Bug#725210: embeds multiple libraries, at least two of which undistributable

2013-10-03 Thread Jeremy Lainé
On 10/02/2013 10:23 PM, Faidon Liambotis wrote:
> Package: asterisk
> Version: 1:11.5.1~dfsg-2
> Severity: serious
>
> I was surprised and initially happy to see Asterisk 11 uploaded into
> sid. My happiness quickly diminished when I saw that the upload contains
> the embedded pjproject as-is, despite this issue having been flagged for
> months now and being the sole blocker for an upload since the release of
> Asterisk 11 eleven months ago.
>
> There are several policy violations here:
>  - Contains a convenience copy of pjproject under res/pjproject (§4.13)

This is indeed a slip-up, the pjproject source was definitely intended to be
stripped from the asterisk tarball, as documented in debian/changelog. I found
the commit which removed the pjproject-stripping-code from debian/rules:

http://anonscm.debian.org/gitweb/?p=pkg-voip/asterisk.git;a=commitdiff;h=6148e287cc35d0756785af74fe2bfa6f3148d706

>  - pjproject itself contains convenience copies of several libraries
>    under res/pjproject/third_party/ some of which already packaged in
>    Debian (§4.13)
>  - All of the above are completely undocumented in d/copyright (§12.5)
>  - Not only they are undocumented, but it looks like no audit has
>    happened on them whatsoever. From a very cursory look, at least
>    res/pjproject/third_party/milenage/  res/pjproject/third_party/g7221/
>    seem to completely lack license information other than the occasional
>    All right reserved, which makes them undistributable by Debian or
>    anyone else. (§2.3)


You may not have noticed, but pjproject has its own package:

http://packages.qa.debian.org/p/pjproject.html

Go take a look at the pjproject packaging and you will find these points have
been addressed.

> I'm baffled on how a DD could ever upload this into the archive, esp.
> since these issues were widely known and discussed beforehand. Please
> refrain from making such uploads in the future, as it's both a disgrace
> to Debian's standards and a legal risk.

I suggest you have more than a cursory look next time before using this kind
of tone.

Thanks anyway for the report,
Jeremy





2013-10-02 Thread Faidon Liambotis

Package: asterisk
Version: 1:11.5.1~dfsg-2
Severity: serious

I was surprised and initially happy to see Asterisk 11 uploaded into
sid. My happiness quickly diminished when I saw that the upload contains
the embedded pjproject as-is, despite this issue having been flagged for
months now and being the sole blocker for an upload since the release of
Asterisk 11 eleven months ago.

There are several policy violations here:
 - Contains a convenience copy of pjproject under res/pjproject (§4.13)
 - pjproject itself contains convenience copies of several libraries
   under res/pjproject/third_party/ some of which already packaged in
   Debian (§4.13)
 - All of the above are completely undocumented in d/copyright (§12.5)
 - Not only they are undocumented, but it looks like no audit has
   happened on them whatsoever. From a very cursory look, at least
   res/pjproject/third_party/milenage/  res/pjproject/third_party/g7221/
   seem to completely lack license information other than the occasional
   All right reserved, which makes them undistributable by Debian or
   anyone else. (§2.3)

I'm baffled on how a DD could ever upload this into the archive, esp.
since these issues were widely known and discussed beforehand. Please
refrain from making such uploads in the future, as it's both a disgrace
to Debian's standards and a legal risk.

Regards,
Faidon

