Control: tags -1 moreinfo
On Fri, Feb 02, 2018 at 10:09:12PM +0800, Boyuan Yang wrote:
> X-Debbugs-CC: t...@debian.org
> Control: tag -1 - moreinfo
> Hi tobi,
> Thanks for your review! In fact I didn't receive your reply before
> (don't know why) and I just noticed it via BTS web interface. Anyway
> here's the updated status:
> > - small typo in d/copyright: Alexander had maintained the package in
> > 2007 and 2008. Also it should be "Comment:" (singular)
> > - Please review d/copyright. I found at least one file which is not
> > properly recorded (wrong license and wrong copyright holder)
> Done. I looked into every source files in the repository this time.
Thanks for going over it!
But two things escaped your eyes:
- Left-tover "Comments:" on line 69
- license-reconsile finds that in the libqxt is BSD-licensed (eg.
> > - don't install README.md -- it does not have extra information beyond
> > a package description and compilation instructions (which are useless
> > for the users of the binary package)
> > There is also a slight bug in it: The URLs at the bottom seems
> > outdated, they will forward to the github project from the watch file.
> > Maybe at least report that to upstream.)
> Done. The typo was forwarded upstream and got fixed in trunk code.
Ok. You should reflect this in the dep3 header though.
Forwarded: no is not what you want, the measning for this field is
when it is a Debian specific patch (value not-needed) or if you did not
bother to forward it (yet) -- then it is "no",
Here You Want(tm) "Applied-Upstream"
followed by either the commit-id or the URL pointing to it.
(see the dep3 spec for details))
(This is also valid for the other patches you mentioned below)
> > - Please upstream the manpage (Alexander as upstream should include it
> > there so that other distributions will also benefit from it)
> I've filed an issue on upstream GitHub project.
> > - The embedded libqxt -- can you use the Debian packaged version?
> Sorry but nope -- If we take a look into libqxt in Debian, #875027 says that
> libqxt is unmaintained upstream and will be removed from Debian archive
> soon. Upstream git repository also suggested that all projects previously
> using libqxt should either migrate away from libqxt or embed part of its
> code to fit their own need.  That is exactly what qstardict
> upstream is doing,
> see also the GitHub issue .
>  https://bitbucket.org/libqxt/libqxt/wiki/Home
>  https://github.com/a-rodin/qstardict/issues/16
Well, this is not exactly how we deal with embedded code copies.
When a library is gonna be removed from Debian this is not a valid excuse to
have an embedded code copy of the same in another package. So the right thing
is (as you've done already) to bring it to upstreams' attention to get that
fixed before QT4 will be removed within this development cycle.
In this case the effort is probably not required to patch the buildsystem to
use the packaged version, as long as available, but when you follow the
instructions here: https://wiki.debian.org/EmbeddedCodeCopies
Keep me CC in the mail you send the notice to the security team.
> > - Some lintian stuff:
> > N: Processing binary package qstardict (version 1.3-1, arch amd64) ...
> > I: qstardict: spelling-error-in-binary usr/bin/qstardict writen written
> > I: qstardict: spelling-error-in-binary
> > usr/lib/qstardict/plugins/libstardict.so wil will
> > I: qstardict: spelling-error-in-binary
> > usr/lib/qstardict/plugins/libstardict.so formated formatted
> > I: qstardict: desktop-entry-lacks-keywords-entry
> > usr/share/applications/qstardict.desktop
> > (spelling errors should be at least sent upstream, but they
> > are quite easy to fix and then a patch can be sent upstream :))
> > note that the spelling errors might also needs fixing in the
> > translation templates.
> Fixes are submitted upstream and got merged. Patches are also cherry-picked
> in debian/patches directory.
> > - check-all-the-things also found a bit of stuff.
> I took a look and forwarded the information from cppcheck and flawfinder
> to upstream.
> - The watch file is not working.
> > Future homework (optional -- bonus points area ;-))
> I decided not to do them this time -- will come back to them after I get to
> know qstardict better with a period of app using experience.
> The new version is now uploaded onto mentors.debian.net and
> salsa.debian.org/debian/qstardict repository.
> Boyuan Yang
OK, round 2 done :)
Its almost good, let me know when done!