https://bugzilla.redhat.com/show_bug.cgi?id=2417572
Sergio Correia <[email protected]> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|fedora-review? |fedora-review+ --- Comment #8 from Sergio Correia <[email protected]> --- Package Review ============== Legend: [x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated Issues: ======= No issues found. All MUST items pass. ===== MUST items ===== Generic: [x]: Package successfully compiles and builds into binary rpms on at least one supported primary architecture. Note: Package builds successfully in copr-build 9931722 [x]: Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines. Note: Verified Apache-2.0 License. License file at ear-0.4.0/LICENSE contains standard Apache License 2.0 text. Package implements EAT (Entity Attestation Token) Attestation Results per draft-fv-rats-ear specification, providing attestation result tokens for remote attestation systems. [x]: License field in the package spec file matches the actual license. Note: Spec declares "License: Apache-2.0" which matches the actual Apache License 2.0 in the LICENSE file. The licensecheck output shows "*No copyright* Apache License 2.0" for the LICENSE file and source files - this is expected as the LICENSE file is the license text itself (without a separate copyright notice), and source files contain SPDX identifiers (// SPDX-License-Identifier: Apache-2.0) which is a valid way to indicate licensing. 15 files with "Unknown or generated" are configuration and build files (Cargo.toml, .github workflows, deny.toml, misc test keys) which is normal - they are covered under the project's Apache-2.0 License. [x]: License file installed when any subpackage combination is installed. Note: %license directive in spec line 33 ensures LICENSE is installed: %license %{crate_instdir}/LICENSE [x]: %build honors applicable compiler flags or justifies otherwise. Note: Uses %cargo_build macro which properly handles Rust compiler flags. [x]: Package contains no bundled libraries without FPC exception. Note: Rust package with declared dependencies via Cargo. Dependencies include base64, ciborium, cose-rust, hex, jsonwebtoken, lazy_static, openssl, phf, serde, serde_json, and thiserror - all properly declared. [x]: Changelog in prescribed format. Note: Uses %autochangelog macro for automatic changelog generation. [x]: Sources contain only permissible code or content. Note: Examined source code ear-0.4.0/. Package is a legitimate EAT (Entity Attestation Token) Attestation Results implementation conforming to draft-fv-rats-ear specification from IETF RATS working group. Provides functionality to create, sign, and verify attestation result tokens using JWT (JSON Web Token) and COSE (CBOR Object Signing and Encryption). Source files reviewed include lib.rs (lines 1-20 show SPDX-License-Identifier: Apache-2.0 and implementation description), ear.rs, appraisal.rs, algorithm.rs, trust/*.rs. Code provides cryptographic signing/verification of attestation results used in remote attestation systems. Part of the Veraison project for attestation verification. No malware or suspicious code found. [x]: Package contains desktop file if it is a GUI application. Note: Library package, not a GUI application. [x]: Development files must be in a -devel package Note: This is a Rust -devel package containing library source for building other packages. [x]: Package uses nothing in %doc for runtime. Note: Only README.md is marked as %doc which is documentation only. [x]: Package consistently uses macros (instead of hard-coded directory names). Note: Properly uses %{crate_instdir} and other standard Rust macros. [x]: Package is named according to the Package Naming Guidelines. Note: Follows Rust packaging naming: rust-ear [x]: Package does not generate any conflict. [x]: Package obeys FHS, except libexecdir and /usr/target. Note: Installs to %{crate_instdir} which is /usr/share/cargo/registry/ear-0.4.0/ [x]: If the package is a rename of another package, proper Obsoletes and Provides are present. Note: Not a renamed package. [x]: Requires correct, justified where necessary. Note: Dependencies are automatically generated via cargo-rpm-macros. Requires include crate(base64/default), crate(ciborium/default), crate(cose-rust/default), crate(hex/default), crate(jsonwebtoken/default), crate(lazy_static/default), crate(openssl/default), crate(phf/default), crate(phf/macros), crate(phf/serde), crate(serde/default), crate(serde/derive), crate(serde_json/default), crate(serde_json/raw_value), and