[Pkg-tigervnc-devel] tigervnc and lintian (was: Bug#911712: tigervnc: diff for NMU version 1.9.0+dfsg-1.1)
Mike Gabriel
mike.gabriel at das-netzwerkteam.de
Mon Oct 29 11:11:54 GMT 2018
Hi all,
On Sun 28 Oct 2018 23:31:28 CET, Joachim Falk wrote:
> Hi Christoph,
>
> On 28.10.18 11:53, Christoph Biedl wrote:
>> tags 911712 + patch
>> tags 911712 + pending
>> user debian-release at lists.debian.org
>> usertags -1 + bsp-2018-10-de-karlsruhe
>> thanks
>>
>> Dear maintainer,
>>
>> I've prepared an NMU for tigervnc (versioned as 1.9.0+dfsg-1.1) and will
>> upload it to DELAYED/5 in a moment. Please feel free to tell me if I
>> should delay it longer.
> I have prepared 1.9.0+dfsg-2 integrating the fix as well as a bug fix for
> the missing icons and desktop file.
>
> @Yaroslav or @Mike, can you upload? Please replace
> 1.9.0+dfsg-2~RC3 with 1.9.0+dfsg-2 and release to unstable.
>
> Regards,
>
> Joachim Falk
I have just uploaded 1.9.0+dfsg-2 to unstable.
While looking at the package, I found plenty of lintian issues that
could be fixed:
```
P: tigervnc source: file-contains-trailing-whitespace debian/rules (line 303)
N:
N: This file appears to contain one or more lines with trailing whitespace
N: characters.
N:
N: Whilst typically harmless and merely unsightly, they can often cause
N: difficult-to-spot issues where tools interpret the whitespace characters
N: literally. They are thus best avoided in their entirity.
N:
N: Whitespace at the end of lines may be removed with the following:
N:
N: $ sed -i -e 's@[[:space:]]*$@@g' debian/control debian/changelog
N:
N: If you use Emacs, you can also use "M-x wh-cl" (whitespace-cleanup).
N:
N: However, if you wish to only remove trailing spaces and leave trailing
N: tabs (eg. for Makefiles), you can use the following code snippet:
N:
N: $ sed -i -e 's@[ ]*$@@g' debian/rules
N:
N: To remove empty lines from the end of a file, you can use:
N:
N: $ sed -i -e :a -e '/^\n*$/{$d;N;};/\n$/ba' debian/rules
N:
N: Severity: pedantic, Certainty: certain
N:
N: Check: cruft, Type: source
N:
P: tigervnc source: package-uses-old-debhelper-compat-version 9
N:
N: The debhelper compatibility version used by this package is marked as
N: not recommended by the debhelper developer. You may consider using a
N: recommended compatibility version.
N:
N: The compatibility version can be set in (preferred) debian/compat or by
N: setting and exporting DH_COMPAT in debian/rules. If it is not set in
N: either place, debhelper defaults to the deprecated compatibility version
N: 1.
N:
N: Refer to the debhelper(7) manual page for details.
N:
N: Severity: pedantic, Certainty: certain
N:
N: Check: debhelper, Type: source
N:
W: tigervnc source: changelog-should-mention-nmu
N:
N: When you NMU a package, that fact should be mentioned on the first line
N: in the changelog entry. Use the words "NMU" or "Non-maintainer upload"
N: (case insensitive).
N:
N: Maybe you didn't intend this upload to be a NMU, in that case, please
N: double-check that the most recent entry in the changelog is
N: byte-for-byte identical to the maintainer or one of the uploaders. If
N: this is a local package (not intended for Debian), you can suppress this
N: warning by putting "local" in the version number or "local package" on
N: the first line of the changelog entry.
N:
N: Refer to Debian Developer's Reference section 5.11.3 (Using the DELAYED/
N: queue) for details.
N:
N: Severity: normal, Certainty: certain
N:
N: Check: nmu, Type: source
N:
W: tigervnc source: source-nmu-has-incorrect-version-number 1.9.0+dfsg-2
N:
N: A source NMU should have a Debian revision of "-x.x" (or "+nmuX" for a
N: native package). This is to prevent stealing version numbers from the
N: maintainer.
N:
N: Maybe you didn't intend this upload to be a NMU, in that case, please
N: double-check that the most recent entry in the changelog is
N: byte-for-byte identical to the maintainer or one of the uploaders. If
N: this is a local package (not intended for Debian), you can suppress this
N: warning by putting "local" in the version number or "local package" on
N: the first line of the changelog entry.
N:
N: Refer to Debian Developer's Reference section 5.11.2 (NMUs and
N: debian/changelog) for details.
N:
N: Severity: normal, Certainty: certain
N:
N: Check: nmu, Type: source
N:
I: tigervnc source: quilt-patch-missing-description
0102-fix-spelling-error-in-manpages-to-shutup-lintian.patch
N:
N: quilt patch files should start with a description of patch. All lines
N: before the start of the patch itself are considered part of the
N: description. You can edit the description with quilt header -e when the
N: patch is at the top of the stack.
N:
N: As well as a description of the purpose and function of the patch, the
N: description should ideally contain author information, a URL for the bug
N: report (if any), Debian or upstream bugs fixed by it, upstream status,
N: the Debian version and date the patch was first included, and any other
N: information that would be useful if someone were investigating the patch
N: and underlying problem. Please consider using the DEP-3 format for this
N: information.
N:
N: Refer to https://dep-team.pages.debian.net/deps/dep3/ for details.
N:
N: Severity: wishlist, Certainty: certain
N:
N: Check: patch-systems, Type: source
N:
I: tigervnc source: quilt-patch-missing-description
0151-make-cmake-enable-options-mandatory-if-turned-on.patch
I: tigervnc source: quilt-patch-missing-description rh/tigervnc-manpages.patch
I: tigervnc source: quilt-patch-missing-description rh/tigervnc-cursor.patch
I: tigervnc source: quilt-patch-missing-description
rh/tigervnc-working-tls-on-fips-systems.patch
I: tigervnc source: quilt-patch-missing-description find-fltk-libs.diff
I: tigervnc source: quilt-patch-missing-description fix-linking.diff
I: tigervnc source: quilt-patch-missing-description CVE-2014-8240-849479.patch
I: tigervnc source: quilt-patch-missing-description CVE-2014-8241-849478.patch
W: tigervnc source: patch-file-present-but-not-mentioned-in-series
rework/0200-add-tcpwrappers-support.patch
N:
N: The specified patch is present under the debian/patches directory but is
N: not mentioned in any "series" or "00list" file.
N:
N: This may mean that a patch was created with the intention of modifying
N: the package but is not being applied.
N:
N: Please either add the filename to the series file, or ensure it is
N: commented-out in a form that Lintian can recognise, for example:
N:
N: 0001_fix-foo.patch
N: # 0002_fix-bar.patch
N:
N: Severity: normal, Certainty: certain
N:
N: Check: patch-systems, Type: source
N:
W: tigervnc source: patch-file-present-but-not-mentioned-in-series
rh/0001-rpath-hack.patch
W: tigervnc source: patch-file-present-but-not-mentioned-in-series
rh/dustbin/tigervnc-xserver119.patch
I: tigervnc source: missing-explanation-for-repacked-upstream-tarball
N:
N: The version of this package contains dfsg, ds, or debian which normally
N: indicates that the upstream source has been repackaged, but there is no
N: "Comment" or "Files-Excluded" field in its copyright file which explains
N: the reason why.
N:
N: Please add a comment why this tarball was repacked or add a suitable
N: "Files-Excluded" field.
N:
N: Severity: wishlist, Certainty: possible
N:
N: Check: source-copyright, Type: source
N:
I: tigervnc source: out-of-date-standards-version 3.9.8 (released
2016-04-06) (current is 4.2.1)
N:
N: The source package refers to a Standards-Version older than the one that
N: was current at the time the package was created (according to the
N: timestamp of the latest debian/changelog entry). Please consider
N: updating the package to current Policy and setting this control field
N: appropriately.
N:
N: If the package is already compliant with the current standards, you
N: don't have to re-upload the package just to adjust the Standards-Version
N: control field. However, please remember to update this field next time
N: you upload the package.
N:
N: See /usr/share/doc/debian-policy/upgrading-checklist.txt.gz in the
N: debian-policy package for a summary of changes in newer versions of
N: Policy.
N:
N: Refer to
N: https://www.debian.org/doc/packaging-manuals/upgrading-checklist.txt for
N: details.
N:
N: Severity: wishlist, Certainty: certain
N:
N: Check: standards-version, Type: source
N:
I: tigervnc source: testsuite-autopkgtest-missing
N:
N: This package does not declare a test suite.
N:
N: Having a test suite aids with automated quality assurance of the archive
N: outside of your package. For example, if your package has a test suite
N: it is possible to re-run that test suite when any of your package's
N: dependencies have a new version and check whether that update causes
N: problems for your package.
N:
N: In addition, since May 2018 such tests now influence migration from
N: unstable to testing:
N:
N: https://lists.debian.org/debian-devel-announce/2018/05/msg00001.html
N:
N: Please add a debian/tests/control file to your package to declare a
N: testsuite, but please make sure to only add autopkgtests if they provide
N: meaningful coverage of your package.
N:
N: Refer to https://ci.debian.net/doc/ for details.
N:
N: Severity: wishlist, Certainty: certain
N:
N: Check: testsuite, Type: source
N:
X: tigervnc source: upstream-metadata-file-is-missing
N:
N: This source package is not Debian-native but it does not have a
N: debian/upstream/metadata file.
N:
N: The Upstream MEtadata GAthered with YAml (UMEGAYA) project is an effort
N: to collect meta-information about upstream projects from any source
N: package. This file is in YAML format and it is used in to feed the data
N: in the UltimateDebianDatabase. For example, it can contains the way the
N: authors want their software be cited in publications and some
N: bibliographic references about the software.
N:
N: Please add a debian/upstream/metadata file.
N:
N: Refer to https://dep-team.pages.debian.net/deps/dep12/ and
N: https://wiki.debian.org/UpstreamMetadata for details.
N:
N: Severity: pedantic, Certainty: certain
N:
N: Check: upstream-metadata, Type: source
N:
N: This tag is marked experimental, which means that the code that
N: generates it is not as well-tested as the rest of Lintian and might
N: still give surprising results. Feel free to ignore experimental tags
N: that do not seem to make sense, though of course bug reports are always
N: welcome.
N:
P: tigervnc source: debian-watch-does-not-check-gpg-signature
N:
N: This watch file does not include a means to verify the upstream tarball
N: using cryptographic signature.
N:
N: If upstream distributions provide such signatures, please use the
N: pgpsigurlmangle options in this watch file's opts= to generate the URL
N: of an upstream GPG signature. This signature is automatically downloaded
N: and verified against a keyring stored in
N: debian/upstream/signing-key.asc.
N:
N: Of course, not all upstreams provide such signatures, but you could
N: request them as a way of verifying that no third party has modified the
N: code against their wishes after the release. Projects such as
N: phpmyadmin, unrealircd, and proftpd have suffered from this kind of
N: attack.
N:
N: Refer to the uscan(1) manual page for details.
N:
N: Severity: pedantic, Certainty: certain
N:
N: Check: watch-file, Type: source
N:
I: tigervnc-scraping-server: hardening-no-bindnow usr/bin/x0tigervncserver
N:
N: This package provides an ELF binary that lacks the "bindnow" linker
N: flag.
N:
N: This is needed (together with "relro") to make the "Global Offset Table"
N: (GOT) fully read-only. The bindnow feature trades startup time for
N: improved security. Please consider enabling this feature or consider
N: overriding the tag (possibly with a comment about why).
N:
N: If you use dpkg-buildflags, you may have to add hardening=+bindnow or
N: hardening=+all to DEB_BUILD_MAINT_OPTIONS.
N:
N: The relevant compiler flags are set in LDFLAGS.
N:
N: Refer to https://wiki.debian.org/Hardening for details.
N:
N: Severity: wishlist, Certainty: certain
N:
N: Check: binaries, Type: binary, udeb
N:
I: tigervnc-viewer: hardening-no-bindnow usr/bin/xtigervncviewer
W: tigervnc-viewer: icon-size-and-directory-name-mismatch
usr/share/icons/hicolor/16x16/apps/tigervnc.png 20x20
N:
N: The icon has a size that differs from the size specified by the name of
N: the directory under which it was installed. The icon was probably
N: mistakenly installed into the wrong directory.
N:
N: Severity: normal, Certainty: certain
N:
N: Check: files, Type: binary, udeb
N:
I: tigervnc-viewer: desktop-entry-lacks-keywords-entry
usr/share/applications/xtigervncviewer.desktop
N:
N: This .desktop file does either not contain a "Keywords" entry or it does
N: not contain any keywords not already present in the "Name" or
N: "GenericName" entries.
N:
N: .desktop files are organized in key/value pairs (similar to .ini files).
N: "Keywords" is the name of the entry/key in the .desktop file containing
N: keywords relevant for this .desktop file.
N:
N: The desktop-file-validate tool in the desktop-file-utils package is
N: useful for checking the syntax of desktop entries.
N:
N: Refer to
N:
https://specifications.freedesktop.org/desktop-entry-spec/latest/ar01s06.html,
N: https://bugs.debian.org/693918, and
N: https://wiki.gnome.org/Initiatives/GnomeGoals/DesktopFileKeywords for
N: details.
N:
N: Severity: wishlist, Certainty: certain
N:
N: Check: menu-format, Type: binary
N:
X: tigervnc-xorg-extension: shlib-calls-exit
usr/lib/xorg/modules/extensions/libvnc.so
N:
N: The listed shared library calls the C library exit() or _exit()
N: functions.
N:
N: In the case of an error, the library should instead return an
N: appropriate error code to the calling program which can then determine
N: how to handle the error, including performing any required clean-up.
N:
N: In most cases, removing the call should be discussed with upstream,
N: particularly as it may produce an ABI change.
N:
N: Severity: wishlist, Certainty: possible
N:
N: Check: shared-libs, Type: binary, udeb
N:
N: This tag is marked experimental, which means that the code that
N: generates it is not as well-tested as the rest of Lintian and might
N: still give surprising results. Feel free to ignore experimental tags
N: that do not seem to make sense, though of course bug reports are always
N: welcome.
N:
I: tigervnc-common: hardening-no-bindnow usr/bin/tigervncconfig
I: tigervnc-common: hardening-no-bindnow usr/bin/tigervncpasswd
I: tigervnc-common: conflicts-with-version tigervnc-server (<< 1.1.90)
N:
N: An earlier-than version clause is normally an indication that Breaks
N: should be used instead of Conflicts. Breaks is a weaker requirement that
N: provides the package manager more leeway to find a valid upgrade path.
N: Conflicts should only be used if two packages can never be unpacked at
N: the same time, or for some situations involving virtual packages (where
N: a version clause is not appropriate). In particular, when moving files
N: between packages, use Breaks plus Replaces, not Conflicts plus Replaces.
N:
N: Refer to Debian Policy Manual section 7.4 (Conflicting binary packages -
N: Conflicts) for details.
N:
N: Severity: normal, Certainty: wild-guess
N:
N: Check: fields, Type: binary, udeb, source
N:
I: tigervnc-common: conflicts-with-version tigervnc-viewer (<< 1.1.90)
I: tigervnc-standalone-server: hardening-no-bindnow usr/bin/Xtigervnc
```
Are any of the above issues ones that should rather not be fixed??? Esp.
the hardening-no-bindnow issues should be solved IMHO.
For those lintian issues that cannot be resolved, we should add
lintian-overrides, so that people know that things get triggered by
lintian but maintainers don't intend to fix them / they are unfixable
/ whatever.
I could take a look at some of the above issues, if no one objects.
Greets,
Mike
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de
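A worked check for the hardening-no-bindnow tags quoted in the message above. This is an added example, not part of Mike's mail, of the tigervnc packaging, or of lintian itself: it walks the ELF64 program headers for a PT_GNU_RELRO segment and the dynamic section for the BIND_NOW flag, which together give the "fully read-only GOT" the lintian note describes. Function names (check_bindnow, build_sample_elf) and the minimal ELF images the script constructs for its self-test are assumptions made here; to inspect a real package binary such as usr/bin/Xtigervnc, pass its path on the command line.

```python
#!/usr/bin/env python3
"""Report whether an ELF64 binary has RELRO and BIND_NOW, the two pieces
behind lintian's hardening-no-relro / hardening-no-bindnow tags.

Added example; not part of the tigervnc packaging or of lintian.
Only ELF64 little-endian images (x86_64, aarch64, ...) are handled."""
import struct
import sys

PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552   # segment the loader remaps read-only after relocation
DT_NULL = 0
DT_BIND_NOW = 24            # legacy tag
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8           # bit in DT_FLAGS
DF_1_NOW = 0x1              # bit in DT_FLAGS_1 (what -Wl,-z,now sets today)

PHDR_FMT = "<IIQQQQQQ"      # Elf64_Phdr, 56 bytes
DYN_FMT = "<qQ"             # Elf64_Dyn, 16 bytes


def check_bindnow(data: bytes) -> dict:
    """Return {'relro': bool, 'bind_now': bool, 'verdict': 'full'|'partial'|'none'}."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    relro = False
    dynamic = None
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz, _memsz, _align = \
            struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)

    bind_now = False
    if dynamic is not None:
        d_off, d_size = dynamic
        for off in range(d_off, d_off + d_size, struct.calcsize(DYN_FMT)):
            d_tag, d_val = struct.unpack_from(DYN_FMT, data, off)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_BIND_NOW
                    or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                bind_now = True

    # Full RELRO needs both: the GOT lies inside the RELRO segment, and
    # BIND_NOW makes the loader resolve every symbol up front so that the
    # segment can be made read-only before main() runs.
    if relro and bind_now:
        verdict = "full"
    elif relro:
        verdict = "partial"
    else:
        verdict = "none"
    return {"relro": relro, "bind_now": bind_now, "verdict": verdict}


def build_sample_elf(relro: bool, bind_now: bool) -> bytes:
    """Constructed minimal ELF64 image (not a runnable program): the ELF
    header, a PT_DYNAMIC segment and, optionally, a PT_GNU_RELRO segment."""
    n_phdrs = 2 if relro else 1
    phoff = 64                      # program headers follow the ELF header
    dyn_off = phoff + 56 * n_phdrs  # dynamic section follows the headers
    dyn = b""
    if bind_now:
        dyn += struct.pack(DYN_FMT, DT_FLAGS_1, DF_1_NOW)
    dyn += struct.pack(DYN_FMT, DT_NULL, 0)
    phdrs = struct.pack(PHDR_FMT, PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                        len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack(PHDR_FMT, PT_GNU_RELRO, 4, dyn_off, dyn_off,
                             dyn_off, len(dyn), len(dyn), 1)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, v1
    header = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, phoff, 0, 0,
                                 64, 56, n_phdrs, 64, 0, 0)
    return header + phdrs + dyn


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, check_bindnow(fh.read()))
    else:
        for flags in ((True, True), (True, False), (False, False)):
            print(flags, check_bindnow(build_sample_elf(*flags))["verdict"])
```

A "partial" verdict on a package binary is exactly what lintian reports as hardening-no-bindnow; the fix the tag's own note gives is `hardening=+bindnow` (or `+all`) in DEB_BUILD_MAINT_OPTIONS so that dpkg-buildflags adds `-Wl,-z,now` to LDFLAGS. The result can be cross-checked against readelf, which lists the GNU_RELRO program header and the NOW flag in the dynamic section.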