Re: RFS: python-cvss/3.4-1 [ITP] -- CVSS2/3/4 library with interactive calculator for Python
Hello Nishit,
On 04.07.25 at 15:10, Nishit Majithia wrote:
> hey mentors,
> Seeking sponsorship for this python-cvss [1] package. Package has been
> uploaded to mentors.debian.net [2]. These are the respective ITP and RFS
> bugs: #1108637 and #1108712.
> I would be grateful for your review and sponsorship. Any feedback or
> suggestions would be highly appreciated.
you are using the branch upstream/latest which contains the full git history
of the upstream project.
There is nothing really wrong with that, but it's also unusual. There
are other packaging trees which are using a similar way because it's of
course more convenient to work with the upstream git tree in case you
want or need to deal with patches or MRs you want to target to upstream.
But having the full blown git history this way has also downsides, at
least to me.
There is the pydoctor [1] packaging that is doing something similar, but
it is using the upstream git data only on the local side and only uses
the upstream tagged commit that gets used for merging in the new upstream
version into upstream(/latest).
This way you don't see all the "noise" from the upstream workflow
while looking at some 'git log' or in your preferred graphical git
history visualizations and do some packaging $stuff.
In the end it's probably some personal choice, I just want to mention
that this kind of upstream data handling is quite unusual for packages
in the DPT. At least you would need to describe for other team members
how the workflow for this tree is to prepare newer versions.
You might want to take a look at the file debian/README.source in the
referenced package to get an inspiration. My motivation goes down to
zero for working on some package to update if it's too time consuming to
find out how the package in question needs to get handled.
other things...
debian/control:
Please do the ordering of the Build-Depends in alphabetical ordering,
this helps me and others to see the "right" listed package I'm
searching there because we are humans and find things quicker if they
are ordered alphabetically.
You can use wrap-and-sort (e.g. with the options '-ast') to do that for you.
This would also do a bit of reordering in debian/tests/control so the
content is a bit better readable there.
debian/copyright:
You can shorten the license text of LGPL-3+ to just this short text.
  On Debian systems, the full text of the GNU Lesser General Public
  License version 3 can be found in the file
  `/usr/share/common-licenses/LGPL-3'.
debian/cvss_calculator.1:
The man page states it was created by help2man. I suggest you add some
target/code to debian/rules so it gets created on every package build.
Lintian mentions this with a pedantic tag.
P: python-cvss source: maintainer-manual-page [debian/cvss_calculator.1]
In case upstream is adding or modifying an option you would then get
automatically an updated man page into the newer package. Get an idea
how to add this by looking into the package time-decode [2].
debian/gbp.conf:
'compression = xz' is the default, no need to add this key.
debian/upstream/metadata:
Drop the comments in that file, these are mostly boilerplate and
useless. You can add three dashes as first line so it's valid YAML code
in the end.
Otherwise the package is building fine and looks quite good for an
upload to me.
[1] https://salsa.debian.org/python-team/packages/pydoctor
[2] https://salsa.debian.org/pkg-security-team/time-decode/-/commit/bfc3b35a3e72acae241c0324a513e4c879a453e6
--
Regards
Carsten