Bug#893377: RFS: taptempo/1.2.1-1 [ITP]
Hi François, I'm trying to apply for DD so I'm helping newcomers to review their packages. As agreed by Gianfranco, once we've finished polising the packaging, he will check and sponsor the package. Now your package is in good shape, and there is nothing left to be dealt with except for waiting for the sponsorship. Let's hope Gianfranco will find a time doing the sponsorship. Regards, On 9 April 2018 at 17:43, François Mazenwrote: > Hi Lumin, > > I just want to know if I must do something to go on with the > integration of TapTempo into Debian. > Should I submit again a RFS for the new package version? > > Thanks a lot for your help, > François > > > Le mardi 03 avril 2018 à 23:13 +0200, François Mazen a écrit : >> Hi Lumin, >> >> upload to mentors done, please check: >> https://mentors.debian.net/package/taptempo >> >> Regards, >> >> François >> >> >> >> Le mardi 03 avril 2018 à 06:17 +, Lumin a écrit : >> > Hi François, >> > >> > On 31 March 2018 at 21:59, François Mazen wrote: >> > > >> > > This program is useful to quickly find the tempo of a song. >> > > The idea is to type "taptempo" in a terminal, then hit enter key >> > > at >> > > each beat while hearing a song, and display the tempo. >> > > >> > > The targeted people are mainly musicians who need to transcribe >> > > music >> > > or play the song at the exact original tempo. The typical >> > > situation >> > > to >> > > use this software is when you are in a hurry and you don't have >> > > time to >> > > launch a big workstation like Ardour or Lmms in order to find the >> > > tempo. >> > >> > Got it. Thank you for this explanation. >> > >> > > >> > > > 8. When you have built the latest version of the modified >> > > > package, >> > > > you could run lintian against it: >> > > > >> > > > lintian -EviI --pedantic .changes >> > > > >> > > > There generally shouldn't be any Error or Warning. >> > > >> > > I've fixed all the error and the lintian output should be clean. >> > >> > You have done quite a good job making the package in a good shape, >> > and making the upstream very standard. >> > >> > By the way I'm surprised that you have fixed all lintian outputs, >> > including the pedantic stuff. The pedantic items are only optional, >> > not what must be fixed. Errors and Warnings should be dealt with, >> > and some lintian Info can even pass if the maintainer has a good >> > reason. >> > >> > In return everything's shining and in good shape :-) >> > >> > > Let me know if it still require more work. >> > >> > Nitpicking: >> > >> > 1. Please collapse the two lines in changelog into one. They refer >> > to >> > the same thing. >> > >> > - * Initial debian package. >> > - * Closes: #893306 >> > + * Initial debian package. (Closes: #893306) >> > >> > 2. there is still an autpkgtest problem: >> > >> > autopkgtest [07:01:02]: test version: [--- >> > spawn taptempo --version >> > couldn't execute "taptempo": no such file or directory >> > while executing >> > "spawn taptempo --version" >> > (file >> > "/tmp/autopkgtest.C3pEq9/build.uWo/src/debian/tests/version" line >> > 6) >> > autopkgtest [07:01:03]: test version: ---] >> > autopkgtest [07:01:03]: test version: - - - - - - - - - - results >> > - >> > - >> > - - - - - - - - >> > version FAIL non-zero exit status 1 >> > autopkgtest [07:01:03]: test version: - - - - - - - - - - stderr - >> > - >> > - - - - - - - - >> > couldn't execute "taptempo": no such file or directory >> > while executing >> > "spawn taptempo --version" >> > (file >> > "/tmp/autopkgtest.C3pEq9/build.uWo/src/debian/tests/version" line >> > 6) >> > >> > this can be fixed by the patch. It looks somewhat wired but we need >> > it. >> > >> > --- a/debian/tests/control >> > +++ b/debian/tests/control >> > @@ -1,2 +1,2 @@ >> > Tests: version, help, tempo >> > -Depends: expect >> > +Depends: expect, taptempo >> > >> > The autopkgtest result after patched: >> > >> > http://debomatic-amd64.debian.net/distribution#unstable/taptempo/1. >> > 3. >> > 0-1/autopkgtest >> > >> > build result: >> > >> > http://debomatic-amd64.debian.net/distribution#unstable/taptempo/1. >> > 3. >> > 0-1/buildlog >> > >> > > Should I update this new package to the mentors website? >> > >> > Yes, please fix the two problem mentioned above, and upload to >> > mentors. >> > >> > Thank you for you contribution to Debian, and have a good day. -- Best,
Bug#895337: RFS: 9wm/1.4.1-1
