Re: Anyone willing to sponsor keyd?

To: Boyuan Yang <byang@debian.org>, debian-input-method@lists.debian.org
Subject: Re: Anyone willing to sponsor keyd?
From: Richard Hansen <rhansen@rhansen.org>
Date: Sun, 10 Mar 2024 23:07:01 -0700
Message-id: <[🔎] bcaa6b40-8a10-4240-a344-93ccde795cdc@rhansen.org>
In-reply-to: <[🔎] f21cbdc29ad07f22320043695a5a0638115cca24.camel@debian.org>
References: <[🔎] 133f8b23-8211-42c6-bfc1-b30b7e2cd4ef@rhansen.org> <[🔎] f21cbdc29ad07f22320043695a5a0638115cca24.camel@debian.org>

On 2024-03-10 10:27:58-07:00, Boyuan Yang wrote:

Hi,

在 2024-03-08星期五的 17:58 -0800，Richard Hansen写道：

I would like to package keyd <https://github.com/rvaiya/keyd>.  You can
see my ITP bug at
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060023>) for
complete details.  To summarize: keyd is a low-level keyboard key
remapping daemon specifically for the Linux kernel.

keyd is kinda related to IME, so I wondered if someone here would be
willing to sponsor the upload (I'm not a Debian Developer).

I have been uploading my debianization attempts to
<https://mentors.debian.net/package/keyd/>.  The package's VCS is
currently at <https://salsa.debian.org/rhansen/keyd>, but I would like
to move that repository to a more permanent location (maybe under
<https://salsa.debian.org/input-method-team/> if you think that would be
appropriate).

To increase the bus factor, would this team be willing to be listed as
the maintainer for the package?  Or would a different team be more
appropriate?


At this moment I would suggest you to go through the standard mentoring
and package sponsorship (RFS) procedure first


Done: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066022>

because I believe your packaging
needs to be polished up. An incomplete list as follows:


Thank you so much for the detailed review!


* I don't know whether keyd belongs to input methods. It is not important;
we can always move a package to team maintenance at any time when needed
afterwards.


Good point.  I'll keep myself as maintainer until someone voices an opinion.


* Please avoid using adduser in postinst. Package adduser need to be
explicitly installed, and that is a burden. Consider using useradd instead.


Done.

I was following the guidance of<https://www.debian.org/doc/manuals/securing-debian-manual/bpp-lower-privs.en.html>which says to use adduser. Should that document be updated?

Besides, you may want to think twice when using maintscripts like postinst.

I don't like the postinst script either. Does an alternative exist? Ididn't see a debhelper command that would take care of it.

I guess I could check for the group during daemon startup and create itif it is missing. However, the admin (or a package that depends onkeyd, if one is ever created) would have to either create the groupthemselves or start the daemon before they could add a user to the group.

Check out https://www.debian.org/doc/debian-policy/ap-flowcharts.html and
https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html to see
how maintscripts works during package installation, removal or upgrade.

* Your postinst unconditionally adds a user but never deletes this user
when the package is uninstalled.

That was intentional;<https://www.debian.org/doc/manuals/securing-debian-manual/bpp-lower-privs.en.html>links to some discussions on the drawbacks of removing users/groups whenremoving/purging a package.

But after thinking about it some more I don't think those drawbacksapply to this package. keyd does not create any persistent files thatare owned by the group. I added a postrm script to remove the group whenthe package is purged.


* Your debian/copyright file lacks information for some files. For example,
the origin of data/unicode.txt as well as its license.

Doesn't the `Files: *` entry apply to all files? (Except those coveredby the `Files: debian/*` entry, of course.)


* I am doubtful on keyd/keyd.service file. It mentions sysvinit.target,
which looks suspicious. Does that indicate that this service needs
systemd-sysv support? If yes, it must be explicitly indicated in your
packaging. Besides, I remember that systemd upstream is dropping sysv
compat layer very soon. Please work with upstream to sort things out.

Looks like upstream has already addressed it; I cherry-picked<https://github.com/rvaiya/keyd/commit/459cb1fff1d863edd48a2713d07b43d87fd4a182>.


Once you have answers to them, please prepare a new version of the
source package, and follow the RFS procedure and open
a package sponsorship request as described in
https://mentors.debian.net/sponsors/rfs-howto/ . You are free to send
a mail copy to input-method-team mailing list then if you want.


A new revision of the package has been uploaded.

Thanks for your help!

-Richard


Thanks,
Boyuan Yang

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

Reply to:

References:
- Anyone willing to sponsor keyd?
  - From: Richard Hansen <rhansen@rhansen.org>
- Re: Anyone willing to sponsor keyd?
  - From: Boyuan Yang <byang@debian.org>

Prev by Date: Bug#1065467: marisa: FTBFS on loongarch64 as the test case fails
Next by Date: Bug#1065467: marisa: FTBFS on loongarch64 as the test case fails
Previous by thread: Re: Anyone willing to sponsor keyd?
Next by thread: Processing of rime-emoji_0.0~git20240305.be7d308-1_source.changes
Index(es):
- Date
- Thread