From Fedora Project Wiki
Here is the template I use for doing package reviews. You're welcome to steal from it if you find it useful. Of course, you should only use the parts of this template that apply to the package you're reviewing. For example, there's no real point in checking compiler flags and debuginfo generation for noarch packages.
* source files match upstream:
* package meets naming and versioning guidelines.
* specfile is properly named, is cleanly written and uses macros consistently.
* dist tag is present.
* build root is correct. %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
* license field matches the actual license.
* license is open source-compatible.
* XXX License text not included upstream.
* XXX License text included in package.
* latest version is being packaged.
* BuildRequires are proper.
* compiler flags are appropriate.
* %clean is present.
* package builds in mock ( ).
* package installs properly.
* debuginfo package looks complete.
* rpmlint is silent.
* final provides and requires are sane:
* %check is present and all tests pass:
* no shared libraries are added to the regular linker search paths.
* owns the directories it creates.
* doesn't own any directories it shouldn't.
* no duplicates in %files.
* file permissions are appropriate.
* no scriptlets present.
* code, not content.
* documentation is small, so no -docs subpackage is necessary.
* %docs are not necessary for the proper functioning of the package.
* no headers.
* no pkgconfig files.
* no libtool .la droppings.
* not a GUI app.
A quick script to grab the upstream source and compare it to what's in an (unpacked) srpm:
#!/bin/sh
# Fetch the upstream sources named in the spec into ./source, then print the
# SHA-256 of each fetched file next to the SHA-256 of the copy shipped in the SRPM.
mkdir source
cd source || exit 1
spectool -g ../*spec
for i in *; do
    sha256sum "$i"
    sha256sum "../$i"
done
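The script above leaves the reviewer to eyeball two columns of checksums. As an added example (not part of the wiki page's own script), here is a variant that does the comparison itself, reports any file that is missing from the SRPM or differs from upstream, and returns non-zero in that case so it can gate the "source files match upstream" item. It assumes sha256sum and spectool are installed; the directory names and function names are assumptions.

```shell
#!/bin/sh
# Added example: compare upstream sources with the contents of an unpacked
# SRPM and fail loudly on any mismatch instead of just printing two sums.
# Assumes sha256sum and spectool are available; names below are assumptions.

# compare_sources UPSTREAM_DIR SRPM_DIR
# Prints one line per upstream file; returns 1 if any file is missing from
# the SRPM directory or has a different SHA-256, 0 if everything matches.
compare_sources() {
    upstream_dir=$1
    srpm_dir=$2
    status=0
    for f in "$upstream_dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        up=$(sha256sum "$f" | cut -d' ' -f1)
        if [ ! -f "$srpm_dir/$name" ]; then
            echo "MISSING  $name (not present in SRPM)"
            status=1
            continue
        fi
        pkg=$(sha256sum "$srpm_dir/$name" | cut -d' ' -f1)
        if [ "$up" = "$pkg" ]; then
            echo "OK       $name $up"
        else
            echo "MISMATCH $name upstream=$up srpm=$pkg"
            status=1
        fi
    done
    return $status
}

# fetch_and_compare SRPM_DIR
# Downloads the Source/Patch URLs from the spec into SRPM_DIR/source (the
# same spectool -g step as the wiki script), then runs the comparison.
fetch_and_compare() {
    srpm_dir=$1
    mkdir -p "$srpm_dir/source"
    (cd "$srpm_dir/source" && spectool -g ../*spec) || return 2
    compare_sources "$srpm_dir/source" "$srpm_dir"
}
```

Run it as `fetch_and_compare /path/to/unpacked-srpm`; a non-zero exit means at least one source differs from what upstream publishes and needs a closer look before the review proceeds.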