Bug#953487: fixed in runescape 0.7-1

2020-04-13 Thread Carlos Donizete Froes
Hi Markus,

> I suggest we wait a little for a response from
> non-f...@buildd.debian.org before we make another upload. However if
> there is no response in two weeks, we can just proceed by making a
> binary upload of runescape.

Perfect, I will be waiting and I hope it is a positive answer. ;)

> Bug #956275 can be resolved by replacing the runescape.png icon. The
> license is most likely not BSD-2-clause. You should either document the
> correct license, the image must be distributable at least, or you can
> create or find your own icon. For instance you could create an image the
> same size with a black, red or blue background and then you add the R S
> initials in white. Simple icon, easily done.

Removed icon that does not belong to the BSD-2-clause license and created the
icon itself in SVG and PNG formats using the Inkscape software.[1]

[1] https://gitlab.com/coringao/runescape/-/blob/master/src/runescape.png

> Bug #956276 is about an additional verification step, e.g. to verify the
> integrity of the launcher with a hashsum. You could store the value in a
> text file in our Git repository and then fetch the value and compare it
> with the hashsum of the binary before you run the java command. By
> storing the value in Git we can adjust the value whenever there is a new
> runescape update without having to make another Debian upload. This
> could be especially useful for stable releases. In any case I would try
> to avoid hardcoding the value.
> 
> I don't consider bug #956276 release critical because there is no Debian
> Policy justification for it and there is no more risk involved than
> downloading the file with a web browser normally poses, so it should be
> treated as a normal or important bug. What you can and should do is to
> improve the package description. It should be clear that src:runescape
> is a mere script that downloads and runs the runescape launcher and that
> Debian cannot guarantee the integrity of this binary file because it is
> non-free and it is closed source. So simply warn about that in the
> package description and when your script is executed. The warning
> message could be displayed in a text terminal or you could use zenity to
> make it more user friendly and obvious.

Added verification of the downloaded file against a hash in good condition. I
thank Stephen Kitt for helping me. :D

I added a friendly warning when running the launcher via kdialog or zenity.[2]

[2] https://gitlab.com/coringao/runescape/-/blob/master/src/runescape.sh

Once approved by non-f...@buildd.debian.org, I will update the package to
version 0.8, where I will add this warning to the long description of
"debian/control" and depends: kdialog | zenity.

See you later!

-- 
⢀⣴⠾⠻⢶⣦⠀ Carlos Donizete Froes [a.k.a coringao]
⣾⠁⢠⠒⠀⣿⡁ Debian Wiki: https://wiki.debian.org/coringao
⢿⡄⠘⠷⠚⠋⠀ GPG: 4096R/B638B780
⠈⠳⣄⠀⠀⠀  2157 630B D441 A775 BEFF  D35F FA63 ADA6 B638 B780




Bug#953487: fixed in runescape 0.7-1

2020-04-10 Thread Carlos Donizete Froes
Hi Markus,

I hope everything is fine with you and your family.

> I had uploaded the new version of runescape to fix bug 953487 because
> you stated in
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953487#25
> 
> that the package has been whitelisted. Apparently this is not the case
> hence I am writing to non-f...@buildd.debian.org again and I kindly ask
> that runescape is whitelisted for autobuilding. The package is basically
> a script and the license allows autobuilding.

I am grateful that you uploaded this latest version of runescape, but I didn't
quite understand what happened in those discussions in the posted messages.

I will create a new icon and add a warning when starting the script, as
mentioned in the message https://bugs.debian.org/953487#54

I want to thank Stephen for offering help in solving the problem of validating
the downloaded JAR file, which I don't know how to do at the moment.

Thanks!

-- 
⢀⣴⠾⠻⢶⣦⠀ Carlos Donizete Froes [a.k.a coringao]
⣾⠁⢠⠒⠀⣿⡁ Debian Wiki: https://wiki.debian.org/coringao
⢿⡄⠘⠷⠚⠋⠀ GPG: 4096R/B638B780
⠈⠳⣄⠀⠀⠀  2157 630B D441 A775 BEFF  D35F FA63 ADA6 B638 B780




Bug#953487: fixed in runescape 0.7-1

2020-04-10 Thread Markus Koschany
I suggest we wait a little for a response from
non-f...@buildd.debian.org before we make another upload. However if
there is no response in two weeks, we can just proceed by making a
binary upload of runescape.

Bug #956275 can be resolved by replacing the runescape.png icon. The
license is most likely not BSD-2-clause. You should either document the
correct license, the image must be distributable at least, or you can
create or find your own icon. For instance you could create an image the
same size with a black, red or blue background and then you add the R S
initials in white. Simple icon, easily done.

Bug #956276 is about an additional verification step, e.g. to verify the
integrity of the launcher with a hashsum. You could store the value in a
text file in our Git repository and then fetch the value and compare it
with the hashsum of the binary before you run the java command. By
storing the value in Git we can adjust the value whenever there is a new
runescape update without having to make another Debian upload. This
could be especially useful for stable releases. In any case I would try
to avoid hardcoding the value.

I don't consider bug #956276 release critical because there is no Debian
Policy justification for it and there is no more risk involved than
downloading the file with a web browser normally poses, so it should be
treated as a normal or important bug. What you can and should do is to
improve the package description. It should be clear that src:runescape
is a mere script that downloads and runs the runescape launcher and that
Debian cannot guarantee the integrity of this binary file because it is
non-free and it is closed source. So simply warn about that in the
package description and when your script is executed. The warning
message could be displayed in a text terminal or you could use zenity to
make it more user friendly and obvious.

Regards,

Markus
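
Added example, not part of the thread and not the package's own runescape.sh: a POSIX shell sketch of the check described in the message above, where the reference SHA-256 is fetched from a text file kept in Git and compared with the downloaded launcher before java is started. The URL, the function names and the `java -jar` invocation are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; HASH_URL is a placeholder, not the project's real location.
HASH_URL="https://example.invalid/runescape/launcher.sha256"

# Take the first field of the fetched text ("<hash>" or "<hash>  <name>"),
# lowercase it, and accept it only if it is exactly 64 hex digits.
parse_hash() {
    h=$(printf '%s\n' "$1" | awk 'NR==1 {print tolower($1)}')
    case "$h" in
        ""|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#h}" -eq 64 ] || return 1
    printf '%s\n' "$h"
}

# Fetch the reference value over HTTPS only; any HTTP error is a failure.
fetch_expected_hash() {
    curl --fail --silent --show-error --proto '=https' --max-time 30 "$1"
}

# Return 0 on match, 1 on mismatch or unreadable file, 2 on a malformed reference.
verify_file() {
    expected=$(parse_hash "$2") || return 2
    actual=$(sha256sum -- "$1" 2>/dev/null | awk '{print $1}')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Fail closed: java is started only after a successful comparison.
launch_if_verified() {
    jar=$1
    raw=$(fetch_expected_hash "$HASH_URL") || {
        echo "cannot fetch reference hash, not starting $jar" >&2
        return 1
    }
    if verify_file "$jar" "$raw"; then
        exec java -jar "$jar"   # assumed invocation of the launcher
    fi
    echo "checksum mismatch, refusing to run $jar" >&2
    return 1
}
```

The comparison shows only that the download matches the value recorded in Git, so the repository and the HTTPS channel become the trust anchor. It says nothing about what the closed-source binary does, which is why the message also asks for a warning to the user.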





Bug#953487: fixed in runescape 0.7-1

2020-04-10 Thread Markus Koschany
Hello Carlos,

I had uploaded the new version of runescape to fix bug 953487 because
you stated in

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953487#25

that the package has been whitelisted. Apparently this is not the case
hence I am writing to non-f...@buildd.debian.org again and I kindly ask
that runescape is whitelisted for autobuilding. The package is basically
a script and the license allows autobuilding.

Thanks,

Markus





Bug#953487: fixed in runescape 0.7-1

2020-04-09 Thread Carlos Donizete Froes
Hi Ivo,

> This new version doesn't fix the autobuilding issue:
> 
> https://buildd.debian.org/status/package.php?p=runescape

I don't understand how the package still has the autobuilding problem. I did
several construction tests via pbuilder and sbuild and there were no problems,
as shown in the attached file. :/

> Looking at the package, I also discovered some other issues, which I will file
> as separate bugs.

Ok, if you can help me with the solution of these problems that you encountered,
I would be very grateful. And I will fix it as soon as possible.

Thanks!

-- 
⢀⣴⠾⠻⢶⣦⠀ Carlos Donizete Froes [a.k.a coringao]
⣾⠁⢠⠒⠀⣿⡁ Debian Wiki: https://wiki.debian.org/coringao
⢿⡄⠘⠷⠚⠋⠀ GPG: 4096R/B638B780
⠈⠳⣄⠀⠀⠀  2157 630B D441 A775 BEFF  D35F FA63 ADA6 B638 B780

Bug#953487: fixed in runescape 0.7-1

2020-04-09 Thread Ivo De Decker
Control: reopen -1

On Wed, Apr 08, 2020 at 10:20:28PM +, Debian FTP Masters wrote:
>  runescape (0.7-1) unstable; urgency=medium
>  .
>* New upstream release. (Closes: #953487, #953714)

This new version doesn't fix the autobuilding issue:

https://buildd.debian.org/status/package.php?p=runescape

Looking at the package, I also discovered some other issues, which I will file
as separate bugs.

Ivo