Bug 738034 - Review Request: woodstox-core - High-performance XML processor
Summary: Review Request: woodstox-core - High-performance XML processor
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Stanislav Ochotnicky
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 737969
Blocks: 738263
TreeView+ depends on / blocked
 
Reported: 2011-09-13 16:55 UTC by Jaromír Cápík
Modified: 2016-02-01 01:55 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-10-07 18:04:43 UTC
sochotni: fedora-review+
gwync: fedora-cvs+


Attachments (Terms of Use)

Description Jaromír Cápík 2011-09-13 16:55:49 UTC
Spec URL: http://jcapik.fedorapeople.org/files/woodstox-core-asl/woodstox-core-asl.spec
SRPM URL: http://jcapik.fedorapeople.org/files/woodstox-core-asl/woodstox-core-asl-4.1.2-1.fc17.src.rpm
Description: 
Woodstox is a high-performance validating namespace-aware StAX-compliant
(JSR-173) Open Source XML-processor written in Java.
XML processor means that it handles both input (== parsing)
and output (== writing, serialization)), as well as supporting tasks
such as validation.

Comment 1 Stanislav Ochotnicky 2011-09-21 16:56:02 UTC
I'll review this one as well

Comment 2 Stanislav Ochotnicky 2011-09-22 08:49:03 UTC
Package Review
==============

Key:
- = N/A
x = Check
! = Problem
? = Not evaluated

=== REQUIRED ITEMS ===
[x]  Rpmlint output:
woodstox-core-asl.src: W: spelling-error %description -l en_US namespace -> name space, name-space, names pace
woodstox-core-asl.noarch: E: explicit-lib-dependency msv-xsdlib
woodstox-core-asl.noarch: W: spelling-error %description -l en_US namespace -> name space, name-space, names pace
3 packages and 0 specfiles checked; 1 errors, 2 warnings.

[x]  Package is named according to the Package Naming Guidelines[1].
[x]  Spec file name must match the base package name, in the format %{name}.spec.
[x]  Package meets the Packaging Guidelines[2].
[x]  Package successfully compiles and builds into binary rpms.
[x]  Buildroot definition is not present
[x]  Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines[3,4].
[!]  License field in the package spec file matches the actual license.
License type: according to release-notes/FAAQ it's either LGPL or ASL 2.0. But they did this in a weird way. Instead of simply saying "we are dual-licensing this", they say there are two different versions where the only difference is the license. Blocking FE-LEGAL, because I am not sure if we can put "LGPLv2 or ASL 2.0" here or we have to pick one of them.


[x]  If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %doc.
but in case of dual-licensing, don't forget to include LGPL later

[x]  All independent sub-packages have license of their own
[x]  Spec file is legible and written in American English.
[x]  Sources used to build the package matches the upstream source, as provided in the spec URL.
MD5SUM this package    : 5ceabf6c0f6daa7742cad71ae0a7db78
[x]  All build dependencies are listed in BuildRequires, except for any that are listed in the exceptions section of Packaging Guidelines[5].
[x]  Package must own all directories that it creates.
[x]  Package requires other packages for directories it uses.
[x]  Package does not contain duplicates in %files.
[x]  File sections do not contain %defattr(-,root,root,-) unless changed with good reason
[x]  Permissions on files are set properly.
[x]  Package does NOT have a %clean section which contains rm -rf %{buildroot} (or $RPM_BUILD_ROOT). (not needed anymore)
[x]   Package consistently uses macros (no %{buildroot} and $RPM_BUILD_ROOT mixing)
[x]  Package contains code, or permissable content.
[x]  Fully versioned dependency in subpackages, if present.
[x]  Package contains a properly installed %{name}.desktop file if it is a GUI application.
[x]  Package does not own files or directories owned by other packages.
[x]  Javadoc documentation files are generated and included in -javadoc subpackage
[x]  Javadocs are placed in %{_javadocdir}/%{name} (no -%{version} symlinks)
[x]  Packages have proper BuildRequires/Requires on jpackage-utils
[x]  Javadoc subpackages have Require: jpackage-utils
[x]  Package uses %global not %define
[-]  If package uses tarball from VCS include comment how to re-create that tarball (svn export URL, git clone URL, ...)
[x]  If source tarball includes bundled jar/class files these need to be removed prior to building
[x]  All filenames in rpm packages must be valid UTF-8.
[x]  Jar files are installed to %{_javadir}/%{name}.jar (see [6] for details)
[x]  If package contains pom.xml files install it (including depmaps) even when building with ant
[x]  pom files has correct add_maven_depmap call

