Bug#807763: Looking for help to solve licence and third-party issues of the tomahawk-player package

2016-05-23 Thread Mattia Rizzolo 
Hi Stefan,

On Thu, Mar 03, 2016 at 02:48:37PM +, Gianfranco Costamagna wrote:
> control: tags -1 moreinfo
> 
> Hi sorry for the late answer, it took a while to have time to dig into the 
> issue.

Did anything happen here in the past 2,5 months?

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
more about me:  https://mapreri.org : :'  :
Launchpad user: https://launchpad.net/~mapreri  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-


signature.asc
Description: PGP signature

Bug#807763: Looking for help to solve licence and third-party issues of the tomahawk-player package

2016-03-03 Thread Gianfranco Costamagna 
control: tags -1 moreinfo

Hi sorry for the late answer, it took a while to have time to dig into the 
issue.



>I'm confused, on a Ubuntu 16.04 clean environment everything works fine
>with multiarch support but on debian sid it does not work.
>(https://launchpadlibrarian.net/240678247/tomahawk-player_0.8.4+dfsg1-0ubuntu1~xenial1_amd64.build)
>Is there a different in multiarch support?


seems so.

the problem seems to come from "CMAKE_INSTALL_LIBDIR", set because of the 
include of GNUInstallDirs.cmake
file.

Probably the root of the issue is that *you* have a custom embedded 
GNUInstallDirs.cmake file, so it might be
outdated, or not working for a bunch of other reasons.
Also that file is different from the one you can find on an Ubuntu system

meld CMakeModules/GNUInstallDirs.cmake 
/usr/share/cmake-3.2/Modules/GNUInstallDirs.cmake

I see something like:
if(EXISTS "/etc/debian_version")
include(${CMAKE_ROOT}/Modules/MultiArchCross.cmake OPTIONAL RESULT_VARIABLE 
_INCLUDED_MULTIARCH_TOOLCHAIN_FILE)
endif()

probably the MultiArchCross.cmake is something Ubuntu specific [1], I'm not 
sure why Debian is not using it.

cmake (3.3.2-1ubuntu1) xenial; urgency=medium

* Merge with Debian; remaining changes:
- debian/cmake-data.install
debian/MultiArchCross.cmake
debian/patches/ubuntu_cmake-crosscompile.patch
Add MultiArchCross.cmake to installed files.
(help cmake to find libraries in multiarch path)
xnox says this is not yet ready to go upstream but he will work on it
- debian/patches/ubuntu_boost-multiarch.patch
find boost and python in multiarch path
this is a candidate for removal but needs rdepend testing
* Search for Python 3.5.


you can override the issue probably by using the system Module (and drop the 
embedded stuff)
and using LIB_SUFFIX if it doesn't work [2]


[1] https://launchpad.net/ubuntu/+source/cmake/3.3.2-1ubuntu1
[2] 
https://codesearch.debian.net/results/LIB_SUFFIX%20path%3Adebian%2Frules/page_0

Bug#807763: Looking for help to solve licence and third-party issues of the tomahawk-player package

2016-02-21 Thread Stefan Ahlers 
Hey,

> Hi again, it doesn't build on clean environment
> http://debomatic-amd64.debian.net/distribution#unstable/tomahawk-player/0.8.4-1/buildlog

I'm confused, on a Ubuntu 16.04 clean environment everything works fine
with multiarch support but on debian sid it does not work.
(https://launchpadlibrarian.net/240678247/tomahawk-player_0.8.4+dfsg1-0ubuntu1~xenial1_amd64.build)

Is there a different in multiarch support?

> licensecheck * -r
> shows some stuff not mentioned in changelog.

debian/copyright corrected. Should be complete now.

> all the thirdparty stuff has different licenses, and should be
> packaged separately (if possible, or useful outside this package).

Most of them it is not useful. I had discussed this problematic with the
developers.

> ./src/tomahawk/sourcetree/items/LovedTracksItem.h: *the Free
> Software Foundation; either version 2 of the License, or
> ./src/tomahawk/sourcetree/items/InboxItem.h: *   the Free Software
> Foundation, either version 3 of the License, or
> 
> even inside src there are different licenses.

The developers say that this files are a bunch of code from a co-developer.

> ./data/js/cryptojs/sha384.js:code.google.com/p/crypto-js/wiki/License
> (and many more from cryptojs)

Crypto-js is removed now.

> data/fonts/*.ttf <--- please use system Roboto fonts, not any embedded
> version.

Is removed.

> so, please think with upstream about removing all the external libs,
> and package them separately (many of them should already be in debian)

Please take a look on one of my old mails in this bug reports there is a
statement to the external libs. The most java script files are removed
now and tomahawk is using the system roboto font.

