--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+<head>
+ <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
+ <meta name="description" content="Reject FAQ for Debians NEW Queue" />
+ <meta name="generator" content="GNU/Emacs" />
+
+ <title>Reject FAQ for Debian's NEW-Queue</title>
+ <link type="text/css" rel="stylesheet" href="style.css" />
+ <link rel="shortcut icon" href="http://www.debian.org/favicon.ico" />
+</head>
+
+<body>
+ <div class="c1">
+ <a href="http://www.debian.org/"><img src=
+ "http://www.debian.org/logos/openlogo-nd-50.png" border="0" hspace="0"
+ vspace="0" alt="" /></a> <a href="http://www.debian.org/"><img src=
+ "http://www.debian.org/Pics/debian.png" border="0" hspace="0" vspace=
+ "0" alt="Debian Project" /></a>
+ </div><br />
+
+ <table class="reddy" width="100%">
+ <tr>
+ <td class="reddy"><img src="http://www.debian.org/Pics/red-upperleft.png" align="left" border=
+ "0" hspace="0" vspace="0" alt="" width="15" height="16" /></td>
+
+ <td rowspan="2" class="reddy">Reject FAQ for Debian's NEW-Queue</td>
+
+ <td class="reddy"><img src="http://www.debian.org/Pics/red-upperright.png" align="right" border=
+ "0" hspace="0" vspace="0" alt="" width="16" height="16" /></td>
+ </tr>
+
+ <tr>
+ <td class="reddy"><img src="http://www.debian.org/Pics/red-lowerleft.png" align="left" border=
+ "0" hspace="0" vspace="0" alt="" width="16" height="16" /></td>
+
+ <td class="reddy"><img src=
+ "http://www.debian.org/Pics/red-lowerright.png" align="right" border=
+ "0" hspace="0" vspace="0" alt="" width="15" height="16" /></td>
+ </tr>
+ </table>
+
+ <h2>Introduction</h2>
+
+ <p class="text">NEW checking is about three things. In order of
+ priority:</p>
+
+ <ul>
+ <li>trying to keep the archive legal,</li>
+
+ <li>trying to keep the package namespace sane,</li>
+
+ <li>trying to reduce the number of bugs in Debian.</li>
+ </ul>
+
+ <p class="text">Not all QA issues will be noticed; we don't test
+ packages, but we do look through them and note problems that jump out at
+ us. Sometimes that'll result in a bug, sometimes it will result in an
+ email, sometimes it will result in a REJECT, depending on how serious the
+ issue seems.</p>
+
+ <p class="text">Of course this does not take away the developers
+ responsibility to do their own QA before upload. Its the maintainer who
+ is responsible for everything that happens with a bad package, not the
+ ftpteam!</p>
+
+ <p class="text">All items are things that <b>really</b> should never
+ happen anyway, but exist in some packages nonetheless. Visit this list
+ from time to time, as we may change points or add new ones.</p>
+
+ <p class="text">Note: This is a purely informational list, there may be
+ more reasons. If there is a third column it states the date when the
+ entry was added to this list.</p>
+
+ <p class="text">If you want to make it easy for us, then please state
+ <b>why</b> you've added a NEW binary package or renamed source. A simple
+ <i>New upstream</i> or <i>Fixed bug</i> isn't great.</p>
+
+ <table border="0">
+ <tr>
+ <th class="reject" colspan="3">Serious violations (direct rejects
+ even if we only find one point)</th>
+ </tr>
+
+ <tr>
+ <td>OpenSSL</td>
+
+ <td>You have a GPL program linking with OpenSSL. This is only ok if
+ upstream gave a license exception for this otherwise the two licenses
+ are incompatible. Visit <a href=
+ "http://www.openssl.org/support/faq.html#LEGAL2">the OpenSSL FAQ</a>
+ or/and <a href=
+ "http://www.gnome.org/~markmc/openssl-and-the-gpl.html">another
+ infotext</a> for more information.</td>
+
+ <td> </td>
+ </tr>
+
+ <tr>
+ <td>CDBS</td>
+
+ <td>
+ You have a cdbs package and for whatever reason turned on the
+ <i>play with my debian/control in a bad way</i> option. See
+ <a href="http://bugs.debian.org/311724">#311724</a> for a long text
+ on that matter.<br />
+ Small overview: The <i>DEB_AUTO_UPDATE_DEBIAN_CONTROL</i> option
+ turned on modifies Build-Depends, which doesn't affect the build
+ that's running. But it affects all following builds, which can be
+ NMU, buildd builds and worst case: security builds. You <b>DO
+ NOT</b> want to have such a build getting a different result
+ (except for the small changes intended with the build) just because
+ there is now another thing in the build-depends.<br />
+ Two solutions for this:
+
+ <ol>
+ <li>Think about it and set the Build-Depends yourself. That's
+ <b>easy</b> and you can check them in pbuilder.</li>
+
+ <li>Do this only in a special target in debian/rules that is
+ NEVER called automagically. So you can check what it did before
+ you start the real build.</li>
+ </ol>
+ </td>
+
+ <td> </td>
+ </tr>
+
+ <tr>
+ <td>PHP License</td>
+
+ <td>You have a PHP add-on package (any php script/"app"/thing, not
+ PHP itself) and its licensed only under the standard PHP license.
