Hi Paul,
On Wed, 23 Sep 2015 at 18:03:41 +0200, Paul Wise wrote:
> The source package should not be a native source package as netmask
> isn't Debian specific.
It has however (to my surprise as well) been a native package since its
integration to Debian in 1999. Just made it non-native as you
suggested, though.
> Are buildflags.mk and override_dh_auto_build nessecary? Usually they
> aren't for autoconf.
Yes, upstream has a weird way to manage the CFLAGS/CPPFLAGS/LDFLAGS.
The only way I could override the variables to add the hardening options
was to pass them to ‘make’.
> Is debian/info nessecary? Usually the upstream build system is
> responsible for installing info documents.
No indeed it's not, thanks.
> The upstream NEWS file doesn't look very useful, I would suggest
> asking upstream to rename the ChangeLog to NEWS (or just not
> installing NEWS).
>
> The upstream README file has an incorrect version number and claim
> about initial public release in it, you might want to suggest upstream
> to remove the version number from it.
Will do. Not a reason for rejection though :-P
> Is debian/dirs nessecary? Usually the upstream build system and
> debhelper automatically create those two dirs.
No indeed it's not, thanks.
> I would suggest adding a Homepage field pointing at the github page to
> debian/control.
>
> I would suggest adding a debian/watch file and a debian/upstream/metadata file.
>
> https://wiki.debian.org/debian/watch
> https://wiki.debian.org/UpstreamMetadata
Done for the homepage and upstream/metadata. Thanks for the tips.
(Unfortunately upstream currently doesn't tag their release nor provide
tarballs, so the watchfile is useless right now since I don't know how
to mangle the versions, right?)
> I would suggest that upstream tag their releases and upload their
> tarballs to github using the releases feature.
>
> https://github.com/talby-/netmask/releases
Yeah, that would be great. I asked about that already ;-)
> I would suggest that upstream should remove from git all the files
> generated or copied in by autotools.
>
> Yourself and upstream might want to OpenPGP-sign git commits, git tags
> and release tarballs:
>
> http://mikegerwitz.com/papers/git-horror-story
> https://help.riseup.net/en/security/message-security/openpgp/best-practices
I have done that right after my ITA :-) Didn't get a reply yet, though.
> This line in the upstream configure.in looks weird, usually -O only
> goes up to 3:
>
> : ${CFLAGS='-Wall -g -O6'}
Will tell upstream about that.
> aclocal: warning: autoconf input should be named 'configure.ac', not
> 'configure.in'
> automake: warning: autoconf input should be named 'configure.ac', not
> 'configure.in'
> configure.in:3: warning: AM_INIT_AUTOMAKE: two- and three-arguments
> forms are deprecated. For more info, see:
> configure.in:3:
> http://www.gnu.org/software/automake/manual/automake.html#Modernize-AM_005fINIT_005fAUTOMAKE-invocation
> automake: warning: autoconf input should be named 'configure.ac', not
> 'configure.in'
>
> lintian:
>
> X: netmask source: deprecated-configure-filename
Yeah, the build system is from 1999 and hasn't been much upgraded since
:-/ Surely upstream noticed the warning already, but I'll point it out
anyway. However IMHO it's not a reason for rejection either :-P
> $ duck
> E: debian/control: Vcs-Git: https://git.guilhem.org/netmask: ERROR
> (Certainty:certain)
> fatal: unable to access 'https://git.guilhem.org/netmask/': server
> certificate verification failed. CAfile:
> /etc/ssl/certs/ca-certificates.crt CRLfile: none
I serve git over (smart) HTTP. And well, the CA is valid, it just
happen not to be in your CA store :-P
> $ fdupes -q -r .
> ./testdata.14
> ./testdata.15
>
> ./testdata.19
> ./testdata.23
>
> ./version.texi
> ./stamp-vti
>
> $ licensecheck --check=. --recursive --copyright . | grep -i incorrect
> ./errors.h: GPL (v2 or later) (with incorrect FSF address)
> ./main.c: GPL (v2 or later) (with incorrect FSF address)
> ./missing: GPL (v2 or later) (with incorrect FSF address)
> ./mdate-sh: GPL (v2 or later) (with incorrect FSF address)
> ./errors.c: GPL (v2 or later) (with incorrect FSF address)
> ./texinfo.tex: GPL (v2 or later) (with incorrect FSF address)
> ./netmask.c: GPL (v2 or later) (with incorrect FSF address)
>
> $ licensecheck --check=. --recursive --copyright . | grep -F 'GENERATED FILE'
> ./configure: GENERATED FILE
> ./Makefile.in: GENERATED FILE
Again I intend to be the maintainer, not upstream :-P (And the package
has been around in its current state for 16 years.) I'll forward your
remarks upstream though.
In the meantime I have uploaded a new version:
dget -x http://mentors.debian.net/debian/pool/main/n/netmask/netmask_2.4.0-1.dsc
Thanks for the feedback,
cheers,
--
Guilhem.
Attachment:
signature.asc
Description: PGP signature