Many thanks Paul for your review - even though you do not wish to sponsor this, your review has been very valuable.
I've addressed your comments as discussed below.uscan --force-download --verbose
uscan info: uscan (version 2.16.2ubuntu3) See uscan(1) for help
uscan info: Scan watch files in .
uscan info: Check debian/watch and debian/changelog in .
uscan info: package="budgie-desktop" version="10.2.5-1" (as seen in debian/changelog)
uscan info: package="budgie-desktop" version="10.2.5" (no epoch/revision)
uscan info: ./debian/changelog sets package="budgie-desktop" version="10.2.5"
uscan info: Process ./debian/watch (package=budgie-desktop version=10.2.5)
uscan info: Last orig.tar.* tarball version (from debian/changelog): 10.2.5
uscan info: Last orig.tar.* tarball version (dversionmangled): 10.2.5
uscan info: Requesting URL:
https://github.com/solus-project/budgie-desktop/releases
uscan info: Matching pattern:
(?:(?:https://github.com)?\/solus\-project\/budgie\-desktop\/releases)?.*/?(\d{2}\.\d.\d)\.tar\.xz
uscan info: Found the following matching hrefs on the web page (newest first):
/solus-project/budgie-desktop/releases/download/v10.2.5/budgie-desktop-10.2.5.tar.xz (10.2.5) index=10.2.5-4
/solus-project/budgie-desktop/releases/download/v10.2.4/budgie-desktop-10.2.4.tar.xz (10.2.4) index=10.2.4-4
/solus-project/budgie-desktop/releases/download/v10.2.3/budgie-desktop-10.2.3.tar.xz (10.2.3) index=10.2.3-4
/solus-project/budgie-desktop/releases/download/v10.2.2/budgie-desktop-10.2.2.tar.xz (10.2.2) index=10.2.2-4
/solus-project/budgie-desktop/releases/download/v10.2.1/budgie-desktop-10.2.1.tar.xz (10.2.1) index=10.2.1-4
uscan info: Matching target for downloadurlmangle: https://github.com/solus-project/budgie-desktop/releases/download/v10.2.5/budgie-desktop-10.2.5.tar.xz
uscan info: Upstream URL (downloadurlmangled):
https://github.com/solus-project/budgie-desktop/releases/download/v10.2.5/budgie-desktop-10.2.5.tar.xz
uscan info: Newest upstream tarball version selected for download (uversionmangled): 10.2.5
uscan info: Download filename (filenamemangled): budgie-desktop-10.2.5.tar.xz
uscan: Newest version of budgie-desktop on remote site is 10.2.5, local version is 10.2.5
uscan info: => Package is up to date for from
https://github.com/solus-project/budgie-desktop/releases/download/v10.2.5/budgie-desktop-10.2.5.tar.xz
uscan info: => Forcing download as requested
uscan info: Downloading upstream package: budgie-desktop-10.2.5.tar.xz
uscan info: Requesting URL:
https://github.com/solus-project/budgie-desktop/releases/download/v10.2.5/budgie-desktop-10.2.5.tar.xz
uscan info: Successfully downloaded package: budgie-desktop-10.2.5.tar.xz
uscan info: Start checking for common possible upstream OpenPGP signature files
uscan info: End checking for common possible upstream OpenPGP signature files
uscan info: Missing OpenPGP signature.
uscan info: New orig.tar.* tarball version (oversionmangled): 10.2.5
uscan info: Executing internal command:
mk-origtargz --package budgie-desktop --version 10.2.5 --compression gzip --directory .. --copyright-file debian/copyright ../budgie-desktop-10.2.5.tar.xz
uscan info: New orig.tar.* tarball version (after mk-origtargz): 10.2.5
uscan info: Successfully symlinked ../budgie-desktop-10.2.5.tar.xz to ../budgie-desktop_10.2.5.orig.tar.xz.
uscan info: Scan finished
> Does upstream have an opinion on having older versions of Budgie in
> Debian stable, which gets supported for 5 years now that we have LTS.
> I would suggest using diffoscope to compare the broken build with the
> working one, you might discover the reason for this brokenness.
This did not reveal any specific build issues.
> The package fails to build because gtk+3.0 3.20.5-1 is not yet built in Debian:
I presume this is a transition issue for Sid as it moves to GTK+3.20
> There are many hardcoded library dependencies, they shouldn't be
> needed as ${shlibs:Depends} will take care of them, unless these
> libraries are loaded using dlopen instead of linking. If they are
> loaded with dlopen, a ${dlopen:Depends} substvar and a script to
> generate it would be better than hardcoding them.
The dependencies are been cleaned up. No libraries are included. The minimal necessary dependencies have been left - these are required for the desktop system to start successfully
> debian/copyright is missing some copyright holders.
This has been substantially revised
> I think the ftp-masters will want debian/copyright to be more specific
> about which files are LGPL and which are GPL.
