
Bug#887659: RFS: urlwatch/2.7-1 [ITA]



Control: owner -1 !
Control: tags -1 + moreinfo

I intend to sponsor this.

On Thu, 18 Jan 2018 21:42:33 +0100 Maxime Werlen wrote:

> I am looking for a sponsor for my package "urlwatch"

These issues block the upload of this package:

The package FTBFS in a clean chroot, you need to package minidb and
build-depend on python3-minidb, python3-setuptools, python3-keyring,
python3-appdirs and python3-requests.

https://wiki.debian.org/pbuilder

It would be nice to fix these issues at some point:

When you package minidb, if possible, please also make a python-minidb
package so that you can report a bug against gpodder to get it to use
the system minidb as it currently includes a minidb copy.

I would suggest stripping the DEPENDENCIES section from README.md in
the installed binary package since users of the binary package will
already automatically get the dependencies installed.

I would suggest adding a NEWS.Debian about migrating from the legacy
hooks to the new class-based filter system.

debian/copyright has an incorrect copyright year for the upstream code,
upstream mentions 2016 but debian/copyright has 2018.

debian/copyright should have BSD-3-Clause rather than BSD-3-Clause.

debian/clean can probably be reduced to one line:

lib/urlwatch.egg-info/

I like to wrap and sort the debian directory:

wrap-and-sort --short-indent --wrap-always --sort-binary-packages --trailing-comma

I like to wrap debian/watch to separate fields:

version=3
opts="filenamemangle=s/(\d[\d\.]*)\.tar\.gz/urlwatch-$1.tar.gz/" \
https://github.com/thp/urlwatch/releases \
(?:.*/)?v?(\d[\d\.]*)\.tar\.gz

uscan fails unless I delete the debian/watch opts:

$ uscan --verbose --download-current-version --destdir . 
...
uscan info: Executing internal command:
   mk-origtargz --package urlwatch --version 2.7 --rename --compression gzip --directory . --copyright-file debian/copyright .//thp/urlwatch/archive/urlwatch-2.7.tar.gz
Could not read .//thp/urlwatch/archive/urlwatch-2.7.tar.gz: No such file or directory at /usr/bin/mk-origtargz line 397.
uscan: error: mk-origtargz --package urlwatch --version 2.7 --rename --compression gzip --directory . --copyright-file debian/copyright .//thp/urlwatch/archive/urlwatch-2.7.tar.gz subprocess returned exit status 2

Please add some upstream metadata:

https://wiki.debian.org/UpstreamMetadata

Please ask upstream to sign their commits and tarballs with OpenPGP:

https://mikegerwitz.com/papers/git-horror-story
https://wiki.debian.org/Creating%20signed%20GitHub%20releases

Upstream should give a warning when the legacy hooks are being used.

Upstream is storing a cache file in the xdg config directory, I suggest
that they probably need to read the specs and fix the code/docs:

https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html

examples_path.diff is still present in the source package but is not
present in the series file. IMO it should either get deleted or still
be present in the series file, possibly commented out and with a reason
for being disabled in a comment before that.

Automatic checks:

lintian

P: urlwatch source: file-contains-trailing-whitespace debian/changelog (line 5)
P: urlwatch source: file-contains-trailing-whitespace debian/control (line 5)
P: urlwatch source: file-contains-trailing-whitespace debian/control (line 21)
P: urlwatch source: file-contains-trailing-whitespace debian/rules (line 7)
P: urlwatch source: package-uses-old-debhelper-compat-version 10
P: urlwatch source: insecure-copyright-format-uri http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
I: urlwatch source: testsuite-autopkgtest-missing
P: urlwatch source: debian-watch-may-check-gpg-signature

build

/usr/lib/python3.6/distutils/dist.py:261: UserWarning: Unknown distribution option: 'copyright'

check-all-the-things

$ find .. -maxdepth 1 -type f -iwholename '../*.build' -exec grep -nHw E {} +
../urlwatch_2.7-1_amd64.build:375:E: pybuild pybuild:283: clean: plugin distutils failed with: exit code=1: python3.6 setup.py clean 

$ find .. -maxdepth 1 -type f -iwholename '../*.build' -exec grep -nHi error {} +
../urlwatch_2.7-1_amd64.build:374:ModuleNotFoundError: No module named 'setuptools'
../urlwatch_2.7-1_amd64.build:378:make: *** [clean] Error 25
../urlwatch_2.7-1_amd64.build:379:dpkg-buildpackage: error: fakeroot debian/rules clean subprocess returned exit status 2

$ find .. -maxdepth 1 -type f -iwholename '../*.build' -exec grep -nHi warn {} +
../urlwatch_2.7-1_amd64.build:6:/usr/lib/python3.6/distutils/dist.py:261: UserWarning: Unknown distribution option: 'copyright'
../urlwatch_2.7-1_amd64.build:7:  warnings.warn(msg)

$ env PERL5OPT=-m-lib=. cme check dpkg
Warning in 'control source Standards-Version' value '4.1.3': Current standards version is '4.1.1'. Please read file:///usr/share/doc/debian-policy/upgrading-checklist.txt.gz to check what changes need to applied to your package to upgrade it from standard version '4.1.3' to '4.1.1'.
Warning in 'control source Vcs-Browser' value 'https://anonscm.debian.org/git/collab-maint/urlwatch.git': URL is not the canonical one for repositories hosted on Alioth.
Warning in 'copyright Format' value 'http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/': Format uses insecure http protocol instead of https
Configuration item 'source format' has a wrong value:
	enum type does not know '3.0 (quilt)
extend-diff-ignore="^[^/]+\.egg-info/"'. Expected '1.0' or '2.0' or '3.0 (native)' or '3.0 (quilt)' or '3.0 (custom)' or '3.0 (git)' or '3.0 (bzr)'

$ env PERL5OPT=-m-lib=. duck
I: debian/copyright:1: URL: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/: INFORMATION (Certainty:possible)
   URL schema changed from HTTP to HTTPS during redirect(s): http://www.debian.org -> https://www.debian.org
   Please investigate and update the URL eventually, to avoid unneccesary redirects!

I: debian/copyright:4: URL: http://thpinfo.com/2008/urlwatch/: INFORMATION (Certainty:possible)
   Domain redirect detected: http://thpinfo.com -> https://thp.io. Probably a new upstream website?

I: debian/control: Homepage: http://thpinfo.com/2008/urlwatch/: INFORMATION (Certainty:certain)
   Domain redirect detected: http://thpinfo.com -> https://thp.io. Probably a new upstream website?

# check if these can be switched to https://
$ grep -nHrF http: .
<lots>

# This command checks style. While a consistent style
# is a good idea, people who have different style
# preferences will want to ignore some of the output.
# Do not bother adding non-upstreamable patches for this.
$ proselint .
./README.md:87:44: typography.symbols.ellipsis '...' is an approximation, use the ellipsis symbol '…'.

# This command checks style. While a consistent style
# is a good idea, people who have different style
# preferences will want to ignore some of the output.
# Do not bother adding non-upstreamable patches for this.
$ find . -type f -iname '*.py' -exec pycodestyle --ignore W191 {} +
/usr/lib/python3/dist-packages/pycodestyle.py:2190: UserWarning: [pep8] section is deprecated. Use [pycodestyle].
  warnings.warn('[pep8] section is deprecated. Use [pycodestyle].')
./test/test_handler.py:113:121: E501 line too long (121 > 120 characters)

# This command checks style. While a consistent style
# is a good idea, people who have different style
# preferences will want to ignore some of the output.
# Do not bother adding non-upstreamable patches for this.
$ pydocstyle .
<lots>

$ find . -type f -iname '*.py' -exec pylint3 --rcfile=/dev/null --msg-template='{path}:{line}:{column}: [{category}:{symbol}] {obj}: {msg}' --reports=n {} +
<lots>

$ python3-bandit -r .
<lots>

$ find . -type d \( -iname .bzr -o -iname .git -o -iname .hg -o -iname .svn -o -iname CVS -o -iname RCS -o -iname SCCS -o -iname _MTN -o -iname _darcs -o -iname .pc -o -iname .cabal-sandbox -o -iname .cdv -o -iname .metadata -o -iname CMakeFiles -o -iname _build -o -iname _sgbak -o -iname autom4te.cache -o -iname blib -o -iname cover_db -o -iname node_modules -o -iname '~.dep' -o -iname '~.dot' -o -iname '~.nib' -o -iname '~.plst' \) -prune -o -type f ! \( -iname '*.bak' -o -iname '*.swp' -o -iname '#.*' -o -iname '#*#' -o -iname 'core.*' -o -iname '*~' -o -iname '*.gif' -o -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' -o -iname '*.min.js' -o -iname '*.js.map' -o -iname '*.js.min' -o -iname '*.min.css' -o -iname '*.css.map' -o -iname '*.css.min' -o -iname '*.wav' \) -exec env PERL5OPT=-m-lib=. spellintian --picky {} +
./README.md: V V (duplicate word) -> V
./README.md: python -> Python
./README.md: api -> API
./.travis.yml: python -> Python
./debian/changelog: mentionned -> mentioned
./debian/changelog: versionned -> versioned
./debian/changelog: python -> Python

$ grep -nHriE 'fixme|todo|hack|xxx+|broken' .
./lib/urlwatch/reporters.py:309:            # FIXME: This isn't ideal, but works for now...
./lib/urlwatch/reporters.py:357:        # TODO set_password(options.email_smtp, options.email_from)

$ vulture .
<lots>

# These calls are potentially vulnerable to Python code injection
$ find . -type f -iname '*.py' -exec grep -nHF 'yaml.load' {} +
./lib/urlwatch/storage.py:283:                return yaml.load(fp)
./lib/urlwatch/storage.py:320:                return yaml.load_all(fp)
./lib/urlwatch/storage.py:331:            return [JobBase.unserialize(job) for job in yaml.load_all(fp) if job is not None]

$ find . -type f \( -iname '*.yaml' -o -iname '*.yml' -o -iwholename ./debian/upstream/metadata -o -iwholename ./debian/upstream/edam \) -exec yamllint {} +
./test/data/urlwatch.yaml
  1:1       warning  missing document start "---"  (document-start)

./.travis.yml
  1:1       warning  missing document start "---"  (document-start)
  6:15      warning  too few spaces before comment  (comments)
  7:15      warning  too few spaces before comment  (comments)

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
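
Added example (not part of the original message, and not urlwatch code): the grep for `yaml.load` in the review lists every such call regardless of which loader it uses. This sketch walks the Python AST and reports only `yaml.load`/`yaml.load_all` calls that do not pass one of PyYAML's safe loaders. The sample source, its file names and the helper name `find_unsafe_yaml_loads` are constructed for illustration.

```python
import ast

# PyYAML loaders that do not construct arbitrary Python objects.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}
RISKY_CALLS = {"load", "load_all"}


def _loader_name(call):
    """Return the name of the Loader passed to the call, or None if absent."""
    node = call.args[1] if len(call.args) >= 2 else None   # yaml.load(fp, Loader)
    for kw in call.keywords:                                # yaml.load(fp, Loader=...)
        if kw.arg == "Loader":
            node = kw.value
    if isinstance(node, ast.Attribute):                     # yaml.SafeLoader
        return node.attr
    if isinstance(node, ast.Name):                          # SafeLoader
        return node.id
    return None


def find_unsafe_yaml_loads(source, filename="<src>"):
    """List (filename, line, call) for yaml.load/load_all without a safe Loader.

    Only the spelling `yaml.<call>(...)` is matched; aliased imports such as
    `from yaml import load` are outside what this sketch covers.
    """
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if (isinstance(func, ast.Attribute) and func.attr in RISKY_CALLS
                and isinstance(func.value, ast.Name) and func.value.id == "yaml"
                and _loader_name(node) not in SAFE_LOADERS):
            findings.append((filename, node.lineno, "yaml." + func.attr))
    return sorted(findings)


# Constructed sample covering the call shapes seen in the grep output.
SAMPLE = '''\
import yaml
config = yaml.load(open("config.yaml"))
jobs = [j for j in yaml.load_all(open("jobs.yaml")) if j is not None]
ok_1 = yaml.safe_load(open("config.yaml"))
ok_2 = yaml.load(open("config.yaml"), Loader=yaml.SafeLoader)
'''
```

Calling `find_unsafe_yaml_loads(SAMPLE, "sample.py")` reports lines 2 and 3 and leaves the `safe_load` and explicit `SafeLoader` calls alone.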