+ That license, up to the 3.x which is actually out, is not really
+ usable for anything else than PHP itself.
+ <a href="http://lists.debian.org/debian-legal/2005/08/msg00128.html">I've
+ mailed</a> our -legal list about that and got only one response,
+ which basically supported my view on this. Basically this license
+ talks only about PHP, the PHP Group and <i>includes Zend Engine</i>,
+ so its not applicable to anything else. And even worse, older
+ versions include the nice ad-clause.<br />
+ One good solution here is to suggest a license change to your
+ upstream, as they clearly wanted a free one. LGPL or BSD seems to be
+ what they want.</td>
+
+ <td> </td>
+ </tr>
+
+ <tr>
+ <td>License</td>
+
+ <td>Be sure that you correctly document the license of the package.
+ We often find packages having a GPL COPYING file in the source, but
+ if one goes and looks at every file there are a few here and there
+ having different licenses in them, sometimes as bad as <i>You aren't
+ allowed to do anything with this file, and if you do we will send our
+ lawyers to you</i>. Of course it's hard to check a tarball with
+ thousands of files (think about X, KDE, Kernel or similar big
+ packages), but most of the tarballs aren't that big. Also not-nice is
+ a package, itself being GPL, having documentation licensed with a
+ non-free license, like the CC licenses. Makes the original tarball
+ non-free, this is one of the cases where you need to repackage it
+ (look in the archive for examples, mostly having .dfsg. in their
+ tarballs name).</td>
+
+ <td> </td>
+ </tr>
+
+ <tr>
+ <td>Transition</td>
+
+ <td>You <i>break</i> a transition. Like, in the past we had the
+ C++ one, but there might be any number of transitions running.
+<!-- Well, right at the moment it's the -->
+<!-- nice C++ ABI thing, but in the future it may be something else. For -->
+<!-- this C++ one it's basically - if you link against libstdc++5 you are -->
+<!-- out, <b>EXCEPT</b> if you declare a special Build-Depends on the -->
+<!-- right compiler to get this, which most people haven't done, it's -->
+<!-- nearly always not a part of the updated build environment.<br /> -->
+<!-- Also having dependencies on non-transitioned C++-libraries gets you -->
+<!-- rejected. I think most important libs are done, but until recently a -->
+<!-- nice candidate was libqt[whatever]c102. Watch out for c102 names in -->
+<!-- your Depends lines if you want to be sure. -->
+ </td>
+
+ <td> </td>
+ </tr>
+
+ <tr>
+ <td>Experimental Library</td>
+
+ <td>Also not good is to build against a version of a library only in
+ experimental, but uploading to unstable. We may not detect all of
+ that, but if it happens the package will be rejected.</td>
+
+ <td> </td>
+ </tr>
+
+ <tr>
+ <td>Hijack</td>
+
+ <td>You try to hijack a package of an active maintainer ( or team).
