Bug#835286: RFS: mmh/0.3-1 ITP

To: Dmitry Bogatov <KAction@gnu.org>, 835286@bugs.debian.org
Subject: Bug#835286: RFS: mmh/0.3-1 ITP
From: Paul Wise <pabs@debian.org>
Date: Wed, 24 Aug 2016 19:38:22 +0800
Message-id: <[🔎] CAKTje6ESgiy3FR5Q10w==nRrThUfqG3Asde-Y1O5+LCGLmE9TA@mail.gmail.com>
Reply-to: Paul Wise <pabs@debian.org>, 835286@bugs.debian.org
In-reply-to: <[🔎] E1bcTw7-0003pd-UU@eggs.gnu.org>
References: <[🔎] E1bcTw7-0003pd-UU@eggs.gnu.org>
On Wed, Aug 24, 2016 at 4:53 PM, Dmitry Bogatov wrote:

>     dget -x http://mentors.debian.net/debian/pool/main/m/mmh/mmh_0.3-1.dsc

I don't intend to sponsor this but here is a review:

Please include the upstream tarball signature alongside the upstream
tarball. uscan doesn't yet put it in the right place, but it should be
named mmh_0.3.orig.tar.gz.asc and dpkg-buildpackage will include it
into the .dsc file.

These should get fixed before this package is suitable for upload in my opinion:

sbr/dtimep.c is a generated file (using flex I think), please remove
it in `debian/rules build` before ./configure is run so that we know
we can build it from source. You'll probably need to also remove it in
`debian/rules clean`. I found this using licensecheck.

These would be nice to fix in my opinion:

I don't think this is needed in the patches, just the headers should be enough:

This patch header follows DEP-3: http://dep.debian.net/deps/dep3/

Personally, I wrap debian/watch after the opts line with a
continuation character ("\").

Upstream should probably bump their copyright years, since they worked
on it in 2016.

Please add some upstream metadata: https://wiki.debian.org/UpstreamMetadata

Automatic checks:

build:

