https://bugzilla.redhat.com/show_bug.cgi?id=2448376
--- Comment #6 from Ben Beasley <[email protected]> --- This is a high-quality submission. There are still a few things we need to revisit before it’s ready for approval. Package Review ============== Legend: [x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated The spec file is generated with rust2rpm, simplifying the review. ---- The Summary is correctly and necessarily shortened to fit in 80 characters. If you are not already doing so, you can encode this in rust2rpm.toml: [package] summary = "Minimal PKCS#11 module to sign content using a Siguldry server" ---- A trivial ancillary source is provided and documented: # * registration file for p11-kit Source10: p11-kit.module By trivial, I mean that it only contains: module: libsiguldry_pkcs11.so This is reasonable. ---- There is a metadata patch that omits three tests, -[[test]] -name = "signing" -path = "tests/signing.rs" - -[[test]] -name = "sigul_imported_keys" -path = "tests/sigul_imported_keys.rs" - -[[test]] -name = "token_info" -path = "tests/token_info.rs" - and lowers the asn1 crate dependency version to 0.22. [dependencies.asn1] -version = "0.23" +version = "0.22" Both of these are reasonable, but: - The metadata patch is also subject to https://docs.fedoraproject.org/en-US/packaging-guidelines/PatchUpstreamStatus/, and should have comments explaining what it does and why. You can encode these in rust2rpm.toml: [package] cargo-toml-patch-comments = [ "Omit three tests that expect to run in the workspace", "Allow older version 0.22 of asn1 for now, RHBZ#2402490", ] - It would be much better to widen the version range for asn1 rather than *requiring* an older release. That way, it will be easy to tell that this package does not *block* an update, and the patch will not have to be backed out when we are ready to update rust-asn1. Try this: [dependencies.asn1] -version = "0.23" +version = ">=0.22, <0.24" ---- The following directories are unowned: Note: Directories without known owners: /usr/share/p11-kit, /usr/share/p11-kit/modules, /usr/lib64/pkcs11 If there is a natural dependendency on a package that owns these, then it can be added. For example, if the siguldry-pkcs11 binary package only functions with p11-kit installed, then you can add Requires: p11-kit and that will also take care of directory ownership. Otherwise, you should co-own the directories. %dir %{_datadir}/p11-kit %dir %{_datadir}/p11-kit/modules %dir %{_libdir}/pkcs11 See the relevant guidelines for more details and advice: https://docs.fedoraproject.org/en-US/packaging-guidelines/#_file_and_directory_ownership. ---- A manual dependency on siguldry is added. I’m assuming this is correct. +Requires: siguldry >= 0.5.0 If you are not already doing so, you can encode this in rust2rpm.toml: [package] bin-package-extra = "Requires: siguldry >= 0.5.0" ---- The License expression for the binary package is present and appears to be correctly formed. To make it easier to detect changes in the licenses coming from Rust dependencies, it’s conventional to paste the raw output of %{cargo_license_summary} above the License field. # (MIT OR Apache-2.0) AND Unicode-DFS-2016 # Apache-2.0 # Apache-2.0 OR MIT # Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT # BSD-2-Clause OR Apache-2.0 OR MIT # BSD-3-Clause # BSL-1.0 # ISC # LGPL-2.0-or-later # MIT # MIT OR Apache-2.0 # Unicode-3.0 # Unlicense OR MIT Then, while the License expression is valid and correct, there are a few things that we often do in the Rust SIG to make it easier to understand and audit. - Parentheses grouping AND expressions are not needed. So "(A AND B) AND C" can just be "A AND B AND C", and "((MIT OR Apache-2.0) AND Unicode-DFS-2016) AND …" can be "(MIT OR Apache-2.0) AND Unicode-DFS-2016 AND …" - Duplicate terms can be removed. Order doesn’t matter here: (A OR B) is the same as (B OR A), so "(MIT OR Apache-2.0) AND (Apache-2.0 OR MIT)" can be just "(MIT OR Apache-2.0)" or just "(Apache-2.0 OR MIT)". - Terms can be reordered, if that’s helpful. A convention