend: [x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated [ ] = Manual review needed ===== MUST items ===== C/C++: [x]: Package does not contain kernel modules. [x]: If your application is a C or C++ application you must list a BuildRequires against gcc, gcc-c++ or clang. [x]: Header files in -devel subpackage, if present. [x]: ldconfig not called in %post and %postun for Fedora 28 and later. [x]: Package does not contain any libtool archives (.la) [x]: Package contains no static executables. [x]: Rpath absent or only used for internal libs. [x]: Development (unversioned) .so files in -devel subpackage, if present. Generic: [x]: Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines. [x]: License field in the package spec file matches the actual license. Note: Checking patched sources after %prep for licenses. Licenses found: "Unknown or generated", "BSD 2-Clause License", "*No copyright* BSD 2-Clause License [generated file]", "*No copyright* BSD 2-Clause License". 2006 files have unknown license. Detailed output of licensecheck in /home/fedora-packaging/reviews/botan3/2394931- botan3/licensecheck.txt [x]: License file installed when any subpackage combination is installed. [ ]: Package must own all directories that it creates. Note: Directories without known owners: /usr/lib/python3.14, /usr/lib/python3.14/site-packages/__pycache__, /usr/lib/python3.14/site-packages [ ]: %build honors applicable compiler flags or justifies otherwise. [x]: Package contains no bundled libraries without FPC exception. [x]: Changelog in prescribed format. [x]: Sources contain only permissible code or content. [-]: Package contains desktop file if it is a GUI application. [x]: Development files must be in a -devel package [x]: Package uses nothing in %doc for runtime. [x]: Package consistently uses macros (instead of hard-coded directory names). [x]: Package is named according to the Package Naming Guidelines. [x]: Package does not generate any conflict. [x]: Package obeys FHS, except libexecdir and /usr/target. [-]: If the package is a rename of another package, proper Obsoletes and Provides are present. [x]: Requires correct, justified where necessary. [x]: Spec file is legible and written in American English. [-]: Package contains systemd file(s) if in need. [ ]: Useful -debuginfo package or justification otherwise. [ ]: Package is not known to require an ExcludeArch tag. [ ]: Large documentation must go in a -doc subpackage. Large could be size (~1MB) or number of files. Note: Documentation size is 52469 bytes in 4 files. [ ]: Package complies to the Packaging Guidelines [x]: Package successfully compiles and builds into binary rpms on at least one supported primary architecture. [x]: Package installs properly. [x]: Rpmlint is run on all rpms the build produces. Note: There are rpmlint messages (see attachment). [x]: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %license. [x]: The License field must be a valid SPDX expression. [x]: Package requires other packages for directories it uses. [x]: Package does not own files or directories owned by other packages. [x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT [x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install. [x]: Macros in Summary, %description expandable at SRPM build time. [x]: Dist tag is present. [x]: Package does not contain duplicates in %files. [x]: Permissions on files are set properly. [x]: Package must not depend on deprecated() packages. [x]: Package use %makeinstall only when make install DESTDIR=... doesn't work. [x]: Package is named using only allowed ASCII characters. [x]: Package does not use a name that already exists. [x]: Package is not relocatable. [x]: Sources used to build the package match the upstream source, as provided in the spec URL. [x]: Spec file name must match the spec package %{name}, in the format %{name}.spec. [x]: File names are valid UTF-8. [x]: Packages must not store files under /srv, /opt or /usr/local Python: [ ]: Python eggs must not download any dependencies during the build process. [ ]: A package which is used by another package via an egg interface should provide egg info. [ ]: Package meets the Packaging Guidelines::Python [x]: Package contains BR: python2-devel or python3-devel [x]: Packages MUST NOT have dependencies (either build-time or runtime) on packages named with the unversioned python- prefix unless no properly versioned package exists. Dependencies on Python packages instead MUST use names beginning with python2- or python3- as appropriate. [x]: Python packages must not contain %{pythonX_site(lib|arch)}/* in %files [x]: Binary eggs must be removed in %prep ===== SHOULD items ===== Generic: [-]: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it. [x]: Final provides and requires are sane (see attachments). [!]: Fully versioned dependency in subpackages if applicable. Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in python3-botan3 [ ]: Package functions as described. [ ]: Latest version is packaged. [x]: Package does not include license text files separate from upstream. [ ]: Package should compile and build into binary rpms on all supported architectures. [ ]: %check is present and all tests pass. [ ]: Packages should try to preserve timestamps of original installed files. [x]: Reviewer should test that the package builds in mock. [x]: Buildroot is not present [x]: Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT) [x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin. [x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file [x]: The placement of pkgconfig(.pc) files are correct. [x]: Sources can be downloaded from URI in Source: tag [x]: SourceX is a working URL. [x]: Sources are verified with gpgverify first in %prep if upstream publishes signatures. [x]: Spec use %global instead of %define unless justified. ===== EXTRA items ===== Generic: [x]: Rpmlint is run on debuginfo package(s). Note: No rpmlint messages. [x]: Rpmlint is run on all installed packages. Note: There are rpmlint messages (see attachment). [x]: Large data in /usr/share should live in a noarch subpackage if package is arched. [x]: Spec file according to URL is the same as in SRPM. Rpmlint ------- Checking: botan3-3.9.0-1.fc44.x86_64.rpm botan3-devel-3.9.0-1.fc44.x86_64.rpm python3-botan3-3.9.0-1.fc44.noarch.rpm botan3-doc-3.9.0-1.fc44.noarch.rpm botan3-3.9.0-1.fc44.src.rpm ============================ rpmlint session starts ============================ rpmlint: 2.7.0 configuration: /usr/lib/python3.13/site-packages/rpmlint/configdefaults.toml /etc/xdg/rpmlint/fedora-spdx-licenses.toml /etc/xdg/rpmlint/fedora.toml /etc/xdg/rpmlint/scoring.toml /etc/xdg/rpmlint/users-groups.toml /etc/xdg/rpmlint/warn-on-functions.toml rpmlintrc: [PosixPath('/tmp/tmp00rzdmtz')] checks: 32, packages: 5 botan3.src: W: strange-permission botan3.spec 666 botan3-devel.x86_64: W: no-documentation python3-botan3.noarch: W: no-documentation botan3.x86_64: W: files-duplicate /usr/share/licenses/botan3/license.txt /usr/share/doc/botan3/license.txt 5 packages and 0 specfiles checked; 0 errors, 4 warnings, 31 filtered, 0 badness; has taken 2.3 s Rpmlint (debuginfo) ------------------- Checking: botan3-debuginfo-3.9.0-1.fc44.x86_64.rpm ============================ rpmlint session starts ============================ rpmlint: 2.7.0 configuration: /usr/lib/python3.13/site-packages/rpmlint/configdefaults.toml /etc/xdg/rpmlint/fedora-spdx-licenses.toml /etc/xdg/rpmlint/fedora.toml /etc/xdg/rpmlint/scoring.toml /etc/xdg/rpmlint/users-groups.toml /etc/xdg/rpmlint/warn-on-functions.toml rpmlintrc: [PosixPath('/tmp/tmp96e47ga_')] checks: 32, packages: 1 1 packages and 0 specfiles checked; 0 errors, 0 warnings, 12 filtered, 0 badness; has taken 4.6 s Rpmlint (installed packages) ---------------------------- ============================ rpmlint session starts ============================ rpmlint: 2.7.0 configuration: /usr/lib/python3.14/site-packages/rpmlint/configdefaults.toml /etc/xdg/rpmlint/fedora-spdx-licenses.toml /etc/xdg/rpmlint/fedora.toml /etc/xdg/rpmlint/scoring.toml /etc/xdg/rpmlint/users-groups.toml /etc/xdg/rpmlint/warn-on-functions.toml checks: 32, packages: 5 botan3-devel.x86_64: W: no-documentation python3-botan3.noarch: W: no-documentation botan3.x86_64: W: files-duplicate /usr/share/licenses/botan3/license.txt /usr/share/doc/botan3/license.txt 5 packages and 0 specfiles checked; 0 errors, 3 warnings, 38 filtered, 0 badness; has taken 1.6 s Source checksums ---------------- https://botan.randombit.net/pgpkey.txt : CHECKSUM(SHA256) this package : 07862f27687739a7ac201759779d361fa6282f0d6f1cb7973c68ebe1f36f54af CHECKSUM(SHA256) upstream package : 07862f27687739a7ac201759779d361fa6282f0d6f1cb7973c68ebe1f36f54af https://botan.randombit.net/releases/Botan-3.9.0.tar.xz.asc : CHECKSUM(SHA256) this package : d3bed356b65ae4ddab168c80989e16392cdfe405b894cb5b6dbf8fd6beb310f0 CHECKSUM(SHA256) upstream package : d3bed356b65ae4ddab168c80989e16392cdfe405b894cb5b6dbf8fd6beb310f0 https://botan.randombit.net/releases/Botan-3.9.0.tar.xz : CHECKSUM(SHA256) this package : 8c3f284b58ddd42e8e43e9fa86a7129d87ea7c3f776a80d3da63ec20722b0883 CHECKSUM(SHA256) upstream package : 8c3f284b58ddd42e8e43e9fa86a7129d87ea7c3f776a80d3da63ec20722b0883 Requires -------- botan3 (rpmlib, GLIBC filtered): libbotan-3.so.9()(64bit) libbz2.so.1()(64bit) libc.so.6()(64bit) libgcc_s.so.1()(64bit) libgcc_s.so.1(GCC_3.0)(64bit) libgcc_s.so.1(GCC_3.3.1)(64bit) libm.so.6()(64bit) libstdc++.so.6()(64bit) libstdc++.so.6(CXXABI_1.3)(64bit) libstdc++.so.6(CXXABI_1.3.11)(64bit) libstdc++.so.6(CXXABI_1.3.13)(64bit) libstdc++.so.6(CXXABI_1.3.15)(64bit) libstdc++.so.6(CXXABI_1.3.2)(64bit) libstdc++.so.6(CXXABI_1.3.3)(64bit) libstdc++.so.6(CXXABI_1.3.5)(64bit) libstdc++.so.6(CXXABI_1.3.7)(64bit) libstdc++.so.6(CXXABI_1.3.9)(64bit) libz.so.1()(64bit) libz.so.1(ZLIB_1.2.2)(64bit) rtld(GNU_HASH) botan3-devel (rpmlib, GLIBC filtered): /usr/bin/pkg-config botan3(x86-64) libbotan-3.so.9()(64bit) python3-botan3 (rpmlib, GLIBC filtered): botan3 python(abi) botan3-doc (rpmlib, GLIBC filtered): Provides -------- botan3: botan3 botan3(x86-64) libbotan-3.so.9()(64bit) botan3-devel: botan3-devel botan3-devel(x86-64) pkgconfig(botan-3) python3-botan3: python-botan3 python3-botan3 python3.14-botan3 botan3-doc: botan3-doc Generated by fedora-review 0.10.0 (e79b66b) last change: 2023-07-24 Command line :/usr/bin/fedora-review -b 2394931 Buildroot used: fedora-rawhide-x86_64 Active plugins: Python, Shell-api, C/C++, Generic Disabled plugins: Java, R, PHP, SugarActivity, fonts, Ocaml, Perl, Haskell Disabled flags: EXARCH, EPEL6, EPEL7, DISTTAG, BATCH Comments: a) Mostly seems ok. Will it need a crypto review? b) Is it possible to leave out the Python package until it is on PyPI? c) Doxygen documentation does not seem to have additional javascript. Can this be packaged instead? Not a blocker. Alternatively, made a pull request to generate texinfo files: https://github.com/randombit/botan/pull/5105 These can be converted to docbook, which can be viewed with Yelp.
a) For what I can gather from the docs[1], it doesn't provide any openssl config or uses the SSL_CTX_set_cipher_list(..) function. It doesn't use any of the gnutls_priority_ function either. b) I opened the ticket upstream[2] four days ago, and I see some activity, but it could take a while. To add some context, this is a major version update of a package that already exists in Fedora and provides a python package, namely botan2. I don't think it would be a very symmetric experience for the users to skip the python package at this point, though. c) The package can use doxygen and sphinx. Sphinx for the handbook, and doxygen for the API. I had doxygen disabled to match the original botan2, but I can add it to the botan3-doc package. [1] https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/#_new_crypto_libraries [2] https://github.com/randombit/botan/issues/5103
a) Ok. Checking with Crypto-team b) The current guidelines seem to require blocking the name on PyPI: https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/#_pypi_parity Checking with python sig c) Adding API documentation maybe helpful for some users. Not a blocker.
Spec URL: https://gitlab.com/carlosrodfern/botan3-review/-/raw/main/botan3.spec SRPM URL: https://gitlab.com/carlosrodfern/botan3-review/-/jobs/11426981031/artifacts/raw/botan3-3.9.0-1.fc44.src.rpm
Created attachment 2107166 [details] The .spec file difference from Copr build 9557214 to 9586685
Copr build: https://copr.fedorainfracloud.org/coprs/build/9586685 (succeeded) Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2394931-botan3/fedora-rawhide-x86_64/09586685-botan3/fedora-review/review.txt Please take a look if any issues were found. --- This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.
Is there a good reason to add a new crypto library to Fedora? This library has been pointed out previously as having several flaws. - it does not support configuration via crypto-policies so it can't be configured to use algorithms consistent with the rest of the systems. - in the past there were architectural issues that made it vulnerable to known side channel attacks (particularly bad for a TLS implementation). - it is not clear to me if this library uses exclusively the system certificate store and behaves properly when the store is updated - at a cursory look upstream I do not see even basic TLS conformance tests using something like tlsfuzzer or similar To be quite honest I do not think Fedora should include yet another TLS library unless there is a very, very, very good reason to do so. What dependency is this package trying to satisfy?
Simo Sorce, I understand the concerns but I believe there are good reasons to keep it in Fedora. It is a popular library that our users can use[1], and making it available allows other packages depending on it to use it or even be incorporated for the first time into Fedora. The version 3 in particular is already making its way into other distros[2] like Alpine, Debian, Gentoo or OpenSUSE. [1] https://en.wikipedia.org/wiki/Botan_(programming_library) [2] https://repology.org/project/botan/versions
Regarding the specific dependencies at this moment in Fedora: $ fedrq whatrequires botan2 botan2-devel-2.19.5-15.fc44.i686 botan2-devel-2.19.5-15.fc44.x86_64 corectrl-1.5.1-2.fc43.x86_64 keepassxc-2.7.10-3.fc43.x86_64 librnp-0.18.0-2.fc43.x86_64 python3-botan2-2.19.5-15.fc44.noarch qownnotes-25.5.10-3.fc43.x86_64 carlos@carlos-desktop ~ $ fedrq whatrequires librnp librnp-devel-0.18.0-2.fc43.x86_64 rnp-0.18.0-2.fc43.x86_64 thunderbird-128.13.0-1.fc43.x86_64
(In reply to Carlos Rodriguez-Fernandez from comment #18) > Simo Sorce, > > I understand the concerns but I believe there are good reasons to keep it in > Fedora. > > It is a popular library that our users can use[1], and making it available > allows other packages depending on it to use it or even be incorporated for > the first time into Fedora. The version 3 in particular is already making > its way into other distros[2] like Alpine, Debian, Gentoo or OpenSUSE. > > > [1] https://en.wikipedia.org/wiki/Botan_(programming_library) > [2] https://repology.org/project/botan/versions about 1) it is here only because Thunderbird dragged it in, it is not really popular, and I wish it remained confined to Thunderbird, and possibly replaced by sequoia which does offer an RNP interface IIRC. Other users should *not use* (if at all possible) crypto libraries that are not quality tested by us, do not integrate with fedora crypto policies, and for which I still do not have answers about TLS integration testing and certificate management. Proliferation of critical security components is *not* a good thing for us. There is absolutely zero need for yet another implementation of TLS and all the cryptography when it brings no additional security, as they do not use a memory safe language, do not seem to have strict conformance test, nor is the code hardened against side channels. In fact, as it stands, this library is a pure liability for us and it's use should be discouraged in Fedora, not promoted.
