Good:
+ Local build works.

Bad:
- Source contains not a fullqualified URL.
- Use of %{_datadir}/man instead of %{_mandir}

Questions:
Why do you set CFLAGS for a noarch package?

The upstream source is self-signed with GPG, and there's no unsigned tarball I
can link to for the Source field.

CFLAGS removed and mandir changed to use %{_mandir}, thanks.

http://hircus.org/fedora/zeroinstall-injector/zeroinstall-injector.spec
http://hircus.org/fedora/zeroinstall-injector/zeroinstall-injector-0.18-2.src.rpm

Bad:

- Source0 contains not a full qualiifed URL.
- BuildRequires: python should be add.

I agree on the second point, but about Source0, as I explained, the upstream
source is a signed GPG file. Using the upstream source would require a
BuildRequires on gnupg ..

The source verification can be done by downloading the GPG-ed tarball from here:
http://sourceforge.net/project/showfiles.php?group_id=76468&package_id=146899&release_id=390954

So the options are:
- point Source0 to the .tar.gz.gpg file, BuildReq on gnupg
- Manual verification of the source tarball (take the upstream source, gpg
--decrypt ${file} > newfile, compare md5sums or do a diff)

The QA checklist does not say anything about including the full Source URL, just
that the source matches upstream.

Let's come to an agreement on this and then I can submit the final version of
the .spec file?

(In reply to comment #4)
> I agree on the second point, but about Source0, as I explained, the upstream
> source is a signed GPG file. Using the upstream source would require a
> BuildRequires on gnupg ..
> 
> The source verification can be done by downloading the GPG-ed tarball from here:
>
http://sourceforge.net/project/showfiles.php?group_id=76468&package_id=146899&release_id=390954
> 
> So the options are:
> - point Source0 to the .tar.gz.gpg file, BuildReq on gnupg
> - Manual verification of the source tarball (take the upstream source, gpg
> --decrypt ${file} > newfile, compare md5sums or do a diff)

I would advocate the first option; it allows people to do:

$ spectool --gf zeroinstall-injector.spec

to retrieve the sources directly from upstream.

Shouldn't the buildreq be python-devel rather than python?

I agree with Paul that we should use the first option.

And I have a look. A python-devel package is existance. Becouse I'm kow on a 
windows machine, I don't determinate, if setup.py is contains in python-devel.

If so, what I believe, python-devel should be a BuildRequire. 

Most Python packages actually BuildRequire on python, not python-devel : the
setup.py file is included with the source tarball, and it imports distutils.core
which is part of python, not python-devel.

Haven't used spectool --gf before, that's handy. OK, first option it is, we need
a BuildRequire on gnupg, but no BuildReq on python-devel.

Will upload a new package tomorrow (actually, later today) after some testing.

Thanks for all your help,

- Michel

So, as I posted on the mailing list, there is no clean way of using the signed
tarball that upstream provided.

This is the hackery I have so far; it works, has no side effect, but rpmlint is
deeply unhappy by the use of %{sourcedir}. Unless there is a cleaner solution
I'd suggest that either the curious user find the upstream and verify it himself.

%prep
# Decrypt upstream source, ignore error message due to unknown key
gpg --decrypt %{_sourcedir}/%{name}-%{version}.tar.gz.gpg >
%{_sourcedir}/%{name}-%{version}.tar.gz || true
# Point source to the decrypted tarball
mv %{_sourcedir}/%{name}-%{version}.tar.gz.gpg
%{_sourcedir}/%{name}-%{version}.tar.gz.gpgbak
mv %{_sourcedir}/%{name}-%{version}.tar.gz
%{_sourcedir}/%{name}-%{version}.tar.gz.gpg

%setup -q
# Restore upstream tarball
mv %{_sourcedir}/%{name}-%{version}.tar.gz.gpgbak
%{_sourcedir}/%{name}-%{version}.tar.gz

Why not use %setup -c -T to make a directory and cd into it.  Decrypt %{SOURCE0}
into the current directory, untar it manually, and go on with the installation
as normal?

This is what Ville Skyttä suggested as well. I decided to do something similar,
but the other way around: after %prep, back up one directory, manually untar,
then call %setup with -D (do not delete) and -T (do not untar). This way, %setup
gets to sanitize file ownership and permissions. Thanks for the suggestion!

Changes from the previous -2 release:
- Now use gpg-signed upstream tarball, BuildReq on gnupg to handle this

The other BuildReq is still on Python, as explained before.


Spec Name or Url:
http://hircus.org/fedora/zeroinstall-injector/zeroinstall-injector.spec
SRPM Name or Url:
http://hircus.org/fedora/zeroinstall-injector/zeroinstall-injector-0.18-3.src.rpm

I believe all issues have been resolved - Jochen, you might want to look at the
latest src.rpm ?

Good:
+ rpmlint of source rpm ok.

Bad:
- local build failes:

zeroinstall-injector-0.18/zeroinstall/injector/__init__.py
zeroinstall-injector-0.18/zeroinstall/injector/download.py
zeroinstall-injector-0.18/zeroinstall/injector/reader.py
zeroinstall-injector-0.18/zeroinstall/__init__.py
zeroinstall-injector-0.18/COPYING
+ popd
~/redhat/BUILD
+ cd /home/pclinux/redhat/BUILD
+ cd zeroinstall-injector-0.18
/var/tmp/rpm-tmp.94338: line 28: cd: zeroinstall-injector-0.18: No such file or
directory
Fehler: Bad exit status from /var/tmp/rpm-tmp.94338 (%prep)

So terribly sorry; ommitted to remove the pushd and popd. 

Spec Name or Url:
http://hircus.org/fedora/zeroinstall-injector/zeroinstall-injector.spec
SRPM Name or Url:
http://hircus.org/fedora/zeroinstall-injector/zeroinstall-injector-0.18-4.src.rpm

Good:
+ Local build worked fine.
+ rpmlint for SRPM ok.
+ rpmlint for binaries RPMs ok.
+ Build on mock worked fine.

I'm glade that I can APPROVE you package.

Could you set the blocker bug to FE-ACCEPT (#163779) ? Don't want to step on
your toes.. thanks!

Package Change Request
======================
Package Name: zeroinstall-injector
New Branches: EL-5
Owners: salimma

I've just tested and zeroinstall-injector work just fine on CentOS 5

cvs done.