[Pkg-security-team] Review of ncrack and t50
Marcos Fouces
mfouces at yahoo.es
Mon Jul 25 18:38:56 UTC 2016
On 21/07/16 at 15:27, Raphael Hertzog wrote:
> Hello Marcos,
>
> I took a look at ncrack and t50. Here are my comments and questions. Please
> address them and I will upload the packages. Feel free to ask questions
> if you have any.
>
> For ncrack first:
> * why is there a Depends on python and Build-Depends on python-all-dev?
> can we get rid of them?
Yes, as I said to you in a previous mail, these dependencies seemed a bit
strange to me.
When I tried "dpkg-depcheck -d ./configure" I did not see any of these.
The package builds correctly without them. I just left these fields
unmodified as in the Kali package because I was unsure.
> * same question for all other build dependencies except libssl-dev in
> fact...
OK, now I just left libssl-dev, autotools-dev and debhelper (>= 9) as
Build-Depends and no specific Depends.
> * there are remaining typos that can be fixed:
> I: ncrack: spelling-error-in-binary usr/bin/ncrack guage gauge
Fixed
> I: ncrack: spelling-error-in-binary usr/bin/ncrack addres address
This is a variable in source code: if (!strncmp(buf, "addres", 6))
I don't know if it should be fixed. Please, re-check it in the
ncrack_input.cc file (line 198).
> * debian/control: use "optional" instead of "extra" as priority, extra
> is only for packages that are alternatives for some other optional package
Fixed.
> * debian/copyright: the license is basically the GPL but with exceptions,
> I wonder if we must mark it that way instead of "Other", it would probably
> also make sense to add a sentence referring to /usr/share/common-licenses/GPL-2
Fixed
> You should also update the list of copyright holders for "debian/*" to include
> all persons who worked on the package.
I added all Kali repo committers and myself.
> * please forward the typo patches to the upstream developers and mark
> the patch as forwarded (using DEP-3 headers).
Fixed. I did a pull request on GitHub.
> For t50:
> * why do you override dh_strip in the way you do it?
Because the default behavior of dh_strip creates an extra dbg_sym
package at build time and Lintian complained about it. This way the
binaries are also stripped (hopefully) and there is no extra debug package.
> * "dh $@ --with-autoreconf" should be "dh $@ --with autoreconf"
> * don't set DH_VERBOSE=1 by default
> * drop the boilerplate comments in debian/rules (line 1 to 7)
> * clean up debian/changelog, it contains unneeded "[ Marcos Fouces ]" and "[ Marcos ]"
> since you were the only one working on it
Fixed.
> * add DEP-3 headers to debian/patches/fix-spelling-errors.patch
> and forward the patch upstream (likely with a pull request here:
> https://github.com/fredericopissarra/t50/pulls)
Done.
> * debian/copyright: Source still mentions t50.sourceforge.net but everywhere
> else you mentioned https://github.com/fredericopissarra/t50
> maybe use the same everywhere if sf.net is obsolete...
Done.
> * debian/copyright: update the copyright holders for the main code,
> it seems to be "2010 - 2015 - T50 developers" everywhere now.
Fixed
> Cheers,
Thank you very much for your time.
Greetings. Marcos