Bug#1079474: RFS: openscap/1.4.0+dfsg-1 -- libraries enabling integration of the SCAP line of standards - Documentation
Control: tags -1 -moreinfo
On 23.08.2024 20:09, Phil Wyett wrote:
> Control: tags -1 +moreinfo
>
> Havard,
>
> Preamble...
>
> Thank you for taking the time to prepare this package and your contribution
> to the Debian project.
>
> The review below is for assistance. This review is offered to help package
> submitters to Debian mentors in order to improve their packages prior to
> possible sponsorship into Debian. There is no obligation on behalf of the
> submitter to make any alterations based upon information provided in the
> review.
>
> Review...
>
> 1. Build:
>
> * pbuilder [1]: Good
> * sbuild [2]: Good
>
> 2. Lintian [3]: Warning
>
> W: libopenscap33: uses-dpkg-database-directly [usr/lib/x86_64-linux-gnu/libopenscap.so.33.0.0]
> N:
> N: The listed file or maintainer script appears to access the internal
> N: database(s) of dpkg.
> N:
> N: The entire dpkg database, its layout and files are an internal interface
> N: and no program or package should be accessing it, other than dpkg itself
> N: and the suite of dpkg tools.
> N:
> N: Whilst the files may be editable by an admin, that's a supported (but
> N: unrecommended) feature reserved for humans and not for automatic tools.
> N:
> N: Please refer to https://wiki.debian.org/DpkgConffileHandling for details.
> N:
> N: Visibility: warning
> N: Show-Always: no
> N: Check: files/contents
>
> 3. Licenses [4]: Issue
>
> Some may be false positives, but a review is in order due to so many files
> being flagged.
>
> philwyett@ks-tarkin:~/Development/builder/debian/mentoring/openscap-1.4.0+dfsg$ lrc -t
> : Versions: recon 1.14 check 3.3.9-1
>
> Parsing Source Tree ....
> Reading copyright ....
> Running licensecheck ....
>
> d/copyright | licensecheck
>
> | BSD-2-clause cmake/FindDBUS.cmake
> | LGPL-2.1+ compat/compat.h
> | LGPL-3+ compat/strptime.c
> | LGPL-2.1+ compat/strsep.c
> | LGPL-2.1 lgpl-2.1.rtf
> | LGPL-2 openscap.spec
> LGPL-2.0+ | LGPL-2+ oscap_wrapper.in
> | LGPL-2+ run.in
> W3C | W3C~unknown schemas/common/xmldsig-core-schema.xsd
> | W3C~unknown schemas/oval/5.11.3/xmldsig-core-schema.xsd
> LGPL-2.1+ and expat| Expat and/or LGPL-2.1+ schemas/sce/1.0/sce-result-schema.xsd
> | LGPL-2.1+ src/CPE/cpe_ctx_priv.c
> | public-domain src/OVAL/probes/SEAP/MurmurHash3.c
> | LGPL-2.1+ src/OVAL/probes/SEAP/_seap-command.h
> | LGPL-2.1 tests/API/probes/test_memusage.c
> | LGPL-2.1+ tests/bz2/test_bz2_memory_source.c
> | GPL-2 tests/probes/rpm/foo.spec
> | LGPL-2.1+ tests/sce/script_tester.py
> | Perl tests/xmldiff.pl
> LGPL-2.0+ | LGPL-2+ utils/autotailor
> | LGPL-2.1+ utils/oscap-cpe.c
> LGPL-2.0+ | LGPL-2+ utils/oscap-docker.in
> | LGPL-2.1+ utils/oscap-ds.c
> LGPL-2.0+ | LGPL-2+ utils/oscap-podman
> GPL-2+ | GPL-2 utils/oscap-remediate
> LGPL-2.0+ | LGPL-2+ utils/oscap-ssh
> | LGPL-2.1+ utils/oscap-tool.c
> LGPL-2.0+ | LGPL-2+ utils/oscap-vm
> | LGPL-2.1+ utils/oscap-xccdf.c
> LGPL-2.0+ | LGPL-2+ utils/oscap_docker_python/__init__.py
> | LGPL-2.1+ utils/scap-as-rpm
> | BSD-3-clause xsl/oval-results-report.xsl
> | LGPL-2.1 xsl/oval-to-xccdf.xsl
> | LGPL-2.1+ xsl/xccdf-branding.xsl
> | Expat xsl/xccdf-resources.xsl
> | LGPL-2.1+ xsl/xccdf-share.xsl
>
Added a few more licenses I had missed, but as you noted, most are false
positives.
> 4. Watch file [uscan --force-download]: Good
>
> 5. Build Twice [sudo pbuilder build --twice <package>.dsc]: Issue
>
> dpkg-source -b .
> dpkg-source: info: using source format '3.0 (quilt)'
> dpkg-source: info: building openscap using existing
> ./openscap_1.4.0+dfsg.orig.tar.xz
> dpkg-source: info: using patch list from debian/patches/series
> dpkg-source: warning: file openscap-1.4.0+dfsg/.pytest_cache/v/cache/nodeids
> has no final newline (either original or modified version)
> dpkg-source: warning: file openscap-1.4.0+dfsg/.pytest_cache/v/cache/stepwise
> has no final newline (either original or modified version)
> dpkg-source: info: local changes detected, the modified files are:
> openscap-1.4.0+dfsg/.pytest_cache/CACHEDIR.TAG
> openscap-1.4.0+dfsg/.pytest_cache/README.md
> openscap-1.4.0+dfsg/.pytest_cache/v/cache/nodeids
> openscap-1.4.0+dfsg/.pytest_cache/v/cache/stepwise
> dpkg-source: info: Hint: make sure the version in debian/changelog matches
> the unpacked source tree
> dpkg-source: info: you can integrate the local changes with dpkg-source --commit
> dpkg-source: error: aborting due to unexpected upstream changes, see
> /tmp/openscap_1.4.0+dfsg-1.diff.Oq6MvY
> dpkg-buildpackage: error: dpkg-source -b . subprocess returned exit status 2
> I: copying local configuration
> E: Failed autobuilding of package
> I: unmounting dev/ptmx filesystem
> I: unmounting dev/pts filesystem
> I: unmounting dev/shm filesystem
> I: unmounting proc filesystem
> I: unmounting sys filesystem
> I: cleaning the build env
> I: removing directory /var/cache/pbuilder/build/226793 and its subdirectories
>
Fixed.
> 6. Reproducible builds [5]: Good
>
> 7. Install [No previous installs]: Good
>
> 8. Upgrade [Over previous installs if any]: Good
>
> Additional...
>
> A. It would be good to add an upstream contact to 'debian/copyright' if there
> is one or more.
>
Found it!
> Summary...
>
> I believe openscap is not yet ready for sponsorship at this time. Could the
> contributor rectify one or more of the raised issues. Once updated to your
> satisfaction and a new upload done, please remove the 'moreinfo' tag on the
> Request For Sponsorship (RFS) bug report.
>
> Regards
>
> Phil
>
> [1] pbuilder:
>
> * Command: sudo pbuilder build <PACKAGE>.dsc
> * Document: https://wiki.ubuntu.com/PbuilderHowto.
> * Document: https://wiki.debian.org/PbuilderTricks
>
> [2] sbuild:
>
> * Command: sbuild <PACKAGE>.dsc
> * Document: https://wiki.kathenas.org/pmwiki.php/Kathenas/Article00000002
> * Document: https://wiki.debian.org/sbuild
>
> [3] lintian:
>
> * Command: lintian -v -i -I -E --pedantic --profile debian (*.dsc,
> *.changes, *.buildinfo). Each can throw up different results, so be thorough.
> * Document: https://wiki.debian.org/Lintian
>
> [4] lrc:
>
> * Command: lrc -t
> * Document: https://wiki.debian.org/CopyrightReviewTools#licenserecon
>
> [5] reprotest
>
> * Command: sudo reprotest --vary=-build_path,domain_host.use_sudo=1 --auto-build <PACKAGE>.dsc -- schroot unstable-amd64-sbuild
> * Document: https://wiki.kathenas.org/pmwiki.php/Kathenas/Article00000004
> * Document: https://wiki.debian.org/ReproducibleBuilds/
> * Document: https://wiki.debian.org/ReproducibleBuilds/Howto#Newer_method
>
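The "Build Twice" failure quoted above comes from test-cache files left in the unpacked tree after the first build, which makes the second dpkg-source run abort. As an added example that is not part of this thread or of the openscap packaging, here is a POSIX sh helper that extracts the paths dpkg-source lists as local changes and collapses them to candidate debian/clean entries; the sample log is constructed from the lines quoted in the review, with the temporary diff name replaced by a placeholder.

```shell
# Constructed sample of dpkg-source output (taken from the review above; the
# /tmp diff name is a placeholder). Real dpkg-source indents the file list.
sample_log() {
  cat <<'EOF'
dpkg-source: info: using patch list from debian/patches/series
dpkg-source: warning: file openscap-1.4.0+dfsg/.pytest_cache/v/cache/nodeids has no final newline (either original or modified version)
dpkg-source: info: local changes detected, the modified files are:
 openscap-1.4.0+dfsg/.pytest_cache/CACHEDIR.TAG
 openscap-1.4.0+dfsg/.pytest_cache/README.md
 openscap-1.4.0+dfsg/.pytest_cache/v/cache/nodeids
 openscap-1.4.0+dfsg/.pytest_cache/v/cache/stepwise
dpkg-source: info: Hint: make sure the version in debian/changelog matches the unpacked source tree
dpkg-source: error: aborting due to unexpected upstream changes, see /tmp/openscap_1.4.0+dfsg-1.diff.PLACEHOLDER
EOF
}

# Read dpkg-source output on stdin and print each path from the
# "local changes detected" block, relative to the unpacked source root.
# The block ends at the next "dpkg-source:" prefixed line.
local_changes() {
  awk '
    /local changes detected, the modified files are:/ { inlist = 1; next }
    inlist && /^dpkg-source:/ { inlist = 0 }
    inlist {
      sub(/^[ \t]+/, "")        # drop indentation (also tolerates none)
      sub(/^[^\/]+\//, "")      # drop the "<source>-<version>/" prefix
      print
    }
  '
}

# Collapse the relative paths to their top-level entries so they can be
# listed in debian/clean; debhelper expects directories to end in "/".
clean_entries() {
  awk -F/ '{ if (NF > 1) print $1 "/"; else print $1 }' | sort -u
}

# Stand-alone run against the constructed sample. In a real build tree you
# would feed it the actual output: dpkg-source -b . 2>&1 | local_changes
sample_log | local_changes | clean_entries
```

The printed entries are only candidates: confirm each one is a build artifact rather than an intentional upstream file before adding it to debian/clean or removing it in an override_dh_auto_clean target.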