
Bug#851756: RFS: telegram-desktop/1.0.6-1 [ITP]



Hi,

I just heard that someone filed an RFS for telegram-desktop. Good job! I hope 
that you can get this package into good shape and put it into Debian.

> I can't understand how pristine-tar works. Should I manually download [...]

You should use the upstream tarball when applicable. If we use a tarball which 
is *identical* to the tarball released by upstream, we can have confidence 
that no source code is modified in the distribution version of this software. 
If upstream signs the tarball, we may also verify its integrity using gpg. 
(Debian supports such a check via the debian/watch file and a public key inside 
the debian/ dir. Well, that's not the case for telegram-desktop so never mind.)

Downloading manually can be unnecessary. If you carefully write the debian/watch 
file, the "uscan" tool can do it for you according to the information in the 
d/watch file. If you don't really want to hack on d/watch, then a manual 
download should be needed.

A big problem is that upstream usually bundles lots of third-party sources 
into its release. You will need to write a detailed d/copyright file for those 
files.

Of course you may still use a gbp-generated orig tarball. The decision is up to 
you.

------

Here is my incomplete review of the current packaging (1.0.6). Note that I am 
neither a DD nor a DM, so I won't be able to sponsor your package.

* I really don't recommend using the "ronn" tool to generate the man page. Even 
though we have ronn in Debian, ronn is already dead upstream [1] and we 
shouldn't use a dead tool in the build toolchain. Writing man pages manually 
won't take up too much time, or at least we can consider tools other than ronn 
(yes, there are other tools available).

* Please consider explicitly enabling (full) hardening flags in d/rules and 
test if the build can pass.

* Is the hard Depends: on fcitx-frontend-qt5 necessary? Your instruction would 
make everyone who installs telegram-desktop install fcitx, which is an 
Input Method Framework. I recommend you downgrade it to Suggests.

* The Build-Depends on fcitx-frontend-qt5 seems very wrong. Could you please 
explain why you added this one?

[1] https://github.com/rtomayko/ronn/

After all, this is a big piece of software and the package may need further 
polishing. Please keep going. I am looking forward to seeing telegram-desktop 
inside Debian.

--
Sincerely,
Boyuan Yang
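
The identical-tarball point made in the message above, as an added example that is not part of the original e-mail: a shell check that classifies a packaging orig tarball as byte-identical to the upstream release, repacked with the same file contents, or modified. It assumes GNU tar and sha256sum and that each tarball has a single top-level directory; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify a packaging orig tarball against the upstream release.
# File names are supplied by the caller; none of them come from the thread.

# Print the SHA-256 of one file.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Print a sorted "hash  path" manifest of every regular file in a tarball.
# Assumption: one top-level directory, stripped so that a renamed top-level
# directory does not count as a change. Symlinks, modes and timestamps are
# not compared.
manifest_of() {
    dir=$(mktemp -d) || return 1
    tar -xf "$1" -C "$dir" --strip-components=1 || { rm -rf "$dir"; return 1; }
    (cd "$dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2)
    rm -rf "$dir"
}

# Print one verdict and return 0, or print "error" and return 2:
#   identical - byte-for-byte the upstream release (pristine)
#   repacked  - same file contents, different archive bytes
#   modified  - at least one file added, removed or changed
tarball_verdict() {
    upstream=$1
    orig=$2
    # Refuse unreadable input so two failed hashes never compare as equal.
    [ -r "$upstream" ] && [ -r "$orig" ] || { echo error; return 2; }
    if [ "$(sha256_of "$upstream")" = "$(sha256_of "$orig")" ]; then
        echo identical
        return 0
    fi
    up=$(manifest_of "$upstream") && pk=$(manifest_of "$orig") \
        || { echo error; return 2; }
    if [ "$up" = "$pk" ]; then
        echo repacked
    else
        echo modified
    fi
}

# Stand-alone use: sh check-orig.sh UPSTREAM_TARBALL ORIG_TARBALL
if [ "$#" -eq 2 ]; then
    tarball_verdict "$1" "$2"
fi
```

Only the "identical" verdict gives the confidence described in the message; "repacked" means the contents match but the archive can no longer be checked against an upstream signature or published checksum.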
