Bug#725210: embeds multiple libraries, at least two of which undistributable

Jeremy Lainé jeremy.laine at m4x.org
Thu Oct 3 05:49:35 UTC 2013


On 10/02/2013 10:23 PM, Faidon Liambotis wrote:
> Package: asterisk
> Version: 1:11.5.1~dfsg-2
> Severity: serious
>
> I was surprised and initially happy to see Asterisk 11 uploaded into
> sid. My happiness quickly diminished when I saw that the upload contains
> the embedded pjproject as-is, despite this issue having been flagged for
> months now and being the sole blocker for an upload since the release of
> Asterisk 11 eleven months ago.
>
> There are several policy violations here:
>  - Contains a convenience copy of pjproject under res/pjproject (§4.13)

This is indeed a slip-up; the pjproject source was definitely intended to be stripped from
the asterisk tarball, as documented in debian/changelog. I found the commit which removed
the pjproject-stripping code from debian/rules:

http://anonscm.debian.org/gitweb/?p=pkg-voip/asterisk.git;a=commitdiff;h=6148e287cc35d0756785af74fe2bfa6f3148d706

>  - pjproject itself contains convenience copies of several libraries
>    under res/pjproject/third_party/, some of which are already packaged in
>    Debian (§4.13)
>  - All of the above are completely undocumented in d/copyright (§12.5)
>  - Not only are they undocumented, but it looks like no audit has
>    happened on them whatsoever. From a very cursory look, at least
>    res/pjproject/third_party/milenage/ & res/pjproject/third_party/g7221/
>    seem to completely lack license information other than the occasional
>    "All right reserved", which makes them undistributable by Debian or
>    anyone else. (§2.3)
>

You may not have noticed, but pjproject has its own package:

http://packages.qa.debian.org/p/pjproject.html

Go take a look at the pjproject packaging and you will find these points have been addressed.

> I'm baffled on how a DD could ever upload this into the archive, esp.
> since these issues were widely known and discussed beforehand. Please
> refrain from making such uploads in the future, as it's both a disgrace
> to Debian's standards and a legal risk.

I suggest you have more than a cursory look next time before using this kind of tone.

Thanks anyway for the report,
Jeremy


