https://bugzilla.redhat.com/show_bug.cgi?id=2138353
Bug ID: 2138353
Summary: Review Request: rnp - OpenPGP (RFC4880) tools
Product: Fedora
Version: rawhide
Hardware: All
OS: Linux
Status: NEW
Component: Package Review
Severity: medium
Priority: medium
Assignee: nobody@fedoraproject.org
Reporter: fedora@famillecollet.com
QA Contact: extras-qa@fedoraproject.org
CC: package-review@lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora

Spec URL: https://git.remirepo.net/cgit/rpms/lib/rnp.git/plain/rnp.spec?id=2b474395f76...
SRPM URL: https://rpms.remirepo.net/SRPMS/rnp-0.16.2-2.remi.src.rpm
Description: RNP is a set of OpenPGP (RFC4880) tools.
Fedora Account System Username: remi
Benson Muite benson_muite@emailplus.org changed:
What    |Removed                     |Added
----------------------------------------------------------------------------
Assignee|nobody@fedoraproject.org    |benson_muite@emailplus.org
CC      |                            |benson_muite@emailplus.org
Status  |NEW                         |ASSIGNED
Doc Type|---                         |If docs needed, set a value
Flags   |                            |fedora-review?
--- Comment #1 from Benson Muite benson_muite@emailplus.org ---
Spec: https://git.remirepo.net/cgit/rpms/lib/rnp.git/plain/rnp.spec
SRPM: https://rpms.remirepo.net/SRPMS/rnp-0.16.2-2.remi.src.rpm
--- Comment #2 from Remi Collet fedora@famillecollet.com ---
Scratch builds:
Rawhide: https://koji.fedoraproject.org/koji/taskinfo?taskID=93523776
EPEL-9: https://koji.fedoraproject.org/koji/taskinfo?taskID=93523743
Benson Muite benson_muite@emailplus.org changed:
What    |Removed                     |Added
----------------------------------------------------------------------------
Blocks  |                            |182235 (FE-Legal)
--- Comment #3 from Benson Muite benson_muite@emailplus.org ---
Package Review
==============

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated
[ ] = Manual review needed

===== MUST items =====

C/C++:
[x]: Package does not contain kernel modules.
[x]: Package contains no static executables.
[x]: If your application is a C or C++ application you must list a BuildRequires against gcc, gcc-c++ or clang.
[x]: Header files in -devel subpackage, if present.
[x]: ldconfig not called in %post and %postun for Fedora 28 and later.
[x]: Package does not contain any libtool archives (.la)
[x]: Rpath absent or only used for internal libs.
[x]: Development (unversioned) .so files in -devel subpackage, if present.

Generic:
[?]: Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines.
[?]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses found: "Unknown or generated", "BSD 2-Clause License", "*No copyright* Public domain", "BSD 2-clause NetBSD License BSD 2-Clause License", "Boost Software License 1.0", "BSD 2-Clause License Apache License 2.0", "MIT License". 635 files have unknown license. Detailed output of licensecheck in /home/FedoraPackaging/reviews/rnp/review-rnp/licensecheck.txt
[x]: License file installed when any subpackage combination is installed.
[!]: If the package is under multiple licenses, the licensing breakdown must be documented in the spec.
[x]: %build honors applicable compiler flags or justifies otherwise.
[x]: Package contains no bundled libraries without FPC exception.
[x]: Changelog in prescribed format.
[?]: Sources contain only permissible code or content.
[-]: Package contains desktop file if it is a GUI application.
[x]: Development files must be in a -devel package
[x]: Package uses nothing in %doc for runtime.
[x]: Package consistently uses macros (instead of hard-coded directory names).
[x]: Package is named according to the Package Naming Guidelines.
[?]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[?]: If the package is a rename of another package, proper Obsoletes and Provides are present.
[x]: Requires correct, justified where necessary.
[x]: Spec file is legible and written in American English.
[-]: Package contains systemd file(s) if in need.
[x]: Useful -debuginfo package or justification otherwise.
[?]: Package is not known to require an ExcludeArch tag.
[-]: Large documentation must go in a -doc subpackage. Large could be size (~1MB) or number of files.
     Note: Documentation size is 20480 bytes in 1 files.
[?]: Package complies to the Packaging Guidelines
[x]: Package successfully compiles and builds into binary rpms on at least one supported primary architecture.
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %license.
[x]: Package requires other packages for directories it uses.
[x]: Package must own all directories that it creates.
[x]: Package does not own files or directories owned by other packages.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install.
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Dist tag is present.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package must not depend on deprecated() packages.
[x]: Package use %makeinstall only when make install DESTDIR=... doesn't work.
[x]: Package is named using only allowed ASCII characters.
[x]: Package does not use a name that already exists.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as provided in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Packages must not store files under /srv, /opt or /usr/local

===== SHOULD items =====

Generic:
[!]: Sources can be downloaded from URI in Source: tag
     Note: Could not download Source0: https://github.com/rnpgp/rnp/archive/refs/tags/v0.16.2.tar.gz
     See: https://docs.fedoraproject.org/en-US/packaging-guidelines/SourceURL/
[-]: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it.
[x]: Final provides and requires are sane (see attachments).
[?]: Fully versioned dependency in subpackages if applicable.
     Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in librnp
[?]: Package functions as described.
[x]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[ ]: SourceX tarball generation or download is documented.
     Note: Package contains tarball without URL, check comments
[!]: Sources are verified with gpgverify first in %prep if upstream publishes signatures.
     Note: gpgverify is not used.
[x]: Package should compile and build into binary rpms on all supported architectures.
[x]: %check is present and all tests pass.
[?]: Packages should try to preserve timestamps of original installed files.
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT)
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: The placement of pkgconfig(.pc) files are correct.
[x]: SourceX is a working URL.
[x]: Spec use %global instead of %define unless justified.

===== EXTRA items =====

Generic:
[x]: Rpmlint is run on debuginfo package(s).
     Note: There are rpmlint messages (see attachment).
[x]: Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).
[x]: Large data in /usr/share should live in a noarch subpackage if package is arched.
[x]: Spec file according to URL is the same as in SRPM.
Rpmlint ------- Cannot parse rpmlint output:
Rpmlint (debuginfo) ------------------- Cannot parse rpmlint output:
Rpmlint (installed packages) ---------------------------- ============================ rpmlint session starts ============================ rpmlint: 2.4.0 configuration: /usr/lib/python3.11/site-packages/rpmlint/configdefaults.toml /etc/xdg/rpmlint/fedora-legacy-licenses.toml /etc/xdg/rpmlint/fedora-spdx-licenses.toml /etc/xdg/rpmlint/fedora.toml /etc/xdg/rpmlint/scoring.toml /etc/xdg/rpmlint/users-groups.toml /etc/xdg/rpmlint/warn-on-functions.toml checks: 31, packages: 5
rnp.x86_64: W: no-manual-page-for-binary rnp rnp.x86_64: W: no-manual-page-for-binary rnpkeys rnp.x86_64: W: no-documentation 5 packages and 0 specfiles checked; 0 errors, 3 warnings, 0 badness; has taken 4.5 s
Requires -------- rnp (rpmlib, GLIBC filtered): libc.so.6()(64bit) libgcc_s.so.1()(64bit) libgcc_s.so.1(GCC_3.0)(64bit) libgcc_s.so.1(GCC_3.3.1)(64bit) libjson-c.so.5()(64bit) libjson-c.so.5(JSONC_0.14)(64bit) librnp(x86-64) librnp.so.0()(64bit) libstdc++.so.6()(64bit) libstdc++.so.6(CXXABI_1.3)(64bit) libstdc++.so.6(CXXABI_1.3.5)(64bit) rtld(GNU_HASH)
librnp (rpmlib, GLIBC filtered): libbotan-2.so.19()(64bit) libbz2.so.1()(64bit) libc.so.6()(64bit) libgcc_s.so.1()(64bit) libgcc_s.so.1(GCC_3.0)(64bit) libgcc_s.so.1(GCC_3.3.1)(64bit) libjson-c.so.5()(64bit) libjson-c.so.5(JSONC_0.14)(64bit) libstdc++.so.6()(64bit) libstdc++.so.6(CXXABI_1.3)(64bit) libz.so.1()(64bit) rtld(GNU_HASH)
librnp-devel (rpmlib, GLIBC filtered): /usr/bin/pkg-config cmake-filesystem(x86-64) librnp(x86-64) librnp.so.0()(64bit)
rnp-debuginfo (rpmlib, GLIBC filtered):
rnp-debugsource (rpmlib, GLIBC filtered):
Provides -------- rnp: rnp rnp(x86-64)
librnp: librnp librnp(x86-64) librnp.so.0()(64bit)
librnp-devel: cmake(rnp) librnp-devel librnp-devel(x86-64) pkgconfig(librnp)
rnp-debuginfo: debuginfo(build-id) rnp-debuginfo rnp-debuginfo(x86-64)
rnp-debugsource: rnp-debugsource rnp-debugsource(x86-64)
Generated by fedora-review 0.9.0 (6761b6c) last change: 2022-08-23 Command line :/usr/bin/fedora-review -n rnp Buildroot used: fedora-rawhide-x86_64 Active plugins: Shell-api, Generic, C/C++ Disabled plugins: Java, Python, fonts, Ocaml, Perl, PHP, Ruby, R, Haskell, SugarActivity Disabled flags: EPEL6, EPEL7, DISTTAG, BATCH, EXARCH
Comments:
a) Signatures and sha256sum are available upstream:
https://github.com/rnpgp/rnp/releases
Can they be used for verification?
b) Please add a license breakdown in the spec file
c) The license for OCB use probably needs a check from legal
d) Perhaps change:
Source0: https://github.com/rnpgp/rnp/archive/refs/tags/v%{version}.tar.gz
to
Source0: %{url}/archive//v%{version}/%{name}-%{version}.tar.gz
e) There is
https://packages.fedoraproject.org/pkgs/thunderbird/thunderbird-librnp-rnp/
could this be replaced by the librnp built here?
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=182235 [Bug 182235] Fedora Legal Tracker
--- Comment #4 from Remi Collet fedora@famillecollet.com ---
> a) Signatures and sha256sum are available upstream:

Done

> b) Please add a license breakdown in the spec file

This is a mess, and don't want to list all "files" per license
A simple ref to LICENSE.md should be enough

> d) Perhaps change:

github URI are the worst thing I ever see... terrible mess
Definitively I hate github (and will never understand why using it.... not serious...)
Changes done in https://git.remirepo.net/cgit/rpms/lib/rnp.git/commit/?id=27243de3f527870861...
Will wait for legal answer about https://github.com/rnpgp/rnp/blob/master/LICENSE-OCB.md
--- Comment #5 from Benson Muite benson_muite@emailplus.org ---
License breakdown obtained from Fedora Review is below. Removed some CMake files which would not be packaged. Other files which are not packaged and not used in the build can be removed from the listing. Possibly the examples can be packaged as documentation with the devel package?
*No copyright* Public domain
----------------------------
rnp-0.16.2/LICENSE-OCB.md

BSD 2-Clause License
--------------------
rnp-0.16.2/include/rekey/rnp_key_store.h
rnp-0.16.2/include/repgp/repgp_def.h
rnp-0.16.2/include/rnp.h
rnp-0.16.2/include/rnp/rnp.h
rnp-0.16.2/include/rnp/rnp_def.h
rnp-0.16.2/include/rnp/rnp_err.h
rnp-0.16.2/src/common/file-utils.cpp
rnp-0.16.2/src/common/file-utils.h
rnp-0.16.2/src/common/getoptwin.h
rnp-0.16.2/src/common/str-utils.cpp
rnp-0.16.2/src/common/str-utils.h
rnp-0.16.2/src/common/time-utils.cpp
rnp-0.16.2/src/common/time-utils.h
rnp-0.16.2/src/common/uniwin.h
rnp-0.16.2/src/examples/CMakeLists.txt
rnp-0.16.2/src/examples/decrypt.c
rnp-0.16.2/src/examples/dump.c
rnp-0.16.2/src/examples/encrypt.c
rnp-0.16.2/src/examples/generate.c
rnp-0.16.2/src/examples/sign.c
rnp-0.16.2/src/examples/verify.c
rnp-0.16.2/src/fuzzing/CMakeLists.txt
rnp-0.16.2/src/fuzzing/dump.c
rnp-0.16.2/src/fuzzing/keyimport.c
rnp-0.16.2/src/fuzzing/keyring.c
rnp-0.16.2/src/fuzzing/keyring_g10.cpp
rnp-0.16.2/src/fuzzing/keyring_kbx.c
rnp-0.16.2/src/fuzzing/sigimport.c
rnp-0.16.2/src/fuzzing/verify.c
rnp-0.16.2/src/fuzzing/verify_detached.c
rnp-0.16.2/src/lib/CMakeLists.txt
rnp-0.16.2/src/lib/config.h.in
rnp-0.16.2/src/lib/crypto/backend_version.cpp
rnp-0.16.2/src/lib/crypto/backend_version.h
rnp-0.16.2/src/lib/crypto/bn.cpp
rnp-0.16.2/src/lib/crypto/bn.h
rnp-0.16.2/src/lib/crypto/bn_ossl.cpp
rnp-0.16.2/src/lib/crypto/cipher.cpp
rnp-0.16.2/src/lib/crypto/cipher.hpp
rnp-0.16.2/src/lib/crypto/cipher_botan.cpp
rnp-0.16.2/src/lib/crypto/cipher_botan.hpp
rnp-0.16.2/src/lib/crypto/cipher_ossl.cpp
rnp-0.16.2/src/lib/crypto/cipher_ossl.hpp
rnp-0.16.2/src/lib/crypto/common.h
rnp-0.16.2/src/lib/crypto/dl_ossl.cpp
rnp-0.16.2/src/lib/crypto/dl_ossl.h
rnp-0.16.2/src/lib/crypto/dsa.h
rnp-0.16.2/src/lib/crypto/dsa_ossl.cpp
rnp-0.16.2/src/lib/crypto/ec.cpp
rnp-0.16.2/src/lib/crypto/ec.h
rnp-0.16.2/src/lib/crypto/ec_curves.cpp
rnp-0.16.2/src/lib/crypto/ec_ossl.cpp
rnp-0.16.2/src/lib/crypto/ec_ossl.h
rnp-0.16.2/src/lib/crypto/ecdh.cpp
rnp-0.16.2/src/lib/crypto/ecdh.h
rnp-0.16.2/src/lib/crypto/ecdh_ossl.cpp
rnp-0.16.2/src/lib/crypto/ecdh_utils.cpp
rnp-0.16.2/src/lib/crypto/ecdh_utils.h
rnp-0.16.2/src/lib/crypto/ecdsa.cpp
rnp-0.16.2/src/lib/crypto/ecdsa.h
rnp-0.16.2/src/lib/crypto/ecdsa_ossl.cpp
rnp-0.16.2/src/lib/crypto/eddsa.cpp
rnp-0.16.2/src/lib/crypto/eddsa.h
rnp-0.16.2/src/lib/crypto/eddsa_ossl.cpp
rnp-0.16.2/src/lib/crypto/elgamal.cpp
rnp-0.16.2/src/lib/crypto/elgamal.h
rnp-0.16.2/src/lib/crypto/elgamal_ossl.cpp
rnp-0.16.2/src/lib/crypto/hash.cpp
rnp-0.16.2/src/lib/crypto/hash.hpp
rnp-0.16.2/src/lib/crypto/hash_botan.hpp
rnp-0.16.2/src/lib/crypto/hash_common.cpp
rnp-0.16.2/src/lib/crypto/hash_crc24.cpp
rnp-0.16.2/src/lib/crypto/hash_crc24.hpp
rnp-0.16.2/src/lib/crypto/hash_ossl.cpp
rnp-0.16.2/src/lib/crypto/hash_ossl.hpp
rnp-0.16.2/src/lib/crypto/hash_sha1cd.cpp
rnp-0.16.2/src/lib/crypto/hash_sha1cd.hpp
rnp-0.16.2/src/lib/crypto/mem.cpp
rnp-0.16.2/src/lib/crypto/mem.h
rnp-0.16.2/src/lib/crypto/mem_ossl.cpp
rnp-0.16.2/src/lib/crypto/mpi.cpp
rnp-0.16.2/src/lib/crypto/mpi.h
rnp-0.16.2/src/lib/crypto/ossl_common.h
rnp-0.16.2/src/lib/crypto/rng.cpp
rnp-0.16.2/src/lib/crypto/rng.h
rnp-0.16.2/src/lib/crypto/rng_ossl.cpp
rnp-0.16.2/src/lib/crypto/rsa.h
rnp-0.16.2/src/lib/crypto/rsa_ossl.cpp
rnp-0.16.2/src/lib/crypto/s2k.cpp
rnp-0.16.2/src/lib/crypto/s2k.h
rnp-0.16.2/src/lib/crypto/s2k_ossl.cpp
rnp-0.16.2/src/lib/crypto/signatures.cpp
rnp-0.16.2/src/lib/crypto/signatures.h
rnp-0.16.2/src/lib/crypto/sm2.cpp
rnp-0.16.2/src/lib/crypto/sm2.h
rnp-0.16.2/src/lib/crypto/sm2_ossl.cpp
rnp-0.16.2/src/lib/crypto/symmetric_ossl.cpp
rnp-0.16.2/src/lib/defaults.h
rnp-0.16.2/src/lib/ffi-priv-types.h
rnp-0.16.2/src/lib/fingerprint.cpp
rnp-0.16.2/src/lib/fingerprint.h
rnp-0.16.2/src/lib/generate-key.cpp
rnp-0.16.2/src/lib/json-utils.cpp
rnp-0.16.2/src/lib/json-utils.h
rnp-0.16.2/src/lib/key-provider.cpp
rnp-0.16.2/src/lib/key-provider.h
rnp-0.16.2/src/lib/logging.cpp
rnp-0.16.2/src/lib/logging.h
rnp-0.16.2/src/lib/pass-provider.cpp
rnp-0.16.2/src/lib/pass-provider.h
rnp-0.16.2/src/lib/rnp.cpp
rnp-0.16.2/src/lib/sec_profile.cpp
rnp-0.16.2/src/lib/sec_profile.hpp
rnp-0.16.2/src/lib/utils.cpp
rnp-0.16.2/src/lib/utils.h
rnp-0.16.2/src/lib/version.h.in
rnp-0.16.2/src/librekey/g10_sexp.hpp
rnp-0.16.2/src/librekey/kbx_blob.hpp
rnp-0.16.2/src/librekey/key_store_g10.cpp
rnp-0.16.2/src/librekey/key_store_g10.h
rnp-0.16.2/src/librekey/key_store_kbx.cpp
rnp-0.16.2/src/librekey/key_store_kbx.h
rnp-0.16.2/src/librekey/rnp_key_store.cpp
rnp-0.16.2/src/librepgp/stream-armor.cpp
rnp-0.16.2/src/librepgp/stream-armor.h
rnp-0.16.2/src/librepgp/stream-common.cpp
rnp-0.16.2/src/librepgp/stream-common.h
rnp-0.16.2/src/librepgp/stream-ctx.cpp
rnp-0.16.2/src/librepgp/stream-ctx.h
rnp-0.16.2/src/librepgp/stream-def.h
rnp-0.16.2/src/librepgp/stream-dump.cpp
rnp-0.16.2/src/librepgp/stream-dump.h
rnp-0.16.2/src/librepgp/stream-key.cpp
rnp-0.16.2/src/librepgp/stream-key.h
rnp-0.16.2/src/librepgp/stream-packet.cpp
rnp-0.16.2/src/librepgp/stream-packet.h
rnp-0.16.2/src/librepgp/stream-parse.cpp
rnp-0.16.2/src/librepgp/stream-parse.h
rnp-0.16.2/src/librepgp/stream-sig.cpp
rnp-0.16.2/src/librepgp/stream-sig.h
rnp-0.16.2/src/librepgp/stream-write.cpp
rnp-0.16.2/src/librepgp/stream-write.h
rnp-0.16.2/src/rnp/CMakeLists.txt
rnp-0.16.2/src/rnp/fficli.cpp
rnp-0.16.2/src/rnp/fficli.h
rnp-0.16.2/src/rnp/rnp.cpp
rnp-0.16.2/src/rnp/rnpcfg.cpp
rnp-0.16.2/src/rnp/rnpcfg.h
rnp-0.16.2/src/rnpkeys/CMakeLists.txt
rnp-0.16.2/src/rnpkeys/main.cpp
rnp-0.16.2/src/rnpkeys/rnpkeys.cpp
rnp-0.16.2/src/rnpkeys/tui.cpp

BSD 2-Clause License Apache License 2.0
---------------------------------------
rnp-0.16.2/src/lib/crypto.cpp
rnp-0.16.2/src/lib/crypto.h
rnp-0.16.2/src/lib/crypto/symmetric.cpp
rnp-0.16.2/src/lib/crypto/symmetric.h
rnp-0.16.2/src/lib/pgp-key.cpp
rnp-0.16.2/src/lib/pgp-key.h
rnp-0.16.2/src/lib/types.h
rnp-0.16.2/src/librekey/key_store_pgp.cpp
rnp-0.16.2/src/librekey/key_store_pgp.h

BSD 2-clause NetBSD License BSD 2-Clause License
------------------------------------------------
rnp-0.16.2/LICENSE.md
rnp-0.16.2/src/lib/crypto/dsa.cpp
rnp-0.16.2/src/lib/crypto/rsa.cpp

Boost Software License 1.0
--------------------------
rnp-0.16.2/cmake/Modules/FindWindowsSDK.cmake

MIT License
-----------
rnp-0.16.2/src/lib/crypto/sha1cd/sha1.c
rnp-0.16.2/src/lib/crypto/sha1cd/sha1.h
rnp-0.16.2/src/lib/crypto/sha1cd/ubc_check.c
rnp-0.16.2/src/lib/crypto/sha1cd/ubc_check.h
--- Comment #6 from Benson Muite benson_muite@emailplus.org ---
Related issue: https://gitlab.com/fedora/legal/fedora-license-data/-/issues/92
Richard Fontana rfontana@redhat.com changed:
What    |Removed                     |Added
----------------------------------------------------------------------------
CC      |                            |rfontana@redhat.com

--- Comment #7 from Richard Fontana rfontana@redhat.com ---
(In reply to Remi Collet from comment #4)
> Will wait for legal answer about
> https://github.com/rnpgp/rnp/blob/master/LICENSE-OCB.md
https://gitlab.com/fedora/legal/fedora-license-data/-/issues/92#note_1153084...
--- Comment #8 from Richard Fontana rfontana@redhat.com ---
(In reply to Remi Collet from comment #4)
> Will wait for legal answer about
> https://github.com/rnpgp/rnp/blob/master/LICENSE-OCB.md
https://gitlab.com/fedora/legal/fedora-license-data/-/issues/92#note_1153084...
--- Comment #9 from Benson Muite benson_muite@emailplus.org ---
Licensing seems ok. Might it be possible to also add:
BuildRequires: rubygem-asciidoctor
this will build documentation as man pages
rhtse tse@ribose.com changed:
What    |Removed                     |Added
----------------------------------------------------------------------------
Flags   |                            |needinfo?(fedora@famillecollet.com)
        |                            |needinfo?(benson_muite@emailplus.org)
        |                            |needinfo?(rfontana@redhat.com)
CC      |                            |tse@ribose.com

--- Comment #10 from rhtse tse@ribose.com ---
A heartfelt thank you @fedora@famillecollet.com @benson_muite@emailplus.org @rfontana@redhat.com from the RNP team. We would be more than happy to incorporate any recommendations or suggestions directly upstream so as to simplify unnecessary processing.
The LICENSE-OCB.md file used to provide documentation for users who had concerns with using OCB mode which was (back then) a patented mechanism, however, the OCB patents have since been abandoned. The patent owner Prof. Rogaway has stated here (https://mailarchive.ietf.org/arch/msg/cfrg/qLTveWOdTJcLn4HP3ev-vrj05Vg/) that OCB patents are now in the public domain.
The file now acts more of an acknowledgement for Prof. Rogaway's kindness early on to make OCB available for RNP users.
Richard Fontana rfontana@redhat.com changed:
What    |Removed                              |Added
----------------------------------------------------------------------------
Flags   |needinfo?(fedora@famillecollet.com)  |
        |needinfo?(benson_muite@emailplus.org)|
        |needinfo?(rfontana@redhat.com)       |

--- Comment #11 from Remi Collet fedora@famillecollet.com ---
- add files by license list in package sources
- open https://github.com/rnpgp/rnp/issues/1932 missing MIT
- add man pages
- check archive signature
See https://git.remirepo.net/cgit/rpms/lib/rnp.git/commit/?id=2e8ddcff90582a97f7...
Spec URL: https://git.remirepo.net/cgit/rpms/lib/rnp.git/plain/rnp.spec?id=2e8ddcff905...
SRPM URL: https://rpms.remirepo.net/SRPMS/rnp-0.16.2-3.remi.src.rpm
rjl jfx@calypsoblue.org changed:
What    |Removed                     |Added
----------------------------------------------------------------------------
CC      |                            |jfx@calypsoblue.org

--- Comment #12 from rjl jfx@calypsoblue.org ---
(In reply to Benson Muite from comment #3)
> e) There is
> https://packages.fedoraproject.org/pkgs/thunderbird/thunderbird-librnp-rnp/
> could this be replaced by the librnp built here?
As of Thunderbird 107beta and the inclusion of rnp-0.16.2, this should work. Build Thunderbird using `--with-system-librnp`. The build system will not compile librnp or its dependencies. (If that fails, a bug should be filed.) Thunderbird will pick up librnp.so.0 from the system library directory.
Remi Collet fedora@famillecollet.com changed:
What    |Removed                     |Added
----------------------------------------------------------------------------
Blocks  |                            |2139681
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=2139681 [Bug 2139681] Switch to system librnp
--- Comment #13 from Benson Muite benson_muite@emailplus.org ---
Package Review
==============

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated
[ ] = Manual review needed

===== MUST items =====

C/C++:
[x]: Package does not contain kernel modules.
[x]: Package contains no static executables.
[x]: If your application is a C or C++ application you must list a BuildRequires against gcc, gcc-c++ or clang.
[x]: Header files in -devel subpackage, if present.
[x]: ldconfig not called in %post and %postun for Fedora 28 and later.
[x]: Package does not contain any libtool archives (.la)
[x]: Rpath absent or only used for internal libs.
[x]: Development (unversioned) .so files in -devel subpackage, if present.

Generic:
[x]: Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines.
[x]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses found: "Unknown or generated", "BSD 2-Clause License", "*No copyright* Public domain", "BSD 2-clause NetBSD License BSD 2-Clause License", "Boost Software License 1.0", "BSD 2-Clause License Apache License 2.0", "MIT License". 635 files have unknown license. Detailed output of licensecheck in /home/FedoraPackaging/reviews/rnp/2138353-rnp/licensecheck.txt
[x]: License file installed when any subpackage combination is installed.
[x]: If the package is under multiple licenses, the licensing breakdown must be documented in the spec.
[x]: %build honors applicable compiler flags or justifies otherwise.
[x]: Package contains no bundled libraries without FPC exception.
[x]: Changelog in prescribed format.
[x]: Sources contain only permissible code or content.
[-]: Package contains desktop file if it is a GUI application.
[x]: Development files must be in a -devel package
[x]: Package uses nothing in %doc for runtime.
[x]: Package consistently uses macros (instead of hard-coded directory names).
[x]: Package is named according to the Package Naming Guidelines.
[x]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[?]: If the package is a rename of another package, proper Obsoletes and Provides are present.
[x]: Requires correct, justified where necessary.
[x]: Spec file is legible and written in American English.
[-]: Package contains systemd file(s) if in need.
[x]: Useful -debuginfo package or justification otherwise.
[x]: Package is not known to require an ExcludeArch tag.
[-]: Large documentation must go in a -doc subpackage. Large could be size (~1MB) or number of files.
     Note: Documentation size is 20480 bytes in 1 files.
[x]: Package complies to the Packaging Guidelines
[x]: Package successfully compiles and builds into binary rpms on at least one supported primary architecture.
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %license.
[x]: Package requires other packages for directories it uses.
[x]: Package must own all directories that it creates.
[x]: Package does not own files or directories owned by other packages.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install.
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Dist tag is present.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package must not depend on deprecated() packages.
[x]: Package use %makeinstall only when make install DESTDIR=... doesn't work.
[x]: Package is named using only allowed ASCII characters.
[x]: Package does not use a name that already exists.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as provided in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Packages must not store files under /srv, /opt or /usr/local

===== SHOULD items =====

Generic:
[-]: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it.
[x]: Final provides and requires are sane (see attachments).
[x]: Fully versioned dependency in subpackages if applicable.
     Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in librnp
[x]: Package functions as described.
[x]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[x]: Sources are verified with gpgverify first in %prep if upstream publishes signatures.
     Note: gpgverify is not the first command in %prep. Source 3 is not passed to gpgverify.
[x]: Package should compile and build into binary rpms on all supported architectures.
[x]: %check is present and all tests pass.
[x]: Packages should try to preserve timestamps of original installed files.
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT)
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: The placement of pkgconfig(.pc) files are correct.
[x]: Sources can be downloaded from URI in Source: tag
[x]: SourceX is a working URL.
[x]: Spec use %global instead of %define unless justified.

===== EXTRA items =====

Generic:
[x]: Rpmlint is run on debuginfo package(s).
     Note: There are rpmlint messages (see attachment).
[x]: Rpmlint is run on all installed packages.
     Note: No rpmlint messages.
[x]: Large data in /usr/share should live in a noarch subpackage if package is arched.
[x]: Spec file according to URL is the same as in SRPM.
Rpmlint ------- Cannot parse rpmlint output:
Rpmlint (debuginfo) ------------------- Cannot parse rpmlint output:
Rpmlint (installed packages) ---------------------------- ============================ rpmlint session starts ============================ rpmlint: 2.4.0 configuration: /usr/lib/python3.11/site-packages/rpmlint/configdefaults.toml /etc/xdg/rpmlint/fedora-legacy-licenses.toml /etc/xdg/rpmlint/fedora-spdx-licenses.toml /etc/xdg/rpmlint/fedora.toml /etc/xdg/rpmlint/scoring.toml /etc/xdg/rpmlint/users-groups.toml /etc/xdg/rpmlint/warn-on-functions.toml checks: 31, packages: 5
5 packages and 0 specfiles checked; 0 errors, 0 warnings, 0 badness; has taken 3.0 s
Source checksums ---------------- https://github.com/rnpgp/rnp/releases/download/v0.16.2/v0.16.2.tar.gz.asc : CHECKSUM(SHA256) this package : 6ff1c1a9314fd24609e518896666d276c1aa76cb20500e8375e6554ff06f6268 CHECKSUM(SHA256) upstream package : 6ff1c1a9314fd24609e518896666d276c1aa76cb20500e8375e6554ff06f6268 https://github.com/rnpgp/rnp/archive/v0.16.2/rnp-0.16.2.tar.gz : CHECKSUM(SHA256) this package : 742f2d64755633bf794be2e4a953106b9f8fb38caf785f6a2306cc23f8164346 CHECKSUM(SHA256) upstream package : 742f2d64755633bf794be2e4a953106b9f8fb38caf785f6a2306cc23f8164346
Requires -------- rnp (rpmlib, GLIBC filtered): libc.so.6()(64bit) libgcc_s.so.1()(64bit) libgcc_s.so.1(GCC_3.0)(64bit) libgcc_s.so.1(GCC_3.3.1)(64bit) libjson-c.so.5()(64bit) libjson-c.so.5(JSONC_0.14)(64bit) librnp(x86-64) librnp.so.0()(64bit) libstdc++.so.6()(64bit) libstdc++.so.6(CXXABI_1.3)(64bit) libstdc++.so.6(CXXABI_1.3.5)(64bit) rtld(GNU_HASH)
librnp (rpmlib, GLIBC filtered): libbotan-2.so.19()(64bit) libbz2.so.1()(64bit) libc.so.6()(64bit) libgcc_s.so.1()(64bit) libgcc_s.so.1(GCC_3.0)(64bit) libgcc_s.so.1(GCC_3.3.1)(64bit) libjson-c.so.5()(64bit) libjson-c.so.5(JSONC_0.14)(64bit) libstdc++.so.6()(64bit) libstdc++.so.6(CXXABI_1.3)(64bit) libz.so.1()(64bit) rtld(GNU_HASH)
librnp-devel (rpmlib, GLIBC filtered): /usr/bin/pkg-config cmake-filesystem(x86-64) librnp(x86-64) librnp.so.0()(64bit)
rnp-debuginfo (rpmlib, GLIBC filtered):
rnp-debugsource (rpmlib, GLIBC filtered):
Provides -------- rnp: rnp rnp(x86-64)
librnp: librnp librnp(x86-64) librnp.so.0()(64bit)
librnp-devel: cmake(rnp) librnp-devel librnp-devel(x86-64) pkgconfig(librnp)
rnp-debuginfo: debuginfo(build-id) rnp-debuginfo rnp-debuginfo(x86-64)
rnp-debugsource: rnp-debugsource rnp-debugsource(x86-64)
Generated by fedora-review 0.9.0 (6761b6c) last change: 2022-08-23 Command line :/usr/bin/fedora-review -b 2138353 Buildroot used: fedora-rawhide-x86_64 Active plugins: Generic, C/C++, Shell-api Disabled plugins: Ruby, Ocaml, PHP, fonts, R, Perl, Java, Haskell, Python, SugarActivity Disabled flags: EPEL6, EPEL7, DISTTAG, BATCH, EXARCH
Comments:
a) Maybe a comment is needed in the spec file that the patents are no longer enforced?
b) Correct functionality assumed based on tests
c) rpmlint seems to be ok
d) Should obsoletes thunderbird-librnp-rnp be indicated?
e) Other than that seems ok.
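The source-verification findings in the two review reports above ("gpgverify is not used", then "gpgverify is not the first command in %prep. Source 3 is not passed to gpgverify."), reproduced as a small spec linter. This is an added example, not fedora-review's code and not part of the thread; the spec fragments are constructed (not the real rnp.spec) and the parsing rules are simplifying assumptions.

```python
import re

# Constructed spec fragments for illustration only (not the real rnp.spec).
SPEC_NO_VERIFY = r"""
Name:    demo
Version: 1.0
Source0: https://example.org/demo-%{version}.tar.gz

%prep
%setup -q

%build
%cmake
"""

SPEC_LATE_VERIFY = r"""
Name:    demo
Version: 1.0
Source0: https://example.org/demo-%{version}.tar.gz
Source1: https://example.org/demo-%{version}.tar.gz.asc
Source2: demo-keyring.gpg
Source3: demo-license-breakdown.txt

%prep
%setup -q
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'

%build
%cmake
"""

SPEC_GOOD = r"""
Name:    demo
Version: 1.0
Source0: https://example.org/demo-%{version}.tar.gz
Source1: https://example.org/demo-%{version}.tar.gz.asc
Source2: demo-keyring.gpg

%prep
%{gpgverify} --keyring='%{SOURCE2}' \
    --signature='%{SOURCE1}' --data='%{SOURCE0}'
%setup -q

%build
%cmake
"""

# Assumption: only these section headers are recognised as ending %prep.
SECTION_RE = re.compile(
    r"^%(prep|build|install|check|files|changelog|description|package)\b")
SOURCE_TAG_RE = re.compile(r"^Source(\d*)\s*:", re.IGNORECASE)
GPGVERIFY_RE = re.compile(r"^%\{?gpgverify\b")
SOURCE_REF_RE = re.compile(r"%\{(?:SOURCE|S:)(\d+)\}")


def source_numbers(spec):
    """Return the sorted numbers of all SourceN tags (bare 'Source:' is 0)."""
    nums = set()
    for line in spec.splitlines():
        m = SOURCE_TAG_RE.match(line.strip())
        if m:
            nums.add(int(m.group(1) or 0))
    return sorted(nums)


def prep_commands(spec):
    """Return the %prep commands, skipping blanks and comments and joining
    backslash-continued lines into one command."""
    cmds, in_prep, pending = [], False, ""
    for raw in spec.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            in_prep = m.group(1) == "prep"
            continue
        if not in_prep or not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1].strip() + " "
            continue
        cmds.append(pending + line)
        pending = ""
    return cmds


def check_gpgverify(spec):
    """Return findings worded like the notes in the review reports."""
    cmds = prep_commands(spec)
    verify = [(i, c) for i, c in enumerate(cmds) if GPGVERIFY_RE.match(c)]
    if not verify:
        return ["gpgverify is not used"]
    findings = []
    if verify[0][0] != 0:
        # Unpacking before verification runs tar on an unverified archive.
        findings.append("gpgverify is not the first command in %prep")
    passed = {int(n) for _, c in verify for n in SOURCE_REF_RE.findall(c)}
    for n in source_numbers(spec):
        if n not in passed:
            findings.append(f"Source {n} is not passed to gpgverify")
    return findings


if __name__ == "__main__":
    for name in ("SPEC_NO_VERIFY", "SPEC_LATE_VERIFY", "SPEC_GOOD"):
        print(name, check_gpgverify(globals()[name]))
```

A source flagged as "not passed to gpgverify" is not necessarily a defect: a packager-authored file shipped as a Source has no upstream signature, so the finding is a prompt for the reviewer to confirm what the unsigned source is.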
--- Comment #14 from Remi Collet fedora@famillecollet.com ---
> a) Maybe a comment is needed in the spec file that the patents are no longer enforced?

I don't think it makes sense to document the past ;)
I also think there is a big confusion between patent and license on this algo, and "patent" are not allowed in Fedora.
But if you think this is a blocker I can add something.

> d) Should obsoletes thunderbird-librnp-rnp be indicated?

Not needed (both can be installed).
Rather to be obsoleted by thunderbird if they choose to use it.
--- Comment #15 from Benson Muite benson_muite@emailplus.org ---
> > a) Maybe a comment is needed in the spec file that the patents are no longer enforced?
>
> I don't think it makes sense to document the past ;)
> I also think there is a big confusion between patent and license on this algo, and "patent" are not allowed in Fedora.
> But if you think this is a blocker I can add something.

The file LICENSE-OCB.md is packaged, but based on explanation here and on GitHub, the correct situation is that that particular block encryption algorithm is no longer patented, so the information in LICENSE-OCB.md is inaccurate. Upstream will probably change something in how this is documented. It is not a blocker, but some comment may remind one to do an appropriate update on the next release. Probably the file should be named PREVIOUS-PATENT-OCB.md rather than LICENSE-OCB.md, but unclear what the upstream project will do.

> > d) Should obsoletes thunderbird-librnp-rnp be indicated?
>
> Not needed (both can be installed).
> Rather to be obsoleted by thunderbird if they choose to use it.

Ok. Great it does not conflict.
--- Comment #16 from Remi Collet fedora@famillecollet.com --- About thunderbird, also see https://bugzilla.redhat.com/show_bug.cgi?id=2139681#c1
--- Comment #17 from rhtse tse@ribose.com ---
We have made the following PRs in the upstream repository, that will be merged in a few hours:
* "Add MIT license for sha1 collision detection code" https://github.com/rnpgp/rnp/pull/1933
* "Clarify status of OCB license" https://github.com/rnpgp/rnp/pull/1936
--- Comment #18 from Benson Muite benson_muite@emailplus.org --- Thanks for the updates.
jeffrey.lau@ribose.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   |        |jeffrey.lau@ribose.com
--- Comment #19 from jeffrey.lau@ribose.com ---
The following PRs in the upstream repository have been merged:
* "Add MIT license for sha1 collision detection code" https://github.com/rnpgp/rnp/pull/1933
* "Clarify status of OCB license" https://github.com/rnpgp/rnp/pull/1936
--- Comment #20 from Remi Collet fedora@famillecollet.com ---
add upstream fix to clarify license and abandoned patent:
https://git.remirepo.net/cgit/rpms/lib/rnp.git/commit/?id=5ee7f90484d55caf2f...

Spec URL: https://git.remirepo.net/cgit/rpms/lib/rnp.git/plain/rnp.spec?id=5ee7f90484d...
SRPM URL: https://rpms.remirepo.net/SRPMS/rnp-0.16.2-4.remi.src.rpm
I hope everything is clarified.
Benson Muite benson_muite@emailplus.org changed:
What   |Removed        |Added
----------------------------------------------------------------------------
Flags  |fedora-review? |fedora-review+
Status |ASSIGNED       |POST
--- Comment #21 from Benson Muite benson_muite@emailplus.org --- Thanks. Approved.
--- Comment #22 from Remi Collet fedora@famillecollet.com --- Thanks for the review!
SCM requests
https://pagure.io/releng/fedora-scm-requests/issue/48886 Rawhide
https://pagure.io/releng/fedora-scm-requests/issue/48887 F37
https://pagure.io/releng/fedora-scm-requests/issue/48888 F36
https://pagure.io/releng/fedora-scm-requests/issue/48889 EPEL9
https://pagure.io/releng/fedora-scm-requests/issue/48890 EPEL8
--- Comment #23 from Gwyn Ciesla gwync@protonmail.com --- (fedscm-admin): The Pagure repository was created at https://src.fedoraproject.org/rpms/rnp
--- Comment #24 from Benson Muite benson_muite@emailplus.org --- Welcome. Your repositories have been extremely helpful. If EdDSA is used, may consider asking for the implementations in OpenSSL and Botan to be improved so that they are similar in quality to those in libsodium.
Fedora Update System updates@fedoraproject.org changed:
What   |Removed |Added
----------------------------------------------------------------------------
Status |POST    |MODIFIED
--- Comment #25 from Fedora Update System updates@fedoraproject.org --- FEDORA-EPEL-2022-d559f68df8 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-d559f68df8
--- Comment #26 from Fedora Update System updates@fedoraproject.org --- FEDORA-2022-9325194c36 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-9325194c36
--- Comment #27 from Fedora Update System updates@fedoraproject.org --- FEDORA-EPEL-2022-26ea155e33 has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-26ea155e33
--- Comment #28 from Fedora Update System updates@fedoraproject.org --- FEDORA-2022-7e9df7ab36 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-7e9df7ab36
Fedora Update System updates@fedoraproject.org changed:
What   |Removed  |Added
----------------------------------------------------------------------------
Status |MODIFIED |ON_QA
--- Comment #29 from Fedora Update System updates@fedoraproject.org --- FEDORA-2022-9325194c36 has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf install --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-9325194c36 *` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-9325194c36
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
--- Comment #30 from Fedora Update System updates@fedoraproject.org --- FEDORA-2022-7e9df7ab36 has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf install --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-7e9df7ab36 *` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-7e9df7ab36
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
--- Comment #31 from Fedora Update System updates@fedoraproject.org --- FEDORA-EPEL-2022-26ea155e33 has been pushed to the Fedora EPEL 9 testing repository.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-26ea155e33
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
--- Comment #32 from Fedora Update System updates@fedoraproject.org --- FEDORA-EPEL-2022-d559f68df8 has been pushed to the Fedora EPEL 8 testing repository.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-d559f68df8
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Richard Fontana rfontana@redhat.com changed:
What   |Removed           |Added
----------------------------------------------------------------------------
Blocks |182235 (FE-Legal) |
--- Comment #33 from Richard Fontana rfontana@redhat.com --- Lifting FE-Legal.
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=182235 [Bug 182235] Fedora Legal Tracker
Fedora Update System updates@fedoraproject.org changed:
What        |Removed |Added
----------------------------------------------------------------------------
Status      |ON_QA   |CLOSED
Resolution  |---     |ERRATA
Last Closed |        |2022-11-17 01:27:20
--- Comment #34 from Fedora Update System updates@fedoraproject.org --- FEDORA-2022-7e9df7ab36 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.
--- Comment #35 from Fedora Update System updates@fedoraproject.org --- FEDORA-2022-9325194c36 has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.
--- Comment #36 from Fedora Update System updates@fedoraproject.org --- FEDORA-EPEL-2022-26ea155e33 has been pushed to the Fedora EPEL 9 stable repository. If problem still persists, please make note of it in this bug report.
--- Comment #37 from Fedora Update System updates@fedoraproject.org --- FEDORA-EPEL-2022-d559f68df8 has been pushed to the Fedora EPEL 8 stable repository. If problem still persists, please make note of it in this bug report.