Bug 864432 - Review Request: owasp-esapi-java - OWASP Enterprise Security API
Review Request: owasp-esapi-java - OWASP Enterprise Security API
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Mikolaj Izdebski
Fedora Extras Quality Assurance
Depends On:
Blocks: 864531
  Show dependency treegraph
Reported: 2012-10-09 08:28 EDT by Marek Goldmann
Modified: 2012-11-12 14:28 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-11-12 14:28:38 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
mizdebsk: fedora‑review+
limburgher: fedora‑cvs+

Attachments (Terms of Use)

  None (edit)
Description Marek Goldmann 2012-10-09 08:28:21 EDT
Spec URL: http://goldmann.fedorapeople.org/package_review/owasp-esapi-java/2.0.1-1/owasp-esapi-java.spec
SRPM URL: http://goldmann.fedorapeople.org/package_review/owasp-esapi-java/2.0.1-1/owasp-esapi-java-2.0.1-1.fc17.src.rpm
Fedora Account System Username: goldmann

OWASP ESAPI (The OWASP Enterprise Security API) is a free, open source,
web application security control library that makes it easier for programmers
to write lower-risk applications. The ESAPI for Java library is designed to
make it easier for programmers to retrofit security into existing applications.
ESAPI for Java also serves as a solid foundation for new development.

Koji scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=4573969
Comment 1 Mikolaj Izdebski 2012-10-09 11:22:14 EDT
Package Review

- = N/A
x = Pass
! = Fail
? = Not evaluated

==== Generic ====
[x]: MUST Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
[x]: MUST Package successfully compiles and builds into binary rpms on at
     least one supported primary architecture.
[x]: MUST %build honors applicable compiler flags or justifies otherwise.
[x]: MUST All build dependencies are listed in BuildRequires, except for any
     that are listed in the exceptions section of Packaging Guidelines.
[x]: MUST Package contains no bundled libraries.
[x]: MUST Changelog in prescribed format.
[x]: MUST Sources contain only permissible code or content.
[x]: MUST Each %files section contains %defattr if rpm < 4.4
     Note: Note: defattr macros not found. They would be needed for EPEL5
[x]: MUST Macros in Summary, %description expandable at SRPM build time.
[x]: MUST Package contains desktop file if it is a GUI application.
[x]: MUST Development files must be in a -devel package
[x]: MUST Package requires other packages for directories it uses.
[x]: MUST Package uses nothing in %doc for runtime.
[x]: MUST Package is not known to require ExcludeArch.
[x]: MUST Permissions on files are set properly.
[x]: MUST Package does not contain duplicates in %files.
[x]: MUST Package complies to the Packaging Guidelines
[x]: MUST Spec file lacks Packager, Vendor, PreReq tags.
[x]: MUST Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
     Note: rm -rf would be needed if support for EPEL5 is required
[x]: MUST Large documentation files are in a -doc subpackage, if required.
[x]: MUST If (and only if) the source package includes the text of the
     license(s) in its own file, then that file, containing the text of the
     license(s) for the package is included in %doc.
[x]: MUST License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses found:
     "Apache (v2.0)" For detailed output of licensecheck see file:
[x]: MUST License file installed when any subpackage combination is installed.
[!]: MUST Package consistently uses macro is (instead of hard-coded directory
[x]: MUST Package is named using only allowed ascii characters.
[x]: MUST Package is named according to the Package Naming Guidelines.
[x]: MUST Package does not generate any conflict.
     Note: Package contains no Conflicts: tag(s)
[x]: MUST Package obeys FHS, except libexecdir and /usr/target.
[x]: MUST If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[x]: MUST Package must own all directories that it creates.
[x]: MUST Package does not own files or directories owned by other packages.
[x]: MUST Package installs properly.
[x]: MUST Package is not relocatable.
[!]: MUST Requires correct, justified where necessary.
[x]: MUST Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: MUST Sources used to build the package match the upstream source, as
     provided in the spec URL.
[x]: MUST Spec file is legible and written in American English.
[x]: MUST Spec file name must match the spec package %{name}, in the format
[x]: MUST Package contains systemd file(s) if in need.
[x]: MUST File names are valid UTF-8.
[x]: SHOULD Reviewer should test that the package builds in mock.
[x]: SHOULD Buildroot is not present
     Note: Unless packager wants to package for EPEL5 this is fine
[x]: SHOULD Package has no %clean section with rm -rf %{buildroot} (or
     Note: Clean would be needed if support for EPEL5 is required
[x]: SHOULD If the source package does not include license text(s) as a
     separate file from upstream, the packager SHOULD query upstream to
     include it.
[x]: SHOULD Dist tag is present.
[x]: SHOULD No file requires outside of /etc, /bin, /sbin, /usr/bin,
[x]: SHOULD Final provides and requires are sane (rpm -q --provides and rpm -q
[x]: SHOULD Package functions as described.
[x]: SHOULD Latest version is packaged.
[x]: SHOULD Package does not include license text files separate from
[x]: SHOULD Patches link to upstream bugs/comments/lists or are otherwise
[x]: SHOULD SourceX tarball generation or download is documented.
     Note: Package contains tarball without URL, check comments
[!]: SHOULD SourceX / PatchY prefixed with %{name}.
     Note: Patch0 (0001-Remove-validator-implementation-bsed-on-
     Antisammy.patch) Patch1 (0002-Use-different-directory-to-testing-bin-
     is-a-symlink.patch) Patch2 (0003-Implement-getContextPath-method-in-
[x]: SHOULD SourceX is a working URL.
[x]: SHOULD Description and summary sections in the package spec file contains
     translations for supported Non-English languages, if available.
[x]: SHOULD Package should compile and build into binary rpms on all supported
[-]: SHOULD %check is present and all tests pass.
[x]: SHOULD Packages should try to preserve timestamps of original installed
[x]: SHOULD Spec use %global instead of %define.