gcc -c -DHAVE_CONFIG_H  -D_GNU_SOURCE -I.. -I. -I.. -Wdate-time
-D_FORTIFY_SOURCE=2 -g -O2 -fdebug-prefix-map=/build/mmh-0.3=. -fPIE
-fstack-protector-strong -Wformat -Werror=format-security path.c
path.c: In function 'expanddir':
path.c:247:3: warning: ignoring return value of 'getcwd', declared
with attribute warn_unused_result [-Wunused-result]
   getcwd(buf, sizeof buf);
   ^~~~~~~~~~~~~~~~~~~~~~~
gcc -c -DHAVE_CONFIG_H  -D_GNU_SOURCE -I.. -I. -I.. -Wdate-time
-D_FORTIFY_SOURCE=2 -g -O2 -fdebug-prefix-map=/build/mmh-0.3=. -fPIE
-fstack-protector-strong -Wformat -Werror=format-security utils.c
utils.c: In function 'pwd':
utils.c:94:4: warning: ignoring return value of 'chdir', declared with
attribute warn_unused_result [-Wunused-result]
    chdir(curwd);
    ^~~~~~~~~~~~
whatnowproc.c: In function 'what_now':
whatnowproc.c:96:3: warning: ignoring return value of 'chdir',
declared with attribute warn_unused_result [-Wunused-result]
   chdir(cwd);
   ^~~~~~~~~~
gcc -c -DHAVE_CONFIG_H  -D_GNU_SOURCE -I. -I.. -I.. -Wdate-time
-D_FORTIFY_SOURCE=2 -g -O2 -fdebug-prefix-map=/build/mmh-0.3=. -fPIE
-fstack-protector-strong -Wformat -Werror=format-security mhshowsbr.c
mhshowsbr.c: In function 'show_content_aux2':
mhshowsbr.c:478:4: warning: ignoring return value of 'chdir', declared
with attribute warn_unused_result [-Wunused-result]
    chdir(cracked);
    ^~~~~~~~~~~~~~
gcc -c -DHAVE_CONFIG_H  -D_GNU_SOURCE -I. -I.. -I.. -Wdate-time
-D_FORTIFY_SOURCE=2 -g -O2 -fdebug-prefix-map=/build/mmh-0.3=. -fPIE
-fstack-protector-strong -Wformat -Werror=format-security new.c
new.c: In function 'check_folders':
new.c:226:3: warning: ignoring return value of 'chdir', declared with
attribute warn_unused_result [-Wunused-result]
   chdir(toabsdir("+"));
   ^~~~~~~~~~~~~~~~~~~~
gcc -c -DHAVE_CONFIG_H  -D_GNU_SOURCE -I. -I.. -I.. -Wdate-time
-D_FORTIFY_SOURCE=2 -g -O2 -fdebug-prefix-map=/build/mmh-0.3=. -fPIE
-fstack-protector-strong -Wformat -Werror=format-security dropsbr.c
dropsbr.c: In function 'mbox_open':
dropsbr.c:75:3: warning: ignoring return value of 'chown', declared
with attribute warn_unused_result [-Wunused-result]
   chown(file, uid, gid);
   ^~~~~~~~~~~~~~~~~~~~~
dropsbr.c: In function 'mbox_copy':
dropsbr.c:171:4: warning: ignoring return value of 'write', declared
with attribute warn_unused_result [-Wunused-result]
    write(to, ">", 1);
    ^~~~~~~~~~~~~~~~~
gcc -c -DHAVE_CONFIG_H  -D_GNU_SOURCE -I. -I.. -I.. -Wdate-time
-D_FORTIFY_SOURCE=2 -g -O2 -fdebug-prefix-map=/build/mmh-0.3=. -fPIE
-fstack-protector-strong -Wformat -Werror=format-security refile.c
refile.c: In function 'opnfolds':
refile.c:246:3: warning: ignoring return value of 'chdir', declared
with attribute warn_unused_result [-Wunused-result]
   chdir(toabsdir("+"));
   ^~~~~~~~~~~~~~~~~~~~
refile.c:261:3: warning: ignoring return value of 'chdir', declared
with attribute warn_unused_result [-Wunused-result]
   chdir(maildir);
   ^~~~~~~~~~~~~~
gcc -c -DHAVE_CONFIG_H  -D_GNU_SOURCE -I. -I.. -I.. -Wdate-time
-D_FORTIFY_SOURCE=2 -g -O2 -fdebug-prefix-map=/build/mmh-0.3=. -fPIE
-fstack-protector-strong -Wformat -Werror=format-security rmf.c
rmf.c: In function 'rmf':
rmf.c:199:2: warning: ignoring return value of 'chdir', declared with
attribute warn_unused_result [-Wunused-result]
  chdir("..");
  ^~~~~~~~~~~
gcc -c -DHAVE_CONFIG_H  -D_GNU_SOURCE -I. -I.. -I.. -Wdate-time
-D_FORTIFY_SOURCE=2 -g -O2 -fdebug-prefix-map=/build/mmh-0.3=. -fPIE
-fstack-protector-strong -Wformat -Werror=format-security slocal.c
slocal.c: In function 'main':
slocal.c:300:3: warning: ignoring return value of 'chdir', declared
with attribute warn_unused_result [-Wunused-result]
   chdir("/");
   ^~~~~~~~~~
slocal.c:305:3: warning: ignoring return value of 'setgid', declared
with attribute warn_unused_result [-Wunused-result]
   setgid(pw->pw_gid);
   ^~~~~~~~~~~~~~~~~~
slocal.c:307:3: warning: ignoring return value of 'setuid', declared
with attribute warn_unused_result [-Wunused-result]
   setuid(pw->pw_uid);
   ^~~~~~~~~~~~~~~~~~
slocal.c: In function 'usr_pipe':
slocal.c:1001:3: warning: ignoring return value of 'freopen', declared
with attribute warn_unused_result [-Wunused-result]
   freopen("/dev/null", "w", stdout);

