On Thu, 22 Jan 2015 at 9:33, Hendrik Buchwald <h...@zecure.org> wrote:
Package: sponsorship-requests
Severity: wishlist
Dear mentors,
I am looking for a sponsor for my package "shadowd".
 * Package name    : shadowd
   Version         : 1.0.0
   Upstream Author : Hendrik Buchwald <h...@zecure.org>
 * URL             : https://shadowd.zecure.org/
 * License         : GPL
   Programming Lang: C++
   Description     : Shadow Daemon web application firewall server
shadowd is the main component of the web application firewall Shadow
Daemon.
Currently it is possible to use Shadow Daemon to protect PHP, Perl and
Python web applications by detecting and removing malicious user input.
The firewall intercepts requests and uses a combination of white- and
blacklisting to detect attacks. More detailed information can be found
on the homepage. A new, fancier homepage is in the works and will be
released shortly. The development of all components is public and takes
place at https://github.com/zecure.
The Debian packages and files are hosted at
https://shadowd.zecure.org/files/debian/.
I would be grateful if someone is interested in sponsoring me, because I
think better web application security is of great importance :)
Unfortunately I am not a DD, so I cannot sponsor; however, I do have a
few comments:
In prerm, you manually stop shadowd. You do not have to do that;
dh_installinit already does it itself (you can check the generated
prerm in the .deb).
In postrm, you manually delete the config file and config directory on
purge. You do not have to do that, because they will automatically be
deleted because they are owned by the shadowd package.
In control, you explicitly list the libraries it depends on (e.g.
libcrypto++9). Why did you add that? Were ${shlibs:Depends} and
${misc:Depends} not adding all the libraries that you listed in the
build depends field / the libraries shadowd linked to?
This one I am not 100% on, so you may want to look at other packages
for reference or ask on debian-mentors if that does not help. Anyway, I
believe that users and groups are supposed to be left around, even
after a package is purged. Otherwise a new package would inherit the
same UID and with it access to potentially security sensitive files. So
it is best to remove the entire postrm.
Also, I have written an Upstart job that I would appreciate you
including in the package. (Just put it into the debian/ directory under
the filename `shadowd.upstart`).
Lastly, you may want to put your package on mentors.debian.org so that
people can look at the lintian results at a glance.
Good luck!
--
Cameron Norman
description "Shadow Daemon Web Application Firewall"
start on runlevel [2345]
stop on runlevel [016] or unmounting-filesystem
exec /usr/bin/shadowd -c /etc/shadowd/shadowd.ini -U shadowd -G shadowd
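
The UID-reuse concern raised in the review above, shown as an added illustration that is not part of the original message or of the shadowd package. The account names, UIDs and the leftover file path are constructed, and the allocator handing out the lowest free UID in a range is an assumption made for the demonstration.

```shell
#!/bin/sh
# Added illustration; account names, UIDs and paths below are constructed.

# owner_report PASSWD OWNERSHIP
# PASSWD is in passwd(5) format; OWNERSHIP holds "uid:path" records.
# Prints "path owner", or ORPHAN(uid) when no account holds that uid.
owner_report() {
    awk -F: '
        NR == FNR { name[$3] = $1; next }   # first file: map uid -> name
        { print $2, (($1 in name) ? name[$1] : "ORPHAN(" $1 ")") }
    ' "$1" "$2"
}

# lowest_free_uid PASSWD FIRST LAST
# Assumption: the allocator hands out the lowest unused uid in FIRST..LAST.
lowest_free_uid() {
    awk -F: -v lo="$2" -v hi="$3" '
        { used[$3] = 1 }
        END { for (u = lo; u <= hi; u++) if (!(u in used)) { print u; exit } }
    ' "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' \
                  'shadowd:x:100:100::/nonexistent:/bin/false' > "$dir/passwd"
    # A file outside the package's file list, so purge does not remove it.
    printf '%s\n' '100:/srv/example/leftover.key' > "$dir/owners"
    echo "installed: $(owner_report "$dir/passwd" "$dir/owners")"

    # Purge with a postrm that deletes the account: the file is orphaned.
    grep -v '^shadowd:' "$dir/passwd" > "$dir/passwd.purged"
    echo "purged:    $(owner_report "$dir/passwd.purged" "$dir/owners")"

    # A later, unrelated package creates its own system account.
    uid=$(lowest_free_uid "$dir/passwd.purged" 100 999)
    echo "otherpkg:x:$uid:$uid::/nonexistent:/bin/false" >> "$dir/passwd.purged"
    echo "reused:    $(owner_report "$dir/passwd.purged" "$dir/owners")"
    rm -rf "$dir"
}

demo
```

On a real system, files in the orphaned state can be listed with `find / -xdev -nouser`.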