From: Carsten Schoenert
Newsgroups: linux.debian.maint.python
Subject: Re: RFS: python-cvss/3.4-1 [ITP] -- CVSS2/3/4 library with interactive calculator for Python
Date: Sun, 06 Jul 2025 10:40:01 +0200
X-Original-To: Nishit Majithia, debian-python@lists.debian.org
List-Archive: https://lists.debian.org/msgid-search/b26c1c5f-374d-45fc-8ef4-d0024c6feaff@t-online.de

Hello Nishit,

On 04.07.25 at 15:10, Nishit Majithia wrote:
> hey mentors,
>
> Seeking sponsorship for this python-cvss [1] package. Package has been
> uploaded to mentors.debian.net [2]. These are the respective ITP and RFS
> bugs: #1108637 and #1108712.
>
> I would be grateful for your review and sponsorship. Any feedback or
> suggestions would be highly appreciated.

You are using the branch upstream/latest, which contains the full git history of the upstream project. There is nothing really wrong with that, but it's also unusual. There are other packaging trees which use a similar way because it's of course more convenient to work with the upstream git tree in case you want or need to deal with patches or MRs you want to target to upstream.

But having the full-blown git history this way also has downsides, at least to me. There is the pydoctor [1] packaging that is doing something similar, but it is using the upstream git data only on the local side and only uses the upstream tagged commit that gets used for merging the new upstream version into upstream(/latest). This way you don't see all the "noise" from the upstream workflow while looking at some 'git log' or in your preferred graphical git history visualizations and doing some packaging $stuff.

In the end it's probably some personal choice, I just want to mention that this kind of upstream data handling is quite unusual for packages in the DPT. At least you would need to describe for other team members how the workflow for this tree is to prepare newer versions. You might want to take a look at the file debian/README.source in the referenced package to get an inspiration.
My motivation goes down to zero for working on some package to update if it's too time consuming to find out how the package in question needs to get handled.

Other things...

debian/control:
Please do the ordering of the Build-Depends in alphabetical order; this helps me and others to see the "right" listed package I'm searching for there, because we are humans and find things quicker if they are ordered alphabetically.
You can use wrap-and-sort (e.g. with the options '-ast') to do that for you. This would also do a bit of reordering in debian/tests/control so the content is a bit more readable there.

debian/copyright:
You can shorten the license text of LGPL-3+ to just this short text.

> On Debian systems, the full text of the GNU Lesser General Public
> License version 3 can be found in the file
> `/usr/share/common-licenses/LGPL-3'.

debian/cvss_calculator.1:
The man page states it was created by help2man. I suggest you add some target/code to debian/rules so it gets created on every package build. Lintian mentions this with a pedantic tag.

> P: python-cvss source: maintainer-manual-page [debian/cvss_calculator.1]

In case upstream is adding or modifying an option you would then automatically get an updated man page into the newer package. Get an idea how to add this by looking into the package time-decode [2].

debian/gbp.conf:
'compression = xz' is the default, no need to add this key.

debian/upstream/metadata:
Drop the comments in that file, these are mostly boilerplate and useless. You can add three dashes as the first line so it's valid YAML code in the end.

Otherwise the package is building fine and looks quite good for an upload to me.

[1] https://salsa.debian.org/python-team/packages/pydoctor
[2] https://salsa.debian.org/pkg-security-team/time-decode/-/commit/bfc3b35a3e72acae241c0324a513e4c879a453e6

-- 
Regards
Carsten