
Re: RFS: sqlmap (updated package)



On Mon, Mar 15, 2010 at 9:03 AM, Bernardo Damele A. G.
<bernardo.damele@gmail.com> wrote:

> I am looking for a sponsor for the new version 0.8-1 of my package "sqlmap".

Here is a review:

Please read upgrading-checklist.txt from debian-policy and do the
steps needed to comply with the changes policy version 3.8.0 and
3.8.4.

extra/runcmd/windows/runcmd/runcmd.cpp and other files seem to have
been removed, the copyright file should be updated.

Since the software has a variety of copyright holders and licenses,
you might want to adopt the DEP-5 format for debian/copyright.

http://dep.debian.net/deps/dep5/

Please add some comments to the lintian overrides file about why you
are overriding the lintian tags.

You can use dh_lintian to auto-install the lintian overrides.

Lintian complaints, please read the lintian-info output for each and
fix or override:

P: sqlmap source: source-contains-prebuilt-windows-binary udf/postgresql/windows/8.4/lib_postgresqludf_sys.dll
P: sqlmap source: source-contains-prebuilt-windows-binary udf/postgresql/windows/8.2/lib_postgresqludf_sys.dll
P: sqlmap source: source-contains-prebuilt-windows-binary udf/mysql/windows/lib_mysqludf_sys.dll
P: sqlmap source: source-contains-prebuilt-windows-binary udf/postgresql/windows/8.3/lib_postgresqludf_sys.dll
P: sqlmap source: source-contains-prebuilt-binary udf/postgresql/linux/8.4/lib_postgresqludf_sys.so
P: sqlmap source: source-contains-prebuilt-binary udf/postgresql/linux/8.3/lib_postgresqludf_sys.so
P: sqlmap source: source-contains-prebuilt-binary udf/mysql/linux/lib_mysqludf_sys.so
P: sqlmap source: source-contains-prebuilt-binary udf/postgresql/linux/8.2/lib_postgresqludf_sys.so
W: sqlmap source: out-of-date-standards-version 3.8.0 (current is 3.8.4)
I: sqlmap: binary-has-unneeded-section ./usr/share/sqlmap/udf/mysql/linux/lib_mysqludf_sys.so .comment
I: sqlmap: binary-has-unneeded-section ./usr/share/sqlmap/udf/postgresql/linux/8.2/lib_postgresqludf_sys.so .comment
I: sqlmap: binary-has-unneeded-section ./usr/share/sqlmap/udf/postgresql/linux/8.3/lib_postgresqludf_sys.so .comment
I: sqlmap: binary-has-unneeded-section ./usr/share/sqlmap/udf/postgresql/linux/8.4/lib_postgresqludf_sys.so .comment
P: sqlmap: no-upstream-changelog
I: sqlmap: hyphen-used-as-minus-sign usr/share/man/man1/sqlmap.1.gz:38
I: sqlmap: hyphen-used-as-minus-sign usr/share/man/man1/sqlmap.1.gz:49
I: sqlmap: hyphen-used-as-minus-sign usr/share/man/man1/sqlmap.1.gz:186
I: sqlmap: hyphen-used-as-minus-sign usr/share/man/man1/sqlmap.1.gz:195
I: sqlmap: possible-documentation-but-no-doc-base-registration

Why do you install sqlmap.py to /usr/share/sqlmap/sqlmap and then add
a symlink in /usr/bin? Surely you should just install it into
/usr/bin?

README.Debian says the software requires metasploit, which is not yet
available in Debian. Software in main cannot depend on software not
available in main. Could you detail the relationship between sqlmap
and metasploit? Will sqlmap work without metasploit? I read somewhere
that metasploit is now BSD licensed so it might be able to enter
Debian if all the copyright and licensing is in order. The RFP is
#323420 if you are interested in this.

The source package contains quite a few binaries without source code,
this needs to be fixed. The upstream source package needs to not
contain the binaries, contain the source code and needs to have a
build system to build the binaries at install time. IMHO this includes
the obfuscated binaries containing exploits. Upstream could distribute
a separate tarball containing pre-built binaries (for those without a
cross-compiler or whatever), but the source package needs to be source
only. Please work with upstream to achieve this. Debian contains a
Win32 cross-compiler so this should be doable.

The manual page lists sqlmap.py, I think you should remove the .py from there.

Please send the patches and manual page upstream if you have not
already done so.

The configure target in debian/rules does nothing and can be removed.

Did you manage to fix #561371 for the 0.8 release? Please update the
bug and/or debian/changelog.

You should close #561167 in the changelog.

#561164 looks like it is an invalid bug and should be closed:

http://www.debian.org/Bugs/Developer#closing

The package fails to build for me with debuild -j2:

 dpkg-buildpackage -rfakeroot -D -us -uc -j2 -i -ICVS -I.svn -j2
dpkg-buildpackage: set CFLAGS to default value: -g -O2
dpkg-buildpackage: set CPPFLAGS to default value:
dpkg-buildpackage: set LDFLAGS to default value:
dpkg-buildpackage: set FFLAGS to default value: -g -O2
dpkg-buildpackage: set CXXFLAGS to default value: -g -O2
dpkg-buildpackage: source package sqlmap
dpkg-buildpackage: source version 0.8-1
dpkg-buildpackage: source changed by Bernardo Damele A. G. <bernardo.damele@gmail.com>
dpkg-buildpackage: host architecture amd64
 fakeroot debian/rules clean
test -d debian/patched || install -d debian/patched
dpatch  deapply-all
dpatch  apply-all
03_upx_path not applied to ./ .
02_update not applied to ./ .
01_paths_home_dir not applied to ./ .
rm -rf patch-stamp patch-stampT debian/patched
applying patch 01_paths_home_dir to ./ ...mv: cannot stat `.//debian/patched/01_paths_home_dir.dpatch.new': No such file or directory
make: *** [patch-stamp] Error 1
dpkg-buildpackage: error: fakeroot debian/rules clean gave error exit status 2
debuild: fatal error at line 1330:
dpkg-buildpackage -rfakeroot -D -us -uc -j2 -i -ICVS -I.svn -j2 failed

You might want to consider adopting some/any of the following:
debhelper 7 minimal rules file, dpkg-source v3 format, quilt for
patches.

The security team can always use new people, you might be interested
in getting involved there.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
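
Added example, not part of the original message and not code from sqlmap or lintian: a small pre-upload check in the spirit of the source-contains-prebuilt-binary and source-contains-prebuilt-windows-binary tags above, which walks an unpacked source tree and reports files carrying ELF or PE magic bytes. The function names are hypothetical, and the sample tree is constructed from stub files that reuse two of the paths lintian reported.

```python
import os
import tempfile

# ELF objects start with 0x7f "ELF"; PE files (.dll/.exe) start with "MZ" and
# store the offset of a "PE\0\0" signature in the 4 bytes at 0x3c.
def classify(path):
    """Return 'elf', 'pe' or None for the file at path."""
    with open(path, "rb") as fh:
        head = fh.read(0x40)
        if head.startswith(b"\x7fELF"):
            return "elf"
        if head.startswith(b"MZ") and len(head) >= 0x40:
            fh.seek(int.from_bytes(head[0x3c:0x40], "little"))
            if fh.read(4) == b"PE\0\0":
                return "pe"
    return None

def find_prebuilt(tree):
    """Walk an unpacked source tree; return sorted (relative path, kind) pairs."""
    hits = []
    for root, dirs, files in os.walk(tree):
        # Skip VCS metadata, as the -ICVS -I.svn options in the build log do.
        dirs[:] = [d for d in dirs if d not in (".git", ".svn", "CVS")]
        for name in files:
            full = os.path.join(root, name)
            kind = None if os.path.islink(full) else classify(full)
            if kind:
                hits.append((os.path.relpath(full, tree).replace(os.sep, "/"), kind))
    return sorted(hits)

def build_sample_tree(base):
    """Constructed sample: stubs holding only magic bytes, not real libraries."""
    pe_stub = b"MZ" + b"\0" * 0x3a + (0x40).to_bytes(4, "little") + b"PE\0\0"
    samples = {
        "udf/mysql/linux/lib_mysqludf_sys.so": b"\x7fELF" + b"\0" * 60,
        "udf/mysql/windows/lib_mysqludf_sys.dll": pe_stub,
        "sqlmap.py": b"#!/usr/bin/env python\n",
        "doc/MZ-notes.txt": b"MZ is also how this text file starts\n",
    }
    for rel, data in samples.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, kind in find_prebuilt(tmp):
            print(f"{kind}\t{rel}")
```

Run against the real unpacked source, an empty result from find_prebuilt() is what a source-only tarball should give; each hit is a file that needs accompanying source and a build rule, or removal from the tarball.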