Fabio Valentini often uses, which works pretty well for relatively simple license expressions, is to start with the term(s) corresponding to the source license, then simple license terms in alphabetical order, then sub-expressions in alphabetical order. There’s more than one way to approach this, and this is just one way. - You can use the %{shrink: …} macro to write the license expression one-term-per-line, which makes it easier to read and diff. All together, that means you could write something like: # (MIT OR Apache-2.0) AND Unicode-DFS-2016 […] # Unlicense OR MIT License: %{shrink: MIT AND Apache-2.0 AND BSD-3-Clause AND BSL-1.0 AND ISC AND LGPL-2.0-or-later AND Unicode-3.0 AND Unicode-DFS-2016 AND (Apache-2.0 OR MIT) AND (Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT) AND (BSD-2-Clause OR Apache-2.0 OR MIT) AND Unlicense OR MIT } Again, what you have in License is not *wrong*, but the form suggested above is hopefully a bit more useful to human eyes, and has worked well for maintenance thus far in the Rust SIG. ---- Installing the shared-library plugin and the siguldry.module appears to be handled correctly. If you are not already adding this to rust2rpm.toml, you can; look in the rust2rpm.toml man page for scripts.install.post, package.suppress-cdylib-install-fixme, and package.extra-files. ---- The package is not ExcludeArch/ExclusiveArch, but it fails to build on architectures other than x86_64. https://koji.fedoraproject.org/koji/taskinfo?taskID=143490286 On i686, there are a large number of errors related to 64-bit assumptions. This one is easy: it’s unlikely anything will depend on this on i686, so you can add: # https://fedoraproject.org/wiki/Changes/EncourageI686LeafRemoval ExcludeArch: %{ix86} On aarch64, ppc64le, and s390x, we have: error[E0308]: mismatched types --> src/lib.rs:388:54 | 388 | let interface_name = unsafe { CStr::from_ptr(pInterfaceName as *const i8) }; | -------------- ^^^^^^^^^^^^^^^^^^^^^^^^^^^ expected `*const u8`, found `*const i8` | | | arguments to this function are incorrect | = note: expected raw pointer `*const u8` found raw pointer `*const i8` note: associated function defined here --> library/core/src/ffi/c_str.rs:253:24 For more information about this error, try `rustc --explain E0308`. This reflects an assumption that C "char" is "signed char" rather than "unsigned char"; in fact, this is implementation-defined, and varies in practice across primary architectures. Fortunately, this is easy to fix. You can apply https://github.com/fedora-infra/siguldry/pull/161 as a patch. You may already know that, to get a patch that applies to the published crate with -p1, you can use “git format-patch --relative” from the siguldry-pkcs11 subdirectory of the upstream git repository. ===== MUST items ===== C/C++: [x]: Development (unversioned) .so files in -devel subpackage, if present. Note: Unversioned so-files in private %_libdir subdirectory (see attachment). Verify they are not in ld path. The file %{_libdir}/pkcs11/libsiguldry_pkcs11.so is a plugin, so it is correct that it is unversioned. It appears to be correctly installed, and is not in the default linker search path. Generic: [x]: Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines. [x]: License field in the package spec file matches the actual license. Note: Checking patched sources after %prep for licenses. Licenses found: "Unknown or generated", "MIT License". 6 files have unknown license. Detailed output of licensecheck in /home/ben/fedora/review/2448376-rust-siguldry-pkcs11/licensecheck.txt I do have some suggestions for improving how the License expression for the binary package is written, in the narrative section at the top of this review. [!]: Package must own all directories that it creates. Note: Directories without known owners: /usr/share/p11-kit, /usr/share/p11-kit/modules, /usr/lib64/pkcs11 I commented on this in the narrative section at the top of this review. [x]: %build honors applicable compiler flags or justifies otherwise. [x]: Package contains no bundled libraries or