Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1654664 - Review Request: perl-Authen-U2F - FIDO U2F library
Summary: Review Request: perl-Authen-U2F - FIDO U2F library
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Petr Pisar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 1654710
Blocks: 1654667
TreeView+ depends on / blocked
 
Reported: 2018-11-29 11:32 UTC by Xavier Bachelot
Modified: 2023-10-25 09:37 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-10-25 09:37:07 UTC
Type: ---
Embargoed:
ppisar: fedora-review+


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github robn Authen-U2F issues 7 0 None open Missing RSA algorithm support 2020-09-21 15:39:17 UTC

Description Xavier Bachelot 2018-11-29 11:32:08 UTC
Spec URL: https://www.bachelot.org/fedora/SPECS/perl-Authen-U2F.spec
SRPM URL: https://www.bachelot.org/fedora/SRPMS/perl-Authen-U2F-0.003-1.fc29.src.rpm
Description: This module provides the tools you need to add support for U2F in your application.
Fedora Account System Username: xavierb

Comment 1 Petr Pisar 2019-07-25 08:37:20 UTC
Authen::U2F insist on Crypt::PK::ECC that is not supported on Fedora. Until this is resolved this package cannot be packaged. U raised this issue to the upstream <https://github.com/robn/Authen-U2F/issues/7>.

Comment 2 Package Review 2021-05-01 00:45:34 UTC
This is an automatic check from review-stats script.

This review request ticket hasn't been updated for some time. We're sorry
it is taking so long. If you're still interested in packaging this software
into Fedora repositories, please respond to this comment clearing the
NEEDINFO flag.

You may want to update the specfile and the src.rpm to the latest version
available and to propose a review swap on Fedora devel mailing list to increase
chances to have your package reviewed. If this is your first package and you
need a sponsor, you may want to post some informal reviews. Read more at
https://fedoraproject.org/wiki/How_to_get_sponsored_into_the_packager_group.

Without any reply, this request will shortly be considered abandoned
and will be closed.
Thank you for your patience.

Comment 3 Xavier Bachelot 2021-05-06 12:03:24 UTC
Still waiting on perl-CryptX to support ECC, which itself depends on libtomcrypt to make a release with ECC support.

Comment 4 Package Review 2021-05-31 00:46:06 UTC
This is an automatic action taken by review-stats script.

The ticket submitter failed to clear the NEEDINFO flag in a month.
As per https://fedoraproject.org/wiki/Policy_for_stalled_package_reviews
we consider this ticket as DEADREVIEW and proceed to close it.

Comment 5 Xavier Bachelot 2022-02-23 10:44:33 UTC
perl-CryptX now has Crypt::PK::ECC, clearing NotReady whiteboard tag.

Comment 6 Petr Pisar 2022-05-13 11:55:18 UTC
A separate spec file is newer. I will use that for this review.

URL and Source0 addresses are usable. Ok.
TODO: Remove a trailing slash from URL value.

Source archive (SHA-512: 
2db829a9883865438411a9119a7292e53fd2b5d7bc083aa4ef2f93abd4a4aa75c055992d7212230f7b8a5999b9307ebbb33739eb5ca4dea001275eb041087e2f) is original. Ok.

TODO: Use a more descriptive subcription than "Authen::U2F Perl module". E.g. "FIDO U2F library" as worded in lib/Authen/U2F.pm.

Description verified from lib/Authen/U2F.pm. Ok.
License verified from dist.ini, Makefile.PL, lib/Authen/U2F.pm, LICENSE, README.

FATAL: examples/demoserver/u2f-api.js is BSD. That violates the license as expressed at <https://developers.google.com/open-source/licenses/bsd>:

> Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Please repackage the sources archive without examples/demoserver/u2f-api.js file, or add https://developers.google.com/open-source/licenses/bsd to the SRPM as an additional file. Also please raise this issue to the upstream.

I will resume this review once this license issue is corrected.

Comment 7 Petr Pisar 2022-06-30 11:43:21 UTC
Any progress with the license?

Comment 8 Package Review 2022-07-31 00:45:24 UTC
This is an automatic action taken by review-stats script.

The ticket submitter failed to clear the NEEDINFO flag in a month.
As per https://fedoraproject.org/wiki/Policy_for_stalled_package_reviews
we consider this ticket as DEADREVIEW and proceed to close it.

