https://bugzilla.redhat.com/show_bug.cgi?id=2417570
Sergio Correia <[email protected]> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|fedora-review? |fedora-review+ --- Comment #7 from Sergio Correia <[email protected]> --- Package Review ============== Legend: [x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated Issues: ======= No blocking issues found. All MUST items pass. ===== MUST items ===== Generic: [x]: Package successfully compiles and builds into binary rpms on at least one supported primary architecture. Note: Package builds successfully in rawhide in copr-build 09922813 [x]: Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines. Note: Verified MIT License. License file at /tmp/cose-rust-0.1.7/LICENSE contains standard MIT License text with copyright (c) 2021 tramires. Package implements COSE (CBOR Object Signing and Encryption) per RFC 8152, providing cryptographic operations for signing, encryption, and MAC operations. [x]: License field in the package spec file matches the actual license. Note: Spec declares "License: MIT" which matches the actual MIT License in the LICENSE file. The licensecheck output shows 14 files with "Unknown or generated" license, but these are all source code files (.rs), configuration files (Cargo.toml, .cargo_vcs_info.json), and documentation (README.md) which is normal - they are covered under the project's MIT License. The LICENSE file itself is correctly identified as "MIT License" by licensecheck. [x]: License file installed when any subpackage combination is installed. Note: %license directive in spec line 34 ensures LICENSE is installed: %license %{crate_instdir}/LICENSE [x]: %build honors applicable compiler flags or justifies otherwise. Note: Uses %cargo_build macro which properly handles Rust compiler flags. [x]: Package contains no bundled libraries without FPC exception. Note: Rust package with declared dependencies via Cargo. A patch is applied (use-system-OpenSSL-instead-of-vendored.patch) to remove the "vendored" feature from openssl dependency, ensuring system OpenSSL is used instead of bundling. [x]: Changelog in prescribed format. Note: Uses %autochangelog macro for automatic changelog generation. [x]: Sources contain only permissible code or content. Note: Examined source code in /tmp/cose-rust-0.1.7/. Package is a legitimate COSE (CBOR Object Signing and Encryption) implementation providing cryptographic primitives for signing, encryption, and MAC operations. Source files reviewed include lib.rs, keys.rs, algs.rs, message.rs, etc. Code implements RFC 8152 using rust-openssl for crypto operations and cbor-codec for CBOR encoding/decoding. No malware or suspicious code found. [x]: Package contains desktop file if it is a GUI application. Note: Library package, not a GUI application. [x]: Development files must be in a -devel package Note: This is a Rust -devel package containing library source for building other packages. [x]: Package uses nothing in %doc for runtime. Note: Only README.md is marked as %doc which is documentation only. [x]: Package consistently uses macros (instead of hard-coded directory names). Note: Properly uses %{crate_instdir} and other standard Rust macros. [x]: Package is named according to the Package Naming Guidelines. Note: Follows Rust packaging naming: rust-cose-rust [x]: Package does not generate any conflict. [x]: Package obeys FHS, except libexecdir and /usr/target. Note: Installs to %{crate_instdir} which is /usr/share/cargo/registry/cose-rust-0.1.7/ [x]: If the package is a rename of another package, proper Obsoletes and Provides are present. Note: Not a renamed package. [x]: Requires correct, justified where necessary. Note: Dependencies are automatically generated via cargo-rpm-macros. Requires include crate(cbor-codec/default), crate(openssl/default), and crate(rand/default) with appropriate version constraints. [x]: Spec file is legible and written in American English. [x]: Package contains systemd file(s) if in need. Note: Library package, no systemd files needed. [x]: Package is not known to require an ExcludeArch tag. [x]: Package complies to the Packaging Guidelines [x]: Package installs properly. [x]: Rpmlint is run on all rpms the build produces. Note: No rpmlint messages. [x]: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %license. Note: LICENSE file included via %license directive. [x]: The License field must be a valid SPDX expression. Note: "MIT" is a valid SPDX license identifier. [x]: Package requires other packages for directories it uses. [x]: Package must own all directories that it creates. [x]: Package does not own files or directories owned by other packages. [x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT [x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install. [x]: Macros in Summary, %description expandable at SRPM build time. [x]: Dist tag is present. [x]: Package does not contain duplicates in %files. [x]: Permissions on files are set properly. [x]: Package must not depend on deprecated() packages. [x]: Package use %makeinstall only when make install DESTDIR=... doesn't work. Note: Uses %cargo_install macro. [x]: Package is named using only allowed ASCII characters. [x]: Package does not use a name that already exists. [x]: Package is not relocatable. [x]: Sources used to build the package match the upstream source, as provided in the spec URL. Note: Checksum verified below. [x]: Spec file name must match the spec package %{name}, in the format %{name}.spec. Note: rust-cose-rust.spec matches package name. [x]: File names are valid UTF-8. [x]: Large documentation must go in a -doc subpackage. Large could be size (~1MB) or number of files. Note: Documentation size is 0 bytes in 0 files (only README.md). [x]: Packages must not store files under /srv, /opt or /usr/local ===== SHOULD items ===== Generic: [x]: Reviewer should test that the package builds in mock. Note: Package built in copr, which uses mock. Built locally in mock as well, however I had to use "-a https://kojipkgs.fedoraproject.org/compose/rawhide/latest-Fedora-Rawhide/compose/Everything/x86_64/os"; to have the very latest rawhide compose available, as one of the deps (rust-cbor-codec) entered the compose a few hours ago, but apparently has not yet propagated to all the mirrors. It does build with latest rawhide bits, so I am considering this as PASS. [x]: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it. Note: LICENSE file is included in upstream source. [x]: Final provides and requires are sane (see attachments). Note: Provides include crate(cose-rust) and feature-specific provides. Requires are appropriate for the crate's dependencies. [-]: Fully versioned dependency in subpackages if applicable. Note: Rust feature packages use crate() dependencies without %{name} %{?_isa} versioning, which is normal and correct for Rust packages. The crate() virtual provides system handles versioning appropriately. [x]: Package functions as described. Note: COSE (CBOR Object Signing and Encryption) implementation per RFC 8152. Provides cryptographic operations for signatures, encryption, and MACs. [x]: Latest version is packaged. Note: Version 0.1.7 is the latest version available on crates.io. The package was last updated over 2 years ago but remains the current version. [x]: Package does not include license text files separate from upstream. Note: LICENSE file is from upstream. [-]: Patches link to upstream bugs/comments/lists or are otherwise justified. Note: Single patch (use-system-OpenSSL-instead-of-vendored.patch) removes vendored OpenSSL feature to use system OpenSSL, which is standard Fedora packaging practice. [-]: Sources are verified with gpgverify first in %prep if upstream publishes signatures. Note: crates.io does not provide GPG signatures. [-]: Package should compile and build into binary rpms on all supported architectures. Note: BuildArch: noarch - Rust source packages are architecture independent. [-]: %check is present and all tests pass. Note: Tests are disabled with %bcond check 0, which is acceptable for initial Rust package submissions. [x]: Packages should try to preserve timestamps of original installed files. Note: cargo-rpm-macros handle this. [x]: Buildroot is not present [x]: Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT) [x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin. [x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file [x]: Sources can be downloaded from URI in Source: tag [x]: SourceX is a working URL. [x]: Spec use %global instead of %define unless justified. ===== EXTRA items ===== Generic: [x]: Rpmlint is run on all installed packages. Note: No rpmlint messages. [x]: Spec file according to URL is the same as in SRPM. Rpmlint ------- Checking: rust-cose-rust-devel-0.1.7-1.fc44.noarch.rpm rust-cose-rust+default-devel-0.1.7-1.fc44.noarch.rpm