Bug#725210: embeds multiple libraries, at least two of which undistributable
Jeremy Lainé
jeremy.laine at m4x.org
Thu Oct 3 05:49:35 UTC 2013
On 10/02/2013 10:23 PM, Faidon Liambotis wrote:
> Package: asterisk
> Version: 1:11.5.1~dfsg-2
> Severity: serious
>
> I was surprised and initially happy to see Asterisk 11 uploaded into
> sid. My happiness quickly diminished when I saw that the upload contains
> the embedded pjproject as-is, despite this issue having been flagged for
> months now and being the sole blocker for an upload since the release of
> Asterisk 11 eleven months ago.
>
> There are several policy violations here:
> - Contains a convenience copy of pjproject under res/pjproject (§4.13)
This is indeed a slip-up; the pjproject source was definitely intended to be stripped from
the asterisk tarball, as documented in debian/changelog. I found the commit which removed
the pjproject-stripping-code from debian/rules:
http://anonscm.debian.org/gitweb/?p=pkg-voip/asterisk.git;a=commitdiff;h=6148e287cc35d0756785af74fe2bfa6f3148d706
> - pjproject itself contains convenience copies of several libraries
>   under res/pjproject/third_party/ some of which are already packaged in
>   Debian (§4.13)
> - All of the above are completely undocumented in d/copyright (§12.5)
> - Not only are they undocumented, but it looks like no audit has
>   happened on them whatsoever. From a very cursory look, at least
>   res/pjproject/third_party/milenage/ & res/pjproject/third_party/g7221/
>   seem to completely lack license information other than the occasional
>   "All right reserved", which makes them undistributable by Debian or
>   anyone else. (§2.3)
>
You may not have noticed, but pjproject has its own package:
http://packages.qa.debian.org/p/pjproject.html
Go take a look at the pjproject packaging and you will find these points have been addressed.
> I'm baffled on how a DD could ever upload this into the archive, esp.
> since these issues were widely known and discussed beforehand. Please
> refrain from making such uploads in the future, as it's both a disgrace
> to Debian's standards and a legal risk.
I suggest you have more than a cursory look next time before using this kind of tone.
Thanks anyway for the report,
Jeremy