Comment 2 for bug 527142

Michael Terry (mterry) wrote :

- The lintian warnings about missing man pages don't excite me, but aren't a dealbreaker.

- The packaging is a little old school (doesn't use cdbs or dh7) but is not terribly arcane. The .install file manually lists every file to be installed (instead of just directories) which makes me worry about missing new files when upstream adds them.

- I don't understand why this package is a hodgepodge of libraries. Each library should be split into its own binary package. For example, at least libplumbgpl2 (-dev), libpils2 (-dev), libstonith1 (-dev), liblrm2 (-dev), and libplumb2 (-dev) as well as non-library packages for the daemons and executables (like ha_logd). This does strike me as a dealbreaker.

- debian/copyright should have the GPL and LGPL header text verbatim (the "This program is free software..." bit). Just the reference to common-licenses is not enough. It should also mention which versions of the GPL apply. Also, I'm 70% sure that while using BSD code in GPL programs is legitimate, you actually have to relicense the BSD as GPL. So those files should have GPL boilerplate as well. I realize this is not a packaging bug but an upstream one. But debian/copyright needn't mention BSD, since no binary or library is apparently (to me) being released with BSD license.

- There is no debian/watch file.

- There are some tests in at least lrm/tests. Can those be made to run during package build to catch any errors?

- There are some minor issues in the use of sprintf (instead of snprintf or g_strdup_printf (which is used in one file), even in files with comments at the top about how much better snprintf is -- see lib/clplumbing/cl_netstring.c) and malloc (which is weird since there is an included cl_malloc, a special wrapper for it). While I'm not a security expert, these usages don't strike me as bad enough to hold up the package though since this is pretty special-case software.

- The HA team seems on top of this package, which is great.

So all in all, I don't think I can approve this. The biggest issue is that the libraries aren't split out into their own, versioned packages. If that and the debian/copyright file are fixed, I would approve. The rest of the issues would definitely be nice to see addressed (or passed upstream) too though.
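The sprintf versus snprintf point raised in the comment above, as an added C example that is not heartbeat's code: a hypothetical netstring encoder (the "<length>:<payload>," framing that cl_netstring.c deals with) written the unbounded way and the bounded way, including the return-value check that snprintf still needs. Function names and the netstring helper are assumptions for illustration, not anything from the package.

```c
#include <stdio.h>
#include <string.h>

/* Unbounded pattern flagged in the review (hypothetical helper, not heartbeat's):
 * correctness depends entirely on the caller having sized buf for the longest
 * possible payload. Nothing here can detect that it was not. */
static int encode_netstring_unchecked(char *buf, const char *payload)
{
    return sprintf(buf, "%zu:%s,", strlen(payload), payload);
}

/* Bounded replacement. snprintf never writes past bufsize, but it reports the
 * length it *wanted* to write, so the return value must be checked: otherwise a
 * silently truncated netstring (length prefix promising bytes that are not
 * there, trailing comma missing) gets handed on as if it were well formed.
 * Returns the encoded length, or -1 when buf is too small; on -1 buf is left
 * as an empty string so a caller cannot forward a half-written frame. */
static int encode_netstring(char *buf, size_t bufsize, const char *payload)
{
    int n;

    if (buf == NULL || bufsize == 0 || payload == NULL)
        return -1;
    n = snprintf(buf, bufsize, "%zu:%s,", strlen(payload), payload);
    if (n < 0 || (size_t)n >= bufsize) {
        buf[0] = '\0';          /* truncated: discard rather than forward */
        return -1;
    }
    return n;
}

int main(void)
{
    char small[8];              /* "5:hello," is 8 bytes plus the NUL: too small */
    char ok[32];

    if (encode_netstring(small, sizeof small, "hello") < 0)
        puts("truncation detected, frame not forwarded");
    if (encode_netstring(ok, sizeof ok, "hello") == 8)
        puts(ok);               /* prints 5:hello, */
    return 0;
}
```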