Bug 457924 - Review Request: libmicrohttpd - Lightweight library for embedding a webserver in applications
Summary: Review Request: libmicrohttpd - Lightweight library for embedding a webserver...
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Jason Tibbitts
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-08-05 14:54 UTC by Erik van Pienbroek
Modified: 2008-10-07 09:53 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-10-07 09:51:20 UTC
Type: ---
Embargoed:
j: fedora-review+
kevin: fedora-cvs+


Attachments (Terms of Use)

Description Erik van Pienbroek 2008-08-05 14:54:55 UTC
Spec URL: http://www.ftd4linux.nl/contrib/libmicrohttpd.spec
SRPM URL: http://www.ftd4linux.nl/contrib/libmicrohttpd-0.3.1-1.fc10.src.rpm

Description:

This is a library which can be used to embed a webserver in applications. I'm about to use it for one of my applications which is already available in Fedora (NNTPGrab).

The package consists of 3 sub-packages:
libmicrohttpd: the library itself
libmicrohttpd-devel: development files
libmicrohttpd-doc: API documentation and example source code

During compilation, the testsuite bundled with the library is also run

$ rpmlint libmicrohttpd.spec 
0 packages and 1 specfiles checked; 0 errors, 0 warnings.
$ rpmlint libmicrohttpd-0.3.1-1.fc10.src.rpm 
1 packages and 0 specfiles checked; 0 errors, 0 warnings.
$ rpmlint libmicrohttpd-*
libmicrohttpd.i386: W: no-documentation
libmicrohttpd-devel.i386: W: no-documentation
libmicrohttpd-doc.i386: E: zero-length /usr/share/doc/libmicrohttpd-doc-0.3.1/html/d8/d26/microhttpd_8h__incl.map
4 packages and 0 specfiles checked; 1 errors, 2 warnings.

The 2 no-documentation warnings are false positives, all the docs are bundled in the -doc subpackage.
The zero-length file is something which is auto-generated by doxygen..I don't know whether to leave it as is or remove the file manually.

Comment 1 Jason Tibbitts 2008-08-10 02:25:49 UTC
This package needs a license review, I think.

You have License: LGPLv2, but the source files all seem to be either LGPLv2+ or GPLv2+ (grep for "GNU Lesser" and "GNU General" and note the "any later version" language present in all files).  However, I don't know if any of the GPLv2+ stuff ends up on the final binary; it seems to be test-related.  You will need to check that; if that's the case, then the final product is GPLv2+; otherwise I think it would be LGPLv2+ unless some other license is involved.

rpmlint says:
  libmicrohttpd.x86_64: W: no-documentation
Actually the COPYING file should be in the main package, and this will go away when that's fixed.  (Eliminating this complaint isn't the reason for moving the COPYING file; we just want the license information in the package that people will be installing.)

  libmicrohttpd-devel.x86_64: W: no-documentation
Not a problem.

  libmicrohttpd-doc.x86_64: E: zero-length 
   /usr/share/doc/libmicrohttpd-doc-0.3.1/html/d8/d26/microhttpd_8h__incl.map
Doxygen tends to do this for whatever reason.  I don't think it's a big problem.

* source files match upstream:
   c38e3d74c1a97e2bd0442147003d6423acbe791979cb52d5e78b5fcfe95168ff  
   libmicrohttpd-0.3.1.tar.gz
* package meets naming and versioning guidelines.
* specfile is properly named, is cleanly written and uses macros consistently.
* summary is OK.
* description is OK.
* dist tag is present.
* build root is OK.
X license field matches the actual license.
* license is open source-compatible.
X license text not included in main package.
* latest version is being packaged.
* BuildRequires are proper.
* compiler flags are appropriate.
* %clean is present.
* package builds in mock (rawhide, x86_64).
* package installs properly.
* debuginfo package looks complete.
* rpmlint has acceptable complaints.
* final provides and requires are sane:
  libmicrohttpd-0.3.1-1.fc10.x86_64.rpm
   libmicrohttpd.so.4()(64bit)
   libmicrohttpd = 0.3.1-1.fc10
   libmicrohttpd(x86-64) = 0.3.1-1.fc10
  =
   /sbin/ldconfig
   info
   libmicrohttpd.so.4()(64bit)

