-rw-r--r--.gitignore2
-rw-r--r--audited-null-licenses.toml56
-rwxr-xr-xcheck-null-licenses179
-rwxr-xr-xllhttp-packaging-bundler110
-rw-r--r--llhttp.spec261
-rw-r--r--sources2
6 files changed, 610 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
index e69de29..9103931 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+/llhttp-9.2.1-nm-dev.tar.zst
+/llhttp-9.2.1.tar.gz
diff --git a/audited-null-licenses.toml b/audited-null-licenses.toml
new file mode 100644
index 0000000..4af45e9
--- /dev/null
+++ b/audited-null-licenses.toml
@@ -0,0 +1,56 @@
+[any]
+
+[prod]
+
+[dev]
+
+# Just a module wrapper around the code in tslib, which does have a proper
+# license (0BSD) in its package.json:
+# tslib/modules
+modules = "<unknown version>"
+# A “dummy” module in the tests for tslib
+# tslib/test/validateModuleExportsMatchCommonJS
+validateModuleExportsMatchCommonJS = "<unknown version>"
+
+# Similarly, these are all just ES6 module (mjs) or CommonJS (cjs) module
+# wrappers in packages that do have proper license information:
+# node_modules_dev/@ungap/structured-clone/cjs
+# node_modules_dev/@typescript-eslint/utils/node_modules/minimatch/dist/cjs
+# node_modules_dev/@typescript-eslint/utils/node_modules/minimatch/dist/mjs
+# node_modules_dev/@typescript-eslint/parser/node_modules/minimatch/dist/cjs
+# node_modules_dev/@typescript-eslint/parser/node_modules/minimatch/dist/mjs
+# node_modules_dev/@typescript-eslint/type-utils/node_modules/minimatch/dist/cjs
+# node_modules_dev/@typescript-eslint/type-utils/node_modules/minimatch/dist/mjs
+# node_modules_dev/flatted/cjs
+cjs = "<unknown version>"
+mjs = "<unknown version>"
+
+# These are all “dummy” modules in the tests for resolve:
+# resolve/test/module_dir/zmodules/bbb
+bbb = "<unknown version>"
+# resolve/test/resolver/invalid_main
+"invalid main" = "<unknown version>"
+# resolve/test/resolver/incorrect_main
+incorrect_main = "<unknown version>"
+# resolve/test/resolver/dot_slash_main
+dot_slash_main = "<unknown version>"
+# resolve/test/resolver/dot_main
+dot_main = "<unknown version>"
+# resolve/test/resolver/baz
+baz = "<unknown version>"
+# resolve/test/resolver/browser_field
+browser_field = "<unknown version>"
+# resolve/test/resolver/symlinked/package
+package = "<unknown version>"
+
+# These are all part of nanoid, which is MIT-licensed.
+# nanoid/url-alphabet
+url-alphabet = "<unknown version>"
+# nanoid/non-secure
+non-secure = "<unknown version>"
+# nanoid/async
+async = "<unknown version>"
+
+# This is part of yargs, which is MIT-licensed.
+# mocha/node_modules/yargs/helpers
+helpers = "<unknown version>"
diff --git a/check-null-licenses b/check-null-licenses
new file mode 100755
index 0000000..fe0e4eb
--- /dev/null
+++ b/check-null-licenses
@@ -0,0 +1,179 @@
+#!/usr/bin/python3
+# -*- coding: utf-8 -*-
+
+import json
+from argparse import ArgumentParser, FileType, RawDescriptionHelpFormatter
+from pathlib import Path
+from sys import exit, stderr
+
+import tomllib
+
+
+def main():
+ args = parse_args()
+ problem = False
+ if not args.tree.is_dir():
+ return f"Not a directory: {args.tree}"
+ for pjpath in args.tree.glob("**/package.json"):
+ name, version, license = parse(pjpath)
+ identity = f"{name} {version}"
+ if version in args.exceptions.get(name, ()):
+ continue # Do not even check the license
+ elif license is None:
+ problem = True
+ print(f"Missing license in package.json for {identity}", file=stderr)
+ elif isinstance(license, dict):
+ if isinstance(license.get("type"), str):
+ continue
+ print(
+ (
+ "Missing type for (deprecated) license object in "
+ f"package.json for {identity}: {license}"
+ ),
+ file=stderr,
+ )
+ elif isinstance(license, list):
+ if license and all(
+ isinstance(entry, dict) and isinstance(entry.get("type"), str)
+ for entry in license
+ ):
+ continue
+ print(
+ (
+ "Defective (deprecated) licenses array-of objects in "
+ f"package.json for {identity}: {license}"
+ ),
+ file=stderr,
+ )
+ elif isinstance(license, str):
+ continue
+ else:
+ print(
+ (
+ "Weird type for license in "
+ f"package.json for {identity}: {license}"
+ ),
+ file=stderr,
+ )
+ problem = True
+ if problem:
+ return "At least one missing license was found."
+
+
+def parse(package_json_path):
+ with package_json_path.open("rb") as pjfile:
+ pj = json.load(pjfile)
+ try:
+ license = pj["license"]
+ except KeyError:
+ license = pj.get("licenses")
+ try:
+ name = pj["name"]
+ except KeyError:
+ name = package_json_path.parent.name
+ version = pj.get("version", "<unknown version>")
+
+ return name, version, license
+
+
+def parse_args():
+ parser = ArgumentParser(
+ formatter_class=RawDescriptionHelpFormatter,
+ description=("Search for bundled dependencies without declared licenses"),
+ epilog="""
+
+The exceptions file must be a TOML file with zero or more tables. Each table’s
+keys are package names; the corresponding values values are exact version
+number strings, or arrays of version number strings, that have been manually
+audited to determine their license status and should therefore be ignored.
+
+Exceptions in a table called “any” are always applied. Otherwise, exceptions
+are applied only if a corresponding --with TABLENAME argument is given;
+multiple such arguments may be given.
+
+For
+example:
+
+ [any]
+ example-foo = "1.0.0"
+
+ [prod]
+ example-bar = [ "2.0.0", "2.0.1",]
+
+ [dev]
+ example-bat = [ "3.7.4",]
+
+would always ignore version 1.0.0 of example-foo. It would ignore example-bar
+2.0.1 only when called with “--with prod”.
+
+Comments may (and should) be used to describe the manual audits upon which the
+exclusions are based.
+
+Otherwise, any package.json with missing or null license field in the tree is
+considered an error, and the program returns with nonzero status.
+""",
+ )
+ parser.add_argument(
+ "-x",
+ "--exceptions",
+ type=FileType("rb"),
+ help="Manually audited package versions file",
+ )
+ parser.add_argument(
+ "-w",
+ "--with",
+ action="append",
+ default=[],
+ help="Enable a table in the exceptions file",
+ )
+ parser.add_argument(
+ "tree",
+ metavar="node_modules_dir",
+ type=Path,
+ help="Path to search recursively",
+ default=".",
+ )
+ args = parser.parse_args()
+
+ if args.exceptions is None:
+ args.exceptions = {}
+ xname = None
+ else:
+ with args.exceptions as xfile:
+ xname = getattr(xfile, "name", "<exceptions>")
+ args.exceptions = tomllib.load(args.exceptions)
+ if not isinstance(args.exceptions, dict):
+ parser.error(f"Invalid format in {xname}: not an object")
+ for tablename, table in args.exceptions.items():
+ if not isinstance(table, dict):
+ parser.error(f"Non-table entry in {xname}: {tablename} = {table!r}")
+ overlay = {}
+ for key, value in table.items():
+ if isinstance(value, str):
+ overlay[key] = [value]
+ elif not isinstance(value, list) or not all(
+ isinstance(entry, str) for entry in value
+ ):
+ parser.error(
+ f"Invalid format in {xname} in [{tablename}]: "
+ f"{key!r} = {value!r}"
+ )
+ table.update(overlay)
+
+ x = args.exceptions.get("any", {})
+ for add in getattr(args, "with"):
+ try:
+ x.update(args.exceptions[add])
+ except KeyError:
+ if xname is None:
+ parser.error(f"No table {add}, as no exceptions file was given")
+ else:
+ parser.error(f"No table {add} in {xname}")
+ # Store the merged dictionary
+ args.exceptions = x
+
+ return args
+
+
+if __name__ == "__main__":
+ exit(main())
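Review bot: The exception test in `main`, `if version in args.exceptions.get(name, ())`, keys only on the name returned by `parse`, which falls back to the bare directory name when a package.json has no `name` and to `"<unknown version>"` when it has no `version`; an entry such as `cjs = "<unknown version>"` or `package = "<unknown version>"` in audited-null-licenses.toml therefore silences every nameless, versionless package.json in a directory of that name anywhere under the tree, which is wider than the specific paths recorded in that file's comments. A cheap way to keep the audit reviewable is to report each exception as it is applied, replacing the bare `continue` with `print(f"Skipping audited {identity}: {pjpath}", file=stderr)` followed by `continue`, so the skipped paths can be compared against the audited list. Separately, `parse` lets a `json.JSONDecodeError` from a malformed package.json escape as a traceback out of the loop in `main`; catching it there and counting it as a problem would give the same non-zero exit with a readable message and still report the remaining packages.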
diff --git a/llhttp-packaging-bundler b/llhttp-packaging-bundler
new file mode 100755
index 0000000..e0cb8ef
--- /dev/null
+++ b/llhttp-packaging-bundler
@@ -0,0 +1,110 @@
+#!/bin/bash
+set -o nounset
+set -o errexit
+
+OUTPUT_DIR="$(rpm -E '%{_sourcedir}')"
+SPEC_FILE="${PWD}/llhttp.spec"
+
+usage() {
+ cat 1>&2 <<EOF
+Usage: $(basename "$0")
+
+Given llhttp.spec in the working directory, download the source and the prod
+and dev dependencies, each in their own tarball.
+
+Also finds licenses for prod dependencies.
+
+All three tarballs and the license list are copied to
+${OUTPUT_DIR}.
+EOF
+ exit 1
+}
+
+if ! [[ -f /usr/bin/npm ]]
+then
+ cat 1>&2 <<EOF
+$(basename "${0}") requires npm to run
+
+Run the following to fix this:
+ sudo dnf install npm
+
+EOF
+ exit 2
+fi
+
+if [[ $# -gt 0 ]]; then
+ usage
+fi
+
+TMP_DIR="$(mktemp -d -t ci-XXXXXXXXXX)"
+trap "cd /; rm -rf '${TMP_DIR}'" INT TERM EXIT
+cd "${TMP_DIR}"
+
+echo "Reading ${SPEC_FILE}; downloading source archive" 1>&2
+VERSION="$(awk '$1 == "Version:" { print $2; exit }' "${SPEC_FILE}")"
+echo "Version is ${VERSION}" 1>&2
+echo "Downloading source archive" 1>&2
+spectool -g "${SPEC_FILE}"
+
+ARCHIVE="$(
+ find . -mindepth 1 -maxdepth 1 -type f -name '*.tar.gz' -print -quit
+)"
+echo "Downloaded $(basename "${ARCHIVE}")" 1>&2
+
+tar -xzf "${ARCHIVE}"
+XDIR="$(find . -mindepth 1 -maxdepth 1 -type d -print -quit)"
+echo "Extracted to $(basename "${XDIR}")" 1>&2
+
+cd "${XDIR}"
+
+echo "Downloading prod dependencies" 1>&2
+# Compared to nodejs-packaging-bundler, we must add --ignore-scripts or npm
+# unsuccessfully attempts to build the package.
+npm install --no-optional --only=prod --ignore-scripts
+echo "Successful prod dependencies download" 1>&2
+mv node_modules/ node_modules_prod
+
+echo "LICENSES IN BUNDLE:"
+LICENSE_FILE="${TMP_DIR}/llhttp-${VERSION}-bundled-licenses.txt"
+find . -name 'package.json' -exec jq '.license | strings' '{}' ';' \
+ >> "${LICENSE_FILE}"
+for what in '.license | objects | .type' '.licenses[] .type'
+do
+ find . -name 'package.json' -exec jq "${what}" '{}' ';' \
+ >> "${LICENSE_FILE}" 2>/dev/null
+done
+sort -u -o "${LICENSE_FILE}" "${LICENSE_FILE}"
+
+# Locate any dependencies without a provided license
+find . -type f -name 'package.json' -execdir jq \
+ 'if .license==null and .licenses==null then .name else null end' '{}' '+' |
+ grep -vE '^null$' |
+ sort -u > "${TMP_DIR}/nolicense.txt"
+
+if [[ -s "${TMP_DIR}/nolicense.txt" ]]
+then
+ echo -e "\e[5m\e[41mSome dependencies do not list a license. Manual verification required!\e[0m"
+ cat "${TMP_DIR}/nolicense.txt"
+ echo -e "\e[5m\e[41m======================================================================\e[0m"
+fi
+
+echo "Downloading dev dependencies" 1>&2
+# Compared to nodejs-packaging-bundler, we must add --ignore-scripts or npm
+# unsuccessfully attempts to build the package.
+npm install --no-optional --only=dev --ignore-scripts
+echo "Successful dev dependencies download" 1>&2
+mv node_modules/ node_modules_dev
+
+if [[ -d node_modules_prod ]]
+then
+ tar -cf "../llhttp-${VERSION}-nm-prod.tar" node_modules_prod
+fi
+if [[ -d node_modules_dev ]]
+then
+ tar -cf "../llhttp-${VERSION}-nm-dev.tar" node_modules_dev
+fi
+zstdmt --ultra -22 "../llhttp-${VERSION}-nm-prod.tar" "../llhttp-${VERSION}-nm-dev.tar"
+
+cd ..
+find . -mindepth 1 -maxdepth 1 -type f \( -name "$(basename "${ARCHIVE}")" \
+ -o -name "llhttp-${VERSION}*" \) -exec cp -vp '{}' "${OUTPUT_DIR}" ';'
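Review bot: `npm install --no-optional --only=prod --ignore-scripts` (and the `--only=dev` call below it) lets npm resolve dependency versions at bundling time, so the contents of the `-nm-prod`/`-nm-dev` tarballs that the package later pins by checksum are reproducible only if the extracted upstream archive ships a lockfile that npm honours; if llhttp provides a package-lock.json, `npm ci` would refuse to proceed on a lockfile/package.json mismatch instead of silently re-resolving. `--only` and `--no-optional` are also listed as deprecated in newer npm releases, so the flag set is worth re-checking against the npm version this script is expected to run with. A comment such as `# npm install (not ci): re-resolves unless package-lock.json is present and consistent` above the first call would record which behaviour is intended.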
diff --git a/llhttp.spec b/llhttp.spec
new file mode 100644
index 0000000..c43097c
--- /dev/null
+++ b/llhttp.spec
@@ -0,0 +1,261 @@
+## RPMAUTOSPEC: autorelease, autochangelog
+%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
+ release_number = 2;
+ base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
+ print(release_number + base_release_number - 1);
+}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
+## END: Set by rpmautospec
+
+# This package is rather exotic. The compiled library is a typical shared
+# library with a C API. However, it has only a tiny bit of C source code. Most
+# of the library is written in TypeScript, which is transpiled to C, via LLVM
+# IR, using llparse (https://github.com/nodejs/llparse)—all of which happens
+# within the NodeJS ecosystem.
+#
+# The package therefore “builds like” a NodeJS package, and to the extent they
+# are relevant we apply the NodeJS packaging guidelines. However, the result of
+# the build “installs like” a traditional C library package and has no NodeJS
+# dependencies, including bundled ones.
+#
+# Furthermore, the package is registered with npm as “llhttp”, but current
+# releases are not published there, so we use the GitHub archive as the
+# canonical source and use a custom bundler script based on
+# nodejs-packaging-bundler to fetch NodeJS build dependencies.
+#
+# Overall, we cherry-pick from the standard and NodeJS packaging guidelines as
+# each seems to best apply, understanding that this package does not fit well
+# into any of the usual patterns or templates.
+#
+# Note that there is now a “release” tarball, e.g.
+# https://github.com/nodejs/llhttp/archive/refs/tags/release/v%%{version}tar.gz,
+# that allows this package to be built without the NodeJS/TypeScript machinery.
+# However, the release archive lacks the original TypeScript source code for
+# the generated C code, which we would need to include in the source RPM as an
+# additional source even if we do not do the re-generation ourselves.
+
+Name: llhttp
+Version: 9.2.1
+%global so_version 9.2
+Release: %autorelease
+Summary: Port of http_parser to llparse
+
+# License of llhttp is (SPDX) MIT; nothing from the NodeJS dependency bundle is
+# installed, so its contents do not contribute to the license of the binary
+# RPMs, and we do not need a file llhttp-%%{version}-bundled-licenses.txt.
+License: MIT
+URL: https://github.com/nodejs/llhttp
+Source0: %{url}/archive/v%{version}/llhttp-%{version}.tar.gz
+
+# Based closely on nodejs-packaging-bundler, except:
+#
+# - The GitHub source tarball specified in this spec file is used since the
+# current version is not typically published on npm
+# - No production dependency bundle is generated, since none is needed—and
+# therefore, no bundled licenses text file is generated either
+Source1: llhttp-packaging-bundler
+# Created with llhttp-packaging-bundler (Source1):
+Source2: llhttp-%{version}-nm-dev.tar.zst
+
+# While nothing in the dev bundle is installed, we still choose to audit for
+# null licenses at build time and to keep manually-approved exceptions in a
+# file.
+Source3: check-null-licenses
+Source4: audited-null-licenses.toml
+
+# The compiled RPM does not depend on NodeJS at all, but we cannot *build* it
+# on architectures without NodeJS.
+ExclusiveArch: %{nodejs_arches}
+
+# For generating the C source “release” from TypeScript:
+BuildRequires: nodejs-devel
+BuildRequires: make
+
+# For compiling the C library
+BuildRequires: cmake
+BuildRequires: gcc
+
+# For tests
+BuildRequires: gcc-c++
+
+# For check-null-licenses
+BuildRequires: python3-devel
+%if !0%{?rhel}
+# For additional license auditing:
+BuildRequires: askalono-cli
+BuildRequires: licensecheck
+%endif
+
+%description
+This project is a port of http_parser to TypeScript. llparse is used to
+generate the output C source file, which could be compiled and linked with the
+embedder's program (like Node.js).
+
+
+%package devel
+Summary: Development files for llhttp
+
+Requires: llhttp%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release}
+
+%description devel
+The llhttp-devel package contains libraries and header files for
+developing applications that use llhttp.
+
+
+%prep
+%autosetup
+
+# Remove build flags specifying ISA extensions not in the architectural
+# baseline from the test fixture setup.
+sed -r -i 's@([[:blank:]]*)(.*-m(sse4))@\1// \2@' test/fixtures/index.ts
+
+# We build the library that we install via release/CMakeLists.txt, but the
+# tests are built via Makefile targets. Don’t apply non-default optimization or
+# debug flags to the test executables.
+sed -r -i 's@ -[Og].\b@@g' Makefile
+
+# Set up bundled (dev) node modules required to generate the C sources from the
+# TypeScript sources.
+tar --zstd --extract --file='%{SOURCE2}'
+mkdir -p node_modules
+pushd node_modules
+ln -s ../node_modules_dev/* .
+ln -s ../node_modules_dev/.bin .
+popd
+
+# We run ts-node out of node_modules/.bin rather than using npx (which we will
+# not have available).
+sed -r -i 's@\bnpx[[:blank:]](ts-node)\b@node_modules/.bin/\1@' Makefile
+
+
+%build
+# Generate the C source “release” from TypeScript using the “node_modules_dev”
+# bundle.
+%make_build release RELEASE='%{version}'
+
+# To help prove that nothing from the bundled NodeJS dev dependencies is
+# included in the binary packages, remove the “node_modules” symlinks.
+rm -rvf node_modules
+
+cd release
+mkdir -p %{_target_platform}
+pushd %{_target_platform}
+%cmake ..
+popd
+cmake --build %{_target_platform} %{?_smp_mflags} -v
+
+
+%install
+cd release
+DESTDIR="%{buildroot}" %__cmake --install "%{_target_platform}"
+
+
+%check
+# Symlink the NodeJS bundle again so that we can test with Mocha
+mkdir -p node_modules
+pushd node_modules
+ln -s ../node_modules_dev/* .
+ln -s ../node_modules_dev/.bin .
+popd
+
+# Verify that no bundled dev dependency has a null license field, unless we
+# already audited it by hand. This reduces the chance of accidentally including
+# code with license problems in the source RPM.
+%{__python3} '%{SOURCE3}' --exceptions '%{SOURCE4}' --with dev node_modules_dev
+
+%if !0%{?rhel}
+# Ensure we have checked all of the licenses in the dev dependency bundle for
+# allowability.
+pattern="${pattern-}${pattern+|}UNKNOWN|(Apache|Python) License 2\\.0"
+pattern="${pattern-}${pattern+|}(MIT|ISC|BSD [023]-Clause) License"
+pattern="${pattern-}${pattern+|}BSD 2-Clause with views sentence"
+pattern="${pattern-}${pattern+|}MIT License and/or X11 License"
+pattern="${pattern-}${pattern+|}GNU General Public License"
+# The CC0-1.0 license is *not allowed* in Fedora for code, but the
+# binary-search dev dependency falls under the following blanket exception:
+#
+# Existing uses of CC0-1.0 on code files in Fedora packages prior to
+# 2022-08-01, and subsequent upstream versions of those files in those
+# packages, continue to be allowed. We encourage Fedora package maintainers
+# to ask upstreams to relicense such files.
+#
+# https://gitlab.com/fedora/legal/fedora-license-data/-/issues/91#note_1151947383
+#
+# This can be verified by checking out commit
+# f460573ec4dc41968e600a96aaaf03a167b236bf (2021-12-16) from dist-git for this
+# package, obtaining the source llhttp-6.0.6-nm-dev.tgz, and observing that
+# llhttp-6.0.6/node_modules_dev/binary-search/package.json shows the CC0-1.0
+# license.
+pattern="${pattern-}${pattern+|}binary-search/package.json: (\*No copyright\* )?Creative Commons CC0 1\.0"
+# The license BSD-3-Clause-Clear appears in sprintf-js/bower.json. This license
+# is on the not-allowed list, but it is not real: sprintf-js/package.json and
+# sprintf-js/LICENSE have the correct (and allowed) BSD-3-Clause license, and
+# upstream confirmed in “Licensing Question”
+# https://github.com/alexei/sprintf.js/issues/211 that the appearance of
+# BSD-3-Clause-Clear in this file was a mere typo.
+pattern="${pattern-}${pattern+|}sprintf-js/bower.json: (\*No copyright\* )?BSD 3-Clause Clear License"
+
+if licensecheck -r node_modules_dev |
+ grep -vE "(${pattern})( \\[generated file\\])?\$" ||
+ ! askalono crawl node_modules_dev | awk '
+ $1 == "License:" { license = $0; next }
+ $1 == "Score:" {
+ if ( \
+ license ~ /: (MIT|ISC) \(/ || \
+ license ~ /: (0BSD|BSD-2-Clause(-Views)?|BSD-3-Clause) \(/ || \
+ license ~ /: (Apache-2\.0|Python-2\.0\.1) \(/ \
+ ) {
+ next # license is OK
+ }
+ # license needs auditing
+ problem = 1
+ print file; print license; print $0
+ next
+ }
+ { file = $0 }
+ END { exit problem }'
+
+then
+ cat 1>&2 <<'EOF'
+=================================================================
+Possible new license(s) found in dev dependency bundle!
+
+While these do not contribute to License, they must appear in:
+https://docs.fedoraproject.org/en-US/legal/allowed-licenses/
+
+Please audit them and modify the patterns representing expected
+licenses in the spec file!
+=================================================================
+EOF
+ exit 1
+fi
+%endif
+
+# http-loose-request.c:7205:20: error: invalid conversion from 'void*' to
+# 'const unsigned char*' [-fpermissive]
+# 7205 | start = state->_span_pos0;
+# | ~~~~~~~^~~~~~~~~~
+# | |
+# | void*
+export CXXFLAGS="${CXXFLAGS-} -fpermissive"
+export CFLAGS="${CFLAGS-} -fpermissive"
+export CLANG=gcc
+# See scripts.test in package.json:
+NODE_ENV=test node -r ts-node/register/type-check ./test/md-test.ts
+
+
+%files
+%license release/LICENSE-MIT
+%{_libdir}/libllhttp.so.%{so_version}{,.*}
+
+
+%files devel
+%doc release/README.md
+%{_includedir}/llhttp.h
+%{_libdir}/libllhttp.so
+%{_libdir}/pkgconfig/libllhttp.pc
+%{_libdir}/cmake/llhttp/
+
+
+%changelog
+* Fri Nov 8 2024 Ming Keke <keke.oerv@isrc.iscas.ac.cn> - 9.2.1-2
+- Initial package for repo
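Review bot: The comment above `Source1` states that no production dependency bundle is generated and therefore no bundled-licenses text file either, but llhttp-packaging-bundler in this same commit runs `npm install --only=prod`, writes `llhttp-${VERSION}-bundled-licenses.txt` and packs `llhttp-${VERSION}-nm-prod.tar.zst`, so either the bundler or this comment is out of date. If the prod bundle is deliberately produced and simply not used as a source, say so, e.g. `# - The production bundle and license list that the bundler still produces are not used as sources`. The comment near the top about the release tarball also reads `release/v%%{version}tar.gz`, which appears to be missing the dot before `tar.gz`.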
diff --git a/sources b/sources
new file mode 100644
index 0000000..ae66942
--- /dev/null
+++ b/sources
@@ -0,0 +1,2 @@
+146ccb93d01dfdab3f227194ed80a034 llhttp-9.2.1-nm-dev.tar.zst
+56a149d8ab4c5a4c79b1e4bee55bdcd2 llhttp-9.2.1.tar.gz