[pkg-php-pear] php-parser_0.9.4-1_amd64.changes REJECTED

David Prévot taffit at debian.org
Fri Jun 6 21:33:34 UTC 2014


Hi Thorsten,

On 06/06/2014 16:45, Thorsten Alteholz wrote:
> On Fri, 6 Jun 2014, David Prévot wrote:
>> Actually the <license> is documented in the package.xml file provided in
>> the source tarball,
> 
> but where did this file come from?

$ uscan --force --download-version 0.9.4 --verbose
-- Scanning for watchfiles in .
-- Found watchfile in ./debian
-- In debian/watch, processing watchfile line:
   http://nikic.github.io/pear/
http://nikic.github.io/pear/get/PHPParser-([\d\.]+)\.tgz
-- Found the following matching hrefs:
     http://nikic.github.io/pear/get/PHPParser-0.9.4.tgz (0.9.4)
[…]

> I couldn't find it in the release
> tarballs from upstream!? Actually your source tarball looked rather
> different from the upstream one.

PHPParser-0.9.4.tgz is identical to php-parser_0.9.4.orig.tar.gz TTBOMK.

>>                     and debian/copyright reproduces the license provided
>> in the upstream source repository at that time, so the source package is
>> “accompanied by a verbatim copy of its copyright information and
>> distribution license” as expected by the Debian policy.
> 
> But the package.xml contained just "BSD", which could be BSD2, BSD3,
> BSD4. In this case it would be nice to have a comment in
> debian/copyright how to get the complete license information.

Well, I did copy the verbatim license as mandated by the policy [1], and
don’t expect upstream to provide a PEAR package anymore (1.0.0~beta1 is
only available via Composer, which is a recurrent trend), so I don’t
believe such a workaround (i.e. double check the license file from the
upstream repository that is anyway provided in the package VCS) will be
needed after this initial upload.

	1: https://github.com/nikic/PHP-Parser/blob/v0.9.4/LICENSE
	2: http://anonscm.debian.org/gitweb/?p=pkg-php/php-parser.git;a=blob;f=LICENSE;h=443210b44ab103f18d4246919ef885df52faf43a;hb=1e5e280ae88a27effa2ae4aa2bd088494ed8594f

>> What are you exactly expecting? I mean that I don’t understand what is
>> actually missing, and thus ask for guidance.
> 
> I expect to find the complete license text within the source tarball
> (ok, only if the license requires that). I also expect that this license
> information appears in debian/copyright.
> Further I expect to be able to download the original source tarball from
> the links in debian/copyright or debian/control. In case this is not
> possible, it should be documented in debian/README.source.

I expect uscan (and thus d/watch) to be the usual way to download an
upstream tarball for a Debian package. Would an explicit get-orig-source
rule in debian/rules (simply calling uscan), since that is documented in
the Debian policy, put you at ease (i.e., would that be enough to
address the initial issue that led you to reject that package)?

I can admit abusing a little bit the Source field from the format 1.0
copyright because it provides a nice and easy way to document the
upstream VCS as needed by the gbp workflow “When upstream uses GIT”[3],
but didn’t expect such bending would lead to a rejection ;).

	3: http://honk.sigxcpu.org/projects/git-buildpackage/manual-html/gbp.import.html#GBP.IMPORT.UPSTREAM.GIT.TARBALL

> You can do almost anything as long as it is documented and all steps are
> easily comprehensible for others.

I’m happy to provide an explicit get-orig-source rule, and/or an
explicit link to [1] in d/copyright, and/or add a one shot
d/README.source file as you see fit. Thanks anyway for the attention put
into the Debian archive.

Regards

David

