diff --git a/audited-null-licenses.toml b/audited-null-licenses.toml new file mode 100644 index 0000000000000000000000000000000000000000..4af45e9ac451263aa8e0157478a6325ce83dfee8 --- /dev/null +++ b/audited-null-licenses.toml @@ -0,0 +1,56 @@ +[any] + +[prod] + +[dev] + +# Just a module wrapper around the code in tslib, which does have a proper +# license (0BSD) in its package.json: +# tslib/modules +modules = "" +# A “dummy” module in the tests for tslib +# tslib/test/validateModuleExportsMatchCommonJS +validateModuleExportsMatchCommonJS = "" + +# Similarly, these are all just ES6 module (mjs) or CommonJS (cjs) module +# wrappers in packages that do have proper license information: +# node_modules_dev/@ungap/structured-clone/cjs +# node_modules_dev/@typescript-eslint/utils/node_modules/minimatch/dist/cjs +# node_modules_dev/@typescript-eslint/utils/node_modules/minimatch/dist/mjs +# node_modules_dev/@typescript-eslint/parser/node_modules/minimatch/dist/cjs +# node_modules_dev/@typescript-eslint/parser/node_modules/minimatch/dist/mjs +# node_modules_dev/@typescript-eslint/type-utils/node_modules/minimatch/dist/cjs +# node_modules_dev/@typescript-eslint/type-utils/node_modules/minimatch/dist/mjs +# node_modules_dev/flatted/cjs +cjs = "" +mjs = "" + +# These are all “dummy” modules in the tests for resolve: +# resolve/test/module_dir/zmodules/bbb +bbb = "" +# resolve/test/resolver/invalid_main +"invalid main" = "" +# resolve/test/resolver/incorrect_main +incorrect_main = "" +# resolve/test/resolver/dot_slash_main +dot_slash_main = "" +# resolve/test/resolver/dot_main +dot_main = "" +# resolve/test/resolver/baz +baz = "" +# resolve/test/resolver/browser_field +browser_field = "" +# resolve/test/resolver/symlinked/package +package = "" + +# These are all part of nanoid, which is MIT-licensed. +# nanoid/url-alphabet +url-alphabet = "" +# nanoid/non-secure +non-secure = "" +# nanoid/async +async = "" + +# This is part of yargs, which is MIT-licensed. +# mocha/node_modules/yargs/helpers +helpers = "" diff --git a/check-null-licenses b/check-null-licenses new file mode 100644 index 0000000000000000000000000000000000000000..fe0e4eb1c982ba1a2cb5955385d96ee0c71d90cb --- /dev/null +++ b/check-null-licenses @@ -0,0 +1,179 @@ +#!/usr/bin/python3 +# -*- coding: utf-8 -*- + +import json +from argparse import ArgumentParser, FileType, RawDescriptionHelpFormatter +from pathlib import Path +from sys import exit, stderr + +import tomllib + + +def main(): + args = parse_args() + problem = False + if not args.tree.is_dir(): + return f"Not a directory: {args.tree}" + for pjpath in args.tree.glob("**/package.json"): + name, version, license = parse(pjpath) + identity = f"{name} {version}" + if version in args.exceptions.get(name, ()): + continue # Do not even check the license + elif license is None: + problem = True + print(f"Missing license in package.json for {identity}", file=stderr) + elif isinstance(license, dict): + if isinstance(license.get("type"), str): + continue + print( + ( + "Missing type for (deprecated) license object in " + f"package.json for {identity}: {license}" + ), + file=stderr, + ) + elif isinstance(license, list): + if license and all( + isinstance(entry, dict) and isinstance(entry.get("type"), str) + for entry in license + ): + continue + print( + ( + "Defective (deprecated) licenses array-of objects in " + f"package.json for {identity}: {license}" + ), + file=stderr, + ) + elif isinstance(license, str): + continue + else: + print( + ( + "Weird type for license in " + f"package.json for {identity}: {license}" + ), + file=stderr, + ) + problem = True + if problem: + return "At least one missing license was found." + + +def parse(package_json_path): + with