Bug#819394: RFS: stormlib/9.20-1 [ITP]

2016-05-19 Thread Pali Rohár
On Wednesday 27 April 2016 13:01:20 Gianfranco Costamagna wrote:
> Hi, the packaging seems good now, I would like to ask you a final question:
> 
> how do you feel about using the same license for debian packaging and 
> upstream?
> (asking about changing GPL-3+ to MIT).

Ok, I changed debian files to MIT (same as upstream).

> Forwarding patches otherwise would be impossible without a relicense.
> 
> and the copyright still needs to be updated:
> 
> >So in this case, how to update copyright? Just for src/lzma? Or for all
> >other embedded libraries even when they are not used and needed?
> 
> 
> you have to list *every* copyright and license on copyright file, regardless
> of it being used or not.
> This is a showstopper for ftpmasters.

Done, now all embedded libraries have entry in copyright file.

Package is now updated on mentors server. Something more is needed?

-- 
Pali Rohár
pali.ro...@gmail.com



Bug#819394: RFS: stormlib/9.20-1 [ITP]

2016-04-27 Thread Dominique Dumont
On Wednesday 27 April 2016 13:01:20 Gianfranco Costamagna wrote:
> >So in this case, how to update copyright? Just for src/lzma? Or for all
> >other embedded libraries even when they are not used and needed?
> 
> you have to list *every* copyright and license on copyright file, regardless
> of it being used or not.
> This is a showstopper for ftpmasters.

You may want to give "cme update dpkg-copyright" a try.

See 
https://github.com/dod38fr/config-model/wiki/Updating-debian-copyright-file-with-cme

HTH
-- 
 https://github.com/dod38fr/   -o- http://search.cpan.org/~ddumont/
http://ddumont.wordpress.com/  -o-   irc: dod at irc.debian.org



Bug#819394: RFS: stormlib/9.20-1 [ITP]

2016-04-27 Thread Gianfranco Costamagna
Hi, the packaging seems good now, I would like to ask you a final question:

how do you feel about using the same license for debian packaging and upstream?
(asking about changing GPL-3+ to MIT).

Forwarding patches otherwise would be impossible without a relicense.

and the copyright still needs to be updated:

>So in this case, how to update copyright? Just for src/lzma? Or for all
>other embedded libraries even when they are not used and needed?


you have to list *every* copyright and license on copyright file, regardless
of it being used or not.
This is a showstopper for ftpmasters.


let me know,

Gianfranco





On Monday 18 April 2016 22:24, Pali Rohár wrote:
Now I updated stormlib package on mentors.debian.net.


-- 
Pali Rohár
pali.ro...@gmail.com



Bug#819394: RFS: stormlib/9.20-1 [ITP]

2016-04-18 Thread Pali Rohár
Now I updated stormlib package on mentors.debian.net.

-- 
Pali Rohár
pali.ro...@gmail.com




Bug#819394: RFS: stormlib/9.20-1 [ITP]

2016-04-18 Thread Pali Rohár
On Monday 18 April 2016 19:08:09 Gianfranco Costamagna wrote:
> Hi again
> 
> >ok, so maybe this might be a question for -mentors.
> >did you try to make the debhelper dependency more explicit?
> >e.g. >= 9.0.whatever
> >
> >IIRC some checks were added based on the debhelper version
> 
> When building programs that handle untrusted data (parsers, network
> listeners, etc.), or run with elevated privileges (PAM, X, etc.),
> please enable "PIE" and "BINDNOW" in the build. The "all" option
> enables "PIE" and "BINDNOW" and future hardening flags:
> 
> export DEB_BUILD_MAINT_OPTIONS = hardening=+all
> 
> did you try that?

Now trying, and I do not see difference between adding that option and 
not adding. And even worse I'm not able to reproduce that error 
hardening-no-bindnow :-(

> >not sure here, I'm not a symbols-savvy man :(
> >please ask on -mentors and come back if you have fixes for them...
> 
> man dpkg-gensymbols should help there...

Did not help.

