All of this is just my opinion, of course...If it were my package, I'd probably do something like this (which could list multiple files):
Files: testdata/valid-evidence.json Copyright: OWASP Foundation License: Apache-2.0 Comment: This file contains strings that are test copyright statements, which are being used as a test vector for proper license/copyright parsing. They do not correspond to any copyright of this package.That way, you are really explicit about which files have the issue. If you put the comment at the top-level and just say "Several files", it's a lot less clear which files you're talking about. You said it was many, and I haven't looked at the package itself, so I might do something different if it was really a large number that couldn't be covered by glob patterns.
I wouldn't copy the fake copyright statements into debian/copyright. That feels wrong to me.
-- Richard
OpenPGP_signature.asc
Description: OpenPGP digital signature
