https://bugzilla.redhat.com/show_bug.cgi?id=2257948 Fabio Valentini <decathorpe@xxxxxxxxx> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |fedora-review? Status|NEW |ASSIGNED CC| |decathorpe@xxxxxxxxx Assignee|nobody@xxxxxxxxxxxxxxxxx |decathorpe@xxxxxxxxx --- Comment #3 from Fabio Valentini <decathorpe@xxxxxxxxx> --- Package looks good in general, but the way the crate dependencies are handled is not good right now. 1. In general, using vendored sources is strongly discouraged (in general, and also for Rust packages). I have looked at the contents of the vendor tarball, and it looks like almost all dependencies are already packaged for Fedora. Do you have a list of crate dependencies that are missing from Fedora? If it is not too long, I would *very much* prefer to not use vendored dependencies here (except for the git snapshot of aya that is apparently necessary). I (and other Rust SIG members) can help with packaging and / or reviewing missing dependencies. 2. *If* it turns out that using *all* vendored dependencies is indeed necessary (see Rust Packaging Guidelines for replacing Git snapshots with path-based dependencies), you will need to do at least *some* auditing of the contents of the vendor tarball. I can tell just by looking at the list of vendored crates that there are is least some content that is not acceptable for redistributing in Fedora (most importantly, cryptography algorithm implementations that are not legally allowed in Fedora in the fiat-crypto crate). You can also use automation to generate the list of bundled crates with the `%cargo_vendor_manifest` macro and adding that file as a `%license` file, there is no need to list the bundled crates manually anymore. In fact, you are already using that, so there is no need to list "Provides: bundled(crate(...))" at all, since it is redundant with the Provides generator. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component https://bugzilla.redhat.com/show_bug.cgi?id=2257948 Report this comment as SPAM: https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla&format=report-spam&short_desc=Report%20of%20Bug%202257948%23c3 -- _______________________________________________ package-review mailing list -- package-review@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to package-review-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
