https://bugzilla.redhat.com/show_bug.cgi?id=2417023
Sergio Correia <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|fedora-review?              |fedora-review+

--- Comment #2 from Sergio Correia <[email protected]> ---
Package Review
==============

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated

Issues:
=======
- Harmless: Package contains duplicates in %files section.
  Note: warning: File listed twice: /usr/share/cargo/registry/actix-web-httpauth-0.8.2/CHANGES.md
  This is harmless and does not affect package functionality.

===== MUST items =====

Generic:
[x]: Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines.
     Note: Dual licensed under MIT OR Apache-2.0. Both LICENSE-MIT and LICENSE-APACHE files present and properly licensed.
[x]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses found: "Unknown or generated", "*No copyright* Apache License 2.0", "MIT License". The 32 files with "unknown license" are build/config files (Cargo.toml, .cargo_vcs_info.json, examples, etc.) which is normal for Rust crates. Source code is properly licensed under MIT OR Apache-2.0. The "*No copyright*" note for LICENSE-APACHE is expected - the Apache 2.0 license text itself doesn't contain a copyright notice; the copyright is in LICENSE-MIT (Copyright (c) 2023 Actix team).
[x]: License file installed when any subpackage combination is installed.
     Note: Both LICENSE-APACHE and LICENSE-MIT files properly included via %license directives.
[x]: If the package is under multiple licenses, the licensing breakdown must be documented in the spec.
     Note: Dual license "MIT OR Apache-2.0" is properly documented in the License field. Both license files are included.
[x]: %build honors applicable compiler flags or justifies otherwise.
     Note: Uses %cargo_build macro which properly handles compiler flags.
[x]: Package contains no bundled libraries without FPC exception.
     Note: Standard Rust dependencies (actix-utils, actix-web, base64, futures-core, futures-util, log, pin-project-lite) are properly declared as BuildRequires and not bundled.
[x]: Changelog in prescribed format.
     Note: Uses %autochangelog macro which follows Fedora guidelines.
[x]: Sources contain only permissible code or content.
     Note: Reviewed source code - this is an HTTP authentication library for Actix Web framework. Provides typed Authorization and WWW-Authenticate headers with support for HTTP Basic (RFC 7617) and OAuth Bearer (RFC 6750) authentication schemes. No security concerns or malware detected.
[-]: Package contains desktop file if it is a GUI application.
     Note: Not a GUI application - this is a Rust web authentication library.
[x]: Development files must be in a -devel package
     Note: Properly structured with rust-actix-web-httpauth-devel and rust-actix-web-httpauth+default-devel subpackages.
[x]: Package uses nothing in %doc for runtime.
     Note: Documentation files (CHANGES.md, README.md) are not required for runtime.
[x]: Package consistently uses macros (instead of hard-coded directory names).
     Note: Proper use of %{crate_instdir}, %{crate}, %autorelease, etc.
[x]: Package is named according to the Package Naming Guidelines.
     Note: Follows Rust packaging guidelines (rust-<crate-name> format).
[x]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
     Note: Files installed to /usr/share/cargo/registry/ per Rust guidelines.
[-]: If the package is a rename of another package, proper Obsoletes and Provides are present.
     Note: Not a renamed package.
[x]: Requires correct, justified where necessary.
     Note: Dependencies on actix-utils (>=3.0.0), actix-web (>=4.1.0), base64 (>=0.22.0), futures-core (>=0.3.17), futures-util (>=0.3.17), log (>=0.4.0), and pin-project-lite (>=0.2.7) with appropriate version ranges are correct for an Actix Web authentication middleware library.
[x]: Spec file is legible and written in American English.
[-]: Package contains systemd file(s) if in need.
     Note: Library package, no systemd files needed.
[x]: Package is not known to require an ExcludeArch tag.
[x]: Package complies to the Packaging Guidelines
[x]: Package successfully compiles and builds into binary rpms on at least one supported primary architecture.
     Note: Built successfully in mock for fedora-rawhide-x86_64.
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: No rpmlint errors or warnings (0 errors, 0 warnings).
[x]: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %license.
     Note: Both LICENSE-APACHE and LICENSE-MIT files are included via %license.
[x]: The License field must be a valid SPDX expression.
     Note: "MIT OR Apache-2.0" is a valid SPDX expression.
[x]: Package requires other packages for directories it uses.
[x]: Package must own all directories that it creates.
[x]: Package does not own files or directories owned by other packages.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install.
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Dist tag is present.
     Note: Uses %autorelease which includes dist tag.
[x]: Package does not contain duplicates in %files.
     Note: While the spec lists some files twice (via explicit directives and directory inclusion), this is harmless. RPM handles this correctly and includes each file only once in the final package.
[x]: Permissions on files are set properly.
[x]: Package must not depend on deprecated() packages.
[x]: Package use %makeinstall only when make install DESTDIR=... doesn't work.
     Note: Uses %cargo_install macro appropriately.
[x]: Package is named using only allowed ASCII characters.
[x]: Package does not use a name that already exists.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as provided in the spec URL.
     Note: SHA256 checksums match exactly: 456348ed9dcd72a13a1f4a660449fafdecee9ac8205552e286809eb5b0b29bd3
[x]: Spec file name must match the spec package %{name}, in the format %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Large documentation must go in a -doc subpackage. Large could be size (~1MB) or number of files.
     Note: Documentation size is minimal (CHANGES.md 3847 bytes, README.md 1483 bytes).
[x]: Packages must not store files under /srv, /opt or /usr/local

