On Wed, Jun 03, 2026 at 02:46:52PM +0200, Marc Haber wrote:
> Who is the upstream of aclocal.m4? Do I REALLY have to talk to people who
> contributed two lines of code to GNU autotools three decades ago to maintain
> a simple package in Debian?

No-one, because it is a generated file.  So if you care, you provide
sources without all those files, which are already rebuilt by
dh_autoreconf anyway.  This then also plugs the xz shaped hole.

> This all doesn't help. We need definitive guidelines that package
> maintainers can adhere to. Maintaining debian/copyright already takes more
> time than maintaining the actual package, it is impossible to do right, and
> frankly, I ask myself why I am still maintaining packages for Debian EVERY
> time I open up an editor in debian/copyright.

The complete current concept of debian/copyright is not useful.  Someone
who looks at binary packages cares about what the accumulative licenses
of this are.  They don't need another copy of the source information.

So yes, we need proper SBOM information.

Bastian

-- 
Those who hate and fight must stop themselves -- otherwise it is not stopped.
                -- Spock, "Day of the Dove", stardate unknown