Anyway, symbols file supports regex, so I added: (regex|optional).*

-- 
Pali Rohár
pali.ro...@gmail.com




Bug#819394: RFS: stormlib/9.20-1 [ITP]

2016-04-18 Thread Gianfranco Costamagna


Hi again

>ok, so maybe this might be a question for -mentors.
>did you try to make the debhelper dependency more explicit?
>e.g. >= 9.0.whatever
>
>IIRC some checks were added based on the debhelper version


When building programs that handle untrusted data (parsers, network listeners, 
etc.), or run with elevated privileges (PAM, X, etc.), please enable "PIE" and 
"BINDNOW" in the build. The "all" option enables "PIE" and "BINDNOW" and future 
hardening flags:

export DEB_BUILD_MAINT_OPTIONS = hardening=+all

did you try that?

>not sure here, I'm not a symbols-savvy man :(
>please ask on -mentors and come back if you have fixes for them...


man dpkg-gensymbols should help there...

g.



Bug#819394: RFS: stormlib/9.20-1 [ITP]

2016-04-18 Thread Gianfranco Costamagna
Hi,




>You are looking at wrong file! We do not use Makefile.linux, but 
>CMakeLists.txt. And then cmake in /<>/obj-x86_64-linux-gnu 
>directory generate own Makefile, nothing from Makefile.linux.


ok, so maybe this might be a question for -mentors.
did you try to make the debhelper dependency more explicit?
e.g. >= 9.0.whatever

IIRC some checks were added based on the debhelper version


>Will making them as "private" helps? And how to do that? Or better, how 
>to ignore all symbols except those which are whitelisted specified in 
>debian/libstorm9.symbols file?


not sure here, I'm not a symbols-savvy man :(
please ask on -mentors and come back if you have fixes for them...

thanks!

Gianfranco



Bug#819394: RFS: stormlib/9.20-1 [ITP]

2016-04-18 Thread Pali Rohár
On Monday 18 April 2016 18:31:42 Gianfranco Costamagna wrote:
> Hi Pali,
> 
> >Ehm... repacking is ugly!
> 
> I agree here
> 
> >Ok, I can ask, but I doubt that upstream will do that. This is
> >windows project and in windows world is PGP not supported by Visual
> >Studio/MS. (We can be happy that library working fine under linux
> >with gcc :-))
> 
> asking is free :)
> 
> > >hardening-no-bindnow usr/lib/libstorm.so.9.0.0
> > >==> How to do that for current debian/rules which uses cmake?
> > 
> > https://wiki.debian.org/HardeningWalkthrough
> >
> >As a workaround appending CPPFLAGS to CFLAGS and CXXFLAGS should
> >work in most cases. Debhelper (since 0.9.20120417, only with
> >compat=9 and dh_auto* commands!) and cdbs (since 0.4.110) handle
> >this automatically so the workaround is no longer necessary if they
> >are used.
> >
> >As you can see debhelper 9.2015 is in Debian and stormlib has
> >compat=9. So what to do?
> 
> well, there is an implicit declaration in that wiki:
> the upstream makefile should not override Debian flags :)
> 
> 
> in Makefile.linux
> DFLAGS = -D__SYS_ZLIB
> OFLAGS =
> LFLAGS = -lbz2 -lz
> CFLAGS = -fPIC -D_7ZIP_ST
> CFLAGS += $(OFLAGS) $(DFLAGS)
> 
> 
> I guess a += instead of = will fix the issue.

You are looking at wrong file! We do not use Makefile.linux, but 
CMakeLists.txt. And then cmake in /<>/obj-x86_64-linux-gnu 
directory generate own Makefile, nothing from Makefile.linux.

> >And this did not help me either! I read debian lintian description
> >for symbols-file-contains-current-version-with-debian-revision
> >before.
> >
> >File debian/libstorm9.symbols already contains *all* public
> >functions which can be used by other libraries. And all those
> >functions do not have any debian suffix.
> >
> >So I do not understand why it show error message and even how to fix
> >it.
> 
> I did a build, opened the deb file/control/shlibs (or whatever is
> called) indeed, *your* exported symbols are fine, but many public
> symbols are missing (note: this is a build failures on
> debian-buildds)
> 
> look e.g.
> http://debomatic-amd64.debian.net/distribution#unstable/stormlib/9.20-1/buildlog
> 
> you need to list all of them, or make them private

Now I see couple of symbols, but those are not public. They are private 
and probably without stable ABI. For sure they should not be listed or 
used in Debian.

