Hi Tong,

Just to be clear, I don't feel I know enough about authentication/security to be able to sponsor you, but I do have comments on the packaging. Although you fixed your initial problem of building a package, you are not done yet. The quality of the packaging is by far not good enough yet for Debian.

- This package has never been in Debian. Most people (and thus sponsors) would like the changelog to be empty except for an "Initial release (Closes: #716852)" line.
- Did you ever read the Debian policy [1]? Because you have to make sure that your package complies with it. YOU have to make sure it does.
- What I find one of the most important aspects of the initial upload is that you check the license of ALL files in the package. You have to document this in the copyright file, for which I recommend using the machine-readable format [2].
- Did you write the README.Debian yourself? I would assume it is worth a license statement and a copyright owner notification in d/copyright. You actually note that you copied a big chunk, but that site does not provide a license. Do you have a statement from that copyright owner that you can distribute that under a DFSG license? Please make sure that that statement is included in the packaging.
- The text in section "Setup authorized keys" does not describe a very professional way of setup. What you should describe is what needs to be in those files. By the way, this setup does not feel so convenient for systems with a large user base. Is this the only way to add keys to this agent?
- In your README.Debian you link to examples on pastebin. I would rather have them installed in /usr/share/doc/libpam-ssh-agent-auth/examples/
- I also recommend installing the other examples from the README.Debian file as examples.
- I am not so happy with the rules file. It contains commented out commands (you should remove those) and
- There is a typo in the rules in the config.status target: --mandir=/usr//share <- two /'s
- Why priority extra? I would go for optional.
- Why did you actually need more build depends than upstream? Maybe I am wrong, but e.g. I don't see liblockfile-dev being used.
- The package seems to contain tests. Consider running them at build time. (I have not looked at the tests themselves, just noticed that they are there.)
- There is a quality checker for packages called lintian; it is even mentioned on your page on mentors.d.n. Please run it on your package as it will point you to several things that should be fixed. I'll copy it below once without the "-i" flag; I propose you use "lintian --color=always -I -E -i --pedantic libpam-ssh-agent-auth_0.9.5-2.2_amd64.changes"

W: libpam-ssh-agent-auth source: maintainer-upload-has-incorrect-version-number 0.9.5-2.2
You are the maintainer, no need to NMU. Also, most sponsors prefer to start with -1 instead of -2.

W: libpam-ssh-agent-auth source: ancient-standards-version 3.8.0 (current is 3.9.4)
See my comment above. You should check if the package conforms to policy. If so, you should set the standards version to 3.9.4. If not, you have to adapt, such that you can set it to 3.9.4.

I: libpam-ssh-agent-auth source: debian-watch-file-is-missing
Nice to see on the PTS (packages.qa.debian.org) if there is a new upstream version.

W: libpam-ssh-agent-auth: hardening-no-relro lib/security/pam_ssh_agent_auth.so
I: libpam-ssh-agent-auth: hardening-no-fortify-functions lib/security/pam_ssh_agent_auth.so
If possible I really think packages should build with hardening flags.

P: libpam-ssh-agent-auth: no-upstream-changelog
If it is not there, you can ignore this, but you could ask upstream to provide one.

W: libpam-ssh-agent-auth: copyright-refers-to-deprecated-bsd-license-file
You should carefully check the license of all files in this package. Indeed the link in the copyright file does not contain the same information as the text in the copyright file, so at least the link is wrong.

W: libpam-ssh-agent-auth: manpage-has-bad-whatis-entry usr/share/man/man8/pam_ssh_agent_auth.8.gz
I: libpam-ssh-agent-auth: spelling-error-in-manpage usr/share/man/man8/pam_ssh_agent_auth.8.gz explicitely explicitly
Please read the lintian info.

There is probably more to fix, but I spent enough time already.... Please improve at least most of the issues and I will have another look. But again, I am not going to sponsor such a package, as I don't feel comfortable with new authentication/security stuff.

Paul

[1] http://www.debian.org/doc/debian-policy/
[2] http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
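As an added example (my own code, not part of Tong's package, of lintian or of the thread), here is the property behind the hardening-no-relro warning quoted above: a link with -z relro writes a PT_GNU_RELRO program header into the object, and that header is what the tag reports as missing for lib/security/pam_ssh_agent_auth.so. The check_file path argument and the constructed header-only ELF image are assumptions so the check can be run offline against a known-good and a known-bad input.

```python
"""RELRO check for an ELF64 shared object, the property behind lintian's
hardening-no-relro tag (reported above for pam_ssh_agent_auth.so)."""
import struct

ELF_MAGIC = b"\x7fELF"
PT_GNU_RELRO = 0x6474E552   # program-header type the linker emits for -z relro


def program_header_types(data: bytes) -> list:
    """Return the p_type of every program header in a little-endian ELF64 image."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]        # e_phoff
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    return [struct.unpack_from("<I", data, e_phoff + i * e_phentsize)[0]
            for i in range(e_phnum)]


def has_relro(data: bytes) -> bool:
    """True when a PT_GNU_RELRO segment is present (partial RELRO at least)."""
    return PT_GNU_RELRO in program_header_types(data)


def check_file(path: str) -> bool:
    """Run the check on an installed object, e.g. lib/security/pam_ssh_agent_auth.so."""
    with open(path, "rb") as fh:
        return has_relro(fh.read())


def build_fake_elf(with_relro: bool) -> bytes:
    """Constructed sample input: ELF64 header plus program headers, no code at all."""
    types = [1]                                  # PT_LOAD
    if with_relro:
        types.append(PT_GNU_RELRO)
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, LSB, version 1
    header = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        3, 0x3E, 1, 0,            # ET_DYN, EM_X86_64, EV_CURRENT, no entry point
        64, 0, 0,                 # e_phoff right after the header, no shdrs, flags
        64, 56, len(types), 0, 0, 0)  # ehsize, phentsize, phnum, no section headers
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 4, 0, 0, 0, 0, 0, 0) for t in types)
    return header + phdrs
```

For a dh-based build, putting `export DEB_BUILD_MAINT_OPTIONS = hardening=+all` in debian/rules makes dpkg-buildflags supply the relro, bindnow and fortify flags that clear both hardening tags.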