Re: RFS: python-cvss/3.4-1 [ITP] -- CVSS2/3/4 library with interactive calculator for Python

From Carsten Schoenert <c.schoenert@t-online.de>
Newsgroups linux.debian.maint.python
Subject Re: RFS: python-cvss/3.4-1 [ITP] -- CVSS2/3/4 library with interactive calculator for Python
Date 2025-07-06 10:40 +0200
Message-ID <L5t4J-fBA0-1@gated-at.bofh.it> (permalink)
References <L5t4J-fBA0-3@gated-at.bofh.it>
Organization linux.* mail to news gateway


Hello Nishit,

On 04.07.25 at 15:10, Nishit Majithia wrote:
> hey mentors,
> 
> Seeking sponsorship for this python-cvss [1] package. Package has been
> uploaded to mentors.debian.net [2]. These are the respective ITP and RFS
> bugs: #1108637 and #1108712.
> 
> I would be grateful for your review and sponsorship. Any feedback or
> suggestions would be highly appreciated.

you are using the branch upstream/latest, which contains the full git
history of the upstream project.
There is nothing really wrong with that, but it's also unusual. There
are other packaging trees which use a similar way because it's of
course more convenient to work with the upstream git tree in case you
want or need to deal with patches or MRs you want to target to upstream.
But having the full-blown git history this way also has downsides, at
least to me.

There is the pydoctor [1] packaging that is doing something similar, but
it is using the upstream git data only on the local side and only uses
the upstream tagged commit that gets used for merging the new upstream
version into upstream(/latest).

This way you don't see all the "noise" from the upstream workflow
while looking at some 'git log' or in your preferred graphical git
history visualizations and doing some packaging $stuff.

In the end it's probably some personal choice, I just want to mention
that this kind of upstream data handling is quite unusual for packages
in the DPT. At least you would need to describe for other team members
how the workflow for this tree is to prepare newer versions.
You might want to take a look at the file debian/README.source in the
referenced package to get some inspiration. My motivation goes down to
zero for working on some package to update if it's too time-consuming to
find out how the package in question needs to get handled.

Other things...

debian/control:
Please put the Build-Depends in alphabetical order,
this helps me and others to see the "right" listed package I'm
searching for there because we are humans and find things quicker if they
are ordered alphabetically.
You can use wrap-and-sort (e.g. with the options '-ast') to do that for you.
This would also do a bit of reordering in debian/tests/control so the
content is a bit more readable there.

debian/copyright:
You can shorten the license text of LGPL-3+ to just this short text.

>  On Debian systems, the full text of the GNU Lesser General Public
>  License version 3 can be found in the file
>  `/usr/share/common-licenses/LGPL-3'.

debian/cvss_calculator.1:
The man page states it was created by help2man. I suggest you add some
target/code to debian/rules so it gets created on every package build.
Lintian mentions this with a pedantic tag.

> P: python-cvss source: maintainer-manual-page [debian/cvss_calculator.1]

In case upstream is adding or modifying an option you would then
automatically get an updated man page in the newer package. Get an idea
of how to add this by looking into the package time-decode [2].

debian/gbp.conf:
'compression = xz' is the default, no need to add this key.

debian/upstream/metadata:
Drop the comments in that file, these are mostly boilerplate and
useless. You can add three dashes as the first line so it's valid YAML code
in the end.

Otherwise the package is building fine and looks quite good for an 
upload to me.


[1] https://salsa.debian.org/python-team/packages/pydoctor
[2] https://salsa.debian.org/pkg-security-team/time-decode/-/commit/bfc3b35a3e72acae241c0324a513e4c879a453e6

-- 
Regards
Carsten
