[pkg-eucalyptus-maintainers] Comments regarding eucalyptus_3.1.0-3_amd64.changes

Luca Falavigna ftpmaster at debian.org
Thu Jul 26 21:09:17 UTC 2012


Hi,

here are some comments about your package, kindly provided with the
huge aid of one of our tireless trainees:

source:
=======

 * libhamcrest1.2-java | libhamcrest-java (>=1.2)

   The former is Ubuntu-only, Debian has libhamcrest-java only. This
   would result in autobuilders failing to build the source if they do
   not resolve alternatives in build-deps. Would you mind switching the
   order of the two build-dependencies?

copyright file
==============

  debian/copyright has a License: Apache section, where the license
  itself is Apache-2.0. The short license abbreviation should be
  Apache-2.0 too, according to my reading of the machine readable
  copyright format.

eucalyptus-cc
=============

* Depends on dhcp3-server, which is a transitional package, which was
  aiding in the lenny->squeeze upgrade.

  The correct dependency would be isc-dhcp-server.

eucalyptus-admin-tools
======================

* Lots of missing man pages. Are there plans to provide some?

eucalyptus-cloud
================

Recommends postfix | m-t-a. While minor, I believe it's good manners
to recommend the default MTA first. But that's arguable, and most
definitely a minor thing.

eucalyptus-java-common
======================

Depends on libhamcrest1.2-java | libhamcrest-java (>= 1.2), probably
for Ubuntu compatibility. The first is not satisfiable by Debian,
though. While it will work, as apt will resolve alternatives, it's
still nicer to list the only valid candidate first.

Looking at this snippet:

  if dpkg --compare-versions "$2" lt "3.0~"; then
      if [ -f /tmp/eucaback.dir ]; then
	  BACKDIR=`cat /tmp/eucaback.dir`
	  if [ -d "$BACKDIR" ]; then
              if [ -f "$BACKDIR/etc/eucalyptus/eucalyptus-version" -a -f "/etc/eucalyptus/eucalyptus-version" ]; then
		  export OLDVERSION=`cat $BACKDIR/etc/eucalyptus/eucalyptus-version`
		  export NEWVERSION=`cat /etc/eucalyptus/eucalyptus-version`
		  if [ "$OLDVERSION" != "$NEWVERSION" ]; then
                      rm -f /usr/share/eucalyptus/eucalyptus-*$OLDVERSION*.jar
		  fi
              fi
	  fi
      fi
  fi

A bigger problem is that *any* user can write to /tmp/eucaback.dir,
and using the tempfile this way might open up the postinst to
attack. So, it is an unsafe use, although differently so than the
common case, I believe.

Why is /usr/sbin/eucalyptus-cloud in this package, and not in eucalyptus-cloud?

Also, could you comment about the following lintian warnings?

W: eucalyptus-java-common: codeless-jar usr/share/eucalyptus/eucalyptus-bootstrap-3.1.0.jar

W: eucalyptus-java-common: missing-classpath libpostgresql-jdbc-java, libjboss-common-java, libhibernate-commons-annotations-java, libactivemq-java, libasm3-java, libavalon-framework-java, libaxiom-java, libbackport-util-concurrent-java, libbatik-java, libbcel-java, libbcprov-java, libbsf-java, libcommons-beanutils-java, libcommons-cli-java, libcommons-codec-java, libcommons-collections3-java, libcommons-digester-java, libcommons-discovery-java, libcommons-fileupload-java, libcommons-httpclient-java, libcommons-io-java, libcommons-jxpath-java, libcommons-lang-java, libcommons-logging-java, libcommons-pool-java, libdnsjava-java, libdom4j-java, libehcache-java, libexcalibur-logkit-java, libezmorph-java, libgeronimo-activation-1.1-spec-java, libgeronimo-ejb-3.0-spec-java, libantlr-java, libgeronimo-javamail-1.4-provider-java, libgeronimo-javamail-1.4-spec-java, libgeronimo-jms-1.1-spec-java, libgeronimo-jpa-2.0-spec-java, libgeronimo-jta-1.1-spec-java, libgeronimo-stax-1.2-spec-java, libguava-java, libhamcrest1.2-java, libhamcrest-java, libhsqldb-java, libitext-java, libjavassist-java, libjaxen-java, libjaxp1.3-java, libjboss-marshalling-java, libjcip-annotations-java, libjettison-java, libjetty-extra-java, libjetty-java, libjgroups-java, libjibx1.2-java, libjna-java, libjsch-java, libjson-java, libjug-java, liblog4j1.2-java, libmule-java, libnetty3.1-java, libnetty-java, libproxool-java, libquartz-java, libregexp-java, libservlet2.5-java, libslf4j-java, libspring-beans-java, libspring-context-java, libspring-context-support-java, libspring-core-java, libspring-web-java, libstax2-api-java, libwsdl4j-java, libwss4j-java, libxalan2-java, libxerces2-java, libxml-security-java, libxom-java, libxpp3-java, libaxis-java, libhibernate3-java, libcommons-compress-java, libbtm-java, libjasperreports3.7-java, libwoodstox-java, libcglib-java, libclean-crypto-java, libgeronimo-j2ee-connector-1.5-spec-java, libjboss-cache3-java, libha-jdbc-java, libgroovy1.7.2-java, 
libgroovy1.7-java, libhibernate-jbosscache-java, libhibernate-validator-java, libspring-expression-java

W: eucalyptus-java-common: possibly-insecure-handling-of-tmp-files-in-maintainer-script postinst:14

eucalyptus-walrus
=================

This has a heavy set of dependencies (on lvm2 and drbd8-utils), but
the effective contents are a drbd config example. Are there some missing
files from this binary?

eucalyptus-nc
=============

N: helper, will never have manpage
O: eucalyptus-nc: binary-without-manpage usr/sbin/euca_test_nc

If it's a helper, why is it in usr/sbin, and not under
/usr/lib/eucalyptus or some other private directory?

eucalyptus-common
=================

It is a little bit uncommon for a -common package to be arch:any; this is
probably because of the /usr/lib/eucalyptus/euca_* binaries.

W: eucalyptus-common: possibly-insecure-handling-of-tmp-files-in-maintainer-script postrm:4
W: eucalyptus-common: possibly-insecure-handling-of-tmp-files-in-maintainer-script postinst:27
W: eucalyptus-common: possibly-insecure-handling-of-tmp-files-in-maintainer-script preinst:11

If one wants to back up the data, backing it up under /var seems a much
better option than the one implemented here.

Misc
====

By the way, someone else filed an ITP: eucalyptus bug recently:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=680589


Cheers,
Luca
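
The /tmp/eucaback.dir concern and the suggestion to keep backup data under /var, worked through as an added example (not part of the original message and not the package's own script). STATE_DIR, its path and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hardened reading of the backup pointer used by postinst.
# STATE_DIR and all function names are assumptions, not the package's own.
STATE_DIR=${STATE_DIR:-/var/lib/eucalyptus/upgrade}

# True when $1 has type $2 (f or d; a symlink is neither), is owned by the
# invoking user (root in a maintainer script) and is not group- or
# world-writable.
trusted() {
    [ -n "$(find "$1" -prune -type "$2" -user "$(id -u)" \
            ! -perm -020 ! -perm -002 2>/dev/null)" ]
}

# Accept only version strings that cannot act as a glob or a path.
valid_version() {
    case $1 in
        ''|*[!0-9A-Za-z.+~-]*) return 1 ;;
    esac
}

# Print the version recorded in the backup, or fail with no side effects.
old_version() {
    ptr=$STATE_DIR/eucaback.dir
    trusted "$STATE_DIR" d && trusted "$ptr" f || return 1
    IFS= read -r backdir < "$ptr" || [ -n "$backdir" ] || return 1
    case $backdir in /*) ;; *) return 1 ;; esac
    trusted "$backdir" d || return 1
    vfile=$backdir/etc/eucalyptus/eucalyptus-version
    trusted "$vfile" f || return 1
    IFS= read -r ver < "$vfile" || [ -n "$ver" ] || return 1
    valid_version "$ver" || return 1
    printf '%s\n' "$ver"
}

# Remove jars of the old version only; the glob is built from a validated,
# quoted string, so the file content cannot widen what rm matches.
remove_stale_jars() {
    jar_dir=$1 new=$2
    old=$(old_version) || return 0
    [ "$old" != "$new" ] || return 0
    rm -f -- "$jar_dir"/eucalyptus-*"$old"*.jar
}
```

Whichever maintainer script writes the pointer must create STATE_DIR as root, not group- or world-writable, for these checks to pass.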
