Please keep the Maintainer address in the CC, talk to teams not individuals.

On 2/6/26 9:51 PM, Andrew McMillan wrote:
Hi Sebastiaan,

The tools we use to do the reviews against DFSG & Policy are semi-
automated.  The review - and the e-mail - is not automatic, though it
is partly templated.

When I sent it I figured that many of these were probably false
positives.

Referencing the different variations of "MIT" license in different ways
is helpful to us, for a faster review, even if *you* might know this.

The 'cme' checks find useful information in most cases, and sometimes
find policy issues.

Our review is not purely licensing.  The mandate for the "DFSG,
Licensing and New Packages" team is to review against policy, in
addition to reviewing licensing against the DFSG, as such it is helpful
*especially* for binary only packages if the review can be as easy as
possible, since we have to review them repeatedly.

And no: I'm not going to waste my or upstream time by sending them
information I discover which *might* *possibly* be a bug: you are
likely to be in a better position to know if it really is, and I just
mention it in passing.  If I am the next reviewer I might remember this
and not send it to you again, but I might forget all this conversation
and still re-send it: please don't be offended if I do.

All of the issues listed in the review are of the nitpick variety not worth 
wasting anyone's limited time on.

Please improve your tooling by filtering out these checks which don't report
actual issues or issues of a high enough severity to justify spending time on
addressing.

Regards,
Andrew McMillan

On Fri, 2026-02-06 at 12:27 +0100, Sebastiaan Couwenberg wrote:
On 2/6/26 11:57 AM, [email protected] wrote:
There are some fixes that could be made to debian/copyright and
debian/control

Full review details: https://dfsg-new-queue.debian.org/reviews/qgis

The duck m/\bnot maintained\b/i is a false positive:

"
   At the GIS stackexchange or r/QGIS reddit, which are not maintained
by the QGIS team, but where the QGIS and broader GIS community
provides lots of advice
"

The http: URLs are verbatim copies from the respective source files.


The dodgy check is questionable, "Possible hardcoded password" issues
are false positives. And if they weren't that's something you should
report upstream, it has nothing to do with DFSG compliance.


The copyright check complaint about MIT is likewise of little value.
We know which version of the MIT license is predominant, and we
include the text in the license paragraph.

cme also fails to parse the license alternatives correctly, "LGPL-2.1
with Digia Qt LGPL Exception 1.1" is declared in a standalone license
paragraph.


The cme complaints about unnecessary version requirements are also
irrelevant for DFSG compliance.


Because of the false positive tendency of these tools, they are not
used in our package update workflows.

I'm probably wasting my time replying to an automated message, so
I'll only do this once just for the record.

Kind Regards,

Bas



--
 PGP Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1

_______________________________________________
Pkg-grass-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-grass-devel
