DD ping - request for sponsor

Lukas Schwaighofer lukas at schwaighofer.name
Sun Nov 5 12:30:34 UTC 2017


Hi Marcos,

On Sun, 5 Nov 2017 12:32:11 +0100
Marcos Fouces <marcos.fouces at gmail.com> wrote:

> I prepared new releases for dnsrecon and ncrack. Please, point out
> corrections needed or directly upload them.

I took a look and found a few things:

dnsrecon:
* There is a new lintian pedantic tag
  "file-contains-trailing-whitespace" which has a few hits you might
  want to correct
* Upstream's README.md is really the changelog; I think you should
  remove debian/dnsrecon.docs and instead add something like this to
  debian/rules:

    override_dh_installchangelogs:
    	dh_installchangelogs README.md

  This will install the upstream changelog in the location preferred by
  policy [1].  Also avoids a lintian warning that the upstream
  changelog is missing.
* Since your helper script changes the current working directory, all
  options that allow specifying a file do not work as expected (e.g.
  --db, --xml, --csv, --dictionary):  Any files given as a relative
  path will be relative to /usr/share/dnsrecon which is quite
  unexpected.  I think you should install the main python script
  to /usr/bin/ directly and patch it so it can load the components
  from its "lib" module.

ncrack:
* Also some trailing whitespaces.
* debian/copyright needs *a lot* of work.  It's very incomplete, e.g.
  claiming that anything under opensshlib/* is under the GPL-2+ with
  nmap exception as well (and the license clearly states "version 2",
  so the "+" should probably be dropped).  I know this part of the work
  is no fun at all :( .
  - This is really an RC bug, as we violate the terms of the license by
    distributing the binary packages without the copyright.
  - By the way, the format link is preferred to be https since policy
    version 4.0.0
* debian/watch could be extended to check upstream's gpg signature.
  Signatures can be found here: https://nmap.org/ncrack/dist/sigs/
* The package does not create a dbgsym package, because upstream build
  system strips the debug information away.  Add "STRIP=/bin/true" to
  dh_auto_configure (after --prefix=/usr) to avoid that.

Regards
Lukas

[1] https://www.debian.org/doc/debian-policy/#changelog-files
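
The working-directory problem described for dnsrecon above, reproduced in a throwaway sandbox as an added example (not part of the original message and not the package's code). `tool.sh`, `tool-cd`, `tool-abs` and the directory layout are hypothetical stand-ins for the upstream script, a helper that changes directory, and a wrapper that does not.

```shell
#!/bin/sh
# Constructed sandbox: $root/share stands in for /usr/share/dnsrecon,
# $root/work for the directory the user runs the command from.
setup() {
    root=$(mktemp -d)
    mkdir -p "$root/share/lib" "$root/bin" "$root/work"
    # Stand-in tool: needs its lib/ directory, writes to the path after --xml.
    cat > "$root/share/tool.sh" <<'EOF'
#!/bin/sh
here=$(dirname "$0")
[ -d "$here/lib" ] || { echo "lib not found" >&2; exit 1; }
[ "$1" = "--xml" ] && echo "<result/>" > "$2"
EOF
    # Wrapper A: changes directory before starting the tool.
    printf '#!/bin/sh\ncd "%s/share" && exec sh ./tool.sh "$@"\n' "$root" \
        > "$root/bin/tool-cd"
    # Wrapper B: starts the tool by absolute path; the tool finds lib/ relative
    # to its own location, so the caller's working directory is untouched.
    printf '#!/bin/sh\nexec sh "%s/share/tool.sh" "$@"\n' "$root" \
        > "$root/bin/tool-abs"
    echo "$root"
}

# Run a wrapper from the user's directory with a relative output path and
# report which directory the file actually landed in.
where_written() {
    root=$1; wrapper=$2
    rm -f "$root/work/out.xml" "$root/share/out.xml"
    (cd "$root/work" && sh "$root/bin/$wrapper" --xml out.xml) || return 1
    if [ -f "$root/work/out.xml" ]; then echo work
    elif [ -f "$root/share/out.xml" ]; then echo share
    else echo missing; fi
}

root=$(setup)
echo "cd wrapper:  out.xml written under $(where_written "$root" tool-cd)/"
echo "abs wrapper: out.xml written under $(where_written "$root" tool-abs)/"
rm -rf "$root"
```

On an installed system the equivalent of `share/` is root-owned, so with the first wrapper an unprivileged user's relative `--xml` path fails to write, and relative input paths such as `--dictionary` are looked up in the wrong place.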
