# http://git.mdcc.cx/ad1810-doc.git

Some things to do when QA checking Debian packages
by Joost van Baal
July 2007
updated 2008-04, 2014-01, 2024-02
==================================================

These are commands and tools to run when inspecting a Debian package to check
its quality.  Useful for Debian Developers being offered a package for a
sponsored upload.

This document is inspired by/based upon Matthew Palmer's Checklist for
sponsored packages
(http://people.debian.org/~mpalmer/sponsorship_checklist.html).

The list
--------

Example for a package called "hello".

1) Get the .diff.gz.

 (If you have an appropriate deb-src entry in sources.list, you could first do
 something like:

  joostvb@nagy:~% apt-get --print-uris source hello

 )

 If you have the URL to a .dsc file, you can now run:

  joostvb@nagy:/usr...src/debian/hello% dget http://mentors.debian.net/debian/pool/main/h/hello/hello_1.8.8.i-1.dsc

 The last command doesn't need a full-blown aptable repository: if the
 packager just puts .orig.tar.gz, .diff.gz and .dsc in one directory on her
 webserver, things work.

2) Check the integrity of the .dsc file

  joostvb@nagy:/usr...src/debian/hello% gpg --verify hello_1.8.8.i-1.dsc
  gpg: Good signature from "John Doe "

3) Apply the .diff.gz to the packager-supplied .orig.tar.gz

  joostvb@nagy:/usr...src/debian/hello% dpkg-source -x hello_1.8.8.i-1.dsc

4) Get the upstream tar.gz.  If the packager ships a watch file, run:

  joostvb@nagy:/usr...n/hello-1.8.8.i% uscan --verbose --force-download --no-symlink --destdir=/usr/local/src/hello

 (In case a watchfile is lacking, just use e.g. wget.)

5) Check the integrity of the packager-supplied .orig.tar.gz

  joostvb@nagy:/usr/local/src% sha256sum hello/hello_1.8.8i.tar.gz debian/hello/hello_1.8.8.i.orig.tar.gz
  2fa5384d2ba6a8e1dc7f8df2d7411f0cc259e68d89f30f77023b9f7ed60ad8b0  hello/hello_1.8.8i.tar.gz
  2fa5384d2ba6a8e1dc7f8df2d7411f0cc259e68d89f30f77023b9f7ed60ad8b0  debian/hello/hello_1.8.8.i.orig.tar.gz

x) Run licensecheck(1)

  % licensecheck --recursive

 FIXME: should not just check header, but also footer: typical in Perl .pm
 files.  (btw, sub parselicense { in the source seems to be able to do just
 that...)

6) Eyeball the .debian.tar.gz

  % tar -vOxf ../*.debian.tar.gz 2>&1 | less

 licensecheck(1) (from the devscripts Debian package) might be helpful here.

7) If you have checked a previous version of the package, eyeball the
 differences with the prior version

  joostvb@nagy:/usr...src/debian/hello% debdiff hello_1.8.8.g-2.dsc hello_1.8.8.i-1.dsc | less

8) Build the package

  joostvb@nagy:/usr...hello-1.8.8.i% debuild -uc -us

9) Inspect lintian results

 debuild automagically runs lintian.

10) Eyeball the build log

  joostvb@nagy:/usr...hello-1.8.8.i% less ../hello_1.8.8.i-1_i386.build

11) Peek at the generated binary package

  joostvb@nagy:/usr...hello-1.8.8.i% debc | less

12) If you have checked a previous version of the package, inspect the
 differences in the binary packages

  joostvb@nagy:/usr...src/debian/hello% debdiff hello_1.8.8.g-2_all.deb hello_1.8.8.i-1_all.deb

13) Test the maintainer scripts

  root@nagy:~# dpkg -i /usr/local/src/debian/hello/hello_1.8.8.i-1_all.deb

 and --remove, --purge, upgrade

14) Test any programs and scripts installed by the package.  View manpages
 too.

14) Build the package again, and sign it

  joostvb@nagy:/usr...hello-1.8.8.i% debuild -k0xDEADBEEF

 (or sign an older build:

  joostvb@arrr:~/git% debsign -k0B86B067 libtest-command-simple-perl_0.04-3_i386.changes
  joostvb@oganj:~/lo...l/src/debian/braillefont% debsign -kB8FAC2E250475B8CE940A91957930DAB0B86B067 braillefont_1.0-2_source.changes

 )

15) If all went well: upload it

  joostvb@nagy:/usr...hello-1.8.8.i% dupload --to anonymous-ftp-master ../hello_1.8.8.i-1_i386.changes

16) Check whether the upload went well

  joostvb@nagy:/usr...hello-1.8.8.i% cat ../hello_1.8.8.i-1_i386.upload

17) Watch your mailbox for ACKs by the Debian machines

To do
-----

use piuparts

use pbuilder(8).  (it makes sure your build environment is clean.  you'll need
root access.  set BUILDUSERID and BUILDUSERNAME to minimize root processes.
use pbuilder-uml if you want to do everything as non-root)

NB: if you use po-ized debconf, do not forget to run podebconf-report-po at
about 1 week before uploading to the archive!

See also
--------

http://www.debian.org/doc/developers-reference/ch-new-maintainer.en.html#s-getting-started
http://people.debian.org/~mpalmer/debian-mentors_FAQ.html
http://people.debian.org/~mpalmer/sponsorship_checklist.html
http://www.hungry.com/~pere/debian-sponsoring.html
https://wiki.debian.org/SponsorChecklist
http://mentors.debian.net/
http://sponsors.debian.net/

Thanks
------

Geert Stappers for feedback.

Author, copyright
-----------------

Copyright (C) 2007, 2008 Joost van Baal

Redistribution and use, with or without modification, are permitted provided
that the above copyright notice, this condition and the following disclaimer
are retained.

This work is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE.
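
Added example for steps 2 and 5 of the list (not part of the original checklist): once gpg has verified the .dsc against a key you trust, these helpers check that every file the .dsc lists matches its recorded size and SHA-256, and that the packager's .orig.tar.gz is byte-identical to the upstream download. The function names are hypothetical, sha256sum from coreutils is assumed, and make_sample writes a constructed, unsigned package for trying it out.

```shell
# Added example; function names are hypothetical, sample data is constructed.

# Print "sha256 size name" for each entry of the Checksums-Sha256 field.
dsc_sha256_list() {
    awk '/^Checksums-Sha256:/ { f = 1; next }
         f && /^ /            { print $1, $2, $3; next }
                              { f = 0 }' "$1"
}

# Check each listed file next to the .dsc; return 0 only if all match.
dsc_check_files() {
    dir=$(dirname -- "$1"); rc=0
    list=$(dsc_sha256_list "$1")
    [ -n "$list" ] || { echo "no Checksums-Sha256 field in $1" >&2; return 2; }
    while read -r want size name; do
        # A name with a slash would point outside the download directory.
        case $name in ""|*/*) echo "REJECT   '$name'"; rc=1; continue ;; esac
        if [ ! -f "$dir/$name" ]; then echo "MISSING  $name"; rc=1; continue; fi
        got=$(sha256sum -- "$dir/$name" | cut -d' ' -f1)
        have=$(wc -c < "$dir/$name" | tr -d ' ')
        if [ "$got" = "$want" ] && [ "$have" = "$size" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"; rc=1
        fi
    done <<EOF
$list
EOF
    return $rc
}

# Step 5: succeed only if both tarballs exist and have the same SHA-256.
same_tarball() {
    a=$(sha256sum -- "$1" 2>/dev/null | cut -d' ' -f1)
    b=$(sha256sum -- "$2" 2>/dev/null | cut -d' ' -f1)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Write a constructed, unsigned sample source package into directory $1.
make_sample() {
    printf 'upstream source\n' > "$1/hello_1.0.orig.tar.gz"
    printf 'packaging\n' > "$1/hello_1.0-1.debian.tar.xz"
    { echo "Source: hello"; echo "Checksums-Sha256:"
      for f in hello_1.0.orig.tar.gz hello_1.0-1.debian.tar.xz; do
          echo " $(sha256sum "$1/$f" | cut -d' ' -f1) $(wc -c < "$1/$f" | tr -d ' ') $f"
      done
      echo "Files:"; echo " 0 0 not-a-checksum-entry"
    } > "$1/hello_1.0-1.dsc"
}
```

dscverify from the devscripts package checks the signature against the Debian keyrings and the listed file checksums in one step.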