Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 680936 - Review Request: libssh2-python - Python bindings for the libssh2 library
Review Request: libssh2-python - Python bindings for the libssh2 library
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Kaleb KEITHLEY
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2011-02-28 10:23 EST by Chris Lalancette
Modified: 2011-07-08 11:31 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-07-08 11:31:56 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
kkeithle: fedora‑review+
limburgher: fedora‑cvs+


Attachments (Terms of Use)

  None (edit)
Description Chris Lalancette 2011-02-28 10:23:05 EST
Spec URL: http://people.redhat.com/clalance/libssh2-python/libssh2-python.spec
SRPM URL: http://people.redhat.com/clalance/libssh2-python/libssh2-python-0.7.1-1.fc14.src.rpm
Description: libssh2-python is a python binding for the libssh2 library.


[clalance@localhost SPECS]$ rpmlint libssh2-python.spec
libssh2-python.spec: W: invalid-url Source0: libssh2-python-0.7.1.tar.gz
0 packages and 1 specfiles checked; 0 errors, 1 warnings.
[clalance@localhost SPECS]$ rpmlint /home/clalance/rpmbuild/SRPMS/libssh2-python-0.7.1-1.fc14.src.rpm
libssh2-python.src: W: invalid-license LGPL
libssh2-python.src: W: invalid-url Source0: libssh2-python-0.7.1.tar.gz
1 packages and 0 specfiles checked; 0 errors, 2 warnings.

The upstream project does not have tarball releases, so I believe the "invalid-url" warning is acceptable.  The "invalid-license" is clearly more of an issue.  The upstream git repository just says "LGPL", which I have reproduced here.  I have been in contact with the author of the binding for clarification of his license.  Once he responds, I will update the SPEC file accordingly.

Finally, I know that the fedora guidelines prefer "python-<foo>" to "<foo>-python", but the upstream author of the bindings prefers "libssh2-python", which is what I've done here.
Comment 1 Chris Lalancette 2011-02-28 11:09:54 EST
OK, the maintainer got back to me and said:

It's the GNU Lesser General Public License v2.1. Maybe I should add
a copy of the license to the repository.

I've encouraged him to do the latter.  For now, I've updated the SPEC file to have this piece of information and rpmlint now says:

[clalance@localhost SPECS]$ rpmlint libssh2-python.spec
libssh2-python.spec: W: invalid-url Source0: libssh2-python-0.7.1.tar.gz
0 packages and 1 specfiles checked; 0 errors, 1 warnings.
[clalance@localhost SPECS]$ rpmlint /home/clalance/rpmbuild/SRPMS/libssh2-python-0.7.1-1.fc14.src.rpm
libssh2-python.src: W: invalid-url Source0: libssh2-python-0.7.1.tar.gz
1 packages and 0 specfiles checked; 0 errors, 1 warnings.
Comment 2 Pavel Zhukov 2011-02-28 11:57:06 EST
If you can't find a direct download URL, then put only the filename in SourceX and give download instructions in a comment.
Please see http://fedoraproject.org/wiki/Packaging:SourceURL#Using_Revision_Control

>> Maybe I should add a copy of the license to the repository.

Yes, You should provide license text and contact upstream. 
http://fedoraproject.org/wiki/Packaging:LicensingGuidelines#License_Text





-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 3 Jason Tibbitts 2011-02-28 12:24:08 EST
Please note that no guideline we have should be construed to mean that the packager should add any license text that is not already present in the upstream sources.
Comment 4 Chris Lalancette 2011-02-28 13:07:52 EST
(In reply to comment #3)
> Please note that no guideline we have should be construed to mean that the
> packager should add any license text that is not already present in the
> upstream sources.

I'm not doing that at all.  As I said, I was clarifying that with upstream what the license is, and he mentioned that it should be LGPL v2.1.  If he doesn't add the license text himself in the next couple of days, I'll submit my own patch to upstream to do that.

That being said, I'm confident that this is LGPLv2.1, it just needs to be made explicit.  So if someone wants to do the rest of the review, we can get that part out of the way and then have it ready to go once the license terms are in the upstream repository.

