You can help to review packages. That is possible even if you are not a Debian developer (yet). There is no reason to be shy: it is OK if you do not know everything or are not entirely sure whether your suggestions are correct. Any help is appreciated. Interested in diving in? It is easy:
Why should I review packages? I cannot upload them!
Glad you asked! There are many reasons why you should review packages even if you can't actually upload them.
- The person you are reviewing will appreciate it. Chances are, you find problems in a package the person was not aware of yet. So they can learn from you.
- Eventually the package you are reviewing will be in very good shape, and you will learn something yourself along the way. Moreover, you will also learn about best practices and workflows other people are using. Even if the package does not meet Debian's quality standards, you can learn how not to do things.
- People who can upload may decide based on your review whether the package in question is a suitable candidate or not.
How can I review packages?
Pick a source package and start. There is no single correct way to review packages, but you will probably want to have a look at the following things:
- Verify Lintian outputs: Did Lintian miss something, are fixes semantically correct?
- Does the package satisfy Debian's best practices for packages?
- Does the package correctly declare dependencies as defined in the policy?
- Does the package meet the DFSG? If yes, is the copyright file up to date and correct?
- Do the maintainer scripts supplied with the package look robust, idempotent and useful?
- Is there a watch file? If yes, does it work?
- Can you build the package in a clean build chroot?
- Was the upstream tarball modified? If yes, is there a good reason to do so?
You might also want to retrieve the maintainer's GPG key to verify that all subsequent uploads are signed using the same key. While the key should be publicly available on servers such as keys.openpgp.org or keyserver.ubuntu.com, mentors.debian.net can also act as a basic keyserver. Note that only key retrieval is implemented. Updating and searching are not available.
Given a key id, you can retrieve a key using:
gpg --keyserver hkps://mentors.debian.net --recv-keys 0x123456789
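The same-key check described above, as an added example that is not part of the original page or of mentors.debian.net: it reads the output of `gpg --status-fd 1 --verify` and compares the signer's primary-key fingerprint with one you pinned after the first upload. The fingerprints, the maintainer name and the status lines are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pin a maintainer's primary-key fingerprint and compare the
# signer of each later upload against it, using gpg's machine-readable status.
# Real use (package.dsc is a hypothetical file name):
#   gpg --status-fd 1 --verify package.dsc 2>/dev/null | check_upload "$PINNED"

# Print the primary-key fingerprint from the VALIDSIG status line on stdin.
# gpg emits VALIDSIG only for a cryptographically good signature. Its last
# field is the primary key, so a rotated signing subkey still matches.
primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3); exit }'
}

# check_upload PINNED_FPR   (status output on stdin)
# Returns 0: valid signature by the pinned key, 1: valid signature by another
# key, 2: no valid signature at all.
check_upload() {
    # Accept the fingerprint as printed by gpg --fingerprint (spaces, any case).
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    got=$(primary_fpr)
    [ -n "$got" ] || return 2
    [ "$got" = "$pinned" ] || return 1
    return 0
}

# Constructed fingerprints and status output, for illustration only.
PINNED=0123456789ABCDEF0123456789ABCDEF01234567
SUBKEY=89ABCDEF0123456789ABCDEF0123456789ABCDEF
OTHER=FEDCBA9876543210FEDCBA9876543210FEDCBA98

sample_same_key() {   # signed by a subkey of the pinned primary key
    echo "[GNUPG:] GOODSIG 0123456789ABCDEF Jane Maintainer <jane@example.org>"
    echo "[GNUPG:] VALIDSIG $SUBKEY 2024-01-01 1704067200 0 4 0 1 10 01 $PINNED"
}
sample_other_key() {  # valid signature, but from a different primary key
    echo "[GNUPG:] VALIDSIG $OTHER 2024-02-01 1706745600 0 4 0 1 10 01 $OTHER"
}
sample_bad_sig() {    # signature did not verify: no VALIDSIG line is emitted
    echo "[GNUPG:] BADSIG 0123456789ABCDEF Jane Maintainer <jane@example.org>"
}

for s in sample_same_key sample_other_key sample_bad_sig; do
    rc=0
    $s | check_upload "$PINNED" || rc=$?
    echo "$s: exit status $rc"
done
```

Pin the full 40-character fingerprint rather than a short key id, since short ids are not unique.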
Established sponsor guidelines
Several Debian Developers have published their personal sponsor guidelines. These are rules that apply to a particular person or a specific packaging team in case you want to have a package sponsored by them. Typically these rules extend the Debian policy with custom requirements, or require a particular workflow from you. You can have a look at some guidelines from different people on our sponsors page.