package_json_path.open("rb") as pjfile: + pj = json.load(pjfile) + try: + license = pj["license"] + except KeyError: + license = pj.get("licenses") + try: + name = pj["name"] + except KeyError: + name = package_json_path.parent.name + version = pj.get("version", "") + + return name, version, license + + +def parse_args(): + parser = ArgumentParser( + formatter_class=RawDescriptionHelpFormatter, + description=("Search for bundled dependencies without declared licenses"), + epilog=""" + +The exceptions file must be a TOML file with zero or more tables. Each table’s +keys are package names; the corresponding values values are exact version +number strings, or arrays of version number strings, that have been manually +audited to determine their license status and should therefore be ignored. + +Exceptions in a table called “any” are always applied. Otherwise, exceptions +are applied only if a corresponding --with TABLENAME argument is given; +multiple such arguments may be given. + +For +example: + + [any] + example-foo = "1.0.0" + + [prod] + example-bar = [ "2.0.0", "2.0.1",] + + [dev] + example-bat = [ "3.7.4",] + +would always ignore version 1.0.0 of example-foo. It would ignore example-bar +2.0.1 only when called with “--with prod”. + +Comments may (and should) be used to describe the manual audits upon which the +exclusions are based. + +Otherwise, any package.json with missing or null license field in the tree is +considered an error, and the program returns with nonzero status. +""", + ) + parser.add_argument( + "-x", + "--exceptions", + type=FileType("rb"), + help="Manually audited package versions file", + ) + parser.add_argument( + "-w", + "--with", + action="append", + default=[], + help="Enable a table in the exceptions file", + ) + parser.add_argument( + "tree", + metavar="node_modules_dir", + type=Path, + help="Path to search recursively", + default=".", + ) + args = parser.parse_args() + + if args.exceptions is None: + args.exceptions = {} + xname = None + else: + with args.exceptions as xfile: + xname = getattr(xfile, "name", "") + args.exceptions = tomllib.load(args.exceptions) + if not isinstance(args.exceptions, dict): + parser.error(f"Invalid format in {xname}: not an object") + for tablename, table in args.exceptions.items(): + if not isinstance(table, dict): + parser.error(f"Non-table entry in {xname}: {tablename} = {table!r}") + overlay = {} + for key, value in table.items(): + if isinstance(value, str): + overlay[key] = [value] + elif not isinstance(value, list) or not all( + isinstance(entry, str) for entry in value + ): + parser.error( + f"Invalid format in {xname} in [{tablename}]: " + f"{key!r} = {value!r}" + ) + table.update(overlay) + + x = args.exceptions.get("any", {}) + for add in getattr(args, "with"): + try: + x.update(args.exceptions[add]) + except KeyError: + if xname is None: + parser.error(f"No table {add}, as no exceptions file was given") + else: + parser.error(f"No table {add} in {xname}") + # Store the merged dictionary + args.exceptions = x + + return args + + +if __name__ == "__main__": + exit(main()) diff --git a/files_in_srpm.txt b/files_in_srpm.txt new file mode 100644 index 0000000000000000000000000000000000000000..45d4d2de6028f2d717f24cb974455be547f13b1b --- /dev/null +++ b/files_in_srpm.txt @@ -0,0 +1,6 @@ +audited-null-licenses.toml +check-null-licenses +llhttp-9.2.1-nm-dev.tar.zst +llhttp-9.2.1.tar.gz +llhttp-packaging-bundler +llhttp.spec diff --git a/llhttp-9.2.1-nm-dev.tar.zst b/llhttp-9.2.1-nm-dev.tar.zst new file mode 100644 index 0000000000000000000000000000000000000000..c0c55d7f53e628afa035eb04f975881cf8902e43 Binary files /dev/null and b/llhttp-9.2.1-nm-dev.tar.zst differ diff --git a/llhttp-9.2.1.tar.gz b/llhttp-9.2.1.