Comment 10 Petr Pisar 2023-10-09 13:55:22 UTC
FIX: The Source1 "bsd" file is an ugly HTML file, including a JavaScript code. That pieces of the file themselves are covered with CC-BY-4.0 license. Either add "CC-BY-4.0" to the License tag, or extract the BSD license text as a plain text without additional baggage.

No XS code, noarch BuildArch is Ok.

TODO: Add '>= 6.76' to 'BuildRequiers: perl(ExtUtils::MakeMaker)' for NO_PACKLIST=1 NO_PERLLOCAL=1 arguments.

All tests pass. Ok.

$ rpmlint perl-Authen-U2F.spec ../SRPMS/perl-Authen-U2F-0.003-3.fc40.src.rpm ../RPMS/noarch/perl-Authen-U2F-0.003-3.fc40.noarch.rpm 
======================================== rpmlint session starts =======================================
rpmlint: 2.4.0
configuration:
    /usr/lib/python3.12/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora-legacy-licenses.toml
    /etc/xdg/rpmlint/fedora-spdx-licenses.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
checks: 31, packages: 3

========= 2 packages and 1 specfiles checked; 0 errors, 0 warnings, 0 badness; has taken 0.2 s ========
rpmlint is Ok.

$ rpm -q -lv -p ../RPMS/noarch/perl-Authen-U2F-0.003-3.fc40.noarch.rpm 
drwxr-xr-x    2 root     root                        0 Oct  4 02:00 /usr/share/doc/perl-Authen-U2F
-rw-r--r--    1 root     root                      337 Oct  4  2017 /usr/share/doc/perl-Authen-U2F/Changes
-rw-r--r--    1 root     root                      352 Oct  4  2017 /usr/share/doc/perl-Authen-U2F/README
drwxr-xr-x    2 root     root                        0 Oct  4 02:00 /usr/share/licenses/perl-Authen-U2F
-rw-r--r--    1 root     root                    18352 Oct  4  2017 /usr/share/licenses/perl-Authen-U2F/LICENSE
-rw-r--r--    1 root     root                    50325 Oct  4 02:00 /usr/share/licenses/perl-Authen-U2F/bsd
-rw-r--r--    1 root     root                     2767 Oct  4 02:00 /usr/share/man/man3/Authen::U2F.3pm.gz
drwxr-xr-x    2 root     root                        0 Oct  4 02:00 /usr/share/perl5/vendor_perl/Authen
-rw-r--r--    1 root     root                    11071 Oct  4  2017 /usr/share/perl5/vendor_perl/Authen/U2F.pm
The file layout and permissions are Ok.

$ rpm -q --requires -p ../RPMS/noarch/perl-Authen-U2F-0.003-3.fc40.noarch.rpm | sort -f | uniq -c
      1 perl(Carp)
      1 perl(Crypt::OpenSSL::X509) >= 1.806
      1 perl(Crypt::PK::ECC)
      1 perl(CryptX) >= 0.034
      1 perl(Digest::SHA)
      1 perl(Exporter::Tiny)
      1 perl(JSON)
      1 perl(Math::Random::Secure)
      1 perl(MIME::Base64) >= 3.11
      1 perl(namespace::autoclean)
      1 perl(parent)
      1 perl(strict)
      1 perl(Try::Tiny)
      1 perl(Type::Params)
      1 perl(Types::Standard)
      1 perl(warnings)
      1 perl-libs
      1 rpmlib(CompressedFileNames) <= 3.0.4-1
      1 rpmlib(FileDigests) <= 4.6.0-1
      1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1
      1 rpmlib(PayloadIsZstd) <= 5.4.18-1
Binary requires are Ok.

$ rpm -q --provides -p ../RPMS/noarch/perl-Authen-U2F-0.003-3.fc40.noarch.rpm | sort -f | uniq -c
      1 perl(Authen::U2F) = 0.003
      1 perl-Authen-U2F = 0.003-3.fc40
Binary provides are Ok.

$ resolvedeps rawhide ../RPMS/noarch/perl-Authen-U2F-0.003-3.fc40.noarch.rpm 
Binary dependencies are resolvable. Ok.

The package builds in Fedora 40 (https://koji.fedoraproject.org/koji/taskinfo?taskID=107273151). Ok.

Otherwise, the package is in line with Fedora and Perl packaging guidelines.
Please correct the 'FIX' item, consider fixing the 'TODO' item, and provide a new spec file.

Comment 11 Xavier Bachelot 2023-10-24 15:19:00 UTC
Would a script massaging the HTML into a readable text file be ok ?