  libmicrohttpd-devel-0.3.1-1.fc10.x86_64.rpm
   libmicrohttpd-devel = 0.3.1-1.fc10
   libmicrohttpd-devel(x86-64) = 0.3.1-1.fc10
  =
   libmicrohttpd = 0.3.1-1.fc10
   libmicrohttpd.so.4()(64bit)

  libmicrohttpd-doc-0.3.1-1.fc10.x86_64.rpm
   libmicrohttpd-doc = 0.3.1-1.fc10
   libmicrohttpd-doc(x86-64) = 0.3.1-1.fc10
  =
   /bin/sh
   libmicrohttpd = 0.3.1-1.fc10

* %check is present and all tests pass:
  All 3 tests passed
  All 15 tests passed

* shared libraries installed:
   ldconfig called properly.
   unversioned .so link is in the -devel package.
* owns the directories it creates.
* doesn't own any directories it shouldn't.
* no duplicates in %files.
* file permissions are appropriate.
* scriptlets are OK (install-info, ldconfig).
* code, not content.
* documentation is in a separate package.
* headers are in the -devel package.
* no pkgconfig files.
* no static libraries.
* no libtool .la files.

Comment 2 Erik van Pienbroek 2008-08-10 10:24:10 UTC
(In reply to comment #1)
> This package needs a license review, I think.
> 
> You have License: LGPLv2, but the source files all seem to be either LGPLv2+ or
> GPLv2+ (grep for "GNU Lesser" and "GNU General" and note the "any later
> version" language present in all files).  However, I don't know if any of the
> GPLv2+ stuff ends up on the final binary; it seems to be test-related.  You
> will need to check that; if that's the case, then the final product is GPLv2+;
> otherwise I think it would be LGPLv2+ unless some other license is involved.

The website of this project says the license is LGPL. This is confirmed in a mailing list posting ( http://crisp.cs.du.edu/pipermail/libmicrohttpd/2007/000001.html ) and a bugreport ( https://gnunet.org/mantis/view.php?id=1384 ). In the Subversion repository of this project, everything is already changed to LGPLv2+.

I'll change the License tag to LGPLv2+ in the spec file

> rpmlint says:
>   libmicrohttpd.x86_64: W: no-documentation
> Actually the COPYING file should be in the main package, and this will go away
> when that's fixed.  (Eliminating this complaint isn't the reason for moving the
> COPYING file; we just want the license information in the package that people
> will be installing.)

Fixed by moving the COPYING file to the main package

Comment 3 Erik van Pienbroek 2008-08-10 10:27:05 UTC
New package @ http://www.ftd4linux.nl/contrib/libmicrohttpd.spec and http://www.ftd4linux.nl/contrib/libmicrohttpd-0.3.1-2.fc10.src.rpm

I also forgot to mention the location of the SVN repository of this project, this is https://gnunet.org/svn/libmicrohttpd

Comment 4 Jason Tibbitts 2008-08-10 11:37:49 UTC
Well, we trust the licenses on the actual code in preference to what upstream says on their web site.  Upstreams rarely pay as much attention to licensing as we do and their web sites are often woefully inaccurate.  The presence of GPL source in the tarball should indicate that.

We could either wait until a new release comes out with the licensing cleaned up, or pull a snapshot from SVN, but it would probably be more reasonable to include a copy of that mailing list post as documentation in the package, and include those links as comments in the spec.

Otherwise I think this package is fine.

Comment 5 Erik van Pienbroek 2008-08-10 13:34:26 UTC
After some more investigation of the latest SVN snapshot I've found out there's a license incompatibility involved in this project. The HTTPS part of libmicrohttpd makes use of a (bundled and modified copy of) opencdk and openpgp. Both these projects are licensed under the GPLv2+ (opencdk) and GPLv3+ (openpgp) licenses. If libmicrohttpd really is LGPLv2+ this is a license incompatibility as these licenses don't mix.