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..f3e358cba1e46dcc1cb13783583408bddd0cb1c3 Binary files /dev/null and b/llhttp-9.2.1.tar.gz differ diff --git a/llhttp-packaging-bundler b/llhttp-packaging-bundler new file mode 100644 index 0000000000000000000000000000000000000000..ea38a9128a3c7aaeb43615102d7ef0395c754fd8 --- /dev/null +++ b/llhttp-packaging-bundler @@ -0,0 +1,123 @@ +#!/bin/bash +set -o nounset +set -o errexit + +OUTPUT_DIR="$(rpm -E '%{_sourcedir}')" +SPEC_FILE="${PWD}/llhttp.spec" + +usage() { + cat 1>&2 <&2 <&2 +VERSION="$(awk '$1 == "Version:" { print $2; exit }' "${SPEC_FILE}")" +echo "Version is ${VERSION}" 1>&2 +echo "Downloading source archive" 1>&2 +spectool -g "${SPEC_FILE}" + +ARCHIVE="$( + find . -mindepth 1 -maxdepth 1 -type f -name '*.tar.gz' -print -quit +)" +echo "Downloaded $(basename "${ARCHIVE}")" 1>&2 + +tar -xzf "${ARCHIVE}" +XDIR="$(find . -mindepth 1 -maxdepth 1 -type d -print -quit)" +echo "Extracted to $(basename "${XDIR}")" 1>&2 + +cd "${XDIR}" + +echo "Downloading prod dependencies" 1>&2 +# Compared to nodejs-packaging-bundler, we must add --ignore-scripts or npm +# unsuccessfully attempts to build the package. +npm install --no-optional --only=prod --ignore-scripts +echo "Successful prod dependencies download" 1>&2 +mv node_modules/ node_modules_prod + +echo "LICENSES IN BUNDLE:" +LICENSE_FILE="${TMP_DIR}/llhttp-${VERSION}-bundled-licenses.txt" +find . -name 'package.json' -exec jq '.license | strings' '{}' ';' \ + >> "${LICENSE_FILE}" +for what in '.license | objects | .type' '.licenses[] .type' +do + find . -name 'package.json' -exec jq "${what}" '{}' ';' \ + >> "${LICENSE_FILE}" 2>/dev/null +done +sort -u -o "${LICENSE_FILE}" "${LICENSE_FILE}" +cat "${LICENSE_FILE}" + +# Locate any dependencies without a provided license +find . -type f -name 'package.json' -execdir jq \ + 'if .license==null and .licenses==null then .name else null end' '{}' '+' | + grep -vE '^null$' | + sort -u > "${TMP_DIR}/nolicense.txt" + +if [[ -s "${TMP_DIR}/nolicense.txt" ]] +then + echo -e "\e[5m\e[41mSome dependencies do not list a license. Manual verification required!\e[0m" + cat "${TMP_DIR}/nolicense.txt" + echo -e "\e[5m\e[41m======================================================================\e[0m" +fi + +echo "Downloading dev dependencies" 1>&2 +# Compared to nodejs-packaging-bundler, we must add --ignore-scripts or npm +# unsuccessfully attempts to build the package. +npm install --no-optional --only=dev --ignore-scripts +echo "Successful dev dependencies download" 1>&2 +mv node_modules/ node_modules_dev + +echo "LICENSES IN SOURCE BUNDLE:" +LICENSE_FILE="${TMP_DIR}/llhttp-${VERSION}-bundled-source-licenses.txt" +find ./node_modules_dev -name 'package.json' -exec jq '.license | strings' '{}' ';' \ + >> "${LICENSE_FILE}" +for what in '.license | objects | .type' '.licenses[] .type' +do + find ./node_modules_dev -name 'package.json' -exec jq "${what}" '{}' ';' \ + >> "${LICENSE_FILE}" 2>/dev/null +done +sort -u -o "${LICENSE_FILE}" "${LICENSE_FILE}" +cat "${LICENSE_FILE}" + +if [[ -d node_modules_prod ]] +then + tar -cf "../llhttp-${VERSION}-nm-prod.tar" node_modules_prod +fi +if [[ -d node_modules_dev ]] +then + tar -cf "../llhttp-${VERSION}-nm-dev.tar" node_modules_dev +fi +zstdmt --ultra -22 "../llhttp-${VERSION}-nm-prod.tar" "../llhttp-${VERSION}-nm-dev.tar" + +cd .. +find . -mindepth 1 -maxdepth 1 -type f \( -name "$(basename "${ARCHIVE}")" \ + -o -name "llhttp-${VERSION}*" \) -exec cp -vp '{}' "${OUTPUT_DIR}" ';' diff --git a/llhttp.spec b/llhttp.spec new file mode 100644 index 0000000000000000000000000000000000000000..d1be9def2b79375ff20388cf0b6cb325efa44750 --- /dev/null +++ b/llhttp.spec @@ -0,0 +1,129 @@ +Name: llhttp +Version: 9.2.1 +%global so_version 9.2 +Release: 1 +Summary: Port of http_parser to llparse + +License: MIT +URL: https://github.com/nodejs/llhttp +Source0: %{url}/archive/v%{version}/llhttp-%{version}.tar.gz + +Source1: llhttp-packaging-bundler +Source2: llhttp-%{version}-nm-dev.tar.zst + +Source3: check-null-licenses +Source4: audited-null-licenses.toml + +# For generating the C source “release” from TypeScript: +BuildRequires: nodejs-devel +BuildRequires: make + +# For compiling the C library +BuildRequires: cmake +BuildRequires: gcc + +# For tests +BuildRequires: gcc-c++ + +# For check-null-licenses +BuildRequires: python3-devel +BuildRequires: (python3dist(tomli) if python3 < 3.11) + +%description +This project is a port of http_parser to TypeScript. llparse is used to +generate the output C source file, which could be compiled and linked with the +embedder's program (like Node.js). + +%package devel +Summary: Development files for llhttp + +Requires: llhttp%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release} + +%description devel +The llhttp-devel package contains libraries and header files for +developing applications that use llhttp. + + +%prep +%autosetup + +# Remove build flags specifying ISA extensions not in the architectural +# baseline from the test fixture setup. +sed -r -i 's@([[:blank:]]*)(.*-m(sse4))@\1// \2@' test/fixtures/index.ts + +# We build the library that we install via release/CMakeLists.txt, but the +# tests are built via Makefile targets. Don’t apply non-default optimization or +# debug flags to the test executables. +sed -r -i 's@ -[Og].\b@@g' Makefile + +# Set up bundled (dev) node modules required to generate the C sources from the +# TypeScript sources. +tar --zstd --extract --file='%{SOURCE2}' +mkdir -p node_modules +pushd node_modules +ln -s ../node_modules_dev/* . +ln -s ../node_modules_dev/.bin . +popd + +# We run ts-node out of node_modules/.bin rather than using npx (which we will +# not have available). +sed -r -i 's@\bnpx[[:blank:]](ts-node)\b@node_modules/.bin/\1@' Makefile + + +%build +# Generate the C source “release” from TypeScript using the “node_modules_dev” +# bundle. +%make_build release RELEASE='%{version}' + +# To help prove that nothing from the bundled NodeJS dev dependencies is +# included in the binary packages, remove the “node_modules” symlinks. +rm -rvf node_modules + +cd release +%cmake +%cmake_build + + +%install +cd release +%cmake_install + + +%check +# Symlink the NodeJS bundle again so that we can test with Mocha +mkdir -p node_modules +pushd node_modules +ln -s ../node_modules_dev/* . +ln -s ../node_modules_dev/.bin . +popd + +# Verify that no bundled dev dependency has a null license field, unless we +# already audited it by hand. This reduces the chance of accidentally including +# code with license problems in the source RPM. +python3 '%{SOURCE3}' --exceptions '%{SOURCE4}' --with dev node_modules_dev + + +%set_build_flags +export CXXFLAGS="${CXXFLAGS-} -fpermissive" +export CFLAGS="${CFLAGS-} -fpermissive" +export CLANG=gcc +# See scripts.test in package.json: +NODE_ENV=test node -r ts-node/register/type-check ./test/md-test.ts + + +%files +%license release/LICENSE-MIT +%{_libdir}/libllhttp.so.%{so_version}{,.*} + + +%files devel +%doc release/README.md +%{_includedir}/llhttp.h +%{_libdir}/libllhttp.so +%{_libdir}/pkgconfig/libllhttp.pc +%{_libdir}/cmake/llhttp/ + + +%changelog +* Tue Nov 5 2024 shafeipaozi - 9.2.1-1 +- init diff --git a/llhttp.src.rpm b/llhttp.src.rpm new file mode 100644 index 0000000000000000000000000000000000000000..0b76b3b007d801b1819c208b6d4e98e7f87805d1 Binary files /dev/null and b/llhttp.src.rpm differ