Package: sponsorship-requests Severity: normal Dear mentors, I am looking for a sponsor for my package "9wm" * Package name: 9wm Version : 1.4.1-1 Upstream Author : Jacob Adams* URL : https://github.com/9wm/9wm * License : Expat Section : x11 It builds those binary packages: 9wm - X11 window manager inspired by Plan 9's rio To access further information about this package, please visit the following URL: https://mentors.debian.net/package/9wm Alternatively, one can download the package with dget using this command: dget -x https://mentors.debian.net/debian/pool/main/9/9wm/9wm_1.4.1-1.dsc Changes since the last upload: 9wm (1.4.1-1) unstable; urgency=medium * New upstream version * Manual page now states that 9wm spawns a xterm by default (Closes: #864194) * Bump standards version; no changes -- Jacob Adams Mon, 09 Apr 2018 21:27:48 -0400 Regards, Jacob Adams signature.asc Description: OpenPGP digital signature
Bug#894772: RFS: deepin-system-monitor/1.4.3-1 [ITP]
On Mon 04/09 14:02, Adam Borowski wrote: > On Mon, Apr 09, 2018 at 05:29:14PM +0800, Yanhao Mo wrote: > > Hi, Adam > > Very thanks for checking my package and pointing these issues. > > I have communicate with upstream author of deepin-system-monitor, and he > > confirmed these security problems. As a result, he is willing to modify > > d-s-m sources to limited the privilege operations within a very small > > helper program with some capabilities, at the same time he > > will refactor gui program of d-s-m to perform these operations by > > sending request to the helper program via dubs. The helper program will > > refuse any other request which is not sent from d-s-m. > > You might want to ask someone with a clue about policykit/etc for advice. I > don't currently even know where to look. > > > I hope this will fix these issues. And that will take some times. So > > let's wait. > > There's no hurry -- Ubuntu is long since frozen, Debian won't freeze until > November or December. > > But, you might want to just drop the caps: a system monitor that can kill > only your own processes is pretty useful; this is what all other similar > tools do. Elevating to kill others might be useful but is not the primary > feature I'd expect from such a program. > > Obviously, this is moot if you prefer to wait for the full fix. > > > For the nethogs part, the situation is: d-m-s need a library from > > it, but the nethogs maintainer of debian doesn't package libnethogs > > separately, we(pkg-deepin team) have already request for that [1], but > > got no reply. So I decided to use the nethogs sources within upstream > > d-m-s source tree directly to build d-m-s. Maybe this is a bad idea? > > Maybe it's better to take a nmu upload for nethogs? Some advice is > > very appreciated. > > Looking at the maintainer's QA page: > https://qa.debian.org/developer.php?email=kretcheu%40gmail.com > I see he's not very active but nowhere close to being gone (did three > uploads of other packages this year). It's likely he saw the request but > couldn't act on it immediately -- what about pinging him if that's the case? > Also, most people are a lot more willing to accept a patch compared to being > told to do the work themselves. > > > > d-s-m crashed for me twice (segfault) while casually perusing it, > > As for this. The upstream author says It's very sorry for the insufficient > > testing. He will try his best to find why and fix it. > > It seems both of these segfaults happened while shutting down the program. > > > Meow! > -- > ⢀⣴⠾⠻⢶⣦⠀ > ⣾⠁⢰⠒⠀⣿⡁ > ⢿⡄⠘⠷⠚⠋⠀ ... what's the frequency of that 5V DC? > ⠈⠳⣄ I will try to communicate more with the upstream author several times, to help him to believe policykit is a better solution before he start to refactor the code. During this time, I will prepare a patch set and send to nethogs maintainer to try to solve the libnethogs problem. Thanks the advice about this :) . -- Yanhao Mo signature.asc Description: PGP signature
Bug#895310: RFS: golang-github-zyedidia-glob/0.0~git20170209.dd4023a-1 [ITP] -- Go package for glob matching
Package: sponsorship-requests Severity: wishlist Dear mentors, I am looking for a sponsor for my package "golang-github-zyedidia-glob" * Package name : golang-github-zyedidia-glob Version : 0.0~git20170209.dd4023a-1 Upstream Author : Zachary Yedidia * URL : https://github.com/zyedidia/glob * License : Expat Section : devel It builds those binary packages: golang-github-zyedidia-glob-dev - Go package for glob matching To access further information about this package, please visit the following URL: https://mentors.debian.net/package/golang-github-zyedidia-glob Alternatively, one can download the package with dget using this command: dget -x https://mentors.debian.net/debian/pool/main/g/golang-github-zyedidia-glob/golang-github-zyedidia-glob_0.0~git20170209.dd4023a-1.dsc More information about golang-github-zyedidia-glob can be obtained from https://github.com/zyedidia/glob. Changes since the last upload: golang-github-zyedidia-glob (0.0~git20170209.dd4023a-1) unstable; urgency=medium * Initial release (Closes: #895021) Regards, Sagar Ippalpalli
