Control: owner -1 !
Control: tag -1 moreinfo
On Sun, May 24, 2020 at 02:22:42PM +0000, Vasyl Gello wrote:
> I am looking for a sponsor for my package "cryptopass"
o/
> * Vcs : https://salsa.debian.org/basilgello-guest/cryptopass
I'm mostly looking at the VCS, but I'm not ignoring the regular source
package either.
Things:
 * you are not using git-buildpackage, instead everything is just thrown
   into the master branch. Please look into gbp. Since this is a
   totally new package, I'm actually recommending you just destroy this
   repository and create it anew, starting with a blank
   `gbp import-orig`.
   Please also enable pristine-tar in your local configuration unless
   you have a reason not to, and I also recommend you put
   "sign-tags = True" in the DEFAULT section as well.
 * d/control:
   + any reason not to go to compat 13?
   + just to please my OCD, could you please move the Section field up
     next to Priority? (this is just me, I just can't look at that! :|)
   + on that note, you should review the Section, since this is not a
     library from what I can see
   + the synopsis is not a sentence, as such it shouldn't end with a
     full stop
   + also in the synopsis, grammar improvement: s/for generating/to
     generate/
   + in contrast, the long description is made up of whole sentences,
     but it's not really flowing: "This program can be used to generate
     passwords from a seed composed by: ...." is more welcoming to read
     than your initial line
 * d/changelog:
   + Make that only "Initial upload. Closes: #xxx", no need for 3
     lines and "initial upload" is kind of standard.
 * d/copyright:
   + place the full local URI for the Apache-2.0 License
   + likewise for the CC0, you only wrote the remote URL
   + you assert that lib/base64/* is BSD-3-clause, but I can't really
     say it by looking at the source. Since you are upstream, I urge
     you to include an extra file (like the referenced README?)
     explaining the origin of those bundled files
 * d/rules:
   + you have clearly copied this file from somewhere without
     understanding it… didn't you?
   + that DH_OPTIONS export to make "some magic below work", do you
     know what? AFAIK it's pretty useless as it is, so please drop
     that
   + also go read the section "COMPATIBILITY LEVELS" of debhelper(7),
     to discover that starting with compat 10 "--with autoreconf" is
     implied
   + can you please explain what's so special about this package that you
     don't want to call ldconfig? Since it's something so odd there
     ought to be a comment.
 * d/upstream/metadata:
   + Contact is obsoleted by Upstream-Contact in d/copyright (avoids
     duplication)
 * building the package shows this "scary" GCC warning:
|In file included from /usr/include/string.h:495,
| from cryptopass.c:19:
|In function 'strncpy',
| inlined from 'main' at cryptopass.c:200:9:
|/usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: warning: '__builtin___strncpy_chk' specified bound depends on the length of the source argument [-Wstringop-overflow=]
| 106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|cryptopass.c: In function 'main':
|cryptopass.c:191:25: note: length computed here
| 191 | passlenbuflen = strlen(argv[3]);
| | ^~~~~~~~~~~~~~~

Overall all of the above are indeed trivial matters, but this is
likewise a very trivial project to package.

One thing I have to think about is if this is something that Debian
would benefit from having. I'm not really security-minded, so I tend to be
wary about anything that tries to do crypto or handle passwords. I
hope some random 3rd party will tell me that this is fine ^^

--
regards,
Mattia Rizzolo
GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`.
More about me: https://mapreri.org : :' :
Launchpad user: https://launchpad.net/~mapreri `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia `-
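
Added example, not part of the original mail and not code from cryptopass: the GCC warning quoted above fires when the bound passed to strncpy comes from strlen() of the source, so the bound says nothing about the destination. The sketch below shows that shape in a comment and a checked copy beside it; the buffer size, the function name copy_bounded and the sample arguments are assumptions, since the mail does not show the surrounding code.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical size: the real buffer in cryptopass.c is not shown in the mail. */
#define PASSLEN_BUF_SIZE 8

/*
 * Shape the warning describes (bound taken from the source, so it does
 * not protect the destination and leaves no room for the NUL):
 *
 *     len = strlen(src);
 *     strncpy(dst, src, len);
 *
 * Hardened form: compare the source length with the destination size and
 * reject oversized input instead of truncating it silently.
 * Returns 0 on success, -1 if src does not fit (dst is then left empty).
 */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t len;

    if (dst == NULL || dstsize == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    len = strlen(src);
    if (len >= dstsize)          /* need room for the terminating NUL */
        return -1;
    memcpy(dst, src, len + 1);   /* length already validated against dst */
    return 0;
}

int main(void)
{
    /* Constructed sample arguments standing in for argv[3]. */
    const char *samples[] = { "16", "1234567", "12345678", "99999999999999" };
    char buf[PASSLEN_BUF_SIZE];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = copy_bounded(buf, sizeof buf, samples[i]);
        printf("%-16s -> %s\n", samples[i], rc == 0 ? buf : "rejected");
    }
    return 0;
}
```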