Source: otrs2 Version: 5.0.6-1 Severity: serious I'm quite shocked to find how badly otrs2 packaging violates DFSG. There are many non-distributrable pre-built (minified) source-less files in orig tarball under "var/httpd/htdocs/js/thirdparty". No attemps to fix this situation has been and some inconvenient lintian warnings (such as "source- contains-prebuilt-javascript-object" and "source-contains-prebuilt-flash- object") are hidden through use of lintian-overrides. Moreover many bundled third party components are not even documented in "debian/copyright". :( :(
Fixing those problems is neigher optional nor hard. To comply with policy sources of minified files can be shipped in "debian/missing-sources". Minified files can be replaced on build time with their uncompressed original files or even with files minified by build srcipts (if you believe in minification). Where appropriate you can certainly use system libjs-* packages and there is already bug for that: #695664. At your convenience you can use "dh_linktree" or "dh_link" helpers to facilitate replacement. New `uscan` functionality allows to do DFSG-repackaging by utilising "copyright/Files-Excluded" field -- you can read more about that in https://wiki.debian.org/UscanEnhancements (Also it might be helpful to add "repacksuffix=+dfsg" to "debian/watch"). Finally you don't have to document copyrights and licenses for files that were dropped from orig.tar. You are not the only maintainer who have to deal with pesky bundled non-DFSG third party components. Just recently yours truly had to fix package "ckeditor" because one of my packages bundles it. Therefore I'm confident that you can replace "ckeditor" bundled to "otrs2" with "ckeditor (>= 4.5.6~)" right now and that it is safe to do so. Please address all those problems ASAP. -- Cheers, Dmitry Smirnov GPG key : 4096R/53968D1B --- Democracy is a pathetic belief in the collective wisdom of individual ignorance. -- H. L. Mencken
signature.asc
Description: This is a digitally signed message part.