
Bug#861581: ITP: rainloop -- Simple, modern & fast web-based email client



Hi Andreas,

Thanks for the review! I've made most of the changes, but a lot of packages
are missing from Debian so I had to bundle far more than I'd like.

Bundling the libraries doesn't make /too/ much of a difference since they're
compiled into the app anyway, but the build system itself has some troublesome
dependency issues. Most can be resolved by switching to a Makefile (though it
would be a lot of work), but the javascript compilation requires external
software. A package for it is being worked on (see #805906 and
https://wiki.debian.org/Javascript/Nodejs/Tasks/webpack) but progress is slow.
I've bundled it to allow the build to run for the time being, but I expect
opposition to that as it's against the Debian guidelines.


May 8, 2017 2:30 AM, "Andreas Henriksson" <andreas@fatal.se> wrote:

> Noticed your ITP announcement on debian-devel and it seemed your package
> could be a useful addition. I might sponsor you if needed (but like I
> tell everyone I offer to sponsor please go through the regular RFS
> procedure and CC me just so others can also review your changes and
> sponsor your uploads when I'm too busy).
> I noticed Gunnar has already offered to review and sponsor but I figured
> the more the merrier, right? ;)

Thanks for the offer! I'll do that if I don't hear back from Gunnar for a while.

> Hopefully also npm from experimental works?

NPM was removed from experimental as well, since it's currently unmaintained.
It's not necessary with bundled dependencies so I removed it from the list.

> In my view, maintaining a package also means you need to look at the
> health of your dependencies and get them in shape where needed.
> Are you interested in getting involved with packaging of npm itself
> or how do you view the current outlook of not being included in
> next stable release?

I'd definitely like the package to be included in stable, but I don't
have the time to maintain the forest of NodeJS dependencies as packages.
Updates if/when someone else packages a dependency (some are already
being worked on) are fairly easy though, and I'll keep an eye out for that.

> I guess you're already aware though that (at least on official Debian buildds)
> there's no internet connectivity available at package build time...

Yep, that's why I mentioned NPM as a concern. Bundling missing libraries until
they're properly packaged solves this.

> Me neither, but preferably the amalgamation process should be a step in
> the package building. One reason is it's easier to fix any future found
> issues by patching the source and rebuilding rather than having to patch
> something generated.

It's a build step from upstream. Several of the javascript packages provide
minified versions as part of the package itself, so I included a copy of the
source for those cases.

> I've quickly looked at the packaging and in general it looks well prepared.
> I made some notes about things that popped up on my mind attached below.
> One more general question I have is about security though. See for example
> roundcube which has had quite a few CVEs found and fixed during the years.
> Has rainloop taken any particular stance on development practices for
> security? How new is the project or how widely has it been deployed yet
> that might give it some kind of practical security track record?

That's a good question, but not one I can easily answer. There are a number of
security features (PGP, 2FA, etc.) included in the software itself, and the
developer seems to pay some attention to security from what I can see on the
issue tracker, but there haven't been any major issues so I don't know what
the response would be.

Rainloop is dual-licensed as a commercial product and seems to have a decently
large user base based on the activity on GitHub. It's been around for several
years and is fairly mature software at this point, but the long dependency list
is somewhat concerning as it increases the likelihood of an upstream
vulnerability being exposed (should one be discovered).

> debian/control:
> ...
> - Mix of php(7) and php5 dependencies? Only php5 compatible? Will we
> ship php5 or will rloop soon be php7 compatible?
> 
> debian/copyright:
> ...
> 
> debian/*postinst:
> ...

Rainloop runs on both PHP5 and PHP7; I overlooked the meta-packages for
a few of the dependencies when putting the list together. I've applied
all of the changes you suggested. Thanks for the tip about dh_fixperms;
I looked for that when first putting together the package but couldn't
find it.

I've published the new version of the package to mentors:
https://mentors.debian.net/debian/pool/main/r/rainloop/rainloop_1.11.0.205-2.dsc

Sincerely,
Daniel Ring
