https://bugzilla.redhat.com/show_bug.cgi?id=2363587

--- Comment #5 from Ben Beasley <code@xxxxxxxxxxxxxxxxxx> ---
This package looks quite good overall. I had a few relatively minor findings.

Package Review
==============

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated


===== Issues =====

- While it’s acceptable to write a long License expression all on one line,
  it’s easier to read and audit if you write it one-term-per-line using the
  %{shrink:…} RPM macro.

    License:        %{shrink:
                    ((MIT OR Apache-2.0) AND Unicode-DFS-2016) AND
                    Apache-2.0 AND
                    (Apache-2.0 OR BSL-1.0) AND
                    (Apache-2.0 OR MIT) AND
                    (Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT) AND
                    (BSD-2-Clause OR Apache-2.0 OR MIT) AND
                    MIT AND
                    (MIT or Apache-2.0) AND
                    (Unlicense OR MIT)
                    }

  Looking at the result, there are some simplifications that can and should
  be applied. This is ill-documented in the relevant policy,
  https://docs.fedoraproject.org/en-US/legal/license-field, but
  https://gitlab.com/fedora/legal/fedora-legal-docs/-/issues/45 and
  https://lists.fedoraproject.org/archives/list/legal@xxxxxxxxxxxxxxxxxxxxxxx/thread/F4MYD7U6D2ROAL3CAOHSYDL3H6TPWZOT/
  provide some additional context.

  Specifically, we can replace "(A AND B) AND B" with B, and we can treat
  (C OR D) and (D OR C) as equivalent and keep only one of them. The result
  would be something like:

    License:        %{shrink:
                    (MIT OR Apache-2.0) AND
                    Unicode-DFS-2016 AND
                    Apache-2.0 AND
                    (Apache-2.0 OR BSL-1.0) AND
                    (Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT) AND
                    (BSD-2-Clause OR Apache-2.0 OR MIT) AND
                    MIT AND
                    (Unlicense OR MIT)
                    }

  People often choose to reorder the terms to make it easier to read and
  audit the License expression, but there are various possible schemes for
  this, and it’s by no means mandatory, especially for comparatively simple
  license expressions like this one.

  I do think that, in the absence of per-file license header comments, it’s
  reasonable to assume that everything is covered by the overall MIT license
  unless there is evidence otherwise. This is a common situation.

- I see that you have supplied a value for the SourceLicense field. This
  field is documented in
  https://docs.fedoraproject.org/en-US/legal/license-field/#_source_package_files_not_included_in_binary_rpm,
  but not required, and Fedora Legal allows but doesn’t officially recommend
  or encourage it. Still, some people find it useful, and I like to include
  it too.

  However, this field needs to cover everything in the source RPM, including
  scripts/verify-sysfs.sh, so the correct value should be:

    SourceLicense:  MIT AND GPL-2.0-only

- A better source URL would be:

    Source:         %{url}/archive/v%{version}/%{name}-%{version}.tar.gz

  This way, the archive name and the extraction directory match.

- You should write

    PREFIX=%{buildroot}/%{_prefix} make install CARGO=/usr/bin/true

  as

    PREFIX=%{buildroot}/%{_prefix} %make_install CARGO=/usr/bin/true

  The expansion of %make_install is something like

    /usr/bin/make install DESTDIR=… INSTALL="/usr/bin/install -p"

  and this Makefile does use an INSTALL variable, so this change ensures
  that timestamps are preserved in accordance with
  https://docs.fedoraproject.org/en-US/packaging-guidelines/#_timestamps.

  (You can also write %{buildroot}/%{_prefix} as %{buildroot}%{_prefix},
  since %{_prefix} will always have an initial /, but this is subtle and
  makes no difference in the end. The same applies to paths like
  %{buildroot}%{_bindir}, although you don’t have any of those.)


===== Notes (no change required) =====

- Personally, I would replace all instances of %{name} in the spec file with
  the actual package name tbtools, because I think the macro indirection
  slightly hurts readability and doesn’t really make the spec file more
  reusable as a template for other packages. This is entirely a matter of
  opinion, and no change is required.

- I would claim that CODE_OF_CONDUCT.md, CONTRIBUTING.md, and SECURITY.md
  pertain to interacting with the upstream repository and aren’t necessarily
  useful to package as documentation. You are certainly permitted to package
  them if you like, and no change is required.

- I like to write directories in %files lists with a trailing slash, which
  makes it clear that they are supposed to be directories, and will not
  match a file of the same name. Therefore, I would write:

    %{_datadir}/%{name}/

  or

    %{_datadir}/tbtools/

  This is not required or suggested by the guidelines, and no change is
  required.

- There are a couple of instances of “overlinking” detected by rpmlint:

    tbtools.x86_64: W: unused-direct-shlib-dependency /usr/bin/tbman /lib64/libm.so.6
    tbtools.x86_64: W: unused-direct-shlib-dependency /usr/bin/tbpd /lib64/libudev.so.1

  That is, these executables link the named shared libraries but it seems to
  be unnecessary since they don’t appear to use any of the symbols those
  libraries provide.

  This is a defect, but a relatively inconsequential one, especially since:

  - The libraries are likely to be installed anyway
  - The overlinked executables are in the same (sub)packages as executables
    that legitimately require those libraries, so the RPM dependency could
    not be removed.

  It’s not straightforward or worthwhile to “fix” this, I think.

- Man pages are always desired for command-line tools:

    tbtools.x86_64: W: no-manual-page-for-binary lstb
    tbtools.x86_64: W: no-manual-page-for-binary tbadapters
    tbtools.x86_64: W: no-manual-page-for-binary tbauth
    tbtools.x86_64: W: no-manual-page-for-binary tbdump
    tbtools.x86_64: W: no-manual-page-for-binary tbget
    tbtools.x86_64: W: no-manual-page-for-binary tblist
    tbtools.x86_64: W: no-manual-page-for-binary tbman
    tbtools.x86_64: W: no-manual-page-for-binary tbmargin
    tbtools.x86_64: W: no-manual-page-for-binary tbpd
    tbtools.x86_64: W: no-manual-page-for-binary tbset
    tbtools.x86_64: W: no-manual-page-for-binary tbtrace

  https://docs.fedoraproject.org/en-US/packaging-guidelines/#_manpages

  If you choose to provide man pages, you may find that help2man --no-info
  provides acceptable results.


===== MUST items =====

Generic:
[x]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[x]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses
     found: "Unknown or generated", "MIT License", "GNU General Public
     License, Version 2". 62 files have unknown license. Detailed output of
     licensecheck in
     /home/ben/fedora/review/2363587-tbtools/licensecheck.txt
[x]: %build honors applicable compiler flags or justifies otherwise.
[x]: Package contains no bundled libraries without FPC exception.
[x]: Changelog in prescribed format.
[x]: Sources contain only permissible code or content.
[-]: Package contains desktop file if it is a GUI application.
[-]: Development files must be in a -devel package
[x]: Package uses nothing in %doc for runtime.
[x]: Package consistently uses macros (instead of hard-coded directory
     names).
[x]: Package is named according to the Package Naming Guidelines.
[x]: Package does not generate any conflict.
     I specifically checked for file conflicts on /usr/bin/*.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[x]: Requires correct, justified where necessary.
[x]: Spec file is legible and written in American English.
[-]: Package contains systemd file(s) if in need.
[x]: Useful -debuginfo package or justification otherwise.
[x]: Package is not known to require an ExcludeArch tag.
[-]: Large documentation must go in a -doc subpackage. Large could be size
     (~1MB) or number of files.
     Note: Documentation size is 160796 bytes in 6 files.
[x]: Package complies to the Packaging Guidelines (except as otherwise
     noted)
[x]: Package successfully compiles and builds into binary rpms on at least
     one supported primary architecture.
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: If (and only if) the source package includes the text of the
     license(s) in its own file, then that file, containing the text of the
     license(s) for the package is included in %license.
[x]: The License field must be a valid SPDX expression.
[x]: Package requires other packages for directories it uses.
[x]: Package must own all directories that it creates.
[x]: Package does not own files or directories owned by other packages.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Dist tag is present.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package must not depend on deprecated() packages.
[x]: Package use %makeinstall only when make install DESTDIR=... doesn't
     work.
[x]: Package is named using only allowed ASCII characters.
[x]: Package does not use a name that already exists.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as
     provided in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Packages must not store files under /srv, /opt or /usr/local


===== SHOULD items =====

Generic:
[-]: If the source package does not include license text(s) as a separate
     file from upstream, the packager SHOULD query upstream to include it.
[x]: Final provides and requires are sane (see attachments).
[x]: Package functions as described.
     (Tests pass.)
[x]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[-]: Sources are verified with gpgverify first in %prep if upstream
     publishes signatures.
     Note: gpgverify is not used.
[x]: Package should compile and build into binary rpms on all supported
     architectures.
     https://koji.fedoraproject.org/koji/taskinfo?taskID=134679503
[x]: %check is present and all tests pass.
[!]: Packages should try to preserve timestamps of original installed
     files.
     See Issues; using %make_install will fix this.
[!]: Spec use %global instead of %define unless justified.
     Note: %define requiring justification: %define cargo_install_lib 0

     Indeed,
     https://docs.fedoraproject.org/en-US/packaging-guidelines/#_global_preferred_over_define
     advises using %global, but the situation is more complicated (see
     https://pagure.io/packaging-committee/issue/1449) and the
     currently-documented advice is oversimplified and arguably wrong. While
     we wait on a new consensus, it suffices to say that since the value of
     the macro is a constant and does not contain other macros, it doesn’t
     matter whether you use %global or %define here, and there’s no need to
     justify it either way, despite what fedora-review says.
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: Sources can be downloaded from URI in Source: tag
[x]: SourceX is a working URL.


===== EXTRA items =====

Generic:
[x]: Rpmlint is run on debuginfo package(s).
     Note: No rpmlint messages.
[x]: Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).
[x]: Large data in /usr/share should live in a noarch subpackage if package
     is arched.
[x]: Spec file according to URL is the same as in SRPM.


Rpmlint
-------
Checking: tbtools-0.6.0-1.fc43.x86_64.rpm
          tbtools-0.6.0-1.fc43.src.rpm
============================ rpmlint session starts ============================
rpmlint: 2.7.0
configuration:
    /usr/lib/python3.13/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora-legacy-licenses.toml
    /etc/xdg/rpmlint/fedora-spdx-licenses.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
rpmlintrc: [PosixPath('/tmp/tmpxcptfxx9')]
checks: 32, packages: 2

tbtools.x86_64: W: no-manual-page-for-binary lstb
tbtools.x86_64: W: no-manual-page-for-binary tbadapters
tbtools.x86_64: W: no-manual-page-for-binary tbauth
tbtools.x86_64: W: no-manual-page-for-binary tbdump
tbtools.x86_64: W: no-manual-page-for-binary tbget
tbtools.x86_64: W: no-manual-page-for-binary tblist
tbtools.x86_64: W: no-manual-page-for-binary tbman
tbtools.x86_64: W: no-manual-page-for-binary tbmargin
tbtools.x86_64: W: no-manual-page-for-binary tbpd
tbtools.x86_64: W: no-manual-page-for-binary tbset
tbtools.x86_64: W: no-manual-page-for-binary tbtrace
tbtools.spec:33: W: mixed-use-of-spaces-and-tabs (spaces: line 33, tab: line 8)
 2 packages and 0 specfiles checked; 0 errors, 12 warnings, 7 filtered, 0 badness; has taken 0.8 s


Rpmlint (debuginfo)
-------------------
Checking: tbtools-debuginfo-0.6.0-1.fc43.x86_64.rpm
============================ rpmlint session starts ============================
rpmlint: 2.7.0
configuration:
    /usr/lib/python3.13/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora-legacy-licenses.toml
    /etc/xdg/rpmlint/fedora-spdx-licenses.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
rpmlintrc: [PosixPath('/tmp/tmprnpmfpl0')]
checks: 32, packages: 1

 1 packages and 0 specfiles checked; 0 errors, 0 warnings, 28 filtered, 0 badness; has taken 4.6 s


Rpmlint (installed packages)
----------------------------
============================ rpmlint session starts ============================
rpmlint: 2.7.0
configuration:
    /usr/lib/python3.14/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora-spdx-licenses.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
checks: 32, packages: 2

tbtools.x86_64: W: unused-direct-shlib-dependency /usr/bin/tbman /lib64/libm.so.6
tbtools.x86_64: W: unused-direct-shlib-dependency /usr/bin/tbpd /lib64/libudev.so.1
tbtools.x86_64: W: no-manual-page-for-binary lstb
tbtools.x86_64: W: no-manual-page-for-binary tbadapters
tbtools.x86_64: W: no-manual-page-for-binary tbauth
tbtools.x86_64: W: no-manual-page-for-binary tbdump
tbtools.x86_64: W: no-manual-page-for-binary tbget
tbtools.x86_64: W: no-manual-page-for-binary tblist
tbtools.x86_64: W: no-manual-page-for-binary tbman
tbtools.x86_64: W: no-manual-page-for-binary tbmargin
tbtools.x86_64: W: no-manual-page-for-binary tbpd
tbtools.x86_64: W: no-manual-page-for-binary tbset
tbtools.x86_64: W: no-manual-page-for-binary tbtrace
 2 packages and 0 specfiles checked; 0 errors, 13 warnings, 41 filtered, 0 badness; has taken 2.3 s


Source checksums
----------------
https://github.com/intel/tbtools/archive/refs/tags/v0.6.0.tar.gz :
  CHECKSUM(SHA256) this package     : 13ba72ef8c47d04d1e16a3f7db154a92b50a8ea34b1ea6bd41e69838139c6c3c
  CHECKSUM(SHA256) upstream package : 13ba72ef8c47d04d1e16a3f7db154a92b50a8ea34b1ea6bd41e69838139c6c3c


Requires
--------
tbtools (rpmlib, GLIBC filtered):
    /usr/bin/bash
    /usr/bin/sh
    ld-linux-x86-64.so.2()(64bit)
    libc.so.6()(64bit)
    libgcc_s.so.1()(64bit)
    libgcc_s.so.1(GCC_3.0)(64bit)
    libgcc_s.so.1(GCC_3.3)(64bit)
    libgcc_s.so.1(GCC_4.2.0)(64bit)
    libm.so.6()(64bit)
    libudev.so.1()(64bit)
    libudev.so.1(LIBUDEV_183)(64bit)
    libudev.so.1(LIBUDEV_199)(64bit)
    rtld(GNU_HASH)


Provides
--------
tbtools:
    tbtools
    tbtools(x86-64)


Generated by fedora-review 0.10.0 (e79b66b) last change: 2023-07-24
Command line :/usr/bin/fedora-review -b 2363587
Buildroot used: fedora-rawhide-x86_64
Active plugins: Generic, Shell-api
Disabled plugins: Ocaml, SugarActivity, fonts, Haskell, C/C++, Java, Python, Perl, R, PHP
Disabled flags: EXARCH, EPEL6, EPEL7, DISTTAG, BATCH
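
Added example (not part of the review comment and not a Fedora tool): a small Python routine that reproduces the simplified License expression from the original one in the first issue, by flattening nested AND groups and keeping one copy of each term, with OR groups compared without regard to order or operator case. The function names are hypothetical, and it assumes balanced parentheses and a top-level AND of terms.

```python
import re

def split_top(expr, op):
    """Split expr on operator `op` (AND/OR, any case) at parenthesis depth 0."""
    parts, depth = [[]], 0
    for tok in re.findall(r"\(|\)|[^\s()]+", expr):
        depth += (tok == "(") - (tok == ")")
        if depth == 0 and tok.upper() == op:
            parts.append([])
        else:
            parts[-1].append(tok)
    return [" ".join(p).replace("( ", "(").replace(" )", ")") for p in parts]

def unwrap(term):
    """Strip outer parentheses that enclose the whole (balanced) term."""
    term = term.strip()
    while term.startswith("(") and term.endswith(")"):
        depth, inner = 0, term[1:-1]
        for ch in inner:
            depth += (ch == "(") - (ch == ")")
            if depth < 0:  # the leading "(" closed before the end of the term
                return term
        term = inner.strip()
    return term

def and_terms(term):
    """Flatten nested AND groups; an OR group stays one parenthesized term."""
    inner = unwrap(term)
    if len(split_top(inner, "OR")) > 1:
        return ["(" + " ".join(inner.split()) + ")"]
    parts = split_top(inner, "AND")
    return parts if len(parts) == 1 else [t for p in parts for t in and_terms(p)]

def key(term):
    """Order- and case-insensitive identity: the set of OR alternatives."""
    return frozenset(unwrap(a).casefold() for a in split_top(unwrap(term), "OR"))

def simplify(expr):
    """Flatten, then keep the first occurrence of each distinct term."""
    kept = {}
    for term in and_terms(expr):
        kept.setdefault(key(term), term)
    return " AND ".join(kept.values())

# Input: the License expression quoted in the review, copied as written there.
ORIGINAL = ("((MIT OR Apache-2.0) AND Unicode-DFS-2016) AND Apache-2.0 AND "
            "(Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR MIT) AND "
            "(Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT) AND "
            "(BSD-2-Clause OR Apache-2.0 OR MIT) AND MIT AND "
            "(MIT or Apache-2.0) AND (Unlicense OR MIT)")
print(simplify(ORIGINAL))
```

The routine only removes exact repeats; it does not apply any further logical reduction, so a term such as MIT is kept alongside (Unlicense OR MIT), as in the reviewer's result.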