Control: tags -1 moreinfo

Paulo Ricardo Paz Vital:
> Package: sponsorship-requests
> Severity: normal
>
> Dear mentors,
>
> [...]

Hi,

I have done an initial review of the changes and I have a few remarks.
Please CC me directly on any follow ups to this bug.

>
> Changes since the last upload:
>
>   keychain (2.8.4+dfsg-1) unstable; urgency=medium
>
>     * New upstream release
>     * Set DFSG build since the upstream tarball have changed a lot
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The "dfsg" marker is used solely for the purpose of removing non-free
parts or parts with missing licensing terms. However, it is not clear
to me with the current wording whether this is the reason why we use
"dfsg" here.

Were the files removed under a non-free license (or missing a license)?

 * If yes, then please use that argument in the changelog a la:
   "Repacked the source package to remove some non-free files"
   (Feel free to adapt the wording)

 * If no, then please either reconsider the repacking or use the "ds"
   (short for "debian source") marker instead of "dfsg"[0].

=> This is my only "blocking" concern.

> [...]
>
>  -- Paulo Vital <pvital@gmail.com>  Thu, 16 Nov 2017 11:50:24 -0200
>
>
> Regards,
> Paulo Vital
>

Beyond my concern above, I also have a few suggestions for some
improvements to the packaging:

 * In debian/uscan-dfsg-clean.sh: Please use "-n" (e.g. "gzip -9n") to
   avoid adding an unnecessary and non-deterministic timestamp to the
   file.

 * debian/dirs: This file appears to be redundant as I can successfully
   build keychain without it. I am sure it made sense long ago and no
   one discovered until now that it is no longer necessary. :)

 * debian/docs: I am not sure it makes sense to install keychain.pod as
   it is basically used to generate the manpage. (I know you did not
   introduce this change; I just noticed it and thought it would make
   sense to bring it up).

 * The keychain package can build without using (fake)root. Please
   consider setting "Rules-Requires-Root: no" in d/control in the
   "Source" stanza.
   - It requires no changes to (Build-)Depends in keychain (even if you
     intend to backport keychain to stable once 2.8.4 hits testing)

... and some suggestions regarding the upstream code:

 * Makefile: Upstream uses "gzip -9" (without -n) which /would/ cause
   keychain to become "unreproducible"[1]. However, I suspect that
   dh_installman happens to save us as a side effect.
   - Please consider asking upstream to use "-n" with gzip to ensure
     that their build is natively reproducible.

None of these suggestions are mandatory for getting keychain updated.

Thanks,
~Niels

[0] https://wiki.debian.org/DebianMentorsFaq#What_does_.2BIBw-dfsg.2BIB0_or_.2BIBw-ds.2BIB0_in_the_version_string_mean.3F

[1] https://reproducible-builds.org/
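The "gzip -9" versus "gzip -9n" point from the review above, as an added example that is not part of the original message or of the keychain packaging. It uses Python's gzip module in place of the gzip command line, treats mtime=0 as the equivalent of what "-n" leaves in the header, and the sample page and both timestamps are constructed.

```python
import gzip
import hashlib
import struct

FEXTRA, FNAME = 0x04, 0x08  # FLG bits defined in RFC 1952


def gzip_header_info(blob: bytes) -> dict:
    """Return the MTIME and original-name fields of a gzip member header."""
    if len(blob) < 10 or blob[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    flags = blob[3]
    (mtime,) = struct.unpack_from("<I", blob, 4)  # 4-byte little-endian MTIME
    pos, name = 10, None
    if flags & FEXTRA:  # skip the optional extra field (2-byte length prefix)
        (xlen,) = struct.unpack_from("<H", blob, pos)
        pos += 2 + xlen
    if flags & FNAME:  # NUL-terminated original file name
        end = blob.index(b"\x00", pos)
        name = blob[pos:end].decode("latin-1")
    return {"mtime": mtime, "name": name}


def is_deterministic(blob: bytes) -> bool:
    """True when the header carries neither a timestamp nor a file name."""
    info = gzip_header_info(blob)
    return info["mtime"] == 0 and info["name"] is None


# Constructed sample: the same man page text compressed in two "builds".
PAGE = b".TH KEYCHAIN 1\n.SH NAME\nkeychain \\- constructed sample page\n"


def build(mtime: int) -> bytes:
    # Assumption: mtime=0 stands in for the header that "gzip -n" produces.
    return gzip.compress(PAGE, compresslevel=9, mtime=mtime)


if __name__ == "__main__":
    # The two non-zero timestamps are constructed, one day apart.
    for label, a, b in (("gzip -9 ", build(1510840224), build(1510926624)),
                        ("gzip -9n", build(0), build(0))):
        same = hashlib.sha256(a).digest() == hashlib.sha256(b).digest()
        print(label, "identical:", same,
              "| deterministic header:", is_deterministic(a))
```

Running gzip_header_info over the compressed files in a built package is a quick way to find the ones that still embed a timestamp or file name.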