
Bug#687620: RFS: udpxy/1.0.23-1 [ITP]

Hi, Helmut! It's me again.

Almost all of the notices you mentioned below are fixed. At least now we have manpages. :-)

But I have some difficulties with hardening.
I clearly see that all required flags get used during the build process, for example:


for compiling, and

cc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wl,-z,relro -DUDPXREC_MOD -DNDEBUG -DTRACE_MODULE -o udpxy udpxy.o sloop.o rparse.o util.o prbuf.o ifaddr.o ctx.o mkpg.o rtp.o uopt.o dpkt.o netop.o extrn.o main.o udpxrec.o

for linking. But lintian says that "udpxy: hardening-no-fortify-functions usr/bin/udpxrec".
Can it be a false positive?

Helmut Grohne wrote 2012-10-26 02:57:
On Fri, Sep 14, 2012 at 09:22:46PM +1100, Alex 'AdUser' Z wrote:
WNPP request is here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687543 Package uploaded just now: https://mentors.debian.net/package/udpxy

So I had a look at your package version 1.0.23-1 as found on
mentors.debian.net. So here are some notes.

The long description of your package looks suspiciously short. This is not a problem if it says all that needs to be said. However, some bits
are missing. Please try to answer the following questions inside the
long description:
1) What are example use cases?
2) Does a client to this proxy need special capabilities?
3) Do multicast streams have to be configured with the daemon or can
   they be configured from the client?

Your copyright file mentions the location of the GPL-2, why don't you
mention the location of the GPL-3 as well?

You don't mention your full name and especially don't do so in the
copyright file. In some jurisdictions attributions to pseudonyms are
allowed, but they are not without problems. I cannot tell whether the
Debian project can redistribute your packaging as is. In addition the
Debian community has a history of using real names. Not mentioning yours
will make finding a sponsor harder.

Your destdir patch solves the issue for Debian, but it would be nicer if it added $PREFIX as well. Then you can prod upstream to include
the patch and drop it yourself.

Why do you patch in a distclean target? dh_auto_clean should be able to figure out that it does not exist and use clean instead. Please explain
why this does not work in the patch header.

A watch file seems missing. Since the project is hosted at sourceforge
adding one should be easy.

The documentation shipped with the package seems to be lacking as well.
A manual page seems completely absent. Could you write one?

The daemon is interfacing with the network. As such wheezy's hardening
release goal is applicable here (even though the package will not be
part of wheezy). Getting hardening working is a bit of work. You'll
probably have to patch more of the Makefile.

It seems like your package provides an architecture independent
interface (i.e. command line and network) to other packages. As such you
could probably be adding a Multi-Arch: foreign header.

I'd say the most important steps are adding documentation and getting
the hardening running. Once these issues are solved the package seems
like a good addition, because it solves a task no other package solves
yet. Thanks for your work.
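The lintian tag discussed above normally means -D_FORTIFY_SOURCE=2 never reached the compile step: dpkg-buildflags places it in CPPFLAGS, which a Makefile that only honours CFLAGS and LDFLAGS ignores, and the link line quoted above shows the CFLAGS and LDFLAGS options but nothing from CPPFLAGS. The POSIX sh checker below is an added example, not code from this thread or from the udpxy project; it reads compiler invocations from a build log and reports which hardening flag each compile or link step lacks, on constructed log lines shaped like the one quoted above.

```shell
#!/bin/sh
# Constructed build-log lines (not from the thread), shaped like the quoted
# link line: CFLAGS and LDFLAGS reach cc, but CPPFLAGS, where dpkg-buildflags
# puts -D_FORTIFY_SOURCE=2, never does, so no fortified libc functions appear.
SAMPLE_LOG='cc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -DNDEBUG -c -o main.o main.c
cc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -DNDEBUG -c -o util.o util.c
cc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wl,-z,relro -o udpxy main.o util.o'

# report_missing LINE FLAG LABEL: print a finding when FLAG is absent from
# LINE, naming the -o target of that step. Returns 0 if present, 1 if missing.
report_missing() {
    target=${1#* -o }; target=${target%% *}
    case "$1" in
        *"$2"*) return 0 ;;
        *) echo "$3: missing $2 for $target"; return 1 ;;
    esac
}

# check_hardening_log: read compiler invocations on stdin, check the flags
# that belong to each step, and return 1 if any step is incomplete.
check_hardening_log() {
    status=0
    while IFS= read -r line; do
        case "$line" in
            cc\ *|gcc\ *) ;;        # only compiler invocations are interesting
            *) continue ;;
        esac
        case "$line" in
            *" -c "*)               # compile step: CPPFLAGS and CFLAGS apply
                for flag in -D_FORTIFY_SOURCE=2 -fstack-protector -Werror=format-security; do
                    report_missing "$line" "$flag" compile || status=1
                done
                # fortify needs optimisation; without -O it is silently inert
                case "$line" in *-O[1-3s]*) ;; *)
                    echo "compile: no optimisation, fortify inert for ${line##* }"; status=1 ;;
                esac ;;
            *)                      # link step: LDFLAGS apply
                report_missing "$line" -Wl,-z,relro link || status=1 ;;
        esac
    done
    return $status
}

if printf '%s\n' "$SAMPLE_LOG" | check_hardening_log; then
    echo "all steps carry the expected hardening flags"
else
    echo "hardening incomplete: check whether the Makefile honours CPPFLAGS"
fi
```

A log-based check cannot tell a missing define from a genuine false positive, which lintian allows for when the binary calls none of the libc functions glibc fortifies; running blhc on the build log and hardening-check on the built binary settles which case applies.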

