[Pkg-javascript-devel] Bug#943389: node-lodash: source package does not contain upstream source

Jonas Smedegaard dr at jones.dk
Thu Oct 24 10:40:56 BST 2019 

Package: node-lodash
Version: 4.17.15+dfsg-1
Severity: serious
Justification: Policy 2.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

The source package src:node-lodash states in its debian/copyright file
that its upstream source is https://github.com/lodash/lodash

$ apt source node-lodash
$ cd node-lodash-4.17.15+dfsg
$ tree -ad -I .pc
.
├── debian
│   ├── source
│   ├── tests
│   └── upstream
├── dist
├── doc
├── fp
├── .github
├── lib
│   ├── common
│   ├── fp
│   │   └── template
│   │       ├── doc
│   │       └── modules
│   └── main
├── lodash-cli
│   ├── bin
│   ├── lib
│   └── template
├── perf
│   └── asset
├── test
│   └── asset
└── vendor
    ├── backbone
    │   └── test
    │       └── setup
    ├── firebug-lite
    │   ├── skin
    │   │   └── xp
    │   └── src
    ├── json-js
    └── underscore
        └── test

34 directories

$ git clone https://github.com/lodash/lodash
$ cd lodash
$ tree -ad -I '.git*'
.
├── .internal
└── test

2 directories


The tarball distributed as the "source" for the Debian packaging clearly
is *not* what upstream considers its source nor is it what is stated in
debian/copyright was used as source.

 - Jonas

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEn+Ppw2aRpp/1PMaELHwxRsGgASEFAl2xcaUACgkQLHwxRsGg
ASGnLg/+Lsiq8c+vzd/2x9lXH7SwucK3bNiYl8X5QJYpC3Wuh72jEOHjl1gWl5MZ
uYBnR9G8h3UQNm0Tn2lgUAudhtV7af3mYJkKxBA6FMfYGEwPvig+8SoX0i0C3sjE
+fU01KFebmRsxJ+Of278titobzfgX2MJzWVQtzN5VbIvfAfuaQ4hjun0NCyPdbeM
2GKH5vnfs9Woi6P6ZmixlCvyT3B6bwl71q+x7RCNtAa5NhB8GrBMBG07jehrpCvK
gmhYNDnQeFYVQLObS8M5r/bLvT/9K7EuaPZxyhAg73c2bMOxcElwVC/IuZA832IL
woRqco6pJVYhLZ59sngrtqP9f/dkUF8IJkkFHCiDSfkcyFv37Vr0tJYSur1q+bWB
2viX9k2Nh4xbQ/P9RrWBhAcjrLRqTh3KD94kIJ6iVVhYxcwqVY/E31p2lwBLZZVx
jAGmdb4fYF+3Qgkmv0Hn67rWMEz8cWW0QZocIRMD/PmJJNgOUuTBV8asdF3wLo87
FfLJeeL6B6+taXJKK7lGgPv6cOkgjWamFNh7c4K1xsMWC2jmbQ6nSv23NJh8AwqQ
fNvKe2wXYqK0vedy4Z1QwXYXhA2yTGY4FmMvo+nXSuJ8Cp7/hbt0xy/g6N84cybX
v2SA5RhlSN8Y7xBvrK1DW1U+bATi6zTiIUSrnElg1tkj1JkcaTs=
=kSoi
-----END PGP SIGNATURE-----

More information about the Pkg-javascript-devel mailing list