[pkg] brutespray - review

Lukas Schwaighofer lukas at schwaighofer.name
Fri Jul 7 17:26:45 UTC 2017


Hi Stéphane,

I just had a look at brutespray:
* it only seems to be useful in combination with medusa, yet you neither
  depend nor recommend (or even suggest) it in d/control
* the package just contains one python script and no python module
  - I think that means you don't need to add a setup.py and use pybuild
  - instead you would have to patch the shebang line, however, to
    conform to the python policy
  - I don't know what's better though…
* the man page generated by ronn in d/rules should be cleaned up again
  (add to d/clean, similar to curvedns)
* d/control
  - XS-Python-Version is obsolete [1]
  - Standards version is now 4.0.0
  - as it is a python script, I expect it should be declared an
    architecture independent package by using Architecture: all
  - Build-Depends / Depends:
    . why do you need lsb-base?
    . drop the >=2.7 for python, everything is 2.7 now
    . if you keep using pybuild and dh_python2, you should follow the
      instructions from dh_python2 man page and add ${python:Depends} to
      Depends (instead of python); if you don't use it some build
      depends can be dropped…
  - Vcs-* fields should point to alioth and not your github repo
* pristine tar branch is missing
* your d/watch file is wrong: when I run `uscan -v -dd` I see that
  the deduced version according to your regular expression is "5"
  instead of "1.5".  If you need help fixing that let me know.
* the brutespray-1.5 tag in the git repository on alioth is wrong
  (different from upstream).  You should really try to avoid making that
  mistake because, while you can correct it on alioth, anyone who has
  already cloned the repository (like me) will have to manually remove
  the tag and pull again after you fixed it…  so always double-check
  your tags.

As a final note: I have no idea if this <400 LOC script warrants its own
Debian package at all… maybe you should ask for advice on that before
we put too much effort into the package.

Regards
Lukas

[1] https://www.debian.org/doc/packaging-manuals/python-policy/ch-module_packages.html#s-specifying_versions