From Fedora Project Wiki

Cloned from ["Packaging/ReviewGuidelines"] .

Package Review Guidelines

This is a set of guidelines for Package Reviews. Note that a complete list of things to check for would be impossible, but every attempt has been made to make this document as comprehensive as possible. Reviewers and contributors (packagers) should use their best judgement whenever items are unclear, and if in doubt, ask on the fedora-package-review list.

Author: Tom 'spot' Callaway
Revision: 0.16
Initial Draft: Monday Jun 27, 2005
Last Revised: Wed May 31, 2006


Review Purpose

In order for a new package to be accepted into CVS, that package must first undertake a formal review. The purpose of this formal review is to try to ensure that the package meets the quality control requirements for Fedora. This does not mean that the package (or the software being packaged) is perfect, but it should meet baseline minimum requirements for quality.

Review Process

There are two roles in the review process, that of the contributor and that of the reviewer. In this document, we'll present both perspectives.

Contributor

A Contributor is defined as someone who wants to submit (and maintain) a package in Fedora Extras or Core (Note: Currently only Red Hat employees can maintain a package in Core).

As a Contributor, you should have already made a package which adheres to the Package Naming Guidelines and Packaging Guidelines . You should also be aware of ForbiddenItems. If you are unsure how to become a contributor, you should read ["Extras/Contributors"] .

When you're happy with your spec file, you should then submit that SRPM to a package review. Currently, this is done by following these steps:

1. Put your spec file and SRPM somewhere on the Internet.
2. Fill out a request for review in bugzilla. The form is here: https://bugzilla.redhat.com/bugzilla/enter_bug.cgi?product=Fedora%20Extras&format=extras-review or https://bugzilla.redhat.com/bugzilla/enter_bug.cgi?product=Fedora%20Core&format=core-review Here is what a sample bugzilla request for review looks like:

http://people.redhat.com/tcallawa/sample-review.png

3. Wait for someone to review your package!
4. When someone reviews your package, fix any blockers that they have identified. Once a package is set to FE-ACCEPT (FC-ACCEPT for Core) by the reviewer, go to Step 5 (NOTE: Steps 5+ are for Extras packages only. Core packages follow a different path).
5. Import your package into CVS.
6. Add an entry for your package into the owners.list (in the owners module in CVS). Keep the list alphabetized by package.
7. Cvs checkout the package, do a final check of spec file tags, etc, and run "make tag".
8. Request a build.
9. Once the package is built, close the bugzilla review ticket as NEXTRELEASE.

You do not need to go through the review process again for subsequent package changes.

Reviewer

A Reviewer is defined as the person who chooses to review a package. For the sake of clarity, one person takes ownership of the review. Other people are encouraged to comment on the review as well, either in the bug or on the mailing list. The primary Reviewer can be any current package owner, unless the Contributor is a first timer.

  • If you wish to be a Reviewer, make sure you have the proper permissions on your Fedora account. Follow the steps below.
  • Go to: https://admin.fedora.redhat.com/accounts/
  • Click the "Edit your account" link
  • Go to the "Add new membership" section and fill out the fields as follows
  • Groupname: fedorabugs
  • Role type: user
  • Role domain: -empty-
  • If the Contributor is not sponsored, the review must be done by a Sponsor. You can check if a Contributor has already been sponsored by looking in the packager group of the account system .

As a Reviewer, your job is to review the packages submitted in bugzilla request for reviews. You can see all the packages that need reviews by going here:
https://bugzilla.redhat.com/bugzilla/showdependencytree.cgi?id=FE-NEW&hide_resolved=1 or https://bugzilla.redhat.com/bugzilla/showdependencytree.cgi?id=FC-NEW&hide_resolved=1

So, starting with a request for review that is blocking FE-NEW (aka, bz #163776) or FC-NEW (aka, bz #188265):

1. Change the blocking bug from FE-NEW to FE-REVIEW, or FC-NEW to FC-REVIEW. (FE-REVIEW is bz #163778, FC-REVIEW is bz #188267)
2. Assign the bug to yourself.
3. Review the package.

