On 2024-03-10 10:27:58-07:00, Boyuan Yang wrote:
Hi,
On Friday, 2024-03-08 at 17:58 -0800, Richard Hansen wrote:
I would like to package keyd <https://github.com/rvaiya/keyd>. You can see my ITP bug at <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060023> for complete details. To summarize: keyd is a low-level keyboard key remapping daemon specifically for the Linux kernel.
keyd is kinda related to IME, so I wondered if someone here would be willing to sponsor the upload (I'm not a Debian Developer). I have been uploading my debianization attempts to <https://mentors.debian.net/package/keyd/>.
The package's VCS is currently at <https://salsa.debian.org/rhansen/keyd>, but I would like to move that repository to a more permanent location (maybe under <https://salsa.debian.org/input-method-team/> if you think that would be appropriate).
To increase the bus factor, would this team be willing to be listed as the maintainer for the package? Or would a different team be more appropriate?
At this moment I would suggest that you go through the standard mentoring and package sponsorship (RFS) procedure first
Done: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066022>
because I believe your packaging needs to be polished up. An incomplete list as follows:
Thank you so much for the detailed review!
* I don't know whether keyd belongs to input methods. It is not important; we can always move a package to team maintenance at any time when needed afterwards.
Good point. I'll keep myself as maintainer until someone voices an opinion.
* Please avoid using adduser in postinst. Package adduser needs to be explicitly installed, and that is a burden. Consider using useradd instead.
Done. I was following the guidance of <https://www.debian.org/doc/manuals/securing-debian-manual/bpp-lower-privs.en.html> which says to use adduser. Should that document be updated?
Besides, you may want to think twice when using maintscripts like postinst.
I don't like the postinst script either. Does an alternative exist? I didn't see a debhelper command that would take care of it.
I guess I could check for the group during daemon startup and create it if it is missing. However, the admin (or a package that depends on keyd, if one is ever created) would have to either create the group themselves or start the daemon before they could add a user to the group.
Check out https://www.debian.org/doc/debian-policy/ap-flowcharts.html and https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html to see how maintscripts work during package installation, removal or upgrade.
* Your postinst unconditionally adds a user but never deletes this user when the package is uninstalled.
That was intentional; <https://www.debian.org/doc/manuals/securing-debian-manual/bpp-lower-privs.en.html> links to some discussions on the drawbacks of removing users/groups when removing/purging a package.
But after thinking about it some more I don't think those drawbacks apply to this package. keyd does not create any persistent files that are owned by the group. I added a postrm script to remove the group when the package is purged.
* Your debian/copyright file lacks information for some files. For example, the origin of data/unicode.txt as well as its license.
Doesn't the `Files: *` entry apply to all files? (Except those covered by the `Files: debian/*` entry, of course.)
* I am doubtful about the keyd/keyd.service file. It mentions sysvinit.target, which looks suspicious. Does that indicate that this service needs systemd-sysv support? If yes, it must be explicitly indicated in your packaging. Besides, I remember that systemd upstream is dropping the sysv compat layer very soon. Please work with upstream to sort things out.
Looks like upstream has already addressed it; I cherry-picked <https://github.com/rvaiya/keyd/commit/459cb1fff1d863edd48a2713d07b43d87fd4a182>.
Once you have answers to them, please prepare a new version of the source package, and follow the RFS procedure and open a package sponsorship request as described in https://mentors.debian.net/sponsors/rfs-howto/ . You are free to send a mail copy to input-method-team mailing list then if you want.
A new revision of the package has been uploaded. Thanks for your help! -Richard
Thanks, Boyuan Yang
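
The postinst/postrm behaviour discussed in this message (create the group without adduser, remove it only on purge), as an added example that is not keyd's actual packaging. The group name `keyd` is an assumption, and the `GETENT`, `GROUPADD` and `GROUPDEL` override variables are hypothetical hooks for running the logic without root.

```shell
#!/bin/sh
# Added illustration; not keyd's actual debian/postinst or debian/postrm.
GROUP="${GROUP:-keyd}"            # assumed group name
# Hypothetical hooks so the logic can be exercised without root.
GETENT="${GETENT:-getent}"
GROUPADD="${GROUPADD:-groupadd}"
GROUPDEL="${GROUPDEL:-groupdel}"

group_exists() {
    "$GETENT" group "$GROUP" >/dev/null 2>&1
}

# postinst: dpkg runs "postinst configure [old-version]" on install and upgrade.
postinst_main() {
    case "$1" in
        configure)
            # Idempotent: an upgrade or reinstall must not fail on an existing group.
            if ! group_exists; then
                "$GROUPADD" --system "$GROUP"
            fi
            ;;
        abort-upgrade|abort-remove|abort-deconfigure)
            ;;
        *)
            echo "postinst called with unknown argument '$1'" >&2
            return 1
            ;;
    esac
}

# postrm: delete the group only on purge; "remove" and "upgrade" keep it so
# memberships the admin granted survive a reinstall.
postrm_main() {
    case "$1" in
        purge)
            if group_exists; then
                "$GROUPDEL" "$GROUP"
            fi
            ;;
        remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
            ;;
        *)
            echo "postrm called with unknown argument '$1'" >&2
            return 1
            ;;
    esac
}
```

In a real package the two functions would live in separate maintainer scripts, each ending with a call such as `postinst_main "$@"`.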