(In reply to Simo Sorce from comment #20) > (In reply to Carlos Rodriguez-Fernandez from comment #18) > > Simo Sorce, > > > > I understand the concerns but I believe there are good reasons to keep it in > > Fedora. > > > > It is a popular library that our users can use[1], and making it available > > allows other packages depending on it to use it or even be incorporated for > > the first time into Fedora. The version 3 in particular is already making > > its way into other distros[2] like Alpine, Debian, Gentoo or OpenSUSE. > > > > > > [1] https://en.wikipedia.org/wiki/Botan_(programming_library) > > [2] https://repology.org/project/botan/versions > > about 1) it is here only because Thunderbird dragged it in, it is not really > popular, and I wish it remained confined to Thunderbird, and possibly > replaced by sequoia which does offer an RNP interface IIRC. > > Other users should *not use* (if at all possible) crypto libraries that are > not quality tested by us, do not integrate with fedora crypto policies, and > for which I still do not have answers about TLS integration testing and > certificate management. > > Proliferation of critical security components is *not* a good thing for us. > There is absolutely zero need for yet another implementation of TLS and all > the cryptography when it brings no additional security, as they do not use a > memory safe language, do not seem to have strict conformance test, nor is > the code hardened against side channels. > > In fact, as it stands, this library is a pure liability for us and it's use > should be discouraged in Fedora, not promoted. Simo, as far as I understand Fedora is not a development framework, ... it is a distribution for users. How can the statement that "there must be only one library for TLS" be a strong reason why to block any other library that does TLS (botan doesn't just do TLS)? Does this also apply to all the other libraries that give alternative to a functionality?
(In reply to Carlos Rodriguez-Fernandez from comment #21) > Simo, as far as I understand Fedora is not a development framework, ... it > is a distribution for users. How can the statement that "there must be only > one library for TLS" be a strong reason why to block any other library that > does TLS (botan doesn't just do TLS)? Does this also apply to all the other > libraries that give alternative to a functionality? Carlos, please do not try to put words in my mouth in some attempt to win an argument on the internet. Fedora ships 3 different TLS libraries that are curated and tested rigorously (partly by way of inclusion in RHEL), and it is an integrated system that should work coherently as a whole. A distribution is not just a kitchen sink where anything goes and curating 3 different stacks is already a lot, ideally we should reduce that further. Cryptography libraries, unlike other tools, are vital to maintain the privacy and security of our users, therefore any inclusion of cryptographic libraries in Fedora receives extra scrutiny. It is the reason why there is this extra review from the Crypto Team when such a library is proposed. Fedora maintains approved rules about integration with the system in terms of supporting crypto-policies and properly using the system certificate store for which we do not have clear answers yet wrt botan (any version). I care for the quality of what we ship, especially around security and privacy features, which is why I take these reviews seriously.
(In reply to Simo Sorce from comment #22) > Carlos, > please do not try to put words in my mouth in some attempt to win an > argument on the internet. Please, do not make this personal and start thinking evil of my intentions. Let's keep the conversation technical. If I misquoted something from you that I didn't do correctly, feel free to correct it clarifying you didn't say so that way, which then will help me understand your point of view and concerns. > Fedora ships 3 different TLS libraries that are curated and tested > rigorously (partly by way of inclusion in RHEL), and it is an integrated > system that should work coherently as a whole. Is botan, and botan2 included in that TLS list? Those libraries are in Fedora already, and in all main distros, including now botan3 as well. > A distribution is not just a > kitchen sink where anything goes and curating 3 different stacks is already > a lot, ideally we should reduce that further. That's an extreme I am not advocating here, but again, as far as I can see from evidences in Fedora itself, there is no problem in including alternative libraries to thing when it is useful for other apps and for our users as long as follows the packaging guidelines. The Crypto documentation [1], as written right today, wouldn't ban botan3 from Fedora Linux. If so, could you please provide the interpretation of the documentation portion that would grant so? > Cryptography libraries, unlike other tools, are vital to maintain the > privacy and security of our users, therefore any inclusion of cryptographic > libraries in Fedora receives extra scrutiny. It is the reason why there is > this extra review from the Crypto Team when such a library is proposed. Upstream don't just choose libs based on whether they area available in Fedora Linux. If a lib is not, the only struggle will go to the packager who will need to do some hacking specific to Fedora Linux because every major distro already ships or is working on shipping botan3. I understand the need for a process, and the policies, and such, but I don't think the Crypto Policies as written today, would ban botan3, and if so I would love to learn how. > > Fedora maintains approved rules about integration with the system in terms > of supporting crypto-policies and properly using the system certificate > store for which we do not have clear answers yet wrt botan (any version). > I care for the quality of what we ship, especially around security and > privacy features, which is why I take these reviews seriously. We all share the care, and I understand that, but please keep in mind that RedHat is not Fedora. RedHat can exclude botan3 from their distro. [1] https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/#_new_crypto_libraries
(In reply to Carlos Rodriguez-Fernandez from comment #23) > (In reply to Simo Sorce from comment #22) > > Carlos, > > please do not try to put words in my mouth in some attempt to win an > > argument on the internet. > > Please, do not make this personal and start thinking evil of my intentions. > Let's keep the conversation technical. If I misquoted something from you > that I didn't do correctly, feel free to correct it clarifying you didn't > say so that way, which then will help me understand your point of view and > concerns. > > > Fedora ships 3 different TLS libraries that are curated and tested > > rigorously (partly by way of inclusion in RHEL), and it is an integrated > > system that should work coherently as a whole. > > Is botan, and botan2 included in that TLS list? Those libraries are in > Fedora already, and in all main distros, including now botan3 as well. No, none of the botan libraries is, the three vetted libraries are OpenSSL, GnuTLS and NSS. > > A distribution is not just a > > kitchen sink where anything goes and curating 3 different stacks is already > > a lot, ideally we should reduce that further. > > That's an extreme I am not advocating here, but again, as far as I can see > from evidences in Fedora itself, there is no problem in including > alternative libraries to thing when it is useful for other apps and for our > users as long as follows the packaging guidelines. The Crypto documentation > [1], as written right today, wouldn't ban botan3 from Fedora Linux. If so, > could you please provide the interpretation of the documentation portion > that would grant so? I think you may misunderstand what the crypto policies are. Crypto policies is this: https://packages.fedoraproject.org/pkgs/crypto-policies/crypto-policies/ And were introduced in Fedora 21: https://fedoraproject.org/wiki/Changes/CryptoPolicy Unfortunately your link at [1] seem to have lost clarity on this over time, in any case the meaning of the link is that if you introduce a crypto library package that does not conform to crypto policies you have to ask for an exception by the Fedora Packaging Committee which is informed by the Crypto team on what is acceptable or not, then they can decide any way they want and override the recommendations of the Crypto Team. Botan still does not properly support Crypto Policies therefore at each new package review I will keep objecting on its