slocal.c:1002:3: warning: ignoring return value of 'freopen', declared
with attribute warn_unused_result [-Wunused-result]
   freopen("/dev/null", "w", stderr);
gcc -c -DHAVE_CONFIG_H  -D_GNU_SOURCE -I. -I.. -I.. -Wdate-time
-D_FORTIFY_SOURCE=2 -g -O2 -fdebug-prefix-map=/build/mmh-0.3=. -fPIE
-fstack-protector-strong -Wformat -Werror=format-security whatnow.c
whatnow.c: In function 'main':
whatnow.c:241:5: warning: ignoring return value of 'fgets', declared
with attribute warn_unused_result [-Wunused-result]
     fgets(cwd, sizeof (cwd), f);
     ^~~~~~~~~~~~~~~~~~~~~~~~~~~
   dh_strip
objcopy: debian/mmh/usr/bin/mh/stjT0pTt: debuglink section already exists
objcopy: debian/mmh/usr/bin/mh/stwuMjru: debuglink section already exists
objcopy: debian/mmh/usr/bin/mh/st0iPH7u: debuglink section already exists
objcopy: debian/mmh/usr/bin/mh/stRl4zD0: debuglink section already exists
objcopy: debian/mmh/usr/bin/mh/stlkUwm4: debuglink section already exists
objcopy: debian/mmh/usr/bin/mh/stQO7sm9: debuglink section already exists
objcopy: debian/mmh/usr/bin/mh/stU2ClAc: debuglink section already exists

check-all-the-things:

$ cppcheck -j1 --quiet -f .
[sbr/makedir.c:42]: (error) Uninitialized variable: path
[uip/distsbr.c:45]: (error) Resource leak: ifp
[uip/distsbr.c:50]: (error) Resource leak: ifp
[uip/distsbr.c:50]: (error) Resource leak: ofp
[uip/distsbr.c:148]: (error) Resource leak: ifp
[uip/distsbr.c:154]: (error) Resource leak: ifp
[uip/mhmisc.c:231]: (error) va_list 'arglist' was opened but not
closed by va_end().

$ find -type f -iname '*.sh' -exec checkbashisms {} +
script ./test/common.sh does not appear to have a #! interpreter line;
you may get strange results
possible bashism in ./config/version.sh line 36 ($HOST(TYPE|NAME)):
    if [ X"$HOSTNAME" != X  -a  X"$HOSTNAME" != Xunknown ]; then
possible bashism in ./config/version.sh line 43 ($HOST(TYPE|NAME)):
echo "char *version_str = \"mmh-$VERSION [compiled on $HOSTNAME at `date`]\";"

$ env PERL5OPT=-m-lib=. cme check dpkg
...
Warning in 'control source Vcs-Git' value
'https://anonscm.debian.org/cgit/users/kaction-guest/mmh.git': URL to
debian system is not the recommended one (this can be fixed with 'cme
fix' command)
...
Warning in 'copyright Format' value
'http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/':
Format uses insecure http protocol instead of https

$ codespell --quiet-level=3
<lots>

$ find -type f -iname '*.c' -exec complexity {} +
<lots, including these>
==>    *seriously consider rewriting the procedure*.

