Red Hat Bugzilla – Bug 457924
Review Request: libmicrohttpd - Lightweight library for embedding a webserver in applications
Last modified: 2008-10-07 05:53:00 EDT
Spec URL: http://www.ftd4linux.nl/contrib/libmicrohttpd.spec
SRPM URL: http://www.ftd4linux.nl/contrib/libmicrohttpd-0.3.1-1.fc10.src.rpm
This is a library which can be used to embed a webserver in applications. I'm about to use it for one of my applications which is already available in Fedora (NNTPGrab).
The package consists of 3 sub-packages:
libmicrohttpd: the library itself
libmicrohttpd-devel: development files
libmicrohttpd-doc: API documentation and example source code
During compilation, the testsuite bundled with the library is also run
$ rpmlint libmicrohttpd.spec
0 packages and 1 specfiles checked; 0 errors, 0 warnings.
$ rpmlint libmicrohttpd-0.3.1-1.fc10.src.rpm
1 packages and 0 specfiles checked; 0 errors, 0 warnings.
$ rpmlint libmicrohttpd-*
libmicrohttpd.i386: W: no-documentation
libmicrohttpd-devel.i386: W: no-documentation
libmicrohttpd-doc.i386: E: zero-length /usr/share/doc/libmicrohttpd-doc-0.3.1/html/d8/d26/microhttpd_8h__incl.map
4 packages and 0 specfiles checked; 1 errors, 2 warnings.
The 2 no-documentation warnings are false positives, all the docs are bundled in the -doc subpackage.
The zero-length file is something which is auto-generated by doxygen..I don't know whether to leave it as is or remove the file manually.
This package needs a license review, I think.
You have License: LGPLv2, but the source files all seem to be either LGPLv2+ or GPLv2+ (grep for "GNU Lesser" and "GNU General" and note the "any later version" language present in all files). However, I don't know if any of the GPLv2+ stuff ends up on the final binary; it seems to be test-related. You will need to check that; if that's the case, then the final product is GPLv2+; otherwise I think it would be LGPLv2+ unless some other license is involved.
libmicrohttpd.x86_64: W: no-documentation
Actually the COPYING file should be in the main package, and this will go away when that's fixed. (Eliminating this complaint isn't the reason for moving the COPYING file; we just want the license information in the package that people will be installing.)
libmicrohttpd-devel.x86_64: W: no-documentation
Not a problem.
libmicrohttpd-doc.x86_64: E: zero-length
Doxygen tends to do this for whatever reason. I don't think it's a big problem.
* source files match upstream:
* package meets naming and versioning guidelines.
* specfile is properly named, is cleanly written and uses macros consistently.
* summary is OK.
* description is OK.
* dist tag is present.
* build root is OK.
X license field matches the actual license.
* license is open source-compatible.
X license text not included in main package.
* latest version is being packaged.
* BuildRequires are proper.
* compiler flags are appropriate.
* %clean is present.
* package builds in mock (rawhide, x86_64).
* package installs properly.
* debuginfo package looks complete.
* rpmlint has acceptable complaints.
* final provides and requires are sane:
libmicrohttpd = 0.3.1-1.fc10
libmicrohttpd(x86-64) = 0.3.1-1.fc10
libmicrohttpd-devel = 0.3.1-1.fc10
libmicrohttpd-devel(x86-64) = 0.3.1-1.fc10
libmicrohttpd = 0.3.1-1.fc10
libmicrohttpd-doc = 0.3.1-1.fc10
libmicrohttpd-doc(x86-64) = 0.3.1-1.fc10
libmicrohttpd = 0.3.1-1.fc10
* %check is present and all tests pass:
All 3 tests passed
All 15 tests passed
* shared libraries installed:
ldconfig called properly.
unversioned .so link is in the -devel package.
* owns the directories it creates.
* doesn't own any directories it shouldn't.
* no duplicates in %files.
* file permissions are appropriate.
* scriptlets are OK (install-info, ldconfig).
* code, not content.
* documentation is in a separate package.
* headers are in the -devel package.
* no pkgconfig files.
* no static libraries.
* no libtool .la files.
(In reply to comment #1)
> This package needs a license review, I think.
