Bug 809395 - Review Request: jboss-as - JBoss Application Server
Review Request: jboss-as - JBoss Application Server
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Juan Hernández
Fedora Extras Quality Assurance
:
Depends On: 809398
Blocks: 807017
  Show dependency treegraph
 
Reported: 2012-04-03 05:14 EDT by Marek Goldmann
Modified: 2012-04-14 00:26 EDT (History)
4 users (show)

See Also:
Fixed In Version: jboss-as-7.1.0-2.fc17
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-04-14 00:26:12 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
juan.hernandez: fedora‑review+
limburgher: fedora‑cvs+


Attachments (Terms of Use)
rpmlint output (100.74 KB, text/plain)
2012-04-03 10:42 EDT, Juan Hernández
no flags Details

  None (edit)
Description Marek Goldmann 2012-04-03 05:14:19 EDT
Spec URL: http://goldmann.fedorapeople.org/package_review/jboss-as/7.1.0-1/jboss-as.spec
SRPM URL: http://goldmann.fedorapeople.org/package_review/jboss-as/7.1.0-1/jboss-as-7.1.0-1.fc17.src.rpm
Description:

JBoss Application Server 7 is the latest release in a series of JBoss
Application Server offerings. JBoss Application Server 7, is a fast,
powerful, implementation of the Java Enterprise Edition 6 specification.
The state-of-the-art architecture built on the Modular Service Container
enables services on-demand when your application requires them.




Notes for reviewer:

1. Please check the %files section very carefully
2. Included patches are only for removing from the build everything which is more than EE6 web-profile.
3. Systemd files will go upstream at some point.
4. Picky R and BR versioning is required because some of these packages relocated the jars and we're symlinking afterwards. This would break the build. I may remove the versioning later.
5. New version of AS 7 was released, but there is no time for upgrade before F17, it'll be done later.
Comment 1 Marek Goldmann 2012-04-03 05:19:51 EDT
Koji scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=3959077
Comment 2 Juan Hernández 2012-04-03 05:31:02 EDT
I am glad to take this for review!
Comment 3 Juan Hernández 2012-04-03 10:41:48 EDT
Package Review
==============

Key:
- = N/A
x = Check
! = Problem
? = Not evaluated

=== REQUIRED ITEMS ===
[!]  Rpmlint output:

Output of rpmlint of the source package:

$ rpmlint jboss-as-7.1.0-1.fc17.src.rpm
jboss-as.src: W: invalid-url URL: http://www.jboss.org/jbossas HTTP Error 403: Forbidden
jboss-as.src: W: strange-permission jboss-as-systemd.sh 0755L
jboss-as.src: W: invalid-url Source0: jboss-as-7.1.0.Final-CLEAN.tar.xz
1 packages and 0 specfiles checked; 0 errors, 3 warnings.

The invalid-url warning is usual, but the URL is correct.

The strange-permission warning is acceptable. This could be
avoided removing the permissions from the source file and adding
them in the %install section of the spec using "install -m 755"
instead of "cp -p".

The invalid-url warning for the source is acceptable, as this is a
git checkout.

The output of rpmlint of the main binary package is too log, due
to warnings mostly, I will include it as attachment to the bug.
Here are some relevant errors and warnings:

jboss-as.noarch: E: non-standard-dir-perm /var/cache/jboss-as/domain/data 0775L
jboss-as.noarch: E: non-standard-dir-perm /var/cache/jboss-as/standalone/data 0775L
jboss-as.noarch: E: non-standard-dir-perm /var/cache/jboss-as/domain/tmp 0775L

These permissions are necessary because the application server runs
as jboss-as:jboss-as and needs to write to those directories but
the directories are owned by root:jboss-as.

jboss-as.noarch: E: non-standard-dir-perm /var/cache/jboss-as/auth 0700L

This directory is owned by jboss-as:jboss-as and I guess that it
stores credentials here, thus the restrictive permission.

jboss-as.noarch: E: non-standard-dir-perm /var/log/jboss-as/standalone 0770L
jboss-as.noarch: E: non-standard-dir-perm /var/log/jboss-as/domain 0770L

These are log directories and they are protected so that normal
users can't access them.

jboss-as.noarch: E: non-standard-dir-perm /etc/jboss-as/standalone 0775L
jboss-as.noarch: E: non-standard-dir-perm /etc/jboss-as/domain 0775L

These etc directories are owned by root:jboss-as and the
application server needs to write there in order to update the
configuration files when changes are perfored using the web
console or the CLI.

jboss-as.noarch: W: only-non-binary-in-usr-lib

I don't really understand the reason of this warning.

jboss-as.noarch: W: non-standard-gid /usr/share/jboss-as/modules/org/jboss/marshalling/main/module.xml jboss-as

Most of the files show this warning (repeated 814 times) because
they are owned by the jboss-as group. I think that most of the
files can be safely owned by the root group and the warning will go away.

jboss-as.noarch: W: dangling-symlink /usr/share/jboss-as/modules/javax/faces/api/main/jboss-jsf-2.1-api.jar /usr/share/java/jboss-jsf-2.1-api.jar

This warning is repeated 102 times, and I hink that they are false
positives, maybe a rpmlint issue. I checked them manually and all
of them are present and contained in one of the packages required
by jboss-as.

