[Bug 669858] Review Request: signpost-core - A simple, light-weight, and modular OAuth client library for the Java platform

bugzilla at redhat.com bugzilla at redhat.com
Sun Jan 23 20:37:26 UTC 2011


David Nalley <david at gnsa.us> changed:

               What|Removed                     |Added
             Status|NEW                         |ASSIGNED
                 CC|                            |david at gnsa.us
         AssignedTo|nobody at fedoraproject.org |david at gnsa.us
               Flag|                            |fedora-review?

--- Comment #4 from David Nalley <david at gnsa.us> 2011-01-23 15:37:25 EST ---
Package Review

- = N/A
x = Check
! = Problem
? = Not evaluated

[X]  Rpmlint output:
[ke4qqq at L1012001 SPECS]$ rpmlint ./signpost-core.spec
../SRPMS/signpost-core- ../RPMS/noarch/signpost-core-*
./signpost-core.spec: W: invalid-url Source0: signpost-core-
signpost-core.src: W: strange-permission signpost-core-generate-tarball.sh
signpost-core.src: W: invalid-url Source0: signpost-core-
signpost-core.noarch: W: no-documentation
3 packages and 1 specfiles checked; 0 errors, 4 warnings.
[X]  Package is named according to the Package Naming Guidelines[1].
So I've marked this OK - Part of me thinks that this should really be signpost
with subpackages for (or not, have signpost be core) and things like
signpost-jetty be a subpackage of the same srpm. 

[X]  Spec file name must match the base package name, in the format
[X]  Package meets the Packaging Guidelines[2].
[X]  Package successfully compiles and builds into binary rpms.
[ ]  Buildroot definition is not present
[X]  Package is licensed with an open-source compatible license and meets other
legal requirements as defined in the legal section of Packaging
[X]  License field in the package spec file matches the actual license.
License type:
[-]  If (and only if) the source package includes the text of the license(s) in
its own file, then that file, containing the text of the license(s) for the
package is included in %doc.
[-]  All independent sub-packages have license of their own
[X]  Spec file is legible and written in American English.
[-]  Sources used to build the package matches the upstream source, as provided
in the spec URL.
I think the shell script is probably a bit overkill - regardless - I'd prefer to
see the 'why' (which I think is justified) explained a bit more in the spec. I
noted that as required fix below.
MD5SUM this package    :
MD5SUM upstream package:

I am marking NA here as the method you've used to generate your tarballs is
essentially unverifiable via this means. A different md5sum is generated
every time source is downloaded.
[X]  All build dependencies are listed in BuildRequires, except for any that
are listed in the exceptions section of Packaging Guidelines[5].
[X]  Package must own all directories that it creates.
[-]  Package requires other packages for directories it uses.
[X]  Package does not contain duplicates in %files.
[X]  Permissions on files are set properly.
[-]  Package does NOT have a %clean section which contains rm -rf %{buildroot}
(or $RPM_BUILD_ROOT). (not needed anymore)
[X]  Package consistently uses macros (no %{buildroot} and $RPM_BUILD_ROOT
[X]  Package contains code, or permissible content.
[!]  Fully versioned dependency in subpackages, if present.  
I think the javadoc package needs a versioned dep on the subpackage. 
[-]  Package contains a properly installed %{name}.desktop file if it is a GUI
[X]  Package does not own files or directories owned by other packages.
[X]  Javadoc documentation files are generated and included in -javadoc
[X]  Javadocs are placed in %{_javadocdir}/%{name} (no -%{version} symlinks)
[X]  Packages have proper BuildRequires/Requires on jpackage-utils
[X]  Javadoc subpackages have Require: jpackage-utils
[-]  Package uses %global not %define
[!]  If package uses tarball from VCS include comment how to re-create that
tarball (svn export URL, git clone URL, ...)
[-]  If source tarball includes bundled jar/class files these need to be
removed prior to building
[X]  All filenames in rpm packages must be valid UTF-8.
[X]  Jar files are installed to %{_javadir}/%{name}.jar (see [6] for details)
[!]  If package contains pom.xml files install it (including depmaps) even when
building with ant
I don't see this installed
[?]  pom files have correct add_to_maven_depmap call which resolves to the pom
file (use "JPP." and "JPP-" correctly)

=== Other suggestions ===
[?]  If possible use upstream build method (maven/ant/javac)
[X]  Avoid having BuildRequires on exact NVR unless necessary
[X]  Package has BuildArch: noarch (if possible)
[X]  Latest version is packaged.
[X]  Reviewer should test that the package builds in mock.
Tested on:
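
Added example, not part of the original review comment and not code from the package or its generate-tarball script: one way to check a regenerated tarball against upstream when whole-archive checksums differ on every download is to compare per-file content digests and ignore archive metadata. It assumes the varying checksum comes from metadata such as timestamps and the top-level directory name; the file names, directory names and contents below are constructed.

```python
import hashlib
import io
import tarfile


def make_tarball(files, mtime):
    """Build a .tar.gz in memory; `mtime` stands in for the time of export."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def content_manifest(tarball_bytes, strip_components=1):
    """Map each regular file's path (top-level dir stripped) to its SHA-256.

    Nothing is extracted to disk. Modes, owners, timestamps and non-regular
    members (symlinks, directories) are deliberately ignored.
    """
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            path = "/".join(member.name.split("/")[strip_components:])
            data = tar.extractfile(member).read()
            manifest[path] = hashlib.sha256(data).hexdigest()
    return manifest


def compare(ours, upstream):
    """Return (path, reason) pairs; an empty list means identical contents."""
    a, b = content_manifest(ours), content_manifest(upstream)
    diffs = [(p, "only in ours") for p in sorted(a.keys() - b.keys())]
    diffs += [(p, "only in upstream") for p in sorted(b.keys() - a.keys())]
    diffs += [(p, "content differs") for p in sorted(a.keys() & b.keys()) if a[p] != b[p]]
    return diffs


# Constructed sample data: the same tree exported twice, plus a modified copy.
FILES = {"pom.xml": b"<project/>\n", "src/Example.java": b"class Example {}\n"}
MODIFIED = dict(FILES, **{"src/Example.java": b"class Example { int x; }\n"})
first = make_tarball({"export-a/" + k: v for k, v in FILES.items()}, mtime=1000)
second = make_tarball({"export-b/" + k: v for k, v in FILES.items()}, mtime=2000)
tampered = make_tarball({"export-c/" + k: v for k, v in MODIFIED.items()}, mtime=3000)
```

Whole-archive digests of `first` and `second` differ (md5sum behaves the same way), while `compare(first, second)` is empty and `compare(first, tampered)` names the changed file.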
