On Sun, May 24, 2020 at 02:22:42PM +0000, Vasyl Gello wrote:
> I am looking for a sponsor for my package "cryptopass"


>  * Vcs             : https://salsa.debian.org/basilgello-guest/cryptopass

I'm mostly looking at the VCS, but I'm not ignoring the regular source
package either.


 * you are not using git-buildpackage, instead everything is just thrown
   into the master branch.  Please look into gbp.  Since this is a
   totally new package, I'm actually recommending you just destroy this
   repository and create it anew, starting with a blank
   `gbp import-orig`.
   Please also enable pristine-tar in your local configuration unless
   you have a reason not to, and I also recommend you put
   "sign-tags = True" in the DEFAULT section as well.
 * d/control:
   + any reason not to go to compat 13?
   + just to please my OCD, could you please move the Section field up
     next to Priority?  (this is just me, I just can't look at that! :|)
   + on that note, you should review the Section, since this is not a
     library from what I can see
   + the synopsis is not a sentence, as such it shouldn't end with a
     full stop
   + also in the synopsis, grammar improvement: s/for generating/to
   + in contrast, the long description is made up of whole sentences,
     but it's not really flowing: "This program can be used to generate
     passwords from a seed composed by:  ...." is more welcoming to read
     than your initial line
 * d/changelog:
   + Make that only "Initial upload.  Closes: #xxx", no need for 3
     lines and "initial upload" is kind of standard.
 * d/copyright:
   + place the full local URI for the Apache-2.0 License
   + likewise for the CC0, you only wrote the remote URL
   + you assert that lib/base64/* is BSD-3-clause, but I can't really
     say it by looking at the source.  Since you are upstream, I urge
     you to include an extra file (like the referenced README?)
     explaining the origin of those bundled files
 * d/rules:
   + you have clearly copied this file from somewhere without
     understanding it… didn't you?
   + that DH_OPTIONS export to make "some magic below work", do you
     know what?  AFAIK it's pretty useless as it is, so please drop
   + also go read the section "COMPATIBILITY LEVELS" of debhelper(7),
     to discover that starting with compat 10 "--with autoreconf" is
   + can you please explain what's so special of this package that you
     don't want to call ldconfig?  Since it's something so odd there
     ought to be a comment.
 * d/upstream/metadata:
   + Contact is obsoleted by Upstream-Contact in d/copyright (avoids
 * building the package shows this "scary" GCC warning:
|In file included from /usr/include/string.h:495,
|                 from cryptopass.c:19:
|In function 'strncpy',
|    inlined from 'main' at cryptopass.c:200:9:
|/usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: warning: '__builtin___strncpy_chk' specified bound depends on the length of the source argument [-Wstringop-overflow=]
|  106 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
|      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|cryptopass.c: In function 'main':
|cryptopass.c:191:25: note: length computed here
|  191 |         passlenbuflen = strlen(argv[3]);
|      |                         ^~~~~~~~~~~~~~~

Overall all of the above are indeed trivial matters, but this is
likewise a very trivial project to package.

One thing I have to think about is if this is something that debian
would benefit to have.  I'm not really security-minded, so I tend to be
wary about anything that tries to do crypto or handles passwords.  I
hope some random 3rd party will tell me that this is fine ^^
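The GCC warning quoted in the review flags a pattern worth spelling out: `strncpy(dst, src, strlen(src))` bounds the copy by the *source* length, so the destination size never enters the calculation, and when the source is at least as long as the bound no terminator is written. The following is an added illustration, not code from cryptopass or from the reviewer: the buffer size `PASSLEN_BUF_SIZE`, the function names and the sample input are assumptions constructed for the example. The first helper reproduces only the missing-terminator half of the problem inside a buffer it knows is large enough; the second shows a destination-bounded replacement that always terminates and reports truncation so the caller can reject an over-long argument instead of silently using a shortened value.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical size of a small fixed buffer like the one at the call
 * site in the warning (assumed value, not taken from the package). */
#define PASSLEN_BUF_SIZE 8

/* The flagged idiom: strncpy bounded by strlen(src).  The bound says
 * nothing about dst, so a long src would overrun dst; and because the
 * bound equals the source length, strncpy never writes a NUL.  To show
 * the terminator problem without actually overrunning memory, copy
 * into a buffer that is known to be big enough and report whether any
 * NUL landed in it.  Returns 1 if the copy is NOT terminated, 0 if it
 * is, -1 if the input would not fit (the overflow half is not reproduced). */
int source_bounded_copy_is_unterminated(const char *src)
{
    char buf[64];
    size_t n = strlen(src);
    if (n >= sizeof buf)
        return -1;
    memset(buf, 'X', sizeof buf);
    strncpy(buf, src, n);               /* the pattern GCC warns about */
    return memchr(buf, '\0', sizeof buf) == NULL;
}

/* Hardened replacement: bound by the destination, always terminate,
 * and tell the caller when input was truncated.
 * Returns 0 on success, -1 on truncation or a zero-sized destination. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0)
        return -1;
    if (n >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);            /* n + 1 includes the terminator */
    return 0;
}

/* Mirrors the shape of the call site: a user-supplied length argument
 * copied into a small fixed buffer.  Returns the resulting string
 * length on success, -1 if the argument had to be rejected. */
int store_passlen_arg(const char *arg)
{
    char passlenbuf[PASSLEN_BUF_SIZE];
    if (copy_bounded(passlenbuf, sizeof passlenbuf, arg) != 0)
        return -1;
    return (int)strlen(passlenbuf);
}

int main(void)
{
    /* Constructed input: longer than the buffer, so it must be rejected. */
    const char *argv3 = "1234567890";
    if (store_passlen_arg(argv3) < 0)
        fprintf(stderr, "password length argument too long\n");
    printf("source-bounded copy unterminated: %d\n",
           source_bounded_copy_is_unterminated("42"));
    return 0;
}
```

Building with `-O2 -Wall -D_FORTIFY_SOURCE=2` (the hardening flags Debian's dpkg-buildflags turn on by default) is what surfaces `-Wstringop-overflow=` for the source-bounded idiom; the destination-bounded version compiles cleanly because the bound is now derived from `sizeof` the destination.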