+ Don't do that.</td>
+
+ <td> </td>
+ </tr>
+
+ <tr>
+ <td>Package split</td>
+
+ <td>You split a package too much or in a broken way. Well, broken or
+ too much is a wide definition, so this is a case-by-case thing, but
+ you should really think about a split before you do it. For example
+ it doesn't make any sense to split a 50k arch:all package from a 250k
+ arch:any one. Or splitting a package for only one file, depending on
+ the main package. Yes, big dependency chains can be a reason. Or big
+ documentation splitted into one -doc package. The point there is
+ <b>big</b>.</td>
+
+ <td> </td>
+ </tr>
+
+ <tr>
+ <td>FTBFSIASW</td>
+
+ <td>Your package <b>fails to build from source in a sane way</b>. A
+ good example is behind <a href="http://bugs.debian.org/300683">#300683</a>,
+ but I can think of more creative ways to do it. Basically you need be able
+ to build all .debs with only one call to debian/rules. Not two, not three.
+ Not an extra script.<br />
+ This only includes .debs that should get uploaded. Stuff that's only
+ built by users for their local system doesn't matter.</td>
+
+ <td> </td>
+ </tr>
+
+ <tr>
+ <td>debian/control breakage #2</td>
+
+ <td>Your package builds binary packages not listed in
+ debian/control.
+ While this is technically possible it is not allowed, all
+ binaries need to be listed in your control file *prior* to the
+ build (ie. that information needs to be included in the uploaded
+ source). This mostly happens to kernel-module packages.<br />
+
+ Now, if you follow Policy you have
+ <a href="http://www.debian.org/doc/debian-policy/ch-controlfields.html#s-sourcecontrolfiles">
+ Section 5.2 (Source package control files -- debian/control)</a>
+ which says
+
+ <p class="text">
+ <cite>The debian/control file contains the most vital (and
+ version-independent) information about the source package and
+ about the binary packages it creates.<br />
+
+ The first paragraph of the control file contains information
+ about the source package in general. The subsequent sets each
+ describe a binary package that the source tree builds.
+ </cite>
+ </p>
+
+ Next location to look is
+ <a href="http://www.debian.org/doc/debian-policy/ch-controlfields.html#s-debiansourcecontrolfiles">
+ Section 5.4 (Debian source control files -- .dsc)</a> which says
+
+ <p class="text">
+ <cite>The source package control file is generated by
+ dpkg-source when it builds the source archive, from other files
+ in the source package,
+ </cite>
+ </p>
+
+ which basically means that everything must be defined at the
+ beginning of the build.<br/>
+
+ Following the Binary reference we find
+ <a href="http://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Binary">
+ Section 5.6.19 (Binary)</a> where the important part reads
+
+ <p class="text">
+ <cite>
+ When it appears in the .dsc file it is the list of binary
+ packages which a source package can produce. It does not
+ necessarily produce all of these binary packages for every
+ architecture. The source control file doesn't contain details of
+ which architectures are appropriate for which of the binary
+ packages.
+ </cite>
+ </p>
+
+ Putting all of that together you can simplify it with
+ <em>debian/control has to contain a list of binaries to be built
+ <b>before</b> the build-process starts, do not modify that in
+ the running build-process.</em>
+
+ <hr/>
+
+ Of course that makes life hard(er) for packages like kernel
+ modules. But not that much. There is nothing to say against a
+ target in <i>debian/rules</i> that generates the control file
+ for you, <b>IFF</b> this is only run manually. And if you run in
+ troubles with debhelper's -a you may want to read man debhelper(7) for
+ the -s switch.
+ </td>
+
+ <td>Feb 2006</td>
+ </tr>
+ <tr>
+ <td>Copyright</td>
+
+ <td>Your debian/copyright file must have at least the minimum needed
+ stuff. A good overview of what you need is behind
+ <a href="http://lists.debian.org/debian-devel-announce/2006/03/msg00023.html">this mail</a>.</td>
+
+ <td> </td>
+ </tr>
+
+ <tr>
+ <td>License II</td>
+ <td>If the upstream tarball does not include a copy of the license,
+ debian/copyright must document when and how the license information was
+ obtained (i.e. include "Downloaded by John Doe on 2008-12-24 from
+ http://example.net/license" or reproduce email correspondence including
+ some header) in addition to the reproducing the license itself.
+ In the past there were uploads where one couldn't
+ find the license statement in the tarball or on the website from
+ upstream, which is bad.
