Control: tags -1 moreinfo

Hi Daniel,

thanks for working on the package, I appreciate the progress!

I've enabled CI for the package on salsa, in case you're wondering about
that.

Let me continue with the review; as said, the last one was only a short
review.

- lintian 
    W: libapache2-mod-authn-otp source: timewarp-standards-version (2022-05-05 < 2022-12-17)
    
    (You need to touch the date on d/changelog… hint: dch -r "" )
    
    I: libapache2-mod-authn-otp: hardening-no-bindnow [usr/bin/genotpurl]
    I: libapache2-mod-authn-otp: hardening-no-bindnow [usr/bin/otptool]
    
    These could be false positives; please review whether this is a true
    finding or a false positive, e.g. some compiler flags are not passed
    appropriately.
    (There's a wiki page on wiki.d.o about hardening:
    https://wiki.debian.org/Hardening)

    Update: CI revealed that these are indeed missing compiler flags.
    I also see that in configure.ac CFLAGS are replaced, not amended.

- d/copyright is incomplete / inaccurate.
  d/copyright needs to reflect what the code says, and must be "verbatim".
  For example, you write "2009-"; the "-" is incorrect, a correct span
  needs to have a target. In the case of this source (but I did only
  grep on it), it seems that it should be 2009 only.
  - Please make sure every license is covered. For example, base32.c has a
  different license and copyright holder.

- upstream tarball differs in hash.
  
  Probably a pristine-tar issue, if you re-generated the tarball from
  there. Please use the tarball retrieved from upstream:

  sha256 sums:
  c2c41cd3404d1d9560e38a92d1afc70751d3d569978e8b4fe7e4a53b5e806033  upstream/1.1.10.tar.gz
  9151b4ee47680ef21ba89b66bb45a4b49c5d5a33cf12562507d6405e3d61f480  mentors/libapache2-mod-authn-otp_1.1.10.orig.tar.gz

- (not required to be fixed for this upload)
The package does not cross-compile. It would be nice if that could be
fixed.

- There is a warning emitted by the compiler that indicates that there
  might be a buffer overflow. Please investigate and patch if required.
  (I did not investigate the context of the usage of snprintf, e.g. in
  motp.c, but this might well have security impact.)


-- 
Cheers,
tobi

On Fri, Nov 17, 2023 at 07:03:30PM +0000, Daniel Fancsali wrote:
> Control: tag - moreinfo
> 
> Thanks for the review Tobias.
> 
> Well, that happens if you put something on the back-burner for some time. ;)
> 
> I do apologise...
> 
> All should be fixed now.
> 
> Cheers,
> Daniel
> 

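The snprintf() pattern behind the compiler warning mentioned in the last review item, shown as an added example that is not part of the original message and is not code from libapache2-mod-authn-otp or its motp.c. The buffer size, the line format and the function names (append_fmt, build_otp_line, check_otp_line) are hypothetical; the example shows the unsafe idiom in a comment and a replacement that rejects output that does not fit instead of truncating it or overrunning the buffer.

```c
/* Added example: hardened use of snprintf() for a fixed-size buffer.
 * Not code from libapache2-mod-authn-otp; names and formats are hypothetical. */
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size output buffer, as a helper tool might use. */
#define LINE_MAX_LEN 32

/*
 * Append formatted text at *pos inside buf[cap]. Returns true on success,
 * false if the output would not fit. On failure buf[*pos] is reset to NUL
 * and *pos is left unchanged, so the caller never continues with a
 * truncated string or an out-of-range offset.
 *
 * The hazard this avoids: snprintf() returns the length the full output
 * WOULD have had, not what was written. The common chaining idiom
 *     pos += snprintf(buf + pos, cap - pos, ...);
 * lets pos exceed cap after one truncation; the next call then computes
 * cap - pos as a huge size_t (unsigned wraparound) and snprintf() writes
 * past the end of buf. That is the kind of usage -Wformat-overflow /
 * -Wformat-truncation flags.
 */
static bool append_fmt(char *buf, size_t cap, size_t *pos, const char *fmt, ...)
{
    va_list ap;
    if (*pos >= cap)
        return false;
    va_start(ap, fmt);
    int n = vsnprintf(buf + *pos, cap - *pos, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= cap - *pos) {
        buf[*pos] = '\0';   /* discard the partial output */
        return false;
    }
    *pos += (size_t)n;
    return true;
}

/* Build "user:CODE:counter" into a caller-supplied buffer of cap bytes.
 * Returns 0 on success, -1 if the line does not fit (out is then ""). */
int build_otp_line(char *out, size_t cap, const char *user,
                   unsigned code, unsigned long counter)
{
    size_t pos = 0;
    if (cap == 0)
        return -1;
    out[0] = '\0';
    if (!append_fmt(out, cap, &pos, "%s", user) ||
        !append_fmt(out, cap, &pos, ":%06u", code) ||
        !append_fmt(out, cap, &pos, ":%lu", counter)) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Build into a scratch buffer of cap bytes (cap <= LINE_MAX_LEN) and compare
 * with expected. Returns 1 if built and equal, 0 if rejected as too long,
 * -1 on a mismatch or an invalid cap. */
int check_otp_line(size_t cap, const char *user, unsigned code,
                   unsigned long counter, const char *expected)
{
    char buf[LINE_MAX_LEN];
    if (cap > sizeof buf)
        return -1;
    if (build_otp_line(buf, cap, user, code, counter) != 0)
        return 0;
    return strcmp(buf, expected) == 0 ? 1 : -1;
}

int main(void)
{
    char line[LINE_MAX_LEN];
    /* Constructed sample inputs */
    if (build_otp_line(line, sizeof line, "alice", 123456, 42) == 0)
        printf("ok: %s\n", line);
    if (build_otp_line(line, sizeof line,
                       "a-very-long-user-name-that-does-not-fit", 1, 1) != 0)
        printf("rejected: line does not fit in %zu bytes\n", sizeof line);
    return 0;
}
```

The boundary worth checking by hand: "alice:123456:42" is 15 characters, so it fits a 16-byte buffer (15 plus the terminating NUL) and is rejected for a 15-byte one rather than being cut to "alice:123456:4".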