Chris Lalancette
Comment 5 Chris Lalancette 2011-03-15 10:12:36 EDT
OK, I heard back from the maintainer, and he has added the appropriate license to the repository and the source files.  I've uploaded a new version of the spec file and the source RPM here:

http://people.redhat.com/~clalance/libssh2-python/libssh2-python.spec
http://people.redhat.com/~clalance/libssh2-python/libssh2-python-0.7.1-2.fc14.src.rpm

rpmlint says:

[clalance@localhost SPECS]$ rpmlint libssh2-python.spec
libssh2-python.spec: W: invalid-url Source0: libssh2-python-0.7.1.tar.gz
0 packages and 1 specfiles checked; 0 errors, 1 warnings.
[clalance@localhost SPECS]$ rpmlint /home/clalance/rpmbuild/SRPMS/libssh2-python-0.7.1-2.fc14.src.rpm
libssh2-python.src: W: invalid-url Source0: libssh2-python-0.7.1.tar.gz
1 packages and 0 specfiles checked; 0 errors, 1 warnings.
Comment 6 Kaleb KEITHLEY 2011-07-05 10:54:24 EDT
(new) fedora guidelines say:
+ BuildRoot is unnecessary, just get rid of it
+ %defattr, ditto
+ %clean, ditto

[  OK  ] MUST: rpmlint must be run on every package
[  OK  ] MUST: The package must be named according to the Package Naming 
         Guidelines
[  OK  ] MUST: The spec file name must match the base package %{name} [...]
[  OK  ] MUST: The package must meet the Packaging Guidelines
[  OK  ] MUST: The package must be licensed with a Fedora approved license
         and meet the Licensing Guidelines
[  OK  ] MUST: The License field in the package spec file must match the 
         actual license
[  OK  ] MUST: If (and only if) the source package includes the text of the 
         license(s) in its own file, then that file, containing the text of 
         the license(s) for the package must be included in %doc
[  OK  ] MUST: The spec file must be written in American English.
[  OK  ] MUST: The spec file for the package MUST be legible.
[      ] MUST: The sources used to build the package must match the upstream 
         source, as provided in the spec URL. Reviewers should use md5sum for 
         this task. If no upstream URL can be specified for this package, 
         please see the Source URL Guidelines for how to deal with this.
[  OK  ] MUST: The package MUST successfully compile and build into binary 
         rpms on at least one primary architecture
[  N/A ] MUST: If the package does not successfully compile, build or work on 
         an architecture, then those architectures should be listed in the 
         spec in ExcludeArch. Each architecture listed in ExcludeArch MUST 
         have a bug filed in bugzilla, describing the reason that the package 
         does not compile/build/work on that architecture. The bug number MUST 
         be placed in a comment, next to the corresponding ExcludeArch line
[  OK  ] MUST: All build dependencies must be listed in BuildRequires, except 
         for any that are listed in the exceptions section of the Packaging 
         Guidelines ; inclusion of those as BuildRequires is optional. Apply 
         common sense.
[  OK  ] MUST: The spec file MUST handle locales properly. This is done by 
         using the %find_lang macro. Using %{_datadir}/locale/* is strictly 
         forbidden
[  N/A ] MUST: Every binary RPM package (or subpackage) which stores shared 
         library files (not just symlinks) in any of the dynamic linker's 
         default paths, must call ldconfig in %post and %postun.
[  N/A ] MUST: If the package is designed to be relocatable, the packager must 
         state this fact in the request for review, along with the 
         rationalization for relocation of that specific package. Without 
         this, use of Prefix: /usr is considered a blocker.
[  OK  ] MUST: A package must own all directories that it creates. If it does 
         not create a directory that it uses, then it should require a package 
         which does create that directory.
[  OK  ] MUST: A package must not contain any duplicate files in the %files 
         listing.
[  OK  ] MUST: Each package must consistently use macros.
[  OK  ] MUST: The package must contain code, or permissable content.
[  OK  ] MUST: Large documentation files must go in a -doc subpackage. (The 
         definition of large is left up to the packager's best judgement, but 
         is not restricted to size. Large can refer to either size or 
         quantity).
[  OK  ] MUST: If a package includes something as %doc, it must not affect the 
         runtime of the application. To summarize: If it is in %doc, the 
         program must run properly if it is not present.
[  N/A ] MUST: Header files must be in a -devel package.
[  N/A ] MUST: Static libraries must be in a -static package.
