DD ping - request for sponsor

Marcos Fouces marcos.fouces at gmail.com
Tue Nov 14 22:07:56 UTC 2017


Hello Lukas (and team),

Many thanks for the good review and the corrections you pointed out.

dnsrecon is hopefully ready for upload but ncrack is not ready to be
built with openssl 1.1 so it will surely be removed.

Some time ago, I asked upstream to adapt it, but the work isn't done yet.

Greetings,

Marcos



On 05/11/17 at 13:30, Lukas Schwaighofer wrote:
> Hi Marcos,
>
> On Sun, 5 Nov 2017 12:32:11 +0100
> Marcos Fouces <marcos.fouces at gmail.com> wrote:
>
>> I prepared new releases for dnsrecon and ncrack. Please, point out
>> corrections needed or directly upload them.
> I took a look and found a few things:
>
> dnsrecon:
> * There is a new lintian pedantic tag
>   "file-contains-trailing-whitespace" which has a few hits you might
>   want to correct
> * Upstream's README.md is really the changelog; I think you should
>   remove debian/dnsrecon.docs and instead add something like this to
>   debian/rules:
>
>     override_dh_installchangelogs:
>     	dh_installchangelogs README.md
>
>   This will install the upstream changelog in the location preferred by
>   policy [1].  Also avoids a lintian warning that the upstream
>   changelog is missing.
> * Since your helper script changes the current working directory, all
>   options that allow specifying a file do not work as expected (e.g.
>   --db, --xml, --csv, --dictionary):  Any files given as a relative
>   path will be relative to /usr/share/dnsrecon which is quite
>   unexpected.  I think you should install the main python script
>   to /usr/bin/ directly and patch it so it can load the components
>   from its "lib" module.
>
> ncrack:
> * Also some trailing whitespaces.
> * debian/copyright needs *a lot* of work.  It's very incomplete, e.g.
>   claiming that anything under opensshlib/* is under the GPL-2+ with
>   nmap exception as well (and the license clearly states "version 2",
>   so the "+" should probably be dropped).  I know this part of the work
>   is no fun at all :( .
>   - This is really an RC bug, as we violate the terms of the license by
>     distributing the binary packages without the copyright.
>   - By the way, the format link is preferred to be https since policy
>     version 4.0.0
> * debian/watch could be extended to check upstream's gpg signature.
>   Signatures can be found here: https://nmap.org/ncrack/dist/sigs/
> * the package does not create a dbgsym package, because upstream build
>   system strips the debug information away.  Add "STRIP=/bin/true" to
>   dh_auto_configure (after --prefix=/usr) to avoid that.
>
> Regards
> Lukas
>
> [1] https://www.debian.org/doc/debian-policy/#changelog-files
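
The working-directory problem raised in the dnsrecon review above, reproduced as an added example that is not part of the original thread. The tool, both launchers and every path are constructed stand-ins inside a temporary directory, not the dnsrecon package's own files.

```shell
#!/bin/sh
# Constructed demo: "share/tool" stands in for /usr/share/dnsrecon and
# "work" for the directory the user runs the command from.

setup_demo() {
    DEMO=$(mktemp -d) || return 1
    mkdir -p "$DEMO/share/tool" "$DEMO/work"
    # Stand-in tool: only understands "--csv FILE" and writes a header to FILE.
    cat > "$DEMO/share/tool/tool.sh" <<'EOF'
#!/bin/sh
[ "$1" = "--csv" ] && echo "host,ip" > "$2"
EOF
    # Launcher A changes directory before starting the tool.
    cat > "$DEMO/launcher_cd.sh" <<EOF
#!/bin/sh
cd "$DEMO/share/tool" && exec ./tool.sh "\$@"
EOF
    # Launcher B keeps the caller's directory and uses an absolute path.
    cat > "$DEMO/launcher_abs.sh" <<EOF
#!/bin/sh
exec "$DEMO/share/tool/tool.sh" "\$@"
EOF
    chmod +x "$DEMO/share/tool/tool.sh" "$DEMO/launcher_cd.sh" "$DEMO/launcher_abs.sh"
}

# Run a launcher from "work" with a relative --csv path and report
# which directory the output file actually ended up in.
where_output_lands() {
    launcher=$1
    rm -f "$DEMO/work/out.csv" "$DEMO/share/tool/out.csv"
    ( cd "$DEMO/work" && "$DEMO/$launcher" --csv out.csv )
    if [ -f "$DEMO/work/out.csv" ]; then echo work
    elif [ -f "$DEMO/share/tool/out.csv" ]; then echo share
    else echo none
    fi
}

setup_demo
echo "cd-style launcher writes to:      $(where_output_lands launcher_cd.sh)"
echo "absolute-path launcher writes to: $(where_output_lands launcher_abs.sh)"
rm -rf "$DEMO"
```

On an installed system the first case is worse than a misplaced file: an unprivileged user cannot write under /usr/share, so the output option fails, and relative input files are looked up in the wrong place.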