Output of rpmlint of the javadoc package:

$ rpmlint jboss-as-javadoc-7.1.0-1.fc18.noarch.rpm
jboss-as-javadoc.noarch: W: spelling-error Summary(en_US) Javadocs -> Java docs, Java-docs, Avocados
jboss-as-javadoc.noarch: W: invalid-url URL: http://www.jboss.org/jbossas HTTP Error 403: Forbidden
1 packages and 0 specfiles checked; 0 errors, 2 warnings.

These warnings are acceptable.

[x]  Package is named according to the Package Naming Guidelines[1].
[x]  Spec file name must match the base package name, in the format %{name}.spec.
[x]  Package meets the Packaging Guidelines[2].
[x]  Package successfully compiles and builds into binary rpms.

Koji build: http://koji.fedoraproject.org/koji/taskinfo?taskID=3959116

[x]  Buildroot definition is not present
[x]  Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines[3,4].
[!]  License field in the package spec file matches the actual license.

License type: LGPLv2

Some of the file state in their header that the license is ASL
2.0. To find them:

grep --recursive 'Apache License' *

The license type should be "LGPLv2 and ASL 2.0".

[x]  If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %doc.
[!]  All independent sub-packages have license of their own

The javadoc subpackage doesn't include a copy of the license.

[x]  Spec file is legible and written in American English.
[x]  Sources used to build the package matches the upstream source, as provided in the spec URL.

Checked using a recursive diff of the sources.

[x]  All build dependencies are listed in BuildRequires, except for any that are listed in the exceptions section of Packaging Guidelines[5].
[x]  Package must own all directories that it creates or must require other packages for directories it uses.
[x]  Package does not contain duplicates in %files.
[x]  File sections do not contain %defattr(-,root,root,-) unless changed with good reason

The package doesn't contain exacltly "%defattr(-,root,root,-)",
but it does contain "%defattr(0664,root,jboss-as,0755)". I think
that it would be good to be more restrictive and have files owned
by root:root where possible.

[x]  Permissions on files are set properly.

See the comments about the rpmlint output above.

[x]  Package does NOT have a %clean section which contains rm -rf %{buildroot} (or $RPM_BUILD_ROOT). (not needed anymore)
[x]  Package consistently uses macros (no %{buildroot} and $RPM_BUILD_ROOT mixing)
[x]  Package contains code, or permissable content.
[-]  Fully versioned dependency in subpackages, if present.
[-]  Package contains a properly installed %{name}.desktop file if it is a GUI application.
[x]  Package does not own files or directories owned by other packages.
[x]  Javadoc documentation files are generated and included in -javadoc subpackage
[x]  Javadocs are placed in %{_javadocdir}/%{name} (no -%{version} symlinks)
[x]  Packages have proper BuildRequires/Requires on jpackage-utils
[x]  Javadoc subpackages have Require: jpackage-utils
[x]  Package uses %global not %define
[x]  If package uses tarball from VCS include comment how to re-create that tarball (svn export URL, git clone URL, ...)
[x]  If source tarball includes bundled jar/class files these need to be removed prior to building
[x]  All filenames in rpm packages must be valid UTF-8.
[x]  Jar files are installed to %{_javadir}/%{name}.jar (see [6] for details)
[x]  If package contains pom.xml files install it (including depmaps) even when building with ant
[x]  pom files has correct add_maven_depmap

=== Maven ===
[x]  Use %{_mavenpomdir} macro for placing pom files instead of %{_datadir}/maven2/poms
[x]  If package uses "-Dmaven.test.skip=true" explain why it was needed in a comment
[-]  If package uses custom depmap "-Dmaven.local.depmap.file=*" explain why it's needed in a comment
[x]  Package DOES NOT use %update_maven_depmap in %post/%postun
[x]  Packages DOES NOT have Requires(post) and Requires(postun) on jpackage-utils for %update_maven_depmap macro

=== Other suggestions ===
[x]  If possible use upstream build method (maven/ant/javac)
[x]  Avoid having BuildRequires on exact NVR unless necessary
[x]  Package has BuildArch: noarch (if possible)
[!]  Latest version is packaged.

Latest version is 7.1.1 but, as mentioned in the bug, it would
take to long to update the package for that version. I agree is
better to proceed with 7.1.0 at the moment.

[x]  Reviewer should test that the package builds in mock.

Tested on: http://koji.fedoraproject.org/koji/taskinfo?taskID=3959116

=== Issues ===
1. Most warnings about non standard gid can be avoided changing
group ownership of files to root:root, as the only thing the
application server needs to do is read them.

2. According to rpmlint there are dangling symlinks, but I think
these are false alarms.

3. The javadoc subpackage doesn't include a copy of the license.

4. The license type should be "LGPLv2 and ASL 2.0".

5. There is a newer version, but I think this shouldn't block the
package.

=== Final Notes ===
1. The rpmlint warning about the permissions of jboss-systemd.sh
can be avoided removing the execution permission from the source
and adding it the %install section of the spec using "install -m
755" instead of "cp -p".

2. The %install section uses a combination of "cp -a" and "install
-m". It would be nice to be consistent and use "install -m" where
possible, being explicit with the permissions instead of trusting
the source/built files.

Issues #2 and #3 need to be fixed.

Before approving I would like to get more opinions about ownership
of the files and dangling symlinks.
Comment 4 Juan Hernández 2012-04-03 10:42:56 EDT
Created attachment 574887 [details]
rpmlint output
Comment 5 Marek Goldmann 2012-04-04 12:11:26 EDT
Spec URL:
http://goldmann.fedorapeople.org/package_review/jboss-as/7.1.0-2/jboss-as.spec
SRPM URL:
http://goldmann.fedorapeople.org/package_review/jboss-as/7.1.0-2/jboss-as-7.1.0-2.fc17.src.rpm

Changes:

- Fixed rpmlint issues
- Fixed license
- Added LICENSE.txt file to javadoc subpackage
- Use standalone-web.xml config from docs as default

Koji scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=3963733
Comment 6 Juan Hernández 2012-04-04 13:29:24 EDT
The following rpmlint errors remain:

jboss-as.noarch: E: non-standard-dir-perm /var/cache/jboss-as/domain/data 0775L
jboss-as.noarch: E: non-standard-dir-perm /var/cache/jboss-as/standalone/data 0775L
jboss-as.noarch: E: non-standard-dir-perm /etc/jboss-as/domain 0775L
jboss-as.noarch: E: non-standard-dir-perm /var/cache/jboss-as/standalone/tmp 0775L
jboss-as.noarch: E: non-standard-dir-perm /var/cache/jboss-as/domain/tmp 0775L
jboss-as.noarch: E: non-standard-dir-perm /var/cache/jboss-as/auth 0700L
jboss-as.noarch: E: non-standard-dir-perm /var/log/jboss-as/domain 0770L
jboss-as.noarch: E: non-standard-dir-perm /etc/jboss-as/standalone 0775L
jboss-as.noarch: E: non-standard-dir-perm /var/log/jboss-as/standalone 0770L

As I said in comment #3 I think that all these permissions have a good reason.

The number of rpmlint warnings has gone from 934 to 143. The reason is that almost all the files are now owned by root:root and not root:jboss-as. Good improvement.

If we don't take into account all the dangling symlink warnings (which are all false positives) there are only 41 warnings, most of them due to the root:jobss-as or jboss-as:jboss-as ownership of files that require it. The only relevant warnings that remain are the following:

jboss-as.noarch: W: invalid-url URL: http://www.jboss.org/jbossas HTTP Error 403: Forbidden
jboss-as.noarch: W: only-non-binary-in-usr-lib
jboss-as.noarch: W: no-manual-page-for-binary jboss-as

I think that all of them are acceptable.

The strange-permission warning has been removed moving the file systemd unit file to a PatchX instead of a SourceX. Nice trick, but still using "cp" and "mv" to move files around. I think it is safer to use "install -m" in order to be explicit with the permissions.

All in all I don't see any good reason to block this package now, but please try to use "install -m" in the future.

================
*** APPROVED ***
================
Comment 7 Marek Goldmann 2012-04-04 17:57:22 EDT
Juan, thanks for your review!

Few notes:

- in the next versions I'll standardize on install instead of cp/mv
- the move of systemd files wasn't really meant as a trick, I just wanted to have it the repo :)

New Package SCM Request
=======================
Package Name:      jboss-as
Short Description: JBoss Application Server
Owners:            goldmann
Branches:          f17
Comment 8 Jon Ciesla 2012-04-05 08:12:37 EDT
Git done (by process-git-requests).
Comment 9 Fedora Update System 2012-04-07 07:04:58 EDT
jboss-as-7.1.0-2.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/jboss-as-7.1.0-2.fc17
Comment 10 Fedora Update System 2012-04-08 12:21:50 EDT
jboss-as-7.1.0-2.fc17 has been pushed to the Fedora 17 testing repository.
Comment 11 Fedora Update System 2012-04-14 00:26:12 EDT
jboss-as-7.1.0-2.fc17 has been pushed to the Fedora 17 stable repository.

Note You need to log in before you can comment on or make changes to this bug.