Hi Helmut, On Thu, 30 Jul 2015 at 22:21:21 +0200, Helmut Grohne wrote: > Thanks for your work on dropbear. Much appreciated.
And thanks for the extensive feedback! I know it's quite a heavy
changelog, so I didn't really expect anyone other than Gerrit perhaps to
check it out that closely.
> On Sat, Jul 11, 2015 at 03:20:52PM +0200, Guilhem Moulin wrote:
>> Note that while the current maintainer (Gerrit, CC'ed) told me to go
>> ahead and proceed with a NMU, they are not able to sponsor me at the
>> moment. Furthermore I'm currently a DM and would be open to
>> co-maintenance once time is ripe.
>
> My reading of Gerrit's mail is a bit more limited. He wrote to d-devel:
> | Unfortunately I cannot support you, but don't hesitate to NMU the
> | dropbear package to be able to proceed.
>
> May be this is hair-splitting, but I'd read this as NMUing specifically
> for the purpose of splitting out the initramfs stuff (and then moving it
> to a different source package). I'd not assume that doing a new upstream
> release is covered by the above. Maybe Gerrit can clarify that or we can
> go via a delayed queue.
Yeah true, I might have taken too much liberty here. I noticed upstream
was already two releases ahead so I wildly pulled in the new tarball :-/
(plus it fixed #775222 ;-) Then I couldn't split the package without
doing major refactoring (which thanks to debhelper automatically solved
#689618, #692932, #777324, #793006, #793917). And later I guess I got
carried away with enthusiasm on the way and decided to try to fix the
remaining bugs (some of them were quite old, and most fixes were rather
easy; at least the one relevant to the initramfs feature, which didn't
seem to be maintained anymore, and which bothered me personally since I
use this feature myself) :-P
> Despite me having lots of comments, your changes are actually of high
> quality. Don't get scared! Some comments are picky/matter of taste. Feel
> free to disagree.
No worries. Constructive criticism never hurts anyway ;-)
> Since you bump the upstream release your NMU version should be -0.1
> instead of -1.1.
Thanks, fixed.
> I note that the new tilde expansion functionality in the upstream
> release is a bit strange. If my own home is "/home/helmut", it will
> expand "~/foo" to "/home/helmut//foo" (note the double slash). Worse, it
> will expand expand "~otheruser/foo" to "/home/helmut/otheruser/foo",
> which does not match the general expectation of tilde expansion.
Well spotted. I guess one ought to file a bug.
> Gerrit asked for the binaries to be located in "dropbear", but you place
> them in "dropbear-bin". Maybe Gerrit can also ack this? (It was stated
> as a preference.)
In fact in a later mail in the d-d thread Gerrit agreed to make
“dropbear” a transitional package and place binaries to “dropbear-bin”,
as suggested to me by Adam Borowski:
https://lists.debian.org/debian-devel/2015/06/msg00290.html
> Since dropbear-initramfs relies on initramfs-tools 0.94 features, the
> dependency should be versioned.
Thanks, fixed. (Didn't think it mattered since even oldoldstable has
said feature.)
> If you disable password logins by default, please mention in a NEWS
> entry!
It was never enabled in the initramfs (disabling it without notice would
have been foolish otherwise, indeed). The change I made (initramfs-only
only) is to no longer make the server *advertise* it, so that clients
won't prompt for a password and try to send it to the server (which is
bound to reject it anyway). Sorry for the confusion.
> Would it make sense to install the NEWS file to the transitional package
> only? (i.e. mv debian/NEWS debian/dropbear.NEWS)
Yes it would! Fixed, thanks for the suggestion.
> It might be safer in the future if dropbear-{initramfs,run} use a (=
> ${binary:Version}) dependency on dropbear-bin. Will you remember to bump
> such a dependency when dropbear-run starts to use a new option? (But
> --link-doc incurs this dependency anyway.)