Will making them as "private" helps? And how to do that? Or better, how 
to ignore all symbols except those which are whitelisted specified in 
debian/libstorm9.symbols file?

> dh_makeshlibs
> dpkg-gensymbols: warning: some new symbols appeared in the symbols
> file: see diff output below dpkg-gensymbols: warning:
> debian/libstorm9/DEBIAN/symbols doesn't match completely
> debian/libstorm9.symbols
> 
> making makeshlibs sad is a build failure here!
> 
> HTH,
> 
> Gianfranco

-- 
Pali Rohár
pali.ro...@gmail.com




Bug#819394: RFS: stormlib/9.20-1 [ITP]

2016-04-18 Thread Gianfranco Costamagna
Hi Pali,




>Ehm... repacking is ugly!


I agree here

>Ok, I can ask, but I doubt that upstream will do that. This is windows 
>project and in windows world is PGP not supported by Visual Studio/MS.
>(We can be happy that library working fine under linux with gcc :-))


asking is free :)

> >hardening-no-bindnow usr/lib/libstorm.so.9.0.0
> >==> How to do that for current debian/rules which uses cmake?
> 
> https://wiki.debian.org/HardeningWalkthrough
>As a workaround appending CPPFLAGS to CFLAGS and CXXFLAGS should work in 
>most cases. Debhelper (since 0.9.20120417, only with compat=9 and 
>dh_auto* commands!) and cdbs (since 0.4.110) handle this automatically 
>so the workaround is no longer necessary if they are used.
>
>As you can see debhelper 9.2015 is in Debian and stormlib has compat=9. 
>So what to do?


well, there is an implicit declaration in that wiki:
the upstream makefile should not override Debian flags :)


in Makefile.linux
DFLAGS = -D__SYS_ZLIB
OFLAGS =
LFLAGS = -lbz2 -lz
CFLAGS = -fPIC -D_7ZIP_ST
CFLAGS += $(OFLAGS) $(DFLAGS)


I guess a += instead of = will fix the issue.

>And this did not help me either! I read debian lintian description for 
>symbols-file-contains-current-version-with-debian-revision before.
>
>File debian/libstorm9.symbols already contains *all* public functions 
>which can be used by other libraries. And all those functions do not 
>have any debian suffix.
>
>So I do not understand why it show error message and even how to fix it.


I did a build, opened the deb file/control/shlibs (or whatever is called)
indeed, *your* exported symbols are fine, but many public symbols are missing
(note: this is a build failures on debian-buildds)

look e.g.
http://debomatic-amd64.debian.net/distribution#unstable/stormlib/9.20-1/buildlog

you need to list all of them, or make them private

dh_makeshlibs
dpkg-gensymbols: warning: some new symbols appeared in the symbols file: see diff output below
dpkg-gensymbols: warning: debian/libstorm9/DEBIAN/symbols doesn't match completely debian/libstorm9.symbols

making makeshlibs sad is a build failure here!

HTH,

Gianfranco



Bug#819394: RFS: stormlib/9.20-1 [ITP]

2016-04-18 Thread Pali Rohár
On Monday 18 April 2016 17:58:03 Gianfranco Costamagna wrote:
> Hi,
> 
> >source-contains-prebuilt-windows-binary storm_dll/storm.dll
> >==> Not possible, problem with original upstream tarball
> 
> you can, google for "debian source" repack.
> Anyway, since this isn't a license violation, nevermind!

Ehm... repacking is ugly!

> >debian-watch-may-check-gpg-signature
> >==> Not possible, upstream does not provide such feature
> 
> you can ask them to start signing them :)

Ok, I can ask, but I doubt that upstream will do that. This is windows 
project and in windows world is PGP not supported by Visual Studio/MS.
(We can be happy that library working fine under linux with gcc :-))

> >hardening-no-bindnow usr/lib/libstorm.so.9.0.0
> >==> How to do that for current debian/rules which uses cmake?
> 
> https://wiki.debian.org/HardeningWalkthrough

I already read this and there is written:

As a workaround appending CPPFLAGS to CFLAGS and CXXFLAGS should work in 
most cases. Debhelper (since 0.9.20120417, only with compat=9 and 
dh_auto* commands!) and cdbs (since 0.4.110) handle this automatically 
so the workaround is no longer necessary if they are used.

