Please review my package

wbrana wbrana at gmail.com
Thu Jul 5 13:49:04 UTC 2012


I fixed most things and updated mentor's repository. Please check.

> - the version is "12.5-1.1", indicating a non-maintainer upload (which
> you also state in the changelog).
> even though you are not an official "Debian Maintainer", you (or d-m-m
> as a team) is "the maintainer" of the package. you, personally, will
> never do a non-maintainer upload (or rather: you will know _exactly_
> what "non-maintainer upload" means long before you will do one)
should be fixed

> - the long description of the binary-package is weirdly formatted and
> rather short.
should be fixed

> - please use a machine-parseable debian/copyright, using DEP-5 [2] format
should be fixed

> - why are you setting setuid permissions in the postinst script?
> this is a security hazard (and if you do it to gain realtime
> privileges, then it is no longer needed and deprecated for a while, in
> favour of pam_limits)
mplayer_nice changes nice to -20 and id to id of user.
There shouldn't be a security hazard, as it refuses to run MPlayer as root.
I will check if it is possible to use nice -20 with pam_limits.

> - try to make your package lintian clean, by providing manpages,
> building with fortification flags and removing .sh suffix in /usr/bin.
I tried, but the following warning remained

W hardening-no-fortify-functions
usr/bin/qemplayer

I added the following compiler flags, but it didn't help. Do you know how to fix it?

        cxxflags+='-fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security'
        ldflags+='-Wl,-z,relro'
        cppflags+='-D_FORTIFY_SOURCE=2'


> - any specific reason why you build your own debian/rules file
> instead of using shortform dh or cdbs?
It didn't work. Empty package was created.

> obviously i rephrased this paragraph and (the little that is left of
> my english) syntax went missing...
> anyhow: the d-m-m team uses "git" to do the packaging. you should
> consider doing the same.
I will use git when I have access to the repository.

> and of course the debian/copyright as it is lacks all the necessary
> information.
> what is the license of the upstream package? (the fact that there is a
> COPYING files in the upstream code is _not_ enough; you must make the
> licenseS (there might be more) explicit in debian/copyright)
> who are the upstream copyright holders?
> you claim copyright for yourself, but nobody knows which files are
> covered by your copyright.
> the first file i inspected a bit closer ("./gch.py") is "Copyright
> 2006 Tim Blechmann", who afaik is not you.
> "./ebuild" is "Copyright 1999-2012 Gentoo Foundation" which is not you
> either.
should be fixed

> if you have contact with upstream, you might convince them to add
> proper copyright information in all the source files.
Isn't debian/copyright enough?
Some source files would probably be broken if I added copyright information,
e.g. XML files.
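A small checker, added here as an example and not part of this thread or of lintian's own code, reproducing the heuristic behind the hardening-no-fortify-functions warning discussed above: it reads `nm -D` output and reports whether any imported libc call was replaced by its `__*_chk` variant, which the compiler only emits when `-D_FORTIFY_SOURCE=2` actually reaches it together with `-O1` or higher. The sample symbol lines and the FORTIFIABLE set are constructed assumptions.

```python
"""Mimic lintian's hardening-no-fortify-functions heuristic on `nm -D` output."""
import re
import subprocess

# libc functions that glibc replaces with __<name>_chk variants when the
# code is compiled with -D_FORTIFY_SOURCE=2 at -O1 or higher (assumed subset)
FORTIFIABLE = {"memcpy", "memmove", "memset", "strcpy", "strncpy", "strcat",
               "sprintf", "snprintf", "vsprintf", "printf", "fprintf",
               "read", "fgets", "gets", "stpcpy", "strncat"}
_SYM = re.compile(r"^\s*(?:[0-9a-fA-F]+\s+)?([A-Za-z])\s+(\S+)")

def classify(nm_lines):
    """Split undefined (U) libc imports into unfortified and fortified names."""
    unfortified, fortified = set(), set()
    for line in nm_lines:
        m = _SYM.match(line)
        if not m or m.group(1) != "U":
            continue
        name = m.group(2).split("@")[0]   # drop the @GLIBC_2.x version suffix
        chk = re.fullmatch(r"__(\w+)_chk", name)
        if chk:
            fortified.add(chk.group(1))
        elif name in FORTIFIABLE:
            unfortified.add(name)
    return unfortified, fortified

def fortify_status(nm_lines):
    """'yes', 'no' or 'unknown', mirroring hardening-check's three outcomes."""
    unfortified, fortified = classify(nm_lines)
    if fortified:
        return "yes"
    if unfortified:
        return "no"       # the case lintian flags as hardening-no-fortify-functions
    return "unknown"      # no protectable libc functions used at all

def fortify_status_of(path):
    """Same check on a real ELF file via nm -D (not used by the sample below)."""
    out = subprocess.run(["nm", "-D", path], check=True,
                         capture_output=True, text=True).stdout
    return fortify_status(out.splitlines())

# Constructed sample symbol tables: the same program built without optimisation
# (calls stay unfortified) and with -O2 -D_FORTIFY_SOURCE=2 (calls become __*_chk).
UNFORTIFIED_BUILD = ["                 U memcpy@GLIBC_2.14",
                     "                 U printf@GLIBC_2.2.5",
                     "                 U __libc_start_main@GLIBC_2.34"]
FORTIFIED_BUILD = ["                 U __memcpy_chk@GLIBC_2.3.4",
                   "                 U __printf_chk@GLIBC_2.3.4",
                   "                 U __libc_start_main@GLIBC_2.34"]
```

Running `fortify_status_of("usr/bin/qemplayer")` against the built binary gives "no" whenever the flags above did not reach the compiler or no optimisation level was set.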