$ fdupes -q -r . | grep -vE
'/(\.(git|svn|bzr|hg|sgdrawer|pc)|_(darcs|FOSSIL_)|CVS)(/|$)' | cat -s
./man/next.man1
./man/prev.man1

./man/fprev.man1
./man/unseen.man1
./man/fnext.man1

./etc/components
./etc/forwcomps

$ grep -Er '/(home|srv|opt)(\W|$)' .
<some output, possibly useful>

$ flawfinder -Q -c .
<lots>

# If you contact the owners of these keys, please point out OpenPGP
best practices:
# https://help.riseup.net/en/security/message-security/openpgp/best-practices
$ find -type f -iname '*.asc' -exec cat {} + | hot dearmor | hokey lint
...
    Self-sig hash algorithms: [SHA-1]
...
    binding sig hash algorithms: [SHA-1]
...
    cross-cert hash algorithms: [SHA-1]

# check if these can be switched to https://
$ grep -rF http: .
<lots>

$ find -type f \( -iname '*.c' -o -iname '*.cc' -o -iname '*.cxx' -o
-iname '*.cpp' -o -iname '*.h' -o -iname '*.hh' -o -iname '*.hxx' -o
-iname '*.hpp' \) -exec include-what-you-use {} \;
<lots>

$ isutf8 ./ChangeLog
./ChangeLog: line 17480, char 1, byte offset 65: invalid UTF-8 code

$ env PERL5OPT=-m-lib=. license-reconcile
File mismatch: Filter Std found cs/FAQ which was not in the file
mapping. This probably implies a bug in the filter. at
/usr/share/perl5/Debian/LicenseReconcile/App.pm line 222, <GEN0> line
3.
File mismatch: Filter Std found cs/COMPLETION-BASH which was not in
the file mapping. This probably implies a bug in the filter. at
/usr/share/perl5/Debian/LicenseReconcile/App.pm line 222, <GEN0> line
3.
File mismatch: Filter Std found bian/copyright which was not in the
file mapping. This probably implies a bug in the filter. at
/usr/share/perl5/Debian/LicenseReconcile/App.pm line 222, <GEN0> line
3.
File mismatch: Filter Std found p/flist.c which was not in the file
mapping. This probably implies a bug in the filter. at
/usr/share/perl5/Debian/LicenseReconcile/App.pm line 222, <GEN0> line
3.

$ find -type f \( -iname '*.sh' -o -iname '*.bash' -o -iname '*.zsh'
\) -exec shellcheck {} +
<lots>

$ find -type d \( -iname .bzr -o -iname .git -o -iname .hg -o -iname
.svn -o -iname CVS -o -iname RCS -o -iname SCCS -o -iname _MTN -o
-iname _darcs -o -iname .pc -o -iname .cabal-sandbox -o -iname .cdv -o
-iname .metadata -o -iname CMakeFiles -o -iname _build -o -iname
_sgbak -o -iname autom4te.cache -o -iname blib -o -iname cover_db -o
-iname node_modules -o -iname '~.dep' -o -iname '~.dot' -o -iname
'~.nib' -o -iname '~.plst' \) -prune -o -type f ! \( -iname '*.bak' -o
-iname '*.swp' -o -iname '#.*' -o -iname '#*#' -o -iname 'core.*' -o
-iname '*~' -o -iname '*.gif' -o -iname '*.jpg' -o -iname '*.jpeg' -o
-iname '*.png' -o -iname '*.min.js' -o -iname '*.js.map' -o -iname
'*.js.min' -o -iname '*.min.css' -o -iname '*.css.map' -o -iname
'*.css.min' -o -iname '*.wav' \) -exec env PERL5OPT=-m-lib=.
spellintian --picky {} +
<lots>

$ grep -riE 'fixme|todo|hack|xxx+|broken' .
<lots>

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
Reply to:
Follow-Ups:
- Bug#835286: RFS: mmh/0.3-1 ITP
  - From: Dmitry Bogatov <kaction@ruggedinbox.com>
References:
- Bug#835286: RFS: mmh/0.3-1 ITP
  - From: Dmitry Bogatov <KAction@gnu.org>
Prev by Date: Processed: mmh: block ITP 835276 by RFS 835286
Next by Date: Bug#834570: Sponsering request failed to build
Previous by thread: Bug#835286: RFS: mmh/0.3-1 ITP
Next by thread: Bug#835286: RFS: mmh/0.3-1 ITP
Index(es):
- Date
- Thread