Bug#895287: marked as done (RFS: groonga/8.0.1-1)
Your message dated Mon, 9 Apr 2018 20:47:05 +0200 with message-id <20180409184705.r5ktmdikl6kcq...@angband.pl> and subject line Re: Bug#895287: RFS: groonga/8.0.1-1 has caused the Debian Bug report #895287, regarding RFS: groonga/8.0.1-1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 895287: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895287 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: sponsorship-requests Severity: wishlist Dear mentors, I am looking for a sponsor for my package "groonga" * Package name: groonga Version : 8.0.1-1 Upstream Author : Groonga Project* Url : http://groonga.org/ * Licenses: LGPL-2.1 Section : database It builds those binary packages: * groonga * groonga-server-common * groonga-server-gqtp * libgroonga-dev * libgroonga0 * groonga-tokenizer-mecab * groonga-token-filter-stem * groonga-plugin-suggest * groonga-bin * groonga-httpd * groonga-doc * groonga-examples * groonga-munin-plugins To access further information about this package, visit the following URL: https://mentors.debian.net/package/groonga Alternatively, one can download the package with dget using this command: dget -x https://mentors.debian.net/debian/pool/main/g/groonga/groonga_8.0.1-1.dsc More information about groonga can be obtained from http://groonga.org/ Changes since last upload: * New upstream release. * debian/patches/fix-nginx-FTBFS-on-kfreebsd.patch - Refresh patch to fix FTBFS on kFreeBSD. * debian/patches/remove-groonga-keyring-postrm.patch - Remove non-existent file. Regards, pgpxrVzFhijDC.pgp Description: PGP signature --- End Message --- --- Begin Message --- On Mon, Apr 09, 2018 at 09:44:01PM +0900, Kentaro Hayashi wrote: > * Package name: groonga > Version : 8.0.1-1 > Changes since last upload: > > * New upstream release. > * debian/patches/fix-nginx-FTBFS-on-kfreebsd.patch > - Refresh patch to fix FTBFS on kFreeBSD. > * debian/patches/remove-groonga-keyring-postrm.patch > - Remove non-existent file. ✓ -- ⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢰⠒⠀⣿⡁ ⢿⡄⠘⠷⠚⠋⠀ ... what's the frequency of that 5V DC? ⠈⠳⣄--- End Message ---
Re: C++ and Python package combined
Nico, On 09/04/18 15:13, Nico Schlömer wrote: > Thanks Leo, > > I've checked out ros-bond-core now and found that it's simpler than what I > have: The Python package is installed just like the rest of the library > with CMake, plus there are no compiled Python extensions that would need to > link against the bond library. That's why d/rules can be so simple. > Unfortunately, this doesn't help much with my problem. https://salsa.debian.org/science-team/ros-vision-opencv there's a python extension cv_bridge https://salsa.debian.org/science-team/ros-image-common Cheers, Leopold > Cheers, > Nico > > On Mon, Apr 9, 2018 at 1:18 PM Leopold Palomo-Avellaneda> wrote: > >> On 06/04/18 16:38, Nico Schlömer wrote: >>> Hi everyone, >>> >>> I would like to package a piece of software that includes both a C++ >>> library and a Python package. When building locally from scratch, one is >>> supposed to >>> >>> * build and install the library first, >>> (* then build and run the tests, compiling against what just has been >>> installed,) >>> * then build and install the Python package, compiling against what >> just >>> has been installed. >>> >>> If C++ library and Python packages came from two different sources, >> things >>> would be easy. It's not clear to me though how to first install one part >> of >>> a source, and then another against it. Perhaps there are example packages >>> out there that do that already. >>> >>> Any hints? >> >> Nico, >> >> maybe it helps. The ROS robotics packages has a lot of examples of C++ >> libraries >> and Python code. They are located in salsa, for instance: >> >> https://salsa.debian.org/science-team/ros-bond-core >> >> Take one eye. Look any example of package that begins with ros- >> >> Best regards, >> >> Leopold >> >> >> -- >> -- >> Linux User 152692 GPG: 05F4A7A949A2D9AA >> Catalonia >> - >> A: Because it messes up the order in which people normally read text. >> Q: Why is top-posting such a bad thing? >> A: Top-posting. >> Q: What is the most annoying thing in e-mail? >> > -- -- Linux User 152692 GPG: 05F4A7A949A2D9AA Catalonia - A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? A: Top-posting. Q: What is the most annoying thing in e-mail? signature.asc Description: OpenPGP digital signature
