Bug 833573 - Review Request: nettle - Low level cryptographic library
Status: CLOSED DUPLICATE of bug 837331
Product: Fedora
Classification: Fedora
Component: Package Review
rawhide
All Linux
medium Severity medium
Assigned To: Nobody's working on this, feel free to take it
Fedora Extras Quality Assurance
Depends On: 432228
Reported: 2012-06-19 15:42 EDT by Michael Cronenworth
Modified: 2012-07-06 02:55 EDT
Last Closed: 2012-07-05 11:03:29 EDT

Description Michael Cronenworth 2012-06-19 15:42:47 EDT
Spec URL: http://michael.cronenworth.com/RPMS/libnettle.spec
SRPM URL: http://michael.cronenworth.com/RPMS/libnettle-2.5-0.1pre.fc17.src.rpm
Description: Nettle is a cryptographic library that is designed to fit easily in
more or less any context: In crypto toolkits for object-oriented
languages (C++, Python, Pike, ...), in applications like LSH or GNUPG,
or even in kernel space.
Fedora Account System Username: mooninite
Comment 1 Michael Cronenworth 2012-06-19 17:06:13 EDT
It was pointed out to me that "libnettle" is probably not going to work. Renamed.

Spec URL: http://michael.cronenworth.com/RPMS/nettle.spec
SRPM URL: http://michael.cronenworth.com/RPMS/nettle-2.5-0.1pre.fc17.src.rpm
Comment 2 Richard Shaw 2012-06-21 10:15:10 EDT
Ok, quick spec review:

1. Although I find it strange as well, LGPLv2.1 or later should be referenced as just "LGPLv2+"

From http://fedoraproject.org/wiki/Licensing:Main
GNU Lesser General Public License v2 (or 2.1) or later	 LGPLv2+

2. I know hogweed is a library and on some other distros library packages are always prefixed with lib, but as we don't have that convention in Fedora, would it not be better to call the hogweed package just "hogweed" to be consistent with "nettle"?

3. Missed one arch specific Requires: in the devel subpackage.
Comment 3 Michael Cronenworth 2012-06-21 12:14:39 EDT
(In reply to comment #2)
> 2. I know hogweed is a library and on some other distros library packages
> are always prefixed with lib, but as we don't have that convention in
> Fedora, would it not be better to call the hogweed package just "hogweed" to
> be consistent with "nettle"?

The nettle documentation refers to it as "libhogweed". An alternative name I could give this package is to make it a sub-package called "nettle-gmp" or "nettle-bignum". Another alternative is to leave libhogweed.so* in the nettle package, but I'd like to keep dependencies (gmp) to a minimum.
Comment 4 Richard Shaw 2012-06-21 12:29:04 EDT
(In reply to comment #3)
> (In reply to comment #2)
> > 2. I know hogweed is a library and on some other distros library packages
> > are always prefixed with lib, but as we don't have that convention in
> > Fedora, would it not be better to call the hogweed package just "hogweed" to
> > be consistent with "nettle"?
> 
> The nettle documentation refers to it as "libhogweed". An alternative name I
> could give this package is to make it a sub-package called "nettle-gmp" or
> "nettle-bignum". Another alternative is to leave libhogweed.so* in the
> nettle package, but I'd like to keep dependencies (gmp) to a minimum.

Either way I wouldn't call it a blocker but I did have a crazy idea I'd like your opinion on.

What about not even creating a "nettle" binary package? Instead create 5 sub-packages exclusively.

libnettle
libhogweed
nettle-tools
libnettle-devel
libhogweed-devel

I like separating the devel packages so if you install one you don't automatically pull in the other library.

I don't see anywhere where this isn't allowed...

Thoughts?
Comment 5 Michael Cronenworth 2012-06-21 17:48:02 EDT
(In reply to comment #4)
> I like separating the devel packages so if you install one you don't
> automatically pull in the other library.

The only problem with splitting -devel packages is that the include files are stored in the same, single directory so I would need to create a package to own the include directory so that I can separate the headers into their respective -devel package.

Debian packages it the way I wanted to originally so I think we're best off keeping to one -devel package.
Comment 6 Michael Schwendt 2012-06-22 07:09:13 EDT
Just a brief look:


* https://fedoraproject.org/wiki/Packaging:NamingGuidelines#General_Naming

As a precedent, Debian and openSUSE called it libnettle.


