
Bug#683120: RFS: yadifa/2.0.0-1 [ITP]



On Tue, Nov 25, 2014 at 10:41 PM, Markus Schade wrote:

> http://mentors.debian.net/debian/pool/main/y/yadifa/yadifa_2.0.0-1.dsc

I don't intend to sponsor this but here is a quick review...

> I have been able to establish contact with upstream and while the
> website may not be updated frequently the next release (2.1.0) is
> scheduled at the beginning of 2015.

Have they integrated your patches and systemd support upstream?

Have you asked them to sign their releases with OpenPGP? The comment
in debian/source/lintian-overrides doesn't make it clear. I don't
think it is a good idea to override the lintian complaint unless they
specifically rejected doing that.

I note that upstream doesn't appear to have a public version control
repository, have you asked them about that?

I noticed you added a systemd service file. The most recent Misc
Developer News included a section about improving security of services
under systemd, you might want to take a look at the talk mentioned in
it and the associated documentation (the systemd.exec manual page).

https://lists.debian.org/debian-devel-announce/2014/11/msg00015.html

I don't think there is any need to guard use of invoke-rc.d with pidof
in your maintainer scripts. I would recommend using the standard
things generated by dh_installinit.

I believe that Debian discourages removal of system users on purge.

I suggest using _yadifa as the system username to avoid conflict with
real users. Another alternative might be Debian-yadifa.

I suggest switching to debian/compat 9, then you won't need the
buildflags stuff in debian/rules since dh will do it for you.

Please rebuild the build system during package build by
build-depending on dh-autoreconf instead of autotools-dev and using dh
--with autoreconf instead of dh --with autotools-dev.

Please ask upstream to change the libraries from static to shared;
static libraries mean more work for Debian in identifying things that
need rebuilding etc.

You might want to run wrap-and-sort -sa to make diffs of debian/ more
readable when doing things like adding dependencies.

There appears to be a tmpfile vulnerability in
lib/dnscore/src/server-setup.c when the code is compiled with DEBUG
set. This is a minor issue but I would suggest it should be fixed
nevertheless.

Given the cppcheck output below, you might want to run a fuzzer like
zzuf to ensure there are no lurking vulnerabilities.

Automated checks:

https://wiki.debian.org/HowToPackageForDebian#Check_points_for_any_package
https://anonscm.debian.org/cgit/collab-maint/check-all-the-things.git

$ cme check dpkg
...
Warning in 'control binary:yadifa Depends:5' value 'lsb-base (>=
3.2-14)': unnecessary versioned dependency: lsb-base >= 3.2-14. Debian
has squeeze -> 3.2-23.2squeeze1; wheezy -> 4.1+Debian8+deb7u1; jessie
-> 4.1+Debian13+nmu1; sid -> 4.1+Debian13+nmu1;
checking data
Warning in 'patches:"fix-yadifa-manpage.patch" Synopsis' value
<undef>: Empty synopsis (code is: 'defined $_ && /\w/ ? 1 : 0 ;')
Warning in 'patches:"fix-yadifad-manpage.patch" Synopsis' value
<undef>: Empty synopsis (code is: 'defined $_ && /\w/ ? 1 : 0 ;')
Warning in 'patches:"fix-yadifad.conf-manpage-whatis.patch" Synopsis'
value <undef>: Empty synopsis (code is: 'defined $_ && /\w/ ? 1 : 0
;')
...

$ codespell --quiet-level=3
<logs of misspellings>

$ cppcheck -j1 --quiet -f .
[bin/yadifa/query-result.c:89]: (error) syntax error
[lib/dnscore/src/dnscore.c:134]: (error) Possible null pointer dereference: msg
[lib/dnscore/src/dnscore.c:135]: (error) Possible null pointer dereference: msg
[lib/dnscore/src/logger_channel_syslog.c:101]: (error) Buffer is
accessed out of bounds.
[lib/dnscore/src/logger_channel_syslog.c:122]: (error) Buffer is
accessed out of bounds.

$ find -type f \( -iname '*.c' -o -iname '*.cc' -o -iname '*.cxx' -o
-iname '*.cpp' -o -iname '*.h' -o -iname '*.hh' -o -iname '*.hxx' -o
-iname '*.hpp' \) -exec include-what-you-use {} \;
<lots of warnings>

$ uscan --report-status
Processing watchfile line for package yadifa...
Newest version on remote site is 1.0.3, local version is 2.0.0
yadifa: remote site does not even have current version

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
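The tmpfile issue raised in the review above is the classic predictable-name race in a world-writable directory. As an added illustration, not code from yadifa or from this thread, the snippet below puts the vulnerable pattern beside a hardened replacement; the file names, the `/tmp` location and the function names are constructed for the example.

```c
/* Added example (not yadifa's code): predictable-tmpfile pattern beside
 * a hardened replacement. Names and paths are constructed for illustration. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: fixed name in a world-writable directory, opened with
 * O_CREAT but without O_EXCL. Any local user can pre-create that name (or a
 * symlink to a file the daemon can write) and the daemon follows it.
 * Shown for contrast only; nothing below calls it. */
int debug_log_open_insecure(void)
{
    return open("/tmp/yadifa-debug.log", O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened: unpredictable name with O_CREAT|O_EXCL semantics (mkstemp),
 * mode 0600 regardless of umask, close-on-exec, and a post-open check that
 * we really own a fresh private regular file. Returns the fd or -1 and
 * leaves the chosen path in path_out so the caller can unlink it later. */
int debug_log_open_secure(const char *dir, char *path_out, size_t path_len)
{
    if (snprintf(path_out, path_len, "%s/yadifa-debug.XXXXXX", dir)
            >= (int)path_len)
        return -1;                      /* buffer too small: fail, don't truncate */

    mode_t old = umask(077);            /* force 0600 even if umask is lax */
    int fd = mkstemp(path_out);
    umask(old);
    if (fd < 0)
        return -1;

    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1
            || (st.st_mode & 0777) != 0600 || st.st_uid != geteuid()) {
        close(fd);
        unlink(path_out);
        return -1;
    }
    fcntl(fd, F_SETFD, FD_CLOEXEC);
    return fd;
}
```

The same check applies to any debug-only code path: a build flag such as DEBUG does not change who else can write to `/tmp`.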

