https://bugzilla.redhat.com/show_bug.cgi?id=2417690

Sergio Correia <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|fedora-review?              |fedora-review+



--- Comment #6 from Sergio Correia <[email protected]> ---
Thanks for the clarification; with this, the package is approved.

Package Review
==============

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated


Issues:
=======

- Harmless: gcc/gcc-c++/clang BuildRequires warning is a false positive.
  Note: If your application is a C or C++ application you must list a
  BuildRequires against gcc, gcc-c++ or clang.
  No gcc, gcc-c++ or clang found in BuildRequires

  This is harmless - rust-regorus is a pure Rust package, not C/C++. The
  C/C++ plugin was incorrectly activated (likely due to bindings/ directory
  containing example FFI bindings). The build.rs file does NOT compile C code
  (only copies git hooks). cargo-rpm-macros handles all build requirements.

- Harmless: rpmlint warnings for file encoding and hard links.
  Note: W: wrong-file-end-of-line-encoding
        /usr/share/cargo/registry/regorus-0.2.6/SUPPORT.md
        W: cross-directory-hard-link (multiple test data files)

  This is harmless and does not affect package functionality.

No other issues found.


===== MUST items =====

C/C++:
[-]: Package does not contain kernel modules.
     Note: Not a C/C++ package. The C/C++ files in bindings/ are example FFI
     wrappers, not part of the core library build.

[x]: Package does not contain any libtool archives (.la)

[x]: Package contains no static executables.

[x]: Rpath absent or only used for internal libs.

Generic:
[x]: Package successfully compiles and builds into binary rpms on at least
     one supported primary architecture.
     Note: Package builds successfully in copr-build 9931719

[x]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
     Note: Verified dual licensing MIT AND Apache-2.0. Core library is MIT
     (Copyright (c) Microsoft Corporation), test data files are Apache-2.0,
     and some individual source files are dual-licensed. Package implements
     Rego (Open Policy Agent policy language) interpreter.

[x]: License field in the package spec file matches the actual license.
     Note: Spec declares "License: MIT AND Apache-2.0" which correctly
     represents the licensing breakdown. The LICENSE file
     (regorus-0.2.6/LICENSE) contains MIT License with Copyright (c)
     Microsoft Corporation. Test data files (tests/kata/data/*/policy.rego)
     are Apache-2.0. Two source files have dual licensing:
     src/builtins/time/diff.rs (Apache-2.0 and/or MIT) and
     src/builtins/time/compat.rs (BSD-3-Clause and/or MIT). The licensecheck
     output shows 168 files with "Unknown or generated" which are normal
     (Cargo files, YAML test data, build scripts).

[x]: License file installed when any subpackage combination is installed.
     Note: %license directive in spec line 36 ensures LICENSE is installed:
     %license %{crate_instdir}/LICENSE

[x]: If the package is under multiple licenses, the licensing breakdown
     must be documented in the spec.
     Note: The License field "MIT AND Apache-2.0" correctly documents that
     the package contains code under both licenses. The breakdown has been
     verified in the source files.

[x]: %build honors applicable compiler flags or justifies otherwise.
     Note: Uses %cargo_build macro which properly handles Rust compiler flags.

[x]: Package contains no bundled libraries without FPC exception.
     Note: Rust package with declared dependencies via Cargo. Dependencies
     include scientific (which we also reviewed!), serde, serde_json, anyhow,
     lazy_static, and optional features like regex, time (chrono), base64,
     etc. - all properly declared.

[x]: Changelog in prescribed format.
     Note: Uses %autochangelog macro for automatic changelog generation.

[x]: Sources contain only permissible code or content.
     Note: Examined source code in regorus-0.2.6/. Package is a legitimate
     Rego (OPA policy language) interpreter implementation. Rego is a policy
     language from Open Policy Agent project, used for policy-as-code
     evaluation (similar to what Keylime needs for attestation policies!).
     Source files reviewed include src/lib.rs:1-30 (shows no_std capable Rust
     implementation), src/parser.rs, src/interpreter.rs, src/builtins/*.rs.
     The bindings/ directory contains example FFI bindings (C, C++, Python,
     etc.) but these are not built by the package. The build.rs file only
     copies git hooks, does NOT compile C code. No malware or suspicious code
     found.

[x]: Package contains desktop file if it is a GUI application.
     Note: Library package, not a GUI application.

[x]: Development files must be in a -devel package
     Note: This is a Rust -devel package containing library source for
     building other packages.

[x]: Package uses nothing in %doc for runtime.
     Note: Documentation files (CHANGELOG.md, CODE_OF_CONDUCT.md, README.md,
     SECURITY.md, SUPPORT.md) are marked as %doc.

[x]: Package consistently uses macros (instead of hard-coded directory
     names).
     Note: Properly uses %{crate_instdir} and other standard Rust macros.

[x]: Package is named according to the Package Naming Guidelines.
     Note: Follows Rust packaging naming: rust-regorus

[x]: Package does not generate any conflict.

[x]: Package obeys FHS, except libexecdir and /usr/target.
     Note: Installs to %{crate_instdir} which is
     /usr/share/cargo/registry/regorus-0.2.6/

[x]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
     Note: Not a renamed package.

[x]: Requires correct, justified where necessary.
     Note: Dependencies are automatically generated via cargo-rpm-macros.
     Main requires include crate(anyhow), crate(lazy_static),
     crate(scientific/default), crate(serde), crate(serde_json) with
     appropriate version constraints.

[x]: Spec file is legible and written in American English.

[x]: Package contains systemd file(s) if in need.
     Note: Library package, no systemd files needed.

[x]: Package is not known to require an ExcludeArch tag.

[x]: Package complies to the Packaging Guidelines

[x]: Package installs properly.

[x]: Rpmlint is run on all rpms the build produces.
     Note: rpmlint shows 5 warnings (all harmless - see Issues section).

[x]: If (and only if) the source package includes the text of the
     license(s) in its own file, then that file, containing the text of the
     license(s) for the package is included in %license.
     Note: LICENSE file included via %license directive.

[x]: The License field must be a valid SPDX expression.
     Note: "MIT AND Apache-2.0" is a valid SPDX expression using the AND
     operator.

[x]: Package requires other packages for directories it uses.

[x]: Package must own all directories that it creates.

[x]: Package does not own files or directories owned by other packages.

[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT

[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.

[x]: Macros in Summary, %description expandable at SRPM build time.

[x]: Dist tag is present.

[x]: Package does not contain duplicates in %files.

[x]: Permissions on files are set properly.

[x]: Package must not depend on deprecated() packages.

[x]: Package use %makeinstall only when make install DESTDIR=... doesn't
     work.
     Note: Uses %cargo_install macro.

[x]: Package is named using only allowed ASCII characters.

[x]: Package does not use a name that already exists.

[x]: Package is not relocatable.

[x]: Sources used to build the package match the upstream source, as
     provided in the spec URL.
     Note: Checksum verified below.

[x]: Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
     Note: rust-regorus.spec matches package name.

[x]: File names are valid UTF-8.

[x]: Large documentation must go in a -doc subpackage. Large could be size
     (~1MB) or number of files.
     Note: Documentation size is 0 bytes in 0 files.

[x]: Packages must not store files under /srv, /opt or /usr/local


===== SHOULD items =====

Generic:
[-]: Reviewer should test that the package builds in mock.
     Note: Package was built via fedora-review --copr-build which uses mock.

[x]: If the source package does not include license text(s) as a separate
     file from upstream, the packager SHOULD query upstream to include it.
     Note: LICENSE file is included in upstream source.

[x]: Final provides and requires are sane (see attachments).
     Note: Provides include crate(regorus) and feature-specific provides
     (default, base64, regex, std, time). Requires are appropriate for the
     crate's dependencies.

[-]: Fully versioned dependency in subpackages if applicable.
     Note: Rust feature packages use crate() dependencies without %{name}
     %{?_isa} versioning, which is normal and correct for Rust packages.
     The crate() virtual provides system handles versioning appropriately.

[x]: Package functions as described.
     Note: Fast, lightweight Rego (OPA policy language) interpreter. Rego is
     used for policy-as-code evaluation. The package is no_std capable and
     can be used from multiple languages via FFI bindings. Particularly
     relevant for policy evaluation in attestation systems like Keylime.

[x]: Latest version is packaged.
     Note: Version 0.2.6 is intentionally packaged as the minimum required
     version for the confidential-containers/trustee project. While crates.io
     shows 0.5.0 as the latest, 0.2.6 is the version currently needed for the
     dependent project. The packager plans to update to newer versions after
     the initial release. This is acceptable as there are no other packages
     depending on rust-regorus yet.

[x]: Package does not include license text files separate from upstream.
     Note: LICENSE file is from upstream.

