Bug#950363: licensecheck reports dubious (may be misleading) information for image files

Fri Jan 31 18:34:08 GMT 2020

Package: licensecheck
Version: 3.0.40-1
Severity: normal

Dear Maintainer,

When parsing an image file as a binary blob, licenscheck report that the copyright of the image is owned by HP:

$ licensecheck --encoding utf8 --copyright --machine --deb-fmt --recursive docs/src/static/diagrams.key//Data/st0-311.jpg
docs/src/static/diagrams.key//Data/st0-311.jpg  UNKNOWN 1998 Hewlett-Packard CompanydescsRGB IEC61966-2.1sRGB IEC61966-2.1XYZ óQÌXYZ XYZ o¢8õXYZ b· / ±¹ÁÉÑÙáéòú / ®²·¼ÁÆËÐÕÛàåëðöû

I think licensecheck is misled by the copyright ownership of the color profile
of this image:

$ exiftool docs/src/static/diagrams.key//Data/st0-311.jpg | grep Profile
Profile CMM Type                : Linotronic
Profile Version                 : 2.1.0
Profile Class                   : Display Device Profile
Profile Connection Space        : XYZ
Profile Date Time               : 1998:02:09 06:49:00
Profile File Signature          : acsp
Profile Creator                 : Hewlett-Packard
Profile ID                      : 0
Profile Copyright               : Copyright (c) 1998 Hewlett-Packard Company
Profile Description             : sRGB IEC61966-2.1

The image itself has not Copyright information:

$ exiftool docs/src/static/diagrams.key//Data/st0-311.jpg | grep -i copyright
Profile Copyright               : Copyright (c) 1998 Hewlett-Packard Company

All the best

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.4.0-3-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages licensecheck depends on:
ii  libarray-intspan-perl                  2.003-1
ii  libgetopt-long-descriptive-perl        0.104-1
ii  liblist-someutils-perl                 0.58-1
ii  liblog-any-adapter-screen-perl         0.140-1
ii  liblog-any-perl                        1.708-1
ii  libmoo-perl                            2.003006-1
ii  libnamespace-clean-perl                0.27-1
ii  libpath-iterator-rule-perl             1.014-1
ii  libpath-tiny-perl                      0.108-1
ii  libpod-constants-perl                  0.19-1
ii  libre-engine-re2-perl                  0.13-4+b1
ii  libregexp-pattern-license-perl         3.1.100-1
ii  libregexp-pattern-perl                 0.2.11-1
ii  libscalar-list-utils-perl              1:1.53-1
ii  libsort-key-perl                       1.33-2+b2
ii  libstrictures-perl                     2.000006-1
ii  libstring-copyright-perl               0.003006-1
ii  libstring-escape-perl                  2010.002-2
ii  libtry-tiny-perl                       0.30-1
ii  perl                                   5.30.0-9
ii  perl-base [libscalar-list-utils-perl]  5.30.0-9

licensecheck recommends no packages.

Versions of packages licensecheck suggests:
ii  bash-completion  1:2.10-1

-- no debconf information