Control: owner -1 !
Control: tag -1 moreinfo

On Sun, May 24, 2020 at 02:22:42PM +0000, Vasyl Gello wrote:
> I am looking for a sponsor for my package "cryptopass"

o/

> * Vcs : https://salsa.debian.org/basilgello-guest/cryptopass

I'm mostly looking at the VCS, but I'm not ignoring the regular source
package either.

Things:

* you are not using git-buildpackage, instead everything is just thrown
  into the master branch. Please look into gbp. Since this is a totally
  new package, I'm actually recommending you just destroy this repository
  and create it anew, starting with a blank `gbp import-orig`. Please
  also enable pristine-tar in your local configuration unless you have a
  reason not to, and I also recommend you put "sign-tags = True" in the
  DEFAULT section as well.
* d/control:
  + any reason not to go to compat 13?
  + just to please my OCD, could you please move the Section field up
    next to Priority? (this is just me, I just can't look at that! :|)
  + on that note, you should review the Section, since this is not a
    library from what I can see
  + the synopsis is not a sentence, as such it shouldn't end with a full
    stop
  + also in the synopsis, grammar improvement: s/for generating/to generate/
  + in contrast, the long description is made up of whole sentences, but
    it's not really flowing: "This program can be used to generate
    passwords from a seed composed by: ...." is more welcoming to read
    than your initial line
* d/changelog:
  + Make that only "Initial upload. Closes: #xxx", no need for 3 lines,
    and "initial upload" is kind of standard.
* d/copyright:
  + place the full local URI for the Apache-2.0 License
  + likewise for the CC0, you only wrote the remote URL
  + you assert that lib/base64/* is BSD-3-clause, but I can't really say
    it by looking at the source. Since you are upstream, I urge you to
    include an extra file (like the referenced README?) explaining the
    origin of those bundled files
* d/rules:
  + you have clearly copied this file from somewhere without
    understanding it… didn't you?
  + that DH_OPTIONS export to make "some magic below work", do you know
    what? AFAIK it's pretty useless as it is, so please drop that
  + also go read the section "COMPATIBILITY LEVELS" of debhelper(7), to
    discover that starting with compat 10 "--with autoreconf" is implied
  + can you please explain what's so special about this package that you
    don't want to call ldconfig? Since it's something so odd there ought
    to be a comment.
* d/upstream/metadata:
  + Contact is obsoleted by Upstream-Contact in d/copyright (avoids
    duplication)
* building the package shows this "scary" GCC warning:

  |In file included from /usr/include/string.h:495,
  |                 from cryptopass.c:19:
  |In function 'strncpy',
  |    inlined from 'main' at cryptopass.c:200:9:
  |/usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: warning: '__builtin___strncpy_chk' specified bound depends on the length of the source argument [-Wstringop-overflow=]
  |  106 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
  |      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  |cryptopass.c: In function 'main':
  |cryptopass.c:191:25: note: length computed here
  |  191 |         passlenbuflen = strlen(argv[3]);
  |      |                         ^~~~~~~~~~~~~~~

Overall all of the above are indeed trivial matters, but this is
likewise a very trivial project to package.

One thing I have to think about is if this is something that Debian
would benefit to have. I'm not really security-minded, so I tend to be
wary about anything that tries to do crypto or handle passwords.
I hope some random 3rd party will tell me that this is fine ^^

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540      .''`.
More about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
signature.asc
Description: PGP signature
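The GCC diagnostic quoted in the review above (`strncpy` whose bound is computed from `strlen()` of the source, here a command-line argument) is worth a closer look, because it is exactly the pattern the compiler cannot prove safe. The following is an added illustration written for this page, not code from cryptopass or from the reviewer: `copy_bounded_by_source` is a hypothetical reconstruction of the flagged pattern, `copy_bounded_by_dest` is a hardened replacement that bounds by the destination and reports truncation, and `parse_password_length` shows that a numeric argument such as a password length is better parsed and range-checked than copied into a fixed buffer at all. All function names, the 4096 limit and the sample inputs are assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reconstruction of the flagged pattern: the caller passes
 * strlen(src) as the bound, so the copy size is governed by untrusted input
 * rather than by the destination's capacity, and strncpy writes no NUL when
 * the bound equals the number of characters copied. */
static void copy_bounded_by_source(char *dst, const char *src, size_t src_len)
{
    strncpy(dst, src, src_len);  /* bound depends on the source length */
}

/* Shows the quieter half of the problem even when the bytes happen to fit:
 * returns 1 if dst was left without a terminator. Constructed input. */
static int source_bound_leaves_unterminated(void)
{
    char dst[9];
    const char *src = "abcdefgh";          /* 8 chars fill dst[0..7] */
    memset(dst, 'X', sizeof dst);          /* sentinel in dst[8] */
    copy_bounded_by_source(dst, src, strlen(src));
    return dst[8] != '\0';                 /* sentinel survives: no NUL written */
}

/* Hardened form: the bound is the destination size, the result is always
 * NUL-terminated, and truncation is reported instead of happening silently. */
typedef enum { COPY_OK = 0, COPY_TRUNCATED = 1, COPY_BAD_ARGS = 2 } copy_status;

static copy_status copy_bounded_by_dest(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;

    if (dst == NULL || src == NULL || dst_size == 0)
        return COPY_BAD_ARGS;

    /* Bounded length scan: never reads more than dst_size bytes of src. */
    while (len < dst_size && src[len] != '\0')
        len++;

    if (len == dst_size) {                 /* src does not fit with its NUL */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return COPY_TRUNCATED;
    }
    memcpy(dst, src, len + 1);             /* copies the terminator too */
    return COPY_OK;
}

/* A length argument does not need to live in a string buffer at all:
 * parse it, reject garbage, and clamp to a sane range (4096 is an assumed
 * limit for this example). Returns 0 on success, -1 on rejection. */
#define MAX_PASSWORD_LEN 4096UL

static int parse_password_length(const char *arg, unsigned long *out)
{
    char *end = NULL;
    unsigned long v;

    if (arg == NULL || *arg == '\0' || *arg == '-')
        return -1;
    errno = 0;
    v = strtoul(arg, &end, 10);
    if (errno != 0 || end == arg || *end != '\0')
        return -1;                         /* overflow or trailing junk */
    if (v == 0 || v > MAX_PASSWORD_LEN)
        return -1;
    *out = v;
    return 0;
}

int main(void)
{
    char buf[8];
    unsigned long n = 0;

    printf("source-bounded copy left buffer unterminated: %d\n",
           source_bound_leaves_unterminated());
    printf("dest-bounded copy of \"hello\": status %d, buf=\"%s\"\n",
           copy_bounded_by_dest(buf, sizeof buf, "hello"), buf);
    printf("dest-bounded copy of a long string: status %d, buf=\"%s\"\n",
           copy_bounded_by_dest(buf, sizeof buf, "this is too long"), buf);
    printf("parse \"16\": %d (n=%lu)\n", parse_password_length("16", &n), n);
    printf("parse \"16x\": %d\n", parse_password_length("16x", &n));
    return 0;
}
```

The design point is that the safe copy's bound is a property of the destination, which the program owns, whereas `strlen(argv[3])` is a property of whatever the user typed; once that is the case, neither the compiler's fortified `strncpy` check nor a reader of the code can establish that the write stays inside the buffer.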