Bug 445018 - Review Request: python-beaker - WSGI middleware for sessions
Review Request: python-beaker - WSGI middleware for sessions
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
rawhide
All Linux
low Severity medium
: ---
: ---
Assigned To: Brian Pepple
Fedora Extras Quality Assurance
:
Depends On:
Blocks: 445020 445028
  Show dependency treegraph
 
Reported: 2008-05-02 15:07 EDT by Kyle VanderBeek
Modified: 2008-06-12 22:27 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-27 20:03:39 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
bdpepple: fedora‑review+
tcallawa: fedora‑cvs+


Attachments (Terms of Use)

  None (edit)
Description Kyle VanderBeek 2008-05-02 15:07:25 EDT
Spec URL: http://www.kylev.com/pylons-rpm/python-beaker.spec
SRPM URL: http://www.kylev.com/pylons-rpm/python-beaker-0.9.3-1.fc8.src.rpm
Description: Beaker is a caching and web session library.  It includes middleware for WSGI, and is a prerequisite for using Pylons.
Comment 1 Felix Schwarz 2008-05-10 16:45:24 EDT
I'm willing to review this package (I will try to get someone more experienced
to check my review afterwards)
Comment 2 Felix Schwarz 2008-05-10 17:03:33 EDT
There are some problems with your submission:
First of all please update the package to 0.9.4 as 0.9.3 contains a remotely
exploitable bug (allows overwriting arbitrary files, manipulating the
application's session and last but not least remote code execution, see
http://groups.google.com/group/turbogears/browse_thread/thread/0f1079fb982c549b
for more details).

Furthermore there are some problems with your spec file:
$ rpmlint python-beaker-0.9.3-1.fc8.src.rpm 
python-beaker.src: W: summary-ended-with-dot WSGI middleware layer to provide
sessions.

Please fix this (and assure that rpmlint does not complain about other things).

Manual inspection of the spec file revealed another issue:
"Source0: http://pypi.python.org/packages/source/B/Beaker-%{version}.tar.gz"

This URL is not valid,
http://pypi.python.org/packages/source/B/Beaker-0.9.3.tar.gz does not exist.


Comment 3 Kyle VanderBeek 2008-05-11 19:40:26 EDT
Updated to 0.9.4, fixed rpmlint complaints and added missing %doc items.

Spec URL: http://www.kylev.com/pylons-rpm/python-beaker.spec
SRPM URL: http://www.kylev.com/pylons-rpm/python-beaker-0.9.4-1f8.src.rpm
Comment 4 Felix Schwarz 2008-05-12 16:04:36 EDT
Review:

MUST items
- no rpmlint output for srpm
- package naming ok for python module
- spec file name matches package name
- packaging guidelines are met
- license tag in spec file is 'MIT', upstream names it 'MIT' in setup.py but
  actual license text included in the package is 3 clause BSD (without 
  advertising).

=> I'm not quite what we should do here. At least the license tag in the spec
   file must be updated (3 clause BSD is acceptable for Fedora) but to be sure
   we should ask upstream under what license the code is placed.

Furthermore, there are some file in the package which do use a form of MIT 
license:
* beaker/converters.py uses MIT / "Modern Style with sublicense", no license text
  only referenced URL
* beaker/crypto/pbkdf2.py uses MIT / "Old Style with legal disclaimer 3"
  (variant names taken from http://fedoraproject.org/wiki/Licensing/MIT)

What should we do with them? The most part of the code is BSD(?, see above). I
think RPM does only accept a single license tag.

- license text (BSD) is separate file named LICENSE, included in %doc
- spec file written in English and is legible
- sources match upstream (md5sum 9e474576e948d7f80ce238d31c80ade3)
- package builds in mock on x86_64 for Fedora 8
- buildreqs OK
- no shared libraries, static libraries, header files, pkgconfig files, or
  locale files
- package doesn't claim to be relocatable
- directory ownership OK
- no duplicate files
- %defattr(...) present and correct in %files section
- %clean section present and correct
- %install section properly cleans buildroot first
- macro usage is ok
- package does only contain code
- runtime does not depend on docs
- no GUI, therefore no .desktop file
- filenames are all ascii

SHOULD items:
- builds in mock
- package is a library but basic functional test passed
- no file dependencies


Paul Howarth suggest for my own python package that I use a more specific file
list ("%{python_sitelib}/beaker*", ...) which seems to be a good idea for your 
package too:
"this helps catch future changes that create extra files in the package, which
you might want to document further in the changelog etc."

