Differences between revisions 2 and 22 (spanning 20 versions)
Revision 2 as of 2017-02-08 13:56:51
Size: 1540
Editor: RogerShimizu
Comment: add CopyrightReview wiki link
Revision 22 as of 2017-05-24 14:07:11
Size: 3119
Editor: RogerShimizu
Comment:
Line 9: Line 9:
 * Above command should download and then extract the source tarball, but if you don't have the key signing the package within your keyring, you have to extract it by yourself:
{{{
dpkg-source -x yyy_zzz-1.dsc
}}}
 * Unless you have the sponsee's key (for example, they're in the DM keyring), you should replace the `-x` with `-ux` or dpkg-source will refuse to extract the source package.
 * Consider asking the sponsee to put their package in a git repository. This makes things easier when you expect to do several rounds of review.
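Review bot: the new `-ux` bullet tells the sponsor to skip signature verification whenever the sponsee's key is missing, but it does not say what takes the place of that check. Suggest adding that a package unpacked this way is untrusted input: obtain the sponsee's key and re-run with `-x` where that is possible, and otherwise unpack and build it only in a throwaway chroot (sbuild/pbuilder are already on the ideas list of this page).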
Line 16: Line 14:
 * There're a few automatic tools. Just apt install to get them.
   * debmake. It compares source tree and debian/copyright, then give you a report.
 There are a [[CopyrightReviewTools|few automatic tools]].
 * debmake. It compares source tree and debian/copyright, then give you a report.
Line 21: Line 19:
   * decopy. It generate a copyright file for reference.  * decopy. It generate a copyright file for reference. (not in stretch, can be installed from unstable [[https://packages.debian.org/sid/decopy]])
Line 24: Line 22:
diff -u debian/copyright debian/copyright.tmp
Line 25: Line 24:
   * cme. It generate/overwrite debian/copyright.  * cme. It generate/overwrite debian/copyright.
Line 29: Line 28:
diff -u debian/copyright.orig debian/copyright
Line 30: Line 30:

Please be also noted that as an unwritten exception to the rule, Debian packages where the copyright of the autoconf files is not documented in the Debian copyright file are routinely accepted by our archive administrators. [0][1]

 * [0] https://lists.debian.org/debian-mentors/2009/09/msg00264.html
 * [1] https://lists.debian.org/debian-devel/2015/11/msg00260.html
Line 35: Line 40:
mk-build-deps
sudo dpkg -i <yyy_build-deps_zzz-1.deb>
sudo apt install -f
# you need to have package equivs installed before running command below
mk-build-deps --root-cmd sudo --install --tool "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends"
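Review bot: the replacement `mk-build-deps --root-cmd sudo --install ...` line installs, as root on the reviewer's own system, whatever the package under review declares as build dependencies, and the hunk gives no matching removal step. Suggest stating that the command is run inside the unpacked source tree, adding the command that removes the generated build-deps package afterwards, and recommending a chroot when the source was unpacked without signature verification.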
Line 42: Line 46:
- or -
Line 49: Line 54:
lintian -I --pedemic lintian --info --display-info --display-experimental --pedantic --show-overrides --color auto
Line 51: Line 56:
 * [[https://tracker.debian.org/pkg/check-all-the-things|check-all-the-things]]
Line 57: Line 63:
 * [[CopyrightReview]]  * [[CopyrightReview]] [[CopyrightReviewTools]]
 * [[https://ftp-master.debian.org/REJECT-FAQ.html|REJECT FAQ]]
 * [[HowToPackageForDebian#Check_points_for_any_package|Check points for any package]]

== Alternative workflows ==

 * [[https://manpages.debian.org/unstable/dgit/dgit-sponsorship.7.en.html|dgit-sponsorship(7)]]

== Ideas to be added to this page ==

 * add sbuild/pbuilder usage
 * "dget -u" unpacks the source in case you already trust the person (but you didn't update the keyring)
 * debdiff between versions (in case of update)
{{{
filterdiff debdiff -i "*debian*" > debdiff.filtered
}}}
 * apt build-dep (dsc-file) to build-dependencies
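Review bot: in the new ideas list, `filterdiff debdiff -i "*debian*" > debdiff.filtered` passes `debdiff` to filterdiff as an input file name rather than running the debdiff command, so the snippet only works if a file of that name already exists. Suggest showing the step that produces that file from the two package versions, or piping the output of debdiff into filterdiff directly.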

Procedure to review packaging for mentors

Get the package

  • Usually the sponsorship-request (RFS) email tells you how to get the package:

dget -x https://mentors.debian.net/debian/pool/main/x/yyy/yyy_zzz-1.dsc
  • Unless you have the sponsee's key (for example, they're in the DM keyring), you should replace the -x with -ux or dpkg-source will refuse to extract the source package.

  • Consider asking the sponsee to put their package in a git repository. This makes things easier when you expect to do several rounds of review.
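
With `-ux` no signature is verified, but a reviewer can still confirm that the downloaded files match the checksums recorded in the .dsc. The script below is an added example, not part of the wiki page; its function names are hypothetical and it assumes `awk` and `sha256sum` are installed. A match shows the files are consistent with the .dsc, not who produced them.

```sh
#!/bin/sh
# Added example, not from the wiki page. Function names are hypothetical.

# Print "sha256 size name" for each entry of the Checksums-Sha256 field.
dsc_sha256_entries() {
    awk '
        /^Checksums-Sha256:/ { in_field = 1; next }
        in_field && /^ /     { print $1, $2, $3; next }
        { in_field = 0 }
    ' "$1"
}

# Succeed if the .dsc has an OpenPGP clearsign wrapper. This only says a
# signature is present, not that it is valid or whose it is.
dsc_is_signed() {
    head -n 1 "$1" | grep -q '^-----BEGIN PGP SIGNED MESSAGE-----'
}

# Compare every file listed in the .dsc with the copy next to it.
# Returns 0 if all match, 1 on a missing or altered file, 2 on a bad .dsc.
verify_dsc_files() {
    dsc=$1
    dir=$(dirname "$dsc")
    entries=$(dsc_sha256_entries "$dsc")
    [ -n "$entries" ] || { echo "no Checksums-Sha256 in $dsc" >&2; return 2; }
    status=0
    while read -r sum size name; do
        # File names in a .dsc are plain names; reject paths and dotfiles.
        case $name in
            ''|*/*|.*) echo "unexpected file name: '$name'" >&2; return 2 ;;
        esac
        file=$dir/$name
        if [ ! -f "$file" ]; then
            echo "MISSING  $name"; status=1; continue
        fi
        actual_sum=$(sha256sum "$file" | cut -d' ' -f1)
        actual_size=$(wc -c < "$file" | tr -d ' ')
        if [ "$actual_sum" = "$sum" ] && [ "$actual_size" = "$size" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"; status=1
        fi
    done <<EOF
$entries
EOF
    return "$status"
}

# Usage: sh check-dsc.sh yyy_zzz-1.dsc
if [ "$#" -gt 0 ]; then verify_dsc_files "$1"; fi
```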

Check the license

  • There are a few automatic tools.

  • debmake. It compares the source tree with debian/copyright and gives you a report.

debmake -kk

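  • decopy. It generates a copyright file for reference. (Not in stretch; it can be installed from unstable: https://packages.debian.org/sid/decopy)

decopy -o debian/copyright.tmp
diff -u debian/copyright debian/copyright.tmp
  • cme. It generates or overwrites debian/copyright.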

cp debian/copyright debian/copyright.orig
cme update dpkg-copyright -trace
diff -u debian/copyright.orig debian/copyright

Please also note that, as an unwritten exception to the rule, Debian packages where the copyright of the autoconf files is not documented in the Debian copyright file are routinely accepted by our archive administrators. [0][1]

Build the package

  • You need to install the build dependencies first. Here's a way that makes them easy to remove afterwards.

# the equivs package must be installed before running the command below
mk-build-deps --root-cmd sudo --install --tool "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends"
  • debuild or dpkg-buildpackage

debuild -us -uc
- or -
dpkg-buildpackage -us -uc

Auto Check Tools

  • lintian (Note: these options only make the output verbose; not everything reported is a must-fix)

lintian --info --display-info --display-experimental --pedantic --show-overrides --color auto

Other things to check

Alternative workflows

Ideas to be added to this page

  • add sbuild/pbuilder usage
  • "dget -u" unpacks the source in case you already trust the person (but you didn't update the keyring)
  • debdiff between versions (in case of update)

filterdiff debdiff -i "*debian*" > debdiff.filtered
  • apt build-dep (dsc-file) to install build dependencies