[Bug 806677] Review Request: jboss-web - JBoss Web Server

bugzilla at redhat.com bugzilla at redhat.com
Mon Mar 26 16:32:38 UTC 2012

https://bugzilla.redhat.com/show_bug.cgi?id=806677

--- Comment #2 from Juan Hernández <juan.hernandez at redhat.com> 2012-03-26 12:32:37 EDT ---
Package Review
==============

Key:
- = N/A
x = Check
! = Problem
? = Not evaluated

=== REQUIRED ITEMS ===
[!]  Rpmlint output:

Output of rpmlint of the source package:

$ rpmlint jboss-web-7.0.13-1.fc18.src.rpm
jboss-web.src: E: description-line-too-long C JBoss Web Server is an enterprise ready web server designed for medium and large applications, based on Tomcat.
jboss-web.src: W: invalid-url URL: http://www.jboss.org/jbossweb HTTP Error 403: Forbidden
jboss-web.src:60: W: macro-in-comment %{_javadocdir}
jboss-web.src:60: W: macro-in-comment %{name}
jboss-web.src:61: W: macro-in-comment %{_javadocdir}
jboss-web.src:61: W: macro-in-comment %{name}
jboss-web.src: W: invalid-url Source0: jboss-web-7.0.13.Final.tar.xz
1 packages and 0 specfiles checked; 1 errors, 6 warnings.

Output of rpmlint of the binary packages:

$ rpmlint jboss-web-7.0.13-1.fc18.noarch.rpm jboss-web-doc-7.0.13-1.fc18.noarch.rpm
jboss-web.noarch: E: description-line-too-long C JBoss Web Server is an enterprise ready web server designed for medium and large applications, based on Tomcat.
jboss-web.noarch: W: invalid-url URL: http://www.jboss.org/jbossweb HTTP Error 403: Forbidden
jboss-web-doc.noarch: W: invalid-url URL: http://www.jboss.org/jbossweb HTTP Error 403: Forbidden
2 packages and 0 specfiles checked; 1 errors, 2 warnings.

URL warnings are acceptable.

[x]  Package is named according to the Package Naming Guidelines[1].
[x]  Spec file name must match the base package name, in the format
%{name}.spec.
[x]  Package meets the Packaging Guidelines[2].
[x]  Package successfully compiles and builds into binary rpms.

Koji build: http://koji.fedoraproject.org/koji/taskinfo?taskID=3933281

[x]  Buildroot definition is not present

[!]  Package is licensed with an open-source compatible license and meets other
legal requirements as defined in the legal section of Packaging
Guidelines[3,4].

Some of the source files state in their license header that they are covered by
"CDDL or GPLv2+ or ASL 2.0", which are known to be incompatible. This affects
most of the files in the java/javax directory. See for example the file
"java/javax/servlet/ServletContextListener.java".

[!]  License field in the package spec file matches the actual license.

The license in the spec file is "LGPLv3+" but the package contains files with a
mix of licenses. Some examples:

LGPLv2.1+: java/org/jboss/servlet/http/HttpEventFilterChain.java
LGPLv2+: java/org/jboss/web/php/PhpThread.java
ASL 2.0: java/org/apache/jasper/*
LGPLv2.1+ or ASL 2.0: java/org/apache/naming/resources/ProxyDirContext.java
MIT: java/org/apache/tomcat/util/json/JSONTokener.java
CDDL or LGPLv2+: java/javax/servlet/ServletContainerInitializer.java 

[x]  If (and only if) the source package includes the text of the license(s) in
its own file, then that file, containing the text of the license(s) for the
package is included in %doc.
[x]  All independent sub-packages have license of their own
[x]  Spec file is legible and written in American English.
[x]  Sources used to build the package matches the upstream source, as provided
in the spec URL.

Checked using a recursive diff of the sources, which gives output like this:

diff --recursive --unified
t/jboss-web-7.0.13.Final/java/org/apache/catalina/authenticator/AuthenticatorBase.java
t2/jboss-web-7.0.13.Final/java/org/apache/catalina/authenticator/AuthenticatorBase.java
---
t/jboss-web-7.0.13.Final/java/org/apache/catalina/authenticator/AuthenticatorBase.java
2011-10-11 17:29:56.000000000 +0200
+++
t2/jboss-web-7.0.13.Final/java/org/apache/catalina/authenticator/AuthenticatorBase.java
2011-10-11 17:29:56.818919000 +0200
@@ -70,7 +70,7 @@
  * requests.  Requests of any other type will simply be passed
  * through.
  *
  * @author Craig R. McClanahan
- * @version $Revision: 1848 $ $Date: 2011-10-11 11:29:56 -0400
  (Tue, 11 Oct 2011) $
+ * @version $Revision: 1848 $ $Date: 2011-10-11 17:29:56 +0200
(Tue, 11 Oct 2011) $
  */
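Review bot: On the @version line, the only changed line in this hunk, the two $Date$ values (11:29:56 -0400 and 17:29:56 +0200) are the same instant rendered in different time zones, so the content of the regenerated tarball depends on the time zone of whoever ran the export. Suggest recording the time zone in the spec comment that explains how to recreate the tarball, or exporting with a fixed TZ, so that a later reviewer gets an empty diff and any output that remains is a real content change.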

These differences are acceptable, as they appear due to distinct time zones and
subversion quirks.

[x]  All build dependencies are listed in BuildRequires, except for any that
are listed in the exceptions section of Packaging Guidelines[5].
[x]  Package must own all directories that it creates or must require other
packages for directories it uses.
[x]  Package does not contain duplicates in %files.
[x]  File sections do not contain %defattr(-,root,root,-) unless changed with
good reason
[x]  Permissions on files are set properly.
[x]  Package does NOT have a %clean section which contains rm -rf %{buildroot}
(or $RPM_BUILD_ROOT). (not needed anymore)
[x]  Package consistently uses macros (no %{buildroot} and $RPM_BUILD_ROOT
mixing)
[x]  Package contains code, or permissible content.
[-]  Fully versioned dependency in subpackages, if present.
[-]  Package contains a properly installed %{name}.desktop file if it is a GUI
application.
[-]  Package does not own files or directories owned by other packages.
[!]  Javadoc documentation files are generated and included in -javadoc
subpackage
[!]  Javadocs are placed in %{_javadocdir}/%{name} (no -%{version} symlinks)

No javadoc is generated.

[x]  Packages have proper BuildRequires/Requires on jpackage-utils
[-]  Javadoc subpackages have Require: jpackage-utils
[x]  Package uses %global not %define
[x]  If package uses tarball from VCS include comment how to re-create that
tarball (svn export URL, git clone URL, ...)
[x]  If source tarball includes bundled jar/class files these need to be
removed prior to building
[x]  All filenames in rpm packages must be valid UTF-8.
[x]  Jar files are installed to %{_javadir}/%{name}.jar (see [6] for details)
[x]  If package contains pom.xml files install it (including depmaps) even when
building with ant
[x]  pom files have correct add_maven_depmap

=== Maven ===
[x]  Use %{_mavenpomdir} macro for placing pom files instead of
%{_datadir}/maven2/poms
[-]  If package uses "-Dmaven.test.skip=true" explain why it was needed in a
comment
[-]  If package uses custom depmap "-Dmaven.local.depmap.file=*" explain why
it's needed in a comment
[x]  Package DOES NOT use %update_maven_depmap in %post/%postun
[x]  Package DOES NOT have Requires(post) and Requires(postun) on
jpackage-utils for %update_maven_depmap macro

=== Other suggestions ===
[x]  If possible use upstream build method (maven/ant/javac)
[x]  Avoid having BuildRequires on exact NVR unless necessary
[x]  Package has BuildArch: noarch (if possible)
[x]  Latest version is packaged.
[x]  Reviewer should test that the package builds in mock.

Tested on: http://koji.fedoraproject.org/koji/taskinfo?taskID=3933281

=== Issues ===
1. Description line is too long, please make it shorter than 79 characters.
2. Macros in comments, please remove them.
3. Several license issues, see above.
4. No javadocs.

=== Final Notes ===
My suggestion to move forward:

1. Contact upstream developers and inform them of the licensing issues,
especially for the files stating several incompatible licenses. Contact
legal at lists.fedoraproject.org for assistance.

2. Remove macros from comments (this is not strictly required).

3. As the licensing of the content in the "java/javax" is problematic you may
want to replace it with dependencies on packages providing the same content. In
this particular case that content can be obtained from the following packages
(already in rawhide):

jboss-annotations-1.1-api
jboss-el-2.2-api
jboss-jsp-2.1-api
jboss-servlet-3.0-api

You could add those to BuildRequires and Requires. Then in the %setup section
you can remove the "java/javax" directory and replace it with links in the
"lib" directory: 

%setup

# Remove all the javax classes, as they should come from other packages:
rm -rf java/javax
ln -s $(build-classpath jboss-annotations-1.1-api) lib
ln -s $(build-classpath jboss-el-2.2-api) lib
ln -s $(build-classpath jboss-jsp-2.2-api) lib
ln -s $(build-classpath jboss-servlet-3.0-api) lib

If you do this you will need to add the dependencies to the POM file as well.

This also reduces the number of different implementations of "javax" things
that we have in Fedora.

I would even suggest removing that "java/javax" directory from the source
tarball.

Once the license issues are cleared with upstream and legal we can check what
the right license type is.

4. In order to generate the javadoc you could add a new source file:

Source2: build-javadoc.xml

With the following content:

<project name="javadoc" default="build">
  <target name="build">
    <mkdir dir="apidocs" />
    <javadoc destdir="apidocs">
      <fileset dir="java"/>
    </javadoc>
  </target>
</project>

Then in the spec you can add the following:

%setup
cp %{SOURCE2} .

%build
ant -f build-javadoc.xml

%install
install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir}/%{name}
cp -rp apidocs/* $RPM_BUILD_ROOT%{_javadocdir}/%{name}
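
The source check described in the review (a recursive diff whose only differences come from Subversion keyword expansion), as an added example that is not part of the original comment: a shell script that compares two unpacked trees after normalising $Revision$ and $Date$, so only real changes are listed. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the review): compare an upstream export with the
# packaged source tree, ignoring expanded Subversion keywords.

# Collapse "$Revision: 1848 $" / "$Date: ... $" to "$Revision$" / "$Date$".
# Only these two keywords are normalised, to keep the ignored span small.
normalize() {
    sed -E 's/\$(Revision|Date):[^$]*\$/$\1$/g' "$1"
}

# Print one line per file that was added, removed or really changed.
# Returns 0 when the trees match after normalisation, 1 otherwise.
compare_trees() {
    up=$1; pk=$2; status=0
    list=$(mktemp); tmp=$(mktemp)
    { (cd "$up" && find . -type f); (cd "$pk" && find . -type f); } |
        sort -u > "$list"
    while IFS= read -r f; do
        if [ ! -f "$up/$f" ]; then
            echo "ADDED $f"; status=1
        elif [ ! -f "$pk/$f" ]; then
            echo "REMOVED $f"; status=1
        else
            normalize "$pk/$f" > "$tmp"
            if ! normalize "$up/$f" | cmp -s - "$tmp"; then
                echo "CHANGED $f"; status=1
            fi
        fi
    done < "$list"
    rm -f "$list" "$tmp"
    return "$status"
}

# Constructed sample trees: A.java differs only in $Date$, B.java in code,
# C.java exists only in the packaged tree.
build_sample() {
    mkdir -p "$1/upstream" "$1/packaged"
    echo ' * @version $Revision: 1848 $ $Date: 2011-10-11 11:29:56 -0400 $' > "$1/upstream/A.java"
    echo ' * @version $Revision: 1848 $ $Date: 2011-10-11 17:29:56 +0200 $' > "$1/packaged/A.java"
    echo 'int limit = 10;' > "$1/upstream/B.java"
    echo 'int limit = 99;' > "$1/packaged/B.java"
    echo 'class C {}' > "$1/packaged/C.java"
}

work=$(mktemp -d)
build_sample "$work"
compare_trees "$work/upstream" "$work/packaged" || echo "trees differ"
rm -rf "$work"
```

Text between the keyword's colon and its closing dollar sign is ignored by design, which is why the list of normalised keywords is limited to the two that appear in the diff above.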