The copyright now identifies LGPL vs GPL. I also asked upstream https://github.com/solus-project/budgie-desktop/issues/447 and upstream recommend the following:
grep -R "Lesser General" | cut -d : -f 1 | uniq | grep -v LICENSE> I note that the upstream tarball contains generated files (*.c *.vapi
> *.css *.png *.html). I personally think these need to be removed from
> the upstream tarball and VCS if present in either of those and always
> created at build time. If upstream doesn't want to do that an
> acceptable workaround would be to remove these files in `debian/rules
> clean` and in `debian/rules build` before autoreconf/configure are
> run. Alternatively you could use the gitub-generated tarballs which
> only contain what is in git. Looks like you will need to package some
> more build-deps here though, like gulp-sass.
In the debian/clean I've removed the build artifacts that upstream have recommended here https://github.com/solus-project/budgie-desktop/issues/446#issuecomment-221378660
> The imports/natray/ and gvc/ directories appear to be embedded code
> copies from one of GNOME/cinnamon/MATE/cairo-dock-plug-ins/something.
> They should be removed from all of these including budgie and packaged
> separately. Until that happens the security team need to be notified
> about the embedded code copy, which they track.
> $ apt-file search -iIdsc na-tray
> https://wiki.debian.org/EmbeddedCodeCopies
I asked about this via a hangout session with upstream. The maintainer pointed me at this https://bugzilla.redhat.com/show_bug.cgi?id=1170875 - TL;DR - copied code is allowed due to no stable API
In summary "
There's no system version -- gnome-control-center, gnome-settings-daemon and gnome-shell all bundle libgnome-volume-control using git submodules: https://mail.gnome.org/archives/commits-list/2012-November/msg06793.html https://bugzilla.gnome.org/show_bug.cgi?id=686488 (just checked and indeed there is no standalone libgnome-volume-control lib).
Ah, OK, that's why I couldn't find it. According to [1] the submodule does not have a stable api and is supposed to be "linked" wherever it is needed. So including it in budgie-desktop is allowed by the packaging guidelines, as a "copy library". [1] https://mail.gnome.org/archives/gnomecc-list/2012-October/msg00003.html"
> Please add DEP-3 headers to the patches, particularly the
> Origin/Forwarded headers should point at URLs.
> The first line of nm-applet.diff looks a bit strange.
> Origin/Forwarded headers should point at URLs.
> The first line of nm-applet.diff looks a bit strange.
This has been done.
> The debian-watch-file-is-missing lintian tag should not be overridden
> since upstream has a git repo with tags and tarballs that can be used
> with uscan and debian/watch.
override has been removed
> Please file bugs on lintian about the
> dep5-copyright-license-name-not-unique and postinst-must-call-ldconfig
> false positives.
This has been removed since the package has been reworked.
> The binary-without-manpage lintian tag should not be overridden since
> it is true. Just ignore it until a manual page exists.
Override has been removed
> It would be great if upstream could sign their commits, tags and
> releases with OpenPGP:
Upstream are already signing their commits. Tags/releases are not going to be signed.
> Why do you disable the ibus systray icon?
I've removed this gsettings override
> I'm not sure the gnome-settings overrides are appropriate.
This has been tidied - only one vital override exists - this is needed to display the GNOME appmenu correctly in the window decoration.
> I wonder if the gsettings overrides should be renamed to
> budgie-desktop.gsettings-override so it is only installed for one
> package?
This has been renamed
> Usually in debian/control the version numbers in dependency relations
> have a space before them:
Space has been added.
>I like to wrap-and-sort the debian/ directory using this command:
> wrap-and-sort --short-indent --wrap-always --sort-binary-packages
> --trailing-comma
Done.
> I'm not sure that Section: gnome is appropriate, could you explain
> your reasoning here?
I've moved to misc since I didnt see any other obvious Sid section available. Please advise if there is a better more appropriate section for GNOME/GTK+3 based desktop systems such as budgie-desktop
> The Vcs-Browser field is reserved for the Debian packaging VCS, not
> upstream. See below for a solution for upstream.
Removed
> I would suggest setting the Homepage here instead of to github:
> https://solus-project.com/budgie/
Home-page updated.
> I note there are several stamp files that probably aren't meant to be
> in the upstream tarball:
This does not any material difference - these files are not installed - see the maintainers comments here: https://github.com/solus-project/budgie-desktop/issues/448
> There are some files in the upstream VCS that are missing from the
> upstream tarball, I wonder if that is intentional.
Apparently yes - according to the maintainer as linked above.
> A typo in theme/README.md: obejct
This is not installed - source only issue.
Added upstream metadata
>$ sudo apt-get install -t experimental check-all-the-things
> $ check-all-the-things
On the whole these findings were based on C issues - however this is due as far as I can gather due to the Vala compiler - so not something upstream can deal with.
> # Not sure why but autodep8 doesn't like your debian/control:
> $ autodep8
> grep-dctrl: debian/control:48: expected a colon.
This seems to be fixed now.
> # These should be created at build time instead
> $ find -type f \( -iname '*.png' -o -iname '*.gif' -o -iname '*.jpg'
> -o -iname '*.jpeg' \) -exec grep -iF inkscape {} +
> <lots>
Maintainer has indicated otherwise - see link above
> $ codespell --quiet-level=3
> <lots>
Vala to C compiler issues - not an upstream matter.