rust-cose-rust+hex-devel-0.1.7-1.fc44.noarch.rpm rust-cose-rust+json-devel-0.1.7-1.fc44.noarch.rpm rust-cose-rust+serde_json-devel-0.1.7-1.fc44.noarch.rpm rust-cose-rust-0.1.7-1.fc44.src.rpm ============================ rpmlint session starts ============================ rpmlint: 2.7.0 configuration: /usr/lib/python3.13/site-packages/rpmlint/configdefaults.toml /etc/xdg/rpmlint/fedora-legacy-licenses.toml /etc/xdg/rpmlint/fedora-spdx-licenses.toml /etc/xdg/rpmlint/fedora.toml /etc/xdg/rpmlint/scoring.toml /etc/xdg/rpmlint/users-groups.toml /etc/xdg/rpmlint/warn-on-functions.toml rpmlintrc: [PosixPath('/tmp/tmp6xxhqeuj')] checks: 32, packages: 6 6 packages and 0 specfiles checked; 0 errors, 0 warnings, 31 filtered, 0 badness; has taken 0.2 s Rpmlint (installed packages) ---------------------------- (none): E: there is no installed rpm "rust-cose-rust+serde_json-devel". (none): E: there is no installed rpm "rust-cose-rust+hex-devel". (none): E: there is no installed rpm "rust-cose-rust+default-devel". (none): E: there is no installed rpm "rust-cose-rust-devel". (none): E: there is no installed rpm "rust-cose-rust+json-devel". There are no files to process nor additional arguments. ============================ rpmlint session starts ============================ rpmlint: 2.8.0 configuration: /usr/lib/python3.14/site-packages/rpmlint/configdefaults.toml /etc/xdg/rpmlint/fedora-spdx-licenses.toml /etc/xdg/rpmlint/fedora.toml /etc/xdg/rpmlint/scoring.toml /etc/xdg/rpmlint/users-groups.toml /etc/xdg/rpmlint/warn-on-functions.toml checks: 32, packages: 5 0 packages and 0 specfiles checked; 0 errors, 0 warnings, 0 filtered, 0 badness; has taken 0.0 s Nothing to do, aborting. Source checksums ---------------- https://crates.io/api/v1/crates/cose-rust/0.1.7/download#/cose-rust-0.1.7.crate : CHECKSUM(SHA256) this package : f221b4189b72ce93755b7fa1495d1741cc330bbd9698d3032562811698e3ab84 CHECKSUM(SHA256) upstream package : f221b4189b72ce93755b7fa1495d1741cc330bbd9698d3032562811698e3ab84 Checksums match. Requires -------- rust-cose-rust-devel (rpmlib, GLIBC filtered): (crate(cbor-codec/default) >= 0.7.1 with crate(cbor-codec/default) < 0.8.0~) (crate(openssl/default) >= 0.10.0 with crate(openssl/default) < 0.11.0~) (crate(rand/default) >= 0.8.3 with crate(rand/default) < 0.9.0~) cargo rust-cose-rust+default-devel (rpmlib, GLIBC filtered): cargo crate(cose-rust) rust-cose-rust+hex-devel (rpmlib, GLIBC filtered): (crate(hex/default) >= 0.4.3 with crate(hex/default) < 0.5.0~) cargo crate(cose-rust) rust-cose-rust+json-devel (rpmlib, GLIBC filtered): cargo crate(cose-rust) crate(cose-rust/hex) crate(cose-rust/serde_json) rust-cose-rust+serde_json-devel (rpmlib, GLIBC filtered): (crate(serde_json/default) >= 1.0.64 with crate(serde_json/default) < 2.0.0~) cargo crate(cose-rust) Provides -------- rust-cose-rust-devel: crate(cose-rust) rust-cose-rust-devel rust-cose-rust+default-devel: crate(cose-rust/default) rust-cose-rust+default-devel rust-cose-rust+hex-devel: crate(cose-rust/hex) rust-cose-rust+hex-devel rust-cose-rust+json-devel: crate(cose-rust/json) rust-cose-rust+json-devel rust-cose-rust+serde_json-devel: crate(cose-rust/serde_json) rust-cose-rust+serde_json-devel Generated by fedora-review 0.10.0 (e79b66b) last change: 2023-07-24 Command line :/usr/bin/fedora-review --copr-build 09922813 Buildroot used: fedora-rawhide-x86_64 Active plugins: Generic, Shell-api Disabled plugins: Ocaml, fonts, Python, Java, C/C++, R, Perl, PHP, Haskell, SugarActivity Disabled flags: EXARCH, EPEL6, EPEL7, DISTTAG, BATCH ===== APPROVAL ===== This package is APPROVED, thanks. All MUST items pass. The package is a well-structured Rust implementation of COSE (CBOR Object Signing and Encryption) per RFC 8152. The MIT license is properly declared and included. Source code has been reviewed and contains only permissible cryptographic operations code. The patch to use system OpenSSL instead of vendored OpenSSL follows Fedora packaging best practices. Checksums match upstream. Version 0.1.7 is confirmed as the latest available on crates.io. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component https://bugzilla.redhat.com/show_bug.cgi?id=2417570 Report this comment as SPAM: https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla&format=report-spam&short_desc=Report%20of%20Bug%202417570%23c7 -- _______________________________________________ package-review mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
