Re: scala-tools-sbinary_0.4.2+2.11.M5-1_amd64.changes REJECTED

2017-08-27 Thread Emmanuel Bourg
On 27/08/2017 at 18:48, Thorsten Alteholz wrote:

> ok, but this seems to be wrong. If scala-tools-sbinary really is the
> last package, it must not contain any binary jar files but could use
> packages from the archive, right?

My understanding is that it's actually the last dependency required
before we can start removing the binaries from the other sbt related
packages.


> I just had a quick look at the embedded org.beanshell
> and didn't find any dependency on sbt for that tool. So at least this
> jar file could be handled better. While talking about beanshell, the
> sources on github contain files under a BSD-license. In your
> debian/copyright you just mention the Apache license and one copyright
> holder for it. There seems to be much room for improvement in your
> debian/copyright. Luckily bsh in version 2.04b is already in Debian and
> the debian/copyright of this package says it is under LGPL. I am sorry,
> but your debian/copyright is a mess and it does not help that there are
> lots of binary blobs included.
> Further there is CVE-2016-2510, which is fixed in 2.0b6 and not in your
> embedded version 2.0b4.

FWIW, the beanshell 2.0b4 vs 2.0b6 issue has been discussed in #700610.
beanshell isn't to blame for the vulnerability, it's a common issue
affecting Java applications deserializing untrusted data without
sanitizing it. sbt is most certainly not affected by this.

That said, I agree the beanshell jar was probably not necessary in the
bootstrap tarball.


> From my point of view scala-tools-sbinary can not be accepted yet.

Assuming we get debian/copyright in a better shape and remove the
binaries already packaged from the tarball, it is ok to upload
scala-tools-sbinary to main to complete the bootstrapping?

Emmanuel Bourg

__
This is the maintainer address of Debian's Java team.
Please use debian-j...@lists.debian.org for discussions and questions.

Re: scala-tools-sbinary_0.4.2+2.11.M5-1_amd64.changes REJECTED

2017-08-27 Thread Thorsten Alteholz

Hi Tony et al.,

On Sun, 27 Aug 2017, tony mancill wrote:

> I was in fact inferring some special
> (but temporary) dispensation for these packages because my understanding
> is that it won't be possible to build SBT from source until the entire
> set of related packages is in the archive, and SBT is required for some
> of the builds. scala-tools-sbinary is the last of that set.


ok, but this seems to be wrong. If scala-tools-sbinary really is the last 
package, it must not contain any binary jar files but could use packages 
from the archive, right? So why aren't those other packages uploaded 
first? I just had a quick look at the embedded org.beanshell and didn't 
find any dependency on sbt for that tool. So at least this jar file could 
be handled better. While talking about beanshell, the sources on github 
contain files under a BSD-license. In your debian/copyright you just 
mention the Apache license and one copyright holder for it. There seems 
to be much room for improvement in your debian/copyright. Luckily bsh 
in version 2.04b is already in Debian and the debian/copyright of this 
package says it is under LGPL. I am sorry, but your debian/copyright is 
a mess and it does not help that there are lots of binary blobs included.
Further there is CVE-2016-2510, which is fixed in 2.0b6 and not in your 
embedded version 2.0b4.



> Is the acceptance of scala-tools-sbinary something that the FTP Masters
> would be willing to discuss?



From my point of view scala-tools-sbinary can not be accepted yet.


  Thorsten




Re: scala-tools-sbinary_0.4.2+2.11.M5-1_amd64.changes REJECTED

2017-08-27 Thread Thorsten Alteholz

On Sun, 27 Aug 2017, Emmanuel Bourg wrote:

> Would it be ok to target non-free instead of main until the

even in non-free the debian/copyright has to have the correct contents.

> bootstrapping is complete and the binaries removed from the source
> tarballs?

Hmm, this will result in sbt being in non-free. How will you proceed to
main? Something in main must not depend on something in non-free, so a
main-sbt cannot be built by non-free-sbt.

  Thorsten






Re: scala-tools-sbinary_0.4.2+2.11.M5-1_amd64.changes REJECTED

2017-08-27 Thread Emmanuel Bourg
Would it be ok to target non-free instead of main until the
bootstrapping is complete and the binaries removed from the source tarballs?

Emmanuel Bourg



Re: scala-tools-sbinary_0.4.2+2.11.M5-1_amd64.changes REJECTED

2017-08-27 Thread tony mancill
On Sun, Aug 27, 2017 at 06:49:35AM -0700, Chris Lamb wrote:
> Hi Andreas, 
> 
> > > > I'm confused about this package being rejected when a number of other
> > > > packages constructed in exactly the same manner were accepted in April.
> > > 
> > > This could have been a mistake rather than an expression of a policy... 
> > > :) 
> > 
> > As far as I understood it was not done by mistake
> 
> (*I* could have accepted the package by accident so inferring anything from 
> previous processing of packages could be misleading...) 

