[Pkg-javascript-devel] Bug#943389: Bug#943389: node-lodash: source package does not contain upstream source
Pirate Praveen
praveen at onenetbeyond.org
Thu Oct 24 14:34:15 BST 2019
On Thu, Oct 24, 2019 at 11:40, Jonas Smedegaard <dr at jones.dk> wrote:
> Package: node-lodash
> Version: 4.17.15+dfsg-1
> Severity: serious
> Justification: Policy 2.1
>
> The source package src:node-lodash states in its debian/copyright file
> that its upstream source is <https://github.com/lodash/lodash>
>
I don't think that is how DFSG is interpreted. If that were the case,
then we won't be able to modify upstream tarball at all.
> $ apt source node-lodash
> $ cd node-lodash-4.17.15+dfsg
> $ tree -ad -I .pc
> .
> ├── debian
> │ ├── source
> │ ├── tests
> │ └── upstream
> ├── dist
> ├── doc
> ├── fp
> ├── .github
> ├── lib
> │ ├── common
> │ ├── fp
> │ │ └── template
> │ │ ├── doc
> │ │ └── modules
> │ └── main
> ├── lodash-cli
> │ ├── bin
> │ ├── lib
> │ └── template
> ├── perf
> │ └── asset
> ├── test
> │ └── asset
> └── vendor
> ├── backbone
> │ └── test
> │ └── setup
> ├── firebug-lite
> │ ├── skin
> │ │ └── xp
> │ └── src
> ├── json-js
> └── underscore
> └── test
>
> 34 directories
>
> $ git clone <https://github.com/lodash/lodash>
> $ cd lodash
> $ tree -ad -I '.git*'
> .
> ├── .internal
> └── test
>
> 2 directories
>
>
> The tarball distributed as the "source" for the Debian packaging clearly
> is *not* what upstream considers its source nor is it what is stated in
> debian/copyright was used as source.
>
You need to check with the release tarballs:
https://github.com/lodash/lodash/releases
We don't usually specify the releases page in debian/copyright, only the
project page. You can verify this against any other package in Debian.
All files derived from source have their corresponding source code and
it is regenerated during build.
As for lodash-cli, it is included as another source tarball and you can
see this in the dsc file.
For example you can see
https://packages.debian.org/source/unstable/node-lodash lists

  File                                             Size (in kB)  MD5 checksum
  node-lodash_4.17.15+dfsg-1.dsc                   2.5 kB        7fe2561d015989f65c5fbb62363f796c
  node-lodash_4.17.15+dfsg.orig-lodash-cli.tar.xz  40.6 kB       b2217589333a9b2e1dd198bdfa1f3948
  node-lodash_4.17.15+dfsg.orig.tar.xz             586.6 kB      fedbf4804767031ddc8d34f43bc37dbe
  node-lodash_4.17.15+dfsg-1.debian.tar.xz         5.3 kB        4221804f94c6e7a19c62352d6045d1c7

If you are concerned about lack of a canonical place to document the
embedded modules, then please be clear about it.
Can you be more specific about which files you think violate DFSG, and be
specific about which section? I assume you meant section 2:

  Source Code
  The program must include source code, and must allow distribution
  in source code as well as compiled form.

So you need to tell which files you think are not following this
requirement.
Are you concerned about files in vendor directory?
If I remove vendor directory from upstream tarball would your concern
be addressed?
> - Jonas
>
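
Added example, not part of the original message and not Debian's own tooling: the multi-tarball layout referred to above ("you can see this in the dsc file"), checked in Python. It parses the Checksums-Sha256 field of a .dsc, verifies each listed file, and attributes each top-level directory of the unpacked tree to the tarball that provides it. It assumes source format "3.0 (quilt)", where an .orig-<component> tarball unpacks into <component>/; the file names come from the message, the file contents and checksums are constructed.

```python
import hashlib
import re

# .orig.tar.* is the main upstream tarball; .orig-<component>.tar.* is an
# additional one that dpkg-source unpacks into a subdirectory <component>/.
ORIG_RE = re.compile(r"\.orig(?:-([A-Za-z0-9-]+))?\.tar\.[a-z0-9]+$")

def parse_checksums(dsc_text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} from one multi-line .dsc field."""
    entries, in_field = {}, False
    for line in dsc_text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
        elif in_field and line.startswith(" "):
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
        else:
            in_field = False
    return entries

def verify(dsc_text, blobs):
    """Compare each listed file with the bytes in blobs: ok / missing / mismatch."""
    result = {}
    for name, (digest, size) in parse_checksums(dsc_text).items():
        data = blobs.get(name)
        if data is None:
            result[name] = "missing"
        elif len(data) == size and hashlib.sha256(data).hexdigest() == digest:
            result[name] = "ok"
        else:
            result[name] = "mismatch"
    return result

def attribute_dirs(dsc_text, top_level_dirs):
    """Map each top-level directory of the unpacked tree to the tarball providing it."""
    main = packaging = None
    components = {}
    for name in parse_checksums(dsc_text):
        m = ORIG_RE.search(name)
        if m and m.group(1):
            components[m.group(1)] = name
        elif m:
            main = name
        elif ".debian.tar." in name:
            packaging = name
    return {d: packaging if d == "debian" else components.get(d, main)
            for d in top_level_dirs}

# Constructed sample: file names are from the message, contents are dummy bytes.
PKG = "node-lodash_4.17.15+dfsg"
BLOBS = {PKG + ".orig.tar.xz": b"main", PKG + ".orig-lodash-cli.tar.xz": b"cli",
         PKG + "-1.debian.tar.xz": b"packaging"}
DSC = "Format: 3.0 (quilt)\nSource: node-lodash\nChecksums-Sha256:\n" + "".join(
    f" {hashlib.sha256(b).hexdigest()} {len(b)} {n}\n" for n, b in BLOBS.items())
```

Against a real package, read the .dsc downloaded by apt source into dsc_text and the tarballs beside it into blobs; the signature on the .dsc has to be checked separately (for example with dscverify) before its checksums mean anything.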