  • You should go through the MUST items listed below in "Things To Check On Review"
  • It also doesn't hurt to go through the SHOULD items.

4. Take one of the following actions:

  • ACCEPT: If the package is good, change the blocker bug from FE-REVIEW to FE-ACCEPT or FC-REVIEW to FC-ACCEPT. (FE-ACCEPT is bz #163779, FC-ACCEPT is bz #188268)
  • (Extras Only) If the Reviewer is also acting as Sponsor for the Contributor, then this is the time to sponsor the Contributor in the account system .
  • FAIL, LEGAL: If the package is legally risky for whatever reason (known patent or copyright infringement, trademark concerns) close the bug WONTFIX and leave an appropriate comment (i.e. we don't ship mp3, so stop submitting it).
  • FAIL, OTHER: If the package is just way off or unsuitable for some other reason, and there is no simple fix, then close the bug WONTFIX and leave an appropriate comment (i.e. we don't package pornography for redistribution, sorry. Or, this isn't a specfile, it's a McDonald's menu, sorry.)
  • NEEDSWORK: Anything that isn't explicitly failed should be left open while the submitter and reviewer work together to fix any potential issues.

5. Once a package is in FE-ACCEPT / FC-ACCEPT (or is failed), the Reviewer's job is done.

Things To Check On Review

There are many many things to check for a review. This list is provided to assist new reviewers in identifying areas that they should look for, but is by no means complete. Reviewers should use their own good judgement when reviewing packages. The items listed fall into two categories: SHOULD and MUST. Items marked as SHOULD are things that the package (or reviewer) SHOULD do, but is not required to do. Items marked as MUST are things that the package (or reviewer) MUST do. If a package fails a MUST item, that is considered a blocker. No package with blockers can be approved on a review. Those items must be fixed before approval can be given.

MUST Items:

- MUST: rpmlint must be run on every package. The output should be posted in the review.
- MUST: The package must be named according to the Package Naming Guidelines .
- MUST: The spec file name must match the base package %{name}, in the format %{name}.spec
- MUST: The package must meet the Packaging Guidelines .
- MUST: The package must be licensed with an open-source compatible license and meet other legal requirements as defined in the [wiki:Self:Packaging/Guidelines#Legal legal section of Packaging Guidelines] .
- MUST: The License field in the package spec file must match the actual license.
- MUST: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package must be included in %doc.
- MUST: The spec file must be written in American English.
- MUST: The spec file for the package MUST be legible. If the reviewer is unable to read the spec file, it will be impossible to perform a review. Fedora is not the place for entries into the Obfuscated Code Contest (http://www.ioccc.org/).
- MUST: The sources used to build the package must match the upstream source, as provided in the spec URL. Reviewers should use md5sum for this task.
- MUST: The package must successfully compile and build into binary rpms on at least one supported architecture.
- MUST: If the package does not successfully compile, build or work on an architecture, then those architectures should be listed in the spec in ExcludeArch. Each architecture listed in ExcludeArch needs to have a bug filed in bugzilla, describing the reason that the package does not compile/build/work on that architecture. The bug number should then be placed in a comment, next to the corresponding ExcludeArch line. New packages will not have bugzilla entries during the review process, so they should put this description in the comment until the package is approved, then file the bugzilla entry, and replace the long explanation with the bug number. (Extras Only) The bug should be marked as blocking one (or more) of the following bugs to simplify tracking such issues: FE-ExcludeArch-x86 , FE-ExcludeArch-x64 , FE-ExcludeArch-ppc
- MUST: All build dependencies must be listed in BuildRequires, except for any that are listed in the [wiki:Self:Packaging/Guidelines#Exceptions exceptions section of Packaging Guidelines] ; inclusion of those as BuildRequires is optional. Apply common sense.
- MUST: The spec file MUST handle locales properly. This is done by using the %find_lang macro. Using %{_datadir}/locale/* is strictly forbidden.
- MUST: If the package contains shared library files located in the dynamic linker's default paths, that package must call ldconfig in %post and %postun. If the package has multiple subpackages with libraries, each subpackage should also have a %post/%postun section that calls /sbin/ldconfig. An example of the correct syntax for this is: 