There are also some other files which are still licensed under the GPLv2+ license, but as these are only testcases they are valid (they aren't bundled in the RPM files anyway).

I've reported this issue at upstream's bugtracker: https://gnunet.org/mantis/view.php?id=1404

If upstream doesn't respond in a few days, I'll disable HTTPS support in the package until the issue is really solved, but for now we'll have to wait for more clearance.

Comment 6 Jason Tibbitts 2008-08-10 14:22:42 UTC
I'm not sure there's any incompatibility there; the result would simply be GPLv3+. 

Perhaps the legal folks should look over things; I've added it to the legal blocker.

Comment 7 Erik van Pienbroek 2008-08-10 23:19:54 UTC
Upstream has confirmed the license incompatibility and is looking for a solution

Comment 8 Tom "spot" Callaway 2008-09-02 16:02:03 UTC
For what its worth, on a cursory glance, this is less of a "license incompatibility", and more of a "the resulting work would be GPLv3+".

As is, we can safely ship this in Fedora, tagged as "GPLv3+".

Comment 9 Erik van Pienbroek 2008-09-04 20:29:13 UTC
Upstream has removed the (GPL) opencdk and openpgp code from the SVN repository, so the license can stay at LGPL. I've just sent a mail to upstream's mailing list questioning when a new release can be expected (or if a SVN snapshot can be used) and I'm awaiting a response.

Comment 10 Erik van Pienbroek 2008-09-06 14:29:07 UTC
Upstream has told me there are some SSL issues in the SVN version of libmicrohttpd which need to be resolved first before a new release can be made.

So I've decided to stick with version 0.3.1 for now and change the license to GPLv3+. I've also added a comment explaining the situation in the .spec file

http://ftd4linux.nl/contrib/libmicrohttpd.spec
http://ftd4linux.nl/contrib/libmicrohttpd-0.3.1-3.fc10.src.rpm

Comment 11 Tom "spot" Callaway 2008-10-01 17:15:15 UTC
Lifting FE-Legal, we're fine to go forward with GPLv3+ here. When upstream resolves their issues, please correct the license tag accordingly.

Comment 12 Jason Tibbitts 2008-10-02 00:17:47 UTC
OK, so the only complaints I had were related to the license, and that's cleared up now, I think this is ready.

APPROVED

The package review process needs reviewers!  If you haven't done any package
reviews recently, please consider doing one.

Comment 13 Erik van Pienbroek 2008-10-02 16:31:52 UTC
Thanks for the review!

New Package CVS Request
=======================
Package Name: libmicrohttpd
Short Description: Lightweight library for embedding a webserver in applications
Owners: epienbro
Branches: F-8 F-9 EL-4 EL-5
InitialCC: epienbro

Comment 14 Huzaifa S. Sidhpurwala 2008-10-03 05:55:12 UTC
cvs done

Comment 15 Erik van Pienbroek 2008-10-03 10:07:35 UTC
Huzaifa, the summary in pkgdb contains a small typo: ightweight library for embedding a webserver in applications
The 'L' character in 'Lightweight' is missing. Could you please fix this?

Comment 16 Kevin Fenzi 2008-10-03 17:08:10 UTC
Fixed.

Comment 17 Fedora Update System 2008-10-03 20:05:54 UTC
libmicrohttpd-0.3.1-4.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/libmicrohttpd-0.3.1-4.fc8

Comment 18 Fedora Update System 2008-10-03 20:06:53 UTC
libmicrohttpd-0.3.1-3.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/libmicrohttpd-0.3.1-3.fc9

Comment 19 Fedora Update System 2008-10-07 09:51:00 UTC
libmicrohttpd-0.3.1-3.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2008-10-07 09:53:00 UTC
libmicrohttpd-0.3.1-4.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.