Comment 5 Kyle VanderBeek 2008-05-12 16:34:51 EDT
We can change the files section to do this:

%{python_sitelib}/beaker/*
%{python_sitelib}/Beaker*

You have to do this to get the egg info for this type of schizophrenic "I'm
'Beaker' and provide 'beaker'" mixed case packages.  Updated:

Spec URL: http://www.kylev.com/pylons-rpm/python-beaker.spec
SRPM URL: http://www.kylev.com/pylons-rpm/python-beaker-0.9.4-2.fc8.src.rpm

I don't think the license issue is a blocker (the variants are all Fedora-safe).
 I just used the one declared in setup.py.  I've written to upstream to see if
they can clarify it in the future.
Comment 6 Kyle VanderBeek 2008-05-12 18:21:42 EDT
Upstream responded, it's going all BSD:
  http://beaker.groovie.org/beaker/changeset/141%3Abd2a1de25888/setup.py

Spec file updated to reflect that, with patch to make it look correct (he forgot
to update the classifiers, but he will):

Spec URL: http://www.kylev.com/pylons-rpm/python-beaker.spec
SRPM URL: http://www.kylev.com/pylons-rpm/python-beaker-0.9.4-3.fc8.src.rpm
Comment 7 Paul Howarth 2008-05-12 18:43:38 EDT
You need %{python_sitelib}/beaker/ rather than %{python_sitelib}/beaker/* in the
%files list so that the directory %{python_sitelib}/beaker/ (as well as its
contents) is owned by the package.
Comment 8 Kyle VanderBeek 2008-05-12 21:52:04 EDT
Thanks, Paul.  Updated again:

Spec URL: http://www.kylev.com/pylons-rpm/python-beaker.spec
SRPM URL: http://www.kylev.com/pylons-rpm/python-beaker-0.9.4-4.fc8.src.rpm

Man, I'm sloppy this time 'round!
Comment 9 Brian Pepple 2008-05-26 19:10:07 EDT
MD5Sum:
9e474576e948d7f80ce238d31c80ade3  Beaker-0.9.4.tar.gz

Good:
* Source URL is canonical
* Upstream source tarball verified
* Package name conforms to the Fedora Naming Guidelines
* Group Tag is from the official list
* Valid license tag
* Buildroot has all required elements
* All paths begin with macros
* All necessary BuildRequires listed.
* Files have appropriate permissions and owners (except the noted item below)
* Package installs and uninstalls cleanly

Bad:
* rpmlint produces the following error that should be looked at before importing
into CVS:
python-beaker.noarch: E: non-executable-script
/usr/lib/python2.5/site-packages/beaker/crypto/pbkdf2.py 0644

+1 APPROVED.
Comment 10 Kyle VanderBeek 2008-05-26 23:51:19 EDT
New Package CVS Request
=======================
Package Name: python-beaker
Short Description: Python WSGI middleware for sessions
Owners: kylev,fschwarz
Branches: F-8 F-9
InitialCC: 
Cvsextras Commits: yes
Comment 11 Tom "spot" Callaway 2008-05-27 16:10:04 EDT
cvs done.
Comment 12 Fedora Update System 2008-05-27 19:14:15 EDT
python-beaker-0.9.4-4.fc8 has been submitted as an update for Fedora 8
Comment 13 Fedora Update System 2008-05-27 19:15:12 EDT
python-beaker-0.9.4-4.fc9 has been submitted as an update for Fedora 9
Comment 14 Fedora Update System 2008-06-12 22:25:41 EDT
python-beaker-0.9.4-4.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2008-06-12 22:27:59 EDT
python-beaker-0.9.4-4.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.