As you can see debhelper 9.2015 is in Debian and stormlib has compat=9. 
So what to do?

> >symbols-file-contains-current-version-with-debian-revision on symbol
> >AsciiToLowerTable@Base and 215 others ==> What does this mean and
> >how to fix it?
> 
> http://lmgtfy.com/?q=symbols-file-contains-current-version-with-debian-revision
> 
> :) google is your friend, and lintian too.

And this did not help me either! I read debian lintian description for 
symbols-file-contains-current-version-with-debian-revision before.

File debian/libstorm9.symbols already contains *all* public functions 
which can be used by other libraries. And all those functions do not 
have any debian suffix.

So I do not understand why it show error message and even how to fix it.

-- 
Pali Rohár
pali.ro...@gmail.com




Bug#819394: RFS: stormlib/9.20-1 [ITP]

2016-04-18 Thread Gianfranco Costamagna
Hi,



>source-contains-prebuilt-windows-binary storm_dll/storm.dll
>==> Not possible, problem with original upstream tarball


you can, google for "debian source" repack.
Anyway, since this isn't a license violation, nevermind!

>debian-watch-may-check-gpg-signature
>==> Not possible, upstream does not provide such feature


you can ask them to start signing them :)

>hardening-no-bindnow usr/lib/libstorm.so.9.0.0
>==> How to do that for current debian/rules which uses cmake?


https://wiki.debian.org/HardeningWalkthrough

>symbols-file-contains-current-version-with-debian-revision on symbol 
>AsciiToLowerTable@Base and 215 others
>==> What does this mean and how to fix it?


http://lmgtfy.com/?q=symbols-file-contains-current-version-with-debian-revision

:) google is your friend, and lintian too.


bests,

Gianfranco



Bug#819394: RFS: stormlib/9.20-1 [ITP]

2016-04-18 Thread Pali Rohár
On Friday 15 April 2016 16:21:16 Gianfranco Costamagna wrote:
> please also try to fix lintian and symbols
> http://debomatic-amd64.debian.net/distribution#unstable/stormlib/9.20-1/lintian

source-contains-prebuilt-windows-binary storm_dll/storm.dll
==> Not possible, problem with original upstream tarball

debian-watch-may-check-gpg-signature
==> Not possible, upstream does not provide such feature

hardening-no-bindnow usr/lib/libstorm.so.9.0.0
==> How to do that for current debian/rules which uses cmake?

symbols-file-contains-current-version-with-debian-revision on symbol 
AsciiToLowerTable@Base and 215 others
==> What does this mean and how to fix it?

-- 
Pali Rohár
pali.ro...@gmail.com



Bug#819394: RFS: stormlib/9.20-1 [ITP]

2016-04-18 Thread Pali Rohár
On Friday 15 April 2016 16:16:34 Gianfranco Costamagna wrote:
> *too* many embedded libraries, please try to exclude them, or list the 
> copyrights correctly.
> 
> libtomcrypt
> libtommath
> bzip2
> zlib
> lzma

Upstream tarball comes with all those embedded libraries included. But
for Debian we use system version of zlib, bzip2, libtomcrypt and
libtommath libraries (see cmake switch and CMakeLists.txt).

Lzma implementation in stormlib is different as in Debian and Debian
does not provide version with compatible API/ABI.

So in this case, how to update copyright? Just for src/lzma? Or for all
other embedded libraries even when they are not used and needed?

> std-version is 3.9.8 please update
> watch file is broken "" needs to be changed

Ok.

> static libraries --> why?

Lot of (or maybe all?) Debian packages with -dev suffix contains also
static linked .a library. So stormlib build it too...

