Bug#710989: RFS: plover/2.2.0-4 ITP

To: 710989@bugs.debian.org
Subject: Bug#710989: RFS: plover/2.2.0-4 ITP
From: Jakub Wilk <jwilk@debian.org>
Date: Tue, 4 Jun 2013 12:22:04 +0200
Message-id: <[🔎] 20130604102204.GA1548@jwilk.net>
Reply-to: Jakub Wilk <jwilk@debian.org>, 710989@bugs.debian.org
In-reply-to: <[🔎] CAKTje6FwDE6iTkwktDyecu5S-p8GLZwhfObrp1PFR0xkY2nhkQ@mail.gmail.com>
References: <[🔎] 20130603212651.GT31312@chiark.greenend.org.uk> <[🔎] CAKTje6FwDE6iTkwktDyecu5S-p8GLZwhfObrp1PFR0xkY2nhkQ@mail.gmail.com>

* Paul Wise <pabs@debian.org>, 2013-06-04, 09:48:

I am looking for a sponsor for my package "plover".

As promised, here is a review...

Hey, I wrote a review, too! (But I don't intend to sponsor thispackage.)

There is a security issue (DoS attack); on multi-user systems, any usercan prevent other users from running the program. I'm not sure butthere may also be a symlink attack.

I had a look how the lockfile module is implemented: indeed symlinksattacks are possible.

The license info is in debian/copyright.

Strangely, the copyright file, unlike the package description, doesn'tcurrently say anything about GPL version.

I would suggest that 'python' is not the correct section. Either 'misc'or 'utils' would be appropriate.


Maybe "x11"?

Bug #654659 has not much to do with the desktop-is-not-a-script patch,so don't mention it in the patch header.

Why is Debian revision "4"? It should be normally "1" for initialreleases...

README lists a number of Python modules required to run plover, but theyare not in Depends.

"This manual page needs a lot of work." - yeah, it does! I think itwould be useful if you incorporated parts of README into the manpage.

Are Python modules included by this package supposed to be used by othersoftware? If yes, then the package name should be python-plover.Otherwise the modules should be moved to a private directory (say/usr/share/plover/).


application/plover has this:
| try:
|     print "If Plover is quit using Ctrl-c, the /tmp/plover.lock file must \
| be removed before Plover can be run again."
|     gui = plover.gui.main.PloverGUI()
|     gui.MainLoop()
| finally:
|     lock.release()

I don't get it. Why would I have to remove the lock file manually? Isn'tthat what the finally clause is for?


plover/config.py has this:
| CONFIG_DIR = os.path.expanduser('~/.config/plover')

It would be great if upstream could support XDG Base Directoryspecification[0] instead of hardcoding ~/.config/.


Typos:
a the default -> the default
copmose -> compose
trasnlations -> translations


[0] http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html

--
Jakub Wilk

Reply to:

References:
- Bug#710989: RFS: plover/2.2.0-4 ITP
  - From: Thomas Thurman <thomas@thurman.org.uk>
- Bug#710989: RFS: plover/2.2.0-4 ITP
  - From: Paul Wise <pabs@debian.org>

Prev by Date: Bug#706514: RFS: dcraw/9.17-1
Next by Date: Bug#710103: The mentor package URL changed as well
Previous by thread: Bug#710989: RFS: plover/2.2.0-4 ITP
Next by thread: Processed: plover: block ITP 654659 by RFS 710989
Index(es):
- Date
- Thread