[-]: Patches link to upstream bugs/comments/lists or are otherwise
     justified.
     Note: No patches applied.

[-]: Sources are verified with gpgverify first in %prep if upstream
     publishes signatures.
     Note: crates.io does not provide GPG signatures.

[-]: Package should compile and build into binary rpms on all supported
     architectures.
     Note: BuildArch: noarch - Rust source packages are architecture
     independent.

[-]: %check is present and all tests pass.
     Note: Tests are disabled with %bcond check 0, with comment noting this
     avoids test dependencies (prettydiff, test-generator). This is
     acceptable for initial packaging.

[x]: Packages should try to preserve timestamps of original installed
     files.
     Note: cargo-rpm-macros handle this.

[x]: Buildroot is not present

[x]: Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)

[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.

[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file

[x]: Sources can be downloaded from URI in Source: tag

[x]: SourceX is a working URL.

[x]: Spec use %global instead of %define unless justified.


===== EXTRA items =====

Generic:
[x]: Rpmlint is run on all installed packages.
     Note: rpmlint shows harmless warnings (see Issues section).

[x]: Spec file according to URL is the same as in SRPM.

[x]: Spec file follows rust2rpm pattern.


Rpmlint
-------
Checking: rust-regorus-devel-0.2.6-1.fc44.noarch.rpm
          rust-regorus+default-devel-0.2.6-1.fc44.noarch.rpm
          rust-regorus+base64-devel-0.2.6-1.fc44.noarch.rpm
          rust-regorus+regex-devel-0.2.6-1.fc44.noarch.rpm
          rust-regorus+std-devel-0.2.6-1.fc44.noarch.rpm
          rust-regorus+time-devel-0.2.6-1.fc44.noarch.rpm
          rust-regorus-0.2.6-1.fc44.src.rpm
============================ rpmlint session starts ============================
rpmlint: 2.7.0
configuration:
    /usr/lib/python3.13/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora-legacy-licenses.toml
    /etc/xdg/rpmlint/fedora-spdx-licenses.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
rpmlintrc: [PosixPath('/tmp/tmpqxjh28ph')]
checks: 32, packages: 7

rust-regorus-devel.noarch: W: wrong-file-end-of-line-encoding
/usr/share/cargo/registry/regorus-0.2.6/SUPPORT.md
rust-regorus-devel.noarch: W: cross-directory-hard-link
/usr/share/cargo/registry/regorus-0.2.6/tests/kata/data/k8s-policy-pod/outputs.json
/usr/share/cargo/registry/regorus-0.2.6/tests/kata/data/k8s-policy-job/outputs.json
rust-regorus-devel.noarch: W: cross-directory-hard-link
/usr/share/cargo/registry/regorus-0.2.6/tests/kata/data/k8s-policy-rc/outputs.json
/usr/share/cargo/registry/regorus-0.2.6/tests/kata/data/k8s-policy-job/outputs.json
rust-regorus-devel.noarch: W: cross-directory-hard-link
/usr/share/cargo/registry/regorus-0.2.6/tests/kata/data/k8s-policy-rc/outputs.json
/usr/share/cargo/registry/regorus-0.2.6/tests/kata/data/k8s-policy-pod/outputs.json
rust-regorus-devel.noarch: W: cross-directory-hard-link
/usr/share/cargo/registry/regorus-0.2.6/tests/kata/data/web/outputs.json
/usr/share/cargo/registry/regorus-0.2.6/tests/kata/data/pod-lifecycle/outputs.json
 7 packages and 0 specfiles checked; 0 errors, 5 warnings, 37 filtered, 0 badness; has taken 0.4 s




Rpmlint (installed packages)
----------------------------
(none): E: there is no installed rpm "rust-regorus+time-devel".
(none): E: there is no installed rpm "rust-regorus+std-devel".
(none): E: there is no installed rpm "rust-regorus-devel".
(none): E: there is no installed rpm "rust-regorus+base64-devel".
(none): E: there is no installed rpm "rust-regorus+default-devel".
(none): E: there is no installed rpm "rust-regorus+regex-devel".
There are no files to process nor additional arguments.
Nothing to do, aborting.
============================ rpmlint session starts ============================
rpmlint: 2.8.0
configuration:
    /usr/lib/python3.14/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora-spdx-licenses.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
checks: 32, packages: 6

 0 packages and 0 specfiles checked; 0 errors, 0 warnings, 0 filtered, 0 badness; has taken 0.0 s




Source checksums
----------------
https://crates.io/api/v1/crates/regorus/0.2.6/download#/regorus-0.2.6.crate :
  CHECKSUM(SHA256) this package     :
c906aed1a3a713b7d06f9dfb44920f5e59cd4cd4b45c1d965a65da801cdf30bd
  CHECKSUM(SHA256) upstream package :
c906aed1a3a713b7d06f9dfb44920f5e59cd4cd4b45c1d965a65da801cdf30bd

Checksums match.


