[Bug 1878468] New: RPM spec has unnecessary dependencies

https://bugzilla.redhat.com/show_bug.cgi?id=1878468 Bug ID: 1878468 Summary: RPM spec has unnecessary dependencies Product: Fedora Version: 31 Status: NEW Component: perl-Net-DNS Assignee: pwouters(a)redhat.com Reporter: rwfranks(a)acm.org QA Contact: extras-qa(a)fedoraproject.org CC: caillon+fedoraproject(a)gmail.com, john.j5live(a)gmail.com, kasal(a)ucw.cz, perl-devel(a)lists.fedoraproject.org, pwouters(a)redhat.com, rhughes(a)redhat.com, rstrode(a)redhat.com, sandmann(a)redhat.com Target Milestone: --- Classification: Fedora Description of problem: Upstream metadata lists far fewer dependencies than listed the RPM spec which appears to be an inaccurate list of packages cited in require and use declarations in the code. Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Potential to cause automatic installation of perl-Net-DNS-SEC without deliberate user involvement. This may have unpleasant legal consequences in some countries. Expected results: The documented Net::DNS API can be delivered by reducing this section of the RPM spec to something like: # Build BuildRequires: coreutils BuildRequires: findutils BuildRequires: glibc-common BuildRequires: make BuildRequires: sed BuildRequires: perl-generators BuildRequires: perl-interpreter BuildRequires: perl(ExtUtils::MakeMaker) BuildRequires: perl(Getopt::Long) BuildRequires: perl(IO::Socket::IP) # Runtime BuildRequires: perl(Carp) BuildRequires: perl(Digest::HMAC) BuildRequires: perl(Digest::MD5) BuildRequires: perl(Digest::SHA) BuildRequires: perl(Encode) BuildRequires: perl(Exporter) BuildRequires: perl(File::Spec) BuildRequires: perl(IO::File) BuildRequires: perl(IO::Select) BuildRequires: perl(IO::Socket::IP) >= 0.38 BuildRequires: perl(IO::Socket) BuildRequires: perl(MIME::Base64) BuildRequires: perl(PerlIO) BuildRequires: perl(Scalar::Util) BuildRequires: perl(Time::Local) # Net::LibIDN2 is optional # Digest::BubbleBabble is optional %if ! (0%{?rhel} >= 7) BuildRequires: perl(Digest::BubbleBabble) %endif # Tests only BuildRequires: perl(File::Find) BuildRequires: perl(Test::Builder) BuildRequires: perl(Test::More) # Optional tests: Requires: perl(Test::Pod) Additional info: With the specific exception of IO::Socket::IP (which has recent bug history), package versions can be ignored. Net::DNS::SEC and its internal components MUST NOT be listed as dependencies. Net::DNS::SEC is delivered separately because cryptographic software is prohibited or severely restricted in many territories. Net::DNS::SEC must be installed explicitly by the end-user who bears resonsibility for any legal consequences of so doing. Other packages referred to in the code fall into 5 categories: 1) Perl CORE packages assumed always to be present: base, constant, integer, overload, strict, warnings, Config 2) Fallback for missing prerequisites (accepting reduced functionality): IO::Socket::INET, Net::LibIDN 3) Support for obsolete algorithm not yet formally deprecated: Digest::GOST, Digest::GOST::CryptoPro 4) Irrelevant platform specific packages: Win32::API, Win32::IPHelper, Win32::TieRegistry 5) Support for developer inbuilt test functions (not in documented API): Data::Dumper Net::DNS::Extlang -- You are receiving this mail because: You are on the CC list for the bug.