Re: RFS: uhub (closes ITP bug)

(Please don't CC me, when replying to list mail)

Boris Pek <tehnick-8@mail.ru> writes:

>>* debian/copyright appears to be a mix between free-form and DEP-5. I
>>  would recommend using either, but not a mix between the two, as that
>>  looks just awkward.
> I have not aimed to support DEP5. Such form of writing just seems more human
> readable to me. Maybe I will update the copyright file according to the DEP-5 spec later.

I don't mind either free-form copyright or DEP-5. But your copyright
file's first part is free-form, while the end looks suspiciously
dep-5-like. That's a bit... weird. At least for me.

>>  It would also be nice if you'd describe how exactly the .orig.tar.bz2
>>  is generated: is it downloaded from the specified location as-is? Is
>>  it repackaged in one way or the other? (I suppose so, the debian/ dir
>>  is not present in the .orig.tar.gz)
> All necessary information is available in the debian/copyright file:
> https://github.com/tehnick/uhub-debian/blob/master/debian/copyright#L7
> GitHub has no possibility to make bzip tarballs from git tags
> automatically. So only zip archives and gzip tarballs are available there.

Yeah, I know how GitHub works, but those two lines don't tell me what
you wrote just above: that it's the same as the tarball from github,
except it's bz2 and debian/ is not included in the orig.tar.gz.

This is the information I'd like to see in the copyright file, as it
tells me exactly what steps were taken to generate the
tarball. Otherwise I have to guess and double-check, and I'm waaay too
lazy to do that.

> So .orig.tar.bz2 is formed in such a way:
> https://github.com/tehnick/deb_packages/blob/master/Debian/uhub/automatic_update_uhub#L77

This could be included in the package sources, perhaps even worked into
debian/rules get-orig-source. That'd be awesome.

>>* debian/uhub.postinst
>>  The postinst unconditionally chmods /var/log/uhub to 750 on every
>>  upgrade.
> This is an important security issue. I think these logs shouldn't be available
> for reading by others.

I agree. But you can accomplish that by shipping /var/log/uhub in the
.deb binary, with permissions set to 750, instead of chmodding in the
postinst. (But see below)

>>  I would suggest shipping the directory in the deb with that
>>  permission already, and drop the postinst.
> This is a bad idea:
> W: uhub: non-standard-dir-perm var/log/uhub/ 0750 != 0755
> N: 
> N:    The directory has a mode different from 0755, and it's not one of the
> N:    known exceptions.
> N:    
> N:    Refer to Debian Policy Manual section 10.9 (Permissions and owners) for
> N:    details.
> N:    
> N:    Severity: normal, Certainty: possible
> N:    
> N:    Check: files, Type: binary, udeb

Note the Certainty: possible. Also, quoting the first two sentences of
the referenced section:

"The rules in this section are guidelines for general use. If necessary
you may deviate from the details below."

I believe that setting /var/lib/uhub to 0750 in the deb, instead of the
postinst is a good enough reason to deviate from the recommendation, and
override the lintian warning.

On the other hand, there exist packages in the archive that do this in
postinst, so.. whichever way you prefer.

>>* Other notes
>>  Since uhub seems to have the option of being compiled with SSL
>>  support, it might be a good idea to enable that, perhaps?
> In this stable release SSL support is very experimental in my opinion.
> But in the current development version it is quite good. So I will enable this
> option in the next stable release.

Fair enough!
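
The permission question above (ship /var/log/uhub with mode 0750 inside the .deb rather than chmodding it in postinst) can be verified on the built package before upload. The following is an added example, not code from the thread or from the uhub packaging; it assumes the tar-style listing format of "dpkg-deb -c", and the listing it parses is a constructed sample, not the real package contents.

```shell
#!/bin/sh
# Check whether a directory in a .deb contents listing is shipped with the
# expected mode. Real usage: dpkg-deb -c uhub_*.deb | listed_dir_mode var/log/uhub

# Constructed sample of "dpkg-deb -c" output (not the real uhub package).
SAMPLE_LISTING='drwxr-xr-x root/root         0 2012-06-01 12:00 ./
drwxr-xr-x root/root         0 2012-06-01 12:00 ./usr/
drwxr-xr-x root/root         0 2012-06-01 12:00 ./usr/bin/
-rwxr-xr-x root/root    123456 2012-06-01 12:00 ./usr/bin/uhub
drwxr-xr-x root/root         0 2012-06-01 12:00 ./var/
drwxr-xr-x root/root         0 2012-06-01 12:00 ./var/log/
drwxr-x--- root/root         0 2012-06-01 12:00 ./var/log/uhub/'

# Translate a tar-style mode string such as "drwxr-x---" into octal ("750").
# The leading type character is dropped; setuid/setgid/sticky bits count as x.
mode_to_octal() {
    perms=$(printf '%s' "$1" | cut -c2-10)
    octal=""
    for start in 1 4 7; do
        triple=$(printf '%s' "$perms" | cut -c"$start"-"$((start + 2))")
        digit=0
        case $triple in r??) digit=$((digit + 4)) ;; esac
        case $triple in ?w?) digit=$((digit + 2)) ;; esac
        case $triple in ??[xst]) digit=$((digit + 1)) ;; esac
        octal="$octal$digit"
    done
    printf '%s\n' "$octal"
}

# Read a listing on stdin and print the octal mode of the given directory
# (path relative to the package root, e.g. var/log/uhub).
# Returns 1 when the directory is not shipped in the package at all, which is
# exactly the case where a postinst chmod would be the only thing setting it.
listed_dir_mode() {
    wanted="./${1%/}/"
    while read -r perms owner size date time path rest; do
        [ "$path" = "$wanted" ] || continue
        mode_to_octal "$perms"
        return 0
    done
    return 1
}

# Demonstration on the constructed listing.
mode=$(printf '%s\n' "$SAMPLE_LISTING" | listed_dir_mode var/log/uhub) &&
    printf 'var/log/uhub is shipped with mode %s\n' "$mode"
```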
