Bug#788724: [src:jenkins-json] Some sources are not included in your package
Package: src:jenkins-json
Version: 2.4-jenkins-3-3
user: lintian-ma...@debian.org
usertags: source-is-missing
severity: serious
X-Debbugs-CC: ftpmas...@debian.org

Hi,

Your package includes some files that seem to lack sources in preferred forms of modification:

src/site/resources/scripts/shCore.js

According to Debian Free Software Guidelines [1] (DFSG) #2:
 The program must include source code, and must allow distribution in source code as well as compiled form.

In some cases this could also constitute a license violation for some copyleft licenses such as the GNU GPL. (While sometimes the licence allows not to ship the source, the DFSG always mandates source code.)

In order to solve this problem, you could:
1. add the source files to debian/missing-sources directory.
2. repack the origin tarball and add the missing source files to it.

Both ways satisfy the requirement to ship all source code. The second option might be preferable due to the following reasons [2]:
- Upstream can do it too and you could even supply a patch to them, thus fulfilling our social contract [3], see particularly §2.
- If source and non-source are in different locations, ftpmasters may miss the source and (needlessly) reject the package.
- The source isn't duplicated in every .diff.gz/.debian.tar.* (though this only really matters for larger sources).

You could also ask debian...@lists.debian.org or #debian-qa for more guidance.

[1] https://www.debian.org/social_contract.en.html#guidelines
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736873#8
[3] https://www.debian.org/social_contract

__
This is the maintainer address of Debian's Java team
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use
debian-j...@lists.debian.org for discussions and questions.
Bug#788726: [src:jspwiki] Some sources are not included in your package
Package: src:jspwiki
Version: 2.8.0-6
user: lintian-ma...@debian.org
usertags: source-is-missing
severity: serious
X-Debbugs-CC: ftpmas...@debian.org

Hi,

Your package includes some files that seem to lack sources in preferred forms of modification:

src/webdocs/scripts/posteditor.js
src/webdocs/scripts/mootools.js

According to Debian Free Software Guidelines [1] (DFSG) #2:
 The program must include source code, and must allow distribution in source code as well as compiled form.

In some cases this could also constitute a license violation for some copyleft licenses such as the GNU GPL. (While sometimes the licence allows not to ship the source, the DFSG always mandates source code.)

In order to solve this problem, you could:
1. add the source files to debian/missing-sources directory.
2. repack the origin tarball and add the missing source files to it.

Both ways satisfy the requirement to ship all source code. The second option might be preferable due to the following reasons [2]:
- Upstream can do it too and you could even supply a patch to them, thus fulfilling our social contract [3], see particularly §2.
- If source and non-source are in different locations, ftpmasters may miss the source and (needlessly) reject the package.
- The source isn't duplicated in every .diff.gz/.debian.tar.* (though this only really matters for larger sources).

You could also ask debian...@lists.debian.org or #debian-qa for more guidance.

[1] https://www.debian.org/social_contract.en.html#guidelines
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736873#8
[3] https://www.debian.org/social_contract
Bug#787552: [eclipse-wtp][FTBFS][LICENSE Problem] Multiple distribution problem
Package: eclipse-wtp
Severity: serious
x-Debbugs-CC: ftpmas...@debian.org

According to your todo:

Part of source files in org.eclipse.wst.sse.core should be regenerated from JFlex grammar files in directory DevTimeSupport, but they require JFlex 1.2.2 for correct transformation (Debian has newer version). Migration to newer JFlex seems not going to happen very soon in upstream[1]

There are still some binary resource files in org.eclipse.wst.jsdt.core (part1.rsc, start1.rsc etc.), but I could not trace their origin and if and how they can be regenerated. Seems the same files are present in jdt parser and also other eclipse plugins. Should be regenerated when possible.

[1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=296976

According to Debian Free Software Guidelines [1] (DFSG) #2:
 The program must include source code, and must allow distribution in source code as well as compiled form.

This could also constitute a license violation for some copyleft licenses such as the GNU GPL.

In order to solve this problem, you could:
1. repack the origin tarball adding the missing source to it.
2. add the source files to debian/missing-sources directory

Both ways satisfy the requirement that we ship the source. Second option might be preferable due to the following reasons [2]:
- Upstream can do it too and you could even supply a patch to them, thus fulfilling our social contract [3], see particularly §2.
- If source and non-source are in different locations, ftpmasters may miss the source and (needlessly) reject the package.
- The source isn't duplicated in every .diff.gz/.debian.tar.* (though this only really matters for larger sources).

You could also ask debian...@lists.debian.org or #debian-qa for more guidance.

[1] https://www.debian.org/social_contract.en.html#guidelines
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736873#8
[3] https://www.debian.org/social_contract
Bug#787361: [RC][cc-by-nc-sa] Please clarify license of a few svg files
Package: xhtmlrenderer
Version: 0.0~R8-1
Severity: serious
user: lintian-ma...@debian.org
usertags: license-problem-cc-by-nc-sa

Hi,

Could you please clarify the license of:

demos/svg/xhtml/dat/face-crying.svg

claimed on source to be cc-by-nc-sa, thus non free.

If it is really a non free image please purge these files.

If it is a false positive please override like in http://sources.debian.net/src/freecad/0.14.3702%2Bdfsg-3/debian/source/lintian-overrides/ and add a changelog entry and a full explanation on debian/copyright.

You may ask upstream to remove this cc-by-sa-nc tag on the svg file.

Bastien
Bug#769698: libspring-java: CVE-2014-3625 Directory Traversal in Spring Framework
Source: libspring-java
Version: 3.0.0
Severity: serious
Tags: security
Justification: must

According to https://github.com/spring-projects/spring-framework/commit/3f68cd versions affected include 3.0.0 to 3.2.11.

The feature of 'mvc:resources/ ' seems to be introduced in 3.0.4 ( http://docs.spring.io/spring/d... ).

Bastien