Bug 551763 - Review Request: lua-sec - Lua binding for OpenSSL library
Summary: Review Request: lua-sec - Lua binding for OpenSSL library
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Matěj Cepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: DuplicSysLibsTracker 551765
 
Reported: 2010-01-01 20:46 UTC by Johan Cwiklinski
Modified: 2018-04-11 17:40 UTC

Fixed In Version: lua-sec-0.4.1-2.fc17
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-04-21 21:00:23 UTC
Type: ---
Embargoed:
mcepl: fedora-review+
gwync: fedora-cvs+


Description Johan Cwiklinski 2010-01-01 20:46:53 UTC
Spec URL: http://odysseus.x-tnd.be/fedora/lua-sec/lua-sec.spec
SRPM URL: http://odysseus.x-tnd.be/fedora/lua-sec/lua-sec-0.4-1.fc12.src.rpm
Description:
Lua binding for OpenSSL library to provide TLS/SSL communication.
It takes an already established TCP connection and creates a secure
session between the peers.

Comment 1 Johan Cwiklinski 2010-01-01 20:51:26 UTC
rpmlint is clean for all produced packages.
SRPM builds fine in mock.

Comment 2 Adam Goode 2010-02-16 15:35:33 UTC
There seems to be a lot of duplicate code from luasocket here. Do you think it is possible to figure out if some of it can be removed (since luasec depends on luasocket anyway), or at least figure out how much code is duplicated? I mention this because of this:

http://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries

Comment 3 Johan Cwiklinski 2010-02-16 20:15:04 UTC
I really do not know, I'll take a look at that.
I did not pay attention code should be duplicated here :)

Comment 4 Johan Cwiklinski 2010-02-20 15:08:01 UTC
Looks like files embedded from luasocket are from an older version, but the one in the repositories should be used I guess.

Problem is that luasocket does not provide any -devel packages including .h files luasec should require. What can I do? Do I have to open a bug against luasocket for it to provide a -devel package?

Comment 5 Adam Goode 2010-02-23 06:25:29 UTC
Hmm. I think the correct thing to do is to get the necessary changes merged back into luasocket. I am not sure how easy it would be to get a new release of luasocket with these changes, there hasn't been a release in a while. Also, I am not sure how safe it would be for luasec to require "socket.core", because that would really tie luasec to the internals of the C interfaces. (It would probably be ok.)

It looks like only a tiny amount of changes would be necessary. io.h, socket.h, usocket.c?

Possibly it would make sense to merge luasocket and luasec together into one package at some point. luasocket is lacking IPv6, and this would require a new luasocket, so maybe it could just include luasec all together.


Practically speaking, if we want to move forward with luasec and prosody in Fedora soon, probably we should try to get a FESCO exemption for luasec's duplicate code from luasocket and then get a new luasocket/luasec released upstream that fixes these problems. Then IPv6 can be next.
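
Added example, not part of the bug thread and not code from luasec or luasocket: one way to quantify the duplication asked about in comments 2 and 5 is to diff same-named files from the fork against upstream and count shared lines. The file contents are constructed stand-ins, `ssl.c` is a hypothetical fork-only file, and matching files by name is an assumption.

```python
import difflib

# Constructed stand-ins for two source trees (file name -> contents).
UPSTREAM = {
    "io.h": "typedef int (*p_send)(void *ctx);\n"
            "typedef int (*p_recv)(void *ctx);\nvoid io_init(void);\n",
    "usocket.c": "int socket_open(void) {\n    return 1;\n}\n"
                 "int socket_close(void) {\n    return 0;\n}\n",
}
FORK = {
    "io.h": UPSTREAM["io.h"],
    # Re-indented addition on top of the upstream body.
    "usocket.c": UPSTREAM["usocket.c"] + "int socket_error(void) {\n  return -1;\n}\n",
    "ssl.c": "int ssl_handshake(void) {\n    return 0;\n}\n",  # hypothetical
}

def _lines(text):
    # Ignore blank lines and indentation so reformatting does not hide a copy.
    return [ln.strip() for ln in text.splitlines() if ln.strip()]

def bundled_report(fork, upstream):
    """Map each fork file to (status, shared_lines, fork_lines)."""
    report = {}
    for name, text in sorted(fork.items()):
        f = _lines(text)
        if name not in upstream:
            report[name] = ("fork-only", 0, len(f))
            continue
        u = _lines(upstream[name])
        sm = difflib.SequenceMatcher(None, f, u, autojunk=False)
        shared = sum(block.size for block in sm.get_matching_blocks())
        if f == u:
            status = "identical"
        elif shared:
            status = "modified-copy"
        else:
            status = "rewritten"
        report[name] = (status, shared, len(f))
    return report

def shared_fraction(report):
    """Fraction of the fork's lines that also appear in upstream."""
    total = sum(n for _, _, n in report.values())
    return sum(s for _, s, _ in report.values()) / total if total else 0.0

if __name__ == "__main__":
    rep = bundled_report(FORK, UPSTREAM)
    for name, (status, shared, total) in rep.items():
        print(f"{name:10} {status:14} {shared}/{total} lines shared")
    print(f"overall: {shared_fraction(rep):.0%} of fork lines come from upstream")
```

Files reported as `modified-copy` are the ones where security fixes in upstream will not reach the fork automatically and need tracking.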

Comment 6 Jan Kaluža 2010-08-06 08:32:17 UTC
Hi Johan,
what's the current state, please? I would like to see Prosody in Fedora. If you haven't tried so far, I can contact luasocket author to find out his opinion of possible merge with luasec.

Comment 7 Adam Goode 2010-08-10 18:40:20 UTC
I think luasocket is pretty much completed, the upstream considers it finished, if I remember. Another big issue here is IPv6 support, which luasocket does not support and I don't think ever really will.

I commented on the prosody bugtracker on the IPv6 bug:
http://code.google.com/p/lxmppd/issues/detail?id=68#c6

I think that nixio is the way forward, since it takes care of IPv6 and SSL all in one.

Comment 8 Thom Carlin 2011-02-18 23:11:43 UTC
Adam, any updates on this?

Comment 9 Adam Goode 2011-02-20 18:30:17 UTC
There have been no changes: IPv6 is still not supported, and luasec is still a fork of luasocket. I consider both of these blockers for this review.

Comment 10 Thom Carlin 2011-02-22 17:53:25 UTC
Johan, how do you feel about nixio vs. lua-sec?

Comment 11 Adam Goode 2011-02-23 04:14:34 UTC
The main reason for this package is to run prosody. You probably want to convince prosody upstream to use nixio instead of luasocket and luasec. Otherwise, there isn't much point to packaging nixio.

Comment 12 Johan Cwiklinski 2011-02-23 06:52:03 UTC
Since I opened that review request, I've stopped maintaining packages in Fedora repositories. I do not really know what to do with this request, should it be closed?

Anyways, Adam is right, the only reason for me to make a package such as lua-sec was to run the Prosody jabber (see https://bugzilla.redhat.com/show_bug.cgi?id=551765) server over SSL.

Comment 13 Toshio Ernie Kuratomi 2011-02-23 18:51:21 UTC
Does anybody want to take over this package submission?  (Adam?)  If not we should probably close it and if someone wants to take it up in the future, they can either reopen this request or start a new one.

Comment 14 Adam Goode 2011-02-23 19:10:57 UTC
No, this package is a dead end as it stands.

Comment 15 Thom Carlin 2011-02-23 19:18:06 UTC
What about Prosody?

Comment 16 Adam Goode 2011-02-23 20:06:40 UTC
I love prosody and use it myself. If it can be built without lua-sec, then it should go into Fedora. Lack of IPv6 support is unfortunate, but not a total showstopper in my opinion. lua-sec being a fork of luasocket is.

Comment 17 Matěj Cepl 2011-05-23 16:48:24 UTC
(In reply to comment #15)
> What about Prosody?

Just to note bug 551765 comment 21.

Comment 18 Jan Kaluža 2012-03-02 06:40:17 UTC
According to the last Fesco meeting forks are allowed and if I understand it well, it should be possible to review lua-sec now (If I'm not right, please correct me):

> At the 2012-02-27 meeting we agreed to forks are allowed provided they do not
> conflict or interfere with other packages. FPC may add additional guidelines to
> forks as they see fit 

-- https://fedorahosted.org/fesco/ticket/810

Comment 19 Matěj Cepl 2012-03-02 13:01:06 UTC
In view of comment 18, reopening this bug and taking over the review.

Comment 20 Matěj Cepl 2012-03-02 14:46:51 UTC
Legend: + = PASSED, - = FAILED, 0 = Not Applicable

+ MUST: rpmlint must be run on every package. The output should be posted in
the review

$ rpmlint -i *.rpm
3 packages and 0 specfiles checked; 0 errors, 0 warnings.
$ 

+ MUST: package named according to the Package Naming Guidelines
changed from luasec to lua-sec to follow https://fedoraproject.org/wiki/PackagingDrafts/Lua
+ MUST: The spec file name must match the base package %{name}
- MUST: The package must meet the Packaging Guidelines .
Per above mentioned Lua Packaging Guidelines spec file should contain

%if 0%{?fedora} >= 16 || 0%{?rhel} >= 7
Requires: lua(abi) = %{luaver}
%else
Requires: lua >= %{luaver}
%endif

+ MUST: The package licensed with a Fedora approved license and meets the
Licensing Guidelines
+ MUST: The License field in the package spec file matches the actual
license
MIT
+ MUST: If (and only if) the source package includes the text of the license(s)
in its own file, then that file, containing the text of the license(s) for the
package must be included in %doc.
LICENSE is included.
+ MUST: The spec file must be written in American English.
+ MUST: The spec file for the package MUST be legible.
+ MUST: The sources used to build the package must match the upstream
source, as provided in the spec URL. Reviewers should use md5sum for this task
MD5: 712158d60207bdbb6215fc7e07d8db24
+ MUST: The package successfully compiles and builds into binary rpms on at
least one primary architecture - build in koji, no problems
0 MUST: If the package does not successfully compile, build or work on an
architecture, then those architectures should be listed in the spec in
ExcludeArch
+ MUST: All build dependencies must be listed in BuildRequires, except for any
that are listed in the exceptions section of the Packaging Guidelines
Builds in koji (http://koji.fedoraproject.org/koji/taskinfo?taskID=3846510)
0 MUST: The spec file handles locales properly. This is done by using the
%find_lang macro
No locales are present.
0 MUST: Every binary RPM package (or subpackage) which stores shared library
files (not just symlinks) in any of the dynamic linker's default paths, must
call ldconfig in %post and %postun.
No libraries provided.
+ MUST: Packages must NOT bundle copies of system libraries
0 MUST: If the package is designed to be relocatable, the packager must state
this fact in the request for review, along with the rationalization for
relocation of that specific package. Without this, use of Prefix: /usr is
considered a blocker
- MUST: Package must own all directories that it creates. If it does not create
a directory that it uses, then it should require a package which does create
that directory

Missing explicit requirement of lua package (which owns %{luapkgdir} used by package).

+ MUST: Package must not list a file more than once in the spec file's %files
listings
+ MUST: Each package must have a %clean section, which contains rm -rf
%{buildroot} (or $RPM_BUILD_ROOT).
+ MUST: Each package must consistently use macros
+ MUST: The package must contain code, or permissible content
0 MUST: Large documentation files must go in a -doc subpackage
+ MUST: If a package includes something as %doc, it must not affect the runtime
of the application
0 MUST: Header files must be in a -devel package
0 MUST: Static libraries must be in a -static package
0 MUST: Packages containing pkgconfig(.pc) files must 'Requires: pkgconfig'
0 MUST: If a package contains library files with a suffix (e.g. libfoo.so.1.1),
then library files that end in .so (without suffix) must go in a -devel package
0 MUST: devel packages must require the base package using a fully versioned
dependency: Requires: %{name} = %{version}-%{release}
+ MUST: Packages must NOT contain any .la libtool archives, these must be
removed in the spec if they are built
0 MUST: Packages containing GUI applications must include a %{name}.desktop
file, and that file must be properly installed with desktop-file-install in the
%install section
+ MUST: Packages must not own files or directories already owned by other
packages
- MUST: At the beginning of %install, each package MUST run rm -rf %{buildroot}
(or $RPM_BUILD_ROOT)
+ MUST: All filenames in rpm packages must be valid UTF-8

Just a nitpick:
- please fix lua requirement as shown above.

Comment 21 Johan Cwiklinski 2012-03-06 20:05:48 UTC
I've upgraded the package to latest upstream release (0.4.1).

I'm unsure about lua requirement, since lua-sec requires lua-socket, which one should take care of lua requirement; anyways, I've added the requirement to the new specfile version.

Spec URL: http://odysseus.x-tnd.be/fedora/lua-sec/lua-sec.spec
SRPM URL: http://odysseus.x-tnd.be/fedora/lua-sec/lua-sec-0.4.1-1.fc16.trashy.src.rpm

Package builds fine in mock; rpmlint is clean.

Comment 22 Matěj Cepl 2012-03-06 22:05:57 UTC
(In reply to comment #21)
> I'm unsure about lua requirement, since lua-sec requires lua-socket, which one
> should take care of lua requirement; anyways, I've added the requirement to the
> new specfile version.

It is not only requirements, but also packages are required to require packages which provide directories they use.

> Spec URL: http://odysseus.x-tnd.be/fedora/lua-sec/lua-sec.spec
> SRPM URL:
> http://odysseus.x-tnd.be/fedora/lua-sec/lua-sec-0.4.1-1.fc16.trashy.src.rpm
> 
> Package builds fine in mock; rpmlint is clean.

Builds in koji as well http://koji.fedoraproject.org/koji/taskinfo?taskID=3860851

APPROVED!

Comment 23 Matěj Cepl 2012-03-06 22:24:03 UTC
One more thing, please remove %{__mkdir} macros from

%{__mkdir} -p $RPM_BUILD_ROOT%{luapkgdir}
%{__mkdir} -p $RPM_BUILD_ROOT%{lualibdir}

It is a bad mannerism and use of these macros is strongly discouraged by the Packaging guidelines.

Comment 24 Johan Cwiklinski 2012-03-06 22:37:52 UTC
New Package SCM Request
=======================
Package Name: lua-sec
Short Description: Lua binding for OpenSSL library
Owners: trasher
Branches: f15 f16 el6
InitialCC: trasher

Comment 25 Johan Cwiklinski 2012-03-06 22:38:44 UTC
(In reply to comment #23)
> One more thing, please remove %{__mkdir} macros from
> [...]

OK, I'll fix that. Thank you for the review :)

Comment 26 Gwyn Ciesla 2012-03-07 02:13:32 UTC
Git done (by process-git-requests).

Added f17.

Comment 27 Fedora Update System 2012-03-08 17:15:10 UTC
lua-sec-0.4.1-2.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/lua-sec-0.4.1-2.fc17

Comment 28 Fedora Update System 2012-03-08 17:15:22 UTC
lua-sec-0.4.1-2.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/lua-sec-0.4.1-2.fc15

Comment 29 Fedora Update System 2012-03-08 17:15:33 UTC
lua-sec-0.4.1-2.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/lua-sec-0.4.1-2.el6

Comment 30 Fedora Update System 2012-03-08 17:16:05 UTC
lua-sec-0.4.1-2.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/lua-sec-0.4.1-2.fc16

Comment 31 Fedora Update System 2012-03-09 01:07:13 UTC
lua-sec-0.4.1-2.fc17 has been pushed to the Fedora 17 testing repository.

Comment 32 Fedora Update System 2012-04-21 21:00:23 UTC
lua-sec-0.4.1-2.el6 has been pushed to the Fedora EPEL 6 stable repository.

Comment 33 Fedora Update System 2012-04-22 03:33:56 UTC
lua-sec-0.4.1-2.fc16 has been pushed to the Fedora 16 stable repository.

Comment 34 Fedora Update System 2012-04-22 03:43:00 UTC
lua-sec-0.4.1-2.fc15 has been pushed to the Fedora 15 stable repository.

Comment 35 Fedora Update System 2012-04-22 04:20:13 UTC
lua-sec-0.4.1-2.fc17 has been pushed to the Fedora 17 stable repository.

Comment 36 Robert Scheck 2015-02-14 19:48:29 UTC
Package Change Request
======================
Package Name: lua-sec
New Branches: epel7
Owners: robert

Comment 37 Gwyn Ciesla 2015-02-16 14:19:00 UTC
Git done (by process-git-requests).
