
reviewed scons



Hi Jörg,

I looked into the scons package at
http://mentors.debian.net/debian/pool/main/s/scons/scons_2.3.4-1.dsc and
copy this review to d-mentors for others to join in. Here are some
comments in random order. Importance at end of mail.

1. Earlier reviewers have observed that you are using compression-level
   9 with xz. While xz is already the default, using compression-level 9
   is actively harmful to machines with little RAM. It also doesn't make
   any sense with a 1MB package. See:
   https://lists.debian.org/debian-devel/2014/09/msg00013.html

2. I am very uneasy about the following hunk to script/scons:

| +# - running from source takes priority (since 2.3.2), excluding SCONS_LIB_DIR settings
| +script_path = os.path.abspath(os.path.dirname(__file__))
| +source_path = os.path.join(script_path, '..', 'engine')
| +libs.append(source_path)
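
   Review bot: libs.append(source_path) runs unconditionally, so the '../engine' directory relative to the script is added to libs even when the script is installed rather than run from a source checkout; for a script located in /usr/bin that path is /usr/bin/../engine, i.e. /usr/engine. Add the path only when the script is known to sit in a source tree and the directory exists (for example, guard the append with os.path.isdir(source_path)), or drop these lines from the packaged script. Also note that os.path.abspath does not resolve symlinks, so source_path depends on the path through which the script was invoked.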

   Importing random Python modules from .. is a route to security
   issues. Even if upstream is keen on keeping this hack to make scons
   work better when used from source, the Debian package almost
   certainly should revert it.

3. The fix for #760804+#761565 is needed in jessie. Can you prepare an
   upload to unstable (in addition to your experimental upload) with
   minimal changes beyond fixing RC bugs?

4. d/changelog does not mention the change to the Vcs-Browser field.

5. Why does d/copyright list yourself as sole copyright holder for
   debian/*? It seems that you are not the sole author.

6. I think that it is very unfortunate that you are restricting the
   license of debian/* files to GPL-3+ when upstream uses Expat. That
   will make it way harder to forward patches upstream. Please consider
   using Expat for your contributions to the scons package as well.

7. Did you forward the manpage-spelling.patch upstream?

1, 4, 7 are nice to have, but not essential to fix before uploading. On
the other hand 2, 3 and 5 really need to be addressed and I hope that
you change your mind about 6.

You may want to create RFS bugs against the sponsorship-requests package
to make tracking the state of scons uploads easier.

Thanks for your contributions

Helmut