inclusion in Fedora. I also have sever reservations on the quality of this library and therefore its inclusion as a general use library. My understanding is that librnp is the main driver to include this library in Fedora and that librnp supports using OpenSSL as a backend since version 0.16.0, therefore that library should probably use the OpenSSL backend now and not depend eon botan, which removes one of the main reason to have botan in Fedora at all (librnp is used by Thunderbird, which is the main driver to have rnp at all). > > > Cryptography libraries, unlike other tools, are vital to maintain the > > privacy and security of our users, therefore any inclusion of cryptographic > > libraries in Fedora receives extra scrutiny. It is the reason why there is > > this extra review from the Crypto Team when such a library is proposed. > > Upstream don't just choose libs based on whether they area available in > Fedora Linux. If a lib is not, the only struggle will go to the packager who > will need to do some hacking specific to Fedora Linux because every major > distro already ships or is working on shipping botan3. Upstream projects can do what they think best for them, Fedora is not obliged to include everything every package upstream decides on. Where possible we should choose to use the better integrations in terms of security, and for librnp at this point (assuming feature parity) this should be openssl, not botan. I understand there are a couple of other applications that were added just because botan was let through, this is the slippery slope we do *not* want to encourage, excessive proliferation of crypto library is *not* a good thing, the amount of work needed to maintain cryptography secure is not trivial, the only way to do that at the distribution level is to limit the proliferation to what the Crypto Team can maintain properly. Note that this is not just ensuring upstream CVEs are packaged and released timely, we do a lot more than that for Cryptography. We have conformance testing for TLS, we curate crypto-polcies so that TLS is configured properly for the system and weak algorithms and protocol versions are disabled. We curate the CA certificate store so only vetted CAs are allowed on the system. We test for side-channels, and work with upstream to ensure all side-chanels are plugged. We implement and provide patches upstream to improve the integration with the system. We can't do these activities for an unbounded number of libraries, and most Fedora packagers do not have the skills nor the time to perform them on their own, which is why we try to avoid proliferation of low level cryptography and critical security protocol (TLS/SSH) packages. > > I understand the need for a process, and the policies, and such, but I don't > think the Crypto Policies as written today, would ban botan3, and if so I > would love to learn how. See above, Fedora Policy is that all crypto libraries should, at the very least support crypto-policies, especially libraries that implement TLS. > We all share the care, and I understand that, but please keep in mind that > RedHat is not Fedora. RedHat can exclude botan3 from their distro. It is Red Hat not RedHat and this has nothing to do with Red Hat, it has to do with ensuring libraries that have good maintenance and testing within Fedora in order to maintain the security of the system at a good level. > [1] > https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/ > #_new_crypto_libraries
> Unfortunately your link at [1] seem to have lost clarity on this over time, in any case the meaning of the link is that if you introduce a crypto library package that does not conform to crypto policies you have to ask for an exception by the Fedora Packaging Committee which is informed by the Crypto team on what is acceptable or not, then they can decide any way they want and override the recommendations of the Crypto Team. Would this apply to a major release update of an existing package? The only reason it is a new package is because of compatibility. A leaf package wouldn't even need a new review. > Botan still does not properly support Crypto Policies therefore at each new package review I will keep objecting on its inclusion in Fedora. I also have sever reservations on the quality of this library and therefore its inclusion as a general use library. Regarding its quality, I understand your team does a thorough testing but, as example, you say OpenSSL is solid, but if you compare the CVE trends in OpenSSL[1] vs Botan[2], Botan doesn't come out too bad. Yes, those side channel vulnerabilities are there, but so it is the case of OpenSSL with CVE-2022-4304 or CVE-2024-13176, for example. Botan 3 has improved the code to ensure O(1) time complexity on operations in comparison with Botan 2. I did backport the last two timing kind of vulnerabilities in Botan from 3 into 2, CVE-2024-50382 and CVE-2024-50383. For one of them, I did have to develop the fix beyond simple backporting, and the upstream developer was prompt to review it and bless it. The project is very active. In addition to that, there is at least one institution, i.e., German Federal Office for Information Security, that contributed with docs and tests to the project and recommends it for apps with increased security requirements after auditing was done. That is just another piece that shows the numbers of eyes on the project. I understand that in spite of all of that, it is an TLS implementation out of management reach by your team. How does your team do with projects like golang apps that use the golang own tls implementation? Can it be done the same way for these non-openssl libs? > I understand there are a couple of other applications that were added just because botan was let through I do see more from the positive impact perspective, that because Botan was available in Fedora Linux like in other major distros, the packagers were able to add those applications to Fedora Linux with minimal effort. > We curate the CA certificate store so only vetted CAs are allowed on the system. If you are referring to the system cert, yes, Botan 2 and 3 does use the Fedora system cert CA now. It was using the RedHat path, but I submitted a patch to update it to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem [3] and also patched our botan2. Regarding ciphers, Botan does have a policy that can be configured at build time[4], and the file location is passed with the --module-policy option. I wonder if there is something that can be done with that in that respect. Thank you for taking the time to explain all of this. I'm learning more about the crypto team's efforts and vision which I definitely appreciate. [1] https://www.cvedetails.com/vendor/217/ [2] https://www.cvedetails.com/vendor/15841/ [3] https://github.com/randombit/botan/blob/14e54e7a15ae2392fc4f010bb39830cc9d50365d/configure.py#L3212 [4] https://github.com/randombit/botan/tree/master/src/build-data/policy
> German Federal Office for Information Security, that contributed with docs and tests to the project and recommends it for apps with increased security requirements after auditing was done. Forgot to mention the reference for that for Botan 3 [5]. [5] https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Kryptografie/Kryptobibliothek-Botan/kryptobibliothek-botan_node.html Not that that alone is a reason to add it, but that it adds to the confidence that it is a very active and used project with eyes on it.
It looks like with botan3 going out, the other two dependencies, qownnotes[1] and keepassxc[2], will start using it. [1] https://github.com/pbek/QOwnNotes/blob/b3bb0c40f2bc3dda1d74eaac5a3597ae27ece25f/src/libraries/botan/CMakeLists.txt#L18 [2] https://github.com/keepassxreboot/keepassxc/blob/c0ea6f65f934858944a9eae5b584dc8c5ae9471a/CMakeLists.txt#L210
Benson, I went ahead and requested a review by the packaging committee [1] and they gave the green light to proceed with this. I believe I addressed all the other change requests. Would you mind please continuing with the review and if all good approve it? Thank you. [1] https://pagure.io/packaging-committee/issue/1495
Are you able to get a resolution to blocking the name on PyPI? In principle, you could take the name yourself, and transfer it later if needed. Upstream also seems willing to do this, though may need a reminder.
So, I registered the package botan, without any release. The package is findable but not installeable: https://pypi.org/search/?q=botan
I actually did botan2 and botan3 as well since that major version being part of the name is a convention in this project upstream.
