[Debian-med-packaging] liblemon_1.3.1+dfsg-1_amd64.changes REJECTED [and 2 more messages]

Ian Jackson ijackson at chiark.greenend.org.uk
Tue Aug 9 14:33:16 UTC 2016


Andreas Tille writes ("Re: liblemon_1.3.1+dfsg-1_amd64.changes REJECTED [and 2 more messages]"):
> On Tue, Aug 09, 2016 at 01:30:39PM +0100, Ian Jackson wrote:
> > Are you really saying that it is not necessary for the .deb to contain
> > the authorship and copyright notices for the contents of the package ?
> 
> I do not think that this was said.

Perhaps I am confused; there have been a number of positions advanced
by various people.  Sorry if I have misrepresented anyone.

> > ISTM that if the .deb contains this jquery.js, then the .deb (or
> > something it Depends on) must contain the authorship and copyright
> > notices for that jquery.js.  (This is both an ethical and legal
> > requirement.)
> 
> Sure.  But this is documented in the Build-Depends of the package,
> isn't it?

I don't understand how this response makes sense.  Perhaps I am
ignorant of the facts.

In an effort to better understand what was going on, I tried to find a
copy of the package which was rejected, or of the REJECTED notice.  I
wasn't successful.  Perhaps I looked in the wrong places.

My understanding of the facts is:

1. The source package declares Build-Depends on doxygen.  During
   the build, doxygen is run to build the documentation.

2. During this docs build doxygen copies this jquery.js into the
   resulting .debs.

3. Confusingly this jquery.js is not actually JQuery.

4. Nothing puts anything (relevantly) in Built-Using.

5. The source package contains a copyright file which does not mention
   doxygen or contain any information about this jquery.js.

6. The copyright file from the source package is copied automatically
   into the .debs and nothing modifies it.

7. Consequently, the .debs do not contain the authorship or copyright
   notices relating to this jquery.js, even though they contain the
   file.  (Nor do they contain references to the notices.)

IMO:

1 (running doxygen to build the docs) is obviously desirable.

2-4 (copied rather than referenced jquery.js; anomalous name for
jqeury.js; lack of Built-Using) are all undesirable, but none of them
are RC bugs or REJECT-worthy.

5 (source copyright file does not mention any of this) is correct,
although it would not be wrong to mention it.

6 (nothing inserts relevant info into .deb copyright files) is a
missing critical feature (probably, in dh_doxygen).

7 (lack of authorship and copright info in .deb for a file contained
in the .deb) is a release-critical bug and a proper reason for the
package to be REJECTED.

In the absence of improvements to the tools, the problem could be
worked around by each doxygen-using package putting "unused" copyright
information, about jquery.js, in the source package copyright file.
But this is annoying to do because lintian complains, and because this
copyright info would easily get out of date and need updating.


> > IMO this doesn't depend on whether this jquery.js results in a
> > Built-Using.
> 
> I'm not aware that we document in d/control any files that are not
> contained inside the package source.  If the package builds inside a
> pbuilder chroot it can be perfectly assumed that all content is
> documented properly in the Build-Depends.

I think that part of the misunderstanding is a confusion between
source copyright files and binary copyright files.

Ian.


-- 
Ian Jackson <ijackson at chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.



More information about the Debian-med-packaging mailing list