Bug#683184: RFS: suckless-tools/39-1 [ITA]

To: 683184@bugs.debian.org
Subject: Bug#683184: RFS: suckless-tools/39-1 [ITA]
From: Jakub Wilk <jwilk@debian.org>
Date: Mon, 30 Jul 2012 10:48:11 +0200
Message-id: <[🔎] 20120730084811.GA6351@jwilk.net>
Mail-followup-to: 683184@bugs.debian.org
Reply-to: Jakub Wilk <jwilk@debian.org>, 683184@bugs.debian.org
In-reply-to: <[🔎] 20120729165717.GA28131@vasudev.homelinux.net>
References: <[🔎] 20120729165717.GA28131@vasudev.homelinux.net>

This is only a very rudimentary review. I don't have time to review thisproperly for the time being. Anybody else is welcome to do it for me. :)


* Vasudev Kamath <kamathvasudev@gmail.com>, 2012-07-29, 22:27:

   dget -x http://mentors.debian.net/debian/pool/main/s/suckless-tools/suckless-tools_39-1.dsc

 More information about hello can be obtained from http://www.example.com.

 Changes since the last upload:

suckless-tools (39-1) unstable; urgency=low

It doesn't look like it's suitable for wheezy, so please make its/unstable/experimental/.

 [ Michael Stummvoll ]
 * New Maintainer (Closes: #647090)

[0]

 [ Vasudev Kamath ]
 * Imported new version of slock (Closes: #667796)

This fixes a security issue, so please mention CVE number in thechangelog.

   + Added myself as maintainer and Michael Stummvoll as Uploader


I'd merge this item with [0].

   + Added dependency on dpkg-dev >= 1.16.1.1


It'd nice to mention why it's needed.

+This package contains a set of tools from suckless community as
+single package. To build the package you need to create source
+tarballs of individual tool component involved. This can be done
+by running following command from suckless-tools folder
+
+ fakeroot debian/rules get-orig-source


Why fakeroot?

+Forwarded: <no|not-needed|url proving that it has been forwarded>


Please choose one. :)

+-$ $(tabbed -d >/tmp/tabbed.xid); urxvt -embed $(</tmp/tabbed.xid);
++$ $(tabbed \-d >/tmp/tabbed.xid); urxvt \-embed $(</tmp/tabbed.xid);

If you're fixing this, please also fix the security hole (insecure useof temporary files).

+override_dh_installdocs:
+	dh_installdocs
+	for TOOL in $(TOOLS); \
+	do \
+		cp $${TOOL}/README $(D)/usr/share/doc/suckless-tools/README.$${TOOL}; \
+	done

This for loop needs a "set -e"; see Policy §4.6. I see other parts ofdebian/rules has the same problem.

+	@cd /tmp
+	@tar -cvf - suckless-tools_$(CURRENT_VERSION) 2> /dev/null | gzip -9 > ../suckless-tools_$(CURRENT_VERSION).orig.tar.gz
+	@rm -rf /tmp/suckless-tools_$(CURRENT_VERSION)


This creates temporary files insecurely.

--
Jakub Wilk

Reply to:

Follow-Ups:
- Bug#683184: RFS: suckless-tools/39-1 [ITA]
  - From: Vasudev Kamath <kamathvasudev@gmail.com>

References:
- Bug#683184: RFS: suckless-tools/39-1 [ITA]
  - From: Vasudev Kamath <kamathvasudev@gmail.com>

Prev by Date: Bug#680544: RFS: muffin/1.0.6-1 [ITP] -- lightweight window and compositing manager
Next by Date: Bug#677379: New upstream version.
Previous by thread: Bug#683184: RFS: suckless-tools/39-1 [ITA]
Next by thread: Bug#683184: RFS: suckless-tools/39-1 [ITA]
Index(es):
- Date
- Thread