https://bugzilla.redhat.com/show_bug.cgi?id=2448590
--- Comment #2 from Daniel Berrangé <[email protected]> ---
Some notes for reviews:

 * The 'sgx-pccs' functionality is in fact already present in Fedora,
   created as a sub-RPM of 'linux-sgx'. Historically PCCS was bundled with
   the general SGX codebase, but in their 1.25 release of SGX DCAP, it was
   split off upstream into its own git repository. This makes it practical
   to now package as a standalone thing in Fedora, which is a very good
   benefit, as it needs frequent updates for NodeJS security flaws.

   Once this package is approved and built in Fedora, I will be updating
   linux-sgx to turn off the build of its own 'sgx-pccs' sub-RPMs to avoid
   the clash. The upgrade path should be seamless since the RPMs have the
   same names and versioning scheme.

 * The 'sgx-pccs' RPM generates a metric tonne of rpmlint warnings. I've
   addressed many issues, but feel the remaining ones are acceptable, or
   unavoidable given the poor state / limitations of working with the
   NodeJS ecosystem.

     sgx-pccs.x86_64: W: non-standard-uid /var/lib/pccs pccs
     sgx-pccs.x86_64: W: non-standard-uid /var/log/pccs pccs
     sgx-pccs.x86_64: W: non-standard-gid /etc/pccs/ssl pccs
     sgx-pccs.x86_64: W: non-standard-gid /var/lib/pccs pccs
     sgx-pccs.x86_64: W: non-standard-gid /var/log/pccs pccs
     sgx-pccs.x86_64: E: non-standard-dir-perm /etc/pccs/ssl 750
     sgx-pccs.x86_64: E: non-standard-dir-perm /var/log/pccs 700

   => Intentional package integration choices

     sgx-pccs.x86_64: W: no-manual-page-for-binary pccs
     sgx-pccs.x86_64: W: no-documentation
     sgx-pccs.x86_64: W: log-files-without-logrotate ['/var/log/pccs']

   => limitations of what's provided by upstream

     23 * zero-length
     11 * devel-file-in-non-devel-package
     186 * hidden-file-or-dir

   => NodeJS has no separation of dev env content from production content,
      so when bundling nodejs package deps you get all sorts of undesirable
      files such as those highlighted by rpmlint. While in theory we could
      painstakingly analyse and remove much of it, it doesn't appear to be
      a requirement of the nodejs packaging guidelines.

     34 files-duplicate

   => I've listed the license files for every nodejs dep in %license, and
      inevitably many deps have the same license text and hardlinking does
      not work for files listed in %license.

--
package-review mailing list -- [email protected]
