https://bugzilla.redhat.com/show_bug.cgi?id=2338150

--- Comment #8 from Daniel Berrangé <berrange@xxxxxxxxxx> ---
(In reply to Richard W.M. Jones from comment #7)
> - The License field must be a valid SPDX expression.
>   Note: Not a valid SPDX expression 'Apache-2.0 AND BSD-2-Clause AND
>   BSD-3-Clause AND BSD-4-Clause AND BSD-4-Clause-UC AND GPL-2.0-only AND
>   ISC AND MIT AND MIT-0 AND NCSA AND OpenSSL AND SMLNJ AND SunPro AND
>   LicenseRef-Public-Domain'.
>   See: https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_1
>
> It's claiming this is not valid SPDX, which I'm not sure about. Maybe there's
> some real mistake in there?

Last term should be "LicenseRef-Fedora-Public-Domain"

> [x]: Development (unversioned) .so files in -devel subpackage, if present.
>      Note: Unversioned so-files in private %_libdir subdirectory (see
>      attachment). Verify they are not in ld path.
>
> These are apparently not real .so files, so that's OK.

Yep, it's just Intel's weird choice of file extension - it's actually an ELF
application rather than ELF shared library, but it's still not actually an ELF
application in the Fedora/glibc sense.

> [ ]: License field in the package spec file matches the actual license.
>      Note: Checking patched sources after %prep for licenses.
>      Licenses found: "Unknown or generated", "BSD 2-Clause License and/or BSD
>      3-Clause License and/or Eclipse Public License 1.0", "BSD 3-Clause
>      License", "Eclipse Public License 1.0", "BSD 2-Clause License and/or
>      BSD 2-clause NetBSD License", "Apache License 2.0", "*No copyright*
>      Apache License 2.0", "FSF Unlimited License [generated file]", "*No
>      copyright* zlib License", "University of Illinois/NCSA Open Source
>      License", "*No copyright* MIT License", "ISC License", "MIT License",
>      "BSD 3-Clause License and/or MIT License", "BSD 2-Clause License",
>      "GNU Lesser General Public License v2.1 or later", "Apple Public
>      Source License 2.0", "*No copyright* The Unlicense", "BSD 2-clause
>      FreeBSD License", "BSD 3-Clause License and/or GNU General Public
>      License, Version 2", "BSD 3-Clause License and/or OpenSSL License",
>      "Standard ML of New Jersey License", "MIT No Attribution", "BSD
>      4-Clause License", "*No copyright* Public domain", "BSD 3-Clause
>      License and/or BSD 4-Clause License", "BSD 3-Clause License and/or GNU
>      General Public License", "OpenSSL License", "BSD-4-Clause (University
>      of California-Specific)", "BSD 3-Clause License and/or Microsoft
>      Public License", "*No copyright* BSD 3-Clause License", "FSF All
>      Permissive License", "*No copyright* Eclipse Public License 1.0",
>      "Boost Software License 1.0", "Apache License 2.0 and/or GNU Lesser
>      General Public License, Version 2.1", "GNU General Public License,
>      Version 2", "Apache License 2.0 and/or BSD 3-Clause License", "Apache
>      License 2.0 and/or BSD 2-Clause License". 1890 files have unknown
>      license. Detailed output of licensecheck in
>      /var/tmp/2338150-linux-sgx-enclaves-prebuilt/licensecheck.txt
>
> (Possibly wrong, see above)

The source tarballs do indeed contain files under many more licenses. In the
License tag, I've only included licenses for the subset of source files that
are used for building the enclaves on Linux.
IOW, I've excluded licenses that are only relevant to host OS software, or only
relevant to Windows builds.

> [x]: If the package is under multiple licenses, the licensing breakdown
>      must be documented in the spec.
> [ ]: Package requires other packages for directories it uses.
>      Note: No known owner of /usr/x86_64-intel-sgx,
>      /usr/x86_64-intel-sgx/lib64
> [ ]: Package must own all directories that it creates.
>      Note: Directories without known owners: /usr/x86_64-intel-sgx,
>      /usr/x86_64-intel-sgx/lib64
>
> This could be a real problem. Dan, does another package own sgx_libdir?

No, this package should own those dirs.

> ===== SHOULD items =====
>
> Generic:
> [!]: Sources can be downloaded from URI in Source: tag
>      Note: Could not download Source2:
>      https://download.01.org/intel-sgx/sgx-dcap/1.22/linux/prebuilt_dcap_1.22-repacked.tar.gz
>      See: https://docs.fedoraproject.org/en-US/packaging-guidelines/SourceURL/
>
> I get a 404 for this URL.