[  N/A ] MUST: Packages containing pkgconfig(.pc) files must 'Requires: 
         pkgconfig' (for directory ownership and usability).
[  N/A ] MUST: If a package contains library files with a suffix (e.g. 
         libfoo.so.1.1), then library files that end in .so (without suffix) 
         must go in a -devel package.
[  N/A ] MUST: In the vast majority of cases, devel packages must require the 
         base package using a fully versioned dependency: Requires: %{name} =
         %{version}-%{release}
[  N/A ] MUST: Packages must NOT contain any .la libtool archives, these must 
         be removed in the spec if they are built.
[  N/A ] MUST: Packages containing GUI applications must include a
         %{name}.desktop file, and that file must be properly installed with 
         desktop-file-install in the %install section. If you feel that your 
         packaged GUI application does not need a .desktop file, you must put 
         a comment in the spec file with your explanation.
[  OK  ] MUST: Packages must not own files or directories already owned by 
         other packages. The rule of thumb here is that the first package to 
         be installed should own the files or directories that other packages 
         may rely upon. This means, for example, that no package in Fedora 
         should ever share ownership with any of the files or directories 
         owned by the filesystem or man package. If you feel that you have a 
         good reason to own a file or directory that another package owns, 
         then please present that at package review time.
[  OK  ] MUST: At the beginning of %install, each package MUST run rm -rf
         %{buildroot} (or $RPM_BUILD_ROOT).
[  OK  ] MUST: All filenames in rpm packages must be valid UTF-8.
[      ] SHOULD query upstream to include it.
[  N/A ] SHOULD: The description and summary sections in the package spec file
        should contain translations for supported Non-English languages, if
        available.
[  N/A ] SHOULD: The reviewer should test that the package builds in mock.
[ SKIP ] SHOULD: The package should compile and build into binary rpms on all
        supported architectures.
[      ] SHOULD: The reviewer should test that the package functions as
        described. A package should not segfault instead of running, for
        example.
[  N/A ] SHOULD: If scriptlets are used, those scriptlets must be sane. This is
        vague, and left up to the reviewers judgement to determine sanity.
[  N/A ] SHOULD: Usually, subpackages other than devel should require the base
        package using a fully versioned dependency.
[  N/A ] SHOULD: The placement of pkgconfig(.pc) files depends on their
        usecase, and this is usually for development purposes, so should be
        placed in a -devel pkg. A reasonable exception is that the main pkg
        itself is a devel tool not installed in a user runtime, e.g. gcc or
        gdb.
[  N/A ] SHOULD: If the package has file dependencies outside of /etc, /bin,
        /sbin, /usr/bin, or /usr/sbin consider requiring the package which
        provides the file instead of the file itself.
[      ] SHOULD: your package should contain man pages for binaries/scripts. If
        it doesn't, work with upstream to add them where they make sense.[34]
Comment 7 Chris Lalancette 2011-07-05 13:12:49 EDT
(In reply to comment #6)
> (new) fedora guidelines say:
> + BuildRoot is unnecessary, just get rid of it
> + %defattr, ditto
> + %clean, ditto

Thanks for the review.  I had submitted this package before I knew about those new guidelines, so thanks for the reminder.  I've now fixed those and uploaded new versions of the spec and SRPM to the same place.

Kaleb, in general when reviewing packages the procedure is to assign the bug to yourself, set the state to ASSIGNED, and also set the fedora-review flag to ?.  Once you are satisfied that the package meets criteria, you then switch the fedora-review flag to +, and then I'll complete the rest of the process.

Thanks again,
Chris Lalancette
Comment 8 David Nalley 2011-07-07 19:57:28 EDT
Chris: 

Please increment release in your spec/srpm when making changes even if trivial, it makes it much easier on the reviewer when installing your SRPM. 

http://fedoraproject.org/wiki/Packaging:NamingGuidelines#Release_Tag

In your source URL is there a reason you can't use this as the source URL? 
https://github.com/wallunit/ssh4py/zipball/0.7.1
It would still have to be a commented troublesome source url, and it'd screw up the macros, but at least it permits upstream source to be verifiable, and less work for others. I don't see it as a blocker, but perhaps something to consider. 



