[pkg] New package: wcc

Raphael Hertzog hertzog at debian.org
Fri Jun 16 13:55:37 UTC 2017


Hello Philippe,

On Thu, 25 May 2017, Philippe Thierry wrote:
> I've uploaded the wcc package to pkg-security repository:
> https://anonscm.debian.org/cgit/pkg-security/wcc.git

Here are my comments:

1/ the debian/copyright file looks strange to me, you should not put all
files under the same block when they have different licenses applied.
Create one default block for the main code (MIT) and then supplementary
blocks for third-party dependencies that are embedded and that have
different licenses.

2/ you have put names in debian/copyright that I am not able to find in
the sources... where do they come from? Also I see one name
("Dag-Erling Co�dan Sm�rgrav") which has certainly been badly
copy-pasted... read in UTF-8 when it was Latin1 or something like this.

=> I see that third-party dependencies are managed as git submodule,
and I don't have those submodules on a fresh clone obviously

3/ there are PDF files in "doc", I think that ftpmasters want sources
for PDF files. See https://ftp-master.debian.org/REJECT-FAQ.html ("Source
missing")

4/ debian/compat is 9, but you have debhelper >= 10 in Build-Depends, you
probably want to bump it.

5/ debian/control contains hardcoded dependencies on C shared libraries:
   libcapstone3, libelf1, libreadline7, libgsl2. You don't need those as
   they are generated as part of ${shlibs:Depends}.

6/ debian/control contains "Testsuite: autopkgtest", you don't need that
as dpkg will add this field automatically when it finds
debian/tests/control

7/ I don't see any pristine-tar branch, how am I supposed to get
the upstream tarball that you are using? => you should be using
--git-pristine-tar-commit too.

8/ debian/source/lintian-overrides are too generic, you are ignoring all
instances of the source-contains-prebuilt-doxygen-documentation
source-contains-prebuilt-binary and source-is-missing tags... you should
only ignore them for the specific cases that you have analyzed. You
can use patterns to match multiple files e.g.
wcc source: source-contains-prebuilt-doxygen-documentation src/tex/*
Same for debian/lintian-overrides (which should be renamed
debian/wcc.lintian-overrides to match other debian/wcc.* files).

9/ in debian/source/options, you should escape the dots in
extend-diff-ignore otherwise the dots are matching any character (and not
only a dot)

10/ the way you use gbp buildpackage and its submodule support (I wasn't
even aware of this feature) should probably be documented in
debian/README.source as this is not really a widely known practice yet.

11/ debian/gbp.conf overrides the upstream tag name so that it points
to a real upstream tag... I'm not sure that this is a very good idea.
What happens when you run "gbp import-orig --uscan" with a new upstream
version? It will create a Debian specific tag that will conflict with
the upstream tag. And the associated tarball will lack the submodules I
guess. You probably don't expect to use gbp import-orig but this is still
what people are used to using by default and it will create problems. =>
again very important to document how to work with your package

12/ drop debian/README.Debian, it doesn't add anything over the current
description in debian/control

13/ drop debian/wcc.dirs, it's not needed, those dirs are created by
dh_install implicitly

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
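
Point 8 as an added example (not part of the original message and not code from the wcc packaging): a small Python check that flags override lines silencing one of the three tags named above for every file instead of for a specific path pattern. The sample file content is constructed and the function names are hypothetical.

```python
# Added example: find blanket lintian overrides for source-provenance tags.
SENSITIVE_TAGS = {
    "source-contains-prebuilt-doxygen-documentation",
    "source-contains-prebuilt-binary",
    "source-is-missing",
}

# Constructed sample of a debian/source/lintian-overrides file (not the real one).
SAMPLE = """\
# constructed sample
wcc source: source-is-missing
source-contains-prebuilt-binary
wcc source: source-contains-prebuilt-doxygen-documentation src/tex/*
wcc source: source-contains-prebuilt-binary *
"""


def parse_override(line):
    """Return (tag, context) for an override line, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # An optional "package type:" prefix ends at the first ": ".
    _, sep, rest = line.partition(": ")
    # No prefix if the line already starts with one of the audited tags.
    body = line if (not sep or line.split()[0] in SENSITIVE_TAGS) else rest
    parts = body.split(None, 1)
    context = parts[1].strip() if len(parts) > 1 else ""
    return parts[0], context


def blanket_overrides(text):
    """List (line number, tag) for overrides that apply to every file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = parse_override(raw)
        if parsed is None:
            continue
        tag, context = parsed
        # Empty context, or a context made only of "*", matches everything.
        if tag in SENSITIVE_TAGS and context.replace("*", "").strip() == "":
            findings.append((lineno, tag))
    return findings


if __name__ == "__main__":
    for lineno, tag in blanket_overrides(SAMPLE):
        print(f"line {lineno}: {tag} is overridden for all files")
```
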