specifies bundled libraries with Provides: bundled(<libname>) if unbundling is not possible. [x]: Changelog in prescribed format. [x]: Sources contain only permissible code or content. [-]: Package contains desktop file if it is a GUI application. [x]: Development files must be in a -devel package [x]: Package uses nothing in %doc for runtime. [x]: Package consistently uses macros (instead of hard-coded directory names). [x]: Package is named according to the Package Naming Guidelines. [x]: Package does not generate any conflict. [x]: Package obeys FHS, except libexecdir and /usr/target. [-]: If the package is a rename of another package, proper Obsoletes and Provides are present. [x]: Requires correct, justified where necessary. [x]: Spec file is legible and written in American English. [x]: Package contains systemd file(s) if in need. [x]: Useful -debuginfo package or justification otherwise. [!]: Package is not known to require an ExcludeArch tag. Fails to build on anything but x86_64. [x]: Package complies to the Packaging Guidelines [x]: Package successfully compiles and builds into binary rpms on at least one supported primary architecture. [x]: Package installs properly. [x]: Rpmlint is run on all rpms the build produces. Note: No rpmlint messages. [x]: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %license. [x]: The License field must be a valid SPDX expression. [x]: Package requires other packages for directories it uses. [x]: Package does not own files or directories owned by other packages. [x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT [x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install. [x]: Macros in Summary, %description expandable at SRPM build time. [x]: Dist tag is present. [x]: Package does not contain duplicates in %files. [x]: Permissions on files are set properly. [x]: Package must not depend on deprecated() packages. [x]: Package use %makeinstall only when make install DESTDIR=... doesn't work. [x]: Package is named using only allowed ASCII characters. [x]: Package does not use a name that already exists. [x]: Package is not relocatable. [x]: Sources used to build the package match the upstream source, as provided in the spec URL. [x]: Spec file name must match the spec package %{name}, in the format %{name}.spec. [x]: File names are valid UTF-8. [x]: Large documentation must go in a -doc subpackage. Large could be size (~1MB) or number of files. Note: Documentation size is 5604 bytes in 2 files. [x]: Packages must not store files under /srv, /opt or /usr/local ===== SHOULD items ===== Generic: [-]: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it. [x]: Final provides and requires are sane (see attachments). [?]: Package functions as described. Tests are correctly built and executed, but in practice there are no tests included in the crate that we can run. [x]: Latest version is packaged. [x]: Package does not include license text files separate from upstream. [!]: Patches link to upstream bugs/comments/lists or are otherwise justified. The metadata patch could use some commentary. [-]: Sources are verified with gpgverify first in %prep if upstream publishes signatures. Note: gpgverify is not used. [!]: Package should compile and build into binary rpms on all supported architectures. https://koji.fedoraproject.org/koji/taskinfo?taskID=143490286 [x]: %check is present and all tests pass. Tests are correctly built and executed, but in practice there are no tests included in the crate that we can run. [x]: Packages should try to preserve timestamps of original installed files. [x]: Reviewer should test that the package builds in mock. [x]: Buildroot is not present [x]: Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT) [x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin. [x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file [x]: Sources can be downloaded from URI in Source: tag [x]: SourceX is a working URL. [x]: Spec use %global instead of %define unless justified. ===== EXTRA items ===== Generic: [!]: Spec file according to URL is