> You have License: LGPLv2, but the source files all seem to be either LGPLv2+ or
> GPLv2+ (grep for "GNU Lesser" and "GNU General" and note the "any later
> version" language present in all files). However, I don't know if any of the
> GPLv2+ stuff ends up on the final binary; it seems to be test-related. You
> will need to check that; if that's the case, then the final product is GPLv2+;
> otherwise I think it would be LGPLv2+ unless some other license is involved.
The website of this project says the license is LGPL. This is confirmed in a mailing list posting ( http://crisp.cs.du.edu/pipermail/libmicrohttpd/2007/000001.html ) and a bugreport ( https://gnunet.org/mantis/view.php?id=1384 ). In the Subversion repository of this project, everything is already changed to LGPLv2+.
I'll change the License tag to LGPLv2+ in the spec file
> rpmlint says:
> libmicrohttpd.x86_64: W: no-documentation
> Actually the COPYING file should be in the main package, and this will go away
> when that's fixed. (Eliminating this complaint isn't the reason for moving the
> COPYING file; we just want the license information in the package that people
> will be installing.)
Fixed by moving the COPYING file to the main package
New package @ http://www.ftd4linux.nl/contrib/libmicrohttpd.spec and http://www.ftd4linux.nl/contrib/libmicrohttpd-0.3.1-2.fc10.src.rpm
I also forgot to mention the location of the SVN repository of this project, this is https://gnunet.org/svn/libmicrohttpd
Well, we trust the licenses on the actual code in preference to what upstream says on their web site. Upstreams rarely pay as much attention to licensing as we do and their web sites are often woefully inaccurate. The presence of GPL source in the tarball should indicate that.
We could either wait until a new release comes out with the licensing cleaned up, or pull a snapshot from SVN, but it would probably be more reasonable to include a copy of that mailing list post as documentation in the package, and include those links as comments in the spec.
Otherwise I think this package is fine.
After some more investigation of the latest SVN snapshot I've found out there's a license incompatibility involved in this project. The HTTPS part of libmicrohttpd makes use of a (bundled and modified copy of) opencdk and openpgp. Both these projects are licensed under the GPLv2+ (opencdk) and GPLv3+ (openpgp) licenses. If libmicrohttpd really is LGPLv2+ this is a license incompatibility as these licenses don't mix.
There are also some other files which are still licensed under the GPLv2+ license, but as these are only testcases they are valid (they aren't bundled in the RPM files anyway).
I've reported this issue at upstream's bugtracker: https://gnunet.org/mantis/view.php?id=1404
If upstream doesn't respond in a few days, I'll disable HTTPS support in the package until the issue is really solved, but for now we'll have to wait for more clearance.
I'm not sure there's any incompatibility there; the result would simply be GPLv3+.
Perhaps the legal folks should look over things; I've added it to the legal blocker.
Upstream has confirmed the license incompatibility and is looking for a solution
For what its worth, on a cursory glance, this is less of a "license incompatibility", and more of a "the resulting work would be GPLv3+".
As is, we can safely ship this in Fedora, tagged as "GPLv3+".
Upstream has removed the (GPL) opencdk and openpgp code from the SVN repository, so the license can stay at LGPL. I've just sent a mail to upstream's mailing list questioning when a new release can be expected (or if a SVN snapshot can be used) and I'm awaiting a response.
Upstream has told me there are some SSL issues in the SVN version of libmicrohttpd which need to be resolved first before a new release can be made.
So I've decided to stick with version 0.3.1 for now and change the license to GPLv3+. I've also added a comment explaining the situation in the .spec file
Lifting FE-Legal, we're fine to go forward with GPLv3+ here. When upstream resolves their issues, please correct the license tag accordingly.
OK, so the only complaints I had were related to the license, and that's cleared up now, I think this is ready.
The package review process needs reviewers! If you haven't done any package
reviews recently, please consider doing one.
Thanks for the review!
New Package CVS Request
Package Name: libmicrohttpd
Short Description: Lightweight library for embedding a webserver in applications
Branches: F-8 F-9 EL-4 EL-5
Huzaifa, the summary in pkgdb contains a small typo: ightweight library for embedding a webserver in applications
The 'L' character in 'Lightweight' is missing. Could you please fix this?
libmicrohttpd-0.3.1-4.fc8 has been submitted as an update for Fedora 8.
libmicrohttpd-0.3.1-3.fc9 has been submitted as an update for Fedora 9.
libmicrohttpd-0.3.1-3.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
libmicrohttpd-0.3.1-4.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.