Kind regards,
Stefan Ahlers

Bug#807763: Looking for help to solve licence and third-party issues of the tomahawk-player package

2016-02-17 Thread Gianfranco Costamagna 
Hi again, it doesn't build on clean environment
http://debomatic-amd64.debian.net/distribution#unstable/tomahawk-player/0.8.4-1/buildlog




Il Mercoledì 17 Febbraio 2016 16:07, Gianfranco Costamagna 
 ha scritto:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

> Could you review the tomahawk-player package again? I know, there
> is much more work needs tobedone. It would be great, if you could
> check my answers of the first review and points out what I have to
> do next, which thirdparty code I have to pack separately and which
> code has to be removed because of the dfsg.

here we go.

licensecheck * -r
shows some stuff not mentioned in changelog.

e.g.
src/accounts/hatchet/sip/hatchet_config.hpp: BSD (3 clause)
data/js/cryptojs/hmac-ripemd160.js: BSD (2 clause)
src/libtomahawk/thirdparty/Qocoa/qsearchfield.cpp: MIT/X11 (BSD like)
licensecheck * -r |grep -v GPL |grep -v UNK |wc -l
59

but it might be highly incomplete

all the thirdparty stuff has different licenses, and should be
packaged separately (if possible, or useful outside this package).

./src/tomahawk/sourcetree/items/LovedTracksItem.h: *the Free
Software Foundation; either version 2 of the License, or
./src/tomahawk/sourcetree/items/InboxItem.h: *   the Free Software
Foundation, either version 3 of the License, or

even inside src there are different licenses.

./src/libtomahawk/accounts/lastfm/LastFmInfoPlugin.cpp:
QString biography =
lfm["artist"]["bio"]["content"].text().trimmed().replace(
"User-contributed text is available under the Creative Commons By-SA
License and may also be available under the GNU FDL.", "" );

./data/js/cryptojs/sha384.js:code.google.com/p/crypto-js/wiki/License
(and many more from cryptojs)


./data/images/lastfm-icon.svg:http://creativecommons.org/licenses/publicdomain/; />
./data/images/lastfm-icon.svg:  http://creativecommons.org/licenses/publicdomain/;>
./data/images/lastfm-icon.svg:  


data/fonts/*.ttf <--- please use system Roboto fonts, not any embedded
version.


so, at the end, so much stuff is missing, specially in the copyright
file, and I think so many external libraries have to be packaged
separately or repacked and removed from the source tree

maintaining all this number of embedded libraries will make the
package rejected, and a security nightmare to maintain.

so, please think with upstream about removing all the external libs,
and package them separately (many of them should already be in debian)


cheers,


G.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQIcBAEBCAAGBQJWxIymAAoJEPNPCXROn13ZkQQP/2mH99sXz3nimYNWfR2doqsL
3mZBdAXGMaKF+mSqlfNB8ITTTIR6kMuaTD9Sfv5Or25R8XvbzOWsHpuHuNHux6Uv
gJhMgLXyL0iDCLZrM/9vZbyI0fe34VIVC6cz9yB4iPU6L9HMwc3kxLGSXehf5f/n
kqCWGxZvTAlqv6irnO7EzIcbE7wiU/iFzTPUMkI6epW76XBKROFbnoGdf57aGXaz
4HCY5laAZidvU6d3y9bwzrqEqtYad3NxpLUcGIi8imjx4tjK6uVThVhTqNPjrsW9
ndiQLXk+WApUezu4FOZOojua2fGdY2vHnV0HgNgFXC1PZFWFIdsc1/9qe9nfOssx
56ZQy8zHeCVEhwjlVWBE/9zwhzWBHh4Sgoe2zq1RFjaf/U9bjjafkE8R0+i9fXZi
yKVM3cVHpQc+mu67Q5VOZcx9HCuiLSUpbupIlUoD+R4MPE1EBWbktE7oAC4xmJ2G
VLAsP2WXCLO4bA4PodHmjTc4XtXDGQ4KqjMmLQqmT5sWQOJ6TMBIxtv8yReHF9C4
Oaqyr5vv4z0JPz+QhwpKPvbdDpv5keBKby8tBhUkOyITP7eLxqa4j2kqi7qXK+K1
NSPcQJ5gXUfAax0sXBBUd333XlncmCqor1zaaGl+QP6wOBUTuOMV0zlq9gqV2chw
AqjNKfUN2rWU5yn1bmSw
=7AjV
-END PGP SIGNATURE-

Bug#807763: Looking for help to solve licence and third-party issues of the tomahawk-player package

2016-02-17 Thread Gianfranco Costamagna 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

