Re: Comments regarding libowasp-antisamy-java_1.5.3+dfsg-1_amd64.changes
Hi, On 30/05/14 18:33, Thorsten Alteholz wrote: Hi Matthew, I marked your package for accept now, but please take care of: W: libowasp-antisamy-java: copyright-refers-to-deprecated-bsd-license-file I've pushed a fix for this, but it doesn't seem worth minting a new package version for right away. Hopefully you're happy with my fixes to libowasp-esapi-java too? Regards, Matthew __ This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use debian-j...@lists.debian.org for discussions and questions.
Re: libowasp-antisamy-java_1.5.3-1_amd64.changes REJECTED
Hi, On 22/05/14 14:00, Thorsten Alteholz wrote: Some js-files are licensed under MIT, GPL or Apache-2. These licenses are not mentioned in debian/copyright. Please also remove all minified js-files where no sources are provided. Right, I understand the problem now, and I'd like some advice, please, before proceeding. libowasp-antisamy-java (hereafter antisamy) comes with a test suite, which we don't use during the build process, as that would involve creating a policy file just for the build-time tests, and I don't think that's worth the pain right now. Part of that test suite is a performance test ( src/test/java/org/owasp/validator/html/test/AntiSamyPerformanceTest.java ) which uses some larger items previously downloaded by upstream from the internet ( src/test/resources/s ); it's those that contain the minified js of uncertain license. I can see 3 ways forward: i) leave tarball as-is, since the test data aren't used in the build process ii) rm src/test/resources/s and leave a note in README saying the tests won't work even if you write a policy file because of the missing data iii) remove the entire test suite code What would you prefer? i) has the advantages of leaving the source as upstream have it in their SVN ; ii) is perhaps the right compromise option; iii) seems too extreme. Thanks, Matthew __ This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use debian-j...@lists.debian.org for discussions and questions.
Re: libowasp-esapi-java_2.1.0-1_amd64.changes REJECTED
Hi, On 22/05/14 14:00, Thorsten Alteholz wrote: For example src/test/resources/log4j.dtd is licensed under Apache-2, which is not mentioned in debian/coypright. There might be other licenses missing! Well spotted; I rashly belived upstream's LICENSE-README :-/. I did some grepping and just found 2 apache-2 licensed files; I've updated copyright accordingly, and uploaded again (also noting the git repo location). Do you really want to dirstribute all those .svn-directories in the source tarball? Oops. Fixed. Thanks, Matthew __ This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use debian-j...@lists.debian.org for discussions and questions.
Re: libowasp-antisamy-java_1.5.3-1_amd64.changes REJECTED
On 30/05/14 10:32, Emmanuel Bourg wrote: Le 30/05/2014 11:11, Matthew Vernon a écrit : What would you prefer? i) has the advantages of leaving the source as upstream have it in their SVN ; ii) is perhaps the right compromise option; iii) seems too extreme. IMHO if the minified JavaScript files are only test objects they should be left as is (assuming they are available under an appropriate license). It's difficult to determine what license they might be covered by; AFAICT they are the result of pointing something like wget at a bunch of sites, namely: cnn.com, deadspin.com, fark.com, google.com, microsoft.com, slashdot.org They're used for testing the performance of the library; the library is aimed at letting you handle user-supplied HTML/CSS safely (i.e. avoiding XSS etc.) [see https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project for more on the purpose of antisamy] Regards, Matthew __ This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use debian-j...@lists.debian.org for discussions and questions.
Re: libowasp-antisamy-java_1.5.3-1_amd64.changes REJECTED
On 30/05/14 10:47, Emmanuel Bourg wrote: Le 30/05/2014 11:37, Matthew Vernon a écrit : It's difficult to determine what license they might be covered by; AFAICT they are the result of pointing something like wget at a bunch of sites, namely: cnn.com, deadspin.com, fark.com, google.com, microsoft.com, slashdot.org In this case I don't think we are allowed to distribute them. libjsoup-java also had HTML pages from Google, Yahoo and The New York Times, and we replaced them with pages from Wikipedia. Right, I think then the answer is to remove the src/test/resources/s directory. Thanks, Matthew __ This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use debian-j...@lists.debian.org for discussions and questions.
