Spec URL: http://cern.ch/straylen/rpms/shibboleth/shibboleth.spec
SRPM URL: http://cern.ch/straylen/rpms/shibboleth/shibboleth-2.3.1-1.fc13.src.rpm
Description: The Shibboleth System is a standards based, open source software package for web single sign-on across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.

$ rpmlint SPECS/shibboleth.spec \
    SRPMS/shibboleth-2.3.1-1.fc13.src.rpm \
    RPMS/noarch/shibboleth-doc-2.3.1-1.fc13.noarch.rpm \
    RPMS/x86_64/shibboleth-*
shibboleth.x86_64: W: non-standard-uid /var/log/shibboleth shibd
shibboleth.x86_64: W: non-standard-gid /var/log/shibboleth shibd
shibboleth.x86_64: W: non-standard-uid /var/run/shibboleth shibd
shibboleth.x86_64: W: non-standard-gid /var/run/shibboleth shibd
shibboleth.x86_64: W: log-files-without-logrotate /var/log/shibboleth
shibboleth.x86_64: W: no-reload-entry /etc/rc.d/init.d/shibd
shibboleth.x86_64: W: incoherent-init-script-name shibd ('shibboleth', 'shibbolethd')
shibboleth-devel.x86_64: W: no-documentation
5 packages and 1 specfiles checked; 0 errors, 8 warnings.

The uid warnings are expected since shibd runs as user shibd so needs to be able to write to these directories.

The log-files-without-logrotate warning is expected since log4cpp is taking care of the log file rotation and eventual deletion.

Steve
Following comments about one of the patches submitted upstream this contains a replacement patch. It does the alter the packaging in any particular way.

Spec URL: http://cern.ch/straylen/rpms/shibboleth/shibboleth.spec
SRPM URL: http://cern.ch/straylen/rpms/shibboleth/shibboleth-2.3.1-2.fc13.src.rpm
Fedora review shibboleth 2010-02-22

rpmlint results - same as above

The no-reload-entry warning can be fixed. The guidelines say: "if the service does not support this, do nothing"
http://fedoraproject.org/wiki/Packaging:SysVInitScript#Required_Actions
So adding the following would resolve this:

    reload)
        ;;

The init script also does not support some more of the "required actions" listed at the above reference (though rpmlint is not complaining): condrestart, try-restart, force-reload. You have worked around the missing condrestart in %postun by calling status + restart instead, so it is not critical for the installation.

+ package named according to guidelines
+ specfile named after package
+ package license "ASL 2.0" is Fedora approved
+ package license matches license statements in the sources

? The corresponding package in Debian says: "The original upstream source was repackaged to remove the WS-Trust.xsd schema, which was not distributed under a DFSG-free license." Should this be done for Fedora too? The file is strange. The license doesn't seem to grant right to modify, but the comment at the top says "modified copy". The corresponding file on the oasis server seems to have a less questionable license:
  http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3.xsd
  "This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind."

+ The license file (LICENSE.txt) is included in %doc
+ specfile is written in legible English

$ cksum shibboleth-sp-2.3.1.tar.gz srpm/shibboleth-sp-2.3.1.tar.gz
432835999 806177 shibboleth-sp-2.3.1.tar.gz
432835999 806177 srpm/shibboleth-sp-2.3.1.tar.gz

+ sources matches upstream
+ builds in mock

? Looks like some build requires are missing:

  configure: WARNING: dot not found - will not generate graphics for doxygen documentation
  → missing build requires graphviz ?

  checking sql.h usability... no
  checking sql.h presence... no
  checking for sql.h... no
  → build requires unixODBC should be unixODBC-devel ?

  checking for FastCGI support... no
  → there is a build requires on fcgi-devel, but the default is "no"
  → missing configure flag --with-fastcgi=yes ?

  checking for Memcached support... no
  → missing build requires libmemcached-devel ?
  → missing configure flag --with-memcached=yes (default is "no" here too) ?

+ ldconfig called appropriately
+ package owns directories it creates

? package should require xml-common since it installs files in /usr/share/xml

+ no duplicates in %files
+ permissions are sane and %files have %defattr
+ %clean clears buildroot

? The pid directory created in the specfile %{_var}/%{name}/run looks strange, shouldn't it be the other way around: %{_var}/run/%{name}? The %{_var}/run/%{name} directory seems to be created anyway and is the one that gets packaged. The one created in the specfile is not.

? The specfile uses the %{_XXXdir} macros for everything except for /var where %{_var} is used instead of %{_localstatedir} (not really a big problem - if it is one at all)

+ %doc is not runtime essential
+ subpackages requires main with fully qualified version
+ .la files removed
+ package does not own other's directories
+ %install clear buildroot
+ filenames are utf-8
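
The init script actions discussed in the review above, as an added example (not code from the shibboleth package or from anyone in this thread): a dispatcher that treats reload as a no-op, restarts on condrestart/try-restart only when the service is already running, and falls back to restart for force-reload. The daemon is simulated with a marker file, and RUNFILE, svc_start, svc_stop, svc_status and shibd_action are hypothetical names.

```shell
#!/bin/sh
# Added illustration: action dispatcher for a SysV init script such as shibd.
# The daemon is simulated with a marker file so the logic runs anywhere;
# RUNFILE, svc_* and shibd_action are hypothetical names, not from the package.
RUNFILE="${RUNFILE:-${TMPDIR:-/tmp}/shibd-demo.$$}"

svc_start()  { : > "$RUNFILE"; }      # stand-in for launching the daemon
svc_stop()   { rm -f "$RUNFILE"; }    # stand-in for stopping it
svc_status() { [ -e "$RUNFILE" ]; }   # 0 if "running", non-zero otherwise

shibd_action() {
    case "$1" in
        start)   svc_start ;;
        stop)    svc_stop ;;
        status)  svc_status || return 3 ;;   # LSB: 3 = program is not running
        restart) svc_stop; svc_start ;;
        condrestart|try-restart)
            # Restart only if already running; never start a stopped service
            # (this is what a package upgrade scriptlet relies on).
            if svc_status; then svc_stop; svc_start; fi ;;
        reload)
            # Service does not support reload: do nothing, per the guideline
            # quoted in the review.
            ;;
        force-reload)
            # No reload support, so fall back to a restart.
            svc_stop; svc_start ;;
        *)
            echo "Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}" >&2
            return 2 ;;                      # LSB: 2 = invalid argument(s)
    esac
}

# Act on the first argument when run as a script, e.g. "sh demo.sh status".
if [ "$#" -gt 0 ]; then shibd_action "$1"; fi
```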
This review is a bit stuck since I have become aware of this:
https://bugs.internet2.edu/jira/browse/CPPXT-9
essentially there are known problems with nss linked curl.

Steve
No news in more than a year - giving back the review.
The limitations of nss_compat_ossl are covered here: http://fedoraproject.org/wiki/Nss_compat_ossl

Based on comments in https://bugs.internet2.edu/jira/browse/CPPXT-9 , not being able to use file based certificates may be the biggest limitation. It may be that the way to move forward on this is to start by adding that support to nss_compat_ossl.