
Bug#846325: RFS: netperfmeter/1.6.1-1



Control: owner -1 !
Control: tags -1 +moreinfo


Hi Thomas,

Required fixes for upload:
- d/changelog:
The entries for unreleased Debian versions should be deleted
(preferred) or marked as UNRELEASED. You can also concentrate all
entries not part of a prior (Debian) release into the most recent
entry.
- d/copyright: The license short tag should be GPL-3+, not GPL-3 (note
the "+")
- d/control: Is colorgcc really needed as B-D? Here it builds
without...
- d/control: Standards-Version is not the latest.
- d/compat: Please migrate to compat level 10 -- then also autoreconf
and stuff will be run automatically.
- d/control: your homepage is down.
- d/rules: the override for dh_installchangelogs is not needed.

Nitpicks, not required for upload:
- As far as I can see debian/netperfmon.(install|manpages) is not
needed, picked up automatically.

For check-all-the-things, I recommend installing this package and running
it yourself. I only quoted a bit of it.
Use e.g.
check-all-the-things --checks-output-lines 256


Check-All-The-Things: (nitpick section, but please implement as much as
you think makes sense)

- several versioned B-Ds are already fulfilled in oldstable, can be
dropped: 

Warning in 'control source Build-Depends:3' value 'dpkg-dev (>=
1.16.1~)': unnecessary versioned dependency: dpkg-dev (>= 1.16.1~).
Debian has oldstable -> 1.16.18; stable-kfreebsd -> 1.17.25; stable ->
1.17.27; testing -> 1.18.15;
Warning in 'control source Build-Depends:4' value 'libbz2-dev (>=
1.0)': unnecessary versioned dependency: libbz2-dev (>= 1.0). Debian
has oldstable -> 1.0.6-4; stable -> 1.0.6-7+b3; unstable -> 1.0.6-8;
unstable -> 1.0.6-8+b1;
Warning in 'control source Build-Depends:6' value 'libglib2.0-dev (>=
2.0.0)': unnecessary versioned dependency: libglib2.0-dev (>= 2.0.0).
Debian has oldstable -> 2.33.12+really2.32.4-5; stable-kfreebsd ->
2.42.1-1; stable -> 2.42.1-1+b1; jessie-backports -> 2.48.0-1~bpo8+1;
testing -> 2.50.2-2; experimental -> 2.51.0-2;
Warning in 'control source Build-Depends:7' value 'libsctp-dev (>=
1.0.5)': unnecessary versioned dependency: libsctp-dev (>= 1.0.5).
Debian has oldstable -> 1.0.11+dfsg-2; stable -> 1.0.16+dfsg-2;
unstable -> 1.0.17+dfsg-1;

Warning in 'control binary:netperfmeter Recommends:2' value 'subnetcalc
(>= 2.0.2)': unnecessary versioned dependency: subnetcalc (>= 2.0.2).
Debian has stable-kfreebsd -> 2.1.3-1; testing -> 2.1.3-1+b1;

-- your homepage is down:
E: debian/control: Homepage: http://www.iem.uni-due.de/~dreibh/netperfmeter/: ERROR (Certainty:certain)
   Curl:28 HTTP:0 Timeout was reached Connection timed out after 60001 milliseconds

E: debian/copyright:4: URL: http://www.iem.uni-due.de/~dreibh/netperfmeter/: ERROR (Certainty:possible)
   Curl:28 HTTP:0 Timeout was reached Connection timed out after 60000 milliseconds

-- flawfinder (could be false positive)
$ flawfinder -Q -c .
Flawfinder version 1.31, (C) 2001-2014 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 169
./src/outputfile.cc:153:  [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
bool OutputFile::printf(const char* str, ...)
./src/outputfile.cc:160:  [4] (format) vsnprintf:
  If format strings can be influenced by an attacker, they can be exploited,
  and note that sprintf variations do not always \0-terminate (CWE-134). Use
  a constant for the format specification.
(clipped, more hints exist)



include-what-you-use:
========================

src/outputfile.h should remove these lines:
- #include <iostream>  // lines 28-28

===============================
# As per RFC 6068, there should be no slashes after "mailto:".
$ grep -rF mailto:/ .
./src/createsummary.1:mailto://dreibh@iem.uni-due.de
./src/netperfmeter.1:mailto://dreibh@iem.uni-due.de
./src/combinesummaries.1:mailto://dreibh@iem.uni-due.de
./src/pdfmetadata.1:mailto://dreibh@iem.uni-due.de
./src/plot-netperfmeter-results.1:mailto://dreibh@iem.uni-due.de
./src/extractvectors.1:mailto://dreibh@iem.uni-due.de
./src/runtimeestimator.1:mailto://dreibh@iem.uni-due.de
./src/pdfembedfonts.1:mailto://dreibh@iem.uni-due.de

=======================
Typos:
./ChangeLog:5727: priviledges  ==> privileges
./src/netperfmeter.cc:528: successfull  ==> successful


