Spec URL: https://sarroutb.fedorapeople.org/clevis-pin-trustee.spec
SRPM URL: https://sarroutb.fedorapeople.org/clevis-pin-trustee-0.0.1-1.fc44.src.rpm
Description: clevis-pin-trustee is a Clevis PIN that implements encryption and decryption operations using remote attestation via a Trustee server. It enables automated unlocking of LUKS-encrypted volumes in confidential computing environments by fetching encryption keys from Trustee servers after successful attestation.
Fedora Account System Username: sarroutb
Copr build: https://copr.fedorainfracloud.org/coprs/build/10042076 (succeeded)
Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2431593-clevis-pin-trustee/fedora-rawhide-x86_64/10042076-clevis-pin-trustee/fedora-review/review.txt
Found issues:
- clevis-pin-trustee-fedora.spec should be clevis-pin-trustee.spec
  Read more: https://docs.fedoraproject.org/en-US/packaging-guidelines/#_spec_file_naming
Please know that there can be false-positives.
---
This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service
If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.
The spec file should be named clevis-pin-trustee.spec (no "-fedora"). Also, please fix the permissions on your spec file so it can be viewed.

Drop %global debug_package %{nil}. That is for rust crate "libraries", where this is a real binary which should have debuginfo.

The rust-packaging name is old; use BuildRequires: cargo-rpm-macros instead.

Any reason not to use rpmautospec?

There should be a comment stating why BuildRequires: rust-tempfile+default-devel is necessary, as generally %cargo_generate_buildrequires should handle all such deps.

As this produces a binary, %cargo_license_summary and %cargo_license need to be used as documented at https://docs.fedoraproject.org/en-US/packaging-guidelines/Rust/ . This will also affect the License tag.

Hello. Thanks for your review @yselkowi. I implemented all the changes required: 1 - Changed permissions of .spec file 2 - Renamed the file to clevis-pin-trustee.spec 3 - Removed %global debug_package %{nil} 4 - Changed BuildRequires: rust-packaging to use BuildRequires: cargo-rpm-macros instead. 5 - Included %autorelease and %autochangelog 6 - Commented about the requirement to use rust-tempfile+default-devel The patch for all these changes is as follows: --- clevis-pin-trustee-fedora.spec 2026-01-21 13:46:48.443210537 +0100 +++ clevis-pin-trustee.spec 2026-01-22 11:25:22.459306575 +0100 @@ -2,24 +2,22 @@ # # SPDX-License-Identifier: MIT -# Disable debuginfo generation for Rust binaries -%global debug_package %{nil} - # Fedora: Use system Rust libraries as josekit 0.7.4+ is available %global bundled_rust_deps 0 Name: clevis-pin-trustee Version: 0.1.0 -Release: 1%{?dist} +Release: %autorelease Summary: Clevis PIN for Trustee attestation License: MIT URL: https://github.com/sarroutbi/clevis-pin-trustee Source0: https://github.com/sarroutbi/%{name}/archive/refs/tags/v%{version}.tar.gz -BuildRequires: rust-packaging >= 25 +BuildRequires: cargo-rpm-macros BuildRequires: openssl-devel -BuildRequires: rust-tempfile+default-devel +# rust-tempfile required for test execution +BuildRequires: rust-tempfile+default-devel # Runtime dependencies Requires: clevis @@ -62,9 +60,4 @@ %{_bindir}/clevis-decrypt-trustee %changelog -* Wed Nov 26 2025 Sergio Arroutbi <sarroutb> - 0.1.0-1 -- Initial release -- Clevis PIN for Trustee attestation -- Support for multiple Trustee server URLs with failover -- Certificate-based TLS authentication -- Optional initdata for attestation context +%autochangelog
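Review bot: In the BuildRequires hunk, rust-tempfile+default-devel stays hard-coded, with only a comment saying it is needed for test execution. If it is a test-only dependency, pass -t to %cargo_generate_buildrequires so the generator emits it, rather than pinning the crate by hand where it can drift from the upstream dev-dependencies. The context lines also still show Version: 0.1.0, while the SRPM submitted for this review is named clevis-pin-trustee-0.0.1-1.fc44.src.rpm; the two should agree.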
This one still needs to be fixed:

> As this produces a binary, %cargo_license_summary and %cargo_license need to
> be used as documented at
> https://docs.fedoraproject.org/en-US/packaging-guidelines/Rust/ .
> This will also affect the License tag.

Hello. I uploaded the file as expected. I also pointed file to appropriate release and version. Let me attach updated diff: --- clevis-pin-trustee.working.in.copr.spec 2026-01-23 11:10:22.274017058 +0100 +++ clevis-pin-trustee.spec 2026-01-23 12:06:46.232203160 +0100 @@ -6,13 +6,14 @@ %global bundled_rust_deps 0 Name: clevis-pin-trustee -Version: 0.1.0 +Version: 0.0.1 Release: %autorelease Summary: Clevis PIN for Trustee attestation -License: MIT -URL: https://github.com/sarroutbi/clevis-pin-trustee -Source0: https://github.com/sarroutbi/%{name}/archive/refs/tags/v%{version}.tar.gz +# License covers both source and all statically-linked dependencies +License: MIT AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND BSL-1.0 AND Unicode-3.0 AND Unicode-DFS-2016 AND Unlicense AND 0BSD AND Zlib +URL: https://github.com/latchset/clevis-pin-trustee +Source0: https://github.com/latchset/%{name}/archive/refs/tags/v%{version}.tar.gz BuildRequires: cargo-rpm-macros BuildRequires: openssl-devel @@ -37,6 +38,10 @@ %cargo_generate_buildrequires %build +# Generate license information for statically-linked dependencies +%cargo_license_summary +%cargo_license + # Build using cargo macros %cargo_build Regarding licensing, I extracted information from next COPR build: https://copr.fedorainfracloud.org/coprs/sarroutb/clevis-pin-trustee-fedora/build/10049798/
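Review bot: In the %build hunk, %cargo_license_summary and %cargo_license are placed before %cargo_build, and the output of %cargo_license is not written anywhere, so nothing from it can be shipped with the package. Move both after %cargo_build, redirect the second into a file using the braced form (%{cargo_license} > LICENSE.dependencies), and list that file with %license in %files. In the first hunk, the summary the License tag was derived from should sit as a comment above the tag so the expression can be checked against it.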
The output of %cargo_license_summary (not including the BEGIN/END lines) should be posted as a comment above the License tag. I don't believe your License tag is quite right though, see https://docs.fedoraproject.org/en-US/legal/license-field/#_special_rules_for_or_expressions As documented in the guidelines, the output of %cargo_license should be redirected to a file which is then included in the packages. IOW: -%cargo_license +%{cargo_license} > LICENSE.dependencies and then add this to %files: %license LICENSE.dependencies
I uploaded a new version with next changes, as suggested: -- clevis-pin-trustee.spec 2026-01-26 10:26:28.143400243 +0100 +++ clevis-pin-trustee.202601261025.spec 2026-01-26 10:25:45.665429029 +0100 @@ -10,8 +10,18 @@ Release: %autorelease Summary: Clevis PIN for Trustee attestation -# License covers both source and all statically-linked dependencies -License: MIT AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND BSL-1.0 AND Unicode-3.0 AND Unicode-DFS-2016 AND Unlicense AND 0BSD AND Zlib AND ISC AND (Apache-2.0 WITH LLVM-exception) +# (Apache-2.0 OR MIT) AND BSD-3-Clause +# (MIT OR Apache-2.0) AND Unicode-DFS-2016 +# 0BSD OR MIT OR Apache-2.0 +# Apache-2.0 +# Apache-2.0 OR BSL-1.0 +# Apache-2.0 OR MIT +# BSD-2-Clause OR Apache-2.0 OR MIT +# MIT +# MIT OR Apache-2.0 +# MIT OR Zlib OR Apache-2.0 +# Unicode-3.0 +License: Apache-2.0 AND BSD-3-Clause AND Unicode-DFS-2016 AND Unicode-3.0 AND ISC AND (Apache-2.0 WITH LLVM-exception) URL: https://github.com/latchset/clevis-pin-trustee Source0: https://github.com/latchset/%{name}/archive/refs/tags/v%{version}.tar.gz @@ -40,7 +50,7 @@ %build # Generate license information for statically-linked dependencies %cargo_license_summary -%cargo_license +%cargo_license > LICENSE.dependencies # Build using cargo macros %cargo_build 
@@ -58,7 +68,7 @@ %cargo_test %files -%license LICENSES/MIT.txt +%license LICENSE.dependencies %doc README.md %{_bindir}/%{name} %{_bindir}/clevis-encrypt-trustee Let me justify License selection: # Upstream license specification: MIT # # Resolved license choices from vendored dependencies: # - For "MIT OR Apache-2.0" → chose Apache-2.0 # - For "0BSD OR MIT OR Apache-2.0" → chose Apache-2.0 # - For "BSD-2-Clause OR Apache-2.0 OR MIT" → chose Apache-2.0 # - For "Apache-2.0 OR BSL-1.0" → chose Apache-2.0 # - For "MIT OR Zlib OR Apache-2.0" → chose Apache-2.0 # # Required AND combinations: # - encoding_rs: (chose Apache-2.0) AND BSD-3-Clause # - regex-syntax: (chose Apache-2.0) AND Unicode-DFS-2016 # - ring: Apache-2.0 AND ISC # - Other mandatory licenses: Unicode-3.0, Apache-2.0 WITH LLVM-exception #
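Review bot: In the %files hunk, %license LICENSES/MIT.txt is replaced rather than kept, and the new License tag in the first hunk no longer contains MIT even though MIT appears on its own in the summary comment directly above it; the package's own license text and identifier should stay. The new tag also carries ISC and Apache-2.0 WITH LLVM-exception, neither of which appears in the pasted summary, so either the summary is incomplete or those operands need a comment saying where they come from.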
(In reply to Sergio Arroutbi from comment #7) > -%cargo_license > +%cargo_license > LICENSE.dependencies If you had tried building this (e.g. fedpkg mockbuild), you would see that this doesn't work. The macro syntax requires that it be delineated for the redirection to work, per my comment earlier: %{cargo_license} > LICENSE.dependencies > %files > -%license LICENSES/MIT.txt > +%license LICENSE.dependencies Don't remove the first line, just add the second. > Let me justify License selection: Nope, please review: https://docs.fedoraproject.org/en-US/legal/license-field/#_no_effective_license_analysis https://docs.fedoraproject.org/en-US/legal/license-field/#_special_rules_for_or_expressions
(In reply to Yaakov Selkowitz from comment #8) > (In reply to Sergio Arroutbi from comment #7) > > -%cargo_license > > +%cargo_license > LICENSE.dependencies > > If you had tried building this (e.g. fedpkg mockbuild), you would see that > this doesn't work. The macro syntax requires that it be delineated for the > redirection to work, per my comment earlier: > > %{cargo_license} > LICENSE.dependencies Not sure what you mean with this. I built this through Copr and build worked appropriately: https://copr.fedorainfracloud.org/coprs/sarroutb/clevis-pin-trustee-fedora/build/10057529/ > > > %files > > -%license LICENSES/MIT.txt > > +%license LICENSE.dependencies > > Don't remove the first line, just add the second. > > > Let me justify License selection: > > Nope, please review: > > https://docs.fedoraproject.org/en-US/legal/license-field/ > #_no_effective_license_analysis > https://docs.fedoraproject.org/en-US/legal/license-field/ > #_special_rules_for_or_expressions Sorry, but I am a little bit lost. Could I ask to be more specific regarding what is incorrect or provide a similar Rust package to check what is required/missing?
I have applied next patch: --- clevis-pin-trustee.spec.202601271117 2026-01-26 10:26:28.143400243 +0100 +++ clevis-pin-trustee.spec 2026-01-27 12:09:51.970794917 +0100 @@ -10,8 +10,24 @@ Release: %autorelease Summary: Clevis PIN for Trustee attestation -# License covers both source and all statically-linked dependencies -License: MIT AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND BSL-1.0 AND Unicode-3.0 AND Unicode-DFS-2016 AND Unlicense AND 0BSD AND Zlib AND ISC AND (Apache-2.0 WITH LLVM-exception) +# Upstream license specification: MIT +# +# The build dependencies have the following licenses: +# +# (Apache-2.0 or MIT) and BSD-3-Clause +# (MIT or Apache-2.0) and Unicode-DFS-2016 +# 0BSD or MIT or Apache-2.0 +# Apache-2.0 +# Apache-2.0 or BSL-1.0 +# Apache-2.0 or MIT +# BSD-2-Clause or Apache-2.0 or MIT +# MIT +# MIT or Apache-2.0 +# MIT or Zlib or Apache-2.0 +# Unicode-3.0 +# Unlicense or MIT +# +License: (Apache-2.0 OR MIT) AND BSD-3-Clause AND (MIT OR Apache-2.0) AND Unicode-DFS-2016 AND (0BSD OR MIT OR Apache-2.0) AND Apache-2.0 AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR MIT) AND (BSD-2-Clause OR Apache-2.0 OR MIT) AND MIT AND (MIT OR Apache-2.0) AND (MIT OR Zlib OR Apache-2.0) AND Unicode-3.0 AND (Unlicense OR MIT) AND CC0-1.0 URL: https://github.com/latchset/clevis-pin-trustee Source0: https://github.com/latchset/%{name}/archive/refs/tags/v%{version}.tar.gz @@ -46,6 +62,9 @@ %cargo_build %install +# Generate license file for bundled dependencies +%{cargo_license} > LICENSE.dependencies + # Install main binary install -D -m 0755 target/release/%{name} %{buildroot}%{_bindir}/%{name} 
@@ -59,6 +78,7 @@ %files %license LICENSES/MIT.txt +%license LICENSE.dependencies %doc README.md %{_bindir}/%{name} %{_bindir}/clevis-encrypt-trustee Justification: 1. No Effective License Analysis (No Simplification): Per the https://docs.fedoraproject.org/en-US/legal/license-field/#_no_effective_license_analysis: "you should not attempt to simplify or reduce the License: tag license expression" How we apply this: - We enumerate all license expressions found in the source code and dependencies without reduction - We preserve expressions like (Apache-2.0 OR MIT) even though both Apache-2.0 and MIT appear standalone elsewhere - We keep both (Apache-2.0 OR MIT) and (MIT OR Apache-2.0) as distinct expressions (different dependencies declared them in different orders) - We don't apply algebraic simplification, compatibility analysis, or license theory to reduce the expression 2. Special Rules for OR Expressions (Preserve Recipient Choice) Per the https://docs.fedoraproject.org/en-US/legal/license-field/#_special_rules_for_or_expressions: "All the license operands of an OR expression should be preserved, but only to the extent that those license operands are allowed" How we apply this: - OR expressions represent the recipient's choice of which license to use for that particular component - We preserve all OR expressions exactly as declared in the dependencies - We only exclude disallowed licenses from OR expressions (none in this case - all licenses are Fedora-approved) - We don't arbitrarily select one license from an OR expression
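Review bot: In the License hunk, the tag ends with CC0-1.0, which is not in the dependency list written above it, and it repeats the same choice in both operand orders ((Apache-2.0 OR MIT) and (MIT OR Apache-2.0), each twice). Add a comment saying which files CC0-1.0 covers and list each distinct expression once. The comment block also rewrites the operators in lower case (or/and) while the tag uses OR/AND; pasting the summary output unchanged keeps the two directly comparable.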
The output of %cargo_license_summary should be copy-and-pasted VERBATIM in the comment above the License tag.

Where did you get CC0-1.0 as a license?

The OR rule is a supplement/exception to the No Effective License Analysis rule. That means (Apache-2.0 OR MIT) need NOT be listed separately because both Apache-2.0 and MIT are already listed standalone, per the OR rule. Also, (Apache-2.0 OR MIT) and (MIT OR Apache-2.0) are the same thing, so even if the former didn't apply, there would be no need for both. (Perhaps this can be better spelled out in the OR rule.)

The -n %{name}-%{version} arguments to %autosetup are unnecessary, as that is the default value.

%cargo_summary doesn't belong in %install, and there is no need for two calls. The existing call in %build should be CHANGED per my previous comments. Also, both %cargo_license_summary and %cargo_license should FOLLOW %cargo_build, not precede it.

(In reply to Yaakov Selkowitz from comment #11) > The output of %cargo_license_summary should be copy-and-pasted VERBATIM in > the comment above the License tag. Fixed > > Where did you get CC0-1.0 as a license? https://github.com/latchset/clevis-pin-trustee/tree/main/LICENSES > > The OR rule is a supplement/exception to the No Effective License Analysis > rule. That means (Apache-2.0 OR MIT) need NOT be listed separately because > both Apache-2.0 and MIT are already listed standalone, per the OR rule. > Also, (Apache-2.0 OR MIT) and (MIT OR Apache-2.0) are the same thing, so > even if the former didn't apply, there would be no need for both. (Perhaps > this can be better spelled out in the OR rule.) Fixed > > The -n %{name}-%{version} arguments to %autosetup are unnecessary, as that > is the default value. Fixed > > %cargo_summary doesn't belong in %install, and there is no need for two > calls. The existing call in %build should be CHANGED per my previous > comments. Also, both %cargo_license_summary and %cargo_license should > FOLLOW %cargo_build, not precede it. I have no %cargo_summary in my .spec file. Do you mean %cargo_license_summary? In that case, it is only being called once. Let me share the current diff file: --- clevis-pin-trustee.spec.current 2026-01-28 09:51:50.639194313 +0100 +++ clevis-pin-trustee.spec.candidate.20260628 2026-01-28 09:51:23.893449453 +0100 
@@ -10,24 +10,19 @@ Release: %autorelease Summary: Clevis PIN for Trustee attestation -# Upstream license specification: MIT -# -# The build dependencies have the following licenses: -# -# (Apache-2.0 or MIT) and BSD-3-Clause -# (MIT or Apache-2.0) and Unicode-DFS-2016 -# 0BSD or MIT or Apache-2.0 -# Apache-2.0 -# Apache-2.0 or BSL-1.0 -# Apache-2.0 or MIT -# BSD-2-Clause or Apache-2.0 or MIT -# MIT -# MIT or Apache-2.0 -# MIT or Zlib or Apache-2.0 -# Unicode-3.0 -# Unlicense or MIT -# -License: (Apache-2.0 OR MIT) AND BSD-3-Clause AND (MIT OR Apache-2.0) AND Unicode-DFS-2016 AND (0BSD OR MIT OR Apache-2.0) AND Apache-2.0 AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR MIT) AND (BSD-2-Clause OR Apache-2.0 OR MIT) AND MIT AND (MIT OR Apache-2.0) AND (MIT OR Zlib OR Apache-2.0) AND Unicode-3.0 AND (Unlicense OR MIT) AND CC0-1.0 +# (Apache-2.0 OR MIT) AND BSD-3-Clause +# (MIT OR Apache-2.0) AND Unicode-DFS-2016 +# 0BSD OR MIT OR Apache-2.0 +# Apache-2.0 +# Apache-2.0 OR BSL-1.0 +# Apache-2.0 OR MIT +# BSD-2-Clause OR Apache-2.0 OR MIT +# MIT +# MIT OR Apache-2.0 +# MIT OR Zlib OR Apache-2.0 +# Unicode-3.0 +# Unlicense OR MIT +License: BSD-3-Clause AND (MIT OR Apache-2.0) AND Unicode-DFS-2016 AND (0BSD OR MIT OR Apache-2.0) AND Apache-2.0 AND (Apache-2.0 OR BSL-1.0) AND (BSD-2-Clause OR Apache-2.0 OR MIT) AND MIT AND (MIT OR Zlib OR Apache-2.0) AND Unicode-3.0 AND (Unlicense OR MIT) AND CC0-1.0 URL: https://github.com/latchset/clevis-pin-trustee Source0: https://github.com/latchset/%{name}/archive/refs/tags/v%{version}.tar.gz 
@@ -47,20 +42,21 @@ fetching encryption keys from Trustee servers after successful attestation. %prep -%autosetup -n %{name}-%{version} +%autosetup %cargo_prep %generate_buildrequires %cargo_generate_buildrequires %build -# Generate license information for statically-linked dependencies -%cargo_license_summary -%cargo_license # Build using cargo macros %cargo_build +# Generate license information for statically-linked dependencies +%cargo_license_summary +%cargo_license + %install # Generate license file for bundled dependencies %{cargo_license} > LICENSE.dependencies @@ -78,6 +74,7 @@ %files %license LICENSES/MIT.txt +%license LICENSES/CC0-1.0.txt %license LICENSE.dependencies %doc README.md %{_bindir}/%{name}
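Review bot: In the %build hunk, the bare %cargo_license is only moved below %cargo_build, while the context right after it still shows %{cargo_license} > LICENSE.dependencies under %install, so the macro runs twice and the copy in %build still discards its output. Keep a single call: the braced, redirected one, in %build after %cargo_build. In the %files hunk, confirm that LICENSES/CC0-1.0.txt covers files that actually end up in the binary RPM before installing it with %license.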
(In reply to Sergio Arroutbi from comment #12)
> https://github.com/latchset/clevis-pin-trustee/tree/main/LICENSES

CC0-1.0 is actually problematic for *code*, but inspection of the source tree shows that it is only used in the build infrastructure (Cargo.toml, test.sh, etc.).

Per https://docs.fedoraproject.org/en-US/legal/license-field/#_source_package_files_not_included_in_binary_rpm , as these files do not end up in the binary RPMs, their license should be omitted. Therefore, CC0-1.0 should not be in the License tag nor installed by %license in %files.

> > %cargo_summary doesn't belong in %install, and there is no need for two
> > calls. The existing call in %build should be CHANGED per my previous
> > comments. Also, both %cargo_license_summary and %cargo_license should
> > FOLLOW %cargo_build, not precede it.
>
> I have no %cargo_summary in my .spec file. Do you mean
> %cargo_license_summary?
> In that case, it is only being called once.

Sorry, I meant %cargo_license, there should be only one call in %build, bracketed and redirected.

> +License: BSD-3-Clause AND (MIT OR Apache-2.0) AND Unicode-DFS-2016
> AND (0BSD OR MIT OR Apache-2.0) AND Apache-2.0 AND (Apache-2.0 OR BSL-1.0)
> AND (BSD-2-Clause OR Apache-2.0 OR MIT) AND MIT AND (MIT OR Zlib OR
> Apache-2.0) AND Unicode-3.0 AND (Unlicense OR MIT) AND CC0-1.0

Besides dropping CC0-1.0 as mentioned above, the "AND (MIT OR Apache-2.0)" clause isn't needed for the same reason "(Apache-2.0 OR MIT)" isn't -- both Apache-2.0 and MIT are already AND'ed in by themselves.

(In reply to Yaakov Selkowitz from comment #13) > (In reply to Sergio Arroutbi from comment #12) > > https://github.com/latchset/clevis-pin-trustee/tree/main/LICENSES > > CC0-1.0 is actually problematic for *code*, but inspection of the source > tree shows that it is only used in the build infrastructure (Cargo.toml, > test.sh, etc.). > > Per > https://docs.fedoraproject.org/en-US/legal/license-field/ > #_source_package_files_not_included_in_binary_rpm , as these files do not > end up in the binary RPMs, their license should be omitted. Therefore, > CC0-1.0 should not be in the License tag nor installed by %license in %files. > Fixed > > > %cargo_summary doesn't belong in %install, and there is no need for two > > > calls. The existing call in %build should be CHANGED per my previous > > > comments. Also, both %cargo_license_summary and %cargo_license should > > > FOLLOW %cargo_build, not precede it. > > > > I have no %cargo_summary in my .spec file. Do you mean > > %cargo_license_summary? > > In that case, it is only being called once. > > Sorry, I meant %cargo_license, there should be only call in %build, > bracketed and redirected. Fixed > > > +License: BSD-3-Clause AND (MIT OR Apache-2.0) AND Unicode-DFS-2016 > > AND (0BSD OR MIT OR Apache-2.0) AND Apache-2.0 AND (Apache-2.0 OR BSL-1.0) > > AND (BSD-2-Clause OR Apache-2.0 OR MIT) AND MIT AND (MIT OR Zlib OR > > Apache-2.0) AND Unicode-3.0 AND (Unlicense OR MIT) AND CC0-1.0 > > Besides dropping CC0-1.0 as mentioned above, the "AND (MIT OR Apache-2.0)" > clause isn't needed for the same reason "(Apache-2.0 OR MIT)" isn't -- both > Apache-2.0 and MIT are already AND'ed in by themselves. Fixed. New diff: --- clevis-pin-trustee.spec.20260129 2026-01-29 10:26:57.330601327 +0100 +++ clevis-pin-trustee.spec.candidate 2026-01-29 10:29:46.039727459 +0100 
@@ -22,7 +22,7 @@ # MIT OR Zlib OR Apache-2.0 # Unicode-3.0 # Unlicense OR MIT -License: BSD-3-Clause AND (MIT OR Apache-2.0) AND Unicode-DFS-2016 AND (0BSD OR MIT OR Apache-2.0) AND Apache-2.0 AND (Apache-2.0 OR BSL-1.0) AND (BSD-2-Clause OR Apache-2.0 OR MIT) AND MIT AND (MIT OR Zlib OR Apache-2.0) AND Unicode-3.0 AND (Unlicense OR MIT) AND CC0-1.0 +License: BSD-3-Clause AND Unicode-DFS-2016 AND (0BSD OR MIT OR Apache-2.0) AND Apache-2.0 AND (Apache-2.0 OR BSL-1.0) AND (BSD-2-Clause OR Apache-2.0 OR MIT) AND MIT AND (MIT OR Zlib OR Apache-2.0) AND Unicode-3.0 AND (Unlicense OR MIT) URL: https://github.com/latchset/clevis-pin-trustee Source0: https://github.com/latchset/%{name}/archive/refs/tags/v%{version}.tar.gz @@ -55,7 +55,6 @@ # Generate license information for statically-linked dependencies %cargo_license_summary -%cargo_license %install # Generate license file for bundled dependencies @@ -74,7 +73,6 @@ %files %license LICENSES/MIT.txt -%license LICENSES/CC0-1.0.txt %license LICENSE.dependencies %doc README.md %{_bindir}/%{name}
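Review bot: In the second hunk, removing the bare %cargo_license from %build leaves the license file generation only under %install (the context lines show the "Generate license file for bundled dependencies" step directly after %install). Move that redirected call up into %build, next to %cargo_license_summary, instead of deleting the call that was in %build.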
[fedora-review-service-build]
Copr build: https://copr.fedorainfracloud.org/coprs/build/10076464 (succeeded)
Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2431593-clevis-pin-trustee/fedora-rawhide-x86_64/10076464-clevis-pin-trustee/fedora-review/review.txt
Found issues:
- clevis-pin-trustee-fedora.spec should be clevis-pin-trustee.spec
  Read more: https://docs.fedoraproject.org/en-US/packaging-guidelines/#_spec_file_naming
Please know that there can be false-positives.
Again, the %cargo_license call needs to be in %build, not %install. This is clearly stated in the guidelines: https://docs.fedoraproject.org/en-US/packaging-guidelines/Rust/#_rpm_macros_2 While you have been updating the spec file, the SRPM has not been regenerated. Please update both in order for the review to be completed. Once you have done so, use the instructions in the previous comment to retrigger the CI to generate a review template so that this can be completed.
(In reply to Yaakov Selkowitz from comment #17) > Again, the %cargo_license call needs to be in %build, not %install. This is > clearly stated in the guidelines: > https://docs.fedoraproject.org/en-US/packaging-guidelines/Rust/#_rpm_macros_2 Fixed. Let me update latest diff: --- clevis-pin-trustee.spec.202601292103 2026-01-29 21:03:46.896607219 +0100 +++ clevis-pin-trustee.spec 2026-01-29 21:04:16.569237640 +0100 @@ -49,17 +49,15 @@ %cargo_generate_buildrequires %build - # Build using cargo macros %cargo_build # Generate license information for statically-linked dependencies %cargo_license_summary - -%install # Generate license file for bundled dependencies %{cargo_license} > LICENSE.dependencies +%install # Install main binary install -D -m 0755 target/release/%{name} %{buildroot}%{_bindir}/%{name} > > While you have been updating the spec file, the SRPM has not been > regenerated. Please update both in order for the review to be completed. > Once you have done so, use the instructions in the previous comment to > retrigger the CI to generate a review template so that this can be completed. Please, find updated .srpm file, aligned with latest .spec file: https://sarroutb.fedorapeople.org/clevis-pin-trustee-0.0.1-1.fc44.src.rpm
"If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string."
Copr build: https://copr.fedorainfracloud.org/coprs/build/10076658 (succeeded)
Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2431593-clevis-pin-trustee/fedora-rawhide-x86_64/10076658-clevis-pin-trustee/fedora-review/review.txt
Please take a look if any issues were found.
Copr build: https://copr.fedorainfracloud.org/coprs/build/10076659 (succeeded)
Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2431593-clevis-pin-trustee/fedora-rawhide-x86_64/10076659-clevis-pin-trustee/fedora-review/review.txt
Please take a look if any issues were found.
Copr build: https://copr.fedorainfracloud.org/coprs/build/10076664 (succeeded)
Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2431593-clevis-pin-trustee/fedora-rawhide-x86_64/10076664-clevis-pin-trustee/fedora-review/review.txt
Please take a look if any issues were found.
Package Review
==============

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated
[ ] = Manual review needed

===== MUST items =====

Generic:
[x]: Package successfully compiles and builds into binary rpms on at least one supported primary architecture.
     Note: Using prebuilt packages
[x]: Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines.
[x]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses found: "Unknown or generated", "Creative Commons CC0 1.0", "MIT License", "*No copyright* Creative Commons CC0 1.0", "*No copyright* MIT License". 5 files have unknown license. Detailed output of licensecheck in /var/lib/copr-rpmbuild/results/clevis-pin-trustee/licensecheck.txt
[x]: If the package is under multiple licenses, the licensing breakdown must be documented in the spec.
[x]: %build honors applicable compiler flags or justifies otherwise.
[x]: Package contains no bundled libraries or specifies bundled libraries with Provides: bundled(<libname>) if unbundling is not possible.
[x]: Changelog in prescribed format.
[x]: Sources contain only permissible code or content.
[-]: Package contains desktop file if it is a GUI application.
[-]: Development files must be in a -devel package
[x]: Package uses nothing in %doc for runtime.
[x]: Package consistently uses macros (instead of hard-coded directory names).
[x]: Package is named according to the Package Naming Guidelines.
[x]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and Provides are present.
[x]: Requires correct, justified where necessary.
[x]: Spec file is legible and written in American English.
[-]: Package contains systemd file(s) if in need.
[x]: Useful -debuginfo package or justification otherwise.
[x]: Package is not known to require an ExcludeArch tag.
[x]: Package complies to the Packaging Guidelines
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %license.
[x]: The License field must be a valid SPDX expression.
[x]: Package requires other packages for directories it uses.
[x]: Package must own all directories that it creates.
[x]: Package does not own files or directories owned by other packages.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install.
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Dist tag is present.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package must not depend on deprecated() packages.
[x]: Package use %makeinstall only when make install DESTDIR=... doesn't work.
[x]: Package is named using only allowed ASCII characters.
[x]: Package does not use a name that already exists.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as provided in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Large documentation must go in a -doc subpackage. Large could be size (~1MB) or number of files.
     Note: Documentation size is 82 bytes in 1 files.
[x]: Packages must not store files under /srv, /opt or /usr/local

===== SHOULD items =====

Generic:
[x]: Reviewer should test that the package builds in mock.
[-]: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it.
[x]: Final provides and requires are sane (see attachments).
[?]: Package functions as described.
[x]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[-]: Sources are verified with gpgverify first in %prep if upstream publishes signatures.
     Note: gpgverify is not used.
[x]: Package should compile and build into binary rpms on all supported architectures.
[x]: %check is present and all tests pass.
[x]: Packages should try to preserve timestamps of original installed files.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT)
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: Sources can be downloaded from URI in Source: tag
[x]: SourceX is a working URL.
[x]: Spec use %global instead of %define unless justified.

===== EXTRA items =====

Generic:
[x]: Rpmlint is run on debuginfo package(s).
     Note: No rpmlint messages.
[x]: Rpmlint is run on all installed packages.
     Note: No rpmlint messages.
[x]: Large data in /usr/share should live in a noarch subpackage if package is arched.

Rpmlint
-------
Checking: clevis-pin-trustee-0.0.1-1.fc44.x86_64.rpm
          clevis-pin-trustee-0.0.1-1.fc44.src.rpm
============================ rpmlint session starts ============================
rpmlint: 2.8.0
configuration:
    /usr/lib/python3.14/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora-spdx-licenses.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
rpmlintrc: [PosixPath('/tmp/tmpsyi5o0p_')]
checks: 32, packages: 2

clevis-pin-trustee.x86_64: W: no-manual-page-for-binary clevis-decrypt-trustee
clevis-pin-trustee.x86_64: W: no-manual-page-for-binary clevis-encrypt-trustee
clevis-pin-trustee.x86_64: W: no-manual-page-for-binary clevis-pin-trustee
 2 packages and 0 specfiles checked; 0 errors, 3 warnings, 7 filtered, 0 badness; has taken 0.2 s

Rpmlint (debuginfo)
-------------------
Checking: clevis-pin-trustee-debuginfo-0.0.1-1.fc44.x86_64.rpm
============================ rpmlint session starts ============================
rpmlint: 2.8.0
configuration:
    /usr/lib/python3.14/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora-spdx-licenses.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
rpmlintrc: [PosixPath('/tmp/tmp94blgjew')]
checks: 32, packages: 1

 1 packages and 0 specfiles checked; 0 errors, 0 warnings, 5 filtered, 0 badness; has taken 0.9 s

Rpmlint (installed packages)
----------------------------
(none): E: there is no installed rpm "clevis-pin-trustee".
============================ rpmlint session starts ============================
rpmlint: 2.8.0
configuration:
    /usr/lib/python3.14/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora-spdx-licenses.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
checks: 32, packages: 2

 0 packages and 0 specfiles checked; 0 errors, 0 warnings, 0 filtered, 0 badness; has taken 0.0 s
(none): E: there is no installed rpm "clevis-pin-trustee-debuginfo".
There are no files to process nor additional arguments.
Nothing to do, aborting.

Source checksums
----------------
https://github.com/latchset/clevis-pin-trustee/archive/refs/tags/v0.0.1.tar.gz :
  CHECKSUM(SHA256) this package     : d1a8bd60a33505510d757bb5640533bac147ee6285c7c2ede491883c181f13fb
  CHECKSUM(SHA256) upstream package : d1a8bd60a33505510d757bb5640533bac147ee6285c7c2ede491883c181f13fb

Requires
--------
clevis-pin-trustee (rpmlib, GLIBC filtered):
    /usr/bin/bash
    clevis
    jose
    ld-linux-x86-64.so.2()(64bit)
    libc.so.6()(64bit)
    libcrypto.so.3()(64bit)
    libcrypto.so.3(OPENSSL_3.0.0)(64bit)
    libgcc_s.so.1()(64bit)
    libgcc_s.so.1(GCC_3.0)(64bit)
    libgcc_s.so.1(GCC_3.3)(64bit)
    libgcc_s.so.1(GCC_4.2.0)(64bit)
    libssl.so.3()(64bit)
    libssl.so.3(OPENSSL_3.0.0)(64bit)
    rtld(GNU_HASH)

Provides
--------
clevis-pin-trustee:
    clevis-pin-trustee
    clevis-pin-trustee(x86-64)

Generated by fedora-review 0.11.0 (05c5b26) last change: 2025-11-29
Command line :/bin/fedora-review --no-colors --prebuilt --rpm-spec --name clevis-pin-trustee --mock-config /var/lib/copr-rpmbuild/results/configs/child.cfg
Buildroot used: fedora-rawhide-x86_64
Active plugins: Shell-api, Generic
Disabled plugins: Ocaml, R, C/C++, fonts, PHP, Java, Python, SugarActivity, Perl, Haskell
Disabled flags: EXARCH, EPEL6, EPEL7, DISTTAG, BATCH

Package APPROVED. Please make sure that the improvements made here also get back to the RHEL 10 package. Sometime after import, I'll try to follow up with vendoring changes for ELN (RHEL 11).
The Pagure repository was created at https://src.fedoraproject.org/rpms/clevis-pin-trustee
Hello 👋 bit confused by some of the choices made in the spec file.

1. Why define "%global bundled_rust_deps 0"? This is not used anywhere.
2. Directly having "BuildRequires: openssl-devel" should not be necessary. This dependency is pulled in by the rust-openssl-sys crate package.
3. "BuildRequires: rust-tempfile+default-devel" is wrong. The package should pass `-t` to %cargo_generate_buildrequires instead.

Refer to the "https://docs.fedoraproject.org/en-US/packaging-guidelines/Rust/#_non_crate_rust_project" template.

Hello. I will address previous changes through a new PR in repository: https://src.fedoraproject.org/rpms/clevis-pin-trustee/pull-request/3 Thanks for suggestions