[Debian-olpc-devel] ITP: bitfrost -- Python library for BIOS security on the OLPC XO laptop

Sun Apr 25 13:14:24 UTC 2010

On Sat, Apr 24, 2010 at 11:31:49PM -0400, Luke Faraone wrote:

>On 04/24/2010 11:17 PM, Luke Faraone wrote:
>> * Package name    : bitfrost
>> [..]
>> Bitfrost is the OLPC security platform. This package contains tools 
>> to handle securing the early boot stages of the system running on the 
>> XO laptop.
>
>Jonas: I've pushed the current packaging to
><http://git.debian.org/?p=collab-maint/bitfrost.git;a=summary>.

Great!

>CDBS decides that my package should depend on python-dev, yet my 
>package does not require (as far as I can tell) anything provided by 
>this package. This is also triggering a lintian warning:
>> W: bitfrost source: build-depends-on-python-dev-with-no-arch-any
>
>Am I missing something? Should the package be arch-any, or is there 
>some way to omit the dependency?

No, you are on the right track :-)

Debian Python Policy states that Python modules should build-depend on 
python-dev, but then adds that it may not be necessary in all cases 
(read: only in some cases is this really needed).

CDBS is on the safe side, but if you feel certain that this particular 
Python module builds fine without python-dev, then you can override by 
(un)setting CDBS_BUILD_DEPENDS_class_python-distutils.

Please declare that variable _below_ included CDBS snippets - leaving 
only variables above which must be declared early (yes, this is an odd 
detail in CDBS which needs proper documentation, but that's off topic).

Another issue that I noticed: The git has prinstine-tar branch enabled 
in debian/gbp.conf (good!) but lacks an actual branch (not good).  You 
probably imported the tarball before adding the config file, and without 
explicitly declaring --pristine-tar.  I suggest you re-import same 
tarball on top of the current one, to include the pristine-tar branch.

Another one: debian/copyright contains GPL and LPGL licenses, but lack 
the related disclaimer and reference to FSF.  I used to do the same in 
the past, but have since learned that even if not strictly part of 
"copyright and licensing", the disclaimer is in a broader sense part of 
the legal text, so should be included.  Similar for the reference to 
FSF, but here there's the odd situation that FSF have moved physically 
so the "verbatim copy" may be outdated and lintian (and the Debian legal 
team) will want the address to be adjusted.  I recommend to a) include 
the disclaimers right below the licensing text, and add the most modern 
reference to FSF website (even if that text is newer than used in any of 
the actual files of this project) and add it below the Debian comment on 
where to find the full license (so as to indicate that it was not copied 
verbatim but added by us).

Other than those minor issues, your packaging looks fine :-)

Kind regards,

  - Jonas

-- 
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136  Website: http://dr.jones.dk/

  [x] quote me freely  [ ] ask before reusing  [ ] keep private
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/debian-olpc-devel/attachments/20100425/76e2261f/attachment.pgp>