Hi Chris,

Thank you for your response. I wasn't involved with the initial set of
uploads (but am intending to help get SBT into buster), so I might not
have the complete story. I was in fact inferring some special
(but temporary) dispensation for these packages because my understanding
is that it won't be possible to build SBT from source until the entire
set of related packages is in the archive, and SBT is required for some
of the builds. scala-tools-sbinary is the last of that set.

Once we have the full complement in the archive, we will have the
necessary tool chain to start picking apart the bootstrapdeps
components. Frederic does a better job of describing it here [1].

My apologies (also to Thorsten) if my initial question came across as
testy. The first set of uploads was in mid-April, and
scala-tools-sbinary isn't obviously connected with that set.

Is the acceptance of scala-tools-sbinary something that the FTP Masters
would be willing to discuss?

Cheers,
tony

[1] https://lists.debian.org/debian-java/2017/08/msg00092.html



Re: scala-tools-sbinary_0.4.2+2.11.M5-1_amd64.changes REJECTED

2017-08-27 Thread Chris Lamb
Hi Andreas, 

> > > I'm confused about this package being rejected when a number of other
> > > packages constructed in exactly the same manner were accepted in April.
> > 
> > This could have been a mistake rather than an expression of a policy... :) 
> 
> As far as I understood it was not done by mistake

(*I* could have accepted the package by accident so inferring anything from 
previous processing of packages could be misleading...) 


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Re: scala-tools-sbinary_0.4.2+2.11.M5-1_amd64.changes REJECTED

2017-08-27 Thread Andreas Tille
Hi Chris and Thorsten,

On Sat, Aug 26, 2017 at 08:47:28PM -0700, Chris Lamb wrote:
> Tony, 
> 
> > I'm confused about this package being rejected when a number of other
> > packages constructed in exactly the same manner were accepted in April.
> 
> This could have been a mistake rather than an expression of a policy... :) 

As far as I understood it was not done by mistake but as a consequence
of previous discussion of the bootstrapping process.  Frédéric, could you
please give some pointers to clarify the issue?

Kind regards

  Andreas.

-- 
http://fam-tille.de



Re: scala-tools-sbinary_0.4.2+2.11.M5-1_amd64.changes REJECTED

2017-08-26 Thread Chris Lamb
Tony, 

> I'm confused about this package being rejected when a number of other
> packages constructed in exactly the same manner were accepted in April.

This could have been a mistake rather than an expression of a policy... :) 


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Re: scala-tools-sbinary_0.4.2+2.11.M5-1_amd64.changes REJECTED

2017-08-26 Thread tony mancill
On Sat, Aug 26, 2017 at 11:00:10AM +, Thorsten Alteholz wrote:
> 
> Hi Frédér,
> 
> your package seems to consist mostly of jar files without the corresponding 
> sources. So I am afraid I have to reject it.
> 
>   Thorsten
> 
> 
> 
> ===
> 
> Please feel free to respond to this email if you don't understand why
> your files were rejected, or if you upload new files which address our
> concerns.

Hi Thorsten,

I'm confused about this package being rejected when a number of other
packages constructed in exactly the same manner were accepted in April.
Just a couple examples are [1] and [2], all part of a bootstrapping
effort for SBT [3]. If it helps, Frederic and I were recently
discussing the composition of the packages in [4].  

I believe the packages were accepted by Chris Lamb, although I cannot
find a record of this in the archives. (Is the acceptance of packages in
NEW logged aside from what is visible in the tracker.d.o/news links?)

It would be helpful to get some clarification from the FTP Masters
regarding the guidelines for the bootstrapping of SBT.

Thank you,
tony

[1] https://tracker.debian.org/news/843597
[2] https://tracker.debian.org/news/843599
[3] https://lists.debian.org/debian-java/2017/04/msg00014.html
[4] https://lists.debian.org/debian-java/2017/08/msg00092.html



scala-tools-sbinary_0.4.2+2.11.M5-1_amd64.changes REJECTED

2017-08-26 Thread Thorsten Alteholz

Hi Frédér,

your package seems to consist mostly of jar files without the corresponding 
sources. So I am afraid I have to reject it.

  Thorsten



===

Please feel free to respond to this email if you don't understand why
your files were rejected, or if you upload new files which address our
concerns.

