https://bugzilla.redhat.com/show_bug.cgi?id=2029219

Ben Beasley <code@xxxxxxxxxxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(code@musicinmybrain.net) |

--- Comment #5 from Ben Beasley <code@xxxxxxxxxxxxxxxxxx> ---
Package Review
==============

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated

Issues:
=======
- If (and only if) the source package includes the text of the license(s) in
  its own file, then that file, containing the text of the license(s) for the
  package is included in %license.
  Note: License file LICENSE is not marked as %license
  See: https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuidelines/#_license_text

  Please replace

    %doc LICENSE

  with

    %license LICENSE

  (but see below for further comments on license files)

- The dependency on the base package from the -devel package should be not
  only fully-versioned, but “arched”. Please change

    Requires:       %{name} = %{version}-%{release}

  to

    Requires:       %{name}%{?_isa} = %{version}-%{release}

- Since you use CMake to find fmt,

    BuildRequires:  fmt-devel

  would be better written as

    BuildRequires:  cmake(fmt)

  The guidelines don’t call this out specifically, but they make a similar
  recommendation for pkgconfig:
  https://docs.fedoraproject.org/en-US/packaging-guidelines/PkgConfigBuildRequires/

- It doesn’t look like the License of ASL 2.0 is actually correct. While this
  is the overall license chosen for ZXing (LICENSE, LICENSE.ZXing), NOTICE
  points out that “TextCodec” code is (mostly) “LGPLv2 with exceptions or
  LGPLv3 with exceptions”. Furthermore, there are a few files under BSD or MIT
  licenses.

  We can form an effective license for the compiled library using the
  “effective” license concept:
  https://fedoraproject.org/wiki/Licensing:FAQ#What_is_.22effective_license.22_and_do_I_need_to_know_that_for_the_License:_tag.3F

  LGPL is stricter than ASL 2.0, BSD, or MIT, so the library can be
  considered “LGPLv2 with exceptions or LGPLv3 with exceptions”. However, the
  API headers have various licenses, so we still have a multiple licensing
  scenario
  (https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuidelines/#_multiple_licensing_scenarios).

  Here’s what I recommend. For the base package, change

    License:        ASL 2.0

  to

    # The entire source is ASL 2.0, except:
    #
    # - TextCodec files, that is, core/src/textcodec/*, are
    #   (LGPLv2 with exceptions or LGPLv3 with exceptions).
    # - core/src/textcodec/JPText{En,De}coder.* are, formally,
    #   ((LGPLv2 with exceptions or LGPLv3 with exceptions) and BSD),
    #   which still forms an effective license of
    #   (LGPLv2 with exceptions or LGPLv3 with exceptions)
    # - wrappers/wasm/base64ArrayBuffer.js is MIT (but is not used)
    # - thirdparty/stb/stb_image.h and thirdparty/stb/stb_image_write.h are MIT
    #   (but are unbundled)
    #
    # The resulting effective license for the combined library is:
    License:        LGPLv2 with exceptions or LGPLv3 with exceptions

  Now install *all* of the license files, by changing

    %license LICENSE

  to

    %license LICENSE LICENSE.ZXing LICENSE.Qt LGPL_EXCEPTION.Qt NOTICE

  For the -devel package, add a License field:

    # The entire contents are ASL 2.0, except:
    #
    # - %%{_includedir}/ZXing/textcodec/*.h are exactly or effectively
    #   (LGPLv2 with exceptions or LGPLv3 with exceptions)
    #
    # See licensing breakdown above base package’s License field for further
    # details.
    License:        ASL 2.0 and (LGPLv2 with exceptions or LGPLv3 with exceptions)

  (The difference here from the base package is that some installed files have
  different licenses and can be used separately, so forming a single effective
  license is not correct.)

- You should unbundle stb_image and stb_image_write—both for general purposes,
  and because the latest Fedora version contains multiple fixes for published
  CVEs.

  Unfortunately, stb_image.h is trivially forked. You could just proceed to
  bundle it, adding

    Provides:       bundled(stb_image) = 2.25

  but it would be much better to benefit from the CVE fixes and, ideally,
  future updates. I sent a PR upstream to update the bundled stb libraries, and
  to supply a patch file that allows producing the forked stb_image from the
  upstream one. With this, we can do:

    # Update stb_image/stb_image_write
    # https://github.com/nu-book/zxing-cpp/pull/269
    # Fixes CVE-2021-28021, CVE-2021-42715, and CVE-2021-42716, and adds a patch
    # file for zxing-cpp-specific changes
    Patch1:         %{url}/pull/269.patch

    # -static BR’s required by guidelines for tracking of header-only libraries:
    BuildRequires:  stb_image-devel
    BuildRequires:  stb_image-static
    BuildRequires:  stb_image_write-devel
    BuildRequires:  stb_image_write-static

  and, in %prep:

    # remove bundled stb libraries:
    rm -v thirdparty/stb/stb_image_write.h thirdparty/stb/stb_image.h
    # stb_image.h is trivially forked: reconstruct the changes with the latest
    # unbundled copy
    cp -p %{_includedir}/stb/stb_image.h thirdparty/stb/
    pushd thirdparty/stb
    patch -p1 < stb_image.patch
    popd

Notes (no change required):
===========================
- You can, if you like, write

    Url:            https://github.com/nu-book/zxing-cpp
    Source0:        https://github.com/nu-book/zxing-cpp/archive/v%{version}/%{name}-%{version}.tar.gz

  as

    Url:            https://github.com/nu-book/zxing-cpp
    Source0:        %{url}/archive/v%{version}/%{name}-%{version}.tar.gz

- All of the rpmlint messages appear to be spurious.

- It would be clearer to drop the glob when referencing the unversioned .so
  symlink in the -devel subpackage’s file section, changing

    %{_libdir}/*.so

  to

    %{_libdir}/libZXing.so

- It would make sense to build and install the Python bindings, too, but I
  don’t want to hold up the package review on that.
  Would you (in principle) accept a PR to add them after import?

===== MUST items =====

C/C++:
[x]: Package does not contain kernel modules.
[x]: Package contains no static executables.
[x]: If your application is a C or C++ application you must list a
     BuildRequires against gcc, gcc-c++ or clang.
[x]: Header files in -devel subpackage, if present.
[x]: ldconfig not called in %post and %postun for Fedora 28 and later.
[x]: Package does not contain any libtool archives (.la)
[x]: Rpath absent or only used for internal libs.
[x]: Development (unversioned) .so files in -devel subpackage, if present.

Generic:
[x]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[!]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses found:
     "Unknown or generated", "*No copyright* Apache License 2.0", "GNU Lesser
     General Public License, Version 2.1", "Apache License 2.0", "The Unlicense
     MIT License", "*No copyright* Apache License", "MIT License", "LGPL (v2.1
     or v3)", "BSD 2-Clause License LGPL (v2.1 or v3)". 2078 files have unknown
     license. Detailed output of licensecheck in
     /home/reviewer/2029219-zxing-cpp/licensecheck.txt

     See Issues.
[!]: License file installed when any subpackage combination is installed.

     Additional license files should be installed. See Issues.
[x]: %build honors applicable compiler flags or justifies otherwise.
[!]: Package contains no bundled libraries without FPC exception.

     Should unbundle stb_image and stb_image_write. See Issues.
[x]: Changelog in prescribed format.
[x]: Sources contain only permissible code or content.
[-]: Package contains desktop file if it is a GUI application.
[x]: Development files must be in a -devel package
[x]: Package uses nothing in %doc for runtime.
[x]: Package consistently uses macros (instead of hard-coded directory
     names).
[x]: Package is named according to the Package Naming Guidelines.
[x]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[!]: Requires correct, justified where necessary.

     The -devel dependency should have an arched dependency on the base
     package, and should require cmake-filesystem.
[x]: Spec file is legible and written in American English.
[-]: Package contains systemd file(s) if in need.
[x]: Useful -debuginfo package or justification otherwise.
[x]: Package is not known to require an ExcludeArch tag.
[-]: Large documentation must go in a -doc subpackage. Large could be size
     (~1MB) or number of files.
     Note: Documentation size is 30720 bytes in 2 files.
[!]: Package complies to the Packaging Guidelines

     (issues mentioned elsewhere)
[x]: Package successfully compiles and builds into binary rpms on at least one
     supported primary architecture.
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: Package requires other packages for directories it uses.
[x]: Package must own all directories that it creates.
[x]: Package does not own files or directories owned by other packages.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Dist tag is present.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package must not depend on deprecated() packages.
[x]: Package use %makeinstall only when make install DESTDIR=... doesn't work.
[x]: Package is named using only allowed ASCII characters.
[x]: Package does not use a name that already exists.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as provided
     in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Packages must not store files under /srv, /opt or /usr/local

===== SHOULD items =====

Generic:
[-]: If the source package does not include license text(s) as a separate file
     from upstream, the packager SHOULD query upstream to include it.
[x]: Final provides and requires are sane (see attachments).
[!]: Fully versioned dependency in subpackages if applicable.
     Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in zxing-cpp-devel

     Dependency should be arched.
[x]: Package functions as described.
     (based on tests passing)
[x]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[x]: Patches link to upstream bugs/comments/lists or are otherwise justified.
[-]: Sources are verified with gpgverify first in %prep if upstream publishes
     signatures.
     Note: gpgverify is not used.
[-]: Description and summary sections in the package spec file contains
     translations for supported Non-English languages, if available.
[x]: Package should compile and build into binary rpms on all supported
     architectures.
[x]: %check is present and all tests pass.
[x]: Packages should try to preserve timestamps of original installed files.
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: The placement of pkgconfig(.pc) files are correct.
[x]: Sources can be downloaded from URI in Source: tag
[x]: SourceX is a working URL.
[x]: Spec use %global instead of %define unless justified.

===== EXTRA items =====

Generic:
[x]: Rpmlint is run on debuginfo package(s).
     Note: There are rpmlint messages (see attachment).
[x]: Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).
[x]: Large data in /usr/share should live in a noarch subpackage if package is
     arched.
[x]: Spec file according to URL is the same as in SRPM.


Rpmlint
-------
Cannot parse rpmlint output:


Rpmlint (debuginfo)
-------------------
Cannot parse rpmlint output:


Rpmlint (installed packages)
----------------------------
Cannot parse rpmlint output:


Source checksums
----------------
https://github.com/nu-book/zxing-cpp/archive/v1.2.0/zxing-cpp-1.2.0.tar.gz :
  CHECKSUM(SHA256) this package     : 653d9e44195d86cf64a36af9ff3a1978ec5599df3882439fefa56e7064f55e8a
  CHECKSUM(SHA256) upstream package : 653d9e44195d86cf64a36af9ff3a1978ec5599df3882439fefa56e7064f55e8a


Requires
--------
zxing-cpp (rpmlib, GLIBC filtered):
    ld-linux-x86-64.so.2()(64bit)
    libc.so.6()(64bit)
    libgcc_s.so.1()(64bit)
    libgcc_s.so.1(GCC_3.0)(64bit)
    libgcc_s.so.1(GCC_3.3.1)(64bit)
    libgcc_s.so.1(GCC_3.4)(64bit)
    libm.so.6()(64bit)
    libstdc++.so.6()(64bit)
    libstdc++.so.6(CXXABI_1.3)(64bit)
    libstdc++.so.6(CXXABI_1.3.9)(64bit)
    rtld(GNU_HASH)

zxing-cpp-devel (rpmlib, GLIBC filtered):
    /usr/bin/pkg-config
    cmake-filesystem(x86-64)
    libZXing.so.1()(64bit)
    zxing-cpp

zxing-cpp-debuginfo (rpmlib, GLIBC filtered):

zxing-cpp-debugsource (rpmlib, GLIBC filtered):


Provides
--------
zxing-cpp:
    libZXing.so.1()(64bit)
    zxing-cpp
    zxing-cpp(x86-64)

zxing-cpp-devel:
    cmake(ZXing)
    cmake(zxing)
    pkgconfig(zxing)
    zxing-cpp-devel
    zxing-cpp-devel(x86-64)

zxing-cpp-debuginfo:
    debuginfo(build-id)
    libZXing.so.1.2.0-1.2.0-1.fc36.x86_64.debug()(64bit)
    zxing-cpp-debuginfo
    zxing-cpp-debuginfo(x86-64)

zxing-cpp-debugsource:
    zxing-cpp-debugsource
    zxing-cpp-debugsource(x86-64)


Generated by fedora-review 0.7.6 (b083f91) last change: 2020-11-10
Command line :/usr/bin/fedora-review -b 2029219
Buildroot used: fedora-rawhide-x86_64
Active plugins: Shell-api, Generic, C/C++
Disabled plugins: PHP, Haskell, Perl, Java, Python, Ocaml, SugarActivity, fonts, R
Disabled flags: EPEL6, EPEL7, DISTTAG, BATCH, EXARCH

============================ rpmlint session starts ============================
rpmlint: 2.1.0
configuration:
    /usr/lib/python3.10/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/licenses.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
checks: 31, packages: 5

zxing-cpp-debuginfo.x86_64: W: unstripped-binary-or-object /usr/lib/debug/usr/lib64/libZXing.so.1.2.0-1.2.0-1.fc36.x86_64.debug
zxing-cpp.x86_64: E: shlib-policy-name-error 1
zxing-cpp-debuginfo.x86_64: E: shared-library-without-dependency-information /usr/lib/debug/usr/lib64/libZXing.so.1.2.0-1.2.0-1.fc36.x86_64.debug
zxing-cpp-debuginfo.x86_64: W: no-documentation
zxing-cpp-debugsource.x86_64: W: no-documentation
zxing-cpp-devel.x86_64: W: missing-dependency-on zxing-cpp*/zxing-cpp-libs/libzxing-cpp* = 1.2.0
zxing-cpp.x86_64: E: invalid-ldconfig-symlink /usr/lib64/libZXing.so.1.2.0 libZXing.so.1.2.0
zxing-cpp-debuginfo.x86_64: W: dangling-relative-symlink /usr/lib/debug/.build-id/2c/2b91fdcb9fe62ec4be5aef1e4fd453887d122e ../../../.build-id/2c/2b91fdcb9fe62ec4be5aef1e4fd453887d122e
 5 packages and 0 specfiles checked; 3 errors, 5 warnings, 3 badness; has taken 1.3 s

-- 
You are receiving this mail because:
You are always notified about changes to this product and component
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2029219
_______________________________________________
package-review mailing list -- package-review@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to package-review-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-review@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
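The unbundling discussion in the review above (an outdated, "trivially forked" stb_image.h that should be replaced by the system copy plus a small patch) is the kind of check worth automating before a package review. The script below is an added example; it is not from the review comment, from fedora-review, or from zxing-cpp. It builds a constructed sample tree with three headers (a bundled copy carrying one local edit, the pristine release it was forked from, and a newer system copy standing in for the unbundled stb_image-devel header; the version numbers and banner lines are illustrative, not real stb releases), reports whether the bundled copy is outdated and whether it is forked, and writes the "pristine release to bundled copy" patch that a %prep step like the one in the review would apply on top of the system header.

```shell
#!/bin/sh
# Added example: audit a bundled single-header library (stb_image.h style)
# against the upstream release it came from and the system (unbundled) copy.
set -eu

# Version from the stb banner line, e.g. "/* stb_image - v2.25 - ... */" -> 2.25
stb_version() {
    sed -n 's/.*stb_[a-z_]* - v\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Exit 0 if $1 >= $2 as dotted numeric versions, 1 otherwise.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = x[i] + 0; yi = y[i] + 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Number of changed lines between two headers; 0 means an unmodified copy.
fork_delta() {
    diff "$1" "$2" | grep -c '^[<>]' || true
}

# Classify: "<current|outdated> <pristine|forked>"
#   $1 bundled header, $2 pristine upstream release of the same version,
#   $3 system copy (the latest unbundled release)
audit_bundled() {
    bv=$(stb_version "$1")
    sv=$(stb_version "$3")
    if version_ge "$bv" "$sv"; then age=current; else age=outdated; fi
    if [ "$(fork_delta "$1" "$2")" -eq 0 ]; then fork=pristine; else fork=forked; fi
    echo "$age $fork"
}

# Write the unified diff (pristine -> bundled) that re-creates the local fork
# on top of a newer system header, and print its hunk count.
write_fork_patch() {
    diff -u "$1" "$2" > "$3" || true
    grep -c '^@@' "$3" || true
}

# Constructed sample tree (not real stb sources). Layout is an assumption
# that mirrors thirdparty/stb/ in the source and /usr/include/stb/ on the
# system; versions 2.25 / 2.27 are illustrative only.
make_samples() {
    d=$(mktemp -d)
    mkdir -p "$d/thirdparty/stb" "$d/pristine" "$d/usr/include/stb"
    printf '/* stb_image - v2.25 - sample image loader */\n#define STBI_SAMPLE 1\nstatic int stbi_load(void);\n' \
        > "$d/pristine/stb_image.h"
    # bundled copy = pristine release plus one project-local change
    { cat "$d/pristine/stb_image.h"; printf '/* local project change */\n'; } \
        > "$d/thirdparty/stb/stb_image.h"
    # system copy = a newer release of the same header
    sed 's/v2\.25/v2.27/' "$d/pristine/stb_image.h" > "$d/usr/include/stb/stb_image.h"
    echo "$d"
}

SAMPLE=$(make_samples)
trap 'rm -rf "$SAMPLE"' EXIT

echo "bundled: v$(stb_version "$SAMPLE/thirdparty/stb/stb_image.h")"
echo "system:  v$(stb_version "$SAMPLE/usr/include/stb/stb_image.h")"
echo "status:  $(audit_bundled "$SAMPLE/thirdparty/stb/stb_image.h" \
                               "$SAMPLE/pristine/stb_image.h" \
                               "$SAMPLE/usr/include/stb/stb_image.h")"
echo "hunks:   $(write_fork_patch "$SAMPLE/pristine/stb_image.h" \
                                  "$SAMPLE/thirdparty/stb/stb_image.h" \
                                  "$SAMPLE/stb_image.patch")"
```

On a real checkout, point the three arguments at thirdparty/stb/stb_image.h, a pristine copy of the release named in the bundled banner, and the header from the stb_image-devel package; an "outdated forked" result is exactly the case the review describes, where the bundled file must be both refreshed and re-patched rather than simply deleted.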