
RE : SAGE in Debian status page
Hello Alexander,

I just checked out your package and now there is only one lintian complaint, about the hardening:

N: Processing binary package libpolybori-0.8.2-1 (version 0.8.2-1, arch i386) ...
W: libpolybori-0.8.2-1: hardening-no-relro usr/lib/libpolybori-0.8.2.so.1.0.0
N: 
N:    This package provides an ELF binary that lacks the "read-only
N:    relocation" link flag. This package was likely not built with the
N:    default Debian compiler flags defined by dpkg-buildflags. If built using
N:    dpkg-buildflags directly, be sure to import LDFLAGS.
N:    
N:    Refer to http://wiki.debian.org/Hardening for details.
N:    
N:    Severity: normal, Certainty: certain
N:    
N:    Check: binaries, Type: binary, udeb
N: 
W: libpolybori-0.8.2-1: hardening-no-fortify-functions usr/lib/libpolybori-0.8.2.so.1.0.0
N: 
N:    This package provides an ELF binary that lacks the use of fortified libc
N:    functions. Either there are no potentially unfortified functions called
N:    by any routines, all unfortified calls have already been fully validated
N:    at compile-time, or the package was not built with the default Debian
N:    compiler flags defined by dpkg-buildflags. If built using
N:    dpkg-buildflags directly, be sure to import CPPFLAGS.
N:    
N:    NB: Due to false-positives, Lintian ignores some unprotected functions
N:    (e.g. memcpy).
N:    
N:    Refer to http://wiki.debian.org/Hardening and
N:    http://bugs.debian.org/673112 for details.
N:    
N:    Severity: normal, Certainty: possible
N:    
N:    Check: binaries, Type: binary, udeb
N: 
W: libpolybori-0.8.2-1: hardening-no-relro usr/lib/libpolybori_groebner-0.8.2.so.1.0.0
W: libpolybori-0.8.2-1: hardening-no-fortify-functions usr/lib/libpolybori_groebner-0.8.2.so.1.0.0

- I can see that you did not use dpkg-buildflags in your rules file;
 please read this page [1] and follow the advice to add the hardening flags to your package.

- I also see some inconsistencies in the package:
the compat file contains 7 and the minimum debhelper in the control file says >=5.
You should switch to at least 8.

- you should use cme to help you fix the control and copyright files, like this:
cme fix dpkg-control
cme fix dpkg-copyright

This program is provided by this package:

ii  libconfig-model-dpkg-perl             2.030                              all          editor for Dpkg source files with validation

On this occasion you should switch to the DEP5 copyright format before running cme on the copyright.
Look for licensecheck2dep5, which can help you.

- your package seems to use the -release versioning scheme [2]; does it mean that your library changes its API at each release?
  * If what you are "selling" to your users is only the python module, it would be nice to avoid providing the libraries at all.
  This would greatly reduce the amount of work for the maintenance of X versions of the libraries.
  * if you are also providing the C++ library and the dev environment with the -dev package, you should also provide a -dbg package.
    Nevertheless, if your package is API compatible with the previous 0.5~rc1-2.2, you should reconsider the naming scheme of your libraries.
  * another good practice is to package only one library per binary package, but you bundled two of them in your binary.
  * so please read all of [2] and explain to me what your plan for polybori is, thanks.

- you should also acknowledge (or not) the .2 NMU

- since you are part of the upstream, I would also encourage you to read this document [3], which explains why scons should be avoided as much as possible,
  especially when it comes to multi-archifying your package :).


I know this is a lot of work, but the quality of the overall distribution depends on this.

Thanks for your efforts on the packaging side and for polybori itself.

Cheers,

Frederic

[1] http://wiki.debian.org/HardeningWalkthrough
[2] http://www.netfort.gr.jp/~dancer/column/libpkg-guide/libpkg-guide.html#id291350
[3] http://wiki.debian.org/UpstreamGuide
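Frederic's first point is the hardening-no-relro warning. Lintian raises it when a shared object carries no PT_GNU_RELRO program header, which is exactly what the `-Wl,-z,relro` in the default LDFLAGS from dpkg-buildflags would have added; a linker that also gets `-z now` (the bindnow hardening option, not enabled by default) marks the object for full RELRO, so the GOT becomes read-only after loading. The checker below is an added example, not code from this thread, from polybori or from lintian: it classifies an ELF file as having no, partial or full RELRO using only the Python standard library, so it works where readelf is not installed, and it builds its own minimal ELF images (constructed, non-loadable test data) to run offline. The `build_sample_elf` helper and those images are assumptions for illustration; the ELF constants are the standard ones. The companion hardening-no-fortify-functions warning is a different check (it inspects the dynamic symbol table for `__*_chk` calls) and is not covered here.

```python
"""Classify an ELF object's RELRO hardening, the property behind lintian's
hardening-no-relro tag.  Added example, not code from the mailing-list thread
or from the polybori/lintian projects.  Only little-endian ELF32/ELF64 is
handled, which covers the i386 build from the lintian output above."""
import struct

# Program header types (ELF ABI / GNU extension)
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
# Dynamic section tags and flag bits that request immediate symbol binding
DT_NULL = 0
DT_BIND_NOW = 24
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1

# EI_CLASS -> (ELF header format, program header format, dynamic entry format)
_LAYOUT = {
    1: ("<16sHHIIIIIHHHHHH", "<IIIIIIII", "<iI"),   # ELFCLASS32
    2: ("<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"),   # ELFCLASS64
}


def _program_headers(data):
    """Yield (p_type, p_offset, p_filesz, dyn_entry_fmt) for every segment."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[5] != 1:
        raise ValueError("this example only handles little-endian ELF")
    elf_class = data[4]
    if elf_class not in _LAYOUT:
        raise ValueError("unknown EI_CLASS %d" % elf_class)
    ehdr_fmt, phdr_fmt, dyn_fmt = _LAYOUT[elf_class]
    fields = struct.unpack_from(ehdr_fmt, data, 0)
    # e_phoff, e_phentsize and e_phnum have the same field index in both classes
    e_phoff, e_phentsize, e_phnum = fields[5], fields[9], fields[10]
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if elf_class == 2:
            p_type, p_offset, p_filesz = ph[0], ph[2], ph[5]  # Elf64_Phdr: p_flags is 2nd
        else:
            p_type, p_offset, p_filesz = ph[0], ph[1], ph[4]  # Elf32_Phdr: p_flags is 7th
        yield p_type, p_offset, p_filesz, dyn_fmt


def relro_status(data):
    """Return 'none' (lintian would emit hardening-no-relro), 'partial' or 'full'."""
    has_relro = False
    bind_now = False
    for p_type, p_offset, p_filesz, dyn_fmt in _program_headers(data):
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            size = struct.calcsize(dyn_fmt)
            for off in range(p_offset, p_offset + p_filesz, size):
                tag, val = struct.unpack_from(dyn_fmt, data, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True
    if not has_relro:
        return "none"
    return "full" if bind_now else "partial"


def build_sample_elf(elf_class=2, relro=True, bind_now=False):
    """Construct a minimal ELF image (constructed test data, not loadable) whose
    only segments are PT_DYNAMIC and, optionally, an empty PT_GNU_RELRO."""
    ehdr_fmt, phdr_fmt, dyn_fmt = _LAYOUT[elf_class]
    ehsize, phentsize = struct.calcsize(ehdr_fmt), struct.calcsize(phdr_fmt)
    dyn = struct.pack(dyn_fmt, DT_FLAGS, DF_BIND_NOW) if bind_now else b""
    dyn += struct.pack(dyn_fmt, DT_NULL, 0)
    phnum = 2 if relro else 1
    dyn_off = ehsize + phnum * phentsize
    ident = b"\x7fELF" + bytes([elf_class, 1, 1, 0]) + b"\x00" * 8
    # e_type=3 (ET_DYN, a shared object), e_machine=0, e_version=1, no sections
    ehdr = struct.pack(ehdr_fmt, ident, 3, 0, 1, 0, ehsize, 0, 0,
                       ehsize, phentsize, phnum, 0, 0, 0)
    if elf_class == 2:
        phdrs = struct.pack(phdr_fmt, PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
        if relro:
            phdrs += struct.pack(phdr_fmt, PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    else:
        phdrs = struct.pack(phdr_fmt, PT_DYNAMIC, dyn_off, 0, 0, len(dyn), len(dyn), 6, 4)
        if relro:
            phdrs += struct.pack(phdr_fmt, PT_GNU_RELRO, 0, 0, 0, 0, 0, 4, 1)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:          # e.g. usr/lib/libpolybori-0.8.2.so.1.0.0
        with open(path, "rb") as f:
            print(path, relro_status(f.read()))
    for cls, relro, now in ((2, False, False), (2, True, False), (1, True, True)):
        print("constructed class=%d relro=%s bind_now=%s -> %s"
              % (cls, relro, now, relro_status(build_sample_elf(cls, relro, now))))
```

Pointing it at the `.so` files lintian named (for instance `usr/lib/libpolybori-0.8.2.so.1.0.0` from the unpacked package) before and after adding the dpkg-buildflags LDFLAGS to the scons invocation shows whether the fix actually reached the linker: a result of `none` means the warning will come back on the next lintian run, `partial` is what the default flags produce, and `full` appears only when bindnow is also enabled.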
