https://bugzilla.redhat.com/show_bug.cgi?id=2431992
--- Comment #3 from Sergio Correia <[email protected]> --- Package Review ============== Legend: [x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated ===== ISSUES ===== None - package meets all MUST requirements. ===== RECOMMENDATIONS ===== 1. Package is 2 versions behind (v0.15.0 vs v0.17.0 latest) 2. Add manual page for kbs binary (rpmlint warning) 3. Consider adding GPG signature verification if upstream provides it ===== MOCK INSTALLATION TEST ===== Tested in clean fedora-rawhide-x86_64 mock chroot: - Installation: SUCCESS - Binary tests: /usr/bin/kbs --help and --version work correctly - All dependencies resolved from Fedora repos - Files installed to correct locations ===== MUST items ===== Generic: [x]: Package successfully compiles and builds into binary rpms on at least one supported primary architecture. Note: Copr build 10044307 completed successfully for x86_64. [x]: Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines. Note: Source is Apache-2.0. Statically linked deps use FLOSS licenses (Apache-2.0, MIT, BSD-3-Clause, ISC, MPL-2.0, Unicode-*, Unlicense, Zlib, BSL-1.0). [x]: License field in the package spec file matches the actual license. Note: SOURCE license (Apache-2.0) verified in trustee-0.15.0/LICENSE. Binary license correctly combines source + all statically linked crates. LICENSE.dependencies (273 lines) provides complete breakdown. [x]: If the package is under multiple licenses, the licensing breakdown must be documented in the spec. Note: License summary in spec comments (lines 8-28). LICENSE.dependencies installed as %license with per-crate breakdown. [x]: %build honors applicable compiler flags or justifies otherwise. Note: %cargo_build uses %build_rustflags. OPENSSL_NO_VENDOR=1 uses system OpenSSL. [x]: Package contains no bundled libraries or specifies bundled libraries with Provides: bundled(<libname>) if unbundling is not possible. Note: No bundled C libs. Rust crates statically linked (no stable ABI). All deps from Fedora registry via %cargo_generate_buildrequires. [x]: Changelog in prescribed format. Note: Uses %autochangelog. [x]: Sources contain only permissible code or content. Note: KBS for confidential computing attestation/secrets. No malicious code detected. [x]: Package contains desktop file if it is a GUI application. Note: Server daemon/CLI tool, not GUI. [x]: Development files must be in a -devel package Note: Non-crate app, no -devel package needed. [x]: Package uses nothing in %doc for runtime. [x]: Package consistently uses macros (instead of hard-coded directory names). [x]: Package is named according to the Package Naming Guidelines. Note: "trustee" (no rust- prefix) correct for non-crate apps. [x]: Package does not generate any conflict. [x]: Package obeys FHS, except libexecdir and /usr/target. [x]: If the package is a rename of another package, proper Obsoletes and Provides are present. Note: New package, not a rename. [x]: Requires correct, justified where necessary. Note: openssl (explicit) + auto-generated shared lib deps. [x]: Spec file is legible and written in American English. [x]: Package contains systemd file(s) if in need. Note: Typically deployed in containers/K8s per upstream docs. [x]: Useful -debuginfo package or justification otherwise. [x]: Package is not known to require an ExcludeArch tag. [x]: Package complies to the Packaging Guidelines [x]: Package installs properly. [x]: Rpmlint is run on all rpms the build produces. [x]: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %license. [x]: The License field must be a valid SPDX expression. [x]: Package requires other packages for directories it uses. [x]: Package must own all directories that it creates. [x]: Package does not own files or directories owned by other packages. [x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT [x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install. [x]: Macros in Summary, %description expandable at SRPM build time. [x]: Dist tag is present. [x]: Package does not contain duplicates in %files. [x]: Permissions on files are set properly. [x]: Package must not depend on deprecated() packages. [x]: Package use %makeinstall only when make install DESTDIR=... doesn't work. [x]: Package is named using only allowed ASCII characters. [x]: Package does not use a name that already exists. [x]: Package is not relocatable. [x]: Sources used to build the package match the upstream source, as provided in the spec URL. Note: SHA256 checksums match for both Source0 and Source1. [x]: Spec file name must match the spec package %{name}, in the format %{name}.spec. [x]: File