Package Review ============== Legend: [x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated [ ] = Manual review needed ===== MUST items ===== C/C++: [x]: Package does not contain kernel modules. [x]: If your application is a C or C++ application you must list a BuildRequires against gcc, gcc-c++ or clang. [x]: Header files in -devel subpackage, if present. [x]: ldconfig not called in %post and %postun for Fedora 28 and later. [x]: Package does not contain any libtool archives (.la) [x]: Package contains no static executables. [x]: Rpath absent or only used for internal libs. [x]: Development (unversioned) .so files in -devel subpackage, if present. Generic: [x]: Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines. [x]: License field in the package spec file matches the actual license. Note: Checking patched sources after %prep for licenses. Licenses found: "Unknown or generated", "BSD 2-Clause License", "*No copyright* BSD 2-Clause License [generated file]", "*No copyright* BSD 2-Clause License". 2006 files have unknown license. Detailed output of licensecheck in /home/fedora-packaging/reviews/botan3/2394931- botan3/licensecheck.txt [!]: License file installed when any subpackage combination is installed. [x]: Package must own all directories that it creates. Note: Directories without known owners: /usr/lib/python3.14, /usr/lib/python3.14/site-packages, /usr/lib/python3.14/site- packages/__pycache__ [x]: %build honors applicable compiler flags or justifies otherwise. [x]: Package contains no bundled libraries without FPC exception. [x]: Changelog in prescribed format. [x]: Sources contain only permissible code or content. [-]: Package contains desktop file if it is a GUI application. [x]: Development files must be in a -devel package [x]: Package uses nothing in %doc for runtime. [x]: Package consistently uses macros (instead of hard-coded directory names). [x]: Package is named according to the Package Naming Guidelines. [x]: Package does not generate any conflict. [x]: Package obeys FHS, except libexecdir and /usr/target. [-]: If the package is a rename of another package, proper Obsoletes and Provides are present. [ ]: Requires correct, justified where necessary. [x]: Spec file is legible and written in American English. [-]: Package contains systemd file(s) if in need. [x]: Useful -debuginfo package or justification otherwise. [x]: Package is not known to require an ExcludeArch tag. [x]: Large documentation must go in a -doc subpackage. Large could be size (~1MB) or number of files. Note: Documentation size is 52469 bytes in 4 files. [ ]: Package complies to the Packaging Guidelines [x]: Package successfully compiles and builds into binary rpms on at least one supported primary architecture. [x]: Package installs properly. [x]: Rpmlint is run on all rpms the build produces. Note: There are rpmlint messages (see attachment). [x]: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %license. [x]: The License field must be a valid SPDX expression. [x]: Package requires other packages for directories it uses. [x]: Package does not own files or directories owned by other packages. [x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT [x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install. [x]: Macros in Summary, %description expandable at SRPM build time. [x]: Dist tag is present. [x]: Package does not contain duplicates in %files. [x]: Permissions on files are set properly. [x]: Package must not depend on deprecated() packages. [x]: Package use %makeinstall only when make install DESTDIR=... doesn't work. [x]: Package is named using only allowed ASCII characters. [x]: Package does not use a name that already exists. [x]: Package is not relocatable. [x]: Sources used to build the package match the upstream source, as provided in the spec URL. [x]: Spec file name must match the spec package %{name}, in the format %{name}.spec. [x]: File names are valid UTF-8. [x]: Packages must not store files under /srv, /opt or /usr/local Python: [-]: Python eggs must not download any dependencies during the build process. [-]: A package which is used by another package via an egg interface should provide egg info. [x]: Package meets the Packaging Guidelines::Python [x]: Package contains BR: python2-devel or python3-devel [x]: Packages MUST NOT have dependencies (either build-time or runtime) on packages named with the unversioned python- prefix unless no properly versioned package exists. Dependencies on Python packages instead MUST use names beginning with python2- or python3- as appropriate. [x]: Python packages must not contain %{pythonX_site(lib|arch)}/* in %files [x]: Binary eggs must be removed in %prep ===== SHOULD items ===== Generic: [-]: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it. [x]: Final provides and requires are sane (see attachments). [ ]: Fully versioned dependency in subpackages if applicable. Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in python3-botan3 [ ]: Package functions as described. [x]: Latest version is packaged. [x]: Package does not include license text files separate from upstream. [x]: Package should compile and build into binary rpms on all supported architectures. [x]: %check is present and all tests pass. [!]: Packages should try to preserve timestamps of original installed files. [x]: Reviewer should test that the package builds in mock. [x]: Buildroot is not present [x]: Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT) [x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin. [x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file [x]: The placement of pkgconfig(.pc) files are correct. [x]: Sources can be downloaded from URI in Source: tag [x]: SourceX is a working URL. [x]: Sources are verified with gpgverify first in %prep if upstream publishes signatures. [x]: Spec use %global instead of %define unless justified. ===== EXTRA items ===== Generic: [x]: Rpmlint is run on debuginfo package(s). Note: No rpmlint messages. [x]: Rpmlint is run on all installed packages. Note: There are rpmlint messages (see attachment). [x]: Large data in /usr/share should live in a noarch subpackage if package is arched. [x]: Spec file according to URL is the same as in SRPM. Rpmlint ------- Checking: botan3-3.9.0-1.fc44.x86_64.rpm botan3-devel-3.9.0-1.fc44.x86_64.rpm python3-botan3-3.9.0-1.fc44.noarch.rpm botan3-doc-3.9.0-1.fc44.noarch.rpm botan3-3.9.0-1.fc44.src.rpm ============================ rpmlint session starts ============================ rpmlint: 2.7.0 configuration: /usr/lib/python3.13/site-packages/rpmlint/configdefaults.toml /etc/xdg/rpmlint/fedora-spdx-licenses.toml /etc/xdg/rpmlint/fedora.toml /etc/xdg/rpmlint/scoring.toml /etc/xdg/rpmlint/users-groups.toml /etc/xdg/rpmlint/warn-on-functions.toml rpmlintrc: [PosixPath('/tmp/tmptj3v2eh_')] checks: 32, packages: 5 botan3.src: W: strange-permission botan3.spec 666 botan3-devel.x86_64: W: no-documentation python3-botan3.noarch: W: no-documentation botan3.x86_64: W: files-duplicate /usr/share/licenses/botan3/license.txt /usr/share/doc/botan3/license.txt 5 packages and 0 specfiles checked; 0 errors, 4 warnings, 32 filtered, 0 badness; has taken 7.2 s Rpmlint (debuginfo) ------------------- Checking: botan3-debuginfo-3.9.0-1.fc44.x86_64.rpm ============================ rpmlint session starts ============================ rpmlint: 2.7.0 configuration: /usr/lib/python3.13/site-packages/rpmlint/configdefaults.toml /etc/xdg/rpmlint/fedora-spdx-licenses.toml /etc/xdg/rpmlint/fedora.toml /etc/xdg/rpmlint/scoring.toml /etc/xdg/rpmlint/users-groups.toml /etc/xdg/rpmlint/warn-on-functions.toml rpmlintrc: [PosixPath('/tmp/tmp52250g4b')] checks: 32, packages: 1 1 packages and 0 specfiles checked; 0 errors, 0 warnings, 12 filtered, 0 badness; has taken 4.4 s Rpmlint (installed packages) ---------------------------- ============================ rpmlint session starts ============================ rpmlint: 2.8.0 configuration: /usr/lib/python3.14/site-packages/rpmlint/configdefaults.toml /etc/xdg/rpmlint/fedora-spdx-licenses.toml /etc/xdg/rpmlint/fedora.toml /etc/xdg/rpmlint/scoring.toml /etc/xdg/rpmlint/users-groups.toml /etc/xdg/rpmlint/warn-on-functions.toml checks: 32, packages: 5 botan3-devel.x86_64: W: no-documentation python3-botan3.noarch: W: no-documentation botan3.x86_64: W: files-duplicate /usr/share/licenses/botan3/license.txt /usr/share/doc/botan3/license.txt 5 packages and 0 specfiles checked; 0 errors, 3 warnings, 39 filtered, 0 badness; has taken 4.6 s Source checksums ---------------- https://botan.randombit.net/pgpkey.txt : CHECKSUM(SHA256) this package : 07862f27687739a7ac201759779d361fa6282f0d6f1cb7973c68ebe1f36f54af CHECKSUM(SHA256) upstream package : 07862f27687739a7ac201759779d361fa6282f0d6f1cb7973c68ebe1f36f54af https://botan.randombit.net/releases/Botan-3.9.0.tar.xz.asc : CHECKSUM(SHA256) this package : d3bed356b65ae4ddab168c80989e16392cdfe405b894cb5b6dbf8fd6beb310f0 CHECKSUM(SHA256) upstream package : d3bed356b65ae4ddab168c80989e16392cdfe405b894cb5b6dbf8fd6beb310f0 https://botan.randombit.net/releases/Botan-3.9.0.tar.xz : CHECKSUM(SHA256) this package : 8c3f284b58ddd42e8e43e9fa86a7129d87ea7c3f776a80d3da63ec20722b0883 CHECKSUM(SHA256) upstream package : 8c3f284b58ddd42e8e43e9fa86a7129d87ea7c3f776a80d3da63ec20722b0883 Requires -------- botan3 (rpmlib, GLIBC filtered): libbotan-3.so.9()(64bit) libbz2.so.1()(64bit) libc.so.6()(64bit) libgcc_s.so.1()(64bit) libgcc_s.so.1(GCC_3.0)(64bit) libgcc_s.so.1(GCC_3.3.1)(64bit) libm.so.6()(64bit) libstdc++.so.6()(64bit) libstdc++.so.6(CXXABI_1.3)(64bit) libstdc++.so.6(CXXABI_1.3.11)(64bit) libstdc++.so.6(CXXABI_1.3.13)(64bit) libstdc++.so.6(CXXABI_1.3.15)(64bit) libstdc++.so.6(CXXABI_1.3.2)(64bit) libstdc++.so.6(CXXABI_1.3.3)(64bit) libstdc++.so.6(CXXABI_1.3.5)(64bit) libstdc++.so.6(CXXABI_1.3.7)(64bit) libstdc++.so.6(CXXABI_1.3.9)(64bit) libz.so.1()(64bit) libz.so.1(ZLIB_1.2.2)(64bit) rtld(GNU_HASH) botan3-devel (rpmlib, GLIBC filtered): /usr/bin/pkg-config botan3(x86-64) libbotan-3.so.9()(64bit) python3-botan3 (rpmlib, GLIBC filtered): botan3 python(abi) botan3-doc (rpmlib, GLIBC filtered): Provides -------- botan3: botan3 botan3(x86-64) libbotan-3.so.9()(64bit) botan3-devel: botan3-devel botan3-devel(x86-64) pkgconfig(botan-3) python3-botan3: python-botan3 python3-botan3 python3.14-botan3 botan3-doc: botan3-doc Generated by fedora-review 0.10.0 (e79b66b) last change: 2023-07-24 Command line :/usr/bin/fedora-review -b 2394931 Buildroot used: fedora-rawhide-x86_64 Active plugins: Python, Generic, Shell-api, C/C++ Disabled plugins: Ocaml, R, Java, fonts, Haskell, Perl, SugarActivity, PHP Disabled flags: EXARCH, EPEL6, EPEL7, DISTTAG, BATCH Comments: a) Please add the license file to the documentation package as it will not be automatically pulled in. b) Koji build: https://koji.fedoraproject.org/koji/taskinfo?taskID=138649689 c) To avoid duplicate files, perhaps change %{_pkgdocdir}/*.txt to %{_pkgdocdir}/authors.txt %{_pkgdocdir}/news.txt %{_pkgdocdir}/pgpkey.txt %license %{_pkgdocdir}/license.txt or do not include license.txt in %{_pkgdocdir} d) Generating texinfo documentation would be give a much nicer desktop experience than html: https://github.com/randombit/botan/pull/5105 Texinfo can also be converted to docbook, which can be viewed using Yelp, not blocking though. e) Please change %{_libdir}/libbotan-%{major_version}.so.9* to %{_libdir}/libbotan-%{major_version}.so.9{,.*} f) To preserve file metadata please use copy2 https://docs.python.org/3/library/shutil.html#shutil.copy in https://github.com/randombit/botan/blob/master/src/scripts/install.py#L126 or augment it with https://docs.python.org/3/library/shutil.html#shutil.copystat https://github.com/randombit/botan/pull/5140 g) Should jitterentropy: https://packages.fedoraproject.org/pkgs/jitterentropy/jitterentropy/ be required during the build? h) Should --enable-stack-scrubbing be added on GCC 14? i) Should --with-tpm2 --with-boost be enabled?
Reply: a) Completed b) -- c) Completed d) The texinfo option hasn't been released yet. I can pull the patch, however, I'm already generating the doxygen api docs and are in HTML. The doc package can't avoid HTML at this point. Does it make sense to remove the existing handbook in HTML? e) Completed. f) Pulled the patch. Completed. g) How would this help during the build? h) Completed i) --with-boost would add an additional runtime dependency on this package. Do you see a lot of value to it? [1] It enables using some Boost libraries. In particular Boost.Filesystem is used for a few operations (but on most platforms, a native API equivalent is available), and Boost.Asio is used to provide a few extra TLS related command line utilities. I could add it if someone that uses the cli significantly asks for that. --with-tpm2 Added. [1] https://github.com/randombit/botan/blob/3.9.0/doc/building.rst#modules-relying-on-third-party-libraries Good points and catches. Thank you for the feedback.
Spec URL: https://gitlab.com/carlosrodfern/botan3-review/-/raw/main/botan3.spec SRPM URL: https://gitlab.com/carlosrodfern/botan3-review/-/jobs/11945147078/artifacts/raw/botan3-3.9.0-1.fc44.src.rpm
Thanks for the updates. A couple more fixes: a) No distinfo directory is created by the python package. This is needed: https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/#_dist_info_metadata By using pyproject.toml, one can generate the metadata: https://github.com/randombit/botan/pull/5040 https://copr.fedorainfracloud.org/coprs/build/9760605 https://koji.fedoraproject.org/koji/taskinfo?taskID=138694911 Also allows one to remove: # Remove shebang sed -e '1{/^#!/d}' -i %{buildroot}%{python3_sitearch}/botan%{major_version}.py # If installs python module in sitearch, move it to sitelib. The py package is noarch, loading the lib dynamically. %if "%{python3_sitelib}" != "%{python3_sitearch}" mkdir -p %{buildroot}%{python3_sitelib} mv %{buildroot}%{python3_sitearch}/botan%{major_version}.py %{buildroot}%{python3_sitelib}/botan%{major_version}.py %endif May also want to comment on: https://github.com/randombit/botan/pull/5040 if you see a need for futher changes. b) Please add a link to the pull request for the install-fix.patch
(In reply to Carlos Rodriguez-Fernandez from comment #33) > Reply: > > d) The texinfo option hasn't been released yet. I can pull the patch, > however, I'm already generating the doxygen api docs and are in HTML. The > doc package can't avoid HTML at this point. Does it make sense to remove the > existing handbook in HTML? No, leave as is. > g) How would this help during the build? Is this a better source of randomness? > i) --with-boost would add an additional runtime dependency on this package. > Do you see a lot of value to it? [1] > > It enables using some Boost libraries. In particular Boost.Filesystem is > used for a few operations (but on most platforms, a > native API equivalent is available), and Boost.Asio is used to provide a > few extra TLS related command line utilities. > > I could add it if someone that uses the cli significantly asks for that. > Ok. > > Good points and catches. Thank you for the feedback.
It is also suggested to enable sqlite: https://botan.randombit.net/handbook/packaging.html cmake files are helpful for consuming applications May want to set CA certificate locations manually
Created attachment 2112500 [details] The .spec file difference from Copr build 9586685 to 9762672
Copr build: https://copr.fedorainfracloud.org/coprs/build/9762672 (succeeded) Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2394931-botan3/fedora-rawhide-x86_64/09762672-botan3/fedora-review/review.txt Please take a look if any issues were found. --- This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.
Spec URL: https://gitlab.com/carlosrodfern/botan3-review/-/raw/main/botan3.spec SRPM URL: https://gitlab.com/carlosrodfern/botan3-review/-/jobs/11975873637/artifacts/raw/botan3-3.9.0-1.fc44.src.rpm
Good catch about the CA. I had submitted a patch but wasn't in 3.9.0 yet. I added the sqlite3, and link to the PR to the patch. I enabled the jitter. It didn't click at first that botan had support for it in the source code. Nice job on providing the pyproject.toml for this project. I'll look into that next.
