Bug#953487: fixed in runescape 0.7-1

Carlos Donizete Froes coringao at riseup.net
Mon Apr 13 11:18:47 BST 2020


Hi Markus,

> I suggest we wait a little for a response from
> non-free at buildd.debian.org before we make another upload. However if
> there is no response in two weeks, we can just proceed by making a
> binary upload of runescape.

Perfect, I will be waiting and I hope it is a positive answer. ;)

> Bug #956275 can be resolved by replacing the runescape.png icon. The
> license is most likely not BSD-2-clause. You should either document the
> correct license, the image must be distributable at least, or you can
> create or find your own icon. For instance you could create an image the
> same size with a black, red or blue background and then you add the R S
> initials in white. Simple icon, easily done.

Removed icon that does not belong to the BSD-2-clause license and created the
icon itself in SVG and PNG formats using the Inkscape software.[1]

[1] https://gitlab.com/coringao/runescape/-/blob/master/src/runescape.png

> Bug #956276 is about an additional verification step, e.g. to verify the
> integrity of the launcher with a hashsum. You could store the value in a
> text file in our Git repository and then fetch the value and compare it
> with the hashsum of the binary before you run the java command. By
> storing the value in Git we can adjust the value whenever there is a new
> runescape update without having to make another Debian upload. This
> could be especially useful for stable releases. In any case I would try
> to avoid hardcoding the value.
> 
> I don't consider bug #956276 release critical because there is no Debian
> Policy justification for it and there is no more risk involved than
> downloading the file with a web browser normally poses, so it should be
> treated as a normal or important bug. What you can and should do is to
> improve the package description. It should be clear that src:runescape
> is a mere script that downloads and runs the runescape launcher and that
> Debian cannot guarantee the integrity of this binary file because it is
> non-free and it is closed source. So simply warn about that in the
> package description and when your script is executed. The warning
> message could be displayed in a text terminal or you could use zenity to
> make it more user friendly and obvious.

Added verification of the downloaded file against a hash in good condition. I
thank Stephen Kitt for helping me. :D

I added a friendly warning when running the launcher via kdialog or zenity.[2]

[2] https://gitlab.com/coringao/runescape/-/blob/master/src/runescape.sh

Once approved by non-free at buildd.debian.org, I will update the package to
version 0.8, where I will add this warning to the long description of
"debian/control" and depends: kdialog | zenity.

See you later!

-- 
⢀⣴⠾⠻⢶⣦⠀ Carlos Donizete Froes [a.k.a coringao]
⣾⠁⢠⠒⠀⣿⡁ Debian Wiki: https://wiki.debian.org/coringao
⢿⡄⠘⠷⠚⠋⠀ GPG: 4096R/B638B780
⠈⠳⣄⠀⠀⠀  2157 630B D441 A775 BEFF  D35F FA63 ADA6 B638 B780
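
The integrity check discussed in this thread (compare the launcher's hashsum with a value kept in a text file before running the java command), as an added example that is not part of the original message and is not the package's runescape.sh. It assumes SHA-256 and a reference file that has already been fetched to disk; `verify_launcher` and the paths in the comments are hypothetical names.

```shell
#!/bin/sh
# Added example, not the package's own script. Assumptions: the reference
# value is a SHA-256 hex digest stored in a local text file (already fetched
# from the repository); function and file names are hypothetical.

# verify_launcher FILE HASHFILE
# Returns 0 only when FILE's SHA-256 equals the digest in HASHFILE.
# Every other outcome returns non-zero so the caller refuses to start:
#   1 = digest mismatch, 2 = launcher missing, 3 = reference hash unusable.
verify_launcher() {
    file=$1
    hashfile=$2

    [ -f "$file" ] || { echo "launcher not found: $file" >&2; return 2; }
    [ -s "$hashfile" ] || { echo "no reference hash available" >&2; return 3; }

    # First field of the first line, lower-cased, so a bare digest and
    # "digest  filename" (sha256sum output) are both accepted.
    expected=$(awk 'NR==1 { print tolower($1) }' "$hashfile")

    # Reject anything that is not exactly 64 hex characters, e.g. an HTML
    # error page saved in place of the hash after a failed fetch.
    case $expected in
        *[!0-9a-f]*) echo "malformed reference hash" >&2; return 3 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed reference hash" >&2; return 3; }

    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "hash mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# Usage in a launcher script (placeholder paths): run the java command
# only after the check succeeds, and stop otherwise.
#   verify_launcher "$cache/launcher.bin" "$cache/launcher.sha256" || exit 1
```

The reference file is only as trustworthy as the channel it was fetched over, so a failed or tampered fetch has to end in a refusal to run rather than a skipped check.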