I'm willing to review this package (I will try to get someone more experienced
to check my review afterwards)

There are some problems with your submission:
First of all please update the package to 0.9.4 as 0.9.3 contains a remotely
exploitable bug (allows overwriting arbitrary files, manipulating the
application's session and last but not least remote code execution, see
http://groups.google.com/group/turbogears/browse_thread/thread/0f1079fb982c549b
for more details).

Furthermore there are some problems with your spec file:
$ rpmlint python-beaker-0.9.3-1.fc8.src.rpm 
python-beaker.src: W: summary-ended-with-dot WSGI middleware layer to provide
sessions.

Please fix this (and assure that rpmlint does not complain about other things).

Manual inspection of the spec file revealed another issue:
"Source0: http://pypi.python.org/packages/source/B/Beaker-%{version}.tar.gz"

This URL is not valid,
http://pypi.python.org/packages/source/B/Beaker-0.9.3.tar.gz does not exist.

Updated to 0.9.4, fixed rpmlint complaints and added missing %doc items.

Spec URL: http://www.kylev.com/pylons-rpm/python-beaker.spec
SRPM URL: http://www.kylev.com/pylons-rpm/python-beaker-0.9.4-1f8.src.rpm

Review:

MUST items
- no rpmlint output for srpm
- package naming ok for python module
- spec file name matches package name
- packaging guidelines are met
- license tag in spec file is 'MIT', upstream names it 'MIT' in setup.py but
  actual license text included in the package is 3 clause BSD (without 
  advertising).

=> I'm not quite what we should do here. At least the license tag in the spec
   file must be updated (3 clause BSD is acceptable for Fedora) but to be sure
   we should ask upstream under what license the code is placed.

Furthermore, there are some file in the package which do use a form of MIT 
license:
* beaker/converters.py uses MIT / "Modern Style with sublicense", no license text
  only referenced URL
* beaker/crypto/pbkdf2.py uses MIT / "Old Style with legal disclaimer 3"
  (variant names taken from http://fedoraproject.org/wiki/Licensing/MIT)

What should we do with them? The most part of the code is BSD(?, see above). I
think RPM does only accept a single license tag.

- license text (BSD) is separate file named LICENSE, included in %doc
- spec file written in English and is legible
- sources match upstream (md5sum 9e474576e948d7f80ce238d31c80ade3)
- package builds in mock on x86_64 for Fedora 8
- buildreqs OK
- no shared libraries, static libraries, header files, pkgconfig files, or
  locale files
- package doesn't claim to be relocatable
- directory ownership OK
- no duplicate files
- %defattr(...) present and correct in %files section
- %clean section present and correct
- %install section properly cleans buildroot first
- macro usage is ok
- package does only contain code
- runtime does not depend on docs
- no GUI, therefore no .desktop file
- filenames are all ascii

SHOULD items:
- builds in mock
- package is a library but basic functional test passed
- no file dependencies


Paul Howarth suggest for my own python package that I use a more specific file
list ("%{python_sitelib}/beaker*", ...) which seems to be a good idea for your 
package too:
"this helps catch future changes that create extra files in the package, which
you might want to document further in the changelog etc."

We can change the files section to do this:

%{python_sitelib}/beaker/*
%{python_sitelib}/Beaker*

You have to do this to get the egg info for this type of schizophrenic "I'm
'Beaker' and provide 'beaker'" mixed case packages.  Updated:

Spec URL: http://www.kylev.com/pylons-rpm/python-beaker.spec
SRPM URL: http://www.kylev.com/pylons-rpm/python-beaker-0.9.4-2.fc8.src.rpm

I don't think the license issue is a blocker (the variants are all Fedora-safe).
 I just used the one declared in setup.py.  I've written to upstream to see if
they can clarify it in the future.

Upstream responded, it's going all BSD:
  http://beaker.groovie.org/beaker/changeset/141%3Abd2a1de25888/setup.py

Spec file updated to reflect that, with patch to make it look correct (he forgot
to update the classifiers, but he will):

Spec URL: http://www.kylev.com/pylons-rpm/python-beaker.spec
SRPM URL: http://www.kylev.com/pylons-rpm/python-beaker-0.9.4-3.fc8.src.rpm

You need %{python_sitelib}/beaker/ rather than %{python_sitelib}/beaker/* in the
%files list so that the directory %{python_sitelib}/beaker/ (as well as its
contents) is owned by the package.

Thanks, Paul.  Updated again:

Spec URL: http://www.kylev.com/pylons-rpm/python-beaker.spec
SRPM URL: http://www.kylev.com/pylons-rpm/python-beaker-0.9.4-4.fc8.src.rpm

Man, I'm sloppy this time 'round!

MD5Sum:
9e474576e948d7f80ce238d31c80ade3  Beaker-0.9.4.tar.gz

Good:
* Source URL is canonical
* Upstream source tarball verified
* Package name conforms to the Fedora Naming Guidelines
* Group Tag is from the official list
* Valid license tag
* Buildroot has all required elements
* All paths begin with macros
* All necessary BuildRequires listed.
* Files have appropriate permissions and owners (except the noted item below)
* Package installs and uninstalls cleanly

Bad:
* rpmlint produces the following error that should be looked at before importing
into CVS:
python-beaker.noarch: E: non-executable-script
/usr/lib/python2.5/site-packages/beaker/crypto/pbkdf2.py 0644

+1 APPROVED.

New Package CVS Request
=======================
Package Name: python-beaker
Short Description: Python WSGI middleware for sessions
Owners: kylev,fschwarz
Branches: F-8 F-9
InitialCC: 
Cvsextras Commits: yes

cvs done.

python-beaker-0.9.4-4.fc8 has been submitted as an update for Fedora 8

python-beaker-0.9.4-4.fc9 has been submitted as an update for Fedora 9

python-beaker-0.9.4-4.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

python-beaker-0.9.4-4.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.