Modified tarballs [was: Re: RFS: minidlna (updated package and FTBFS fix)]
On Fri, Jul 22, 2011 at 09:03:07PM -0300, Fernando Lemos wrote: Hi, Just to clarify, I find it concerning that we might be accepting source uploads that don't come straight from upstream and don't match what was released upstream. I'm relieved to hear that there is a way to ensure in your specific case that the source is the same as shipped upstream. I wish this was a requirement for new packages entering Debian. We do it all the time. Just 'dpkg -l|grep dfsg' on your local system and you should find plenty of those modified source tarballs. What I, as an uploader, do in such cases is a diff between the upstream provided tarball and what's in the dfsg orig.tar.gz. You can get a rough overview with diffstat and then review suspicious additions in more detail. Sven -- And I don't know much, but I do know this: With a golden heart comes a rebel fist. [ Streetlight Manifesto - Here's To Life ] -- To UNSUBSCRIBE, email to debian-mentors-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20110723074614.GA2371@marvin
Re: RFS: minidlna (updated package and FTBFS fix)
Hi Benoît, On Sat, Jul 23, 2011 at 01:39:11AM +0200, Benoît Knecht wrote: Kilian Krause wrote: On Fri, Jul 22, 2011 at 12:36:51PM +0200, Benoît Knecht wrote: I am looking for a sponsor for the new version 1.0.21+dfsg-1 of my package minidlna. - dget http://mentors.debian.net/debian/pool/main/m/minidlna/minidlna_1.0.21+dfsg-1.dsc 1. Your upoad uses a tarball that's not identical to upstream's one. Please consider adding a get-orig-tarball target to debian/rules to verify what steps are required to generate it. Yes, that's what the +dfsg in the upstream version is all about; I've replaced the icons.c file, which contained binary blobs of possibly unfree images. I've included a script to generate it, but not a get-orig-source yet, as I'm not sure how to achieve the this target may be invoked in any directory part of the policy. Any advices welcome. I'd either put a dh_testdir check in place if you don't want to make sure you can pull in the new file with `dirname $0` or just use the latter to make sure you refrence the same directory your rules file is in and build the new tarball in /tmp and then move it to the current working directory as per Debian Policy. 2. The 1.0.20+dfsg-2 never made it into Debian. Changes generated accordingly. Please double check next time. I'm not sure what you mean. I did some changes before 1.0.21 was released and checked them into git; the next version came before I had a chance to submit that one, so I added a new changelog entry and recorded further changes there. I actually prefer this to merging the changelog entries together, but maybe I should have tagged the previous version as UNRELEASED. Yes, that would have been better. You had put up a version on mentors.d.n which had a 1.0.20+dfsg-2 entry labelled as if it was uploaded to unstable yet the dak doesn't show any such version ever made it. Thus I've made it a cumulative upload with dpkg-buildpackage -v1.0.20+dfsg-1 covering both entries as opposed to only the newest one which would be the default. 3. Your patches don't use DEP-3 headers. It would be nice to have them to see which of those have already been pushed upstream etc.. I'll consider it, but right now I'm using the format generated by git-format-patch, which I find quite convenient. As said, there's nothing wrong with what you have. No offense intended. It was just a remark that there's DEP-3 out there and may come in handy but if you already use git-format-patch that's fine, too! -- Best regards, Kilian signature.asc Description: Digital signature
Re: Modified tarballs [was: Re: RFS: minidlna (updated package and FTBFS fix)]
On Sat, Jul 23, 2011 at 9:46 AM, Sven Hoexter s...@timegate.de wrote: We do it all the time. Just 'dpkg -l|grep dfsg' on your local system and you should find plenty of those modified source tarballs. What I, as an uploader, do in such cases is a diff between the upstream provided tarball and what's in the dfsg orig.tar.gz. You can get a rough overview with diffstat and then review suspicious additions in more detail. Best practice for modified tarballs is to write a debian/rules get-orig-source target that downloads the upstream tarball and removes anything that needs to be removed. IIRC this is documented either in policy or devref. -- bye, pabs http://wiki.debian.org/PaulWise -- To UNSUBSCRIBE, email to debian-mentors-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/caktje6f1mlrfda_ayqihxuytynwhdrjuae0vxui+fxyv_bd...@mail.gmail.com
Re: RFS: minidlna (updated package and FTBFS fix)
Salut Benoît, On Fri, Jul 22, 2011 at 12:36:51PM +0200, Benoît Knecht wrote: I am looking for a sponsor for the new version 1.0.21+dfsg-1 of my package minidlna. - dget http://mentors.debian.net/debian/pool/main/m/minidlna/minidlna_1.0.21+dfsg-1.dsc 1. Your upoad uses a tarball that's not identical to upstream's one. Please consider adding a get-orig-tarball target to debian/rules to verify what steps are required to generate it. 2. The 1.0.20+dfsg-2 never made it into Debian. Changes generated accordingly. Please double check next time. 3. Your patches don't use DEP-3 headers. It would be nice to have them to see which of those have already been pushed upstream etc.. Anyway, built, signed, uploaded. Thanks! -- Best regards, Kilian signature.asc Description: Digital signature
Re: RFS: minidlna (updated package and FTBFS fix)