* https://fedoraproject.org/wiki/Packaging:ReviewGuidelines

| MUST: rpmlint must be run on the source rpm and all binary rpms
| the build produces. The output should be posted in the review.[1] 

That doesn't imply it's only the reviewer who must do this. rpmlint is also a tool for packagers.


> Version: 2.5
> Release: 0.1pre%{?dist}

https://fedoraproject.org/wiki/Packaging:NamingGuidelines#Pre-Release_packages

A little bit pedantic, but Fedora adds another dot after the X.Y number:
Release: 0.1.pre%{?dist}


> License: LGPLv2.1+

https://fedoraproject.org/wiki/Licensing#Good_Licenses


> %package tools
> Group: System Environment/Libraries

As tools are not libraries, the package could fit into groups "System Environment/Base" or "Development/Tools". The package description doesn't expand on what these utility programs do, however.


> %package devel
> Summary: Development files for libnettle
> License: GPLv2+ and LGPLv2.1+

This will require a closer look. Why does the licensing here differ from the base library packages?


> Requires: %{name} = %{version}-%{release}
> Requires: libhogweed = %{version}-%{release}

https://fedoraproject.org/wiki/Packaging:Guidelines#Requiring_Base_Package


> %preun -p /sbin/ldconfig
> 
> %preun -n libhogweed -p /sbin/ldconfig

%postun would be the correct place to execute this.


> %files tools
> %doc COPYING.LIB

https://fedoraproject.org/wiki/Packaging:LicensingGuidelines#Subpackage_Licensing


> testsuite

Please investigate whether this is suitable for running "make check" in the %check section of the spec file.
Comment 7 Michael Cronenworth 2012-06-22 09:20:41 EDT
Michael, thanks for the comments, but I have not posted a new spec yet due to the indecision on the package name. Fedora previously had this library as "nettle":

https://admin.fedoraproject.org/pkgdb/acls/name/nettle

If someone could give me a straight answer on the package name I can finish fixing the spec file. I do not have a preference of "nettle" or "libnettle". I just need to know which to put up for review.
Comment 8 Michael Schwendt 2012-06-23 15:51:04 EDT
Sorry, it's beyond my time and interest to dig into this much.


For Debian there are tickets from 2009 such as:

  libnettle-dev is gone, replaced (and not provided) by nettle-dev
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542133

The current naming can be found here:

  http://packages.debian.org/source/wheezy/nettle

  nettle (source)
  libnettle4
  libhogweed2
  nettle-dev
  nettle-bin
  nettle-dbg


The old Fedora review is in bug 432228. It passed the "naming and versioning guidelines" requirements there with

  nettle  src.rpm
  nettle
  nettle-devel

One could try to find out whether
https://fedoraproject.org/wiki/Packaging:NamingGuidelines#General_Naming
has been considered in 2008 and what package names other dists used around that time.

Btw, the old review also mentioned a few of the items I have pointed out, such as the test-suite.


The old package has been included in F12 for the last time, so whatever the new naming will be, I don't think it would be necessary to add Obsoletes/Provides for the ancient stuff in F12.
Comment 9 David Woodhouse 2012-07-05 11:03:29 EDT
I've just noticed this review request; sorry. I have revived the nettle package and it has been reviewed in bug #837331.

Would you like to be a co-maintainer?

*** This bug has been marked as a duplicate of bug 837331 ***
Comment 10 David Woodhouse 2012-07-06 02:55:57 EDT
I don't think I'd get too worked up about package naming. When the library is pulled in as a runtime dependency, it's referenced by the library name(s):
libhogweed.so.2()(64bit)
libnettle.so.4()(64bit)  

And when it's seen in BuildRequires:, it should be referred to as
pkgconfig(hogweed)
pkgconfig(nettle)

In neither case should anyone really care about the *name* of the package. We could call it anything we like, and it wouldn't matter. And likewise in this context it shouldn't matter whether we split it into separate nettle/hogweed packages. If a dependent package has correct BuildRequires on the pkgconfig() objects it needs, it'll be fine.

On the topic of splitting nettle/hogweed.... we also need to ship GnuTLS v3, since we're currently shipping a hopelessly out of date GnuTLS v2.12 (bug #726886). And GnuTLS uses hogweed, so I'm not sure how often you'd manage to *avoid* having hogweed installed; it might not be worth splitting them at. But if you feel strongly that it's useful, feel free to make changes to the package (I'll grant you permissions if you aren't a provenpackager).
