Control: severity -1 normal

On 21.11.18 at 18:15, Thorsten Glaser wrote:
> Source: jaxrs-api
> Version: 2.1.2-2
> Severity: serious
> Justification: Policy 2.3, 12.5, possibly 2.1
>
> In an internal Java™ project of $dayjob I was checking licences
> of updated components and found that javax.ws.rs:javax.ws.rs-api
> 2.1.1 has a new, different, licence I am unfamiliar with. I
> decided to see whether it’s in Debian and what its thoughts on it
> are.
>
> The Debian source package for the same component, however, has
> still the old licence listed. I looked into the source code, and
> lo and behold, it carries the NEW one. (This means that the DD
> who uploaded it did not read the diff between the versions
> carefully enough).
>
> Broken copyright information is at least RC and serious. If the
> new licence (EPLv2 something) is not DFSG-free this makes it
> grave and grounds for archive and snapshot removal.

Further investigation into the issue would have yielded the following:

The project is still dual-licensed under EPL-2.0 and
GPL-2+-with-class-path-exception. See the NOTICE file. The EPL license
is very similar to CDDL. There is also an EPL FAQ that answers most of
the common licensing questions:

https://www.eclipse.org/legal/epl-2.0/faq.php#h.nmhx2u70socl

In any case, since it is available under GPL-2+with-class-path-exception,
we comply with the Debian Policy. Thus I am downgrading the severity to
normal because it is a documentation bug and not a serious Policy
violation.

Markus