%post -p /sbin/ldconfig

%postun -p /sbin/ldconfig


- MUST: If the package is designed to be relocatable, the packager must state this fact in the request for review, along with the rationalization for relocation of that specific package. Without this, use of Prefix: /usr is considered a blocker.
- MUST: A package must own all directories that it creates. If it does not create a directory that it uses, then it should require a package which does create that directory. The exception to this are directories listed explicitly in the Filesystem Hierarchy Standard (http://www.pathname.com/fhs/pub/fhs-2.3.html), as it is safe to assume that those directories exist.
- MUST: A package must not contain any duplicate files in the %files listing.
- MUST: Permissions on files must be set properly. Executables should be set with executable permissions, for example. Every %files section must include a %defattr(...) line.
- MUST: Each package must have a %clean section, which contains rm -rf %{buildroot} ([wiki:Self:Packaging/Guidelines#UsingBuildRootOptFlags or $RPM_BUILD_ROOT] ).
- MUST: Each package must consistently use macros, as described in the [wiki:Self:Packaging/Guidelines#macros macros section of Packaging Guidelines] .
- MUST: The package must contain code, or permissable content. This is described in detail in the [wiki:Self:Packaging/Guidelines#CodeVsContent code vs. content section of Packaging Guidelines] .
- MUST: Large documentation files should go in a -doc subpackage. (The definition of large is left up to the packager's best judgement, but is not restricted to size. Large can refer to either size or quantity)
- MUST: If a package includes something as %doc, it must not affect the runtime of the application. To summarize: If it is in %doc, the program must run properly if it is not present.
- MUST: Header files or static libraries must be in a -devel package.
- MUST: Files used by pkgconfig (.pc files) must be in a -devel package.
- MUST: If a package contains library files with a suffix (e.g. libfoo.so.1.1), then library files that end in .so (without suffix) must go in a -devel package.
- MUST: In the vast majority of cases, devel packages must require the base package using a fully versioned dependency: Requires: %{name} = %{version}-%{release}
- MUST: Packages must NOT contain any .la libtool archives, these should be removed in the spec.
- MUST: Packages containing GUI applications must include a %{name}.desktop file, and that file must be properly installed with desktop-file-install in the %install section. This is described in detail in the [wiki:Self:Packaging/Guidelines#desktop desktop files section of Packaging Guidelines] . If you feel that your packaged GUI application does not need a .desktop file, you must put a comment in the spec file with your explanation.
- MUST: Packages must not own files or directories already owned by other packages. The rule of thumb here is that the first package to be installed should own the files or directories that other packages may rely upon. This means, for example, that no package in Fedora should ever share ownership with any of the files or directories owned by the filesystem or man package. If you feel that you have a good reason to own a file or directory that another package owns, then please present that at package review time.

SHOULD Items:

- SHOULD: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it.
- SHOULD: The description and summary sections in the package spec file should contain translations for supported Non-English languages, if available.
- SHOULD: The reviewer should test that the package builds in mock.
- SHOULD: The package should compile and build into binary rpms on all supported architectures.
- SHOULD: The reviewer should test that the package functions as described. A package should not segfault instead of running, for example.
- SHOULD: If scriptlets are used, those scriptlets must be sane. This is vague, and left up to the reviewers judgement to determine sanity.
- SHOULD: Usually, subpackages other than devel should require the base package using a fully versioned dependency.

Tracking of Package Requests

  • FE-NEW (New Extras Review Requests)
  • FC-NEW (New Core Review Requests)
  • FE-NEEDSPONSOR (New Extras Review Requests waiting for Review from sponsor)
  • FE-REVIEW (Extras Packages Currently Under Review)
  • FC-REVIEW (Core Packages Currently Under Review)
  • FE-ACCEPT (Extras Packages Accepted, Implementation Pending)
  • FC-ACCEPT (Core Packages Accepted, Implementation Pending)
Retrieved from "https://fedoraproject.org/w/index.php?title=JasonTibbitts/ReviewGuidelines&oldid=44858"