Spec URL: http://rdieter.fedorapeople.org/rpms/iris/iris.spec
SRPM URL: http://rdieter.fedorapeople.org/rpms/iris/iris-1.0.0-0.3.20110904.fc16.src.rpm
Description: A library for working with the XMPP/Jabber protocol
Scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=3469611

rpmlint *.rpm x86_64/*.rpm
iris.src:44: W: configure-without-libdir-spec
iris.src: W: invalid-url Source0: iris-1.0.0-20110904.tar.gz
iris-debuginfo.x86_64: E: incorrect-fsf-address /usr/src/debug/iris-1.0.0/src/libidn/nfkc.c
iris-debuginfo.x86_64: W: hidden-file-or-dir /usr/src/debug/iris-1.0.0/src/xmpp/.moc
iris-debuginfo.x86_64: W: hidden-file-or-dir /usr/src/debug/iris-1.0.0/src/xmpp/.moc
iris-devel.x86_64: W: no-documentation
4 packages and 0 specfiles checked; 1 errors, 5 warnings.
I'm glad to see it worked. But it seems to be only the first step on this hard way. There are also again many bundled and spurious parts:
1) src/jdns (about it also spoken in Jreen review)
2) src/libidn (in Fedora)
3) src/irisnet/appledns - ???
4) src/xmpp/base - Author Remko Troncon, no license specified.
5) src/xmpp/base64 - unknown author, unknown license
6) src/xmpp/zlib - I believe it is in Fedora already, must be shared

Even in corelib, many files' authors are Barracuda Networks mixed with Justin Karneges. Is it one source or not? It also requires clarification.

If you make the decision to continue - I'm ready to review them.
1. jdns, apparently only a single header file qjdns.h is used here.
2. libidn. Mostly harmless, seems only a single header file is really needed "./src/xmpp/jid/jid.cpp" which has #include <libidn/stringprep.h> which is hardly worthy of calling bundling, but easy enough to patch to use the system copy from libidn-devel instead.
3. I don't see anything out of the ordinary?
4-5. will poke upstream for clarification I suppose, but not sure if we can assume something is bundled or not without evidence either way
6. looks like some sort of xmpp plugin to me, not really a copy of zlib
Ah, so if it wasn't obvious from those previous comments, yes, I'd like to continue on the pkg review here.
Rex, even one file should be addressed unfortunately. They can't be "very small issue" (look for exceptions for example, even one-file md5 implementation listed in 3 forms explicitly). If you can exclude such files - please do that. If it is not possible - such libraries should be packaged separately and this linked to them.
Anyway, qjdns.h is not "only one file", it's the header file for the entire QJDNS library, which is itself just a wrapper for the actual JDNS library.
Any hints to what upstream to use for unbundling qjdns?
fun, seems it's the same place, delta.affinix.com/jdns/, that mentions: "The latest source can be found in the iris/src/jdns module of Delta SVN." So, one could argue that even its own upstream can't bundle its own code that lives as a submodule in the same svn tree? Are there any other consumers of qjdns.h in fedora? If not, I'd argue it's fine to leave it where it is.
%changelog
* Mon Nov 07 2011 Rex Dieter <rdieter> 1.0.0-0.4.20110904
- unbundle libidn

Spec URL: http://rdieter.fedorapeople.org/rpms/iris/iris.spec
SRPM URL: http://rdieter.fedorapeople.org/rpms/iris/iris-1.0.0-0.4.20110904.fc16.src.rpm
IMHO, since iris IS the upstream for jdns:
* it's OK to package this in the same SRPM,
* if something else really wants to use only jdns without the rest of iris, it can be made into a subpackage.
(but I'd only go through the trouble of making a subpackage, which also implies a separate installed library, if really needed)
OK, ironically, another of tomahawk's bundled libs, jreen, also bundles qjdns, so looks like a subpkg is on the way.
Ouch, 2 dependencies of the same program bundling the same library is a symbol conflict waiting to happen! This ought to be brought to upstream's attention.
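Added example (not part of the review thread or of either project's code): a Python check for the hazard named in the comment above, two shared libraries exporting the same global symbols because both bundle the same code, in which case the dynamic linker binds every caller to whichever definition is loaded first. It parses `nm -D --defined-only` output; the two sample listings, their symbol names and the labels A and B are constructed for illustration.

```python
import re

# nm(1) type letters: uppercase = global definition; W/V = weak definition,
# which the dynamic linker may override without any diagnostic.
STRONG = set("TDBRGS")
WEAK = set("WV")
NM_LINE = re.compile(r"^([0-9a-fA-F]+)\s+([A-Za-z])\s+(\S+)$")

# Constructed sample output of `nm -D --defined-only <lib>` (not real data).
NM_LIB_A = """\
0000000000004a10 T jdns_session_new
0000000000004b40 T jdns_step
0000000000012000 D jdns_default_port
0000000000005000 T iris_only_helper
0000000000005100 t local_static_helper
0000000000005200 W shared_inline_helper
"""
NM_LIB_B = """\
0000000000007a10 T jdns_session_new
0000000000007b40 T jdns_step
0000000000019000 B jdns_default_port
0000000000008000 T jreen_only_helper
0000000000008200 W shared_inline_helper
"""


def defined_symbols(nm_output):
    """Map symbol name -> nm type letter for every global definition."""
    symbols = {}
    for line in nm_output.splitlines():
        m = NM_LINE.match(line.strip())
        if not m:
            continue  # blank line, header, or undefined symbol without address
        kind = m.group(2)
        if kind in STRONG or kind in WEAK:  # lowercase letters are local: skip
            name = m.group(3).split("@", 1)[0]  # drop an @@VERSION suffix
            symbols[name] = kind
    return symbols


def duplicate_definitions(nm_a, nm_b):
    """Return (name, type_a, type_b, 'strong'|'weak') for symbols both define."""
    a, b = defined_symbols(nm_a), defined_symbols(nm_b)
    dups = []
    for name in sorted(a.keys() & b.keys()):
        both_strong = a[name] in STRONG and b[name] in STRONG
        dups.append((name, a[name], b[name], "strong" if both_strong else "weak"))
    return dups


if __name__ == "__main__":
    for name, ta, tb, kind in duplicate_definitions(NM_LIB_A, NM_LIB_B):
        print(f"{kind:6} {name}  (A:{ta} B:{tb})")
```

Strong duplicates are the ones to act on: if the two bundled copies differ in version, one library's calls land in the other's copy, which can also leave an unpatched copy serving both.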
%changelog
* Tue Nov 08 2011 Rex Dieter <rdieter> 1.0.0-0.5.20110904
- install/package qjdns

Spec URL: http://rdieter.fedorapeople.org/rpms/iris/iris.spec
SRPM URL: http://rdieter.fedorapeople.org/rpms/iris/iris-1.0.0-0.5.20110904.fc16.src.rpm
f16 scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=3506224
Legend:
+ - Ok.
- - Error.
+/- - Item is acceptable, but I strongly recommend enhancement.
= - N/A.

== MUST Items ==
[+/-] MUST: rpmlint must be run on every package. The output should be posted in the review.
$ rpmlint *.spec *.rpm
iris.spec:75: W: configure-without-libdir-spec
iris.spec:25: W: mixed-use-of-spaces-and-tabs (spaces: line 3, tab: line 25)
Both trivial to fix, please do that.
iris.spec: W: invalid-url Source0: iris-1.0.0-20110904.tar.gz
iris.src:75: W: configure-without-libdir-spec
iris.src:25: W: mixed-use-of-spaces-and-tabs (spaces: line 3, tab: line 25)
iris.src: W: invalid-url Source0: iris-1.0.0-20110904.tar.gz
iris-debuginfo.i686: W: hidden-file-or-dir /usr/src/debug/iris-1.0.0/src/xmpp/.moc
iris-debuginfo.i686: W: hidden-file-or-dir /usr/src/debug/iris-1.0.0/src/xmpp/.moc
Is the .moc needed??
iris-devel.i686: W: no-documentation
qjdns.i686: W: summary-not-capitalized C a simple DNS implementation that can perform normal as well as Multicast DNS queries
qjdns.i686: E: summary-too-long C a simple DNS implementation that can perform normal as well as Multicast DNS queries
Also easy to deal with.
qjdns.i686: W: spelling-error %description -l en_US Multicast -> Multics, Simulcast
qjdns.i686: W: spelling-error %description -l en_US mdnsd -> madness
qjdns-devel.i686: W: no-dependency-on qjdns/qjdns-libs/libqjdns
Dependency missing?
qjdns-devel.i686: W: no-documentation
6 packages and 1 specfiles checked; 1 errors, 14 warnings.
[+] MUST: The package must be named according to the Package Naming Guidelines.
[+] MUST: The spec file name must match the base package %{name}, in the format %{name}.spec unless your package has an exemption.
[-] MUST: The package must meet the Packaging Guidelines.
Please send patches to upstream author (may be except libidn system usage which must have comment what it Fedora related only) and add comments on appropriate bugreports.
[-] MUST: The package must be licensed with a Fedora approved license and meet the Licensing Guidelines.
src/xmpp/base and src/xmpp/base64 need clarification. Did you receive an answer from the author?
Also there is still the question about mixed copyrights of Barracuda Networks and Justin Karneges. May we treat it as one author, or are their parts of code just borrowed??
[+] MUST: The License field in the package spec file must match the actual license.
[+] MUST: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package must be included in %doc.
[+] MUST: The spec file must be written in American English.
[+] MUST: The spec file for the package MUST be legible.
[-] MUST: The sources used to build the package must match the upstream source, as provided in the spec URL. Reviewers should use md5sum for this task. If no upstream URL can be specified for this package, please see the Source URL Guidelines for how to deal with this.
Please provide the exact revision in the checkout comment instruction and in the version instead of the date, to be able to reproduce the tarball.
[+] MUST: The package MUST successfully compile and build into binary rpms on at least one primary architecture.
[=] MUST: If the package does not successfully compile, build or work on an architecture, then those architectures should be listed in the spec in ExcludeArch. Each architecture listed in ExcludeArch MUST have a bug filed in bugzilla, describing the reason that the package does not compile/build/work on that architecture. The bug number MUST be placed in a comment, next to the corresponding ExcludeArch line.
[=] MUST: All build dependencies must be listed in BuildRequires, except for any that are listed in the exceptions section of the Packaging Guidelines; inclusion of those as BuildRequires is optional. Apply common sense.
[=] MUST: The spec file MUST handle locales properly. This is done by using the %find_lang macro.
Using %{_datadir}/locale/* is strictly forbidden.
[+] MUST: Every binary RPM package (or subpackage) which stores shared library files (not just symlinks) in any of the dynamic linker's default paths, must call ldconfig in %post and %postun.
[-] MUST: Packages must NOT bundle copies of system libraries.
See before, some parts still need clarification.
[=] MUST: If the package is designed to be relocatable, the packager must state this fact in the request for review, along with the rationalization for relocation of that specific package. Without this, use of Prefix: /usr is considered a blocker.
[+] MUST: A package must own all directories that it creates. If it does not create a directory that it uses, then it should require a package which does create that directory.
[+] MUST: A Fedora package must not list a file more than once in the spec file's %files listings.
[+/-] MUST: Permissions on files must be set properly. Executables should be set with executable permissions, for example. Every %files section must include a %defattr(...) line.
I suppose you do not target it for Epel 5.
[+/-] MUST: At the beginning of %install, each package MUST run rm -rf %{buildroot} (or $RPM_BUILD_ROOT).
[+/-] MUST: Each package must have a %clean section, which contains rm -rf %{buildroot} (or $RPM_BUILD_ROOT).
If it is targeted to Epel5 too - please add these directives.
[+] MUST: Each package must consistently use macros.
[=] MUST: Large documentation files must go in a -doc subpackage. (The definition of large is left up to the packager's best judgement, but is not restricted to size. Large can refer to either size or quantity).
[+] MUST: If a package includes something as %doc, it must not affect the runtime of the application. To summarize: If it is in %doc, the program must run properly if it is not present.
[+] MUST: Header files must be in a -devel package.
[=] MUST: Static libraries must be in a -static package.
[+/-] MUST: Packages containing pkgconfig(.pc) files must 'Requires: pkgconfig' (for directory ownership and usability).
If it is targeted to Epel5 too - please add this.
[+] MUST: If a package contains library files with a suffix (e.g. libfoo.so.1.1), then library files that end in .so (without suffix) must go in a -devel package.
[-] MUST: In the vast majority of cases, devel packages must require the base package using a fully versioned dependency: Requires: %{name} = %{version}-%{release}
qjdns-devel does not require qjdns
[+] MUST: Packages must NOT contain any .la libtool archives, these must be removed in the spec if they are built.
[=] MUST: Packages containing GUI applications must include a %{name}.desktop file, and that file must be properly installed with desktop-file-install in the %install section. If you feel that your packaged GUI application does not need a .desktop file, you must put a comment in the spec file with your explanation.
[+] MUST: Packages must not own files or directories already owned by other packages. The rule of thumb here is that the first package to be installed should own the files or directories that other packages may rely upon. This means, for example, that no package in Fedora should ever share ownership with any of the files or directories owned by the filesystem or man package. If you feel that you have a good reason to own a file or directory that another package owns, then please present that at package review time.
[+] MUST: All filenames in rpm packages must be valid UTF-8.

== SHOULD Items: ==
[-] SHOULD: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it.
Please ask upstream author to include MIT license for JDNS.
[=] SHOULD: The description and summary sections in the package spec file should contain translations for supported Non-English languages, if available.
[=] SHOULD: The reviewer should test that the package functions as described. A package should not segfault instead of running, for example.
[+] SHOULD: If scriptlets are used, those scriptlets must be sane. This is vague, and left up to the reviewers judgement to determine sanity.
[+] SHOULD: Usually, subpackages other than devel should require the base package using a fully versioned dependency.
I think in our case such dependency opposite shouldn't be.
[=] SHOULD: If the package has file dependencies outside of /etc, /bin, /sbin, /usr/bin, or /usr/sbin consider requiring the package which provides the file instead of the file itself.
> Please send patches to upstream author (may be except libidn system usage which
> must have comment what it Fedora related only) and add comments on appropriate
> bugreports.

Upstreaming patches and/or commenting on their upstream status is a SHOULD, not a MUST.
Yes, but highly appreciated: https://fedoraproject.org/wiki/PackageMaintainers/WhyUpstream
Spec URL: http://rdieter.fedorapeople.org/rpms/iris/iris.spec
SRPM URL: http://rdieter.fedorapeople.org/rpms/iris/iris-1.0.0-0.6.20110904.fc16.src.rpm

%changelog
* Tue Nov 15 2011 Rex Dieter <rdieter> 1.0.0-0.6.20110904
- qjdns-devel: Requires: qjdns
licensing/copyright clarification mail sent upstream to http://lists.affinix.com/pipermail/delta-affinix.com/ (not in its archives yet)
Spec URL: http://rdieter.fedorapeople.org/rpms/iris/iris.spec
SRPM URL: http://rdieter.fedorapeople.org/rpms/iris/iris-1.0.0-0.7.r812.fc16.src.rpm

%changelog
* Tue Nov 15 2011 Rex Dieter <rdieter> 1.0.0-0.7.r812
- use svn revision instead of snapshot date
That's not compliant to the packaging guidelines. You're supposed to use either 20110904svn or 20110904svn812.
Yes, revision numbering may vary, exact revision should be at least in source checkout instructions to be able to robustly reproduce the tarball (several commits may have happened in one day, so the day does not exactly map to a revision)
Spec URL: http://rdieter.fedorapeople.org/rpms/iris/iris.spec
SRPM URL: http://rdieter.fedorapeople.org/rpms/iris/iris-1.0.0-0.8.20110904svn812.fc16.src.rpm

%changelog
* Wed Nov 16 2011 Rex Dieter <rdieter> 1.0.0-0.8.20110904svn812
- fix Release
ping, can you outline any remaining review blockers, if any?
I think the main question is about the affiliation of Justin Karneges with Barracuda Networks (permissive content). Did you get any answer from the author?
No reply,
http://lists.affinix.com/pipermail/delta-affinix.com/2011-November/001900.html

I've asked fedora-legal list to clarify if this lack of a few copyright headers should be considered a blocker.
To my question that iris can be included with some missing copyright headers, fedora-legal responded with:
"So, the answer here is yes (with caveats), as long as we have clear evidence that the files are part of a larger work where there is consistent licensing intent."

Full response here:
http://lists.fedoraproject.org/pipermail/legal/2011-December/001765.html

It is my opinion this means that the lack of clear copyright headers in this case should not be considered a review blocker. To be clear, however, I will continue my efforts to get upstream to clarify.
If you do not argue, I'll mark it as FE-LEGAL to get Spot's decision.
You can if you insist, but is my asking the very question (and getting an answer) from spot on fedora-legal list not satisfactory to you?
I think in your quote the key is "as we have clear evidence that the files are part of a larger work where there is consistent licensing intent". Do you have such "clear evidence"? If so, I think we may continue.
Both of those files were imported by remko into the iris project subversion repo, whose project-wide license is LGPLv2. So, yes, I'd argue, again, the requirements are satisfied. Now, can we please continue?
So, seems we've been spinning doing nothing constructive here for about a month now. Pavel, thank you for your diligence and input so far, but if you're not able or willing to contribute toward bringing this review to completion any time soon, I humbly ask you to recuse yourself, to allow another reviewer to help finish the work here.
Rex, please excuse me for such a long silence. End of year was very-very hot for me at my workplace.

$ rpmlint iris-1.0.0-0.8.20110904svn812.fc16.src.rpm
iris.src:77: W: configure-without-libdir-spec
iris.src:27: W: mixed-use-of-spaces-and-tabs (spaces: line 5, tab: line 27)
iris.src: W: invalid-url Source0: iris-1.0.0-r812.tar.gz
1 packages and 0 specfiles checked; 0 errors, 3 warnings.

Mix of spaces is trivial to fix.
Other issues lifted. So, PACKAGE APPROVED.

P.S. Again sorry for such long delay.
Thanks!

New Package SCM Request
=======================
Package Name: iris
Short Description: A library for working with the XMPP/Jabber protocol
Owners: rdieter
Branches: f16
InitialCC:
Git done (by process-git-requests).
imported.
clementine-0.7.1-4.fc16.1,tomahawk-0.3.3-4.fc16,libechonest-1.2.1-1.fc16,qca-cyrus-sasl-2.0.0-0.3.beta3.fc16,jreen-1.0.1-4.fc16,iris-1.0.0-0.10.20110904svn812.fc16,qtweetlib-0.3.0-1.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/clementine-0.7.1-4.fc16.1,tomahawk-0.3.3-4.fc16,libechonest-1.2.1-1.fc16,qca-cyrus-sasl-2.0.0-0.3.beta3.fc16,jreen-1.0.1-4.fc16,iris-1.0.0-0.10.20110904svn812.fc16,qtweetlib-0.3.0-1.fc16
clementine-0.7.1-4.fc16.1, tomahawk-0.3.3-4.fc16, libechonest-1.2.1-1.fc16, qca-cyrus-sasl-2.0.0-0.3.beta3.fc16, jreen-1.0.1-4.fc16, iris-1.0.0-0.10.20110904svn812.fc16, qtweetlib-0.3.0-1.fc16 has been pushed to the Fedora 16 stable repository.
Removing alias to allow general search for bugs.