names are valid UTF-8. [x]: Large documentation must go in a -doc subpackage. Large could be size (~1MB) or number of files. Note: Documentation size is 3267 bytes in 1 files. [x]: Packages must not store files under /srv, /opt or /usr/local ===== Rust-Specific MUST items ===== [x]: Rust packages building with cargo MUST have BuildRequires: cargo-rpm-macros Note: Line 45. [x]: Rust packages MUST call %cargo_prep in %prep Note: Line 72. [x]: Rust packages building with cargo MUST use %cargo_generate_buildrequires Note: Lines 73-74. [x]: Rust packages with binaries MUST use %cargo_license for License tracking Note: Lines 80-81, LICENSE.dependencies in %files line 94. [x]: Rust crate packages MUST set %bcond check Note: Line 1: %bcond check 1. [x]: Non-crate Rust packages MUST NOT use rust- prefix Note: Package name "trustee" without rust- prefix. [x]: Non-crate Rust packages MUST NOT ship -devel subpackages Note: No -devel subpackages. [x]: Non-crate Rust packages MUST NOT ship crate sources in %{cargo_registry} Note: Uses manual install, not %cargo_install. [x]: Rust packages MUST pass standardized compiler flags Note: %cargo_build uses %build_rustflags automatically. [x]: BuildRequires MUST NOT contain arch-specific dependencies (%{?_isa}) Note: No %{?_isa} in BuildRequires. [x]: Git dependencies SHOULD be replaced with path/registry dependencies Note: Patch 0007 replaces git deps with path/registry deps. [x]: Patches modifying Cargo.toml MUST be applied before spec generation Note: Applied via %autosetup -S git before %cargo_prep. [x]: No rpath in binaries Note: No rpath issues detected. ===== SHOULD items ===== Generic: [x]: Reviewer should test that the package builds in mock. Note: Tested in clean fedora-rawhide-x86_64, see MOCK TEST section. [?]: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it. Note: Upstream includes LICENSE file. [x]: Final provides and requires are sane (see attachments). [x]: Package functions as described. [?]: Latest version is packaged. Note: v0.15.0 packaged, v0.17.0 available. 2 versions behind. [-]: Package does not include license text files separate from upstream. [x]: Patches link to upstream bugs/comments/lists or are otherwise justified. Note: 8 patches with clear rationale for Fedora packaging. [?]: Sources are verified with gpgverify first in %prep if upstream publishes signatures. Note: Not used. Check if available. [-]: Package should compile and build into binary rpms on all supported architectures. Note: Should build on all arches. [x]: %check is present and all tests pass. Note: Lines 87-90, %cargo_test when %{with check}. [-]: Packages should try to preserve timestamps of original installed files. [x]: Buildroot is not present [x]: Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT) [x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin. [x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file [x]: Sources can be downloaded from URI in Source: tag [x]: SourceX is a working URL. [x]: Spec use %global instead of %define unless justified. ===== Rust-Specific SHOULD items ===== [x]: Rust projects SHOULD use system libraries instead of bundled copies Note: OPENSSL_NO_VENDOR=1 forces system OpenSSL. [x]: Rust projects with test suites SHOULD execute them in %check Note: %cargo_test in %check. [x]: Patches SHOULD be submitted upstream when applicable Note: Patches are Fedora-specific (workspace restrictions, dep replacements, test guards). [?]: OpenPGP signature verification SHOULD be used if upstream publishes them Note: Check if upstream provides signatures. ===== EXTRA items ===== Generic: [x]: Rpmlint is run on debuginfo package(s). [x]: Rpmlint is run on all installed packages. [x]: Large data in /usr/share should live in a noarch subpackage if package is arched. [x]: Spec file according to URL is the same as in SRPM. Rpmlint ------- Checking: trustee-kbs-0.15.0-1.fc44.x86_64.rpm trustee-0.15.0-1.fc44.src.rpm ============================ rpmlint session starts ============================ rpmlint: 2.8.0 configuration: /usr/lib/python3.14/site-packages/rpmlint/configdefaults.toml /etc/xdg/rpmlint/fedora-spdx-licenses.toml /etc/xdg/rpmlint/fedora.toml /etc/xdg/rpmlint/scoring.toml /etc/xdg/rpmlint/users-groups.toml /etc/xdg/rpmlint/warn-on-functions.toml rpmlintrc: [PosixPath('/tmp/tmpme_rnedq')] checks: 32, packages: 2 trustee-kbs.x86_64: W: no-manual-page-for-binary kbs 2 packages and 0 specfiles checked; 0 errors, 1 warnings, 9 filtered, 0 badness; has taken 0.4 s Rpmlint (debuginfo) ------------------- Checking: trustee-kbs-debuginfo-0.15.0-1.fc44.x86_64.rpm ============================ rpmlint session starts ============================ rpmlint: 2.8.0 configuration: /usr/lib/python3.14/site-packages/rpmlint/configdefaults.toml /etc/xdg/rpmlint/fedora-spdx-licenses.toml /etc/xdg/rpmlint/fedora.toml /etc/xdg/rpmlint/scoring.toml /etc/xdg/rpmlint/users-groups.toml /etc/xdg/rpmlint/warn-on-functions.toml rpmlintrc: [PosixPath('/tmp/tmppl8oo1_s')] checks: 32, packages: 1 1 packages and 0 specfiles checked; 0 errors, 0 warnings, 6 filtered, 0 badness; has taken 2.9 s Rpmlint (installed packages) ---------------------------- (none): E: there is no installed rpm "trustee-kbs-debuginfo". (none): E: there is no installed rpm "trustee-kbs". There are no files to process nor additional arguments. Nothing to do, aborting. ============================ rpmlint session starts ============================ rpmlint: 2.8.0 configuration: /usr/lib/python3.14/site-packages/rpmlint/configdefaults.toml /etc/xdg/rpmlint/fedora-spdx-licenses.toml /etc/xdg/rpmlint/fedora.toml /etc/xdg/rpmlint/scoring.toml /etc/xdg/rpmlint/users-groups.toml /etc/xdg/rpmlint/warn-on-functions.toml checks: 32, packages: 2 0 packages and 0 specfiles checked; 0 errors, 0 warnings, 0 filtered, 0 badness; has taken 0.0 s Source checksums ---------------- https://github.com/confidential-containers/trustee/archive/refs/tags/v0.15.0.tar.gz : CHECKSUM(SHA256) this package : 825227b9ac6a4312cf7f02746a53d4e03718a764843d67e069274e76e3458774 CHECKSUM(SHA256) upstream package : 825227b9ac6a4312cf7f02746a53d4e03718a764843d67e069274e76e3458774 https://github.com/confidential-containers/guest-components/archive/refs/tags/v%{version}/guest-components-0.15.0.tar.gz : CHECKSUM(SHA256) this package : 3e1a234cdf621cf956b440cca472117b0547ba71dd72e448986bf7db25473f3f CHECKSUM(SHA256) upstream package : 3e1a234cdf621cf956b440cca472117b0547ba71dd72e448986bf7db25473f3f Requires -------- trustee-kbs (rpmlib, GLIBC filtered): ld-linux-x86-64.so.2()(64bit) libc.so.6()(64bit) libcrypto.so.3()(64bit) libcrypto.so.3(OPENSSL_3.0.0)(64bit) libgcc_s.so.1()(64bit) libgcc_s.so.1(GCC_3.0)(64bit) libgcc_s.so.1(GCC_3.3)(64bit) libgcc_s.so.1(GCC_4.2.0)(64bit) libm.so.6()(64bit) libssl.so.3()(64bit) libssl.so.3(OPENSSL_3.0.0)(64bit) libzstd.so.1()(64bit) openssl rtld(GNU_HASH) Provides -------- trustee-kbs: trustee-kbs trustee-kbs(x86-64) ===== DETAILED REVIEW NOTES ===== Package Type: Non-crate Rust application (trustee KBS) - Multi-crate workspace project from GitHub - Only KBS component built/shipped - Follows Rust Guidelines for non-crate projects Rust Compliance: - Correct naming (no rust- prefix), macros, license tracking - Manual install (not %cargo_install), no -devel packages - %bcond check set, tests in %check Source: Key Broker Service for confidential computing (attestation/secrets) - Reviewed for security - legitimate infrastructure, no malicious code Patches (8 total): - 0001: Restrict workspace to kbs only (reduces build footprint) - 0002: Remove built-in AS (lightweight build) - 0003: Replace concat-kdf with internal impl (reduce deps) - 0004: Use jsonwebtoken vs jwt-simple (Fedora alignment) - 0005: Align crate versions with Fedora - 0006: Replace derivative with educe - 0007: Replace git deps with path/registry (REQUIRED for offline builds) - 0008: Guard RVPS import in tests All justified for Fedora packaging. Licenses: - Source: Apache-2.0 (verified in LICENSE) - Binary: SPDX conjunction of source + all statically linked crates - LICENSE.dependencies (273 lines) lists all crate licenses - Licensecheck: 468 "Unknown" files are config/build/test files (acceptable) Security: System OpenSSL, no bundled libs, all deps from Fedora registry Version: v0.15.0 (Sept 2024), latest is v0.17.0 (Jan 2025) - 2 versions behind ===== FINAL RECOMMENDATION ===== APPROVED Package meets all MUST requirements for Fedora and Rust Packaging Guidelines. Non-blocking recommendations: 1. Update to v0.17.0 2. Add man page for kbs 3. Add GPG verification if available Generated by fedora-review 0.11.0 (05c5b26) last change: 2025-11-29 Command line :/usr/bin/fedora-review --copr-build 10044307 Buildroot used: fedora-rawhide-x86_64 Active plugins: Generic, Shell-api Disabled plugins: fonts, SugarActivity, Perl, R, Haskell, Ocaml, Java, Python, C/C++, PHP Disabled flags: EXARCH, EPEL6, EPEL7, DISTTAG, BATCH -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component https://bugzilla.redhat.com/show_bug.cgi?id=2431992 Report this comment as SPAM: https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla&format=report-spam&short_desc=Report%20of%20Bug%202431992%23c3 -- _______________________________________________ package-review mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
