https://bugzilla.redhat.com/show_bug.cgi?id=1615641

            Bug ID: 1615641
           Summary: Review Request: compliance-masonry - Security
                    Documentation Builder
           Product: Fedora
           Version: rawhide
         Component: Package Review
          Severity: medium
          Assignee: nob...@fedoraproject.org
          Reporter: redhatri...@gmail.com
        QA Contact: extras...@fedoraproject.org
                CC: extras...@fedoraproject.org, nob...@fedoraproject.org,
                    package-review@lists.fedoraproject.org,
                    projects...@smart.ms, ralf...@redhat.com,
                    redhatri...@gmail.com, zebo...@gmail.com



+++ This bug was initially created as a clone of Bug #1609038 +++

Spec URL:
https://copr-be.cloud.fedoraproject.org/results/rga/compliance-masonry/fedora-rawhide-x86_64/00781200-compliance-masonry/compliance-masonry.spec
SRPM URL:
https://copr-be.cloud.fedoraproject.org/results/rga/compliance-masonry/fedora-rawhide-x86_64/00781200-compliance-masonry/compliance-masonry-1.1.4-2.src.rpm

Koji Scratch build:
https://koji.fedoraproject.org/koji/tasks?state=closed&owner=rga&view=tree&method=all&order=-id
Copr Builds:
https://copr.fedorainfracloud.org/coprs/rga/compliance-masonry/monitor/

Description: Compliance Masonry is a command-line interface (CLI) that allows
users to construct certification documentation using the OpenControl Schema.

Fedora Account System Username: rga

--- Additional comment from  on 2018-07-26 15:27:30 EDT ---

This is my first package.

I would like to add it to EPEL7, F27, F28, F29, and Rawhide.

--- Additional comment from Robert-André Mauchin on 2018-07-26 16:23:57 EDT ---

 - Use a more meaningful name for your archive:

Source0:        https://%{provider_prefix}/archive/v%{version}/%{name}-%{version}.tar.gz

 - Add a comment above the patch describing why it is needed.

 - You should unbundle the dependencies and remove the vendor directory in
%prep (might take a while). That implies packaging any missing dependency.

 - It is not ok to apply a patch on some architecture only. The arch detection
if needed should be in the patched code itself.

 - with_bundled isn't defined anywhere.


There's a new way to package the Go libraries, see
https://fedoraproject.org/wiki/More_Go_packaging and samples:
https://eclipseo.fedorapeople.org/golang/

It would be great to convert to the new style for F27-Rawhide and keep the old
style for EPEL7.

--- Additional comment from  on 2018-07-26 18:59:36 EDT ---

> - Use a more meaningful name for your archive: 
>
> Source0:        https://%{provider_prefix}/archive/v%{version}/%{name}-%{version}.tar.gz

That results in the source URL no longer being valid, and doesn't that go
against the Fedora URL guidelines, which want the actual source URL?

> - Add a comment above the patch describing why it is needed.

Will fix

> - You should unbundle the dependencies and remove the vendor directory in 
> %prep (might take a while). That implies packaging any missing dependency.

This was recommended to me by one of the package wranglers as well as the cri-o
people until the Go packaging guidelines are finalized.

> - It is not ok to apply a patch on some architecture only. The arch detection 
> if needed should be in the patched code itself.

Will fix

> - with_bundled isn't defined anywhere.

Will fix

> There's a new way to package the Go libraries, see 
> https://fedoraproject.org/wiki/More_Go_packaging and samples: 
> https://eclipseo.fedorapeople.org/golang/
>
> It would be great to convert to the new style for F27-Rawhide and keep the 
> old style for EPEL7.

That looks to be a proposal. Does the draft not have precedence?

--- Additional comment from Robert-André Mauchin on 2018-07-26 19:13:34 EDT ---

(In reply to ralford from comment #3)
> > - Use a more meaningful name for your archive: 
> >
> > Source0:        https://%{provider_prefix}/archive/v%{version}/%{name}-%{version}.tar.gz
> 
> That results in the source URL no longer being valid, and doesn't that go
> against the Fedora URL guidelines, which want the actual source URL?
> 
The source URL I provided is valid, check again.


> > - Add a comment above the patch describing why it is needed.
> 
> Will fix
> 
> > - You should unbundle the dependencies and remove the vendor directory in 
> > %prep (might take a while). That implies packaging any missing dependency.
> 
> This was recommended to me by one of the package wranglers as well as the
> cri-o people until the Go packaging guidelines are finalized.
> 
Could take months, packages are already being unbundled.

> > - It is not ok to apply a patch on some architecture only. The arch 
> > detection if needed should be in the patched code itself.
> 
> Will fix
> 
> > - with_bundled isn't defined anywhere.
> 
> Will fix
> 
> > There's a new way to package the Go libraries, see 
> > https://fedoraproject.org/wiki/More_Go_packaging and samples: 
> > https://eclipseo.fedorapeople.org/golang/
> >
> > It would be great to convert to the new style for F27-Rawhide and keep the 
> > old style for EPEL7.
> 
> That looks to be a proposal. Does the draft not have precedence?

Most Go packages have already been converted to the new style this past year.

--- Additional comment from  on 2018-07-26 20:32:59 EDT ---

> The source URL I provided is valid, check again.

Doh! My bad. Typed it in wrong.

> Could take months, packages are already being unbundled.

Okay. Thanks for the review and answering questions. Will work through your
comments.