Yep, the real URL lacks the '-repacked' suffix. I'll strip the URL from the
Source line and just put it in a comment before, so we distinguish genuine
upstream URL from the re-packed tarball. I'll also add 'repack.sh' as a Source
as you suggested earlier

> [ ]: Fully versioned dependency in subpackages if applicable.
>      Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in
>      sgx-enclave-prebuilt-common , sgx-enclave-prebuilt-pce-signed ,
>      sgx-enclave-prebuilt-ide-signed , sgx-enclave-prebuilt-qe3-signed ,
>      sgx-enclave-prebuilt-tdqe-signed
>
> Unclear, but might this be needed?

There is no '%{name}' output package, only "%{name}-common", that we depend on
for the licenses.

> [ ]: SourceX tarball generation or download is documented.
>      Note: Package contains tarball without URL, check comments
>
> Apart from the 404 problem, I'm not clear what fedora-review is complaining
> about here.

Probably got confused by the 404, which I'll fix

> [-]: Spec use %global instead of %define unless justified.
>      Note: %define requiring justification: %define debug_package %{nil},
>      %define linux_sgx_version 2.25, %define dcap_version 1.22, %define
>      with_enclave_pce 1, %define with_enclave_ide 1, %define
>      with_enclave_qe3 1, %define with_enclave_tdqe 1, %define
>      with_enclave_qve 0
>
> I don't think this check point is relevant any longer with the latest RPM
> versions.

%define is just my historical habit, I can use %global instead

> sgx-enclave-prebuilt-ide-signed.x86_64: E: statically-linked-binary /usr/x86_64-intel-sgx/lib64/libsgx_id_enclave.signed.so.1.19.100.1
> sgx-enclave-prebuilt-pce-signed.x86_64: E: statically-linked-binary /usr/x86_64-intel-sgx/lib64/libsgx_pce.signed.so.1.22.100.1
> sgx-enclave-prebuilt-qe3-signed.x86_64: E: statically-linked-binary /usr/x86_64-intel-sgx/lib64/libsgx_qe3.signed.so.1.19.100.1
> sgx-enclave-prebuilt-tdqe-signed.x86_64: E: statically-linked-binary /usr/x86_64-intel-sgx/lib64/libsgx_tdqe.signed.so.1.19.100.1

False positives, these aren't normal so files

> sgx-enclave-prebuilt-common.x86_64: W: no-documentation
> sgx-enclave-prebuilt-ide-signed.x86_64: W: no-documentation
> sgx-enclave-prebuilt-pce-signed.x86_64: W: no-documentation
> sgx-enclave-prebuilt-qe3-signed.x86_64: W: no-documentation
> sgx-enclave-prebuilt-tdqe-signed.x86_64: W: no-documentation

N/A

> sgx-enclave-prebuilt-common.x86_64: E: no-binary

While we could make the license common package noarch it is fairly pointless
since the overall package is ExclusiveArch for x86_64.
> linux-sgx-enclaves-prebuilt.spec: W: no-%check-section

Not applicable

> linux-sgx-enclaves-prebuilt.src: W: invalid-license LicenseRef-Public-Domain
> sgx-enclave-prebuilt-common.x86_64: W: invalid-license LicenseRef-Public-Domain
> sgx-enclave-prebuilt-ide-signed.x86_64: W: invalid-license LicenseRef-Public-Domain
> sgx-enclave-prebuilt-pce-signed.x86_64: W: invalid-license LicenseRef-Public-Domain
> sgx-enclave-prebuilt-qe3-signed.x86_64: W: invalid-license LicenseRef-Public-Domain
> sgx-enclave-prebuilt-tdqe-signed.x86_64: W: invalid-license LicenseRef-Public-Domain

To be fixed to LicenseRef-Fedora-Public-Domain

> sgx-enclave-prebuilt-ide-signed.x86_64: W: devel-file-in-non-devel-package /usr/x86_64-intel-sgx/lib64/libsgx_id_enclave.signed.so
> sgx-enclave-prebuilt-pce-signed.x86_64: W: devel-file-in-non-devel-package /usr/x86_64-intel-sgx/lib64/libsgx_pce.signed.so
> sgx-enclave-prebuilt-qe3-signed.x86_64: W: devel-file-in-non-devel-package /usr/x86_64-intel-sgx/lib64/libsgx_qe3.signed.so
> sgx-enclave-prebuilt-tdqe-signed.x86_64: W: devel-file-in-non-devel-package /usr/x86_64-intel-sgx/lib64/libsgx_tdqe.signed.so

False positive, these aren't normal so files.

>
> Unversioned so-files
> --------------------
> sgx-enclave-prebuilt-pce-signed: /usr/x86_64-intel-sgx/lib64/libsgx_pce.signed.so
> sgx-enclave-prebuilt-ide-signed: /usr/x86_64-intel-sgx/lib64/libsgx_id_enclave.signed.so
> sgx-enclave-prebuilt-qe3-signed: /usr/x86_64-intel-sgx/lib64/libsgx_qe3.signed.so
> sgx-enclave-prebuilt-tdqe-signed: /usr/x86_64-intel-sgx/lib64/libsgx_tdqe.signed.so

False positive, these aren't normal so files