Hi Tony et al.,

On Sun, 27 Aug 2017, tony mancill wrote:
                        I was in fact inferring some special
(but temporary) dispensation for these packages because my understanding
is that it won't be possible to build SBT from source until the entire
set of related packages is in the archive, and SBT is required for some
of the builds. scala-tools-sbinary is the last of that set.

ok, but this seems to be wrong. If scala-tools-sbinary really is the last package, it must not contain any binary jar files but could use packages from the archive, right? So why aren't those other packages uploaded first? I just had a quick look at the embedded org.beanshell and didn't find any dependency on sbt for that tool. So at least this jar file could be handled better. While talking about beanshell, the sources on github contain files under a BSD-license. In your debian/copyright you just mention the Apache license and one copyright holder for it. There seems to be much room for improvement in your debian/copyright. Luckily bsh in version 2.04b is already in Debian and the debian/copyright of this package says it is under LGPL. I am sorry, but your debian/copyright is a mess and it does not help that there are lots of binary blobs included. Further, there is CVE-2016-2510, which is fixed in 2.0b6 and not in your embedded version 2.0b4.

Is the acceptance of scala-tools-sbinary something that the FTP Masters
would be willing to discuss?

From my point of view scala-tools-sbinary cannot be accepted yet.

  Thorsten


__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.