+ </td>
+ <td>Revised Dec 2008</td>
+ </tr>
+ <tr>
+ <td>License III</td>
+ <td>You need to list <b>all</b>
+ copyright information with all licenses in the copyright file itself. That one has
+ to be the single point of information. Only files you find in /usr/share/common-licenses
+ have a special exception here, everthing else needs to be fully included!</td>
+ <td>Revised Dec 2008</td>
+ </tr>
+
+ <tr>
+ <td>Non-Main</td>
+
+ <td>If you want your package in main it must <b>not</b>
+ (Build-)Depend: or Recommend: a package which isn't in main too.
+ That's what we have contrib for.</td>
+
+ <td> </td>
+ </tr>
+
+ <tr>
+ <td>Package Content</td>
+
+ <td>You most probably want to have some content in your package. From
+ time to time we find packages which don't have any. An example is a
+ rename of a lib* package, but to miss updating the place where the
+ files are installed.</td>
+
+ <td> </td>
+ </tr>
+
+ <tr>
+ <td>Policy Violation</td>
+
+ <td>It should really not violate policy, for example violating FHS.
+ Like installing libFOO.so in /usr/share, creating random new
+ /pathentries or any other obvious policy violation.</td>
+
+ <td> </td>
+ </tr>
+
+ <tr>
+ <td>Contents of orig.tar.gz</td>
+
+ <td>If you rebuild the orig.tar.gz (in the few cases this is needed,
+ most of the times it is NOT) - be sure to not include .so/.a/other
+ compiled files. You should also exclude
+ .cvs/.svn/.whatever_your_version_control_system_has directories you
+ added.</td>
+
+ <td> </td>
+ </tr>
+
+ <tr>
+ <td>Lintian</td>
+
+ <td>Lintian errors and warnings, without a good reason to ignore them
+ can get you a reject. Sometimes there are valid reasons, but then you
+ should either file a bug against lintian if it's generally wrong or
+ include an override in your package, giving a reason in the changelog
+ for it.</td>
+
+ <td> </td>
+ </tr>
+
+ <tr>
+ <td>rpath</td>
+
+ <td>Watch out if you include a rpath in your binaries. Most of the
+ time this is not what you want but it is easy to fix. See
+ <a href="http://wiki.debian.org/RpathIssue">this Wiki</a> for
+ more.</td>
+
+ <td> </td>
+ </tr>
+
+ <tr>
+ <td>Package name</td>
+
+ <td>Use the right package names. A lib should start with lib, a perl
+ module with lib and end with -perl, etc.</td>
+
+ <td> </td>
+ </tr>
+
+ <tr>
+ <td>Common license</td>
+
+ <td>Do not include a license that is in /usr/share/common-licenses
+ into your debian/copyright. That's a waste of space.</td>
+
+ <td> </td>
+ </tr>
+
+ <tr>
+ <td>Renaming source for DFSG-removals</td>
+
+ <td>Do not rename the source if you delete files that are not DFSG free.
+ Instead add a .dfsg. somewhere to the version part to mark it. Renaming the source
+ just confuses tools like the PTS who are source-package based, and also confuses
+ users who cant simply fetch sources anymore without looking what source package
+ it is first.
+ </td>
+
+ <td>June 2006</td>
+ </tr>
+
+ <tr>
+ <td>Wrong license pointer</td>
+
+ <td>Be careful at what file in /usr/share/common-licenses you
+ point. (L)GPL is <b>only</b> correct if the licensing allows you
+ to chose "or any later" version. If it does not and you have a
+ licensing that does not give you that option you have to use the
+ versioned file (L)GPL-2 or -3.</td>
+ <td>Januar 2008</td>
+ </tr>
+
+ <tr>
+ <td>Symbol file wrong</td>
+
+ <td>Your symbol file contains errors, as reported from lintian
+ with the two tags
+ <i>symbols-file-contains-current-version-with-debian-revision</i>
+ and <i>symbols-file-contains-debian-revision</i>.
