On Tue, Nov 25, 2014 at 10:41 PM, Markus Schade wrote:

> http://mentors.debian.net/debian/pool/main/y/yadifa/yadifa_2.0.0-1.dsc
I don't intend to sponsor this but here is a quick review...

> I have been able to establish contact with upstream and while the
> website may not be updated frequently the next release (2.1.0) is
> scheduled at the beginning of 2015.

Have they integrated your patches and systemd support upstream?

Have you asked them to sign their releases with OpenPGP? The comment
in debian/source/lintian-overrides doesn't make it clear. I don't
think it is a good idea to override the lintian complaint unless they
specifically rejected doing that.

I note that upstream doesn't appear to have a public version control
repository; have you asked them about that?

I noticed you added a systemd service file. The most recent Misc
Developer News included a section about improving security of
services under systemd; you might want to take a look at the talk
mentioned in it and the associated documentation (the systemd.exec
manual page).

https://lists.debian.org/debian-devel-announce/2014/11/msg00015.html

I don't think there is any need to guard use of invoke-rc.d with
pidof in your maintainer scripts. I would recommend using the standard
things generated by dh_installinit.

I believe that Debian discourages removal of system users on purge.

I suggest using _yadifa as the system username to avoid conflict with
real users. Another alternative might be Debian-yadifa.

I suggest switching to debian/compat 9; then you won't need the
buildflags stuff in debian/rules since dh will do it for you.

Please rebuild the build system during package build by
build-depending on dh-autoreconf instead of autotools-dev and using
dh --with autoreconf instead of dh --with autotools-dev.

Please ask upstream to change the libraries from static to shared;
static libraries mean more work for Debian in identifying things that
need rebuilding etc.

You might want to run wrap-and-sort -sa to make diffs of debian/ more
readable when doing things like adding dependencies.
There appears to be a tmpfile vulnerability in
lib/dnscore/src/server-setup.c when the code is compiled with DEBUG
set. This is a minor issue but I would suggest it should be fixed
nevertheless.

Given the cppcheck output below you might want to run a fuzzer like
zzuf to ensure there are no lurking vulnerabilities.

Automated checks:

https://wiki.debian.org/HowToPackageForDebian#Check_points_for_any_package
https://anonscm.debian.org/cgit/collab-maint/check-all-the-things.git

$ cme check dpkg
...
Warning in 'control binary:yadifa Depends:5' value 'lsb-base (>= 3.2-14)': unnecessary versioned dependency: lsb-base >= 3.2-14. Debian has squeeze -> 3.2-23.2squeeze1; wheezy -> 4.1+Debian8+deb7u1; jessie -> 4.1+Debian13+nmu1; sid -> 4.1+Debian13+nmu1;
checking data
Warning in 'patches:"fix-yadifa-manpage.patch" Synopsis' value <undef>: Empty synopsis (code is: 'defined $_ && /\w/ ? 1 : 0 ;')
Warning in 'patches:"fix-yadifad-manpage.patch" Synopsis' value <undef>: Empty synopsis (code is: 'defined $_ && /\w/ ? 1 : 0 ;')
Warning in 'patches:"fix-yadifad.conf-manpage-whatis.patch" Synopsis' value <undef>: Empty synopsis (code is: 'defined $_ && /\w/ ? 1 : 0 ;')
...

$ codespell --quiet-level=3
<logs of misspellings>

$ cppcheck -j1 --quiet -f .
[bin/yadifa/query-result.c:89]: (error) syntax error
[lib/dnscore/src/dnscore.c:134]: (error) Possible null pointer dereference: msg
[lib/dnscore/src/dnscore.c:135]: (error) Possible null pointer dereference: msg
[lib/dnscore/src/logger_channel_syslog.c:101]: (error) Buffer is accessed out of bounds.
[lib/dnscore/src/logger_channel_syslog.c:122]: (error) Buffer is accessed out of bounds.

$ find -type f \( -iname '*.c' -o -iname '*.cc' -o -iname '*.cxx' -o -iname '*.cpp' -o -iname '*.h' -o -iname '*.hh' -o -iname '*.hxx' -o -iname '*.hpp' \) -exec include-what-you-use {} \;
<lots of warnings>

$ uscan --report-status
Processing watchfile line for package yadifa...
Newest version on remote site is 1.0.3, local version is 2.0.0
yadifa: remote site does not even have current version

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Archive: https://lists.debian.org/caktje6h2rj0ssozu1o_hkqognyhzmedjrcey9x-vo6trzrw...@mail.gmail.com
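Added example, appended by the editor and not part of the message above nor of the yadifa package or upstream: what the systemd.exec(5) hardening the review points at looks like for a DNS daemon. The first unit is the kind of minimal service file a first packaging attempt ships; the second applies directives that exist in the systemd shipped with jessie (215). The /usr/sbin/yadifad path, the /var/lib/yadifa and /var/log/yadifa directories, the _yadifa user and the assumption that yadifad itself drops to the uid/gid named in its configuration after binding port 53 are illustrative assumptions, not taken from the package.

```ini
# yadifad.service (before): nothing restricts the daemon beyond what the
# binary does for itself.  A bug in the server runs with full root.
[Unit]
Description=YADIFA DNS server
After=network.target

[Service]
ExecStart=/usr/sbin/yadifad
Restart=on-failure

[Install]
WantedBy=multi-user.target


# yadifad.service (after): same daemon, confined with systemd.exec(5)
# directives.  Everything below is an assumed layout for illustration.
[Unit]
Description=YADIFA DNS server
Documentation=man:yadifad(8) man:yadifad.conf(5)
After=network.target

[Service]
ExecStart=/usr/sbin/yadifad
# Root is needed only to bind port 53 and to switch to the _yadifa
# uid/gid (assumed to be configured in yadifad.conf).  The bounding set
# removes every other capability, so a compromised process cannot
# regain them, and without CAP_SYS_ADMIN it cannot undo the namespaces
# set up below.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_SYS_CHROOT
# After dropping to _yadifa the process must not be able to pick up
# privileges again through setuid or file-capability binaries.
NoNewPrivileges=yes
# Private /tmp: a predictable temporary file name inside the daemon can no
# longer be reached by another local user planting a symlink in the shared
# /tmp.  This contains a tmpfile race; it does not fix the code.
PrivateTmp=yes
# /usr, /boot and /etc become read-only for the service; /var stays
# writable for zone data and logs.  Home directories are hidden.
ProtectSystem=full
ProtectHome=yes
# A DNS server needs IPv4/IPv6 sockets, a local control socket and, for
# interface enumeration via getifaddrs(3), netlink.  Everything else is
# refused by seccomp at socket(2).
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
Restart=on-failure

[Install]
WantedBy=multi-user.target
```

Check the unit with `systemd-analyze verify yadifad.service` before installing it, then confirm with `systemctl status` that the daemon is actually running as _yadifa; if it is not, the confinement above only limits root, which is much weaker. If the package prefers to start the daemon unprivileged with `User=_yadifa` instead, an unprivileged process cannot bind port 53 on its own: from systemd 229 on `AmbientCapabilities=CAP_NET_BIND_SERVICE` hands it that single capability, and on jessie the alternative is a file capability on the binary (`setcap cap_net_bind_service=+ep`), which the packaging then has to maintain.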