Bug#766982: RFS: plowshare4/1.0.6-1

2015-01-21 Thread Carl Suster
Thanks very much Eriberto!

Is it better if I send new versions to the mentors list or to you
directly? I wasn't quite sure how it works.

I'll have the new version packaged soon.


Cheers,
Carl





Bug#766982: RFS: plowshare4/1.0.6-1

2015-01-17 Thread Carl Suster
Dear mentors,

In the time that this request has been sitting here there have been two
new upstream versions released. Since this tool depends on many external
(website) APIs which are constantly in flux, it needs to be updated
relatively often to keep pace.

Is it best if I package these one version at a time keeping each diff
minimal for easier review? Or should I just jump directly to the latest
version and abandon the present request?

It seems that my previous sponsor is still away from this list, so in
the meantime if anyone else would consider sponsoring my package I would
be very grateful.


Cheers,
Carl


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#766982: RFS: plowshare4/1.0.6-1

2014-12-06 Thread Carl Suster
Control: tags -1 -pending

Hi Eriberto,

I've addressed some of the feedback from Paul above in a new upload to mentors. 
I will address the remainder when I work on packaging the next upstream 
release, since none of the suggested changes are pressing.

Could you please consider uploading my package to experimental?


plowshare4 (1.0.6-1) experimental; urgency=medium

  * New upstream release.
  * Bump Standards-Version to 3.9.6, no changes.
  * Point Vcs-Git field to the correct branch.
  * Improve the derivation of the version string from git.
  * Update list of supported modules.
  * Remove Depends: bash (bash =4.1 is present and essential in debian).
  * Add watch file using fakeupstream.cgi script.
  * spelling_comments.patch: corrects typos in comments
  * spelling_helpfull_flag.patch: corrects typo in CLI option.
  * utf8.patch: repairs an encoding issue.
  * Add upstream metadata.


Cheers,
Carl





Bug#766982: RFS: plowshare4/1.0.6-1

2014-10-27 Thread Carl Suster
Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package plowshare4

  Package name : plowshare4
  Version : 1.0.6-1
  Upstream Author : Matthieu Crapet mcra...@gmail.com
  URL : https://code.google.com/p/plowshare/
  Licence : GPL-3+
  Section : web

It builds those binary packages:

  plowshare4 - Download and upload files from file sharing websites

To access further information about this package, please visit the
following URL:

  http://mentors.debian.net/package/plowshare4

Alternatively, one can download the package with dget using this command:

  dget -x http://mentors.debian.net/debian/pool/main/p/plowshare4/plowshare4_1.0.6-1.dsc

Changes since the last upload:

  * New upstream release.
  * Bump Standards-Version to 3.9.6, no changes.
  * Point Vcs-Git field to the correct branch.
  * Improve the derivation of the version string from git.
  * Update list of supported modules.

Regards,
Carl Suster


Bug#766982: RFS: plowshare4/1.0.6-1

2014-10-27 Thread Paul Wise
On Mon, Oct 27, 2014 at 7:45 PM, Carl Suster wrote:

> I am looking for a sponsor for my package plowshare4

I don't intend to sponsor this but here is a review.

This looks like the only thing that would block the upload:

Some of the copyright holders are missing from debian/copyright.

These things would be nice to fix:

Whoa that is a lot of shell. shellcheck says it is probably
buggy/insecure shell too. Personally Python seems a better choice for
writing this sort of software but I guess upstream wouldn't want to
rewrite everything...

Upstream might want to switch from their homebrew version stuff to autorevision:

https://packages.debian.org/sid/autorevision

Is there any reason for not using the upstream `make install` target?
It seems to be very much correct. The only issue might be the git
version stuff but you can override that with GIT_VERSION until
upstream switches to autorevision (or if they do not want to).

I would suggest running `wrap-and-sort -sa` so that diffs of the
source package are easier to read.

The README, plowup manual page and Makefile make use of /tmp in various
examples. Using /tmp can cause vulnerabilities on multi-user systems
or systems where an attacker has a shell and is looking to escalate
that access. It would be better for the examples to use a path in the
home directory using ~/ or $HOME depending on the example.

Upstream has some tests but the build does not run them. Is that
because they require network to work? Network can't be used on the
buildds but you could run them using DEP-8:

http://dep.debian.net/deps/dep8/
http://ci.debian.net/

You might want to add some upstream metadata:

https://wiki.debian.org/UpstreamMetadata

You might want to add a watch file:

https://wiki.debian.org/debian/watch
https://qa.debian.org/cgi-bin/fakeupstream.cgi?upstream=vcs/git/google/plowshare

You might want to add some debtags:

http://debtags.debian.net/edit/plowshare4

You might want to add some screenshots of typical usage:

https://screenshots.debian.net/upload/plowshare4

Automated checks:

https://wiki.debian.org/HowToPackageForDebian#Check_points_for_any_package
https://anonscm.debian.org/cgit/collab-maint/check-all-the-things.git

$ lintian
I: plowshare4 source: debian-watch-file-is-missing
P: plowshare4: no-upstream-changelog

$ cme check dpkg
...
Warning in 'control binary:plowshare4 Depends:0' value 'bash (=4.1)':
unnecessary versioned dependency: bash = 4.1. Debian has squeeze -
4.1-3; squeeze-lts - 4.1-3+deb6u2; wheezy-security -
4.2+dfsg-0.1+deb7u3; wheezy - 4.2+dfsg-0.1+deb7u3; jessie - 4.3-11;
sid - 4.3-11;
Cannot find license text for BSD-3-clause
...

$ codespell --quiet-level=3
./src/probe.sh:25: HELPFULL  == HELPFUL
./src/probe.sh:279: HELPFULL  == HELPFUL
./src/download.sh:25: HELPFULL  == HELPFUL
./src/download.sh:758: HELPFULL  == HELPFUL
./src/download.sh:865: sucessive  == successive
./src/list.sh:25: HELPFULL  == HELPFUL
./src/list.sh:182: HELPFULL  == HELPFUL
./src/core.sh:2547: existance  == existence
./src/delete.sh:25: HELPFULL  == HELPFUL
./src/delete.sh:97: HELPFULL  == HELPFUL
./src/upload.sh:25: HELPFULL  == HELPFUL
./src/upload.sh:261: HELPFULL  == HELPFUL
./src/modules/freakshare.sh:136: cant  == can't
./src/modules/ryushare.sh:87: adminstrator  == administrator
./src/modules/ge_tt.sh:194: recieve  == receive
./src/modules/nowdownload_co.sh:215: transfered  == transferred
./src/modules/nowdownload_co.sh:216: transfered  == transferred
./src/modules/hipfile.sh:360: successfull  == successful
./src/modules/sendspace.sh:178: folowing  == following
./src/modules/filemonkey.sh:94: occured  == occurred
./src/modules/bitshare.sh:98: cant  == can't

$ perlcritic -1 .
lots of stuff

$ find -type f -iname '*.sh' -exec shellcheck {} +
lots of stuff

$ find -type f | xargs isutf8
./src/modules/dl_free_fr.sh: line 71, char 1, byte offset 29: invalid UTF-8 code

$ egrep -ri 'fixme|todo' .
lots of stuff

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
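
The /tmp point from the review above, as an added example that is not part of the thread or of plowshare: it lists hard-coded /tmp paths in documentation, refuses a write target that is a symlink or owned by someone else, and creates a private scratch directory instead. The function names, the `plowdemo` prefix and the sample text are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; not code from plowshare or from this thread.
# Function names and the "plowdemo" prefix are hypothetical.

# Print file:line:text for every hard-coded path directly under /tmp.
# The character class skips ~/tmp/, $HOME/tmp/ and /var/tmp/ style paths.
# /dev/null is passed so grep always prints the file name.
find_tmp_paths() {
    grep -nE '(^|[^[:alnum:]_$~/}])/tmp/' "$@" /dev/null
}

# Create a scratch directory with an unpredictable name and mode 0700
# under the given base (default: $HOME) and print its path.
make_private_dir() {
    mktemp -d "${1:-$HOME}/plowdemo.XXXXXXXX"
}

# Succeed only if the path is safe to write to: not a symlink, and either
# absent or owned by the current user. A fixed name in /tmp can fail this
# because another local user may have created it first.
is_safe_target() {
    [ ! -L "$1" ] && { [ ! -e "$1" ] || [ -O "$1" ]; }
}

# Demo on constructed input.
demo_dir=$(mktemp -d)
cat > "$demo_dir/README.sample" <<'EOF'
cd /tmp/downloads
cd ~/downloads
export TMPDIR=/tmp/plowshare
EOF
echo "Hard-coded /tmp paths:"
find_tmp_paths "$demo_dir/README.sample" || echo "(none)"

ln -s /nonexistent "$demo_dir/planted"   # stands in for a pre-created link
if is_safe_target "$demo_dir/planted"; then
    echo "planted: ok"
else
    echo "planted: refused"
fi

work=$(make_private_dir "$demo_dir")
ls -ld "$work"
rm -rf "$demo_dir"
```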





Bug#766982: RFS: plowshare4/1.0.6-1

2014-10-27 Thread Dominique Dumont
On Monday 27 October 2014 23:26:10 Paul Wise wrote:
> Cannot find license text for BSD-3-clause

Bummer. That's a message coming from Software::License which cannot find 
license text in the system. Software::License does not scan debian/copyright.

This message is irrelevant and must be confusing for other users. I will fix 
this. Although I don't know whether I should upload this change due to the 
upcoming freeze.

All the best

-- 
 https://github.com/dod38fr/   -o- http://search.cpan.org/~ddumont/
http://ddumont.wordpress.com/  -o-   irc: dod at irc.debian.org





Bug#766982: RFS: plowshare4/1.0.6-1

2014-10-27 Thread Carl Suster
Control: tags -1 + pending

Hi Paul,

Thanks very much for the thorough review.


> This looks like the only thing that would block the upload:
>
> Some of the copyright holders are missing from debian/copyright.

I'm not sure what you're referring to here - `licensecheck --copyright` and 
grep both seem to agree with the information in d/copyright with only two 
differences: (1) I changed the aliases in the copyright headers to the 
contributors' full names from the vcs and (2) the year range for the copyrights 
attributed to Plowshare Team vary somewhat between headers where upstream 
hasn't updated those files in a while. Everyone seems to be attributed though 
as far as I can tell.


> Whoa that is a lot of shell. shellcheck says it is probably
> buggy/insecure shell too. Personally Python seems a better choice for
> writing this sort of software but I guess upstream wouldn't want to
> rewrite everything...

Yeah, the 4 in plowshare4 refers to a rewrite based on bash 4 that happened not 
too long ago. They're unlikely to want to rewrite the whole thing for the 
moment but it may happen in the future, I suppose.


> Upstream might want to switch from their homebrew version stuff to
> autorevision:
>
> https://packages.debian.org/sid/autorevision
>
> Is there any reason for not using the upstream `make install` target?
> It seems to be very much correct. The only issue might be the git
> version stuff but you can override that with GIT_VERSION until
> upstream switches to autorevision (or if they do not want to).

Thanks, I didn't know about autorevision so I'll have a go with it and talk to 
upstream. I had problems getting the upstream makefile to pick up the correct 
version string from the vcs and eventually found it much simpler to use d/rules 
overrides instead. I'll see if upstream is willing to accept some changes to 
tidy up the makefile so that I can use it in the package unchanged.


> I would suggest running `wrap-and-sort -sa` so that diffs of the
> source package are easier to read.

I had used wrap-and-sort but without the -sa. I'll change that.


> The README, plowup manual page and Makefile make use of /tmp in various
> examples. Using /tmp can cause vulnerabilities on multi-user systems
> or systems where an attacker has a shell and is looking to escalate
> that access. It would be better for the examples to use a path in the
> home directory using ~/ or $HOME depending on the example.

Thanks, I'll add a patch and forward it upstream.


> Upstream has some tests but the build does not run them. Is that
> because they require network to work? Network can't be used on the
> buildds but you could run them using DEP-8:
>
> http://dep.debian.net/deps/dep8/
> http://ci.debian.net/

The tests as far as I can see are intended to check for changes in the APIs of 
the various file hosts rather than to test if the code has installed properly. 
It seems like more of a developers' diagnostic than something which should be 
run automatically so I didn't include it.


> You might want to add some upstream metadata:
>
> https://wiki.debian.org/UpstreamMetadata

Thanks, I'll look into this.

 
> You might want to add a watch file:
>
> https://wiki.debian.org/debian/watch
> https://qa.debian.org/cgi-bin/fakeupstream.cgi?upstream=vcs/git/google/plowshare

Thanks! I tried for ages to get uscan to interact properly with googlecode but 
it didn't play nicely since the version information was only in the vcs tags. I 
didn't know about this fakeupstream.cgi so it should be easy now.


> You might want to add some debtags:
>
> http://debtags.debian.net/edit/plowshare4

Done.


> You might want to add some screenshots of typical usage:
>
> https://screenshots.debian.net/upload/plowshare4

I didn't realise that this was relevant to CLI applications. I'll add a 
screenshot.


> P: plowshare4: no-upstream-changelog

I wasn't sure what to do about this, and my previous sponsor said to ignore it. 
Upstream has a wiki page summarising significant changes 
(https://code.google.com/p/plowshare/wiki/PlowshareChanges) but that's 
currently sorted by month rather than version and not contained in the source 
at all. Should I maintain a separate upstream changelog even though they don't 
include one? Or just try and ask upstream to add it to the source?


> $ cme check dpkg
> ...
> Warning in 'control binary:plowshare4 Depends:0' value 'bash (=4.1)':
> unnecessary versioned dependency: bash = 4.1. Debian has squeeze -
> 4.1-3; squeeze-lts - 4.1-3+deb6u2; wheezy-security -
> 4.2+dfsg-0.1+deb7u3; wheezy - 4.2+dfsg-0.1+deb7u3; jessie - 4.3-11;
> sid - 4.3-11;

Done. 


> $ codespell --quiet-level=3
> ./src/probe.sh:25: HELPFULL  == HELPFUL
> ./src/probe.sh:279: HELPFULL  == HELPFUL
> ./src/download.sh:25: HELPFULL  == HELPFUL
> ./src/download.sh:758: HELPFULL  == HELPFUL
> ./src/download.sh:865: sucessive  == successive
> ./src/list.sh:25: HELPFULL  == HELPFUL
> ./src/list.sh:182: HELPFULL  == HELPFUL
> ./src/core.sh:2547: existance  == existence
> ./src/delete.sh:25: HELPFULL  

Bug#766982: RFS: plowshare4/1.0.6-1

2014-10-27 Thread Paul Wise
On Tue, 2014-10-28 at 14:01 +1100, Carl Suster wrote:

> I'm not sure what you're referring to here - `licensecheck
> --copyright` and grep both seem to agree with the information in
> d/copyright with only two differences: (1) I changed the aliases in
> the copyright headers to the contributors' full names from the vcs 

I guess (1) is what I was seeing. In that case plowshare4 is probably
ready for upload, I would encourage your previous sponsor (CCed) to
upload the package.

Since we are now less than 10 days until the freeze, your upload should
be targeted at experimental not unstable. Once jessie is released then
you can get it uploaded to unstable again.

> The tests as far as I can see are intended to check for changes in the
> APIs of the various file hosts rather than to test if the code has
> installed properly. It seems like more of a developers' diagnostic
> than something which should be run automatically so I didn't include
> it.

Those are exactly the kind of tests one would want to run with DEP-8 for
packages that interface with Internet services.

> > You might want to add some debtags:
> >
> > http://debtags.debian.net/edit/plowshare4
>
> Done.

I'd suggest going through the all tags section and adding anything
appropriate. For example use::downloading seems appropriate.

> I didn't realise that this was relevant to CLI applications. I'll add
> a screenshot.

Anything with a human-facing interface is relevant to screenshots.d.n.

> > P: plowshare4: no-upstream-changelog
>
> I wasn't sure what to do about this, and my previous sponsor said to
> ignore it. Upstream has a wiki page summarising significant changes
> (https://code.google.com/p/plowshare/wiki/PlowshareChanges) but that's
> currently sorted by month rather than version and not contained in the
> source at all. Should I maintain a separate upstream changelog even
> though they don't include one? Or just try and ask upstream to add it
> to the source?

Fair enough if you prefer to ignore it, other options:

Convince upstream to add a NEWS file containing releases and the
user-visible changes in each of them.

https://www.gnu.org/prep/standards/html_node/NEWS-File.html#NEWS-File

Convert the git history to a ChangeLog file using git2cl or git log.

https://www.gnu.org/prep/standards/html_node/Change-Logs.html#Change-Logs
https://packages.debian.org/sid/git2cl

> Thanks for pointing me to this tool. I'll prepare and forward a patch.

codespell can auto-fix spelling errors BTW (-w/--write-changes).

> I'm not sure that this check is relevant since all of the output is
> about perl and this project is pure bash shell script.

Hmm, true. That would seem to be a bug in perlcritic, it shouldn't
assume that the tests/*.t files are perl tests. Not sure if there is a
way to fix this though.

> I'll check through this output, but there is the fact that these shell
> scripts depend on bash behaviour rather than POSIX shell so perhaps
> much of this is not relevant or overly defensive.

I believe shellcheck understands that there are different variants of
the shell language, at least the upstream website has some things that
are bash-only syntax that it checks for.

> Is this necessarily an issue? The project is being actively developed
> and these are just notes that will be addressed in the future but are
> not critical for the time being.

Not necessarily but it would be good to review them to make sure that
none are indicative of serious issues.

> I'll address all of these points properly in the package in the coming
> days when I get a chance. Thanks again for your review.

Great, no worries.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise


