
Re: Review of new lintian tags

bastien ROUCARIES wrote:
> +Tag: backports-upload-has-incorrect-version-number
> +Severity: serious
> +Certainty: certain
> +Info: The version number doesn't comply with the standard backport version
> + rules. It should end in ~bpoXX+N, where XX refers to the version number of
> + the base distribution.
> +Ref: http://backports.debian.org/Contribute/
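
Review bot: "N" in "~bpoXX+N" is never defined; the Info text explains only XX. Add a clause saying what N counts, so that a maintainer who trips this tag can tell which part of the suffix is wrong. The Ref is also a plain http URL; use the https form if the site offers one.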

Why "base" distribution?  Is that "the distribution it's based on", or
"base" as in "ignoring point releases", or what?

Come to that, isn't it releases (like Wheezy) that get version numbers
rather than distributions (like unstable)?  And while Squeeze was
officially "6.0", Wheezy is plain "7", so shouldn't that "XX" be plain


   Info: The version number doesn't comply with the standard backport version
   rules. It should end in ~bpoX+N, where X is the release version number of
   the target distribution.

(We're going to have trouble eventually when v1~bpo9+1 is followed by 
v1~bpo10+1, but I suppose that would be a good time to stop pretending
that backports come from BackPorts.Org...)

> +Tag: debian-upstream-obsolete-path
> +Severity: important
> +Certainty: certain
> +Info: Upstream metadata is stored under an obsolete path.
> + .
> + Upstream MEtadata GAthered with YAml (UMEGAYA) an effort to collect
> + meta-information about upstream projects in a file called
> + <tt>debian/upstream/metadata</tt> in the source packages
> + maintained in a publicly accessible version control system (VCS).

This sentence no verb.  s/an effort/is an effort/

Also, "in a file... in the packages... in a VCS" is confusing.  For a
start, does it mean information is collected *from* that file or
*into* that file?  Maybe both, "via" that file?

Why define the abbreviation "VCS" if you're not going to use it?
Though in fact I suspect we'd be entitled to take it for granted in a
message intended for Debian Developers.

    Upstream MEtadata GAthered with YAml (UMEGAYA) is an effort to collect
    meta-information about upstream projects from any source package
    with a publicly accessible VCS via a file called

> + .
> + Older version of this specification used
> + <tt>debian/upstream-metadata.yaml</tt> and <tt>debian/upstream</tt>
> + as file storage of meta-information.
> + .
> + You should move these file to <tt>debian/upstream/metadata</tt>.
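
Review bot: the closing instruction "You should move these file to debian/upstream/metadata" does not cover a source package that ships both obsolete paths, or one that already has the new file next to an old one. Say whether the contents are to be merged or the old file simply dropped, and have the Info name which obsolete path was found.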

"And"?  This isn't clear; are these two files that used to be separate
(in "THE older version of this spec") but have now been unified?  Or
one file that has been moved twice (so that it should be talking about
"older versionS")?  Or what?

    Older versions of this specification used
    <tt>debian/upstream-metadata.yaml</tt> or <tt>debian/upstream</tt>
    as meta-information storage file.
    You should move any such file to <tt>debian/upstream/metadata</tt>.

(This is one for my Why-The-Name files; yes, it's an acronym, but
mostly it's Japanese for... what, plum blossom or something?)

> +Tag: source-contains-prebuilt-ms-help-file
> +Severity: serious
> +Certainty: possible
> +Info: The source tarball contains a prebuilt microsoft precompiled help


> + file (CHM file).  These are often included by mistake when developers generate
> + a tarball without cleaning the source directory first.
> + CHM files are mainly produced by proprietary, Windows-specific software.
> + They are also mainly consumed by Windows internal HTML Help Workshop.
> + There is Linux software to read them and an incomplete
> + FreePascal related project to create them,
> + but any examples in source packages are likely to be created
> + by the proprietary Microsoft software and are probably missing
> + the source HTML and associated files.
> + .
> + If there is no sign this was intended, consider reporting it as
> + an upstream bug.
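
Review bot: the first Info line reads "prebuilt microsoft precompiled help file", which uses "prebuilt" and "precompiled" for the same thing and lowercases the vendor name that is capitalised further down ("proprietary Microsoft software"). Something like "a prebuilt Microsoft Compiled HTML Help file (CHM file)" would read better. The last paragraph also offers only an upstream bug report; with Severity: serious the text should say what the uploader is expected to do with the file in the Debian source.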

"Windows internal HTML Help Workshop" sounds unlikely; it's not
internal to Windows, is it?  It's a development tool.  It should
probably say:

    They are also mainly consumed by the Microsoft HTML Help Workshop.

> +Tag: license-problem-php-license
> +Severity: serious
> +Certainty: possible
> +Info: This package appears to be covered by version 3.0 (exactly) of the
> + PHP license.  This license is not applicable to anything that is not PHP
> + and has no contributions from the PHP Group.
> +Ref: https://ftp-master.debian.org/REJECT-FAQ.html
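
Review bot: the Info stops at "This license is not applicable to anything that is not PHP and has no contributions from the PHP Group" and gives the maintainer no action to take, and the Ref points at the top of the REJECT-FAQ rather than at the entry it relies on. Add one sentence on the expected remedy and make the reference specific.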

Slightly notty, but I think it's okay.

> +Tag: description-too-short
> +Severity: serious
> +Certainty: certain
> +Ref: devref 6.2.2
> +Info: The description contains only a single word. It is likely that the
> + description won't be very clear for the user.
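
Review bot: the tag name says "too short" but the Info ("contains only a single word") describes a narrower condition. Either rename the tag to match the single-word test or word the Info for whatever length the check really enforces. "It is likely that" also sits oddly next to Certainty: certain; state the problem and the fix directly.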

(There are languages where one word would often work fine, but we
don't seem to have an active l10n community for Inuit.)

> +
> +Tag: description-is-pkg-name
> +Severity: serious
> +Certainty: certain
> +Ref: devref 6.2.2
> +Info: The description is the same the package name. A better description should
> + be provided for the user.

Missing word:                  same as the

> +Tag: package-contains-thumbnails-dir
> +Severity: important
> +Certainty: certain
> +Info: Package contains a .thumbnails directory. It was most likely installed by
> + accident, since thumbnails usually don't belong in packages.
> +Ref: http://standards.freedesktop.org/thumbnail-spec/thumbnail-spec-0.8.0.html
> +
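
Review bot: the Info gives "thumbnails usually don't belong in packages" as its only reason and names no action. Say explicitly that the directory should be removed from the package, and use the https form of the Ref URL if the site offers one.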

For consistency,
   Info: This package contains a .thumbnails directory. [...]

> +Tag: privacy-breach-may-use-debian-package

The tag name makes it sound as if a privacy breach might possibly use
this Debian package.  Should it perhaps be:

   Tag: privacy-breach-avoidable

> +Severity: important
> +Certainty: possible
> +Info: This package creates a potential privacy breach by fetching data
> + from an external website at runtime. Please remove these scripts or
> + external HTML resources.
> + .
> + You may use if compatible the debian package indicated in the hint.
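
Review bot: "these scripts or external HTML resources" has no antecedent, and "the hint" in the last line is not explained, so a maintainer reading only this text cannot tell which resource triggered the tag or where to find the suggested package. Say where the offending URL and the replacement package are reported, and keep the reason from the first sentence (data fetched from an external website at runtime) next to the instruction to remove it.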

Phrase that as:

    Instead you can use the Debian package indicated in the hint, if it is

> +Tag: package-contains-timestamped-gzip
> +Severity: wishlist
> +Certainty: certain
> +Info: The package contains a gzip'ed file that has timestamps.
> + Such files make the packages unreproducible, because their
> + contents depend on the time when the package was built.
> + .
> + Please consider passing the "-n" flag to gzip to avoid this.
> +Ref: https://wiki.debian.org/ReproducibleBuilds
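
Review bot: "has timestamps" in the first Info line does not say which timestamp is meant. Name it (the modification time gzip stores in the file header) and say that "-n" stops gzip from saving the original name and timestamp, so that maintainers whose build compresses through a wrapper know which option to look for there.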

I would advise against that spelling "gzip'ed".  Personally I would
just use "gzipped", but if you don't like that, there's always

> +Tag: no-dep5-copyright
> +Severity: pedantic
> +Certainty: possible
> +Info: This package does not use Machine-readable debian/copyright file.
> + .
> + This format help to review license problem and could be easily parsed
> + by Lintian.
> +Ref: https://dep.debian.net/deps/dep5/
> +

Do you review problems, or just review licenses to find problems?

   Info: This package does not use a machine-readable debian/copyright file.
    This format makes it easier to review licenses and can be easily parsed
    by Lintian.

JBR	with qualifications in linguistics, experience as a Debian
	sysadmin, and probably no clue about this particular package