the same as in SRPM. Note: Spec file as given by url is not the same as in SRPM (see attached diff). See: (this test has no URL) [x]: Rpmlint is run on all installed packages. Note: No rpmlint messages. [x]: Large data in /usr/share should live in a noarch subpackage if package is arched. Rpmlint ------- Checking: siguldry-pkcs11-1.0.0-1.fc45.x86_64.rpm rust-siguldry-pkcs11-1.0.0-1.fc45.src.rpm ============================ rpmlint session starts ============================ rpmlint: 2.8.0 configuration: /usr/lib/python3.14/site-packages/rpmlint/configdefaults.toml /etc/xdg/rpmlint/fedora-spdx-licenses.toml /etc/xdg/rpmlint/fedora.toml /etc/xdg/rpmlint/scoring.toml /etc/xdg/rpmlint/users-groups.toml /etc/xdg/rpmlint/warn-on-functions.toml rpmlintrc: [PosixPath('/tmp/tmpn3zyc88y')] checks: 32, packages: 2 2 packages and 0 specfiles checked; 0 errors, 0 warnings, 7 filtered, 0 badness; has taken 0.2 s Rpmlint (installed packages) ---------------------------- ============================ rpmlint session starts ============================ rpmlint: 2.8.0 configuration: /usr/lib/python3.14/site-packages/rpmlint/configdefaults.toml /etc/xdg/rpmlint/fedora-spdx-licenses.toml /etc/xdg/rpmlint/fedora.toml /etc/xdg/rpmlint/scoring.toml /etc/xdg/rpmlint/users-groups.toml /etc/xdg/rpmlint/warn-on-functions.toml checks: 32, packages: 1 1 packages and 0 specfiles checked; 0 errors, 0 warnings, 3 filtered, 0 badness; has taken 0.1 s Unversioned so-files -------------------- siguldry-pkcs11: /usr/lib64/pkcs11/libsiguldry_pkcs11.so Source checksums ---------------- https://crates.io/api/v1/crates/siguldry-pkcs11/1.0.0/download#/siguldry-pkcs11-1.0.0.crate : CHECKSUM(SHA256) this package : 89c4ae4bd2e8b5931dedb294510422fad525afe4d1960ca675a5074fd44854cd CHECKSUM(SHA256) upstream package : 89c4ae4bd2e8b5931dedb294510422fad525afe4d1960ca675a5074fd44854cd Requires -------- siguldry-pkcs11 (rpmlib, GLIBC filtered): ld-linux-x86-64.so.2()(64bit) libc.so.6()(64bit) libcrypto.so.3()(64bit) libcrypto.so.3(OPENSSL_3.0.0)(64bit) libgcc_s.so.1()(64bit) libgcc_s.so.1(GCC_3.0)(64bit) libgcc_s.so.1(GCC_3.3)(64bit) libgcc_s.so.1(GCC_4.2.0)(64bit) libssl.so.3()(64bit) libssl.so.3(OPENSSL_3.0.0)(64bit) rtld(GNU_HASH) siguldry Provides -------- siguldry-pkcs11: libsiguldry_pkcs11.so()(64bit) siguldry-pkcs11 siguldry-pkcs11(x86-64) Diff spec file in url and in SRPM --------------------------------- --- /home/ben/fedora/review/2448376-rust-siguldry-pkcs11/srpm/rust-siguldry-pkcs11.spec 2026-03-18 15:04:51.879117296 +0000 +++ /home/ben/fedora/review/2448376-rust-siguldry-pkcs11/srpm-unpacked/rust-siguldry-pkcs11.spec 2026-03-18 00:00:00.000000000 +0000 @@ -1,2 +1,12 @@ +## START: Set by rpmautospec +## (rpmautospec version 0.8.3) +## RPMAUTOSPEC: autorelease, autochangelog +%define autorelease(e:s:pb:n) %{?-p:0.}%{lua: + release_number = 1; + base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}")); + print(release_number + base_release_number - 1); +}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}} +## END: Set by rpmautospec + # Generated by rust2rpm 28 %bcond check 1 @@ -63,3 +73,6 @@ %changelog -%autochangelog +## START: Generated by rpmautospec +* Wed Mar 18 2026 John Doe <[email protected]> - 1.0.0-1 +- Uncommitted changes +## END: Generated by rpmautospec Generated by fedora-review 0.11.0 (05c5b26) last change: 2025-11-29 Command line :/usr/bin/fedora-review -b 2448376 Buildroot used: fedora-rawhide-x86_64 Active plugins: Shell-api, Generic Disabled plugins: Perl, Python, fonts, Haskell, R, Java, PHP, SugarActivity, Ocaml, C/C++ Disabled flags: EXARCH, EPEL6, EPEL7, DISTTAG, BATCH -- You are receiving this mail because: You are always notified about changes to this product and component You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2448376 Report this comment as SPAM: https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla&format=report-spam&short_desc=Report%20of%20Bug%202448376%23c6 -- _______________________________________________ package-review mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
