The Debian NEW review of mstpd 0.2.0-1 has been completed.

Decision: REJECTED
Reviewer: Reinhard Tartler

Review comment:

Thanks for your diligence while working on this package. It's great to
see the broadcom_xstrata issues resolved. I've had another look
through the source, and there is a significant legal concern regarding
derived works that needs to be cleared up.

The README.md mentions that the initial code was partially "shamelessly
stolen" from the rstplib project. This is a bit of a problem because if
mstp.c or other files are derived from rstplib, we have a legal
obligation under the GPL to preserve the original copyright notices and
attributions. Failing to document Alex Rozin <[email protected]> and
Michael Rozhavsky <[email protected]> as copyright holders for the
relevant code is effectively a license violation. It makes the package
legally hazardous for the project to distribute, as we would be
misrepresenting the ownership of the code.

I also noticed a few other spots where the attribution is a bit thin.
Satish Ashok <[email protected]> is listed as the author for
several scripts in utils/ (like ifupdown.sh.in) and is credited in
the README for major features like BPDU Guard. Similarly, Alexandru
Ardelean <[email protected]> is the author of clock_gettime.h.
These contributors should really be added to the relevant stanzas in
debian/copyright rather than just falling into the generic "mstpd
contributors" catch-all.

Finally, on brmon.c, the header lists specific modification dates from
2006 and 2011. It would be good to update the years in the copyright
file to reflect these more accurately.

Please take a moment to do a thorough sweep for any other missing
authors, update debian/copyright to include these attributions, and
re-upload once it's all squared away.

-rt

Full review details: https://dfsg-new-queue.debian.org/reviews/mstpd