Created attachment 2112714 [details] The .spec file difference from Copr build 9762672 to 9766311
Copr build: https://copr.fedorainfracloud.org/coprs/build/9766311 (succeeded) Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2394931-botan3/fedora-rawhide-x86_64/09766311-botan3/fedora-review/review.txt Please take a look if any issues were found. --- This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.
(In reply to Carlos Rodriguez-Fernandez from comment #41) > Good catch about the CA. I had submitted a patch but wasn't in 3.9.0 yet. I > added the sqlite3, and link to the PR to the patch. I enabled the jitter. It > didn't click at first that botan had support for it in the source code. Thanks. > Nice job on providing the pyproject.toml for this project. I'll look into > that next. Great, can review once done. Consider also changing --without-cmake-config to --with-cmake-config
Spec URL: https://gitlab.com/carlosrodfern/botan3-review/-/raw/main/botan3.spec SRPM URL: https://gitlab.com/carlosrodfern/botan3-review/-/jobs/12023781184/artifacts/raw/botan3-3.9.0-1.fc44.src.rp
Spec URL: https://gitlab.com/carlosrodfern/botan3-review/-/raw/main/botan3.spec SRPM URL: https://gitlab.com/carlosrodfern/botan3-review/-/jobs/12023781184/artifacts/raw/botan3-3.9.0-1.fc44.src.rpm
Hi Benson, I think it is all in a good place now. Let me know. Thank you!
Created attachment 2113456 [details] The .spec file difference from Copr build 9766311 to 9780742
Copr build: https://copr.fedorainfracloud.org/coprs/build/9780742 (succeeded) Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2394931-botan3/fedora-rawhide-x86_64/09780742-botan3/fedora-review/review.txt Please take a look if any issues were found. --- This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.
Package Review ============== Legend: [x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated [ ] = Manual review needed ===== MUST items ===== C/C++: [x]: Package does not contain kernel modules. [x]: If your application is a C or C++ application you must list a BuildRequires against gcc, gcc-c++ or clang. [x]: Header files in -devel subpackage, if present. [x]: ldconfig not called in %post and %postun for Fedora 28 and later. [x]: Package does not contain any libtool archives (.la) [x]: Package contains no static executables. [x]: Rpath absent or only used for internal libs. [x]: Development (unversioned) .so files in -devel subpackage, if present. Generic: [x]: Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines. [x]: License field in the package spec file matches the actual license. Note: Checking patched sources after %prep for licenses. Licenses found: "Unknown or generated", "BSD 2-Clause License", "*No copyright* BSD 2-Clause License [generated file]", "*No copyright* BSD 2-Clause License". 2007 files have unknown license. Detailed output of licensecheck in /home/fedora-packaging/reviews/botan3/2394931- botan3/licensecheck.txt [x]: License file installed when any subpackage combination is installed. [!]: Package must own all directories that it creates. Note: Directories without known owners: /usr/lib64/cmake, /usr/lib/python3.14/site-packages/__pycache__, /usr/lib/python3.14, /usr/lib/python3.14/site-packages [x]: %build honors applicable compiler flags or justifies otherwise. [x]: Package contains no bundled libraries without FPC exception. [x]: Changelog in prescribed format. [x]: Sources contain only permissible code or content. [-]: Package contains desktop file if it is a GUI application. [x]: Development files must be in a -devel package [x]: Package uses nothing in %doc for runtime. [x]: Package consistently uses macros (instead of hard-coded directory names). [x]: Package is named according to the Package Naming Guidelines. [x]: Package does not generate any conflict. [x]: Package obeys FHS, except libexecdir and /usr/target. [x]: If the package is a rename of another package, proper Obsoletes and Provides are present. [x]: Requires correct, justified where necessary. [x]: Spec file is legible and written in American English. [-]: Package contains systemd file(s) if in need. [x]: Useful -debuginfo package or justification otherwise. [x]: Package is not known to require an ExcludeArch tag. [x]: Large documentation must go in a -doc subpackage. Large could be size (~1MB) or number of files. Note: Documentation size is 51158 bytes in 3 files. [ ]: Package complies to the Packaging Guidelines [x]: Package successfully compiles and builds into binary rpms on at least one supported primary architecture. [x]: Package installs properly. [x]: Rpmlint is run on all rpms the build produces. Note: There are rpmlint messages (see attachment). [x]: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %license. [x]: The License field must be a valid SPDX expression. [x]: Package requires other packages for directories it uses. [x]: Package does not own files or directories owned by other packages. [x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT [x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install. [x]: Macros in Summary, %description expandable at SRPM build time. [x]: Dist tag is present. [x]: Package does not contain duplicates in %files. [x]: Permissions on files are set properly. [x]: Package must not depend on deprecated() packages. [x]: Package use %makeinstall only when make install DESTDIR=... doesn't work. [x]: Package is named using only allowed ASCII characters. [x]: Package does not use a name that already exists. [x]: Package is not relocatable. [x]: Sources used to build the package match the upstream source, as provided in the spec URL. [x]: Spec file name must match the spec package %{name}, in the format %{name}.spec. [x]: File names are valid UTF-8. [x]: Packages must not store files under /srv, /opt or /usr/local Python: [-]: Python eggs must not download any dependencies during the build process. [-]: A package which is used by another package via an egg interface should provide egg info. [ ]: Package meets the Packaging Guidelines::Python [x]: Package contains BR: python2-devel or python3-devel [x]: Packages MUST NOT have dependencies (either build-time or runtime) on packages named with the unversioned python- prefix unless no properly versioned package exists. Dependencies on Python packages instead MUST use names beginning with python2- or python3- as appropriate. [x]: Python packages must not contain %{pythonX_site(lib|arch)}/* in %files [x]: Binary eggs must be removed in %prep ===== SHOULD items ===== Generic: [-]: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it. [x]: Final provides and requires are sane (see attachments). [ ]: Fully versioned dependency in subpackages if applicable. Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in python3-botan3 [ ]: Package functions as described. [x]: Latest version is packaged. [x]: Package does not include license text files separate from upstream. [x]: Patches link to upstream bugs/comments/lists or are otherwise justified. [x]: Package should compile and build into binary rpms on all supported architectures. [x]: %check is present and all tests pass. [x]: Packages should try to preserve timestamps of original installed files. [x]: Reviewer should test that the package builds in mock. [x]: Buildroot is not present [x]: Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT) [x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin. [x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file [x]: The placement of pkgconfig(.pc) files are correct. [x]: Sources can be downloaded from URI in Source: tag [x]: SourceX is a working URL. [x]: Sources are verified with gpgverify first in %prep if upstream publishes signatures. [x]: Spec use %global instead of %define unless justified. ===== EXTRA items ===== Generic: [x]: Rpmlint is run on debuginfo package(s). Note: No rpmlint messages. [x]: Rpmlint is run on all installed packages. Note: There are rpmlint messages (see attachment). [x]: Large data in /usr/share should live in a noarch subpackage if package is arched. [x]: Spec file according to URL is the same as in SRPM. Rpmlint ------- Checking: botan3-3.9.0-1.fc44.x86_64.rpm botan3-devel-3.9.0-1.fc44.x86_64.rpm python3-botan3-3.9.0-1.fc44.noarch.rpm botan3-doc-3.9.0-1.fc44.noarch.rpm botan3-3.9.0-1.fc44.src.rpm ============================ rpmlint session starts ============================ rpmlint: 2.7.0 configuration: /usr/lib/python3.13/site-packages/rpmlint/configdefaults.toml /etc/xdg/rpmlint/fedora-spdx-licenses.toml /etc/xdg/rpmlint/fedora.toml /etc/xdg/rpmlint/scoring.toml /etc/xdg/rpmlint/users-groups.toml /etc/xdg/rpmlint/warn-on-functions.toml rpmlintrc: [PosixPath('/tmp/tmpt_fol1qp')] checks: 32, packages: 5 botan3.src: W: strange-permission botan3.spec 666 botan3.src: W: strange-permission install-fix.patch 666 botan3.src: W: strange-permission pyproject.patch 666 python3-botan3.noarch: E: non-executable-script /usr/lib/python3.14/site-packages/botan3.py 644 /usr/bin/env python3 botan3-devel.x86_64: W: no-documentation python3-botan3.noarch: W: no-documentation 5 packages and 0 specfiles checked; 1 errors, 5 warnings, 31 filtered, 1 badness; has taken 7.5 s Rpmlint (debuginfo) ------------------- Checking: botan3-debuginfo-3.9.0-1.fc44.x86_64.rpm ============================ rpmlint session starts ============================ rpmlint: 2.7.0 configuration: /usr/lib/python3.13/site-packages/rpmlint/configdefaults.toml /etc/xdg/rpmlint/fedora-spdx-licenses.toml /etc/xdg/rpmlint/fedora.toml /etc/xdg/rpmlint/scoring.toml /etc/xdg/rpmlint/users-groups.toml /etc/xdg/rpmlint/warn-on-functions.toml rpmlintrc: [PosixPath('/tmp/tmplgt6zt0e')] checks: 32, packages: 1 1 packages and 0 specfiles checked; 0 errors, 0 warnings, 12 filtered, 0 badness; has taken 4.5 s Rpmlint (installed packages) ---------------------------- ============================ rpmlint session starts ============================ rpmlint: 2.8.0 configuration: /usr/lib/python3.14/site-packages/rpmlint/configdefaults.toml /etc/xdg/rpmlint/fedora-spdx-licenses.toml /etc/xdg/rpmlint/fedora.toml /etc/xdg/rpmlint/scoring.toml /etc/xdg/rpmlint/users-groups.toml /etc/xdg/rpmlint/warn-on-functions.toml checks: 32, packages: 5 python3-botan3.noarch: E: non-executable-script /usr/lib/python3.14/site-packages/botan3.py 644 /usr/bin/env python3 python3-botan3.noarch: W: no-documentation botan3-devel.x86_64: W: no-documentation 5 packages and 0 specfiles checked; 1 errors, 2 warnings, 39 filtered, 1 badness; has taken 4.6 s Source checksums ---------------- https://botan.randombit.net/pgpkey.txt : CHECKSUM(SHA256) this package : 07862f27687739a7ac201759779d361fa6282f0d6f1cb7973c68ebe1f36f54af CHECKSUM(SHA256) upstream package : 07862f27687739a7ac201759779d361fa6282f0d6f1cb7973c68ebe1f36f54af https://botan.randombit.net/releases/Botan-3.9.0.tar.xz.asc : CHECKSUM(SHA256) this package : d3bed356b65ae4ddab168c80989e16392cdfe405b894cb5b6dbf8fd6beb310f0 CHECKSUM(SHA256) upstream package : d3bed356b65ae4ddab168c80989e16392cdfe405b894cb5b6dbf8fd6beb310f0 https://botan.randombit.net/releases/Botan-3.9.0.tar.xz : CHECKSUM(SHA256) this package : 8c3f284b58ddd42e8e43e9fa86a7129d87ea7c3f776a80d3da63ec20722b0883 CHECKSUM(SHA256) upstream package : 8c3f284b58ddd42e8e43e9fa86a7129d87ea7c3f776a80d3da63ec20722b0883 Requires -------- botan3 (rpmlib, GLIBC filtered): libbotan-3.so.9()(64bit) libbz2.so.1()(64bit) libc.so.6()(64bit) libgcc_s.so.1()(64bit) libgcc_s.so.1(GCC_14.0.0)(64bit) libgcc_s.so.1(GCC_3.0)(64bit) libgcc_s.so.1(GCC_3.3.1)(64bit) libjitterentropy.so.3()(64bit) libm.so.6()(64bit) libsqlite3.so.0()(64bit) libstdc++.so.6()(64bit) libstdc++.so.6(CXXABI_1.3)(64bit) libstdc++.so.6(CXXABI_1.3.11)(64bit) libstdc++.so.6(CXXABI_1.3.13)(64bit) libstdc++.so.6(CXXABI_1.3.15)(64bit) libstdc++.so.6(CXXABI_1.3.2)(64bit) libstdc++.so.6(CXXABI_1.3.3)(64bit) libstdc++.so.6(CXXABI_1.3.5)(64bit) libstdc++.so.6(CXXABI_1.3.7)(64bit) libstdc++.so.6(CXXABI_1.3.9)(64bit) libtss2-esys.so.0()(64bit) libtss2-mu.so.0()(64bit) libtss2-rc.so.0()(64bit) libtss2-tctildr.so.0()(64bit) libz.so.1()(64bit) libz.so.1(ZLIB_1.2.2)(64bit) rtld(GNU_HASH) botan3-devel (rpmlib, GLIBC filtered): /usr/bin/pkg-config botan3(x86-64) libbotan-3.so.9()(64bit) python3-botan3 (rpmlib, GLIBC filtered): botan3 python(abi) botan3-doc (rpmlib, GLIBC filtered): Provides -------- botan3: botan3 botan3(x86-64) libbotan-3.so.9()(64bit) botan3-devel: botan3-devel botan3-devel(x86-64) pkgconfig(botan-3) python3-botan3: python-botan3 python3-botan3 python3.14-botan3 python3.14dist(botan3) python3dist(botan3) botan3-doc: botan3-doc Generated by fedora-review 0.10.0 (e79b66b) last change: 2023-07-24 Command line :/usr/bin/fedora-review -b 2394931 Buildroot used: fedora-rawhide-x86_64 Active plugins: Shell-api, C/C++, Python, Generic Disabled plugins: SugarActivity, Ocaml, fonts, Java, R, PHP, Perl, Haskell Disabled flags: EXARCH, EPEL6, EPEL7, DISTTAG, BATCH Comments: a) Consider changing: %{_libdir}/cmake/Botan-%{version} %{_includedir}/botan-%{major_version} %{_pkgdocdir}/handbook %{_pkgdocdir}/doxygen to %{_libdir}/cmake/Botan-%{version}/ %{_includedir}/botan-%{major_version}/ %{_pkgdocdir}/handbook/ %{_pkgdocdir}/doxygen/ so that it is clear they are directories. b) To ensure directory ownership, the devel subpackage should require cmake-filesystem c) The python package should also require python3-libs, this should happen automatically, but for some reason the review tool is still giving an error. d) Please remove the shebang line in src/python/botan3.py have used: sed -i "s|#!/usr/bin/env python3||g" src/python/botan3.py but a patch would be better. Associated pull request: https://github.com/randombit/botan/pull/5152 e) Koji build: https://koji.fedoraproject.org/koji/taskinfo?taskID=138806662 f) Approved. Please fix (b), (c) and (d) before import. Consider also fixing (a).
Spec URL: https://gitlab.com/carlosrodfern/botan3-review/-/raw/main/botan3.spec SRPM URL: https://gitlab.com/carlosrodfern/botan3-review/-/jobs/12035286923/artifacts/raw/botan3-3.9.0-1.fc44.src.rpm
The Pagure repository was created at https://src.fedoraproject.org/rpms/botan3
I addressed the last points. Thank you Benson for the detailed review!
FEDORA-2025-26f7841714 (botan3-3.9.0-2.fc44) has been submitted as an update to Fedora 44. https://bodhi.fedoraproject.org/updates/FEDORA-2025-26f7841714
FEDORA-2025-26f7841714 (botan3-3.9.0-2.fc44) has been pushed to the Fedora 44 stable repository. If problem still persists, please make note of it in this bug report.