Bug 1654664
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Review Request: perl-Authen-U2F - FIDO U2F library | | |
| Product | [Fedora] Fedora | Reporter | Xavier Bachelot <xavier> |
| Component | Package Review | Assignee | Petr Pisar <ppisar> |
| Status | CLOSED RAWHIDE | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | medium | Priority | medium |
| Version | rawhide | CC | jplesnik, package-review, ppisar |
| Hardware | All | OS | Linux |
| Keywords | Reopened | Flags | ppisar: fedora-review+ |
| Last Closed | 2023-10-25 09:37:07 UTC | | |
| Bug Depends On | 1654710 | Bug Blocks | 1654667 |
Description
Xavier Bachelot
2018-11-29 11:32:08 UTC
Authen::U2F insists on Crypt::PK::ECC that is not supported on Fedora. Until this is resolved this package cannot be packaged. I raised this issue to the upstream <https://github.com/robn/Authen-U2F/issues/7>.

This is an automatic check from review-stats script.

This review request ticket hasn't been updated for some time. We're sorry it is taking so long. If you're still interested in packaging this software into Fedora repositories, please respond to this comment clearing the NEEDINFO flag.

You may want to update the specfile and the src.rpm to the latest version available and to propose a review swap on Fedora devel mailing list to increase chances to have your package reviewed. If this is your first package and you need a sponsor, you may want to post some informal reviews. Read more at https://fedoraproject.org/wiki/How_to_get_sponsored_into_the_packager_group.

Without any reply, this request will shortly be considered abandoned and will be closed. Thank you for your patience.

Still waiting on perl-CryptX to support ECC, which itself depends on libtomcrypt to make a release with ECC support.

This is an automatic action taken by review-stats script.

The ticket submitter failed to clear the NEEDINFO flag in a month. As per https://fedoraproject.org/wiki/Policy_for_stalled_package_reviews we consider this ticket as DEADREVIEW and proceed to close it.

perl-CryptX now has Crypt::PK::ECC, clearing NotReady whiteboard tag.

A separate spec file is newer. I will use that for this review.

URL and Source0 addresses are usable. Ok.

TODO: Remove a trailing slash from URL value.

Source archive (SHA-512: 2db829a9883865438411a9119a7292e53fd2b5d7bc083aa4ef2f93abd4a4aa75c055992d7212230f7b8a5999b9307ebbb33739eb5ca4dea001275eb041087e2f) is original. Ok.

TODO: Use a more descriptive subcription than "Authen::U2F Perl module". E.g. "FIDO U2F library" as worded in lib/Authen/U2F.pm.

Description verified from lib/Authen/U2F.pm. Ok.
License verified from dist.ini, Makefile.PL, lib/Authen/U2F.pm, LICENSE, README.

FATAL: examples/demoserver/u2f-api.js is BSD. That violates the license as expressed at <https://developers.google.com/open-source/licenses/bsd>:

> Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Please repackage the sources archive without examples/demoserver/u2f-api.js file, or add https://developers.google.com/open-source/licenses/bsd to the SRPM as an additional file. Also please raise this issue to the upstream.

I will resume this review once this license issue is corrected.

Any progress with the license?

This is an automatic action taken by review-stats script.

The ticket submitter failed to clear the NEEDINFO flag in a month. As per https://fedoraproject.org/wiki/Policy_for_stalled_package_reviews we consider this ticket as DEADREVIEW and proceed to close it.

Spec URL: https://www.bachelot.org/fedora/SPECS/perl-Authen-U2F.spec

SRPM URL: https://www.bachelot.org/fedora/SRPMS/perl-Authen-U2F-0.003-3.fc40.src.rpm

FIX: The Source1 "bsd" file is an ugly HTML file, including JavaScript code. Those pieces of the file themselves are covered with CC-BY-4.0 license. Either add "CC-BY-4.0" to the License tag, or extract the BSD license text as a plain text without additional baggage.

No XS code, noarch BuildArch is Ok.

TODO: Add '>= 6.76' to 'BuildRequires: perl(ExtUtils::MakeMaker)' for NO_PACKLIST=1 NO_PERLLOCAL=1 arguments.