> Could you review the tomahawk-player package again? I know, there
> is much more work needs tobedone. It would be great, if you could
> check my answers of the first review and points out what I have to
> do next, which thirdparty code I have to pack separately and which
> code has to be removed because of the dfsg.

here we go.

licensecheck * -r
shows some stuff not mentioned in changelog.

e.g.
src/accounts/hatchet/sip/hatchet_config.hpp: BSD (3 clause)
data/js/cryptojs/hmac-ripemd160.js: BSD (2 clause)
src/libtomahawk/thirdparty/Qocoa/qsearchfield.cpp: MIT/X11 (BSD like)
licensecheck * -r |grep -v GPL |grep -v UNK |wc -l
59

but it might be highly incomplete

all the thirdparty stuff has different licenses, and should be
packaged separately (if possible, or useful outside this package).

./src/tomahawk/sourcetree/items/LovedTracksItem.h: *the Free
Software Foundation; either version 2 of the License, or
./src/tomahawk/sourcetree/items/InboxItem.h: *   the Free Software
Foundation, either version 3 of the License, or

even inside src there are different licenses.

./src/libtomahawk/accounts/lastfm/LastFmInfoPlugin.cpp:
QString biography =
lfm["artist"]["bio"]["content"].text().trimmed().replace(
"User-contributed text is available under the Creative Commons By-SA
License and may also be available under the GNU FDL.", "" );

./data/js/cryptojs/sha384.js:code.google.com/p/crypto-js/wiki/License
(and many more from cryptojs)


./data/images/lastfm-icon.svg:http://creativecommons.org/licenses/publicdomain/; />
./data/images/lastfm-icon.svg:  http://creativecommons.org/licenses/publicdomain/;>
./data/images/lastfm-icon.svg:  


data/fonts/*.ttf <--- please use system Roboto fonts, not any embedded
version.


so, at the end, so much stuff is missing, specially in the copyright
file, and I think so many external libraries have to be packaged
separately or repacked and removed from the source tree

maintaining all this number of embedded libraries will make the
package rejected, and a security nightmare to maintain.

so, please think with upstream about removing all the external libs,
and package them separately (many of them should already be in debian)


cheers,

G.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQIcBAEBCAAGBQJWxIymAAoJEPNPCXROn13ZkQQP/2mH99sXz3nimYNWfR2doqsL
3mZBdAXGMaKF+mSqlfNB8ITTTIR6kMuaTD9Sfv5Or25R8XvbzOWsHpuHuNHux6Uv
gJhMgLXyL0iDCLZrM/9vZbyI0fe34VIVC6cz9yB4iPU6L9HMwc3kxLGSXehf5f/n
kqCWGxZvTAlqv6irnO7EzIcbE7wiU/iFzTPUMkI6epW76XBKROFbnoGdf57aGXaz
4HCY5laAZidvU6d3y9bwzrqEqtYad3NxpLUcGIi8imjx4tjK6uVThVhTqNPjrsW9
ndiQLXk+WApUezu4FOZOojua2fGdY2vHnV0HgNgFXC1PZFWFIdsc1/9qe9nfOssx
56ZQy8zHeCVEhwjlVWBE/9zwhzWBHh4Sgoe2zq1RFjaf/U9bjjafkE8R0+i9fXZi
yKVM3cVHpQc+mu67Q5VOZcx9HCuiLSUpbupIlUoD+R4MPE1EBWbktE7oAC4xmJ2G
VLAsP2WXCLO4bA4PodHmjTc4XtXDGQ4KqjMmLQqmT5sWQOJ6TMBIxtv8yReHF9C4
Oaqyr5vv4z0JPz+QhwpKPvbdDpv5keBKby8tBhUkOyITP7eLxqa4j2kqi7qXK+K1
NSPcQJ5gXUfAax0sXBBUd333XlncmCqor1zaaGl+QP6wOBUTuOMV0zlq9gqV2chw
AqjNKfUN2rWU5yn1bmSw
=7AjV
-END PGP SIGNATURE-

Bug#807763: Looking for help to solve licence and third-party issues of the tomahawk-player package

2016-02-13 Thread Stefan Ahlers 
Hi,

jreen is accepted, now.

Could you review the tomahawk-player package again? I know, there is
much more work needs tobedone. It would be great, if you could check my
answers of the first review and points out what I have to do next, which
thirdparty code I have to pack separately and which code has to be
removed because of the dfsg.

