Bug#699651: RFS: mosquitto/1.1.2-1

To: 699651@bugs.debian.org
Subject: Bug#699651: RFS: mosquitto/1.1.2-1
From: Jakub Wilk <jwilk@debian.org>
Date: Mon, 4 Feb 2013 16:06:25 +0100
Message-id: <[🔎] 20130204150625.GA4052@jwilk.net>
Mail-followup-to: 699651@bugs.debian.org
Reply-to: Jakub Wilk <jwilk@debian.org>, 699651@bugs.debian.org
In-reply-to: <[🔎] CAH7zdyc+3Gxd4F9sEjysbyOkHbe=XagRk6xEgY-aQoab6sZXRw@mail.gmail.com>
References: <[🔎] CAH7zdyc+3Gxd4F9sEjysbyOkHbe=XagRk6xEgY-aQoab6sZXRw@mail.gmail.com>

I don't indent to sponsor this package, but here's a quick review:

* Roger Light <roger@atchoo.org>, 2013-02-02, 22:52:

 * Bumped standards release to 3.9.3. No changes needed.


Lintian says:
W: mosquitto source: out-of-date-standards-version 3.9.3 (current is 3.9.4)

 * Debhelper bumped to version 9 to help fix hardening-no-fortify-functions.


Well, it didn't fix it. Lintian emits:
W: libmosquitto1: hardening-no-relro usr/lib/libmosquitto.so.1
W: libmosquitto1: hardening-no-fortify-functions usr/lib/libmosquitto.so.1
W: mosquitto: hardening-no-fortify-functions usr/bin/mosquitto_passwd
W: mosquitto: hardening-no-fortify-functions usr/sbin/mosquitto

blhc confirms that at least some binaries were built without hardening.

 * Added upstart init script.
 * Modified normal init script to work if upstart is used.


Lintian says:
I: mosquitto: output-of-updaterc.d-not-redirected-to-dev-null mosquitto postinst
E: mosquitto: duplicate-updaterc.d-calls-in-postinst mosquitto
I: mosquitto: output-of-updaterc.d-not-redirected-to-dev-null mosquitto postrm
E: mosquitto: duplicate-updaterc.d-calls-in-postrm mosquitto

What is the build-dependency on python-setuptools for? AFAICS thispackage doesn't use setuptools.

Both debian/rules and the top-level Makefile don't trap errors. SeePolicy §4.6 for details.

Why do you need two for loops in debian/rules? They do exactly the samething.

You iterate over all supported Python 3 versions, but you build-dependonly on the default one.

Similarly, the "python (>= 2.6.6-3~), python2.7" build-dependency is notsufficient. You want: "python-all (>= 2.7)".


Why "X-Python-Version: >= 2.7"? Upstream's setup.py says:
'Programming Language :: Python :: 2.6'

What happened to python-mosquitto's Depends?

Unless you have very good reasons, the -dev packages should beunversioned.

License and copyright information for uthash.h is not included indebian/copyright.

uthash is packaged separately in Debian. You should buildmosquitto against the uthash-dev package instead of the embedded copy.

mosquitto_passwd creates temporary files in current working directory ina non-atomic way. This is insecure if cwd if world-writable (e.g. /tmp).Moreover, rename() will fail if the password file is on a differentpartition than cwd. (And it'll fail silently, since the return value isignored...)


--
Jakub Wilk

Reply to:

Follow-Ups:
- Bug#699651: RFS: mosquitto/1.1.2-1
  - From: Roger Light <roger@atchoo.org>

References:
- Bug#699651: RFS: mosquitto/1.1.2-1
  - From: Roger Light <roger@atchoo.org>

Prev by Date: Bug#699669: RFS: agar/1.4.1+repack1-1 [ITP] -- toolkit for graphical applications
Next by Date: Re: nbc package has been removed from Mentors
Previous by thread: Bug#699651: RFS: mosquitto/1.1.2-1
Next by thread: Bug#699651: RFS: mosquitto/1.1.2-1
Index(es):
- Date
- Thread