
Re: RFS: jarifa



2010/12/9 Daniel Lombraña González <teleyinex@gmail.com>:

> I am looking for a sponsor for my package "jarifa".

A review of the source package:

Your upstream version should be 1.0~rc8 since that sorts before 1.0
and rc usually means release candidate.

debian/patches/debian-changes-1.0-rc8-1 looks like it can be removed
or applied upstream.

Please add a debian/watch file (see uscan manual page for details).

You might want to wrap the Depends line in debian/control since it is
very long. I like to split the line after every comma.

Can jarifa not connect to a MySQL server over the network? If so you
might want to demote mysql-server to recommends.

README.source looks like it belongs in the upstream README since it is
not Debian specific.

You add a symlink to ttf-dejavu fonts but do not depend on it. At the
very least I would say you need a Recommend.

Please switch jarifa to a randomly generated password instead of a
static, easily guessable one when the user does not set a password.

www-data is defined in base-passwd so I think you can set permissions
on /usr/share/jarifa/img/stats at build time instead of in
postinstall.

Why does your prerm remove files from /usr? I think maybe your
software should use /var/lib/jarifa instead for runtime-created data.

I would replace your debian/rules file with
/usr/share/doc/debhelper/examples/rules.tiny and add "conf/jarifa.sql
usr/share/dbconfig-common/data/jarifa/install/mysql" to
debian/jarifa.install.

libchart-1.2 is an embedded code copy (with its own embedded font
copy), please remove it from the tarball and package it separately.
db_conn.inc is similar, but I'm wondering why I don't see that in the
boinc package in Debian.

These files look like they were created in Inkscape/GIMP but I don't
see any SVG/XCF source for them: computer.png cpus.png credit.png
supplier.png volunteer.png.

I wonder what the license/source for vcss.png is, since it looks like
an image from the W3C. Same for agplv3.png since it is an FSF image.

Why is there a lang/es_ES.utf8/LC_MESSAGES/messages.mo but no
lang/es_ES.utf8/LC_MESSAGES/messages.po?

Have you had the PHP code audited for vulnerabilities or run any
automated exploit-finding tools against jarifa? Examples of such tools
available in Debian include w3af, wapiti, sqlmap and rats. owasp.org is a
good place to go to learn about web application security.

Your jarifa.apache.conf forces jarifa to be available at /jarifa on
all apache vhosts. As a sysadmin I would expect either to be asked
which vhost and URL path to configure jarifa at, or to be expected to
configure it manually based on an example config.

lintian complaints:

I: jarifa source: no-complete-debconf-translation
I: jarifa source: debian-watch-file-is-missing

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
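
The random-password fallback requested in the review above, as an added example that is not part of the original message or of the jarifa package. The function names, and the assumption that the password reaches the maintainer script as a possibly empty string (for example from a debconf question), are hypothetical.

```shell
#!/bin/sh
# Added example: random-password fallback for a maintainer script.
# All names are hypothetical; nothing here is taken from the jarifa package.

# gen_password
# Print 48 hex characters (192 bits) read from the kernel CSPRNG.
# od emits a fixed number of bytes, so the length is deterministic.
gen_password() {
    od -An -N24 -tx1 /dev/urandom | tr -d ' \n'
}

# choose_password USER_SUPPLIED
# Echo the user's password when one was given, otherwise a fresh random
# one. No static default exists anywhere in the script.
choose_password() {
    if [ -n "$1" ]; then
        printf '%s' "$1"
    else
        gen_password
    fi
}

# store_password FILE PASSWORD
# Write the secret to FILE with mode 0600. The old file is removed first
# because ">" would keep the looser permissions of an existing file, and
# the umask is set in a subshell so the caller's umask is unchanged.
store_password() {
    (
        umask 077
        rm -f "$1"
        printf '%s\n' "$2" > "$1"
    )
}
```

The generated value should be shown to the administrator once or left in the root-only file, not written to a world-readable config.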