==== Java ====
[x]: MUST If source tarball includes bundled jar/class files these need to be
     removed prior to building
[x]: MUST Packages have proper BuildRequires/Requires on jpackage-utils
[x]: MUST Fully versioned dependency in subpackages, if present.
[x]: MUST Javadoc documentation files are generated and included in -javadoc
[x]: MUST Javadoc subpackages have Requires: jpackage-utils
[x]: MUST Javadocs are placed in %{_javadocdir}/%{name} (no -%{version}
[x]: SHOULD Package has BuildArch: noarch (if possible)
[x]: SHOULD Package uses upstream build method (ant/maven/etc.)

==== Maven ====
[x]: MUST Pom files have correct add_maven_depmap call
     Note: Some add_maven_depmap calls found. Please check if they are correct
[x]: MUST Old add_to_maven_depmap macro is not being used
[x]: MUST Packages DOES NOT have Requires(post) and Requires(postun) on
     jpackage-utils for %update_maven_depmap macro
[x]: MUST If package contains pom.xml files install it (including depmaps)
     even when building with ant
[x]: MUST Package DOES NOT use %update_maven_depmap in %post/%postun
[x]: MUST Packages use %{_mavenpomdir} instead of %{_datadir}/maven2/poms

Checking: owasp-esapi-java-2.0.1-1.fc19.noarch.rpm
owasp-esapi-java.noarch: W: no-documentation
owasp-esapi-java-javadoc.noarch: W: spelling-error Summary(en_US) Javadocs -> Java docs, Java-docs, Avocados
owasp-esapi-java-doc.noarch: W: wrong-file-end-of-line-encoding /usr/share/doc/owasp-esapi-java-doc-2.0.1/esapi4java-2.0rc6-override-log4jloggingfactory.txt
owasp-esapi-java-doc.noarch: W: wrong-file-end-of-line-encoding /usr/share/doc/owasp-esapi-java-doc-2.0.1/esapi4java-2.0-readme.txt
owasp-esapi-java.src: W: invalid-url Source0: owasp-esapi-java-2.0.1.tar.xz
4 packages and 0 specfiles checked; 0 errors, 5 warnings.


[!]: MUST Package consistently uses macro is (instead of hard-coded directory

Use %{_javadir} instead of /usr/share/java, or even better,
build-classpath bsh-core.

[!]: MUST Requires correct, justified where necessary.

The doc subpackage shouldn't require jpackage-utils.
Comment 2 Mikolaj Izdebski 2012-10-09 11:26:48 EDT
Koji build:
Comment 4 Mikolaj Izdebski 2012-10-10 02:57:09 EDT
Comment 5 Marek Goldmann 2012-10-10 03:03:02 EDT

New Package SCM Request
Package Name: owasp-esapi-java
Short Description: OWASP Enterprise Security API
Owners: goldmann
Branches: f17 f18
Comment 6 Gwyn Ciesla 2012-10-10 06:07:45 EDT
Git done (by process-git-requests).
Comment 7 Fedora Update System 2012-10-10 07:51:10 EDT
owasp-esapi-java-2.0.1-3.fc18 has been submitted as an update for Fedora 18.
Comment 8 Fedora Update System 2012-10-10 07:51:22 EDT
owasp-esapi-java-2.0.1-3.fc17 has been submitted as an update for Fedora 17.
Comment 9 Fedora Update System 2012-10-10 14:06:44 EDT
owasp-esapi-java-2.0.1-3.fc18 has been pushed to the Fedora 18 testing repository.

Note You need to log in before you can comment on or make changes to this bug.