Bug#740826: libjgrapht0.8-java: packaging should be jar not pom
Package: libjgrapht0.8-java Version: 0.8.3-4 Severity: important Hi, The POMs for libjgrapht0.8-java include the following: groupIdorg.jgrapht/groupId artifactIdjgrapht/artifactId packagingpom/packaging I think this latter should be jar not pom, since that's how the compiled java is supplied? mh_resolve_dependencies certainly complains otherwise. This is my fault, since I supplied the POM files in #740360 -- System Information: Debian Release: 7.4 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages libjgrapht0.8-java depends on: ii libjgraph-java 5.12.4.2+dfsg-2 libjgrapht0.8-java recommends no packages. libjgrapht0.8-java suggests no packages. -- no debconf information __ This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use debian-j...@lists.debian.org for discussions and questions.
Bug#740346: mh_installpom - will always exit non-zero if called with -n
Package: maven-repo-helper Version: 1.8.7 Severity: normal Hi, the -n do nothing, print what would have been done argument to mh_installpom is mishandled. Specifically, what will happen is: mh_cleanpom is called with -n [correct] once with --keep-pom-version and once without. source debian/.mh/pom.properties This line will always fail, since mh_cleanpom -n will have done nothing, so not created debian/.mh/pom.properties. Indeed, if debian/.mh/pom.properties did exist, then mh_installpom would continue on and try to install poms that it found in debian/.mh, in violation of the -n argument which means it shouldn't do such a thing. Regards, Matthew -- System Information: Debian Release: 7.4 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages maven-repo-helper depends on: ii default-jre-headless [java2-runtime-headless]1:1.6-47 ii libstax-java 1.2.0-3 ii openjdk-6-jre-headless [java2-runtime-headless] 6b27-1.12.6-1~deb7u1 Versions of packages maven-repo-helper recommends: ii debhelper 9.20120909 Versions of packages maven-repo-helper suggests: ii maven-debian-helper 1.6.7 -- no debconf information __ This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use debian-j...@lists.debian.org for discussions and questions.
Bug#740347: mh_installpoms -n should output what it would have done, not just exit
Package: maven-repo-helper Version: 1.8.7 Severity: important Hi, mh_installpoms has an -n argument, documented thus: -n --no-act: don't actually do anything, just print the results But in fact, if you use -n, it does nothing at all and prints nothing - line 96's check: if [ -z $NOACT ]; then means that mh_installpoms does nothing and prints nothing. I think in fact that this check should just be removed - then the enclosed code would call mh_installpom -n which is what you wanted in this case. Thanks, Matthew -- System Information: Debian Release: 7.4 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages maven-repo-helper depends on: ii default-jre-headless [java2-runtime-headless]1:1.6-47 ii libstax-java 1.2.0-3 ii openjdk-6-jre-headless [java2-runtime-headless] 6b27-1.12.6-1~deb7u1 Versions of packages maven-repo-helper recommends: ii debhelper 9.20120909 Versions of packages maven-repo-helper suggests: ii maven-debian-helper 1.6.7 -- no debconf information __ This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use debian-j...@lists.debian.org for discussions and questions.