Requires
--------
rust-regorus-devel (rpmlib, GLIBC filtered):
    (crate(anyhow) >= 1.0.45 with crate(anyhow) < 2.0.0~)
    (crate(anyhow/default) >= 1.0.0 with crate(anyhow/default) < 2.0.0~)
    (crate(lazy_static) >= 1.4.0 with crate(lazy_static) < 2.0.0~)
    (crate(scientific/default) >= 0.5.2 with crate(scientific/default) < 0.6.0~)
    (crate(serde) >= 1.0.150 with crate(serde) < 2.0.0~)
    (crate(serde/derive) >= 1.0.150 with crate(serde/derive) < 2.0.0~)
    (crate(serde/rc) >= 1.0.150 with crate(serde/rc) < 2.0.0~)
    (crate(serde_json) >= 1.0.89 with crate(serde_json) < 2.0.0~)
    (crate(serde_json/alloc) >= 1.0.89 with crate(serde_json/alloc) < 2.0.0~)
    /usr/bin/bash
    cargo

rust-regorus+default-devel (rpmlib, GLIBC filtered):
    cargo
    crate(regorus)
    crate(regorus/arc)
    crate(regorus/full-opa)

rust-regorus+base64-devel (rpmlib, GLIBC filtered):
    (crate(data-encoding) >= 2.4.0 with crate(data-encoding) < 3.0.0~)
    (crate(data-encoding/alloc) >= 2.4.0 with crate(data-encoding/alloc) < 3.0.0~)
    cargo
    crate(regorus)

rust-regorus+regex-devel (rpmlib, GLIBC filtered):
    (crate(regex) >= 1.10.2 with crate(regex) < 2.0.0~)
    cargo
    crate(regorus)

rust-regorus+std-devel (rpmlib, GLIBC filtered):
    (crate(rand) >= 0.8.5 with crate(rand) < 0.9.0~)
    (crate(rand/std) >= 0.8.5 with crate(rand/std) < 0.9.0~)
    (crate(rand/std_rng) >= 0.8.5 with crate(rand/std_rng) < 0.9.0~)
    (crate(serde_json/std) >= 1.0.89 with crate(serde_json/std) < 2.0.0~)
    cargo
    crate(regorus)

rust-regorus+time-devel (rpmlib, GLIBC filtered):
    (crate(chrono-tz/default) >= 0.10.0 with crate(chrono-tz/default) < 0.11.0~)
    (crate(chrono/default) >= 0.4.31 with crate(chrono/default) < 0.5.0~)
    cargo
    crate(regorus)



Provides
--------
rust-regorus-devel:
    crate(regorus)
    rust-regorus-devel

rust-regorus+default-devel:
    crate(regorus/default)
    rust-regorus+default-devel

rust-regorus+base64-devel:
    crate(regorus/base64)
    rust-regorus+base64-devel

rust-regorus+regex-devel:
    crate(regorus/regex)
    rust-regorus+regex-devel

rust-regorus+std-devel:
    crate(regorus/std)
    rust-regorus+std-devel

rust-regorus+time-devel:
    crate(regorus/time)
    rust-regorus+time-devel



Generated by fedora-review 0.10.0 (e79b66b) last change: 2023-07-24
Command line :/usr/bin/fedora-review --copr-build 9931719
Buildroot used: fedora-rawhide-x86_64
Active plugins: Generic, C/C++, Shell-api
Disabled plugins: fonts, SugarActivity, R, Ocaml, PHP, Haskell, Python, Java,
Perl
Disabled flags: EXARCH, EPEL6, EPEL7, DISTTAG, BATCH

===== APPROVAL =====

This package is APPROVED, thanks.

No problems, all MUST items pass. The gcc/gcc-c++ warning is a false positive
from the C/C++ plugin and the package version 0.2.6 is intentionally chosen as
the minimum required version for the confidential-containers/trustee project,
with plans to update to newer versions after the initial release.