Re: C++ and Python package combined
Thanks Leo, I've checked out ros-bond-core now and found that it's simpler than what I have: The Python package is installed just like the rest of the library with CMake, plus there are no compiled Python extensions that would need to link against the bond library. That's why d/rules can be so simple. Unfortunately, this doesn't help much with my problem. Cheers, Nico On Mon, Apr 9, 2018 at 1:18 PM Leopold Palomo-Avellanedawrote: > On 06/04/18 16:38, Nico Schlömer wrote: > > Hi everyone, > > > > I would like to package a piece of software that includes both a C++ > > library and a Python package. When building locally from scratch, one is > > supposed to > > > > * build and install the library first, > > (* then build and run the tests, compiling against what just has been > > installed,) > > * then build and install the Python package, compiling against what > just > > has been installed. > > > > If C++ library and Python packages came from two different sources, > things > > would be easy. It's not clear to me though how to first install one part > of > > a source, and then another against it. Perhaps there are example packages > > out there that do that already. > > > > Any hints? > > Nico, > > maybe it helps. The ROS robotics packages has a lot of examples of C++ > libraries > and Python code. They are located in salsa, for instance: > > https://salsa.debian.org/science-team/ros-bond-core > > Take one eye. Look any example of package that begins with ros- > > Best regards, > > Leopold > > > -- > -- > Linux User 152692 GPG: 05F4A7A949A2D9AA > Catalonia > - > A: Because it messes up the order in which people normally read text. > Q: Why is top-posting such a bad thing? > A: Top-posting. > Q: What is the most annoying thing in e-mail? >
Bug#895203: marked as done (RFS: sent/1-1 ITP)
Your message dated Mon, 9 Apr 2018 15:17:26 +0200 with message-id <20180409131726.a3hcqxeqaxgcq...@angband.pl> and subject line Re: Bug#895203: RFS: sent/1-1 ITP has caused the Debian Bug report #895203, regarding RFS: sent/1-1 ITP to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 895203: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895203 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: sponsorship-requests Severity: wishlist Dear mentors, I am looking for a sponsor for my package "sent" * Package name : sent Version : 1-1 Upstream Author : Markus Teich* Url : http://tools.suckless.org/sent * Licenses : ISC Programming Lang : C Section : misc sent does not need LaTeX, libreoffice or any other fancy file format, it uses plaintext files to describe the slides and can include images via farbfeld. Every paragraph represents a slide in the presentation. . The presentation is displayed in a simple X11 window. The content of each slide is automatically scaled to fit the window and centered so you also don't have to worry about alignment. Instead you can really concentrate on the content. It builds those binary packages: * sent This package succesfully builds on debomatic machine: http://debomatic-i386.debian.net/distribution#unstable/sent/1-1 Please note, that package is maintained with dgit(1) tool using dgit-maint-merge(7) workflow. For more information about how to sponsor this package, see dgit-sponsorship(7). Git repository: https://salsa.debian.org/iu-guest/sent.git Git branch: dgit/sid With /bin/sh following commands should suffice: $ git clone https://salsa.debian.org/iu-guest/sent.git sent $ dgit sbuild Regards, Dmitry Bogatov --- End Message --- --- Begin Message --- On Sun, Apr 08, 2018 at 02:39:26PM +0300, Dmitry Bogatov wrote: > * Package name : sent > Version : 1-1 > It builds those binary packages: > > * sent Apparently someone sponsored this already; it passed NEW, too. -- ⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢰⠒⠀⣿⡁ ⢿⡄⠘⠷⠚⠋⠀ ... what's the frequency of that 5V DC? ⠈⠳⣄--- End Message ---
Bug#895287: RFS: groonga/8.0.1-1
