Debian NEW review of bmagic 7.13.4+dfsg-2: REJECTED

siretart at debian.org siretart at debian.org
Mon May 4 02:31:38 BST 2026 

The Debian NEW review of bmagic 7.13.4+dfsg-2 has been completed.

Decision: REJECTED
Reviewer: Reinhard Tartler

Review comment:

Thanks for your diligence while working on this package. I've had a
look through the source, and while it's mostly there, I have to
reject it for now because of a few significant DFSG issues.

The main blocker is a non-free attribution requirement found in the
LICENSE file (and echoed in README.md and debian/copyright). It
states: "Proper BitMagic reference on your product/project page is a
REQUIREMENT for using the Library." This is a significant problem for
Debian's main archive because it imposes a specific redistribution
burden that goes beyond standard free software licenses. Requiring a
reference on a "product/project page" is a restriction that violates
DFSG 1 (Free Redistribution) and DFSG 3 (Derived Works), as it forces
downstream users to maintain a specific type of presence (a project
page) to use or modify the software. It is effectively an
advertising-style clause that is too restrictive for main.

Additionally, I found a binary blob in the source package at
msvc32/.vs/bm/v15/ipch/AutoPCH/60fd1a078cd898e5/PERF.ipch. This appears
to be a Microsoft Visual C++ precompiled header file. As a binary
artifact with no corresponding source form in a format we can modify,
it must be removed from the upstream tarball (using Files-Excluded in
debian/copyright).

There are also several discrepancies in debian/copyright that need
addressing. While the package is primarily Apache-2.0, there are quite
a few files under different licenses that are not listed:

- src/sse2neon.h is under the MIT license and is a bundled copy of the
  sse2neon project.
- src/bmavx2.h and src/bmavx512.h contain significant portions of code
  from libpopcnt, which is under a BSD-2-Clause license.
- tests/stress/stacktrace_dbg.h is licensed under WTFPL-2.0.
- lang-maps/jni/src/jnialloc.h and
  lang-maps/libbm/src/try_throw_catch.h are also MIT licensed.

Please ensure all these licenses and their respective copyright
holders are fully documented. For the bundled code, Debian Policy 4.13
generally requires unbundling if the library is already available in the
archive (like sse2neon), so you should look into using the packaged
versions instead.

Finally, please double-check the copyright years. The
debian/copyright file lists up to 2023, but many source files still
only list up to 2019 or 2022. It's best to keep these consistent with
what's actually in the source headers.

-rt

Full review details: https://dfsg-new-queue.debian.org/reviews/bmagic

More information about the debian-science-maintainers mailing list