Spec URL: https://github.com/lrm29/fish-rpm/blob/master/fish.spec
SRPM URL: https://github.com/lrm29/fish-rpm/blob/master/fish-2.0.0-1.fc18.src.rpm
Description: fish is a shell geared towards interactive use. Its features are focused on user friendliness and discoverability. The language syntax is simple but incompatible with other shell languages.
Fedora Account System Username: lrm29
Koji Build: http://koji.fedoraproject.org/koji/taskinfo?taskID=5509440

This is my first package, and I am seeking a sponsor.
Note that it's a retired ("deprecated") package due to lack of a maintainer and will need to be unretired.
http://pkgs.fedoraproject.org/cgit/fish.git/ -> http://pkgs.fedoraproject.org/cgit/fish.git/plain/dead.package
http://fedoraproject.org/wiki/Orphaned_package_that_need_new_maintainers#Claiming_Ownership_of_a_Deprecated_Package
I will package it for personal use in future development, so Laurence, do you want to continue?
I'd like to take this over. I need a sponsor.

Spec URL: http://web.mit.edu/luto/www/fedora/fish.spec
SRPM URL: http://web.mit.edu/luto/www/fedora/fish-2.1.0-1.fc19.src.rpm

There's one rpmlint error about mktemp. The code in question actually appears to be secure -- it calls mktemp and then opens the file with O_CREAT | O_EXCL. This is silly (it should use mkostemp), but it appears to be safe.
(In reply to Andy Lutomirski from comment #4)
> I'd like to take this over. I need a sponsor.
>
> Spec URL: http://web.mit.edu/luto/www/fedora/fish.spec
> SRPM URL: http://web.mit.edu/luto/www/fedora/fish-2.1.0-1.fc19.src.rpm
>
> There's one rpmlint error about mktemp. The code in question actually
> appears to be secure -- it calls mktemp and then opens the file with O_CREAT
> | O_EXCL. This is silly (it should use mkostemp), but it appears to be safe.

I also want to take it. But the problem is that the reporter is in unknown status, I want to know his attitude. Before we get permission to take it over, I think it's impolite to do that.

Your spec is also not OK. I will contact you off bugzilla.
Laurence, if you can't respond to this in 2 weeks, I will close the bug and submit a new one.
Hi,

I use fish itself a lot but not Fedora so much, so happy for someone to take it over.

At the time I was in contact with some people on the fish mailing list to try and get a standard rpm file as possible, and incorporate it into the fish repo on github. It would be good if whoever takes it over could continue that.

P.S. I cannot access those web.mit.edu links.

mkostemp is not POSIX. Why is it mkstemp 'silly' when it uses the correct flags?
(In reply to laurence.mcglashan from comment #7)
> Hi,
>
> I use fish itself a lot but not Fedora so much, so happy for someone to take
> it over.
>
> At the time I was in contact with some people on the fish mailing list to
> try and get a standard rpm file as possible, and incorporate it into the
> fish repo on github. It would be good if whoever takes it over could
> continue that.

RPM should be built by yourself but not others.

Btw Andy has prepared spec/srpm, he also wants to maintain it, if you can't find time to package it, tell us and I will close this bug and let Andy submit a new one. We don't want to wait anymore.

Thanks.
Sorry, correction on my part: A more standard SPEC file, not RPM file. It's not my fault you're having to "wait". I certainly won't bother you again.
Sorry, you caught me in an intermediate state.

Spec: http://web.mit.edu/luto/www/fedora/fish_rpm_v3/fish.spec
SRPM: http://web.mit.edu/luto/www/fedora/fish_rpm_v3/fish-2.1.0-1.fc19.src.rpm

This one should work correctly on F20+ and almost correctly on F19 (I removed the patch to make 'help' work locally under the assumption that, by the time this gets reviewed, either F20 will be released or the upstream bug will be fixed).

This version should be quite a bit cleaner. I'll email upstream, too.
Can one of you either close this bug or reassign it appropriately?
So this is an existing package we're reviving:
https://admin.fedoraproject.org/pkgdb/acls/name/fish
We can follow this Unorphan process as in bug #1016200

Package Review
==============

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated
[ ] = Manual review needed

Issues:
=======
- Package contains BR: python2-devel or python3-devel
- Requires missing ncurses
- %check not present but I'll not mandate that

===== MUST items =====

C/C++:
[x]: Package does not contain kernel modules.
[x]: Package contains no static executables.
[x]: Package does not contain any libtool archives (.la)
[x]: Rpath absent or only used for internal libs.

Generic:
[x]: Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines.
[x]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses found: "GPL (v2 or later)", "GPL (v2) (with incorrect FSF address)", "LGPL (v2 or later) (with incorrect FSF address)", "Unknown or generated", "BSD (2 clause)". 96 files have unknown license. Detailed output of licensecheck in /home/padraig/974852-fish/licensecheck.txt
[x]: Package does not own files or directories owned by other packages.
     Note: Dirs in package are owned also by: /usr/share/fish(zeroinstall-injector), /usr/share/fish/completions(zeroinstall-injector)
[x]: %build honors applicable compiler flags or justifies otherwise.
[x]: Package contains no bundled libraries without FPC exception.
[x]: Changelog in prescribed format.
[!]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install.
     Note: rm -rf %{buildroot} present but not required
[x]: Sources contain only permissible code or content.
[-]: Package contains desktop file if it is a GUI application.
[-]: Development files must be in a -devel package
[x]: Package uses nothing in %doc for runtime.
[x]: The spec file handles locales properly.
[x]: Package consistently uses macros (instead of hard-coded directory names).
[x]: Package is named according to the Package Naming Guidelines.
[x]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and Provides are present.
[-]: Requires correct, justified where necessary.
[x]: Spec file is legible and written in American English.
[-]: Package contains systemd file(s) if in need.
[x]: Useful -debuginfo package or justification otherwise.
[x]: Package is not known to require an ExcludeArch tag.
[x]: Large documentation must go in a -doc subpackage. Large could be size (~1MB) or number of files.
     Note: Documentation size is 583680 bytes in 46 files.
[x]: Package complies to the Packaging Guidelines
[x]: Package successfully compiles and builds into binary rpms on at least one supported primary architecture.
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %doc.
[x]: Package requires other packages for directories it uses.
[x]: Package must own all directories that it creates.
[x]: All build dependencies are listed in BuildRequires, except for any that are listed in the exceptions section of Packaging Guidelines.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: %config files are marked noreplace or the reason is justified.
[x]: Each %files section contains %defattr if rpm < 4.4
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package use %makeinstall only when make install' ' DESTDIR=... doesn't work.
[x]: Package is named using only allowed ASCII characters.
[x]: No %config files under /usr.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as provided in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Packages must not store files under /srv, /opt or /usr/local

Python:
[x]: Python eggs must not download any dependencies during the build process.
[x]: A package which is used by another package via an egg interface should provide egg info.
[x]: Package meets the Packaging Guidelines::Python
[x]: Binary eggs must be removed in %prep

===== SHOULD items =====

Generic:
[-]: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it.
[-]: Final provides and requires are sane (see attachments).
[x]: Package functions as described.
[x]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[x]: Description and summary sections in the package spec file contains translations for supported Non-English languages, if available.
[x]: Package should compile and build into binary rpms on all supported architectures.
[!]: %check is present and all tests pass.
[x]: Packages should try to preserve timestamps of original installed files.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: Sources can be downloaded from URI in Source: tag
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT)
[x]: Dist tag is present (not strictly required in GL).
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Fully versioned dependency in subpackages if applicable.
[x]: Uses parallel make %{?_smp_mflags} macro.
[x]: SourceX tarball generation or download is documented.
[x]: SourceX is a working URL.
[x]: Spec use %global instead of %define unless justified.

===== EXTRA items =====

Generic:
[-]: Large data in /usr/share should live in a noarch subpackage if package is arched.
     Note: Arch-ed rpms have a total of 3317760 bytes in /usr/share
[x]: Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).
[x]: Spec file according to URL is the same as in SRPM.

Rpmlint
-------
Checking: fish-2.1.0-1.fc20.x86_64.rpm
          fish-2.1.0-1.fc20.src.rpm
fish.x86_64: W: spelling-error %description -l en_US zsh -> sh, ssh, ash
fish.x86_64: W: spelling-error %description -l en_US autosuggestions -> autosuggestion, auto suggestions, auto-suggestions
fish.x86_64: E: call-to-mktemp /usr/bin/fish
fish.src: W: spelling-error %description -l en_US zsh -> sh, ssh, ash
fish.src: W: spelling-error %description -l en_US autosuggestions -> autosuggestion, auto suggestions, auto-suggestions
2 packages and 0 specfiles checked; 1 errors, 4 warnings.

Rpmlint (installed packages)
----------------------------
# rpmlint fish
fish.x86_64: W: spelling-error %description -l en_US zsh -> sh, ssh, ash
fish.x86_64: W: spelling-error %description -l en_US autosuggestions -> autosuggestion, auto suggestions, auto-suggestions
fish.x86_64: E: call-to-mktemp /usr/bin/fish
1 packages and 0 specfiles checked; 1 errors, 2 warnings.
# echo 'rpmlint-done:'

Requires
--------
fish (rpmlib, GLIBC filtered):
    /bin/sh
    /usr/bin/env
    config(fish)
    libc.so.6()(64bit)
    libgcc_s.so.1()(64bit)
    libgcc_s.so.1(GCC_3.0)(64bit)
    libm.so.6()(64bit)
    libncurses.so.5()(64bit)
    libpthread.so.0()(64bit)
    libstdc++.so.6()(64bit)
    libstdc++.so.6(CXXABI_1.3)(64bit)
    libtinfo.so.5()(64bit)
    rtld(GNU_HASH)

Provides
--------
fish:
    config(fish)
    fish
    fish(x86-64)

Source checksums
----------------
http://fishshell.com/files/2.1.0/fish-2.1.0.tar.gz :
  CHECKSUM(SHA256) this package : af527af9d145df5675ca3031c1a87007d4f4753a1cde49da88f4eb883a1cf044
  CHECKSUM(SHA256) upstream package : af527af9d145df5675ca3031c1a87007d4f4753a1cde49da88f4eb883a1cf044

Generated by fedora-review 0.5.0 (920221d) last change: 2013-08-30
Command line :/usr/bin/fedora-review -b 974852
Buildroot used: fedora-20-x86_64
Active plugins: Generic, Python, Shell-api, C/C++
Disabled plugins: Java, SugarActivity, Perl, R, PHP, Ruby
Disabled flags: EPEL5, EXARCH, DISTTAG
I'm confused about two things:

> - Package contains BR: python2-devel or python3-devel

The only thing I can see that requires python during the build process is brp-compile-python. Everything will still work as long as python is present at runtime even if the .pyc files don't get built. I added Requires: python, which is indeed needed for the 'config' command to work. (I think there's support for Python 3 as an alternative, but it looks like it would require patching.)

> - Requires missing ncurses

$ rpm -qp --requires fish-2.1.0-1.fc19.x86_64.rpm
[...]
libncurses.so.5()(64bit)

Is that not enough?

Spec: http://web.mit.edu/luto/www/fedora/fish_rpm_v4/fish.spec
SRPM: http://web.mit.edu/luto/www/fedora/fish_rpm_v4/fish-2.1.0-1.fc19.src.rpm

Changes:
- Bumped the date to today
- Use %make_install instead of make install DESTDIR=...
- Removed rm -rf %{buildroot}
- Added Requires: python
> There's one rpmlint error about mktemp. The code in question actually
> appears to be secure -- it calls mktemp and then opens the file with
> O_CREAT | O_EXCL. This is silly (it should use mkostemp), but it
> appears to be safe.

> Why is it mkstemp 'silly' when it uses the correct flags?

The code calls mktemp, which is insecure. It ought to call mkstemp instead.
The usual mktemp(3) pattern is:

    mktemp(name);
    open(name, O_RDWR);

this is broken -- name could be replaced by a symlink between the two calls.

fish is doing:

    mktemp(name);
    open(name, O_RDWR | O_CREAT | O_EXCL | O_TRUNC | O_CLOEXEC);

I don't know what O_TRUNC is for there, but it should have no effect. Critically, though, the O_EXCL flag will cause open to fail if name has been replaced by a symlink. If that happens, fish will try again.

It isn't using mkstemp because mkstemp doesn't pass O_CLOEXEC. mkostemp would work, but it's not portable. So, unless fish were willing to have a separate code path for Linux, I'm not sure how it can do better, and I think that the current code is secure.
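
An added illustration of the behaviour described in the comment above (not code from fish, its spec file, or any participant in this review): the C program below simulates the race in a private mkdtemp() directory, where the first candidate name has already become a symlink when open() runs, and reports which candidate each flag set ends up opening. The helper names and the `cand*`/`victim` file names are hypothetical, and the constructed candidate names stand in for successive mktemp() results.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Flags from the comment above, minus the O_TRUNC it calls a no-op. */
#define EXCL_FLAGS (O_RDWR | O_CREAT | O_EXCL | O_CLOEXEC)

/* Try constructed candidate names in turn, retrying only on EEXIST.
 * Returns the index of the candidate that was opened, or -1 on error. */
static int first_openable(const char *dir, int flags)
{
    char name[96];
    for (int i = 0; i < 4; i++) {
        snprintf(name, sizeof name, "%s/cand%d", dir, i);
        int fd = open(name, flags, 0600);
        if (fd >= 0) { close(fd); return i; }
        if (errno != EEXIST) return -1;
    }
    return -1;
}

/* Race simulation: cand0 is already a symlink to "victim" when open() runs. */
int candidate_opened_after_swap(int flags)
{
    char dir[] = "/tmp/excl-demo-XXXXXX", victim[96], name[96];
    int idx = -1;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(name, sizeof name, "%s/cand0", dir);
    int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd >= 0 && symlink(victim, name) == 0)
        idx = first_openable(dir, flags);
    if (vfd >= 0) close(vfd);
    for (int i = 0; i < 4; i++) {           /* remove whatever was created */
        snprintf(name, sizeof name, "%s/cand%d", dir, i);
        unlink(name);
    }
    unlink(victim);
    rmdir(dir);
    return idx;
}

int main(void)
{
    printf("O_RDWR: cand%d, O_CREAT|O_EXCL: cand%d\n",
           candidate_opened_after_swap(O_RDWR), candidate_opened_after_swap(EXCL_FLAGS));
    return 0;
}
```

With plain O_RDWR the open succeeds on candidate 0 by following the symlink; with O_CREAT | O_EXCL that open fails with EEXIST and the loop moves on to a fresh name.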
Okay, that's the alternative implementation described in the bsd manual page for mk*temp.
Yes you're right it's better to rely on the auto lib depends here:
http://fedoraproject.org/wiki/Packaging:Guidelines#Explicit_Requires

Ok all looks good to go for the scm request.
(In reply to Pádraig Brady from comment #17)
> Yes you're right it's better to rely on the auto lib depends here:
> http://fedoraproject.org/wiki/Packaging:Guidelines#Explicit_Requires
> Ok all looks good to go for the scm request.

Hey, they all need a sponsor. You don't even know Andy's FAS name.
Yeah -- I put it on my other package review ticket and on my post to the devel list. I'm amluto.
Andy, just for the process (you're not the reporter) could you please open another re-review request. I'll happily review that one, so please assign the request to me (mrunge).