===== SHOULD items =====

Generic:
[-]: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it.
     Note: Both LICENSE-APACHE and LICENSE-MIT files are included from upstream.
[x]: Final provides and requires are sane (see attachments).
     Note: Provides crate(actix-web-httpauth) and crate(actix-web-httpauth/default). Requires actix-web ecosystem dependencies (actix-utils, actix-web) and supporting libraries (base64, futures-core, futures-util, log, pin-project-lite). All appropriate and correctly versioned.
[-]: Fully versioned dependency in subpackages if applicable.
     Note: For Rust packages, the crate() provides/requires system handles versioning. The %{name}%{?_isa} = %{version}-%{release} pattern is not applicable for noarch Rust -devel packages.
[x]: Package functions as described.
     Note: HTTP authentication schemes library for Actix Web framework.
     Provides typed Authorization and WWW-Authenticate headers, extractors for authorization headers, and middleware for authorization checking. Supports HTTP Basic (RFC 7617) and OAuth Bearer (RFC 6750) authentication schemes.
[x]: Latest version is packaged.
     Note: Version 0.8.2 confirmed as latest on docs.rs and crates.io.
[x]: Package does not include license text files separate from upstream.
     Note: LICENSE-APACHE and LICENSE-MIT files are from upstream tarball.
[-]: Sources are verified with gpgverify first in %prep if upstream publishes signatures.
     Note: Crates.io does not publish GPG signatures. Checksum verification via SHA256 is the standard verification method for Rust crates and is performed automatically by %cargo_prep.
[x]: Package should compile and build into binary rpms on all supported architectures.
     Note: noarch package, builds on all architectures.
[x]: %check is present and all tests pass.
     Note: Spec includes %bcond check 0 with %cargo_test in %check section. Tests are disabled (%bcond check 0) to avoid test-only dependencies (actix-cors, actix-service) which is documented in the spec file comment. This is acceptable for Rust packages where test dependencies can be extensive.
[?]: Packages should try to preserve timestamps of original installed files.
     Note: Standard cargo macros handle file installation.
[x]: Reviewer should test that the package builds in mock.
     Note: Package builds successfully in mock environment.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT)
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: Sources can be downloaded from URI in Source: tag
     Note: Uses %{crates_source} macro pointing to crates.io.
[x]: SourceX is a working URL.
     Note: https://crates.io/api/v1/crates/actix-web-httpauth/0.8.2/download
[x]: Spec use %global instead of %define unless justified.

===== EXTRA items =====

Generic:
[x]: Rpmlint is run on all installed packages.
     Note: No rpmlint errors or warnings (0 errors, 0 warnings).
[x]: Spec file according to URL is the same as in SRPM.

Rpmlint
-------
Checking: rust-actix-web-httpauth-devel-0.8.2-1.fc44.noarch.rpm
          rust-actix-web-httpauth+default-devel-0.8.2-1.fc44.noarch.rpm
          rust-actix-web-httpauth-0.8.2-1.fc44.src.rpm
3 packages and 0 specfiles checked; 0 errors, 0 warnings, 13 filtered, 0 badness

Source checksums
----------------
https://crates.io/api/v1/crates/actix-web-httpauth/0.8.2/download#/actix-web-httpauth-0.8.2.crate :
  CHECKSUM(SHA256) this package     : 456348ed9dcd72a13a1f4a660449fafdecee9ac8205552e286809eb5b0b29bd3
  CHECKSUM(SHA256) upstream package : 456348ed9dcd72a13a1f4a660449fafdecee9ac8205552e286809eb5b0b29bd3

Requires
--------
rust-actix-web-httpauth-devel (rpmlib, GLIBC filtered):
    (crate(actix-utils/default) >= 3.0.0 with crate(actix-utils/default) < 4.0.0~)
    (crate(actix-web) >= 4.1.0 with crate(actix-web) < 5.0.0~)
    (crate(base64/default) >= 0.22.0 with crate(base64/default) < 0.23.0~)
    (crate(futures-core/default) >= 0.3.17 with crate(futures-core/default) < 0.4.0~)
    (crate(futures-util) >= 0.3.17 with crate(futures-util) < 0.4.0~)
    (crate(futures-util/std) >= 0.3.17 with crate(futures-util/std) < 0.4.0~)
    (crate(log/default) >= 0.4.0 with crate(log/default) < 0.5.0~)
    (crate(pin-project-lite/default) >= 0.2.7 with crate(pin-project-lite/default) < 0.3.0~)
    cargo
    rust

rust-actix-web-httpauth+default-devel (rpmlib, GLIBC filtered):
    cargo
    crate(actix-web-httpauth)

Provides
--------
rust-actix-web-httpauth-devel:
    crate(actix-web-httpauth)
    rust-actix-web-httpauth-devel

rust-actix-web-httpauth+default-devel:
    crate(actix-web-httpauth/default)
    rust-actix-web-httpauth+default-devel

Generated by fedora-review 0.10.0 (e79b66b) last change: 2023-07-24
Buildroot used: fedora-rawhide-x86_64

===== APPROVAL =====

This package is APPROVED, thanks.
The duplicate files listing in %files is harmless and does not affect functionality. All MUST items pass, and the package meets Fedora packaging guidelines.
