On Thu, Oct 24, 2019 at 16:19, Jonas Smedegaard <[email protected]> wrote:
Quoting Pirate Praveen (2019-10-24 15:34:15)
On Thu, Oct 24, 2019 at 11:40, Jonas Smedegaard <[email protected]
<mailto:[email protected]>> wrote:
> The source package src:node-lodash states in its debian/copyright
> file that its upstream source is
<<https://github.com/lodash/lodash>>
>
I don't thik that is how DFSG is intrepreted. If that were the case,
then we won't able to modify upstream tarball at all.
I am not surprised (but frustrated and sad) that you try to argue that
what is listed as upstream source need not be upstream source.
You need to check with the release tarballs.
<https://github.com/lodash/lodash/releases>
If upstream source is not <https://github.com/lodash/lodash> but
instead
it is <https://github.com/lodash/lodash> then it is a(nother) bug
that the
package points at the wrong place for its upstream source.
We don't usually specify the releases page in debian/copyright only
the project page. You can verify this against any other package in
debian.
That's no bug if project page _also_ is upstream source, as is
commonly
the case e.g. at Github.
It is a minor bug when project page clearly and unambiguously
references
upstream source.
It is a severe bug when project page serves code which upstream use as
their prefered form for editing but the code distributed with Debian
as
"upstream source" is *not* that same code but instead some other code,
regardless how clearly that other non-source code is referenced from
project page, and regardless if upstream labels that other code as
their
"releases".
As far as I understood, the other code you mention here is the vendor
directory. Please correct me if I'm mistaken. Or specify which specific
files you have a problem with. Files in vendor directory usually have
their own separate projects and version control systems.
This bug is about the code upstream treats as their source *not* being
what Debian distributes as upstream *source*.
All files derived from source have their corresponding source code
and
it is regenerated during build.
It may very well be "source" but not "upstream source".
Then I fail to see how this is a serious bug. Serious bug is usually
when the source package does not ship corresponding source code for the
shipped binary. I don't think what you describe as a problem here can
be considered serious.
As for lodash-cli, it is included as another source tarball and you
can see this in the dsc file.
This bug is *not* about embedded code, it is about the main code.
As far as I understand there is not a requirement to take a git
snapshot. Can you tell which files you see as problematic? I can think
of only vendor/* that was not seen in the git repo.
--
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