Package: sponsorship-requests Severity: wishlist Dear mentors, I am looking for a sponsor for my package "groonga" * Package name: groonga Version : 8.0.1-1 Upstream Author : Groonga Project* Url : http://groonga.org/ * Licenses: LGPL-2.1 Section : database It builds those binary packages: * groonga * groonga-server-common * groonga-server-gqtp * libgroonga-dev * libgroonga0 * groonga-tokenizer-mecab * groonga-token-filter-stem * groonga-plugin-suggest * groonga-bin * groonga-httpd * groonga-doc * groonga-examples * groonga-munin-plugins To access further information about this package, visit the following URL: https://mentors.debian.net/package/groonga Alternatively, one can download the package with dget using this command: dget -x https://mentors.debian.net/debian/pool/main/g/groonga/groonga_8.0.1-1.dsc More information about groonga can be obtained from http://groonga.org/ Changes since last upload: * New upstream release. * debian/patches/fix-nginx-FTBFS-on-kfreebsd.patch - Refresh patch to fix FTBFS on kFreeBSD. * debian/patches/remove-groonga-keyring-postrm.patch - Remove non-existent file. Regards, pgp1XQlqRK_Qd.pgp Description: PGP signature
Bug#894772: RFS: deepin-system-monitor/1.4.3-1 [ITP]
On Mon, Apr 09, 2018 at 05:29:14PM +0800, Yanhao Mo wrote: > Hi, Adam > Very thanks for checking my package and pointing these issues. > I have communicate with upstream author of deepin-system-monitor, and he > confirmed these security problems. As a result, he is willing to modify > d-s-m sources to limited the privilege operations within a very small > helper program with some capabilities, at the same time he > will refactor gui program of d-s-m to perform these operations by > sending request to the helper program via dubs. The helper program will > refuse any other request which is not sent from d-s-m. You might want to ask someone with a clue about policykit/etc for advice. I don't currently even know where to look. > I hope this will fix these issues. And that will take some times. So > let's wait. There's no hurry -- Ubuntu is long since frozen, Debian won't freeze until November or December. But, you might want to just drop the caps: a system monitor that can kill only your own processes is pretty useful; this is what all other similar tools do. Elevating to kill others might be useful but is not the primary feature I'd expect from such a program. Obviously, this is moot if you prefer to wait for the full fix. > For the nethogs part, the situation is: d-m-s need a library from > it, but the nethogs maintainer of debian doesn't package libnethogs > separately, we(pkg-deepin team) have already request for that [1], but > got no reply. So I decided to use the nethogs sources within upstream > d-m-s source tree directly to build d-m-s. Maybe this is a bad idea? > Maybe it's better to take a nmu upload for nethogs? Some advice is > very appreciated. Looking at the maintainer's QA page: https://qa.debian.org/developer.php?email=kretcheu%40gmail.com I see he's not very active but nowhere close to being gone (did three uploads of other packages this year). It's likely he saw the request but couldn't act on it immediately -- what about pinging him if that's the case? Also, most people are a lot more willing to accept a patch compared to being told to do the work themselves. > > d-s-m crashed for me twice (segfault) while casually perusing it, > As for this. The upstream author says It's very sorry for the insufficient > testing. He will try his best to find why and fix it. It seems both of these segfaults happened while shutting down the program. Meow! -- ⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢰⠒⠀⣿⡁ ⢿⡄⠘⠷⠚⠋⠀ ... what's the frequency of that 5V DC? ⠈⠳⣄
Re: C++ and Python package combined
On 06/04/18 16:38, Nico Schlömer wrote: > Hi everyone, > > I would like to package a piece of software that includes both a C++ > library and a Python package. When building locally from scratch, one is > supposed to > > * build and install the library first, > (* then build and run the tests, compiling against what just has been > installed,) > * then build and install the Python package, compiling against what just > has been installed. > > If C++ library and Python packages came from two different sources, things > would be easy. It's not clear to me though how to first install one part of > a source, and then another against it. Perhaps there are example packages > out there that do that already. > > Any hints? Nico, maybe it helps. The ROS robotics packages has a lot of examples of C++ libraries and Python code. They are located in salsa, for instance: https://salsa.debian.org/science-team/ros-bond-core Take one eye. Look any example of package that begins with ros- Best regards, Leopold -- -- Linux User 152692 GPG: 05F4A7A949A2D9AA Catalonia - A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? A: Top-posting. Q: What is the most annoying thing in e-mail?
