Reject: mythbuntu-bare

Fri Sep 2 16:39:56 UTC 2011

On Fri, 2011-08-19 at 21:17 -0700, Thomas Mashos wrote:
> Hello Jamie,
> 
> 
> I have a few questions regarding your concerns below.
> 
Sorry for the delay. This got misfiled and then backburnered behind some
firefighting.

> 
> 1) I wrote all but save_file.py, (which I found online and modified a
> bit). Should I add a gpl v2 txt file to the root of the tar or is
> there a different way I should be handling that?

How you handle this as an upstream is up to you. Adding a toplevel file
would be fine. However, this file needs to be separately documented in
debian/copyright. I highly recommend DEP-5 style debian/copyright for
this.

> 1) I am the upstream source, which is why you cannot find upstream
> source (unless you check the bzr branch on LP)

I suggest making an upstream tarball and then using non-native
packaging. This may sound like an extra hoop to jump through, but as an
upstream it is conceivable that others might want to build on your work,
so an upstream tarball is desirable regardless. More importantly for
this discussion, the sources included in your upload must be able to be
verified against tampering. The by far easiest way to do this is with
using an upstream tarball, checksums, a watch file and non-native Debian
packaging. You might be interested in the lp-project-upload command that
Dustin Kirkland wrote. I have not used it myself, but I believe he has
made changes recently to create a tarball, sign it and upload it to an
LP project.

> 
> 2) I'm assuming that the mythtv user exists because one of the pieces
> of software I depend on checks that it exists and creates it if it
> doesn't. It was determined that there was no need to have code that
> created the user in both places. 

Ok, but a getent call or adding '|| true' would not hurt to guard
against this scenario.

> 
> 3) I use native packaging because I created this software for the
> Mythbuntu project. The software wouldn't work in Debian without
> modification as well as Mythbuntu-control-centre making it into debian
> as well (which wouldn't make sense unless MythTV and a mess of other
> things makes it into Debian). If there is somewhere that I need to
> specify this please let me know and I do so. I've talked it over with
> both of the MOTU's that reviewed my software which is why they allowed
> it. (TBH, it was actually using non-native packaging to begin with,
> but since I was upstream and this isn't anywhere else I was told to
> use native version numbers)
> 
If this is the course of action you would prefer to take over my
previous recommendation, please provide a comments only debian/watch
file or debian/README.source that explains how the sources for this
package can be reconstructed for verification against a particular
revision.

> 4) I'm not sure what you are wanting for a proper upstream. I am the
> sole author (excluding the one save_file.py file) of this software and
> my source code exists on launchpad (IIRC I have specified the correct
> branch in the debian/copyright file, but LP seems to be down at the
> moment and I'm currently on vacation. 
> 

The 'proper upstream' comment was simply that I could not find somewhere
that I could verify the sources. If you do one of the things I recommend
above, you are fine.

-- 
Jamie Strandboge             | http://www.canonical.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/ubuntu-archive/attachments/20110902/3ea5598b/attachment.pgp>