All tests pass. Ok.
```
$ rpmlint perl-Authen-U2F.spec ../SRPMS/perl-Authen-U2F-0.003-3.fc40.src.rpm ../RPMS/noarch/perl-Authen-U2F-0.003-3.fc40.noarch.rpm
======================================== rpmlint session starts =======================================
rpmlint: 2.4.0
configuration:
    /usr/lib/python3.12/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora-legacy-licenses.toml
    /etc/xdg/rpmlint/fedora-spdx-licenses.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
checks: 31, packages: 3

========= 2 packages and 1 specfiles checked; 0 errors, 0 warnings, 0 badness; has taken 0.2 s ========
```

rpmlint is Ok.

```
$ rpm -q -lv -p ../RPMS/noarch/perl-Authen-U2F-0.003-3.fc40.noarch.rpm
drwxr-xr-x 2 root root 0 Oct 4 02:00 /usr/share/doc/perl-Authen-U2F
-rw-r--r-- 1 root root 337 Oct 4 2017 /usr/share/doc/perl-Authen-U2F/Changes
-rw-r--r-- 1 root root 352 Oct 4 2017 /usr/share/doc/perl-Authen-U2F/README
drwxr-xr-x 2 root root 0 Oct 4 02:00 /usr/share/licenses/perl-Authen-U2F
-rw-r--r-- 1 root root 18352 Oct 4 2017 /usr/share/licenses/perl-Authen-U2F/LICENSE
-rw-r--r-- 1 root root 50325 Oct 4 02:00 /usr/share/licenses/perl-Authen-U2F/bsd
-rw-r--r-- 1 root root 2767 Oct 4 02:00 /usr/share/man/man3/Authen::U2F.3pm.gz
drwxr-xr-x 2 root root 0 Oct 4 02:00 /usr/share/perl5/vendor_perl/Authen
-rw-r--r-- 1 root root 11071 Oct 4 2017 /usr/share/perl5/vendor_perl/Authen/U2F.pm
```

The file layout and permissions are Ok.
```
$ rpm -q --requires -p ../RPMS/noarch/perl-Authen-U2F-0.003-3.fc40.noarch.rpm | sort -f | uniq -c
1 perl(Carp)
1 perl(Crypt::OpenSSL::X509) >= 1.806
1 perl(Crypt::PK::ECC)
1 perl(CryptX) >= 0.034
1 perl(Digest::SHA)
1 perl(Exporter::Tiny)
1 perl(JSON)
1 perl(Math::Random::Secure)
1 perl(MIME::Base64) >= 3.11
1 perl(namespace::autoclean)
1 perl(parent)
1 perl(strict)
1 perl(Try::Tiny)
1 perl(Type::Params)
1 perl(Types::Standard)
1 perl(warnings)
1 perl-libs
1 rpmlib(CompressedFileNames) <= 3.0.4-1
1 rpmlib(FileDigests) <= 4.6.0-1
1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1
1 rpmlib(PayloadIsZstd) <= 5.4.18-1
```

Binary requires are Ok.

```
$ rpm -q --provides -p ../RPMS/noarch/perl-Authen-U2F-0.003-3.fc40.noarch.rpm | sort -f | uniq -c
1 perl(Authen::U2F) = 0.003
1 perl-Authen-U2F = 0.003-3.fc40
```

Binary provides are Ok.

```
$ resolvedeps rawhide ../RPMS/noarch/perl-Authen-U2F-0.003-3.fc40.noarch.rpm
```

Binary dependencies are resolvable. Ok.

The package builds in Fedora 40 (https://koji.fedoraproject.org/koji/taskinfo?taskID=107273151). Ok.

Otherwise, the package is in line with Fedora and Perl packaging guidelines.

Please correct the 'FIX' item, consider fixing the 'TODO' item, and provide a new spec file.

