[Pkg-utopia-maintainers] cockpit-files_32-1_amd64.changes REJECTED

Martin Pitt mpitt at debian.org
Sun Feb 1 09:09:51 GMT 2026 

Hello Emmanuel,

first of all, I want to thank you a lot for your courage and efforts to work in
the new DFSG team! This has been a major bottleneck in the past few years. I've
tried to get cockpit-files into Debian since July 2024, so I'm really happy to
see some progress! 🎉

Emmanuel Arias [2026-01-30 20:59 +0000]:
> - Please mention dpkg/lib/cockpit-components-checkbox-select.tsx is Expat
> - Please mention pkg/lib/cockpit-components-multi-typeahead-select.tsx is Expat
> - Please mention pkg/lib/cockpit-components-simple-select.tsx is Expat
> - Please mention pkg/lib/cockpit-components-typeahead-select.tsx is Expat
> - Please mention test/common/pixeldiff.html is Expat
> - Please add a paragraph for debian/* files
> - If it is possible, please add the Upstream-Contact
> - Please also mention Copyright 2010-2020 Python Software Foundation. and 2020 argparse.js authors for node/argparse/argparse.js
> - Only files in /node/resolve/test/resolver/nested_symlinks/mylib are Lincense ISC.

Good catches! I fixed all of these in [0]. They affect all our projects, i.e.
also cockpit{,-machines,-podman} which are already in Debian. So fixing them in
the central project first, as the others share the copyright building script.

> - Please detail that node/@bufbuild/protobuf/dist/esm/wire/varint.js and
>   node/@bufbuild/protobuf/dist/cjs/wire/varint.js are BSD-3-Clause

This is the troublesome item. Note that all the node/* entries in
debian/copyright are autogenerated from [1] by replacing `#NPM#` with actual
contents through [2]. I.e. IMHO in the long run it is more useful to actually
keep this file up to date automatically with added/removed/updated node
modules, and sacrifice a little precision and editorial "niceness" for that.

protobuf's package.json [3] directly says

> "license": "(Apache-2.0 AND BSD-3-Clause)",

and there are no sub-packages in there which would further differentiate
between which code is covered under which license (unlike for the "resolve"
module, that part is fixed in [0]).

Dissecting node package licenses by individual files automatically is error
prone, complicated, and cannot really be correct either -- these files are
written by humans which are notoriously bad at adding license statements to new
files, or keeping copyright years up to date etc. I can probably find some
quirk/special-case, but it would make the copyright generation script even more
complicated and error prone.

It seems to me that this "Apache-2.0 AND BSD-3-Clause" statement is "correct
enough", and that this is the best balance between long-term correctness
through automation and short-term "good enough" correctness.

Does that change your opinion about the bufbuild paragraph, or still want me to
special-case this?

Thanks, and all the best!

Martin


[0] https://github.com/cockpit-project/cockpit/pull/22837
[1] https://github.com/cockpit-project/cockpit/blob/main/tools/debian/copyright.template#L30
[2] https://github.com/cockpit-project/cockpit/blob/main/tools/build-debian-copyright
[3] https://github.com/cockpit-project/cockpit/blob/main/tools/build-debian-copyright
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-utopia-maintainers/attachments/20260201/57348b63/attachment.sig>

More information about the Pkg-utopia-maintainers mailing list