On Thu, Oct 24, 2019 at 11:40, Jonas Smedegaard <d...@jones.dk> wrote:
Package: node-lodash
Version: 4.17.15+dfsg-1
Severity: serious
Justification: Policy 2.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

The source package src:node-lodash states in its debian/copyright file
that its upstream source is <https://github.com/lodash/lodash>


I don't think that is how the DFSG is interpreted. If that were the case, then we wouldn't be able to modify the upstream tarball at all.

$ apt source node-lodash
$ cd node-lodash-4.17.15+dfsg
$ tree -ad -I .pc
.
├── debian
│   ├── source
│   ├── tests
│   └── upstream
├── dist
├── doc
├── fp
├── .github
├── lib
│   ├── common
│   ├── fp
│   │   └── template
│   │       ├── doc
│   │       └── modules
│   └── main
├── lodash-cli
│   ├── bin
│   ├── lib
│   └── template
├── perf
│   └── asset
├── test
│   └── asset
└── vendor
    ├── backbone
    │   └── test
    │       └── setup
    ├── firebug-lite
    │   ├── skin
    │   │   └── xp
    │   └── src
    ├── json-js
    └── underscore
        └── test

34 directories

$ git clone https://github.com/lodash/lodash
$ cd lodash
$ tree -ad -I '.git*'
.
├── .internal
└── test

2 directories


The tarball distributed as the "source" for the Debian packaging clearly is *not* what upstream considers its source, nor is it what debian/copyright states was used as the source.


You need to check against the release tarballs:
https://github.com/lodash/lodash/releases

We don't usually specify the releases page in debian/copyright, only the project page. You can verify this against any other package in Debian.

All files derived from source have their corresponding source code, and they are regenerated during build.

As for lodash-cli, it is included as another source tarball, and you can see this in the .dsc file.

For example, you can see that https://packages.debian.org/source/unstable/node-lodash lists:

File                                              Size (in kB)  MD5 checksum
node-lodash_4.17.15+dfsg-1.dsc                    2.5 kB        7fe2561d015989f65c5fbb62363f796c
node-lodash_4.17.15+dfsg.orig-lodash-cli.tar.xz   40.6 kB       b2217589333a9b2e1dd198bdfa1f3948
node-lodash_4.17.15+dfsg.orig.tar.xz              586.6 kB      fedbf4804767031ddc8d34f43bc37dbe
node-lodash_4.17.15+dfsg-1.debian.tar.xz          5.3 kB        4221804f94c6e7a19c62352d6045d1c7

If you are concerned about lack of a canonical place to document the embedded modules, then please be clear about it.

Can you be more specific about which files you think violate the DFSG, and which section? I assume you meant section 2,

Source Code
The program must include source code, and must allow distribution in source code as well as compiled form.

So you need to tell me which files you think are not following this requirement.

Are you concerned about files in vendor directory?

If I remove vendor directory from upstream tarball would your concern be addressed?

 - Jonas

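The reply above points at the .dsc as the place where the second orig tarball (lodash-cli) and its checksums are recorded. The script below is an added example for this thread, not code from the mail or from Debian's own tooling: it parses the "Checksums-Sha256:" stanza of a .dsc and checks the size and SHA-256 of each listed tarball on disk, which is the checksum half of what `dscverify` (devscripts) does after verifying the .dsc's OpenPGP signature. The file names mirror the node-lodash upload quoted above, but the "tarballs" and the unsigned .dsc are constructed placeholders so the script runs offline. The MD5 column shown on packages.debian.org is useful for identification only; for integrity, rely on the signed .dsc and its SHA-256 stanza.

```shell
#!/bin/sh
# Added example for this thread, not part of the original mail or of Debian's
# tooling: check the tarballs named in a .dsc's "Checksums-Sha256:" stanza
# against the files on disk. The real workflow is `dscverify` (devscripts),
# which also verifies the .dsc's OpenPGP signature; this covers only the
# checksum step so the logic is visible. Sample files below are constructed.
set -eu

# dsc_verify_sha256 DSCFILE DIR
# Reads the "Checksums-Sha256:" stanza (continuation lines of the form
# " <sha256> <size> <filename>" up to the next "Field:" line) and compares
# size and SHA-256 of each named file in DIR. Returns 0 only if all match.
dsc_verify_sha256() {
    dsc=$1; dir=$2; status=0
    stanza=$(mktemp)
    awk '/^Checksums-Sha256:/ {f=1; next}
         /^[A-Za-z0-9-]+:/   {f=0}
         f && NF == 3        {print}' "$dsc" > "$stanza"
    if [ ! -s "$stanza" ]; then
        echo "no Checksums-Sha256 stanza in $dsc"
        rm -f "$stanza"
        return 1
    fi
    while read -r sum size name; do
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"; status=1; continue
        fi
        actual_size=$(wc -c < "$path" | tr -d ' ')
        actual_sum=$(sha256sum "$path" | cut -c1-64)
        if [ "$actual_size" = "$size" ] && [ "$actual_sum" = "$sum" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (size $actual_size vs $size)"; status=1
        fi
    done < "$stanza"
    rm -f "$stanza"
    return $status
}

# make_sample DIR: write two placeholder "tarballs" named like the thread's
# node-lodash orig components (contents are constructed text, not real
# archives) plus an unsigned .dsc-like file listing their real digests.
make_sample() {
    dir=$1
    printf 'placeholder for the main upstream tarball\n' \
        > "$dir/node-lodash_4.17.15+dfsg.orig.tar.xz"
    printf 'placeholder for the lodash-cli component tarball\n' \
        > "$dir/node-lodash_4.17.15+dfsg.orig-lodash-cli.tar.xz"
    {
        printf 'Format: 3.0 (quilt)\nSource: node-lodash\nVersion: 4.17.15+dfsg-1\n'
        printf 'Checksums-Sha256:\n'
        for f in "$dir"/*.tar.xz; do
            printf ' %s %s %s\n' "$(sha256sum "$f" | cut -c1-64)" \
                "$(wc -c < "$f" | tr -d ' ')" "$(basename "$f")"
        done
        printf 'Files:\n'
    } > "$dir/node-lodash_4.17.15+dfsg-1.dsc"
}

# tamper DIR: append one byte to the component tarball, which is how a
# modified or substituted upload would show up against the .dsc.
tamper() {
    printf 'x' >> "$1/node-lodash_4.17.15+dfsg.orig-lodash-cli.tar.xz"
}

# Stand-alone demo on the constructed sample: clean tree passes, tampered fails.
work=$(mktemp -d)
make_sample "$work"
dsc_verify_sha256 "$work/node-lodash_4.17.15+dfsg-1.dsc" "$work" && echo "clean: all listed files match"
tamper "$work"
dsc_verify_sha256 "$work/node-lodash_4.17.15+dfsg-1.dsc" "$work" || echo "tampered: mismatch detected"
rm -rf "$work"
```

On a real package, run `dscverify node-lodash_4.17.15+dfsg-1.dsc` in the directory that holds the .dsc and both orig tarballs; it rejects the set if the signature does not check out or if any listed file differs, so the checksum loop above is only worth running by hand when you want to see which component failed.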
--
Pkg-javascript-devel mailing list
pkg-javascript-de...@alioth-lists.debian.net <mailto:pkg-javascript-de...@alioth-lists.debian.net>
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel>
