Bug#1095780: RFS: lighttpd/1.4.77-2 -- light, fast, functional web server
Control: tags -1 +confirmed
Glenn,
Preamble...
Thank you for taking the time to prepare this package and your contribution to
the Debian project.
This review is offered to help package contributors to Debian mentors improve
their packages (where needed) prior to possible sponsorship into Debian by a
Debian Developer.
Review...
1. Build:
* pbuilder [1]: Good
* sbuild [2]: Good
2. Lintian [3]: None blocking, info only
Running lintian...
N:
W: lighttpd source: orig-tarball-missing-upstream-signature
lighttpd_1.4.77.orig.tar.xz
N:
N: The packaging includes an upstream signing key but the corresponding .asc
N: signature for one or more source tarballs are not included in your
N: .changes file.
N:
N: Please ensure a <package>_<version>.orig.tar.<ext>.asc file exists in the
N: same directory as your <package>_<version>.orig.tar.<ext> tarball prior to
N: dpkg-source --build being called.
N:
N: If you are repackaging your source tarballs for Debian Free Software
N: Guidelines compliance reasons, ensure that your package version includes
N: dfsg or similar.
N:
N: Sometimes, an upstream signature must be added for an orig.tar.gz that is
N: already present in the archive. Please include the upstream sources again
N: with dpkg-genchanges -sa while the signature is also present. Your upload
N: will be accepted as long as the new orig.tar.gz file is identical to the
N: old one.
N:
N: Please refer to Bug#954743 and Bug#872864 for details.
N:
N: Visibility: warning
N: Show-Always: no
N: Check: upstream-signature
N:
N:
I: lighttpd: hardening-no-fortify-functions [usr/lib/lighttpd/mod_rrdtool.so]
N:
N: This package provides an ELF binary that lacks the use of fortified libc
N: functions. Either there are no potentially unfortified functions called by
N: any routines, all unfortified calls have already been fully validated at
N: compile-time, or the package was not built with the default Debian
N: compiler flags defined by dpkg-buildflags. If built using dpkg-buildflags
N: directly, be sure to import CPPFLAGS.
N:
N: NB: Due to false-positives, Lintian ignores some unprotected functions
N: (e.g. memcpy).
N:
N: Please refer to https://wiki.debian.org/Hardening and Bug#673112 for
N: details.
N:
N: Visibility: info
N: Show-Always: no
N: Check: binaries/hardening
N:
N:
I: lighttpd: hardening-no-fortify-functions [usr/lib/lighttpd/mod_ssi.so]
N:
I: lighttpd-mod-openssl: hardening-no-fortify-functions
[usr/lib/lighttpd/mod_openssl.so]
N:
I: lighttpd-mod-webdav: hardening-no-fortify-functions
[usr/lib/lighttpd/mod_webdav.so]
N:
I: lighttpd-modules-lua: hardening-no-fortify-functions
[usr/lib/lighttpd/mod_magnet.so]
N:
I: lighttpd: package-contains-documentation-outside-usr-share-doc
[usr/share/lighttpd/index.html]
N:
N: This package ships a documentation file outside /usr/share/doc
N: Documentation files are normally installed inside /usr/share/doc.
N:
N: If this file doesn't describe the contents or purpose of the directory it
N: is in, please consider moving this file to /usr/share/doc/ or maybe even
N: removing it. If this file does describe the contents or purpose of the
N: directory it is in, please add a lintian override.
N:
N: Visibility: info
N: Show-Always: no
N: Check: documentation
N:
N: Screen: python/egg/metadata
N: Advocates: "Scott Kitterman" <debian@kitterman.com>
N: Reason: The folders XXX.dist-info/ and XXX.egg-info/ hold metadata for
N: Python modules. Those files are not documentation even though
N: some of their names carry the .txt file extension.
N:
N: Python modules can be both public and private.
N:
N: Read more in
N:
https://www.python.org/dev/peps/pep-0427/#the-dist-info-directory,
N: https://www.python.org/dev/peps/pep-0376/#id16,
N: https://www.python.org/dev/peps/pep-0610/,
N: https://www.python.org/dev/peps/pep-0639/,
N:
https://setuptools.pypa.io/en/latest/deprecated/python_eggs.html,
N: and Bug#1003913.
N:
N:
I: lighttpd source: rules-silently-require-root lighttpd (www-data:www-data)
var/cache/lighttpd/ [debian/control:41]
N:
N: These sources require fakeroot(1) or similar to build the installation
N: packages, but the field Rules-Requires-Root is empty or missing.
N:
N: At least the shown path in the indicated installation package is owned by
N: user (or a group) other than root:root.
N:
N: Over time, Debian has successively narrowed the steps for which elevated
N: privileges are required. It speeds up the building of installation
N: packages in the archive.
N:
N: Please declare whether the sources require root privileges. Eventually,
N: Debian will switch the default archive-wide behaviour to expedite the
N: build process.
N:
N: You can use the field Rules-Requires-Root in the source stanza of
N: debian/control to declare the required build privileges.
N:
N: Please refer to usr/share/doc/dpkg/spec/rootless-builds.txt, debian/rules
N: and Rules-Requires-Root (Section 4.9.2) in the Debian Policy Manual, and
N: Rules-Requires-Root (Section 5.6.31) in the Debian Policy Manual for
N: details.
N:
N: Visibility: info
N: Show-Always: no
N: Check: debian/control/field/rules-requires-root
N: Renamed from: should-specify-rules-requires-root
N:
N:
I: lighttpd: spelling-error-in-binary ment meant [usr/lib/lighttpd/mod_ssi.so]
N:
N: Lintian found a spelling error in the given binary. Lintian has a list of
N: common misspellings that it looks for. It does not have a dictionary like
N: a spelling checker does.
N:
N: If the string containing the spelling error is translated with the help of
N: gettext or a similar tool, please fix the error in the translations as
N: well as the English text to avoid making the translations fuzzy. With
N: gettext, for example, this means you should also fix the spelling mistake
N: in the corresponding msgids in the *.po files.
N:
N: You can often find the word in the source code by running:
N:
N: grep -rw <word> <source-tree>
N:
N: This tag may produce false positives for words that contain non-ASCII
N: characters due to limitations in strings.
N:
N: Visibility: info
N: Show-Always: no
N: Check: binaries/spelling
N:
N:
I: lighttpd: systemd-service-file-missing-documentation-key
[usr/lib/systemd/system/lighttpd.service]
N:
N: The systemd service file does not contain a Documentation key.
N:
N: Documentation for systemd service files can be automatically viewed using
N: systemctl help servicename if this field is present.
N:
N: Please refer to the systemd.unit(5) manual page for details.
N:
N: Visibility: info
N: Show-Always: no
N: Check: systemd
N:
N:
P: lighttpd: manual-page-for-system-command [usr/sbin/lighty-enable-mod]
N:
N: The command in /sbin or /usr/sbin are system administration commands;
N: their manual pages thus belong in section 8, not section 1.
N:
N: Please check whether the command is actually useful to non-privileged user
N: in which case it should be moved to /bin or /usr/bin, or alternatively the
N: manual page should be moved to section 8 instead, ie. /usr/share/man/man8.
N:
N: Please refer to Bug#348864, Bug#253011, and the hier(7) manual page for
N: details.
N:
N: Visibility: pedantic
N: Show-Always: no
N: Check: documentation/manual
N: Renamed from: command-in-sbin-has-manpage-in-incorrect-section
N:
N:
N: Lighttpd uses var/www/html/ as a new default document root # See #730372
N: and https://lists.debian.org/debian-devel/2012/04/msg00301.html
O: lighttpd: dir-or-file-in-var-www [var/www/html/]
N:
N: Debian packages should not install files under /var/www. This is not one
N: of the /var directories in the File Hierarchy Standard and is under the
N: control of the local administrator. Packages should not assume that it is
N: the document root for a web server; it is very common for users to change
N: the default document root and packages should not assume that users will
N: keep any particular setting.
N:
N: Packages that want to make files available via an installed web server
N: should instead put instructions for the local administrator in a
N: README.Debian file and ideally include configuration fragments for common
N: web servers such as Apache.
N:
N: As an exception, packages are permitted to create the /var/www directory
N: due to its past history as the default document root, but should at most
N: copy over a default file in postinst for a new install. In this case,
N: please add a Lintian override.
N:
N: Please refer to The /var Hierarchy (Chapter 5) in the Filesystem Hierarchy
N: Standard for details.
N:
N: Visibility: error
N: Show-Always: no
N: Check: files/hierarchy/standard
N:
N:
N: Policy says in §10.9: "Directories should be mode 755 or (for
N: group-writability) mode 2775." This is not preferred for sensible
N: information like log files which may disclose error messages or session
N: URLs. Therefore we consider Lintian being wrong here and an override to
N: be appropriate.
O: lighttpd: non-standard-dir-perm 0750 != 0755 [var/log/lighttpd/]
N:
N: The directory has a mode different from 0755, and it's not one of the
N: known exceptions.
N:
N: Please refer to Permissions and owners (Section 10.9) in the Debian Policy
N: Manual for details.
N:
N: Visibility: warning
N: Show-Always: no
N: Check: files/permissions
N:
N:
N: This is intentionally provided
O: lighttpd: package-contains-empty-directory [usr/lib/cgi-bin/]
N:
N: This package installs an empty directory. This might be intentional but
N: it's normally a mistake. If it is intentional, add a Lintian override.
N:
N: If a package ships with or installs empty directories, you can remove them
N: in debian/rules by calling:
N:
N: $ find path/to/base/dir -type d -empty -delete
N:
N: Visibility: info
N: Show-Always: no
N: Check: files/empty-directories
N:
N:
N: # See #1031669 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031669
O: lighttpd: shared-library-lacks-prerequisites
[usr/lib/lighttpd/mod_sockproxy.so]
N:
N: The listed shared library doesn't include information about the other
N: libraries against which it was linked.
N:
N: More specifically, "ldd foo.so" should report such other libraries. In
N: your case, it reports "statically linked".
N:
N: The fix is to specify the libraries. One way to do so is to add something
N: like "-lc" to the command-line options for "ld".
N:
N: Visibility: warning
N: Show-Always: no
N: Check: binaries/prerequisites
N: Renamed from: shared-lib-without-dependency-information
N:
N: Screen: coq/cmxs/prerequisites
N: Advocates: "Julien Puydt" <julien.puydt@gmail.com>
N: Reason: The Coq project comes with a kind of compiler that generates
N: files which are ELF shared objects. Unfortunately, they contain
N: many undefined symbols, but those are expected.
N:
N: There are a lot of false positives.
N:
N: Read more in Bug#999602.
N:
E: Lintian run failed (runtime error)
3. Licenses [4]: Good
4. Watch file [uscan --force-download]: Good
5. Build Twice (build source after successful build) [1]: Good
6. Reproducible builds [5]: Good
Note: Test does not block sponsorship and is for information only at this time.
7. Tail of the ratt (architecture dependent packages only) [6]: Info only
Note: Test does not block sponsorship and is for information only at this time.
philwyett@ks-tarkin:~/Development/builder/debian$ ratt --dist trixie
lighttpd_1.4.77-2_amd64.changes
2025/02/12 17:34:20 Loading changes file "lighttpd_1.4.77-2_amd64.changes"
2025/02/12 17:34:20 - 35 binary packages: lighttpd lighttpd-dbgsym lighttpd-
doc lighttpd-mod-authn-gssapi lighttpd-mod-authn-gssapi-dbgsym lighttpd-mod-
authn-pam lighttpd-mod-authn-pam-dbgsym lighttpd-mod-authn-sasl lighttpd-mod-
authn-sasl-dbgsym lighttpd-mod-deflate lighttpd-mod-deflate-dbgsym lighttpd-
mod-gnutls lighttpd-mod-gnutls-dbgsym lighttpd-mod-maxminddb lighttpd-mod-
maxminddb-dbgsym lighttpd-mod-mbedtls lighttpd-mod-mbedtls-dbgsym lighttpd-mod-
nss lighttpd-mod-nss-dbgsym lighttpd-mod-openssl lighttpd-mod-openssl-dbgsym
lighttpd-mod-vhostdb-pgsql lighttpd-mod-vhostdb-pgsql-dbgsym lighttpd-mod-
webdav lighttpd-mod-webdav-dbgsym lighttpd-mod-wolfssl lighttpd-mod-wolfssl-
dbgsym lighttpd-modules-dbi lighttpd-modules-dbi-dbgsym lighttpd-modules-ldap
lighttpd-modules-ldap-dbgsym lighttpd-modules-lua lighttpd-modules-lua-dbgsym
lighttpd-modules-mysql lighttpd-modules-mysql-dbgsym
2025/02/12 17:34:20 Corresponding .debs (will be injected when building):
2025/02/12 17:34:20 lighttpd-dbgsym_1.4.77-2_amd64.deb
2025/02/12 17:34:20 lighttpd-doc_1.4.77-2_all.deb
2025/02/12 17:34:20 lighttpd-mod-authn-gssapi-dbgsym_1.4.77-2_amd64.deb
2025/02/12 17:34:20 lighttpd-mod-authn-gssapi_1.4.77-2_amd64.deb
2025/02/12 17:34:20 lighttpd-mod-authn-pam-dbgsym_1.4.77-2_amd64.deb
2025/02/12 17:34:20 lighttpd-mod-authn-pam_1.4.77-2_amd64.deb
2025/02/12 17:34:20 lighttpd-mod-authn-sasl-dbgsym_1.4.77-2_amd64.deb
2025/02/12 17:34:20 lighttpd-mod-authn-sasl_1.4.77-2_amd64.deb
2025/02/12 17:34:20 lighttpd-mod-deflate-dbgsym_1.4.77-2_amd64.deb
2025/02/12 17:34:20 lighttpd-mod-deflate_1.4.77-2_amd64.deb
2025/02/12 17:34:20 lighttpd-mod-gnutls-dbgsym_1.4.77-2_amd64.deb
2025/02/12 17:34:20 lighttpd-mod-gnutls_1.4.77-2_amd64.deb
2025/02/12 17:34:20 lighttpd-mod-maxminddb-dbgsym_1.4.77-2_amd64.deb
2025/02/12 17:34:20 lighttpd-mod-maxminddb_1.4.77-2_amd64.deb
2025/02/12 17:34:20 lighttpd-mod-mbedtls-dbgsym_1.4.77-2_amd64.deb
2025/02/12 17:34:20 lighttpd-mod-mbedtls_1.4.77-2_amd64.deb
2025/02/12 17:34:20 lighttpd-mod-nss-dbgsym_1.4.77-2_amd64.deb
2025/02/12 17:34:20 lighttpd-mod-nss_1.4.77-2_amd64.deb
2025/02/12 17:34:20 lighttpd-mod-openssl-dbgsym_1.4.77-2_amd64.deb
2025/02/12 17:34:20 lighttpd-mod-openssl_1.4.77-2_amd64.deb
2025/02/12 17:34:20 lighttpd-mod-vhostdb-pgsql-dbgsym_1.4.77-2_amd64.deb
2025/02/12 17:34:20 lighttpd-mod-vhostdb-pgsql_1.4.77-2_amd64.deb
2025/02/12 17:34:20 lighttpd-mod-webdav-dbgsym_1.4.77-2_amd64.deb
2025/02/12 17:34:20 lighttpd-mod-webdav_1.4.77-2_amd64.deb
2025/02/12 17:34:20 lighttpd-mod-wolfssl-dbgsym_1.4.77-2_amd64.deb
2025/02/12 17:34:20 lighttpd-mod-wolfssl_1.4.77-2_amd64.deb
2025/02/12 17:34:20 lighttpd-modules-dbi-dbgsym_1.4.77-2_amd64.deb
2025/02/12 17:34:20 lighttpd-modules-dbi_1.4.77-2_amd64.deb
2025/02/12 17:34:20 lighttpd-modules-ldap-dbgsym_1.4.77-2_amd64.deb
2025/02/12 17:34:20 lighttpd-modules-ldap_1.4.77-2_amd64.deb
2025/02/12 17:34:20 lighttpd-modules-lua-dbgsym_1.4.77-2_amd64.deb
2025/02/12 17:34:20 lighttpd-modules-lua_1.4.77-2_amd64.deb
2025/02/12 17:34:20 lighttpd-modules-mysql-dbgsym_1.4.77-2_amd64.deb
2025/02/12 17:34:20 lighttpd-modules-mysql_1.4.77-2_amd64.deb
2025/02/12 17:34:20 lighttpd_1.4.77-2_amd64.deb
2025/02/12 17:34:20 Figuring out reverse build dependencies using dose-ceve(1).
This might take a while
2025/02/12 17:43:30 Found 10 reverse build dependencies
2025/02/12 17:43:30 Setting -sbuild_dist=unstable (from .changes file)
2025/02/12 17:43:30 Building package 1 of 10: genparse
2025/02/12 17:47:26 Building package 2 of 10: libreswan
2025/02/12 17:51:35 Building package 3 of 10: latex2rtf
2025/02/12 17:54:29 Building package 4 of 10: pyhoca-cli
2025/02/12 17:56:35 Building package 5 of 10: mini-buildd
2025/02/12 18:00:10 Building package 6 of 10: daisy-player
2025/02/12 18:02:48 Building package 7 of 10: slurm-wlm
2025/02/12 18:03:08 building slurm-wlm failed: exit status 3
2025/02/12 18:03:08 Building package 8 of 10: libiio
2025/02/12 18:06:02 Building package 9 of 10: html-xml-utils
2025/02/12 18:08:22 Building package 10 of 10: privoxy
2025/02/12 18:13:33 1 packages failed the first pass; you can rerun ratt only
for them passing the option -include '^(slurm-wlm)$'
2025/02/12 18:13:33 Build results:
2025/02/12 18:13:33 PASSED: libreswan
2025/02/12 18:13:33 PASSED: latex2rtf
2025/02/12 18:13:33 PASSED: pyhoca-cli
2025/02/12 18:13:33 PASSED: mini-buildd
2025/02/12 18:13:33 PASSED: daisy-player
2025/02/12 18:13:33 PASSED: privoxy
2025/02/12 18:13:33 PASSED: genparse
2025/02/12 18:13:33 PASSED: libiio
2025/02/12 18:13:33 PASSED: html-xml-utils
2025/02/12 18:13:33 FAILED: slurm-wlm (see buildlogs/slurm-wlm_24.11.0-2)
8. Install [No previous installs]: Good
9. Upgrade [Over previous installs if any]: Good
Additional...
Nothing. :-)
Summary...
I believe 'lighttpd' is ready for review/possible sponsorship. Could a Debian
Developer (DD) with available free time please review this package and upload
if you feel it is ready?
Please try the below on your packages...
[1] pbuilder:
* Command for 1.: sudo pbuilder build <PACKAGE>.dsc
* Command for 5.: sudo pbuilder build --twice <PACKAGE>.dsc
* Document: https://wiki.ubuntu.com/PbuilderHowto.
* Document: https://wiki.debian.org/PbuilderTricks
[2] sbuild:
* Command: sbuild -d unstable <PACKAGE>.dsc
* Document: https://wiki.debian.org/sbuild
* autopkgtests. See link below.
https://wiki.debian.org/sbuild#Using_qemu_for_autopkgtests
[3] lintian:
* Command: lintian --display-info --verbose --fail-on error --info --pedantic
--show-overrides (*.dsc, *.changes, *.buildinfo). Each can throw up different
results, so be thorough.
* Document: https://wiki.debian.org/Lintian
[4] lrc:
* Command: lrc
* Document: https://wiki.debian.org/CopyrightReviewTools#licenserecon
Note: Please report false positives as bug reports against 'licenserecon'
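Added example (not part of the original review, and not lintian's own code): a small Python parser for the lintian output format shown in section 2. It rejoins context lines that the e-mail wrapped, skips the N: notes, and groups the tags that bear on tarball provenance, hardening and permissions. The SECURITY_TAGS selection and the function names are assumptions of this example; SAMPLE is copied from lines in the review.

```python
import re

SEVERITY = {"E": "error", "W": "warning", "I": "info", "P": "pedantic", "O": "overridden"}
# Tag line format: "<letter>: <package>[ source]: <tag>[ <context>]"
TAG_LINE = re.compile(r"^([EWIPO]): (\S+?)( source)?: (\S+)(?: (.*))?$")
# Assumed selection of tags from this review (not a lintian classification).
SECURITY_TAGS = {"orig-tarball-missing-upstream-signature",
                 "hardening-no-fortify-functions", "non-standard-dir-perm"}

# Lines copied from the review's lintian output, e-mail wrapping included.
SAMPLE = """\
W: lighttpd source: orig-tarball-missing-upstream-signature
lighttpd_1.4.77.orig.tar.xz
N:
I: lighttpd: hardening-no-fortify-functions [usr/lib/lighttpd/mod_rrdtool.so]
I: lighttpd-mod-openssl: hardening-no-fortify-functions
[usr/lib/lighttpd/mod_openssl.so]
N:
https://www.python.org/dev/peps/pep-0427/#the-dist-info-directory,
O: lighttpd: non-standard-dir-perm 0750 != 0755 [var/log/lighttpd/]
E: Lintian run failed (runtime error)
"""

def parse_lintian(text):
    """Return (findings, unparsed); rejoins contexts wrapped onto the next line."""
    findings, unparsed, after_tag = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        m = TAG_LINE.match(line)
        if m:
            sev, pkg, src, tag, ctx = m.groups()
            findings.append({"severity": SEVERITY[sev], "package": pkg,
                             "source": bool(src), "tag": tag, "context": ctx or ""})
            after_tag = True
        elif re.match(r"^[A-Z]:( |$)", line):
            after_tag = False              # wrapped note text that follows is ignored
            if not line.startswith("N:"):  # N: lines are explanatory notes
                unparsed.append(line)      # e.g. a lintian runtime failure
        elif line and after_tag:           # wrapped context of the previous tag
            findings[-1]["context"] = (findings[-1]["context"] + " " + line).strip()
    return findings, unparsed

def security_findings(text):
    """Group the security-relevant tags; overridden ones stay visible."""
    findings, unparsed = parse_lintian(text)
    grouped = {}
    for f in findings:
        if f["tag"] in SECURITY_TAGS:
            grouped.setdefault(f["tag"], []).append((f["package"], f["severity"], f["context"]))
    return grouped, unparsed
```

Calling `security_findings(SAMPLE)` returns the grouped tags plus any lines that are not tag lines, so a failed lintian run is surfaced rather than silently dropped.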