Spec URL: https://alakatos.fedorapeople.org/trustee/trustee/trustee.spec
SRPM URL: https://alakatos.fedorapeople.org/trustee/trustee/trustee-0.15.0-1.fc42.src.rpm
Description: Trustee provides a set of tools and components for attesting confidential guests and securely providing secrets to them. It operates on behalf of the guest owner to facilitate remote interaction with guest components. This package delivers the Key Broker Service (KBS) component configured specifically for passport-only mode, decoupling resource provisioning from evidence validation.
Fedora Account System Username: alakatos
I have some doubts regarding the License. I followed the official Rust packaging guide as per https://docs.fedoraproject.org/en-US/packaging-guidelines/Rust/#_license_tags and I was able to obtain a list of licenses, but the output is quite large:

### BEGIN LICENSE SUMMARY ###
# (Apache-2.0 OR MIT) AND BSD-3-Clause
# (MIT OR Apache-2.0) AND Unicode-DFS-2016
# 0BSD OR MIT OR Apache-2.0
# Apache-2.0
# Apache-2.0 AND ISC AND (MIT OR Apache-2.0)
# Apache-2.0 OR BSL-1.0
# Apache-2.0 OR MIT
# Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT
# BSD-2-Clause OR Apache-2.0 OR MIT
# BSD-3-Clause
# ISC
# MIT
# MIT AND Apache-2.0 AND BSD-3-Clause
# MIT OR Apache-2.0
# MIT OR Zlib OR Apache-2.0
# MPL-2.0
# Unicode-3.0
# Unlicense OR MIT
# Zlib
### END LICENSE SUMMARY ###
Copr build: https://copr.fedorainfracloud.org/coprs/build/10044307 (succeeded)

Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2431992-trustee/fedora-rawhide-x86_64/10044307-trustee/fedora-review/review.txt

Please take a look if any issues were found.

---
This comment was created by the fedora-review-service
https://github.com/FrostyX/fedora-review-service

If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.
Package Review
==============

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated

===== ISSUES =====

None - package meets all MUST requirements.

===== RECOMMENDATIONS =====

1. Package is 2 versions behind (v0.15.0 vs v0.17.0 latest)
2. Add manual page for kbs binary (rpmlint warning)
3. Consider adding GPG signature verification if upstream provides it

===== MOCK INSTALLATION TEST =====

Tested in clean fedora-rawhide-x86_64 mock chroot:
- Installation: SUCCESS
- Binary tests: /usr/bin/kbs --help and --version work correctly
- All dependencies resolved from Fedora repos
- Files installed to correct locations

===== MUST items =====

Generic:
[x]: Package successfully compiles and builds into binary rpms on at least one supported primary architecture.
     Note: Copr build 10044307 completed successfully for x86_64.
[x]: Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines.
     Note: Source is Apache-2.0. Statically linked deps use FLOSS licenses (Apache-2.0, MIT, BSD-3-Clause, ISC, MPL-2.0, Unicode-*, Unlicense, Zlib, BSL-1.0).
[x]: License field in the package spec file matches the actual license.
     Note: SOURCE license (Apache-2.0) verified in trustee-0.15.0/LICENSE. Binary license correctly combines source + all statically linked crates. LICENSE.dependencies (273 lines) provides complete breakdown.
[x]: If the package is under multiple licenses, the licensing breakdown must be documented in the spec.
     Note: License summary in spec comments (lines 8-28). LICENSE.dependencies installed as %license with per-crate breakdown.
[x]: %build honors applicable compiler flags or justifies otherwise.
     Note: %cargo_build uses %build_rustflags. OPENSSL_NO_VENDOR=1 uses system OpenSSL.
[x]: Package contains no bundled libraries or specifies bundled libraries with Provides: bundled(<libname>) if unbundling is not possible.
     Note: No bundled C libs. Rust crates statically linked (no stable ABI). All deps from Fedora registry via %cargo_generate_buildrequires.
[x]: Changelog in prescribed format.
     Note: Uses %autochangelog.
[x]: Sources contain only permissible code or content.
     Note: KBS for confidential computing attestation/secrets. No malicious code detected.
[x]: Package contains desktop file if it is a GUI application.
     Note: Server daemon/CLI tool, not GUI.
[x]: Development files must be in a -devel package
     Note: Non-crate app, no -devel package needed.
[x]: Package uses nothing in %doc for runtime.
[x]: Package consistently uses macros (instead of hard-coded directory names).
[x]: Package is named according to the Package Naming Guidelines.
     Note: "trustee" (no rust- prefix) correct for non-crate apps.
[x]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[x]: If the package is a rename of another package, proper Obsoletes and Provides are present.
     Note: New package, not a rename.
[x]: Requires correct, justified where necessary.
     Note: openssl (explicit) + auto-generated shared lib deps.
[x]: Spec file is legible and written in American English.
[x]: Package contains systemd file(s) if in need.
     Note: Typically deployed in containers/K8s per upstream docs.
[x]: Useful -debuginfo package or justification otherwise.
[x]: Package is not known to require an ExcludeArch tag.
[x]: Package complies to the Packaging Guidelines
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
[x]: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %license.
[x]: The License field must be a valid SPDX expression.
[x]: Package requires other packages for directories it uses.
[x]: Package must own all directories that it creates.
[x]: Package does not own files or directories owned by other packages.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install.
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Dist tag is present.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package must not depend on deprecated() packages.
[x]: Package use %makeinstall only when make install DESTDIR=... doesn't work.
[x]: Package is named using only allowed ASCII characters.
[x]: Package does not use a name that already exists.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as provided in the spec URL.
     Note: SHA256 checksums match for both Source0 and Source1.
[x]: Spec file name must match the spec package %{name}, in the format %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Large documentation must go in a -doc subpackage. Large could be size (~1MB) or number of files.
     Note: Documentation size is 3267 bytes in 1 files.
[x]: Packages must not store files under /srv, /opt or /usr/local

===== Rust-Specific MUST items =====

[x]: Rust packages building with cargo MUST have BuildRequires: cargo-rpm-macros
     Note: Line 45.
[x]: Rust packages MUST call %cargo_prep in %prep
     Note: Line 72.
[x]: Rust packages building with cargo MUST use %cargo_generate_buildrequires
     Note: Lines 73-74.
[x]: Rust packages with binaries MUST use %cargo_license for License tracking
     Note: Lines 80-81, LICENSE.dependencies in %files line 94.
[x]: Rust crate packages MUST set %bcond check
     Note: Line 1: %bcond check 1.
[x]: Non-crate Rust packages MUST NOT use rust- prefix
     Note: Package name "trustee" without rust- prefix.
[x]: Non-crate Rust packages MUST NOT ship -devel subpackages
     Note: No -devel subpackages.
[x]: Non-crate Rust packages MUST NOT ship crate sources in %{cargo_registry}
     Note: Uses manual install, not %cargo_install.
[x]: Rust packages MUST pass standardized compiler flags
     Note: %cargo_build uses %build_rustflags automatically.
[x]: BuildRequires MUST NOT contain arch-specific dependencies (%{?_isa})
     Note: No %{?_isa} in BuildRequires.
[x]: Git dependencies SHOULD be replaced with path/registry dependencies
     Note: Patch 0007 replaces git deps with path/registry deps.
[x]: Patches modifying Cargo.toml MUST be applied before spec generation
     Note: Applied via %autosetup -S git before %cargo_prep.
[x]: No rpath in binaries
     Note: No rpath issues detected.

===== SHOULD items =====

Generic:
[x]: Reviewer should test that the package builds in mock.
     Note: Tested in clean fedora-rawhide-x86_64, see MOCK TEST section.
[?]: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it.
     Note: Upstream includes LICENSE file.
[x]: Final provides and requires are sane (see attachments).
[x]: Package functions as described.
[?]: Latest version is packaged.
     Note: v0.15.0 packaged, v0.17.0 available. 2 versions behind.
[-]: Package does not include license text files separate from upstream.
[x]: Patches link to upstream bugs/comments/lists or are otherwise justified.
     Note: 8 patches with clear rationale for Fedora packaging.
[?]: Sources are verified with gpgverify first in %prep if upstream publishes signatures.
     Note: Not used. Check if available.
[-]: Package should compile and build into binary rpms on all supported architectures.
     Note: Should build on all arches.
[x]: %check is present and all tests pass.
     Note: Lines 87-90, %cargo_test when %{with check}.
[-]: Packages should try to preserve timestamps of original installed files.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT)
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: Sources can be downloaded from URI in Source: tag
[x]: SourceX is a working URL.
[x]: Spec use %global instead of %define unless justified.

===== Rust-Specific SHOULD items =====

[x]: Rust projects SHOULD use system libraries instead of bundled copies
     Note: OPENSSL_NO_VENDOR=1 forces system OpenSSL.
[x]: Rust projects with test suites SHOULD execute them in %check
     Note: %cargo_test in %check.
[x]: Patches SHOULD be submitted upstream when applicable
     Note: Patches are Fedora-specific (workspace restrictions, dep replacements, test guards).
[?]: OpenPGP signature verification SHOULD be used if upstream publishes them
     Note: Check if upstream provides signatures.

===== EXTRA items =====

Generic:
[x]: Rpmlint is run on debuginfo package(s).
[x]: Rpmlint is run on all installed packages.
[x]: Large data in /usr/share should live in a noarch subpackage if package is arched.
[x]: Spec file according to URL is the same as in SRPM.

Rpmlint
-------
Checking: trustee-kbs-0.15.0-1.fc44.x86_64.rpm
          trustee-0.15.0-1.fc44.src.rpm
============================ rpmlint session starts ============================
rpmlint: 2.8.0
configuration:
    /usr/lib/python3.14/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora-spdx-licenses.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
rpmlintrc: [PosixPath('/tmp/tmpme_rnedq')]
checks: 32, packages: 2

trustee-kbs.x86_64: W: no-manual-page-for-binary kbs
 2 packages and 0 specfiles checked; 0 errors, 1 warnings, 9 filtered, 0 badness; has taken 0.4 s

Rpmlint (debuginfo)
-------------------
Checking: trustee-kbs-debuginfo-0.15.0-1.fc44.x86_64.rpm
============================ rpmlint session starts ============================
rpmlint: 2.8.0
configuration:
    /usr/lib/python3.14/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora-spdx-licenses.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
rpmlintrc: [PosixPath('/tmp/tmppl8oo1_s')]
checks: 32, packages: 1

 1 packages and 0 specfiles checked; 0 errors, 0 warnings, 6 filtered, 0 badness; has taken 2.9 s

Rpmlint (installed packages)
----------------------------
(none): E: there is no installed rpm "trustee-kbs-debuginfo".
(none): E: there is no installed rpm "trustee-kbs".
There are no files to process nor additional arguments.
Nothing to do, aborting.
============================ rpmlint session starts ============================
rpmlint: 2.8.0
configuration:
    /usr/lib/python3.14/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora-spdx-licenses.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
checks: 32, packages: 2

 0 packages and 0 specfiles checked; 0 errors, 0 warnings, 0 filtered, 0 badness; has taken 0.0 s

Source checksums
----------------
https://github.com/confidential-containers/trustee/archive/refs/tags/v0.15.0.tar.gz :
  CHECKSUM(SHA256) this package     : 825227b9ac6a4312cf7f02746a53d4e03718a764843d67e069274e76e3458774
  CHECKSUM(SHA256) upstream package : 825227b9ac6a4312cf7f02746a53d4e03718a764843d67e069274e76e3458774
https://github.com/confidential-containers/guest-components/archive/refs/tags/v%{version}/guest-components-0.15.0.tar.gz :
  CHECKSUM(SHA256) this package     : 3e1a234cdf621cf956b440cca472117b0547ba71dd72e448986bf7db25473f3f
  CHECKSUM(SHA256) upstream package : 3e1a234cdf621cf956b440cca472117b0547ba71dd72e448986bf7db25473f3f

Requires
--------
trustee-kbs (rpmlib, GLIBC filtered):
    ld-linux-x86-64.so.2()(64bit)
    libc.so.6()(64bit)
    libcrypto.so.3()(64bit)
    libcrypto.so.3(OPENSSL_3.0.0)(64bit)
    libgcc_s.so.1()(64bit)
    libgcc_s.so.1(GCC_3.0)(64bit)
    libgcc_s.so.1(GCC_3.3)(64bit)
    libgcc_s.so.1(GCC_4.2.0)(64bit)
    libm.so.6()(64bit)
    libssl.so.3()(64bit)
    libssl.so.3(OPENSSL_3.0.0)(64bit)
    libzstd.so.1()(64bit)
    openssl
    rtld(GNU_HASH)

Provides
--------
trustee-kbs:
    trustee-kbs
    trustee-kbs(x86-64)

===== DETAILED REVIEW NOTES =====

Package Type: Non-crate Rust application (trustee KBS)
- Multi-crate workspace project from GitHub
- Only KBS component built/shipped
- Follows Rust Guidelines for non-crate projects

Rust Compliance:
- Correct naming (no rust- prefix), macros, license tracking
- Manual install (not %cargo_install), no -devel packages
- %bcond check set, tests in %check

Source: Key Broker Service for confidential computing (attestation/secrets)
- Reviewed for security - legitimate infrastructure, no malicious code

Patches (8 total):
- 0001: Restrict workspace to kbs only (reduces build footprint)
- 0002: Remove built-in AS (lightweight build)
- 0003: Replace concat-kdf with internal impl (reduce deps)
- 0004: Use jsonwebtoken vs jwt-simple (Fedora alignment)
- 0005: Align crate versions with Fedora
- 0006: Replace derivative with educe
- 0007: Replace git deps with path/registry (REQUIRED for offline builds)
- 0008: Guard RVPS import in tests
All justified for Fedora packaging.

Licenses:
- Source: Apache-2.0 (verified in LICENSE)
- Binary: SPDX conjunction of source + all statically linked crates
- LICENSE.dependencies (273 lines) lists all crate licenses
- Licensecheck: 468 "Unknown" files are config/build/test files (acceptable)

Security: System OpenSSL, no bundled libs, all deps from Fedora registry

Version: v0.15.0 (Sept 2024), latest is v0.17.0 (Jan 2025) - 2 versions behind

===== FINAL RECOMMENDATION =====

APPROVED

Package meets all MUST requirements for Fedora and Rust Packaging Guidelines.

Non-blocking recommendations:
1. Update to v0.17.0
2. Add man page for kbs
3. Add GPG verification if available

Generated by fedora-review 0.11.0 (05c5b26) last change: 2025-11-29
Command line :/usr/bin/fedora-review --copr-build 10044307
Buildroot used: fedora-rawhide-x86_64
Active plugins: Generic, Shell-api
Disabled plugins: fonts, SugarActivity, Perl, R, Haskell, Ocaml, Java, Python, C/C++, PHP
Disabled flags: EXARCH, EPEL6, EPEL7, DISTTAG, BATCH
It looks OK to me and I would mark it as approved, but given the issues I missed in the previous review, may I ask you to double check here, Fabio, please? Thanks in advance.
I am at CentOS Connect / FOSDEM, I will probably only have time to look at this more next week.

Just a few quick comments:

1. This should not be necessary (or actually be superfluous / unused) when not using vendored dependencies:

> BuildRequires: openssl-devel
> # Use system OpenSSL instead of building from source
> export OPENSSL_NO_VENDOR=1

2. The patches are not documented (or at least not in the spec file, which they should be).
Also, if any of them are upstreamable, that should happen and links to the upstream PRs or commits should be added.

3. The License tag looks very big and contains duplicates - it doesn't exactly look *wrong* but it's also messy.

For example, you don't need to have both (Apache-2.0 OR MIT) *and* (MIT OR Apache-2.0), they're equivalent. You could drop one of them (I usually keep the one that sorts first alphabetically).

Also, things like "((Apache-2.0 OR MIT) AND BSD-3-Clause) AND ..." can be flattened (AND is associative and the order doesn't matter), so those are two more duplicates you can avoid.

You can also use syntax like this to avoid the very long line (and better diff it):

License: %{shrink:
    Apache-2.0
    AND MIT
    AND BSD-3-Clause
    AND ...
}
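
The de-duplication and flattening described in the comment above, as an added example that is not part of the original thread or of the trustee spec: a small Python script that parses SPDX expressions, merges nested AND groups, treats OR operands as unordered, and emits a %{shrink:} License tag. The function names are illustrative, the input is a subset of the license summary posted earlier in this review, and nothing beyond duplicate removal is simplified.

```python
import re

# Four of the per-crate expressions from the license summary posted in this review.
SUMMARY = [
    "(Apache-2.0 OR MIT) AND BSD-3-Clause",
    "(MIT OR Apache-2.0) AND Unicode-DFS-2016",
    "Apache-2.0 AND ISC AND (MIT OR Apache-2.0)",
    "Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT",
]

def parse(expr):
    """Parse an SPDX expression (precedence WITH > AND > OR) into a nested tree."""
    # "<id> WITH <exception>" stays one token; reversed so pop() yields the next one.
    toks = [None] + re.findall(r"\(|\)|[^\s()]+(?:\s+WITH\s+[^\s()]+)?", expr)[::-1]
    def atom():
        tok = toks.pop()
        if tok == "(":
            node = or_expr()
            if toks.pop() != ")":
                raise ValueError(f"missing ')' in {expr!r}")
            return node
        if tok in (None, ")", "AND", "OR", "WITH"):
            raise ValueError(f"expected a license id, got {tok!r} in {expr!r}")
        return " ".join(tok.split())
    def chain(op, operand):
        items = [operand()]
        while toks[-1] == op:
            toks.pop()
            items.append(operand())
        return items[0] if len(items) == 1 else (op, items)
    and_expr = lambda: chain("AND", atom)
    or_expr = lambda: chain("OR", and_expr)
    node = or_expr()
    if toks[-1] is not None:
        raise ValueError(f"trailing {toks[-1]!r} in {expr!r}")
    return node

def canon(node):
    """Flatten nested groups of the same operator and drop duplicate operands."""
    if isinstance(node, str):
        return node
    op, flat = node[0], set()
    for child in map(canon, node[1]):
        flat |= child[1] if isinstance(child, tuple) and child[0] == op else {child}
    return next(iter(flat)) if len(flat) == 1 else (op, frozenset(flat))

def render(node):
    if isinstance(node, str):
        return node
    return "(" + f" {node[0]} ".join(sorted(map(render, node[1]))) + ")"

def combined_terms(exprs):
    """AND every expression together and return the unique top-level terms."""
    node = canon(("AND", [parse(e) for e in exprs]))
    is_and = isinstance(node, tuple) and node[0] == "AND"
    return sorted(map(render, node[1] if is_and else [node]))

def license_tag(exprs):
    return "License: %{shrink:\n    " + "\n    AND ".join(combined_terms(exprs)) + "\n}"
```

Calling `print(license_tag(SUMMARY))` shows the two spellings of the Apache-2.0/MIT choice collapsed into one term, while the three-way choice containing the LLVM exception stays a separate term.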
Hello, thank you very much for your input.

(In reply to Fabio Valentini from comment #5)
> I am at CentOS Connect / FOSDEM, I will probably only have time to look at
> this more next week.
>
> Just a few quick comments:
>
> 1. This should not be necessary (or actually be superfluous / unused) when
> not using vendored dependencies:
>
> > BuildRequires: openssl-devel
> > # Use system OpenSSL instead of building from source
> > export OPENSSL_NO_VENDOR=1

You are right, I removed the build requirements.

>
> 2. The patches are not documented (or at least not in the spec file, which
> they should be).
> Also, if any of them are upstreamable, that should happen and links to the
> upstream PRs or commits should be added.

I added brief comments for each patch in the spec file. Each patch itself contains a detailed description. This is one of the reasons I use git-style patches, as they allow additional information to be included.

I agree on upstreaming some of the patches. Some already are, but others won't be needed in the future. The whole trustee project has several components. The most important one for us is the KBS (key broker service). In future versions we want to support the other components as well, such as the RVPS & attestation service. I wanted to give you a small insight into that, so you know why we are not including some of the components and why we have multiple downstream patches.

>
> 3. The License tag looks very big and contains duplicates - it doesn't
> exactly look *wrong* but it's also messy.
>
> For example, you don't need to have both (Apache-2.0 OR MIT) *and* (MIT OR
> Apache-2.0), they're equivalent. You could drop one of them (I usually keep
> the one that sorts first alphabetically).
>
> Also, Things like "((Apache-2.0 OR MIT) AND BSD-3-Clause) AND ..." can be
> flattened (AND is associative and the order doesn't matter), so those are
> two more duplicates you can avoid.
>
> You can also use syntax like this to avoid the very long line (and better
> diff it):
>
> License: %{shrink:
>     Apache-2.0
>     AND MIT
>     AND BSD-3-Clause
>     AND ...
> }

Great note, thank you. Changed that.
Package APPROVED. The updates look good to me. Thanks Fabio for the initial look at it, hopefully there will be no more issues, but we can fix it, if that is the case.
The Pagure repository was created at https://src.fedoraproject.org/rpms/trustee
FEDORA-2026-1b6845b392 (trustee-0.15.0-1.fc45) has been submitted as an update to Fedora 45. https://bodhi.fedoraproject.org/updates/FEDORA-2026-1b6845b392
FEDORA-2026-1b6845b392 (trustee-0.15.0-1.fc45) has been pushed to the Fedora 45 stable repository. If problem still persists, please make note of it in this bug report.
> # Use system OpenSSL instead of building from source
> export OPENSSL_NO_VENDOR=1

This is still present, should not be needed (or have any effect) when not using vendored dependencies.

Other than that, package looks good to me too :)