=== Maven ===
[x]  Use %{_mavenpomdir} macro for placing pom files instead of %{_datadir}/maven2/poms
[x]  If package uses "-Dmaven.test.skip=true" explain why it was needed in a comment
[x]  If package uses custom depmap "-Dmaven.local.depmap.file=*" explain why it's needed in a comment
[x]  Package DOES NOT use %update_maven_depmap in %post/%postun
[x]  Packages DOES NOT have Requires(post) and Requires(postun) on jpackage-utils for %update_maven_depmap macro

=== Other suggestions ===
[!]  If possible use upstream build method (maven/ant/javac)

You are using ant instead of maven, but this is more of a suggestion and personally I prefer this build.

[x]  Avoid having BuildRequires on exact NVR unless necessary
[x]  Package has BuildArch: noarch (if possible)
[x]  Latest version is packaged.
[x]  Reviewer should test that the package builds in mock.
Tested on: fedora-rawhide-x86_64


=== Issues ===
1. Licensing. See FAAQ in resources subdir of tarball, point 3.1

Note that I believe "LGPLv2 or ASL 2.0" was the intention of upstream, supported by http://woodstox.codehaus.org/Download#Download-Licensing but just to be sure...

=== Final Notes ===
1. Package contains src/maven directory with pom file that can be made into usable pom with simple sed. No need to have Source1

Comment 3 Stanislav Ochotnicky 2011-09-22 09:14:42 UTC
And one more thing. It would be nice to file a bug against bea-stax to include pom and depmap so you don't have to use custom one everywhere

Comment 4 Jaromír Cápík 2011-09-29 10:17:35 UTC
Unfortunately intentions of upstream are to have two separate JAR packages with separate licensing ...

http://repo1.maven.org/maven2/org/codehaus/woodstox/woodstox-core-lgpl/4.1.2/woodstox-core-lgpl-4.1.2.pom
http://repository.codehaus.org/org/codehaus/woodstox/woodstox-core-asl/4.1.2/woodstox-core-asl-4.1.2.pom

Let me check that with fedora-legal if it's possible to create just one package supplying both poms and artifacts.

Comment 5 Tom "spot" Callaway 2011-10-02 08:52:57 UTC
This is really dumb, however, here's what you should do:

Have this package generate two subpackages:

woodstox-core-asl and woodstox-core-lgpl

Tag each one with the appropriate license and include the appropriately named jar file.

Lifting FE-Legal.

Comment 6 Tom "spot" Callaway 2011-10-06 14:20:47 UTC
After talking this through with jcapik, a forced subpackage arrangement, while still acceptable, is simply unnecessary since maven can resolve the naming issue.

Just build one jar, add the maven magic to provide mappings to the license-names, and tag the package as:

License: ASL 2.0 or LGPLv2+

Comment 8 Stanislav Ochotnicky 2011-10-06 17:16:14 UTC
Looks OK now to me as well. APPROVED

Comment 9 Jaromír Cápík 2011-10-06 17:22:27 UTC
New Package SCM Request
=======================
Package Name: woodstox-core
Short Description: High-performance XML processor
Owners: jcapik
Branches: f15 f16
InitialCC: java-sig

Comment 10 Gwyn Ciesla 2011-10-06 17:30:05 UTC
Git done (by process-git-requests).

Comment 11 Jaromír Cápík 2011-10-07 09:34:09 UTC
I just received a message from Tatu Saloranta (woodstox developer) where he states it's perfectly ok to create just one dual licensed JAR file. If he could, he would do it once again the same way as we did.

Thank You guys, I'm gonna build it.

Comment 12 Jaromír Cápík 2011-10-07 18:04:43 UTC
Successfully built - closing.


Note You need to log in before you can comment on or make changes to this bug.