Bug#740360: Needs maven support
Package: libjgrapht0.8-java Version: 0.8.3-3 Severity: normal Tags: patch Hi, The enclosed patch adds maven support (i.e. it installs relevant entries into /usr/share/maven-repo/), meaning that other java code that builds with maven and depends upon this package will build. Thanks, Matthew -- System Information: Debian Release: 7.4 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages libjgrapht0.8-java depends on: ii libjgraph-java 5.12.4.2+dfsg-2 libjgrapht0.8-java recommends no packages. libjgrapht0.8-java suggests no packages. -- no debconf information diff -ruN libjgrapht0.8-java-0.8.3/debian/control libjgrapht0.8-java-0.8.3-new/debian/control --- libjgrapht0.8-java-0.8.3/debian/control 2013-05-21 09:14:48.0 +0100 +++ libjgrapht0.8-java-0.8.3-new/debian/control 2014-02-28 16:28:11.143550981 + @@ -5,6 +5,7 @@ Uploaders: Giovanni Mascellani g...@debian.org Build-Depends: cdbs, debhelper (= 5), ant, default-jdk, junit4, libjgraph-java, javahelper +Build-Depends-Indep: maven-repo-helper Standards-Version: 3.9.4 Vcs-Svn: svn://anonscm.debian.org/pkg-java/trunk/libjgrapht-java/branch_0.8 Vcs-Browser: http://anonscm.debian.org/viewvc/pkg-java/trunk/libjgrapht-java/branch_0.8 diff -ruN libjgrapht0.8-java-0.8.3/debian/libjgrapht0.8-java.poms libjgrapht0.8-java-0.8.3-new/debian/libjgrapht0.8-java.poms --- libjgrapht0.8-java-0.8.3/debian/libjgrapht0.8-java.poms 1970-01-01 01:00:00.0 +0100 +++ libjgrapht0.8-java-0.8.3-new/debian/libjgrapht0.8-java.poms 2014-02-28 16:27:18.162461837 + @@ -0,0 +1,28 @@ +# List of POM files for the package +# Format of this file is: +# path to pom file [option]* +# where option can be: +# --ignore: ignore this POM and its artifact if any +# --ignore-pom: don't install the POM. To use on POM files that are created +# temporarily for certain artifacts such as Javadoc jars. [mh_install, mh_installpoms] +# --no-parent: remove the parent tag from the POM +# --package=package: an alternative package to use when installing this POM +# and its artifact +# --has-package-version: to indicate that the original version of the POM is the same as the upstream part +# of the version for the package. +# --keep-elements=elem1,elem2: a list of XML elements to keep in the POM +# during a clean operation with mh_cleanpom or mh_installpom +# --artifact=path: path to the build artifact associated with this POM, +# it will be installed when using the command mh_install. [mh_install] +# --java-lib: install the jar into /usr/share/java to comply with Debian +# packaging guidelines +# --usj-name=name: name to use when installing the library in /usr/share/java +# --usj-version=version: version to use when installing the library in /usr/share/java +# --no-usj-versionless: don't install the versionless link in /usr/share/java +# --dest-jar=path: the destination for the real jar. +# It will be installed with mh_install. [mh_install] +# --classifier=classifier: Optional, the classifier for the jar. Empty by default. +# --site-xml=location: Optional, the location for site.xml if it needs to be installed. +# Empty by default. [mh_install] +# +debian/pom.xml --has-package-version diff -ruN libjgrapht0.8-java-0.8.3/debian/pom.xml libjgrapht0.8-java-0.8.3-new/debian/pom.xml --- libjgrapht0.8-java-0.8.3/debian/pom.xml 1970-01-01 01:00:00.0 +0100 +++ libjgrapht0.8-java-0.8.3-new/debian/pom.xml 2014-02-28 16:24:58.723594920 + @@ -0,0 +1,26 @@ +?xml version=1.0 encoding=UTF-8? +project xmlns=http://maven.apache.org/POM/4.0.0; xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance; xsi:schemaLocation=http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd; + modelVersion4.0.0/modelVersion + groupIdorg.jgrapht/groupId + artifactIdjgrapht/artifactId + packagingpom/packaging + nameJGraphT - Parent/name + version0.8/version + descriptionA Java class library for graph-theory data structures and algorithms./description + urlhttp://www.jgrapht.org/url + licenses + license + nameGNU Lesser General Public License Version 2.1, February 1999/name + urlhttp://jgrapht.sourceforge.net/LGPL.html/url + distributionrepo/distribution + /license + license + nameEclipse Public License (EPL) 1.0/name + urlhttp://www.eclipse.org/legal/epl-v10.html/url + distributionrepo/distribution + /license + /licenses + properties + project.build.sourceEncodingUTF-8/project.build.sourceEncoding + /properties +/project diff -ruN libjgrapht0.8-java-0.8.3/debian/rules libjgrapht0.8-java-0.8.3-new/debian/rules --- libjgrapht0.8-java-0.8.3/debian/rules 2012-05-08 18:15:24.0 +0100 +++ libjgrapht0.8-java-0.8.3-new/debian/rules 2014-02-28 16:31:16.059344374