Kind regards,
Stefan Ahlers

Am 18.01.2016 um 14:56 schrieb Gianfranco Costamagna:
> please ping me when the jreen is accepted, I'll go in a new review spin.
> BTW, are clementine images the same as the tomahawk-player has?
> so in this case if clementine is accepted and in Debian I think the images
> are DFSG.
> please point to the sources, and look if the copyright shows them.
> http://metadata.ftp-master.debian.org/changelogs/main/c/clementine/unstable_copyright
>
> We might even end up in an RC bug against clementine :)

Bug#807763: Looking for help to solve licence and third-party issues of the tomahawk-player package

2016-01-19 Thread Felix Natter 
Stefan Ahlers  writes:

> Hi,
>
>> please ping me when the jreen is accepted, I'll go in a new review spin.
>
> Ok, I'll do it.
>
>> please point to the sources, and look if the copyright shows them.
>> http://metadata.ftp-master.debian.org/changelogs/main/c/clementine/unstable_copyright
>
> Tomahawk and clementine uses the company logos for the provided
> services/resolvers. On both software, the logos are necessary to show
> the music streaming source. This is a requirement to use this services.
>
> I discussed the problematic with the developers of tomahawk but they
> think it is not a good idea to replace them because the company only
> allows the use of their services if there is the company branding. It
> would be more critical to replace them with self-made-ones than to ship
> the logos.
>
> For example in the clementine sources:
>  * clementine-1.2.3+git1354-gdaddbde+dfsg/data/icons/svg/spotify.svg
>  * clementine-1.2.3+git1354-gdaddbde+dfsg/data/providers/soundcloud.png
>  * clementine-1.2.3+git1354-gdaddbde+dfsg/data/providers/itunes.png
>  * clementine-1.2.3+git1354-gdaddbde+dfsg/data/providers/echonest.png
> There are many more company branding in /data/providers but there is no
> comment in the copyright file.
>
> I think this is a very important issue.

hello devs,

I am not sure this helps, but just to be complete: In JMapViewer
(which included a bing logo for accessing Bing map tiles), the
problem was solved by downloading the image at run time
(which was easy for JMapViewer):

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765421

Best Regards,
-- 
Felix Natter

Bug#807763: Looking for help to solve licence and third-party issues of the tomahawk-player package

2016-01-18 Thread Stefan Ahlers 
Hi,

> please ping me when the jreen is accepted, I'll go in a new review spin.

Ok, I'll do it.

> please point to the sources, and look if the copyright shows them.
> http://metadata.ftp-master.debian.org/changelogs/main/c/clementine/unstable_copyright

Tomahawk and clementine uses the company logos for the provided
services/resolvers. On both software, the logos are necessary to show
the music streaming source. This is a requirement to use this services.

I discussed the problematic with the developers of tomahawk but they
think it is not a good idea to replace them because the company only
allows the use of their services if there is the company branding. It
would be more critical to replace them with self-made-ones than to ship
the logos.

For example in the clementine sources:
 * clementine-1.2.3+git1354-gdaddbde+dfsg/data/icons/svg/spotify.svg
 * clementine-1.2.3+git1354-gdaddbde+dfsg/data/providers/soundcloud.png
 * clementine-1.2.3+git1354-gdaddbde+dfsg/data/providers/itunes.png
 * clementine-1.2.3+git1354-gdaddbde+dfsg/data/providers/echonest.png
There are many more company branding in /data/providers but there is no
comment in the copyright file.

I think this is a very important issue.

Stefan

Bug#807763: Looking for help to solve licence and third-party issues of the tomahawk-player package

2016-01-18 Thread Gianfranco Costamagna 
Hi,

>after the first review of my draft of the tomahawk-player package, I
>discussed the problem with the developers of the player and I commented
>all point of the review. Unfortunately, I didn't get any further
>response and so I really do not know what to do next.
>
>Because of this circumstance, I ask you to help me to solve the licence
>and third-party issues. I want to bring tomahawk-player to debian but at
>the moment, I do not know how.


please ping me when the jreen is accepted, I'll go in a new review spin.
BTW, are clementine images the same as the tomahawk-player has?
so in this case if clementine is accepted and in Debian I think the images
are DFSG.
please point to the sources, and look if the copyright shows them.
http://metadata.ftp-master.debian.org/changelogs/main/c/clementine/unstable_copyright

We might even end up in an RC bug against clementine :)

cheers,

G.

Bug#807763: Looking for help to solve licence and third-party issues of the tomahawk-player package

2016-01-18 Thread Stefan Ahlers 
Dear mentors,

after the first review of my draft of the tomahawk-player package, I
discussed the problem with the developers of the player and I commented
all point of the review. Unfortunately, I didn't get any further
response and so I really do not know what to do next.

Because of this circumstance, I ask you to help me to solve the licence
and third-party issues. I want to bring tomahawk-player to debian but at
the moment, I do not know how.

Kind regards,
Stefan Ahlers