
Re: dbconfig-common; repacking source



On Fri, Dec 9, 2011 at 1:30 AM, Christian Welzel wrote:

> currently i try to get my typo3 packages into shape, so the
> new version gets accepted by ftp-masters.

Here is a review of the package you uploaded to mentors.d.n recently:

Why do the source package name and one binary package name include a version number?

This sentence in one of the README.Debian files doesn't make sense to me:

"For more details to typo3-dummy look there."

You may want to run wrap-and-sort -s

The Homepage field belongs in the source section of debian/control,
not duplicated in all the binary sections.

ttf-dejavu has been split up into ttf-dejavu-core and
ttf-dejavu-extra, do you need them both? If not please update the
dependency.

The Vcs-Browser URL is 404.

Please add a Vcs-Svn field.

The blank lines and comments in debian/watch are not needed, remove them.

Please add comments to your lintian overrides file indicating why you
are overriding each tag.

debian/compat is quite old, I would suggest using debhelper compat 7 or later.

I wonder if adding a localconf.d directory and dropping a file in
there is a better way of providing Debian-specific configs.

Please work on getting your patches upstreamed.

I'm not sure that 01-fontsreadme.patch is appropriate.

03-dummy-addindexpages.patch looks misguided, shouldn't your
configuration examples and/or generator simply turn off Apache
directory listing? I suppose it is useful as a last resort though. I
don't think it is a good idea to redirect to / though, the site might be
installed at a different path in the domain name than /. I would
instead suggest to put a message saying directory listing is not
available.

I am horrified that PHP exec() appears to take only a string instead
of an array. I suggest you run away screaming. This comment brought to
you by 06-fix-im-command.patch. After a bit more reading I found
pcntl_exec, which seems to do the right thing. Please convince your
upstream to switch to pcntl_exec and friends.

debian/typo3-src-4.6.examples can be deleted or the contents uncommented.

Have you looked at wwwconfig-common?

The package unilaterally takes over /cms on any non-typo3 domains also
hosted by the machine. This is bad if some user is using another CMS
at that URL.

Having a default password is a bad idea.

There are quite a lot of duplicated files in the source package, you
might like to inform upstream about that.

rats finds a lot of potential vulnerabilities.

There are a metric buttload of embedded code copies still:

typo3/contrib/codemirror http://codemirror.net/
typo3/contrib/extjs libjs-extjs
typo3/contrib/flashmedia/swfobject http://code.google.com/p/swfobject/
typo3/contrib/flashmedia/qtobject http://blog.deconcept.com/2005/01/26/web-standards-compliant-javascript-quicktime-detect-and-embed/
typo3/contrib/idna http://idnaconv.phlymail.de
typo3/contrib/flashmedia/src/player/emff.as http://emff.sourceforge.net/
typo3/contrib/modernizr http://www.modernizr.com
typo3/contrib/pear/* various projects
typo3/contrib/swfupload http://swfupload.googlecode.com
typo3/contrib/websvg http://code.google.com/p/svgweb/
various parts of typo3/sysext

Sourceless files:

typo3/contrib/flashmedia/swfobject/swfobject.js
typo3/contrib/modernizr/modernizr.min.js
typo3/contrib/websvg/svg.js

At this point I stopped reviewing the package because of all the
embedded code copies.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
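
The exec() versus pcntl_exec point raised in the review above, as an added example that is not part of the original message or of the typo3 code. It assumes PHP CLI with the pcntl extension and a printf binary at /usr/bin/printf; run_argv() and the file name are hypothetical.

```php
<?php
// Constructed input: a file name containing shell metacharacters.
$file = 'upload; echo INJECTED #.png';

// 1. exec() with a concatenated string: /bin/sh parses the whole line,
//    so the ';' starts a second command and '#' comments out the rest.
exec('printf "%s\n" ' . $file, $unescaped);

// 2. exec() with escapeshellarg(): still goes through the shell, but the
//    value is quoted and arrives as a single argument.
exec('printf "%s\n" ' . escapeshellarg($file), $escaped);

// 3. pcntl_exec(): arguments are an array handed straight to execve(),
//    no shell is involved. It replaces the calling process, so fork first.
//    run_argv() is a hypothetical helper; it needs the pcntl extension.
function run_argv(string $path, array $args): int
{
    $pid = pcntl_fork();
    if ($pid === -1) {
        throw new RuntimeException('fork failed');
    }
    if ($pid === 0) {
        pcntl_exec($path, $args);
        exit(127); // reached only if the exec itself failed
    }
    pcntl_waitpid($pid, $status);
    return pcntl_wifexited($status) ? pcntl_wexitstatus($status) : -1;
}

echo "unescaped string: ", json_encode($unescaped), "\n";
echo "escaped string:   ", json_encode($escaped), "\n";
echo "argv array:       ";
// The printf path is an assumption; adjust it for the local system.
$code = run_argv('/usr/bin/printf', ["%s\n", $file]);
echo "exit status:      $code\n";
```

With escapeshellarg() the safety of every call site depends on nobody forgetting the quoting; with an argument array there is no command line for the shell to reinterpret.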