Kaleb: 

Can you run rpmlint on this package (spec file, SRPM, and binary RPM(s)) and paste the content in the review. 

Can you also paste the result of md5sum comparing source in srpm and at Source URL? In this particular case it won't work because of the special means to get to a tarball, but that at least needs to be commented in the review. 

Thanks for taking this on.
Comment 9 David Nalley 2011-07-07 20:08:54 EDT
A quick other comment, the license field is incorrect: 

It's currently set as LGPLv2 when it should be LGPLv2+. The source files have the 'or (at your option) any later version.' clause in the license declaration  of the actual source.
Comment 10 Chris Lalancette 2011-07-08 09:20:31 EDT
(In reply to comment #8)
> Chris: 
> 
> Please increment release in your spec/srpm when making changes even if trivial,
> it makes it much easier on the reviewer when installing your SRPM. 
> 
> http://fedoraproject.org/wiki/Packaging:NamingGuidelines#Release_Tag
> 
> In your source URL is there a reason you can't use this as the source URL? 
> https://github.com/wallunit/ssh4py/zipball/0.7.1
> It would still have to be a commented troublesome source url, and it'd screw up
> the macros, but at least it permits upstream source to be verifiable, and less
> work for others. I don't see it as a blocker, but perhaps something to
> consider. 

You are right, I didn't know about the zipball thing.  I've updated the SPEC now.

(In reply to comment #9)
> A quick other comment, the license field is incorrect: 
> 
> It's currently set as LGPLv2 when it should be LGPLv2+. The source files have
> the 'or (at your option) any later version.' clause in the license declaration 
> of the actual source.

Oh, right.  I've fixed this as well.

A new version of the SPEC and SRPM are available:

http://people.redhat.com/clalance/libssh2-python/libssh2-python-0.7.1-3.fc14.src.rpm
http://people.redhat.com/clalance/libssh2-python/libssh2-python.spec
Comment 11 Kaleb KEITHLEY 2011-07-08 10:30:18 EDT
% rpmlint SPECS/libssh2-python.spec 
0 packages and 1 specfiles checked; 0 errors, 0 warnings.

% rpmlint SRPMS/libssh2-python-0.7.1-3.fc14.src.rpm 
libssh2-python.src: I: enchant-dictionary-not-found en_US
libssh2-python.src: W: file-size-mismatch libssh2-python-0.7.1.tar.gz = 23152, https://github.com/wallunit/ssh4py/zipball/0.7.1/libssh2-python-0.7.1.tar.gz = 20754
1 packages and 0 specfiles checked; 0 errors, 1 warnings

% rpmlint RPMS/x86_64/libssh2-python-0.7.1-3.fc15.x86_64.rpm 
libssh2-python.x86_64: I: enchant-dictionary-not-found en_US
libssh2-python.x86_64: W: private-shared-object-provides /usr/lib64/python2.7/site-packages/libssh2.so libssh2.so()(64bit)
1 packages and 0 specfiles checked; 0 errors, 1 warnings.

% md5sum SOURCES/libssh2-python-0.7.1.tar.gz 
2d60794fd29adeaa6071c252335c3608  SOURCES/libssh2-python-0.7.1.tar.gz

% md5sum Downloads/wallunit-ssh4py-0.7.1-0-ga041047.zip
6f967df328fcbe615593f914f7e777a5  wallunit-ssh4py-0.7.1-0-ga041047.zip
Comment 12 Chris Lalancette 2011-07-08 10:53:11 EDT
Thanks Kaleb!
Comment 13 Chris Lalancette 2011-07-08 10:54:00 EDT
New Package SCM Request
=======================
Package Name: libssh2-python
Short Description: Python bindings for the libssh2 library
Owners: clalance
Branches:
InitialCC:
Comment 14 Gwyn Ciesla 2011-07-08 11:03:29 EDT
Git done (by process-git-requests).

Note You need to log in before you can comment on or make changes to this bug.