DFSG review of qgis 3.40.15+dfsg-1: ACCEPTED

Sebastiaan Couwenberg sebastic at xs4all.nl
Sat Feb 7 06:51:26 GMT 2026


Please keep the Maintainer address in the CC, talk to teams not individuals.

On 2/6/26 9:51 PM, Andrew McMillan wrote:
> Hi Sebastiaan,
> 
> The tools we use to do the reviews against DFSG & Policy are semi-
> automated.  The review - and the e-mail - is not automatic, though it
> is partly templated.
> 
> When I sent it I figured that many of these were probably false
> positives.
> 
> Referencing the different variations of "MIT" license in different ways
> is helpful to us, for a faster review, even if *you* might know this.
> 
> The 'cme' checks find useful information in most cases, and sometimes
> find policy issues.
> 
> Our review is not purely licensing.  The mandate for the "DFSG,
> Licensing and New Packages" team is to review against policy, in
> addition to reviewing licensing against the DFSG, as such it is helpful
> *especially* for binary only packages if the review can be as easy as
> possible, since we have to review them repeatedly.
> 
> And no: I'm not going to waste my or upstream time by sending them
> information I discover which *might* *possibly* be a bug: you are
> likely to be in a better position to know if it really is, and I just
> mention it in passing.  If I am the next reviewer I might remember this
> and not send it to you again, but I might forget all this conversation
> and still re-send it: please don't be offended if I do.

All of the issues listed in the review are of the nitpick variety not worth wasting anyone's limited time on.

Please improve your tooling by filtering out these checks which don't report actual issues or issues of a high enough severity to justify spending time on addressing them.

> Regards,
> Andrew McMillan
> 
> On Fri, 2026-02-06 at 12:27 +0100, Sebastiaan Couwenberg wrote:
>> On 2/6/26 11:57 AM, andrew at mcmillan.net.nz wrote:
>>> There are some fixes that could be made to debian/copyright and
>>> debian/control
>>>
>>> Full review details: https://dfsg-new-queue.debian.org/reviews/qgis
>>
>> The duck m/\bnot maintained\b/i is a false positive:
>>
>> "
>>    At the GIS stackexchange or r/QGIS reddit, which are not maintained
>> by the QGIS team, but where the QGIS and broader GIS community
>> provides lots of advice
>> "
>>
>> The http: URLs are verbatim copies from the respective source files.
>>
>>
>> The dodgy check is questionable, "Possible hardcoded password" issues
>> are false positives. And if they weren't that's something you should
>> report upstream, it has nothing to do with DFSG compliance.
>>
>>
>> The copyright check complaint about MIT is likewise of little value.
>> We know which version of the MIT license is predominant, and we
>> include the text in the license paragraph.
>>
>> cme also fails to parse the license alternatives correctly, "LGPL-2.1
>> with Digia Qt LGPL Exception 1.1" is declared in a standalone license
>> paragraph.
>>
>>
>> The cme complaints about unnecessary version requirements are also
>> irrelevant for DFSG compliance.
>>
>>
>> Because of the false positive tendency of these tools, they are not
>> used in our package update workflows.
>>
>> I'm probably wasting my time replying to an automated message, so
>> I'll only do this once just for the record.
>>
>> Kind Regards,
>>
>> Bas
> 


-- 
  PGP Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1