+ </td>
+ <td>Januar 2008</td>
+ </tr>
+ <tr>
+ <td>Source missing</td>
+ <td>Your packages contains files that need source
+ but do not have it. These include PDF and PS files in the documentation.</td>
+ <td>December 2008</td>
+ </tr>
+ </table><br />
+ <br />
+
+ <table border="0">
+ <tr>
+ <th class="reject" colspan="3">Minor issues, sometimes also named
+ "Good packaging behavior". Not a single one is enough to get you a
+ REJECT, but if you collect multiple ones the probability rises:</th>
+ </tr>
+
+ <tr>
+ <td>Description</td>
+
+ <td>Have a good description for your package. Both short and long.
+ You should know what your package does but your users don't. So write
+ something that they know what they get <b>before</b> they install it.
+ A simple <b>XY, it does stuff</b> is nothing that should get
+ uploaded.</td>
+
+ <td>August 2005</td>
+ </tr>
+
+ <tr>
+ <td>Repackage orig.tar.gz</td>
+
+ <td>Do not repackage your orig.tar.gz unless you have to. If you need
+ to remove files due to license issues - OK. But for example to have
+ the directory in the tarball named pkgname-ver you DO NOT repackage.
+ dpkg-source completely doesn't care about that.</td>
+
+ <td>August 2005</td>
+ </tr>
+
+ <tr>
+ <td>Native/Non-Native</td>
+
+ <td>Be sure to look for native/non-native build. Its easy to build a
+ package native because you had a spelling error in the upstream
+ tarballs name. Simple solution: Whenever you have a -X in your
+ version number (ie a debian-revision) look if you have a .diff.gz
+ before you upload.</td>
+
+ <td>August 2005</td>
+ </tr>
+
+ <tr>
+ <td>Multiple versions</td>
+
+ <td>Do not add the third version of a lib/program. Get RID of them
+ instead. Always try to not have more than two version of a
+ library/program in, and that also only if its needed due to a hard
+ transition to the newer one.</td>
+
+ <td>August 2005</td>
+ </tr>
+
+ <tr>
+ <td>debian/rules</td>
+
+ <td>Have a clear debian/rules file. A bad example are the dh-make
+ templates. As the name says: they are templates. Edit them, test your
+ package and then delete the whole bunch of commands that are
+ commented out, make it hard to read and do not help. If you later
+ need anything: Type dh_[TAB][TAB] to see whats available.</td>
+
+ <td>August 2005</td>
+ </tr>
+
+ <tr>
+ <td>.ex files</td>
+
+ <td>Remove the .ex files from debian/. They are examples not meant to
+ stay around.</td>
+
+ <td>August 2005</td>
+ </tr>
+
+ <tr>
+ <td>Standards-Version</td>
+
+ <td>Standards-Version should be the latest available one, not any
+ ancient that may happen to get in with a template you use.</td>
+
+ <td>August 2005</td>
+ </tr>
+
+ <tr>
+ <td>Manpages</td>
+
+ <td>Write manpages. Yes. Really. Write them. Well. It's basically: If
+ your program/tool has a --help and --version commandline option you
+ can simply run
+ <a href="http://packages.debian.org/help2man">help2man</a> and have a working
+ start. Such easy ones are near to a reject. Yes, there are things in
+ the archive where its hard to write manpages.</td>
+
+ <td>August 2005</td>
+ </tr>
+
+ <tr>
+ <td>Useless Settings</td>
+
+ <td>Having a "INSTALL_PROGRAM += -s" setting if nostrip option is set
+ while using dh_strip later. Useless, read man dh_strip please. There
+ may be other things like this, this is just a prominent example. If
+ they are there - remove them please.</td>
+
+ <td>August 2005</td>
+ </tr>
+ </table>
+
+ <p class="validate"><!-- hhmts start -->Last modified: Sat Dec 13 15:58:41 UTC 2008 <!-- hhmts end --></p>
+ <hr />
+ <a href="http://validator.w3.org/check?uri=referer">
+ <img border="0" src="http://www.w3.org/Icons/valid-xhtml10" alt="Valid XHTML 1.0 Transitional"
+ height="31" width="88" /></a>
+ <a href="http://jigsaw.w3.org/css-validator/check/referer">
+ <img border="0" src="http://jigsaw.w3.org/css-validator/images/vcss" alt="Valid CSS!"
+ height="31" width="88" /></a>
+</body>
+</html>