Re: Bug#744045: RFS: xsd/3.3.0.2-1 [ITA]

[Vincent Cheng <vcheng@debian.org>]

Hi Jörg,

Please don't forget to cc your RFS bug (#744045).

On Sun, Apr 13, 2014 at 7:31 AM, Jörg Frings-Fürst
<debian@jff-webhosting.net> wrote:
> Hallo,
>
> Am Samstag, den 12.04.2014, 01:12 -0700 schrieb Vincent Cheng:
>> Control: tag -1 + moreinfo
>>
>> On Wed, Apr 9, 2014 at 7:17 AM, Jörg Frings-Fürst
>> <debian@jff-webhosting.net> wrote:
>> > Package: sponsorship-requests
>> >   Severity: normal [important for RC bugs, wishlist for new packages]
>> >
> [...]
>>
>> Please use upstream's tarball (assuming that [1] is the correct
>> source, please use the ones that don't have dependencies bundled
>> inside) directly as your orig tarball, and apply the contents of
>> "bug604256.tar.gz" and any other diffs as quilt patches, unless
>> there's a good reason for the current tarball-in-a-tarball approach
>> (if there is, please explain). Also remove your debian packaging from
>> the source tarball.
>>
>
> Changes since the last upload:
>
>   * rename version from the orig-tarball
>   * replace old tarball-in-tarball with the the orig-tarball
>   * remove
>     - patches included in tarball
>     - debian/README.source
>   * add hardenning-wrapper to Build-Depends
>   * rewrite debian/rules
>   * rename debian/patches/xsd_xsdcxx-rename.patch to
>       0001-xsd_xsdcxx-rename.patch
>   * add file xsdcxx.lintian-overrides
>     - duplicate-files
>     - debian-watch-may-check-gpg-signature
>     - no-upstream-changelog
>   * change debian/compat to 9
>

Here's a laundry list of things that can be improved in your packaging:

- debian/copyright should contain per-file license information (if
this was a NEW package, it would get rejected by ftpmasters for
failing this), e.g. not all files are under GPLv2; some are public
domain, like xsd/examples/cxx/parser/hello/driver.cxx). I suggest
using DEP-5 [1] to ease the task of documenting this, but free-form
debian/copyright is still ok as long as everything is documented. You
can also take advantage of licensecheck (from the devscripts package),
but you'll still have to manually check the source.
- collapse your debian/changelog entries into a single entry; I'd
suggest versioning your current package as 3.3.0.2-1, leaving the
"+dep" out
- your watch file is broken:

$ uscan --report-status
Processing watchfile line for package xsd...
Newest version on remote site is 3.3.0-2+, local version is 3.3.0.2+dep
xsd: remote site does not even have current version

- remove Vcs-Arch from debian/control (see Policy 5.6.26 [2] for what
it's actually supposed to be used for)
- (pedantic) removing the unnecessary quilt build-dep and running
wrap-and-sort to have the build-deps listed in alphabetical order
would be nice
- (pedantic) I'd suggest not overriding lintian tags that are actually
valid (no-upstream-changelog, debian-watch-may-check-gpg-signature);
you can safely just ignore those tags instead
- (pedantic) debian/rules: compress (gzip) your installed manpage and
changelog (or use dh_install{man,docs} which would do that for you,
instead of a single override_dh_auto_install target)

Also, is there a timeline on when you plan on tackling the issues in
debian/TODO (i.e. are you waiting for some changes to be made
upstream, or is it just lack of time that's hindering you for now,
etc.)?

Regards,
Vincent

[1] https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
[2] https://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-VCS-fields