- The lintian warnings about missing man pages don't excite me, but
aren't a dealbreaker.

- The packaging is a little old school (doesn't use cdbs or dh7) but is
not terribly arcane.  The .install file manually lists every file to be
installed (instead of just directories) which makes me worry about
missing new files when upstream adds them.

- I don't understand why this package is a hodgepodge of libraries.
Each library should be split into its own binary package.  For example,
at least libplumbgpl2 (-dev), libpils2 (-dev), libstonith1 (-dev),
liblrm2 (-dev), and libplumb2 (-dev) as well as non-library packages for
the daemons and executables (like ha_logd).  This does strike me as a
dealbreaker.

- debian/copyright should have the GPL and LGPL header text verbatim
(the "This program is free software..." bit).  Just the reference to
common-licenses is not enough.  It should also mention which versions of
the GPL apply.  Also, I'm 70% sure that while using BSD code in GPL
programs is legitimate, you actually have to relicense the BSD as GPL.
So those files should have GPL boilerplate as well.  I realize this is
not a packaging bug but an upstream one.  But debian/copyright needn't
mention BSD, since no binary or library is apparently (to me) being
released with BSD license.

- There is no debian/watch file.

- There are some tests in at least lrm/tests.  Can those be made to run
during package build to catch any errors?

- There are some minor issues in the use of sprintf (instead of snprintf
or g_strdup_printf (which is used in one file), even in files with
comments at the top about how much better snprintf is -- see
lib/clplumbing/cl_netstring.c) and malloc (which is weird since there is
an included cl_malloc, a special wrapper for it).  While I'm not a
security expert, these usages don't strike me as bad enough to hold up
the package though since this is pretty special-case software.

- The HA team seems on top of this package, which is great.

So all in all, I don't think I can approve this.  The biggest issue is
that the libraries aren't split out into their own, versioned packages.
If that and the debian/copyright file are fixed, I would approve.  The
rest of the issues would definitely be nice to see addressed (or passed
upstream) too though.

** Changed in: cluster-glue (Ubuntu)
       Status: New => Incomplete

** Changed in: cluster-glue (Ubuntu)
     Assignee: Michael Terry (mterry) => (unassigned)

-- 
[MIR] cluster-glue
https://bugs.launchpad.net/bugs/527142
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