-- 
Pali Rohár
pali.ro...@gmail.com



Bug#819394: RFS: stormlib/9.20-1 [ITP]

2016-04-15 Thread Gianfranco Costamagna
please also try to fix lintian and symbols
http://debomatic-amd64.debian.net/distribution#unstable/stormlib/9.20-1/lintian




On Friday 15 April 2016 18:16, Gianfranco Costamagna wrote:
control: owner -1 !
control: tags -1 moreinfo

*too* many embedded libraries, please try to exclude them, or list the 
copyrights correctly.



libtomcrypt
libtommath
bzip2
zlib
lzma

std-version is 3.9.8 please update
watch file is broken "" needs to be changed

static libraries --> why?



let me know about the above points, and I'll do another review!

cheers,

G.



On Monday 28 March 2016 1:57, Pali Rohár wrote:
Package: sponsorship-requests
Severity: wishlist

Dear mentors,

I am looking for a sponsor for my package "stormlib"

* Package name: stormlib
   Version : 9.20-1
   Upstream Author : Ladislav Zezula 
* URL : http://www.zezula.net/en/mpq/stormlib.html
* License : MIT
   Section : libs

It builds those binary packages:

  libstorm-dev - Library for accessing the MPQ archives (development files)
  libstorm9  - Library for accessing the MPQ archives

To access further information about this package, please visit the following 
URL:

http://mentors.debian.net/package/stormlib


Alternatively, one can download the package with dget using this command:

  dget -x http://mentors.debian.net/debian/pool/main/s/stormlib/stormlib_9.20-1.dsc

More information about stormlib can be obtained from 
http://www.zezula.net/en/mpq/stormlib.html.

Changes since the last upload:

  * Initial release (Closes: #819380)


Regards,
Pali Rohár



Bug#819394: RFS: stormlib/9.20-1 [ITP]

2016-04-15 Thread Gianfranco Costamagna
control: owner -1 !
control: tags -1 moreinfo

*too* many embedded libraries, please try to exclude them, or list the 
copyrights correctly.



libtomcrypt
libtommath
bzip2
zlib
lzma

std-version is 3.9.8 please update
watch file is broken "" needs to be changed

static libraries --> why?



let me know about the above points, and I'll do another review!

cheers,

G.


On Monday 28 March 2016 1:57, Pali Rohár wrote:
Package: sponsorship-requests
Severity: wishlist

Dear mentors,

I am looking for a sponsor for my package "stormlib"

* Package name: stormlib
   Version : 9.20-1
   Upstream Author : Ladislav Zezula 
* URL : http://www.zezula.net/en/mpq/stormlib.html
* License : MIT
   Section : libs

It builds those binary packages:

  libstorm-dev - Library for accessing the MPQ archives (development files)
  libstorm9  - Library for accessing the MPQ archives

To access further information about this package, please visit the following 
URL:

http://mentors.debian.net/package/stormlib


Alternatively, one can download the package with dget using this command:

  dget -x http://mentors.debian.net/debian/pool/main/s/stormlib/stormlib_9.20-1.dsc

More information about stormlib can be obtained from 
http://www.zezula.net/en/mpq/stormlib.html.

Changes since the last upload:

  * Initial release (Closes: #819380)


Regards,
Pali Rohár



Bug#819394: RFS: stormlib/9.20-1 [ITP]

2016-03-27 Thread Pali Rohár
Package: sponsorship-requests
Severity: wishlist

Dear mentors,

I am looking for a sponsor for my package "stormlib"

 * Package name: stormlib
   Version : 9.20-1
   Upstream Author : Ladislav Zezula 
 * URL : http://www.zezula.net/en/mpq/stormlib.html
 * License : MIT
   Section : libs

It builds those binary packages:

  libstorm-dev - Library for accessing the MPQ archives (development files)
  libstorm9  - Library for accessing the MPQ archives

To access further information about this package, please visit the following 
URL:

http://mentors.debian.net/package/stormlib


Alternatively, one can download the package with dget using this command:

  dget -x http://mentors.debian.net/debian/pool/main/s/stormlib/stormlib_9.20-1.dsc

More information about stormlib can be obtained from 
http://www.zezula.net/en/mpq/stormlib.html.

Changes since the last upload:

  * Initial release (Closes: #819380)


Regards,
 Pali Rohár

