https://bugzilla.redhat.com/show_bug.cgi?id=1378860 --- Comment #6 from Mikolaj Izdebski <mizdebsk@xxxxxxxxxx> --- Package Review ============== Key: - = N/A x = Check ! = Problem [x] rpmlint must be run on the source rpm and all binary rpms the build produces. The output should be posted in the review. [x] The package must be named according to the Package Naming Guidelines. [x] The spec file name must match the base package %{name}, in the format %{name}.spec unless your package has an exemption. [!] The package must meet the Packaging Guidelines. * Compilers used to build packages must honor the applicable compiler flags set in the system rpm configuration. See https://fedoraproject.org/wiki/Packaging:Guidelines#Compiler_flags * Source URLs should point to git commits, not branches (jetty-9.3.x) and not tags (%{name}-%{version}). See https://fedoraproject.org/wiki/Packaging:SourceURL#Git_Hosting_Services * JNI shared objects MUST be placed in %{_libdir}/%{name}, not under %{_jnidir}. See http://fedoraproject.org/wiki/Packaging:Java#Guideline * The javadoc subpackage MUST be declared noarch even if main package is architecture specific. See http://fedoraproject.org/wiki/Packaging:Java#Javadoc_installation [!] The package must be licensed with a Fedora approved license and meet the Licensing Guidelines. License text should be taken from "reliable and canonical sources". Branches on Github are neither reliable nor cannonical. See https://fedoraproject.org/wiki/Packaging:LicensingGuidelines#License_Text [x] The License field in the package spec file must match the actual license. [x] If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package must be included in %doc. [x] The spec file must be written in American English. [x] The spec file for the package MUST be legible. [x] The sources used to build the package must match the upstream source, as provided in the spec URL. Reviewers should use sha256sum for this task as it is used by the sources file once imported into git. If no upstream URL can be specified for this package, please see the Source URL Guidelines for how to deal with this. [x] The package MUST successfully compile and build into binary rpms on at least one primary architecture. [x] If the package does not successfully compile, build or work on an architecture, then those architectures should be listed in the spec in ExcludeArch. Each architecture listed in ExcludeArch MUST have a bug filed in bugzilla, describing the reason that the package does not compile/build/work on that architecture. The bug number MUST be placed in a comment, next to the corresponding ExcludeArch line. [x] All build dependencies must be listed in BuildRequires, except for any that are listed in the exceptions section of the Packaging Guidelines; inclusion of those as BuildRequires is optional. Apply common sense. [x] The spec file MUST handle locales properly. This is done by using the %find_lang macro. Using %{_datadir}/locale/* is strictly forbidden. [x] Every binary RPM package (or subpackage) which stores shared library files (not just symlinks) in any of the dynamic linker's default paths, must call ldconfig in %post and %postun. [x] Packages must NOT bundle copies of system libraries. [x] If the package is designed to be relocatable, the packager must state this fact in the request for review, along with the rationalization for relocation of that specific package. Without this, use of Prefix: /usr is considered a blocker. [x] A package must own all directories that it creates. If it does not create a directory that it uses, then it should require a package which does create that directory. [x] A Fedora package must not list a file more than once in the spec file's %files listings. (Notable exception: license texts in specific situations.) [x] Permissions on files must be set properly. Executables should be set with executable permissions, for example. [!] Each package must consistently use macros. xmvn-config.xml should not hardcode path to %{_libdir}, but use RPM macros. [x] The package must contain code, or permissible content. [x] Large documentation files must go in a -doc subpackage. (The definition of large is left up to the packager's best judgement, but is not restricted to size. Large can refer to either size or quantity). [x] If a package includes something as %doc, it must not affect the runtime of the application. To summarize: If it is in %doc, the program must run properly if it is not present. [x] Static libraries must be in a -static package. [x] Development files must be in a -devel package. [x] In the vast majority of cases, devel packages must require the base package using a fully versioned dependency: Requires: %{name}%{?_isa} = %{version}-%{release} [x] Packages must NOT contain any .la libtool archives, these must be removed in the spec if they are built. [x] Packages containing GUI applications must include a %{name}.desktop file, and that file must be properly installed with desktop-file-install in the %install section. If you feel that your packaged GUI application does not need a .desktop file, you must put a comment in the spec file with your explanation. [x] Packages must not own files or directories already owned by other packages. The rule of thumb here is that the first package to be installed should own the files or directories that other packages may rely upon. This means, for example, that no package in Fedora should ever share ownership with any of the files or directories owned by the filesystem or man package. If you feel that you have a good reason to own a file or directory that another package owns, then please present that at package review time. [x] All filenames in rpm packages must be valid UTF-8. rpmlint output -------------- jetty-setuid.x86_64: E: missing-call-to-setgroups-before-setuid /usr/lib/java/jetty-setuid/libsetuid-linux.so jetty-setuid-debuginfo.x86_64: E: debuginfo-without-sources 4 packages and 0 specfiles checked; 2 errors, 0 warnings. These errors need to be addressed. missing-call-to-setgroups-before-setuid: This executable is calling setuid and setgid without setgroups or initgroups. There is a high probability this means it didn't relinquish all groups, and this would be a potential security issue to be fixed. Seek POS36-C on the web for details about the problem. debuginfo-without-sources: This debuginfo package appears to contain debug symbols but no source files. This is often a sign of binaries being unexpectedly stripped too early during the build, or being compiled without compiler debug flags (which again often is a sign of distro's default compiler flags ignored which might have security consequences), or other compiler flags which result in rpmbuild's debuginfo extraction not working as expected. Verify that the binaries are not unexpectedly stripped and that the intended compiler flags are used. Other notes ----------- * What is purpose of jetty-setuid-native.jar? It contains source code only. Source code should generally not be installed by binary packages, unless it's needed for runtime. (Sources may be installed in %{_usrsrc}, but only for reference purposes.) * Many of the above issues could be addressed in either maven-native or one of packaging tools (like XMvn or Java Packages Tools). -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component _______________________________________________ package-review mailing list -- package-review@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to package-review-leave@xxxxxxxxxxxxxxxxxxxxxxx