I suggest we wait a little for a response from non-f...@buildd.debian.org before we make another upload. However if there is no response in two weeks, we can just proceed by making a binary upload of runescape.
Bug #956275 can be resolved by replacing the runescape.png icon. The license is most likely not BSD-2-clause. You should either document the correct license, the image must be distributable at least, or you can create or find your own icon. For instance you could create an image the same size with a black, red or blue background and then you add the R S initials in white. Simple icon, easily done. Bug #956276 is about an additional verification step, e.g. to verify the integrity of the launcher with a hashsum. You could store the value in a text file in our Git repository and then fetch the value and compare it with the hashsum of the binary before you run the java command. By storing the value in Git we can adjust the value whenever there is a new runescape update without having to make another Debian upload. This could be especially useful for stable releases. In any case I would try to avoid to hardcode the value. I don't consider bug #956276 release critical because there is no Debian Policy justification for it and there is no more risk involved than downloading the file with a web browser normally poses, so it should be treated as a normal or important bug. What you can and should do is to improve the package description. It should be clear that src:runescape is a mere script that downloads and runs the runescape launcher and that Debian cannot guarantee the integrity of this binary file because it is non-free and it is closed source. So simply warn about that in the package description and when your script is executed. The warning message could be displayed in a text terminal or you could use zenity to make it more user friendly and obvious. Regards, Markus
signature.asc
Description: OpenPGP digital signature