Hi, On Fri, Jul 22, 2011 at 11:16:54PM +0200, Kilian Krause wrote: 1. Your upoad uses a tarball that's not identical to upstream's one. Please consider adding a get-orig-tarball target to debian/rules to verify what steps are required to generate it. ..that would be get-orig-source of course... -- Best regards, Kilian signature.asc Description: Digital signature
Re: RFS: minidlna (updated package and FTBFS fix)
2011/7/22 Kilian Krause kil...@debian.org: On Fri, Jul 22, 2011 at 12:36:51PM +0200, Benoît Knecht wrote: I am looking for a sponsor for the new version 1.0.21+dfsg-1 of my package minidlna. - dget http://mentors.debian.net/debian/pool/main/m/minidlna/minidlna_1.0.21+dfsg-1.dsc 1. Your upoad uses a tarball that's not identical to upstream's one. Please consider adding a get-orig-tarball target to debian/rules to verify what steps are required to generate it. Please take no offense, Benoît. But in such a case, Kilian, can you be sure the source hasn't been tampered with? I'd feel rather unconfortable otherwise. -- To UNSUBSCRIBE, email to debian-mentors-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/CANVYNa-Jy6Fvvfn2k=yt6txkgz8d6-jhxwt_-+ednocckur...@mail.gmail.com
Re: RFS: minidlna (updated package and FTBFS fix)
Hi Kilian, Kilian Krause wrote: Salut Benoît, On Fri, Jul 22, 2011 at 12:36:51PM +0200, Benoît Knecht wrote: I am looking for a sponsor for the new version 1.0.21+dfsg-1 of my package minidlna. - dget http://mentors.debian.net/debian/pool/main/m/minidlna/minidlna_1.0.21+dfsg-1.dsc 1. Your upoad uses a tarball that's not identical to upstream's one. Please consider adding a get-orig-tarball target to debian/rules to verify what steps are required to generate it. Yes, that's what the +dfsg in the upstream version is all about; I've replaced the icons.c file, which contained binary blobs of possibly unfree images. I've included a script to generate it, but not a get-orig-source yet, as I'm not sure how to achieve the this target may be invoked in any directory part of the policy. Any advices welcome. 2. The 1.0.20+dfsg-2 never made it into Debian. Changes generated accordingly. Please double check next time. I'm not sure what you mean. I did some changes before 1.0.21 was released and checked them into git; the next version came before I had a chance to submit that one, so I added a new changelog entry and recorded further changes there. I actually prefer this to merging the changelog entries together, but maybe I should have tagged the previous version as UNRELEASED. 3. Your patches don't use DEP-3 headers. It would be nice to have them to see which of those have already been pushed upstream etc.. I'll consider it, but right now I'm using the format generated by git-format-patch, which I find quite convenient. Anyway, built, signed, uploaded. Thanks a lot, for the upload and for the review. Cheers, -- Benoît Knecht -- To UNSUBSCRIBE, email to debian-mentors-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20110722233910.ga26...@marvin.lan
Re: RFS: minidlna (updated package and FTBFS fix)
Hi Fernando, Fernando Lemos wrote: 2011/7/22 Kilian Krause kil...@debian.org: On Fri, Jul 22, 2011 at 12:36:51PM +0200, Benoît Knecht wrote: I am looking for a sponsor for the new version 1.0.21+dfsg-1 of my package minidlna. - dget http://mentors.debian.net/debian/pool/main/m/minidlna/minidlna_1.0.21+dfsg-1.dsc 1. Your upoad uses a tarball that's not identical to upstream's one. Please consider adding a get-orig-tarball target to debian/rules to verify what steps are required to generate it. Please take no offense, Benoît. But in such a case, Kilian, can you be sure the source hasn't been tampered with? I'd feel rather unconfortable otherwise. I did tamper with the source, in the sense that I replaced the non-free icons.c file. This is documented in debian/copyright. I'm not sure what kind of tampering you're worried about, but you can easily check that no other file from upstream was modified. Cheers, -- Benoît Knecht -- To UNSUBSCRIBE, email to debian-mentors-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20110722234629.gb26...@marvin.lan
Re: RFS: minidlna (updated package and FTBFS fix)
2011/7/22 Benoît Knecht benoit.kne...@fsfe.org: Hi Fernando, Fernando Lemos wrote: 2011/7/22 Kilian Krause kil...@debian.org: On Fri, Jul 22, 2011 at 12:36:51PM +0200, Benoît Knecht wrote: I am looking for a sponsor for the new version 1.0.21+dfsg-1 of my package minidlna. - dget http://mentors.debian.net/debian/pool/main/m/minidlna/minidlna_1.0.21+dfsg-1.dsc 1. Your upoad uses a tarball that's not identical to upstream's one. Please consider adding a get-orig-tarball target to debian/rules to verify what steps are required to generate it. Please take no offense, Benoît. But in such a case, Kilian, can you be sure the source hasn't been tampered with? I'd feel rather unconfortable otherwise. I did tamper with the source, in the sense that I replaced the non-free icons.c file. This is documented in debian/copyright. I'm not sure what kind of tampering you're worried about, but you can easily check that no other file from upstream was modified. Again, no offense meant. I have no reason to believe anyone is acting in bad faith. Just to clarify, I find it concerning that we might be accepting source uploads that don't come straight from upstream and don't match what was released upstream. I'm relieved to hear that there is a way to ensure in your specific case that the source is the same as shipped upstream. I wish this was a requirement for new packages entering Debian. -- To UNSUBSCRIBE, email to debian-mentors-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/CANVYNa_yUwOg58O5JjdF3Su75o3YNA4co48TkFK-=-h63+s...@mail.gmail.com
