Hi, Helmut! It's me again.
Almost all notices you mentioned below are fixed. At least, now we have
manpages. :-)
But I have some difficulties with hardening.
I can clearly see that all required flags get used during the build
process, for example:

    cc -D_FORTIFY_SOURCE=2 -DUDPXREC_MOD -DNDEBUG -DTRACE_MODULE -c udpxy.c -o udpxy.o
    cc -D_FORTIFY_SOURCE=2 -DUDPXREC_MOD -DNDEBUG -DTRACE_MODULE -c sloop.c -o sloop.o

for compiling, and

    cc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wl,-z,relro -DUDPXREC_MOD -DNDEBUG -DTRACE_MODULE -o udpxy udpxy.o sloop.o rparse.o util.o prbuf.o ifaddr.o ctx.o mkpg.o rtp.o uopt.o dpkt.o netop.o extrn.o main.o udpxrec.o

for linking. But lintian says "udpxy: hardening-no-fortify-functions
usr/bin/udpxrec".
Can it be a false positive?

Helmut Grohne wrote 2012-10-26 02:57:
On Fri, Sep 14, 2012 at 09:22:46PM +1100, Alex 'AdUser' Z wrote:
The WNPP request is here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687543
The package was uploaded just now:
https://mentors.debian.net/package/udpxy

So I had a look at your package version 1.0.23-1 as found on
mentors.debian.net. So here are some notes.

The long description of your package looks suspiciously short. This is
not a problem, if it says all that needs to be said. However some bits
are missing. Please try to answer the following questions inside the
long description:
1) What are example use cases?
2) Does a client to this proxy need special capabilities?
3) Do multicast streams have to be configured with the daemon or can
   they be configured from the client?

Your copyright file mentions the location of the GPL-2, why don't you
mention the location of the GPL-3 as well?

You don't mention your full name and especially don't do so in the
copyright file. In some jurisdictions attributions to pseudonyms are
allowed, but they are not without problems. I cannot tell whether the
Debian project can redistribute your packaging as is. In addition the
Debian community has a history of using real names. Not mentioning yours
will make finding a sponsor harder.

Your destdir patch solves the issue for Debian, but it would be nicer,
if it would add $PREFIX as well. Then you can prod upstream to include
the patch and drop it yourself.

Why do you patch in a distclean target? dh_auto_clean should be able to
figure out that it does not exist and use clean instead. Please explain
why this does not work in the patch header.

A watch file seems missing. Since the project is hosted at sourceforge
adding one should be easy.

The documentation shipped with the package seems to be lacking as well.
A manual page seems completely absent. Could you write one?

The daemon is interfacing with the network. As such wheezy's hardening
release goal is applicable here (even though the package will not be
part of wheezy). Getting hardening working is a bit of work. You'll
probably have to patch more of the Makefile.

It seems like your package provides an architecture independent
interface (i.e. command line and network) to other packages. As such you
could probably be adding a Multi-Arch: foreign header.

I'd say the most important steps are adding documentation and getting
the hardening running. Once these issues are solved the package seems
like a good addition, because it solves a task no other package solves
yet. Thanks for your work.

Helmut
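
An added example, not part of the original messages: a small build-log audit for the situation described above, where the quoted compile commands carry -D_FORTIFY_SOURCE=2 but no -O option, while -O2 and -fstack-protector appear only on the link command. It relies on the fact that glibc's _FORTIFY_SOURCE only takes effect when the file is compiled with optimization; the function names and the third log line are hypothetical and constructed for illustration.

```python
import shlex

COMPILERS = {"cc", "gcc", "clang"}

# Constructed sample: the first two lines have the shape of the commands quoted
# in the message (shortened), the third is a correctly hardened compile step.
BUILD_LOG = """\
cc -D_FORTIFY_SOURCE=2 -DUDPXREC_MOD -DNDEBUG -DTRACE_MODULE -c udpxy.c -o udpxy.o
cc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wl,-z,relro -o udpxy udpxy.o sloop.o
cc -g -O2 -fstack-protector -D_FORTIFY_SOURCE=2 -c rtp.c -o rtp.o
"""

def audit_compile(cmd):
    """Return hardening problems for one compile command ([] for link steps)."""
    argv = shlex.split(cmd)
    if not argv or argv[0] not in COMPILERS or "-c" not in argv:
        return []  # only compile steps are checked; flags at link time come too late
    opt, fortify, ssp = "0", 0, False
    for arg in argv[1:]:
        if arg.startswith("-O"):
            opt = arg[2:] or "1"  # the last -O option wins; bare -O means -O1
        elif arg.startswith("-D_FORTIFY_SOURCE"):
            value = arg.partition("=")[2]
            fortify = int(value) if value.isdigit() else 1
        elif arg == "-U_FORTIFY_SOURCE":
            fortify = 0
        elif arg.startswith("-fstack-protector"):
            ssp = True
        elif arg == "-fno-stack-protector":
            ssp = False
    problems = []
    if fortify == 0:
        problems.append("no-fortify-source")
    elif opt == "0":
        # The macro is defined, but without optimization no call is fortified.
        problems.append("fortify-without-optimization")
    if not ssp:
        problems.append("no-stack-protector")
    return problems

def audit_log(text):
    """Map each source file to its problems, for compile steps that have any."""
    findings = {}
    for line in text.splitlines():
        problems = audit_compile(line)
        if problems:
            source = next(a for a in shlex.split(line) if a.endswith(".c"))
            findings[source] = problems
    return findings

if __name__ == "__main__":
    for source, problems in audit_log(BUILD_LOG).items():
        print(source, ", ".join(problems))
```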