crate(thiserror/default) with appropriate version constraints. [x]: Spec file is legible and written in American English. [x]: Package contains systemd file(s) if in need. Note: Library package, no systemd files needed. [x]: Package is not known to require an ExcludeArch tag. [x]: Package complies to the Packaging Guidelines [x]: Package installs properly. [x]: Rpmlint is run on all rpms the build produces. Note: No rpmlint messages. [x]: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %license. Note: LICENSE file included via %license directive. [x]: The License field must be a valid SPDX expression. Note: "Apache-2.0" is a valid SPDX license identifier. [x]: Package requires other packages for directories it uses. [x]: Package must own all directories that it creates. [x]: Package does not own files or directories owned by other packages. [x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT [x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install. [x]: Macros in Summary, %description expandable at SRPM build time. [x]: Dist tag is present. [x]: Package does not contain duplicates in %files. Note: No duplicate file warnings in this build. [x]: Permissions on files are set properly. [x]: Package must not depend on deprecated() packages. [x]: Package use %makeinstall only when make install DESTDIR=... doesn't work. Note: Uses %cargo_install macro. [x]: Package is named using only allowed ASCII characters. [x]: Package does not use a name that already exists. [x]: Package is not relocatable. [x]: Sources used to build the package match the upstream source, as provided in the spec URL. Note: Checksum verified below. [x]: Spec file name must match the spec package %{name}, in the format %{name}.spec. Note: rust-ear.spec matches package name. [x]: File names are valid UTF-8. [x]: Large documentation must go in a -doc subpackage. Large could be size (~1MB) or number of files. Note: Documentation size is 0 bytes in 0 files (only README.md). [x]: Packages must not store files under /srv, /opt or /usr/local ===== SHOULD items ===== Generic: [-]: Reviewer should test that the package builds in mock. Note: Package was built via fedora-review --copr-build which uses mock. [x]: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it. Note: LICENSE file is included in upstream source. [x]: Final provides and requires are sane (see attachments). Note: Provides include crate(ear) and crate(ear/default). Requires are appropriate for the crate's dependencies on cryptographic and serialization libraries. [-]: Fully versioned dependency in subpackages if applicable. Note: Rust feature packages use crate() dependencies without %{name} %{?_isa} versioning, which is normal and correct for Rust packages. The crate() virtual provides system handles versioning appropriately. [x]: Package functions as described. Note: EAT Attestation Results implementation. Provides functionality to create, sign, and verify attestation result tokens conforming to EAT Attestation Results (draft-fv-rats-ear) specification. Supports JWT and COSE signing, extensible profiles, and AR4SI trust claims. [x]: Latest version is packaged. Note: Version 0.4.0 is being packaged. The upstream rust-ear repository shows recent activity (updated November 2025), indicating active development. Version 0.4.0 appears to be a current release. [x]: Package does not include license text files separate from upstream. Note: LICENSE file is from upstream. [-]: Patches link to upstream bugs/comments/lists or are otherwise justified. Note: No patches applied. [-]: Sources are verified with gpgverify first in %prep if upstream publishes signatures. Note: crates.io does not provide GPG signatures. [-]: Package should compile and build into binary rpms on all supported architectures. Note: BuildArch: noarch - Rust source packages are architecture independent. [x]: %check is present and all tests pass. Note: Tests are enabled with %bcond check 1, which means tests run during build. This is excellent for a cryptographic/attestation library. [x]: Packages should try to preserve timestamps of original installed files. Note: cargo-rpm-macros handle this. [x]: Buildroot is not present [x]: Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT) [x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin. [x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file [x]: Sources can be downloaded from URI in Source: tag [x]: SourceX is a working URL. [x]: Spec use %global instead of %define unless justified. ===== EXTRA items ===== Generic: [x]: Rpmlint is run on all installed packages. Note: No rpmlint messages. [x]: Spec file according to URL is the same as in SRPM. [x]: Spec file %files devel section follows rust2rpm standard pattern. Rpmlint ------- Checking: rust-ear-devel-0.4.0-1.fc44.noarch.rpm rust-ear+default-devel-0.4.0-1.fc44.noarch.rpm rust-ear-0.4.0-1.fc44.src.rpm ============================ rpmlint session starts ============================ rpmlint: 2.7.0 configuration: /usr/lib/python3.13/site-packages/rpmlint/configdefaults.toml /etc/xdg/rpmlint/fedora-legacy-licenses.toml /etc/xdg/rpmlint/fedora-spdx-licenses.toml /etc/xdg/rpmlint/fedora.toml /etc/xdg/rpmlint/scoring.toml /etc/xdg/rpmlint/users-groups.toml /etc/xdg/rpmlint/warn-on-functions.toml rpmlintrc: [PosixPath('/tmp/tmp1hbza7pl')] checks: 32, packages: 3 3 packages and 0 specfiles checked; 0 errors, 0 warnings, 13 filtered, 0 badness; has taken 0.1 s Rpmlint (installed packages) ---------------------------- (none): E: there is no installed rpm "rust-ear-devel". (none): E: there is no installed rpm "rust-ear+default-devel". There are no files to process nor additional arguments. Nothing to do, aborting. ============================ rpmlint session starts ============================ rpmlint: 2.8.0 configuration: /usr/lib/python3.14/site-packages/rpmlint/configdefaults.toml /etc/xdg/rpmlint/fedora-spdx-licenses.toml /etc/xdg/rpmlint/fedora.toml /etc/xdg/rpmlint/scoring.toml /etc/xdg/rpmlint/users-groups.toml /etc/xdg/rpmlint/warn-on-functions.toml checks: 32, packages: 2 0 packages and 0 specfiles checked; 0 errors, 0 warnings, 0 filtered, 0 badness; has taken 0.0 s Source checksums ---------------- https://crates.io/api/v1/crates/ear/0.4.0/download#/ear-0.4.0.crate : CHECKSUM(SHA256) this package : 8bc48a3976de4a3c2f6661a74836abbd7d458ef10e391fedcf47bcc4c983abc1 CHECKSUM(SHA256) upstream package : 8bc48a3976de4a3c2f6661a74836abbd7d458ef10e391fedcf47bcc4c983abc1 Checksums match. Requires -------- rust-ear-devel (rpmlib, GLIBC filtered): (crate(base64/default) >= 0.22.1 with crate(base64/default) < 0.23.0~) (crate(ciborium/default) >= 0.2.0 with crate(ciborium/default) < 0.3.0~) (crate(cose-rust/default) >= 0.1.2 with crate(cose-rust/default) < 0.2.0~) (crate(hex/default) >= 0.4.3 with crate(hex/default) < 0.5.0~) (crate(jsonwebtoken/default) >= 9.0.0 with crate(jsonwebtoken/default) < 10.0.0~) (crate(lazy_static/default) >= 1.5.0 with crate(lazy_static/default) < 2.0.0~) (crate(openssl/default) >= 0.10.54 with crate(openssl/default) < 0.11.0~) (crate(phf/default) >= 0.11.1 with crate(phf/default) < 0.12.0~) (crate(phf/macros) >= 0.11.1 with crate(phf/macros) < 0.12.0~) (crate(phf/serde) >= 0.11.1 with crate(phf/serde) < 0.12.0~) (crate(serde/default) >= 1.0.0 with crate(serde/default) < 2.0.0~) (crate(serde/derive) >= 1.0.0 with crate(serde/derive) < 2.0.0~) (crate(serde_json/default) >= 1.0.93 with crate(serde_json/default) < 2.0.0~) (crate(serde_json/raw_value) >= 1.0.93 with crate(serde_json/raw_value) < 2.0.0~) (crate(thiserror/default) >= 2.0.16 with crate(thiserror/default) < 3.0.0~) /usr/bin/bash cargo rust-ear+default-devel (rpmlib, GLIBC filtered): cargo crate(ear) Provides -------- rust-ear-devel: crate(ear) rust-ear-devel rust-ear+default-devel: crate(ear/default) rust-ear+default-devel Generated by fedora-review 0.10.0 (e79b66b) last change: 2023-07-24 Command line :/usr/bin/fedora-review --copr-build 9931722 Buildroot used: fedora-rawhide-x86_64 Active plugins: Shell-api, Generic Disabled plugins: PHP, Haskell, R, Python, SugarActivity, Ocaml, Java, fonts, Perl, C/C++ Disabled flags: EXARCH, EPEL6, EPEL7, DISTTAG, BATCH ===== APPROVAL ===== This package is APPROVED, thanks. No issues, all MUST items pass. -- You are receiving this mail because: You are always notified about changes to this product and component You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2417572 Report this comment as SPAM: https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla&format=report-spam&short_desc=Report%20of%20Bug%202417572%23c8 -- _______________________________________________ package-review mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
