Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 598471 - Review Request: maven-gpg-plugin - sign all of the project's attached artifacts with GnuPG.
Review Request: maven-gpg-plugin - sign all of the project's attached artifac...
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Alexander Kurtakov
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-06-01 09:07 EDT by Stanislav Ochotnicky
Modified: 2010-06-04 03:20 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-06-04 03:20:27 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
akurtako: fedora‑review+
kevin: fedora‑cvs+


Attachments (Terms of Use)

  None (edit)
Description Stanislav Ochotnicky 2010-06-01 09:07:31 EDT
Spec URL: http://sochotni.fedorapeople.org/maven-gpg-plugin.spec
SRPM URL: http://sochotni.fedorapeople.org/maven-gpg-plugin-1.1-1.fc14.src.rpm


Description: 
This plugin signs all of the project's attached artifacts with GnuPG. It adds goals gpg:sign and gpg:sign-and-deploy-file.

Note that this package has dependencies available only in dist-f14-maven221 target. Koji build:
https://koji.fedoraproject.org/koji/taskinfo?taskID=2222334
Comment 1 Alexander Kurtakov 2010-06-01 16:06:17 EDT
Review:

OK: rpmlint must be run on every package. Output:
aven-gpg-plugin.noarch: W: no-documentation
maven-gpg-plugin.noarch: W: non-conffile-in-etc /etc/maven/fragments/maven-gpg-plugin

False positives. 

OK: The package must be named according to the Package Naming Guidelines .
OK: The spec file name must match the base package %{name}, in the format
%{name}.spec unless your package has an exemption. 
OK: The package must meet the Packaging Guidelines .
OK: The package must be licensed with a Fedora approved license and meet the
Licensing Guidelines .
OK: The License field in the package spec file must match the actual license.
OK: If (and only if) the source package includes the text of the license(s) in
its own file, then that file, containing the text of the license(s) for the
package must be included in %doc.
OK: The spec file must be written in American English. 
OK: The spec file for the package MUST be legible. 
OK: The sources used to build the package must match the upstream source, as
provided in the spec URL. 
OK: The package MUST successfully compile and build into binary rpms on at
least one primary architecture. 
OK: All build dependencies must be listed in BuildRequires, except for any that
are listed in the exceptions section of the Packaging Guidelines ; inclusion of
those as BuildRequires is optional. Apply common sense.
OK: Packages must NOT bundle copies of system libraries.
OK: A package must own all directories that it creates. If it does not create a
directory that it uses, then it should require a package which does create that
directory. 
OK: A Fedora package must not list a file more than once in the spec file's
%files listings. 
OK: Permissions on files must be set properly. Executables should be set
with executable permissions, for example. Every %files section must include a
%defattr(...) line. 
OK: Each package must consistently use macros. 
OK: The package must contain code, or permissable content. 
OK: Large documentation files must go in a -doc subpackage. 
OK: If a package includes something as %doc, it must not affect the runtime of
the application. 
OK: Packages must not own files or directories already owned by other packages. 
OK: All filenames in rpm packages must be valid UTF-8.    
OK: Provides/Obsoletes are good.


FIXIT: Package is missing Requires: gnupg2 . I know it's not obvious but at runtime this package execs gpg. See http://svn.apache.org/viewvc/maven/plugins/tags/maven-gpg-plugin-1.0/src/main/java/org/apache/maven/plugin/gpg/GpgSigner.java?revision=908991&view=markup line 143
Comment 2 huwang 2010-06-01 21:46:13 EDT
I noticed add_to_maven_depmap maven-antrun-plugin, it should be maven-gpg-plugin.
Comment 3 Alexander Kurtakov 2010-06-02 02:40:24 EDT
Thanks huwang.
Stanislav: please fix before importing
Comment 4 Alexander Kurtakov 2010-06-02 02:41:27 EDT
Ideally it should become %{name}
Comment 5 Stanislav Ochotnicky 2010-06-02 03:46:16 EDT
Thanks huwang for noticing, it's really better to have more pairs of eyes...

I was also wondering about gnupg2 dependency, but it wasn't mentioned on the plugin web page so I thought that maybe they used some pure java implementation...Should have checked...

Anyway, those things are fixed:

SRPM URL: http://sochotni.fedorapeople.org/maven-gpg-plugin-1.1-2.fc13.src.rpm
Spec URL: http://sochotni.fedorapeople.org/maven-gpg-plugin.spec

Koji build:
http://koji.fedoraproject.org/koji/taskinfo?taskID=2224276
Comment 6 Alexander Kurtakov 2010-06-02 03:59:31 EDT
Thanks, 
This package is APPROVED.
Comment 7 Stanislav Ochotnicky 2010-06-02 04:34:19 EDT
Thanks for the review. Requesting CVS:

New Package CVS Request
=======================
Package Name: maven-gpg-plugin
Short Description: Plugin to sign all of the project's attached artifacts with GnuPG.
Owners: sochotni 
Branches: 
InitialCC:
Comment 8 Kevin Fenzi 2010-06-03 16:34:20 EDT
CVS done (by process-cvs-requests.py).
Comment 9 Stanislav Ochotnicky 2010-06-04 03:20:27 EDT
Package built:
https://koji.fedoraproject.org/koji/buildinfo?buildID=176559

Closing.

Note You need to log in before you can comment on or make changes to this bug.