
Re: cppcheck, does nobody really care about it?



On 12/05/14 11:47, Gianfranco Costamagna wrote:
> Hi debian developers,
> 
> cppcheck [1] has been removed from testing [2] because of a sourceless javascript file [3].

Hi, Gianfranco.

Not a DD here, but:

There are mixed opinions about cases like this. cppcheck doesn't need
jQuery to work (or to do anything at all, even): it's just that a copy
of the documentation website is included in the upstream package, and
thus, the Debian source package, but nothing from this is actually
included in the binary, not even used for compilation.

So, just to get back in sync: currently, Debian's cppcheck is (was)
upstream's 1.61. There was a 1.64 version available [*] but there was a
problem with tinyxml2 versioning (and therefore, packaging).

I commented on tinyxml2 issue #31 [1] regarding this and upstream
accepted to tag future releases. This helped tinyxml2 packaging [2] to
make it easier for cppcheck to Depend: libtinyxml2-2 and 2.0.2-1 is now
on testing [3].

I got asked privately to test 1.64 directly, but I've been out of town
for almost a month now and unable to contribute. Just today I returned,
so I should have some spare time during this week to try a package for
1.64 with Depend: libtinyxml2-2 and most probably without the jQuery
file altogether, given that jQuery cases and correct inclusion
discussion have still not completely settled down.

[*] 2 days ago 1.65 was released [4], so I may try 1.65 instead.

[1] https://github.com/leethomason/tinyxml2/issues/31
[2] http://packages.qa.debian.org/t/tinyxml2.html
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734617
[4] https://github.com/danmar/cppcheck/releases

> Because of this I packaged (with patch and thanks from Octavio) a new dfsg version and uploaded on mentors [4] some time ago.
> (I'm uploading it again right now since I forgot to put the bug reference into the changelog)

Personally, I'd rather see 1.61+dfsg uploaded before attempting to
package 1.65, but that has its own set of implications. For example, the
patch uses the Files-Excluded: facility on debian/watch, and this
includes repackaging the same version of upstream, and I'm not exactly
sure how this would work.

So, if 1.65 works now, we should kill two big birds with one shot and
hopefully we will all be happy.

> I personally consider cppcheck a great package, that helped me so far in spotting many possible vulnerabilities in packages I co-maintain, helping me in providing more secure packages in Debian repositories (as well as sending security fixes upstream).

I use it on a regular basis, and most of my build scripts use it, so I'm
interested in having it included. However, not being a DD, I still need
sponsorship.

My two cents.