Bug#740368: libjargs-java: Needs maven support
Package: libjargs-java Version: 1.0.0-3 Severity: normal Tags: patch Hi, The enclosed patch adds maven support (i.e. it installs relevant entries into /usr/share/maven-repo/), meaning that other java code that builds with maven and depends upon this package will build. Thanks, Matthew -- System Information: Debian Release: 7.4 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash libjargs-java depends on no packages. libjargs-java recommends no packages. Versions of packages libjargs-java suggests: pn libjargs-java-doc none -- no debconf information diff -ruN jargs-1.0.0/debian/control jargs-1.0.0-new/debian/control --- jargs-1.0.0/debian/control 2011-02-12 17:03:56.0 + +++ jargs-1.0.0-new/debian/control 2014-02-28 17:28:17.889467668 + @@ -4,7 +4,7 @@ Maintainer: Debian Java Maintainers pkg-java-maintainers@lists.alioth.debian.org Uploaders: Dominik Smatana dominik.smat...@gmail.com Build-Depends: debhelper (= 7), cdbs, default-jdk, ant, javahelper (= 0.32~) -Build-Depends-Indep: junit, default-jdk-doc +Build-Depends-Indep: junit, default-jdk-doc, maven-repo-helper Standards-Version: 3.9.1 Homepage: http://jargs.sourceforge.net/ diff -ruN jargs-1.0.0/debian/libjargs-java.poms jargs-1.0.0-new/debian/libjargs-java.poms --- jargs-1.0.0/debian/libjargs-java.poms 1970-01-01 01:00:00.0 +0100 +++ jargs-1.0.0-new/debian/libjargs-java.poms 2014-02-28 17:32:47.678996209 + @@ -0,0 +1,28 @@ +# List of POM files for the package +# Format of this file is: +# path to pom file [option]* +# where option can be: +# --ignore: ignore this POM and its artifact if any +# --ignore-pom: don't install the POM. To use on POM files that are created +# temporarily for certain artifacts such as Javadoc jars. [mh_install, mh_installpoms] +# --no-parent: remove the parent tag from the POM +# --package=package: an alternative package to use when installing this POM +# and its artifact +# --has-package-version: to indicate that the original version of the POM is the same as the upstream part +# of the version for the package. +# --keep-elements=elem1,elem2: a list of XML elements to keep in the POM +# during a clean operation with mh_cleanpom or mh_installpom +# --artifact=path: path to the build artifact associated with this POM, +# it will be installed when using the command mh_install. [mh_install] +# --java-lib: install the jar into /usr/share/java to comply with Debian +# packaging guidelines +# --usj-name=name: name to use when installing the library in /usr/share/java +# --usj-version=version: version to use when installing the library in /usr/share/java +# --no-usj-versionless: don't install the versionless link in /usr/share/java +# --dest-jar=path: the destination for the real jar. +# It will be installed with mh_install. [mh_install] +# --classifier=classifier: Optional, the classifier for the jar. Empty by default. +# --site-xml=location: Optional, the location for site.xml if it needs to be installed. +# Empty by default. [mh_install] +# +debian/pom.xml --has-package-version diff -ruN jargs-1.0.0/debian/pom.xml jargs-1.0.0-new/debian/pom.xml --- jargs-1.0.0/debian/pom.xml 1970-01-01 01:00:00.0 +0100 +++ jargs-1.0.0-new/debian/pom.xml 2014-02-28 17:37:08.032334164 + @@ -0,0 +1,11 @@ +project xmlns=http://maven.apache.org/POM/4.0.0; xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance; xsi:schemaLocation=http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd; + modelVersion4.0.0/modelVersion + groupIdjargs/groupId + artifactIdjargs/artifactId + packagingjar/packaging + version1.0/version + nameCommand-line argument parsing for Java/name + urlhttp://jargs.sourceforge.net//url + descriptionprovides a convenient, compact, pre-packaged and comprehensively documented suite of command line option parsers for the use of Java programmers./description + +/project diff -ruN jargs-1.0.0/debian/rules jargs-1.0.0-new/debian/rules --- jargs-1.0.0/debian/rules 2011-02-12 16:45:36.0 + +++ jargs-1.0.0-new/debian/rules 2014-02-28 17:47:11.180699298 + @@ -20,3 +20,10 @@ install/libjargs-java:: jh_installlibs -p$(cdbs_curpkg) --upstream-version=$(DEB_UPSTREAM_VERSION) lib/jargs.jar + +binary-post-install/libjargs-java:: + mh_installpoms -plibjargs-java + mh_installjar -plibjargs-java -l debian/pom.xml lib/jargs.jar + +clean:: + mh_clean __ This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use debian-j...@lists.debian.org for discussions and questions.
