<div id="geary-body" dir="auto"><div><br></div></div><div id="geary-quote" dir="auto"><br>On Thu, Oct 24, 2019 at 11:40, Jonas Smedegaard <dr@jones.dk> wrote:<br><blockquote type="cite"><div class="plaintext" style="white-space: pre-wrap;">Package: node-lodash
Version: 4.17.15+dfsg-1
Severity: serious
Justification: Policy 2.1

The source package src:node-lodash states in its debian/copyright file
that its upstream source is <a href="https://github.com/lodash/lodash">https://github.com/lodash/lodash</a>
<br></div></blockquote><span style="white-space: pre-wrap;"><div><span style="white-space: pre-wrap;"><br></span></div>I don't think that is how DFSG is interpreted. If that were the case, then we won't be able to modify the upstream tarball at all.</span><div><br></div><div><blockquote type="cite"><div class="plaintext" style="white-space: pre-wrap;">$ apt source node-lodash
$ cd node-lodash-4.17.15+dfsg
$ tree -ad -I .pc
.
├── debian
│   ├── source
│   ├── tests
│   └── upstream
├── dist
├── doc
├── fp
├── .github
├── lib
│   ├── common
│   ├── fp
│   │   └── template
│   │       ├── doc
│   │       └── modules
│   └── main
├── lodash-cli
│   ├── bin
│   ├── lib
│   └── template
├── perf
│   └── asset
├── test
│   └── asset
└── vendor
    ├── backbone
    │   └── test
    │       └── setup
    ├── firebug-lite
    │   ├── skin
    │   │   └── xp
    │   └── src
    ├── json-js
    └── underscore
        └── test

34 directories

$ git clone <a href="https://github.com/lodash/lodash">https://github.com/lodash/lodash</a>
$ cd lodash
$ tree -ad -I '.git*'
.
├── .internal
└── test

2 directories


The tarball distributed as the "source" for the Debian packaging clearly
is *not* what upstream considers its source nor is it what is stated in
debian/copyright was used as source.
<br></div></blockquote><div style="white-space: pre-wrap;"><span style="white-space: pre-wrap;"><br></span></div><div style="white-space: pre-wrap;"><span style="white-space: pre-wrap;">You need to check with the release tarballs: <a href="https://github.com/lodash/lodash/releases">https://github.com/lodash/lodash/releases</a>.</span></div><span style="white-space: pre-wrap;">We don't usually specify the releases page in debian/copyright, only the project page. You can verify this against any other package in Debian.</span></div><div><span style="white-space: pre-wrap;"><br></span></div><div><span style="white-space: pre-wrap;">All files derived from source have their corresponding source code, and it is regenerated during build.</span></div><div><span style="white-space: pre-wrap;"><br></span></div><div><span style="white-space: pre-wrap;">As for lodash-cli, it is included as another source tarball, and you can see this in the dsc file.</span></div><div><span style="white-space: pre-wrap;"><br></span></div><div><span style="white-space: pre-wrap;">For example, you can see that <a href="https://packages.debian.org/source/unstable/node-lodash">https://packages.debian.org/source/unstable/node-lodash</a> lists</span></div><div><span style="white-space: pre-wrap;"><br></span></div><div><span style="white-space: pre-wrap;">File        Size (in kB)    MD5 checksum
node-lodash_4.17.15+dfsg-1.dsc  2.5 kB  7fe2561d015989f65c5fbb62363f796c
node-lodash_4.17.15+dfsg.orig-lodash-cli.tar.xz         40.6 kB         b2217589333a9b2e1dd198bdfa1f3948
node-lodash_4.17.15+dfsg.orig.tar.xz    586.6 kB        fedbf4804767031ddc8d34f43bc37dbe
node-lodash_4.17.15+dfsg-1.debian.tar.xz        5.3 kB  4221804f94c6e7a19c62352d6045d1c7</span></div><div><span style="white-space: pre-wrap;"><br></span></div><div><span style="white-space: pre-wrap;">If you are concerned about the lack of a canonical place to document the embedded modules, then please be clear about it.</span></div><div><span style="white-space: pre-wrap;"><br></span></div><div><span style="white-space: pre-wrap;">Can you be more specific about which files you think violate DFSG, and which section? I assume you meant section 2:</span></div><div><br></div><div><span style="white-space: pre-wrap;">Source Code
    The program must include source code, and must allow distribution in source code as well as compiled form.
<br></span></div><div><span style="white-space: pre-wrap;">So you need to tell me which files you think are not following this requirement.</span></div><div><span style="white-space: pre-wrap;"><br></span></div><div><span style="white-space: pre-wrap;">Are you concerned about files in the vendor directory?</span></div><div><span style="white-space: pre-wrap;"><br></span></div><div><span style="white-space: pre-wrap;">If I remove the vendor directory from the upstream tarball, would your concern be addressed?</span></div><div><span style="white-space: pre-wrap;">
</span><blockquote type="cite"><div class="plaintext" style="white-space: pre-wrap;"> - Jonas

<div>-- 
</div>Pkg-javascript-devel mailing list
<a href="mailto:Pkg-javascript-devel@alioth-lists.debian.net">Pkg-javascript-devel@alioth-lists.debian.net</a>
<a href="https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel">https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel</a></div></blockquote></div></div>
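The checksum table quoted above is where a packager verifies the orig tarballs that the .dsc names, including the separate orig-lodash-cli component. As an added example (not code from this thread or from the node-lodash package), the following POSIX sh check reads a .dsc's Files: stanza and confirms that each listed tarball is present with the recorded MD5 and size; the fixture, its file contents and checksums are constructed here, and only the file names are taken from the thread.

```shell
# Added example, not code from this thread: confirm that every tarball a .dsc
# lists in its Files: stanza is present beside it and matches the recorded MD5
# and size, so a multi-tarball source (orig + orig-lodash-cli) is checked as a unit.
# Assumes POSIX sh with md5sum, wc, awk, mktemp and the usual " <md5> <size> <name>"
# layout. Real .dsc files also carry Checksums-Sha256, which a production check
# should prefer; MD5 is used here because that is what the quoted table shows.
verify_dsc_files() {
  dsc=$1
  dir=$(dirname "$dsc")
  bad=0
  # Files: continuation lines are indented by one space; stop at the next header.
  entries=$(awk '/^Files:/ {f=1; next} /^[^ ]/ {f=0} f {print}' "$dsc")
  while read -r sum size name; do
    [ -n "$name" ] || continue
    path="$dir/$name"
    if [ ! -f "$path" ]; then
      echo "MISSING  $name"
      bad=$((bad + 1))
      continue
    fi
    actual=$(md5sum "$path" | cut -d' ' -f1)
    actual_size=$(wc -c < "$path" | tr -d ' ')
    if [ "$actual" = "$sum" ] && [ "$actual_size" = "$size" ]; then
      echo "OK       $name"
    else
      echo "MISMATCH $name (dsc $sum/$size, got $actual/$actual_size)"
      bad=$((bad + 1))
    fi
  done <<EOF
$entries
EOF
  return "$bad"   # 0 only when every listed file verifies; $bad holds the count
}

# Constructed fixture standing in for the node-lodash upload: two throwaway
# "tarballs" and a .dsc whose Files: stanza records their real MD5 and size.
make_fixture() {
  fx=$(mktemp -d)
  printf 'lodash release tarball stand-in\n' > "$fx/node-lodash_4.17.15+dfsg.orig.tar.xz"
  printf 'lodash-cli component stand-in\n' > "$fx/node-lodash_4.17.15+dfsg.orig-lodash-cli.tar.xz"
  {
    printf 'Format: 3.0 (quilt)\nSource: node-lodash\nVersion: 4.17.15+dfsg-1\nFiles:\n'
    for f in node-lodash_4.17.15+dfsg.orig.tar.xz node-lodash_4.17.15+dfsg.orig-lodash-cli.tar.xz; do
      echo " $(md5sum "$fx/$f" | cut -d' ' -f1) $(wc -c < "$fx/$f" | tr -d ' ') $f"
    done
  } > "$fx/node-lodash_4.17.15+dfsg-1.dsc"
  echo "$fx"   # caller gets the directory path
}
```

Run it as `fx=$(make_fixture); verify_dsc_files "$fx/node-lodash_4.17.15+dfsg-1.dsc"`; appending a byte to either tarball afterwards turns its line into MISMATCH and makes the function return non-zero.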