=================
deheader

./src/flow.cc has more than one inclusion of <set>
deheader: ./src/tools.cc has more than one inclusion of <stdio.h>
deheader: in ./src/combinesummaries.cc, =\s*false portability requires
<stdbool.h>.
deheader: remove <fstream> from ./src/combinesummaries.cc
deheader: remove <iostream> from ./src/combinesummaries.cc
deheader: remove <unistd.h> from ./src/combinesummaries.cc
deheader: in ./src/control.cc, fopen() portability requires <stdio.h>.
deheader: in ./src/control.cc, =\s*false portability requires
<stdbool.h>.
deheader: in ./src/control.cc, ntohs() portability requires
<arpa/inet.h>.
deheader: in ./src/control.cc, exit() portability requires <stdlib.h>.
deheader: remove <iostream> from ./src/control.cc
deheader: remove <poll.h> from ./src/control.cc
deheader: remove "tools.h" from ./src/control.cc
deheader: remove <sys/sysctl.h> from ./src/cpustatus.cc
deheader: remove <sys/types.h> from ./src/cpustatus.cc
deheader: remove <errno.h> from ./src/cpustatus.cc
deheader: in ./src/createsummary.cc, free() portability requires
<stdlib.h>.
deheader: in ./src/createsummary.cc, fprintf() portability requires
<stdio.h>.
deheader: in ./src/createsummary.cc, index() portability requires
<strings.h>.
deheader: in ./src/createsummary.cc, =\s*true portability requires
<stdbool.h>.
deheader: in ./src/createsummary.cc, isdigit() portability requires
<ctype.h>.
deheader: remove <string> from ./src/createsummary.cc
deheader: remove <iostream> from ./src/createsummary.cc
deheader: in ./src/defragmenter.cc, ntohl() portability requires
<arpa/inet.h>.
deheader: in ./src/defragmenter.cc, =\s*false portability requires
<stdbool.h>.
deheader: remove <map> from ./src/defragmenter.cc
deheader: remove <stdlib.h> from ./src/defragmenter.cc
deheader: in ./src/extractvectors.cc, =\s*false portability requires
<stdbool.h>.
deheader: remove <string> from ./src/extractvectors.cc
deheader: remove <fstream> from ./src/extractvectors.cc
deheader: remove <iostream> from ./src/extractvectors.cc
(and more, output clipped)


Signing GPG Key
===============

Your key is too weak -- please consider transitioning to something
stronger.
See also:

https://keyring.debian.org/creating-key.html
https://riseup.net/en/security/message-security/openpgp/best-practices#use-a-strong-primary-key


find -type f -iname '*.asc' -exec cat {} + | hot dearmor | hokey lint
hot (hopenpgp-tools) 0.19.4
Copyright (C) 2012-2016  Clint Adams
hot comes with ABSOLUTELY NO WARRANTY. This is free software, and you
are welcome to redistribute it under certain conditions.
hokey (hopenpgp-tools) 0.19.4
Copyright (C) 2012-2016  Clint Adams
hokey comes with ABSOLUTELY NO WARRANTY. This is free software, and you
are welcome to redistribute it under certain conditions.

Key has potential validity: good
Key has fingerprint: 7266 D8CD A688 C4D5 1F36  2A62 DF60 5BB0 760F 2D65
Checking to see if key is OpenPGPv4: V4
Checking to see if key is RSA or DSA (>= 2048-bit): DSA 1024
Checking user-ID- and user-attribute-related items:
  Thomas Dreibholz <dreibh@iem.uni-due.de>:
    Self-sig hash algorithms: [SHA-1]
    Preferred hash algorithms: [SHA-1, RIPEMD-160]
    Key expiration times: []
    Key usage flags: [[sign-data, certify-keys]]
  Thomas Dreibholz <dreibh@exp-math.uni-essen.de>:
    Self-sig hash algorithms: [SHA-1]
    Preferred hash algorithms: [RIPEMD-160, SHA-1]
    Key expiration times: []
    Key usage flags: []
  Thomas Dreibholz <dreibh@simula.no>:
    Self-sig hash algorithms: [SHA-1]
    Preferred hash algorithms: [SHA-256, SHA-1, SHA-384, SHA-512, SHA-224]
    Key expiration times: []
    Key usage flags: [[sign-data, certify-keys]]
  <uat:[jpeg:17616:c0af10648640]>:
    Self-sig hash algorithms: [SHA-1]
    Preferred hash algorithms: [SHA-1, SHA-256, RIPEMD-160]
    Key expiration times: []
    Key usage flags: [[sign-data, certify-keys]]
Checking subkeys:
  one of the subkeys is encryption-capable: False
  fpr: 7A6A D097 0FF8 E7FB B9C6  E1AD 7DC9 A272 E842 F628
    version: v4
    timestamp: 20010507-095508
    algo/size: Elgamal encrypt-only 2048
    binding sig hash algorithms: [SHA-1]
    usage flags: []
    embedded cross-cert: False
    cross-cert hash algorithms: [SHA-1]