Bug#894772: [yanha...@gmail.com: Re: Bug#894772: RFS: deepin-system-monitor/1.4.3-1 [ITP]]
- Forwarded message from Yanhao Mo- Date: Mon, 9 Apr 2018 17:29:14 +0800 From: Yanhao Mo To: Adam Borowski Subject: Re: Bug#894772: RFS: deepin-system-monitor/1.4.3-1 [ITP] User-Agent: Mutt/1.9.4 (2018-02-28) On Sun 04/08 21:55, Adam Borowski wrote: > Hi! > As for the packaging itself, the nethogs/ subproject is not included in the > copyright file; it seems to be already packaged separately, too. > > But, that's easy to fix. I found a bigger problem though: > > The program has a long list of caps (with a fallback to setuid), that allow > any user perform most of root-only actions. For example one of menus allows > anyone to kill/suspend/resume any process in the system. No authentication > of any kind, no policy, just kill any process, period. > > It's not just the GUI user who can do this, it's easy enough to simulate a > GUI to have deepin-system-monitor do what any process, by any uid, wants. > > And if you say "most computers don't have untrusted users", then well -- you > still don't want some random thing running as another uid to have full > control over the system. And, most schools/etc will install a bunch of > available desktop environments so individual users can choose; if Deepin is > one of these environments, you can take over anyone else. > > And even if deepin-system-monitor had appropriate access control, it's still > a thoroughly bad idea to grant caps to a GUI process. d-s-m crashed for me > twice (segfault) while casually perusing it, I imagine it'd be trivial to do > so intentionally. And even if your code is 100% perfectly correct and > solid, d-s-m uses many many libraries, any of which can have bugs that can > be easy to subvert; various plugins can be loaded into the process, etc. > There's no way this could be done securely: thus, the security boundary must > be elsewhere. Be it a small helper program, some kind of RPC, etc -- the > privileged action can't be done by the GUI program. > > Thus, I'm afraid that deepin-system-monitor can't go into Debian without > some serious rethinking. I cannot adequately assist you here, as I don't > know the way such policies are done these days, you'd need to ask someone > more knowledgeable than me. > > I seriously hope I'm failing to understand something here... Hi, Adam Very thanks for checking my package and pointing these issues. I have communicate with upstream author of deepin-system-monitor, and he confirmed these security problems. As a result, he is willing to modify d-s-m sources to limited the privilege operations within a very small helper program with some capabilities, at the same time he will refactor gui program of d-s-m to perform these operations by sending request to the helper program via dubs. The helper program will refuse any other request which is not sent from d-s-m. I hope this will fix these issues. And that will take some times. So let's wait. For the nethogs part, the situation is: d-m-s need a library from it, but the nethogs maintainer of debian doesn't package libnethogs separately, we(pkg-deepin team) have already request for that [1], but got no reply. So I decided to use the nethogs sources within upstream d-m-s source tree directly to build d-m-s. Maybe this is a bad idea? Maybe it's better to take a nmu upload for nethogs? Some advice is very appreciated. > d-s-m crashed for me twice (segfault) while casually perusing it, As for this. The upstream author says It's very sorry for the insufficient testing. He will try his best to find why and fix it. [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893715 regards, -- Yanhao Mo - End forwarded message - Forward message. Sorry for forgetting to cc 894...@bugs.debian.org and pkg-deepin-de...@lists.alioth.debian.org . -- Yanhao Mo signature.asc Description: PGP signature