
Bug#807763: RFS: tomahawk-player/0.8.4-1 [ITP]



On Sat, Dec 12, 2015 at 10:40 PM, Stefan Ahlers wrote:

> How can I handle the lintian error message "source-is-missing"?
> I'm unable to find the source code of these JavaScript files on the internet.

data/js/cryptojs**.js are already in the archive as libjs-cryptojs.

data/www/js/html5shim.js isn't packaged yet, it needs to be packaged
from here, unfortunately the build-dependencies for it aren't yet
packaged.

https://github.com/afarkas/html5shiv

> Do I have to clean up the source code and remove all Windows/Mac related files?

It isn't necessary to remove files related to other platforms unless
they are not DFSG-free (don't have source code, non-free licenses
etc).

> Because of the complexity of the software and the package, I decided to ask for a revision now.

I don't intend to sponsor it, but here is my incomplete review:

If I were interested in sponsoring it, these things would block my upload:

I'm assuming the GMail, itunes, echonest, beats, soundcloud, spotify
and maybe playdar logos are not under a free license.

I would suggest removing the whole thirdparty/ directory (using
Files-Excluded in debian/copyright and repacksuffix in debian/watch)
and packaging each dependency separately. Same goes for the other
embedded copies in these files, some of them are already packaged,
others are not. This would be best done upstream but generally
upstreams are hostile to removing embedded code copies so it might not
be wise to ask about this.

data/www/js/html5shim.js
data/www/css/font-awesome.css
data/www/css/bootstrap.css
data/www/css/animate.css
data/js/cryptojs/
data/js/cryptojs-core.js
data/fonts/

https://wiki.debian.org/UscanEnhancements
https://wiki.debian.org/EmbeddedCodeCopies

These things would be nice to fix:

debian/repack.* can be replaced with Files-Excluded in
debian/copyright and repacksuffix in debian/watch.

https://wiki.debian.org/UscanEnhancements

Please add some upstream metadata: https://wiki.debian.org/UpstreamMetadata

It would be nice to build the PNG files in data/icons from the SVG
file at build time.

Automated checks:

lintian

P: tomahawk-player source: source-contains-prebuilt-javascript-object data/js/cryptojs-core.js line length is 761 characters (>512)
E: tomahawk-player source: source-is-missing data/js/cryptojs-core.js
<lots more>
P: tomahawk-player source: source-contains-prebuilt-windows-binary admin/win/nsi/nsis_processes/bin/Processes.dll
P: tomahawk-player source: source-contains-autogenerated-visual-c++-file admin/win/nsi/nsis_processes/src/processes.rc
P: tomahawk-player source: source-contains-autogenerated-visual-c++-file admin/win/nsi/nsis_processes/src/resource.h
P: tomahawk-player source: source-contains-prebuilt-windows-binary admin/win/nsi/nsis_uac/Release/A/UAC.dll
P: tomahawk-player source: source-contains-prebuilt-windows-binary admin/win/nsi/nsis_uac/Release/U/UAC.dll
P: tomahawk-player source: debian-watch-may-check-gpg-signature

check-all-the-things

# bashate produces style warnings only, can be ignored
$ find -type f \( -iname '*.sh' -o -iname '*.bash' \) -exec bashate --ignore E002,E003 {} +
E011: Then keyword is not on same line as if or elif keyword: 'if [ -z "$1" ]'
 - ./admin/mac/create-dmg.sh : L16
E011: Then keyword is not on same line as if or elif keyword: 'if [ -z "$2" ]'
 - ./admin/mac/build-release-osx.sh : L21
E011: Then keyword is not on same line as if or elif keyword: '    if [ -f ~/sign_step.sh ];'
 - ./admin/mac/build-release-osx.sh : L50
E011: Then keyword is not on same line as if or elif keyword: 'if [ -e "$schema" -a -n "$name" ]'
 - ./src/libtomahawk/database/gen_schema.h.sh : L9
4 bashate error(s) found

# Check with upstream where the Inkscape SVG source files are.
$ find -type f \( -iname '*.png' -o -iname '*.gif' -o -iname '*.jpg' -o -iname '*.jpeg' \) -exec grep -iF inkscape {} +
Binary file ./src/libtomahawk/accounts/configstorage/telepathy/kde.png matches

$ find -type f -iname '*.sh' -exec checkbashisms {} +
could not find any possible bashisms in bash script ./admin/gen_resources.sh
could not find any possible bashisms in bash script ./admin/win/update-vlc.sh
could not find any possible bashisms in bash script ./src/libtomahawk/database/gen_schema.h.sh

$ cme check dpkg
...
Warning in 'copyright Format' value
'http://anonscm.debian.org/viewvc/dep/web/deps/dep5.mdwn?view=markup&pathrev=174':
Format does not match the recommended URL for DEP-5

$ codespell --quiet-level=3
./admin/win/nsi/nsis_uac/RunAs.cpp:268: dont  ==> don't
./admin/win/nsi/nsis_uac/UAC_Uninstaller.nsi:46: aswell  ==> as well
./admin/win/nsi/nsis_processes/readme.txt:109: powerfull  ==> powerful
./admin/win/nsi/nsis_processes/src/processes.txt:109: powerfull  ==> powerful
...
./data/js/tomahawk.js:305: occured  ==> occurred
./CMakeModules/FindLibAttica.cmake:42: everytime  ==> every time
./thirdparty/qt-certificate-addon/src/certificate/certificaterequestbuilder.cpp:116: reqest  ==> request
./thirdparty/libportfwd/src/portfwd.cpp:151: adress  ==> address
./thirdparty/libportfwd/third-party/miniupnpc-1.6/miniupnpc.c:508: reponse  ==> response
./thirdparty/libportfwd/third-party/miniupnpc-1.6/minisoap.c:58: dont  ==> don't
./thirdparty/libportfwd/third-party/miniupnpc-1.6/Changelog.txt:366: accomodate  ==> accommodate
./thirdparty/kdsingleapplicationguard/kdsingleapplicationguard.cpp:290: emmited  ==> emitted
./thirdparty/qxt/qxtweb-standalone/web/qxthttpsessionmanager.cpp:156: neccessarily  ==> necessarily
./thirdparty/qxt/qxtweb-standalone/web/qxthtmltemplate.cpp:58: becouse  ==> because

$ cppcheck -j1 --quiet -f . > /dev/null
[src/libtomahawk/DropJob.cpp:266] -> [src/libtomahawk/DropJob.cpp:268]: (error) Iterator 'it' used after element has been erased.
[thirdparty/libportfwd/third-party/miniupnpc-1.6/miniwget.c:92]: (error) Common realloc mistake: 'header_buf' nulled but not freed upon failure
[thirdparty/libportfwd/third-party/miniupnpc-1.6/miniwget.c:232]: (error) Common realloc mistake: 'content_buf' nulled but not freed upon failure
[thirdparty/libportfwd/third-party/miniupnpc-1.6/miniwget.c:256]: (error) Common realloc mistake: 'content_buf' nulled but not freed upon failure
[thirdparty/libportfwd/third-party/miniupnpc-1.6/wingenminiupnpcstrings.c:62]: (error) Resource leak: fin
[thirdparty/qxt/qxtweb-standalone/core/qxtboundfunction.h:129]: (error) Null pointer dereference

$ find \( -name .git -o -name .svn -o -name .bzr -o -name CVS -o -name .hg -o -name _darcs -o -name _FOSSIL_ -o -name .sgdrawer \) -prune -o -empty -print
./thirdparty/libcrashreporter-qt

$ fdupes -q -r . | grep -vE '/(\.(git|svn|bzr|hg|sgdrawer)|_(darcs|FOSSIL_)|CVS)(/|$)' | cat -s
./data/images/list-add.svg
./data/images/add.svg

./data/images/spotify-logo.svg
./data/images/spotify-sourceicon.svg

./data/images/collection.svg
./data/images/music-settings.svg

./admin/mac/sparkle_pub.pem
./data/misc/tomahawk_pubkey.pem

$ grep -Er '/(home|srv|opt)(\W|$)' .
./data/js/tomahawk.js:                    return "/home/tomahawk/resolver.js";
./TomahawkCPack.cmake:# CPACK_INSTALL_CMAKE_PROJECTS    List of four values: Build directory, Project Name, Project Component, Directory in the package     /home/andy/vtk/CMake-bin;CMake;ALL;/
./TomahawkCPack.cmake:SET( CPACK_RESOURCE_FILE_LICENSE "${CMAKE_SOURCE_DIR}/LICENSE.txt" ) # License file for the project, used by the STGZ, NSIS, and PackageMaker generators. /home/andy/vtk/CMake/Copyright.txt
./TomahawkCPack.cmake:# CPACK_RESOURCE_FILE_README  ReadMe file for the project, used by PackageMaker generator. /home/andy/vtk/CMake/Templates/CPack.GenericDescription.txt
./TomahawkCPack.cmake:# CPACK_RESOURCE_FILE_WELCOME     Welcome file for the project, used by PackageMaker generator. /home/andy/vtk/CMake/Templates/CPack.GenericWelcome.txt
./src/accounts/xmpp/sip/AvatarManager.cpp:            // 00:14:48 [0]: ASSERT: "!this->avatar( iq.from().bare() ).isNull()" in file /home/muesli/Sources/tomahawk/master/src/accounts/xmpp/sip/AvatarManager.cpp, line 138

$ flawfinder -Q -c .
<lots>

$ find -type f \( -iname '*.ttf' -o -iname '*.otf' -o -iname '*.sfd' -o -iname '*.pfa' -o -iname '*.pfb' -o -iname '*.bdf' -o -iname '*.pk' -o -iname '*.ttc' -o -iname '*.pcf' \) -exec fontlint {} \;
<lots>

$ find -type f \( -iname '*.ttf' -o -iname '*.otf' \) -exec ftvalid {} \;
[ftvalid:ot] validation targets: GDEF:GPOS:GSUB
-------------------------------------------------------------------
[ftvalid:ot] layout tables are invalid.
[ftvalid:ot] set FT2_DEBUG environment variable to
[ftvalid:ot] know the validation detail.
[ftvalid:ot] validation targets: GDEF:GPOS:GSUB
-------------------------------------------------------------------
<more>

$ find -type d \( -iname .git -o -iname .svn -o -iname .bzr -o -iname CVS -o -iname .hg -o -iname _darcs -o -iname _FOSSIL_ -o -iname .sgdrawer \) -prune -o -type f ! \( -iname '*.blend' -o -iname '*.icns' -o -iname '*.bmp' -o -iname '*.ico' -o -iname '*.png' -o -iname '*.gif' -o -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.tga' -o -iname '*.xcf' -o -iname '*.mo' -o -iname '*.gmo' -o -iname '*.gz' -o -iname '*.bz2' -o -iname '*.xz' -o -iname '*.lz' -o -iname '*.zip' -o -iname '*.tar' -o -iname '*.deb' -o -iname '*.pdf' -o -iname '*.odt' -o -iname '*.docx' -o -iname '*.doc' -o -iname '*.torrent' -o -iname '*.pyc' -o -iname '*.pyo' -o -iname '*.o' -o -iname '*.so' -o -iname '*.so.*' -o -iname '*.debug' -o -iname '*.wav' -o -iname '*.ogg' -o -iname '*.oga' -o -iname '*.ogv' -o -iname '*.mid' -o -iname '*.ttf' -o -iname '*.otf' -o -iname '*.fon' -o -iname '*.pgp' -o -iname '*.gpg' \) -exec isutf8 {} +
./admin/win/nsi/nsis_uac/uac.cpp: line 10, char 1, byte offset 1: invalid UTF-8 code
./admin/win/nsi/nsis_processes/readme.txt: line 9, char 1, byte offset 12: invalid UTF-8 code
./admin/win/nsi/nsis_processes/bin/Processes.dll: line 1, char 1, byte offset 3: invalid UTF-8 code
./admin/win/nsi/nsis_processes/src/processes.txt: line 9, char 1, byte offset 12: invalid UTF-8 code
./admin/win/nsi/nsis_processes/src/processes.ncb: line 2, char 1, byte offset 19: invalid UTF-8 code
./src/libtomahawk/utils/GroovesharkParser.cpp: line 4, char 1, byte offset 39: invalid UTF-8 code

$ licensecheck  --recursive --copyright . | grep -F 'GENERATED FILE'
./admin/win/nsi/nsis_uac/resource.h: *No copyright* GENERATED FILE
./admin/win/nsi/nsis_uac/UAC_Uninstaller.nsi: *No copyright* GENERATED FILE
./admin/win/nsi/nsis_uac/resource.rc: *No copyright* GENERATED FILE
./admin/win/nsi/nsis_processes/src/resource.h: *No copyright* GENERATED FILE
./admin/win/nsi/nsis_processes/src/processes.vcproj: *No copyright* GENERATED FILE
./admin/win/nsi/nsis_processes/src/processes.rc: *No copyright* GENERATED FILE
./TomahawkCPack.cmake: *No copyright* GENERATED FILE
./src/libtomahawk/database/Schema.sql.h: *No copyright* GENERATED FILE
./src/libtomahawk/database/gen_schema.h.sh: *No copyright* GENERATED FILE
./CPackOptions.cmake.in: *No copyright* GENERATED FILE

$ licensecheck  --recursive --copyright . | grep -F 'with incorrect FSF address'
./thirdparty/libqnetwm/libqnetwm/netwm.cpp: GPL (v3 or later) (with incorrect FSF address)
./thirdparty/libqnetwm/libqnetwm/netwm.h: GPL (v3 or later) (with incorrect FSF address)

$ pep8 --ignore W191 .
<lots>

$ pyflakes .
./admin/mac/macdeploy.py:272: redefinition of unused 'commands' from line 21
./admin/mac/macdeploy.py:333: undefined name 'CouldNotFindFrameworkError'

$ pyflakes3 .
./admin/mac/macdeploy.py:267:32: invalid syntax
  print 'Usage: %s <bundle.app>' % sys.argv[0]

$ grep --recursive --perl-regexp --null-data --files-with-matches '(?s)-----BEGIN RSA PRIVATE KEY-----.*-----END RSA PRIVATE KEY-----' .
./thirdparty/qt-certificate-addon/tests/auto/certificaterequestbuilder/keys/leaf.key

$ find -type f -iname '*.sh' -exec sh -n {} \;
./admin/mac/build-release-osx.sh: 12: ./admin/mac/build-release-osx.sh: Syntax error: "}" unexpected

$ find -type f \( -iname '*.sh' -o -iname '*.bash' -o -iname '*.zsh' \) -exec shellcheck {} +
<lots>

$ find -type d \( -iname .bzr -o -iname .git -o -iname .hg -o -iname .svn -o -iname CVS -o -iname RCS -o -iname SCCS -o -iname _MTN -o -iname _darcs -o -iname .pc -o -iname .cabal-sandbox -o -iname .cdv -o -iname .metadata -o -iname CMakeFiles -o -iname _build -o -iname _sgbak -o -iname autom4te.cache -o -iname blib -o -iname cover_db -o -iname node_modules -o -iname '~.dep' -o -iname '~.dot' -o -iname '~.nib' -o -iname '~.plst' \) -prune -o -type f ! \( -iname '*.bak' -o -iname '*.swp' -o -iname '#.*' -o -iname '#*#' -o -iname 'core.*' -o -iname '*~' -o -iname '*.gif' -o -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' -o -iname '*.min.js' -o -iname '*.js.map' -o -iname '*.js.min' -o -iname '*.min.css' -o -iname '*.css.map' -o -iname '*.css.min' \) -exec spellintian --picky {} +
./admin/win/nsi/nsis_uac/RunAs.cpp: dont -> don't
./admin/win/nsi/nsis_processes/readme.txt: powerfull -> powerful
./admin/win/nsi/nsis_processes/src/processes.txt: powerfull -> powerful
./ChangeLog: api -> API
./ChangeLog: GTK -> GTK+
./ChangeLog: Gstreamer -> GStreamer
<more>

$ suspicious-source
./admin/mac/DS_Store.in
./admin/win/nsi/nsis_uac/Release/A/UAC.dll
./admin/win/nsi/nsis_uac/Release/U/UAC.dll
./admin/win/nsi/nsis_processes/bin/Processes.dll
./admin/win/nsi/nsis_processes/src/processes.ncb

# Possibly a tempfile vulnerability
$ grep -r '/tmp/' .
./src/tests/TestResult.h:        r = Tomahawk::Result::get( "/tmp/test.mp3", Tomahawk::track_ptr() );
./src/tests/TestResult.h:        r = Tomahawk::Result::get( "/tmp/test.mp3", t );

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
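
Three of the source-tree findings in the review above (an embedded RSA private key, prebuilt Windows binaries, and JavaScript with lines over the 512-character threshold lintian reports) can be re-checked on any unpacked tree with a short script. This is an added example, not part of the original message and not code from check-all-the-things or lintian; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: re-check three findings from the review on any source tree.
# Function names and the sample tree below are constructed for illustration.

# PEM private keys shipped in the tree (the review found one under tests/).
find_private_keys() {
    grep -rlE -e '-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----' "$1" | sort
}

# Prebuilt Windows binaries: PE/DLL files start with the two bytes "MZ".
find_pe_binaries() {
    find "$1" -type f | sort | while IFS= read -r f; do
        magic=$(head -c 2 "$f" | tr -d '\000')
        if [ "x$magic" = "xMZ" ]; then printf '%s\n' "$f"; fi
    done
}

# JavaScript with any line over 512 characters, the threshold quoted in the
# lintian output above; such files are usually minified and lack source.
find_long_line_js() {
    find "$1" -type f -name '*.js' | sort | while IFS= read -r f; do
        if awk 'length($0) > 512 { hit = 1; exit } END { exit !hit }' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Build a small constructed tree with one instance of each finding.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/admin/win" "$d/data/js" "$d/tests/keys"
    printf 'MZ\220 constructed stub, not a real DLL' > "$d/admin/win/Processes.dll"
    awk 'BEGIN { while (i++ < 761) printf "a"; print ";" }' > "$d/data/js/packed.js"
    printf 'var x = 1;\n' > "$d/data/js/readable.js"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed placeholder' \
        '-----END RSA PRIVATE KEY-----' > "$d/tests/keys/leaf.key"
    printf '%s\n' "$d"
}

tree=$(make_sample_tree)
echo "private keys:";  find_private_keys "$tree"
echo "PE binaries:";   find_pe_binaries "$tree"
echo "long-line JS:";  find_long_line_js "$tree"
rm -rf "$tree"
```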

