On Wed, 2016-10-05 at 17:29 +0200, Frederic Bonnard wrote:
> Hi Ghislain,
>
> - d/copyright:
>   * based on the headers, I think it's LGPL-3+ rather than LGPL-3

You are correct.

>   * I see several binary files such as images and dataset in the source :
>     a) lib/cartopy/data/netcdf/HadISST1_SST_update.nc : according to
>        lib/cartopy/data/netcdf/HadISST1_SST_update.README.txt, I found that
>        licensing info :
>        http://www.metoffice.gov.uk/hadobs/hadcruh/licence_ncgl.html
>        which points to :
>        http://www.nationalarchives.gov.uk/doc/non-commercial-government-licence/non-commercial-government-licence.htm
>        which seems non free (Non Commercial)
>     b) lib/cartopy/data/raster/sample/Miriam.A2012270.2050.2km.jpg has this
>        readme :
>        lib/cartopy/data/raster/sample/Miriam.A2012270.2050.2km.README.txt ;
>        I didn't find on http://lance-modis.eosdis.nasa.gov licensing infos.

Indeed. I have asked upstream for clarification.
https://github.com/SciTools/cartopy/issues/804
Meanwhile, these data could be safely excluded in a repack.

>     c) there's various png in lib/cartopy/tests/mpl/baseline_images and I was
>        wondering also about the origin in spite of the global licensing.

They come from matplotlib. I should update the copyright of these files.

> Are all those files mandatory? maybe stripping source would help?
> For c) tests/mpl/ is skipped anyway for now, right ? I don't know for a)
> and b)

These tests are not called indeed, but it is due to a bug in the packaged version of matplotlib in Debian at the moment. This does not constitute a valid reason for a repack, I believe.

> - d/rules:
>   * informational lintian hardening-no-bindnow : you should enable hardening
>     "all" (https://wiki.debian.org/Hardening/PIEByDefaultTransition ,
>     https://wiki.debian.org/Hardening). I noted that pie makes compilation
>     fail, but adding :
>       export DEB_BUILD_MAINT_OPTIONS = hardening=+all,-pie
>     does the job.

Nice catch. I will apply your suggestion verbatim.

>   * pedantic image-file-in-usr-lib : the importance of this one has been
>     lowered since 3.9.6.0 . I don't know if it's much work to move arch
>     independent files in /usr/share.

It would be providing an additional binary package for little benefits down the line. The static data aren't huge anyway.

Many thanks for this very constructive review.

Ghis
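
An added example, not part of the original thread or of the cartopy packaging: one way to confirm that the `hardening=+all,-pie` setting quoted above produced immediately bound extension modules, by reading the dynamic section printed by `readelf -d`. The sample excerpts, the library name in them and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: `readelf -d` excerpt of a module linked without -z now.
SAMPLE_LAZY=' 0x0000000000000001 (NEEDED)             Shared library: [libexample.so.1]
 0x000000000000000c (INIT)               0x1000'

# Constructed sample: the same module after a build with bindnow enabled.
SAMPLE_NOW=' 0x0000000000000001 (NEEDED)             Shared library: [libexample.so.1]
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW'

# Read `readelf -d` text on stdin and print "bindnow" or "lazy".
# Immediate binding shows up as DT_FLAGS BIND_NOW, DT_FLAGS_1 NOW,
# or the older stand-alone DT_BIND_NOW entry.
classify_dynamic() {
    if grep -Eq '\(BIND_NOW\)|\(FLAGS\).*BIND_NOW|\(FLAGS_1\).* NOW( |$)'; then
        echo bindnow
    else
        echo lazy
    fi
}

# Walk a built package tree and list shared objects that are still lazily bound.
check_tree() {
    find "$1" -type f -name '*.so' | while IFS= read -r so; do
        if [ "$(readelf -d "$so" 2>/dev/null | classify_dynamic)" = lazy ]; then
            echo "lazy: $so"
        fi
    done
    return 0
}

# Stand-alone use: pass the staging directory of the built package.
if [ "$#" -gt 0 ]; then
    check_tree "$1"
fi
```

An empty listing from `check_tree` on the staged package directory means every shared object carries the bind-now flag.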