You mean if upstream starts deprecate options used in
dropbear-{initramfs,run}? Which by the way seems to happen right now
with ‘-d’ with is now an alias for ‘-r’ but has been removed from the
manpage, see #761143. (And now I realize I could have written a note
regarding s/-d/-r/ in the NEWS regarding that change :-/)
Yeah that makes sense, I tightened the dependency by specifying the
${binary:Version}.
> Please consider whether Multi-Arch:foreign markings are appropriate for
> some packages.
Alright, this one is new to me. I'm not sure how blindly I can follow
https://wiki.debian.org/Multiarch/Implementation#dh.281.29_and_autotools
because dropbear-bin ships an executable ‘/usr/lib/dropbear/dropbearconvert’.
So checked the package source for openssh and found that openssh-server
uses Multi-Arch:foreign, but openssh-sftp-server, which ships
‘/usr/lib/openssh/sftp-server’, doesn't. So all in all I'm unsure what
to in my case.
> Why are dropbear-{initramfs,run} marked as Architecture:any? Do they
> contain any architecture specific files? Is that an artifact of
> --link-doc only? Maybe reconsider whether --link-doc is worth
> duplicating these packages for each architecture.
Yes, it's to make dh_installdocs happy, and avoid it spitting
WARNING: --link-doc between architecture all and not all packages breaks
binNMUs
What are you suggesting as an alternative?
> I think it is an unfortunate choice to license the initramfs unlock
> stuff under GPL when the rest of the package is MIT. That's your choice
> of course. The mixing of GPL-2+ and GPL-3+ doesn't make things better.
Well I'd agree it doesn't hurt either (beside making the copyright file
longer) :-P. Anyway the original author of the initramfs feature chose
GPL-2+ back in 2008, so I picked the same license when working on the
same file.
> Your GPL license paragraphs should include the actual license grant, not
> just the reference to the GPL. (I think this point would be sufficient
> for a ftp-master rejection. This incurs the moreinfo tag.)
Oops. I believe I started doing that quite a while ago when I learned
packaging by example. I think took that one from git-annex
http://source.git-annex.branchable.com/?p=source.git;a=blob;f=debian/copyright
That said I'm happy to learn more and I have added the header already.
> dropbear-initramfs.postinst exits before running #DEBHELPER# unless $1
> is "configure". #DEBHELPER# should be run unconditionally.
Good catch, thanks.
> In dropbear-initramfs.postinst, when ssh-keygen is unavailable, the
> creation of the $pubkey could be avoided.
This one is really nitpicking IMHO :-P Fixed anyway.
> Some of those comments also apply to dropbear-run.postinst.
Fixed.
> It should not be necessary to pass --host to dh_auto_configure, as it
> does that automatically for cross builds only.
Didn't know that. Fixed, thanks.
> You pass CFLAGS to dh_auto_configure. Why do you not pass CPPFLAGS or
> LDFLAGS to configure? Both typically enable further hardening features.
No I *extend* CFLAGS with -DSFTPSERVER_PATH='"/usr/lib/sftp-server"'.
Aren't CPPFLAGS and LDFLAGS passed as is already? The build log seems
to suggests it at least.
> In general, I'd find sponsoring this NMU much easier if the package
> split and the fixing of those many bugs could happen in separate
> uploads. Each part is complex and the fallout is hard to estimate. I
> understand that such a separation would mean more work for you. Do you
> think that doing this in two steps is worth the added effort?
Actually I spitted the package after merging the new upstream version
(which is easily revertible anyway), but *before* starting fixing bugs
in the BTS, so maybe it wouldn't be that hard to perform the upload in
two steps.
https://gitweb.guilhem.org/dropbear
That said, while I understand the heavy changelog is frown upon by
potential sponsors, I have to say I would find it quite frustrating if
my work on this package, including the fixes to the many bugs regarding
dropbear-initramfs (which I heavily rely on in my own infrastructure),
wasn't eventually uploaded :-P
However any step in the right direction is good to take IMHO :-) So
thanks again for your feedback and interest!
--
Guilhem.
signature.asc
Description: Digital signature
