Bug 363741 - Review Request: libewf - Library for the Expert Witness Compression Format (EWF)
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: Package Review
rawhide
All Linux
medium Severity medium
Assigned To: Jason Tibbitts
Fedora Extras Quality Assurance
Reported: 2007-11-02 09:02 EDT by Nicolas Chauvet (kwizart)
Modified: 2009-07-28 00:48 EDT
Last Closed: 2007-11-09 20:08:53 EST
tibbs: fedora‑review+
kevin: fedora‑cvs+


Description Nicolas Chauvet (kwizart) 2007-11-02 09:02:08 EDT
Spec URL:
http://kwizart.fedorapeople.org/SPECS/libewf.spec
SRPM URL:
http://kwizart.fedorapeople.org/SRPMS/libewf-0-1.20070512.fc7.kwizart.src.rpm
Description: Library for the Expert Witness Compression Format (EWF)

koji scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=224364
rpmlint on installed files:
libewf.x86_64: W: unused-direct-shlib-dependency /usr/lib64/libewf.so.1.0.1 /lib64/libuuid.so.1
Maybe this is related to the options used...
Comment 1 Jason Tibbitts 2007-11-02 12:50:49 EDT
The unused-direct-shlib-dependency comes from linking to libuuid but not calling
any functions in it.  The tools call it, and the package just uses the same
options to link the tools and the library.  I don't think it's enough of an
issue to justify patching around in the package's Makefile.
Comment 2 Jason Tibbitts 2007-11-03 14:28:19 EDT
Lovely how upstream forces you to use https but has an expired certificate.

The upstream web pages indicate that this is stable.  Is the eight digit number
looking suspiciously like a date actually the package's version?  If so, then
you could just use that as the version instead of treating the package as a
snapshot with no version.  Which would make your version "20070512" and your
release as "1".  Of course, this breaks (forcing you to use Epoch:) if upstream
does decide to release version 1.0 in the future, so I'll leave this up to you.
 If upstream is still sufficiently active, you could ask them what they plan to do.

The COPYING file seems to me to include the 4-clause BSD license, including the
advertising clause, although they swapped two of the clauses for whatever reason.

- All advertising materials mentioning features or use of this software
  must acknowledge the contribution by people stated in the acknowledgements.

So, first off, your License: tag is wrong; it must be "BSD with advertising".

Then, this program cannot link against anything which conflicts with
BSD+advertising.  zlib is OK, glibc is OK (LGPL), openssl/libcrypto is OK, and
e2fsprogs has four different licenses.  Looking in the source, libuuid (which is
all that's being linked against here) is plain 3-clause BSD without advertising.
 So that should be OK as well.  Running ldd against all binaries and libraries
doesn't show anything else, so that should be OK.

When submitting packages with difficult licenses, you need to do this kind of
review up front.  We can't generally trust upstream to do this kind of thing
properly, because it seems to be those that pick the "you must mention me in
your advertising materials" clause who understand the implications of such a
thing the least.  You also need to make sure that the package doesn't grow
additional dependencies in the future which would cause a licensing conflict,
and that the licenses of your dependencies don't change and cause conflicts.

Review:
* source files match upstream:
   5479bc06d0eb9a83c6dc793b87ee05a4c957fc73cb7c509b57ecc7dd5154ca0c  
   libewf-20070512.tar.gz
* package meets naming and versioning guidelines (but consider using date as 
  version as detailed above).
* specfile is properly named, is cleanly written and uses macros consistently.
* summaries are OK.
* descriptions are OK.
* dist tag is present.
* build root is OK.
* license field matches the actual license.
* license is open source-compatible.
* license text included in package.
* latest version is being packaged.
* BuildRequires are proper.
* compiler flags are appropriate.
* %clean is present.
* package builds in mock (rawhide, x86_64).
* package installs properly
* debuginfo package looks complete.
* rpmlint complaints are OK.
* final provides and requires are sane:
  ewftools-0-1.20070512.fc8.x86_64.rpm
   ewftools = 0-1.20070512.fc8
  =
   libcrypto.so.6()(64bit)
   libewf = 0-1.20070512.fc8
   libewf.so.1()(64bit)
   libuuid.so.1()(64bit)
   libz.so.1()(64bit)

  libewf-0-1.20070512.fc8.x86_64.rpm
   libewf.so.1()(64bit)
   libewf = 0-1.20070512.fc8
  =
   /sbin/ldconfig
   libcrypto.so.6()(64bit)
   libewf.so.1()(64bit)
   libuuid.so.1()(64bit)
   libz.so.1()(64bit)

  libewf-devel-0-1.20070512.fc8.x86_64.rpm
   libewf-devel = 0-1.20070512.fc8
  =
   libewf = 0-1.20070512.fc8
   libewf.so.1()(64bit)
   pkgconfig

* %check is not present; no test suite upstream.  I have no existing EWF files 
   to use to test this, although I did run the tools and "acquired" a file and 
   things seemed to work well enough.
* shared libraries present; ldconfig called properly.
* unversioned .so files are in the -devel package.
* owns the directories it creates.
* doesn't own any directories it shouldn't.
* no duplicates in %files.
* file permissions are appropriate.
* scriptlets are OK (ldconfig calls)
* code, not content.
* documentation is small, so no -docs subpackage is necessary.
* %docs are not necessary for the proper functioning of the package.
* headers are in the -devel package.
* pkgconfig file present in -devel package.
* no static libraries.
* no libtool .la files.

APPROVED
Comment 3 Nicolas Chauvet (kwizart) 2007-11-05 10:58:56 EST
Thanks for the review! I will update the License field before building...

This package is used by http://www.sleuthkit.org
which uses http://www.porcupine.org/forensics/tct.html (IBM License)
Maybe there will be a problem then... (I cannot find the wiki about compatible
licenses...)

New Package CVS Request
=======================
Package Name:      libewf
Short Description: Library for the Expert Witness Compression Format (EWF)
Owners:            kwizart
Branches:          F-8 F-7
InitialCC:         <empty>
Commits by cvsextras: yes
Comment 4 Jason Tibbitts 2007-11-05 11:15:21 EST
Well, there is http://fedoraproject.org/wiki/Licensing but it only deals with
compatibility between common licenses.  Doing that work for all licenses we know
about would require more lawyers than I care to think about.

If you have doubts about compatibility of a specific set of licenses, just ask
or block FE-Legal on your review ticket.
Comment 5 Kevin Fenzi 2007-11-05 11:47:49 EST
cvs done.
Comment 6 Nicolas Chauvet (kwizart) 2009-07-27 07:03:24 EDT
Package Change Request
======================
Package Name: libewf
New Branches: EL-5
Owners: kwizart
Comment 7 Kevin Fenzi 2009-07-28 00:48:22 EDT
cvs done.
