NewPackageReview

This page is intended to provide a brief 'checklist' for Archive Admins reviewing a new source package, as well as for packagers submitting a new source package.

1. References

The following references provide copious documentation on various packaging processes. Archive Admins and packagers should be familiar with the information provided at:

2. Basic Checklist

  1. Does the source package build (debuild -S)?

  2. Does the binary package build (pbuild or sbuild environment)?

    • NB: This is perhaps impractical for the Archive Admin, but absolutely the responsibility of the packager!

  3. Is the source package lintian clean? Hint: use

    lintian -Ivi *dsc

    • There should be detailed explanations for any excusable lintian flags.

  4. Is the binary package lintian clean? Hint: use

    lintian -Ivi *deb

    • There should be detailed explanations for any excusable lintian flags.

  5. Run licensecheck -r on the source, ensuring that files are licensed appropriately and match what is stated in debian/copyright.

    • While not required, use of DEP-3 should be encouraged. A package should not be rejected for this alone, but it can be given as feedback to the submitter.

  6. Are the files in the source package redistributable (e.g., for GPL, they can be built from source)?

    • This command should help identify potentially problematic files:

      suspicious-source | xargs -r file | egrep -v ':.*(XML|text|empty|very short file)' | sed 's/\(.*\)/ \1/g'
  7. Meticulously review debian/*. This can be very time consuming.

    1. Is debian/control thorough and accurate?

    2. Is debian/copyright thorough and accurate?

    3. Are the debian/pre* and debian/post* maintainer scripts thorough and accurate?

      • Run checkbashisms. Look for errant, illegal, or inadvisable behavior, since these scripts run as root!!!

    4. Review debian/rules (a cursory review is usually sufficient), ensuring accuracy.

    5. Thoroughly review debian/patches, if any, ensuring that the packager has sent these upstream.

  8. Examine *orig.tar.gz, ensuring there are no unintended artifacts.

    • Also in the source tree, run

      find . \( -name "*.orig" -o -name "*.rej" -o -name "*.swp" -o -name "*~" \)
    • and for Vcs files, run

      find . \( -name ".git*" -o -name ".bzr*" -o -name ".svn*" -o -name "CVS*" -o -name "RCS*" -o -name ".hg" \)
  9. Examine *diff.gz, ensuring that this is accurate.

  10. Run dpkg -c on the resulting *.deb files, ensuring that the contents meet the FHS.

    • NB: This can be exceedingly difficult with Partner packages, particularly Java applications, which rarely meet the FHS.

  11. Test package installation, uninstallation, and purging (perhaps in a VM), ensuring that these happen cleanly.

    • NB: This is perhaps impractical for the Archive Admin, but absolutely the responsibility of the packager!
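The find and lintian steps above (items 3, 4 and 8) wrapped into reusable shell functions, as an added example that is not part of the wiki page or of any Ubuntu tool; the function names are my own, and `lintian_check` assumes lintian is installed in the review environment.

```shell
#!/bin/sh
# Added example: checklist items 3, 4 and 8 as functions that can be run
# repeatedly against an unpacked source tree. Names are hypothetical.

# stray_files DIR: print leftover patch/editor residue that must not ship in
# an *.orig.tar.gz (item 8, first find). One path per line.
stray_files() {
    find "$1" \( -name '*.orig' -o -name '*.rej' -o -name '*.swp' -o -name '*~' \) -print
}

# vcs_files DIR: print VCS metadata that must not ship in the tarball
# (item 8, second find).
vcs_files() {
    find "$1" \( -name '.git*' -o -name '.bzr*' -o -name '.svn*' \
                 -o -name 'CVS*' -o -name 'RCS*' -o -name '.hg' \) -print
}

# review_tree DIR: run both checks, report findings; exit status 0 when the
# tree is clean, 1 when anything was found.
review_tree() {
    dir=$1
    found=0
    stray=$(stray_files "$dir")
    if [ -n "$stray" ]; then
        echo "stray artifacts in $dir:"; echo "$stray"; found=1
    fi
    vcs=$(vcs_files "$dir")
    if [ -n "$vcs" ]; then
        echo "VCS metadata in $dir:"; echo "$vcs"; found=1
    fi
    return $found
}

# lintian_check FILE...: items 3 and 4 with the flags from the checklist,
# skipped (status 2) when lintian is not installed, e.g. in a minimal chroot.
lintian_check() {
    command -v lintian >/dev/null 2>&1 || { echo "lintian not installed"; return 2; }
    lintian -Ivi "$@"
}
```

Typical use after unpacking: `review_tree ./pkg-1.0 && lintian_check ../*.dsc ../*.deb`; a non-zero status from `review_tree` means the orig tarball needs to be regenerated.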

3. Useful tools

  • lintian
  • licensecheck (from ubuntu-dev-tools)
  • suspicious-source (from ubuntu-dev-tools)
  • what-patch (from devscripts)
  • checkbashisms (from devscripts)
  • diffstat
  • check-source-package from the ubuntu-security-tools project can be used to help with review. It is meant to complement lintian on things that are often Ubuntu-specific, are informational, or are common packaging errors encountered when sponsoring. While it can be quite helpful, it should not replace manual inspection of the package.

ArchiveAdministration/NewPackageReview (last edited 2018-12-18 21:37:06 by sbeattie)