Something alike :
```
#!/usr/bin/perl

use warnings;
use strict;
use HTML::TreeBuilder;
use LWP::UserAgent;
use LWP::Protocol::https;
use HTML::Element;
use Text::Format;

my $tree = HTML::TreeBuilder->new_from_url("https://developers.google.com/open-source/licenses/bsd");
my $div = $tree->look_down(
  _tag => "div",
  class => qr/devsite-article-body.*/);
my $text = Text::Format->new (
  {
    columns    => 80,
    leftMargin => 0,
  }
);
foreach ( $div->descendants() ) { print $text->format( $_->as_text() )."\n"; };
$tree->delete;
```

Comment 12 Petr Pisar 2023-10-24 15:38:01 UTC
I cannot see how helpful that script could be. Koji builds do not access the Internet. Carrying a static ugly HTML file in SRPM and running a script with many new dependencies to obtain a static text file is not a good use of resources. Also tracking changes in the on-line version of the HTML document is pointless since changes there cannot be retroactive and thus once obtained code obeys to the once written license. I would simply place a static plain text file into Source1.

But if you use the script for a conversion at build time, it will placate the license terms. One of the disadvantages will be that while binary RPM and source RPM will differ in license set. But that's not a big deal. Maybe autotools-driven packages are alike.

Comment 13 Xavier Bachelot 2023-10-24 17:01:38 UTC
The idea was actually to include the script as a Source to be able to recreate the license file from the upstream link, somewhat alike was is done to recreate a tarball when upstream ships some code that needs to be cleaned up. And not to run the script at build time, sorry for being unclear.
Indeed, I'm fine with just including a manually cleaned license file.

Spec URL: https://www.bachelot.org/fedora/SPECS/perl-Authen-U2F.spec
SRPM URL: https://www.bachelot.org/fedora/SRPMS/perl-Authen-U2F-0.003-4.fc40.src.rpm

Comment 14 Petr Pisar 2023-10-25 07:50:45 UTC
$ rpmlint perl-Authen-U2F.spec ../SRPMS/perl-Authen-U2F-0.003-4.fc40.src.rpm ../RPMS/noarch/perl-Authen-U2F-0.003-4.fc40.noarch.rpm 
======================================== rpmlint session starts =======================================
rpmlint: 2.4.0
configuration:
    /usr/lib/python3.12/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora-legacy-licenses.toml
    /etc/xdg/rpmlint/fedora-spdx-licenses.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
checks: 31, packages: 3

========= 2 packages and 1 specfiles checked; 0 errors, 0 warnings, 0 badness; has taken 0.2 s ========
rpmlint is Ok.

$ rpm -q -lv -p ../RPMS/noarch/perl-Authen-U2F-0.003-4.fc40.noarch.rpm drwxr-xr-x    2 root     root                        0 Oct 24 02:00 /usr/share/doc/perl-Authen-U2F
-rw-r--r--    1 root     root                      337 Oct  4  2017 /usr/share/doc/perl-Authen-U2F/Changes
-rw-r--r--    1 root     root                      352 Oct  4  2017 /usr/share/doc/perl-Authen-U2F/README
drwxr-xr-x    2 root     root                        0 Oct 24 02:00 /usr/share/licenses/perl-Authen-U2F
-rw-r--r--    1 root     root                    18352 Oct  4  2017 /usr/share/licenses/perl-Authen-U2F/LICENSE
-rw-r--r--    1 root     root                     1598 Oct 24 02:00 /usr/share/licenses/perl-Authen-U2F/bsd
-rw-r--r--    1 root     root                     2767 Oct 24 02:00 /usr/share/man/man3/Authen::U2F.3pm.gz
drwxr-xr-x    2 root     root                        0 Oct 24 02:00 /usr/share/perl5/vendor_perl/Authen
-rw-r--r--    1 root     root                    11071 Oct  4  2017 /usr/share/perl5/vendor_perl/Authen/U2F.pm
File layout and permissions are Ok.

The package builds in Fedora 40 (https://koji.fedoraproject.org/koji/taskinfo?taskID=108072854).
The package is in line with Fedora and Perl packaging gudiles.
The package is APPROVED.

Comment 15 Fedora Admin user for bugzilla script actions 2023-10-25 08:06:27 UTC
The Pagure repository was created at https://src.fedoraproject.org/rpms/perl-Authen-U2F

Comment 16 Xavier Bachelot 2023-10-25 09:37:07 UTC
Thanks for the review Petr :-)


Note You need to log in before you can comment on or make changes to this bug.