Would a script massaging the HTML into a readable text file be OK? Something like:

```
#!/usr/bin/perl
use warnings;
use strict;
use HTML::TreeBuilder;
use LWP::UserAgent;
use LWP::Protocol::https;
use HTML::Element;
use Text::Format;

# Fetch the license page and parse it into an element tree.
my $tree = HTML::TreeBuilder->new_from_url("https://developers.google.com/open-source/licenses/bsd");

# Select the <div> whose class matches devsite-article-body; stop if it is missing.
my $div = $tree->look_down( _tag => "div", class => qr/devsite-article-body.*/)
    or die "article body <div> not found\n";

# Wrap output at 80 columns with no left margin.
my $text = Text::Format->new ( { columns => 80, leftMargin => 0, } );

# descendants() also returns nested elements, so text inside a nested
# element is printed once for each element that contains it.
foreach ( $div->descendants() ) {
    print $text->format( $_->as_text() )."\n";
};

$tree->delete;
```

I cannot see how helpful that script could be. Koji builds do not access the Internet.
Carrying a static ugly HTML file in SRPM and running a script with many new dependencies to obtain a static text file is not a good use of resources. Also tracking changes in the on-line version of the HTML document is pointless since changes there cannot be retroactive and thus once obtained code obeys to the once written license.

I would simply place a static plain text file into Source1.

But if you use the script for a conversion at build time, it will placate the license terms. One of the disadvantages will be that binary RPM and source RPM will differ in license set. But that's not a big deal. Maybe autotools-driven packages are alike.

The idea was actually to include the script as a Source to be able to recreate the license file from the upstream link, somewhat like what is done to recreate a tarball when upstream ships some code that needs to be cleaned up. And not to run the script at build time, sorry for being unclear.

Indeed, I'm fine with just including a manually cleaned license file.

Spec URL: https://www.bachelot.org/fedora/SPECS/perl-Authen-U2F.spec

SRPM URL: https://www.bachelot.org/fedora/SRPMS/perl-Authen-U2F-0.003-4.fc40.src.rpm

```
$ rpmlint perl-Authen-U2F.spec ../SRPMS/perl-Authen-U2F-0.003-4.fc40.src.rpm ../RPMS/noarch/perl-Authen-U2F-0.003-4.fc40.noarch.rpm
======================================== rpmlint session starts =======================================
rpmlint: 2.4.0
configuration:
    /usr/lib/python3.12/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora-legacy-licenses.toml
    /etc/xdg/rpmlint/fedora-spdx-licenses.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
checks: 31, packages: 3

========= 2 packages and 1 specfiles checked; 0 errors, 0 warnings, 0 badness; has taken 0.2 s ========
```

rpmlint is Ok.
```
$ rpm -q -lv -p ../RPMS/noarch/perl-Authen-U2F-0.003-4.fc40.noarch.rpm
drwxr-xr-x 2 root root 0 Oct 24 02:00 /usr/share/doc/perl-Authen-U2F
-rw-r--r-- 1 root root 337 Oct 4 2017 /usr/share/doc/perl-Authen-U2F/Changes
-rw-r--r-- 1 root root 352 Oct 4 2017 /usr/share/doc/perl-Authen-U2F/README
drwxr-xr-x 2 root root 0 Oct 24 02:00 /usr/share/licenses/perl-Authen-U2F
-rw-r--r-- 1 root root 18352 Oct 4 2017 /usr/share/licenses/perl-Authen-U2F/LICENSE
-rw-r--r-- 1 root root 1598 Oct 24 02:00 /usr/share/licenses/perl-Authen-U2F/bsd
-rw-r--r-- 1 root root 2767 Oct 24 02:00 /usr/share/man/man3/Authen::U2F.3pm.gz
drwxr-xr-x 2 root root 0 Oct 24 02:00 /usr/share/perl5/vendor_perl/Authen
-rw-r--r-- 1 root root 11071 Oct 4 2017 /usr/share/perl5/vendor_perl/Authen/U2F.pm
```

File layout and permissions are Ok.

The package builds in Fedora 40 (https://koji.fedoraproject.org/koji/taskinfo?taskID=108072854).

The package is in line with Fedora and Perl packaging guidelines. The package is APPROVED.

The Pagure repository was created at https://src.fedoraproject.org/rpms/perl-Authen-U2F

Thanks for the review Petr :-)