Re: [lintian] 01/01: Check for Apache 2.0 packages that do not distribute their accompanying "NOTICE" files. (Closes: #885042)

2017-12-23 Thread Mattia Rizzolo
A comment:

On Sat, Dec 23, 2017 at 04:07:12PM +, Chris Lamb wrote:
> +Tag: missing-notice-file-for-apache-license
> +Severity: serious
> +Certainty: possible
> +Info: The package appears to be licensed under the Apache 2.0 license and
> + a NOTICE file exists in the source tree. However, no files called
> + NOTICE are installed in any of the binary packages.
> + .
> + The Apache 2.0 license requires distributing of such files:
> + .
> +  (d) If the Work includes a "NOTICE" text file as part of its
> +  distribution, then any Derivative Works that You distribute must
> +  include a readable copy of the attribution notices contained
> +  within such NOTICE file [..]
> + .
> + Please include the file in your package, for example by adding
> + path/to/NOTICE to a debian/package.install file.
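
Review bot: `Severity: serious` combined with `Certainty: possible` in the tag header deserves a second look, because the Info text itself only says the package "appears to be" licensed under Apache 2.0. Either lower the severity or add a sentence telling the maintainer what to do when the match is a false positive. In the line before the quoted clause, "requires distributing of such files" would read better as "requires such files to be distributed".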

Given that I think in most cases (including your own example you made up
for the testsuite!) that file probably should be in /usr/share/doc/pkg/,
what about recommending to put it in the debian/package.docs file
instead?

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540
more about me:  https://mapreri.org
Launchpad user: https://launchpad.net/~mapreri
Debian QA page: https://qa.debian.org/developer.php?login=mattia



[lintian] 01/01: Check for Apache 2.0 packages that do not distribute their accompanying "NOTICE" files. (Closes: #885042)

2017-12-23 Thread Chris Lamb
This is an automated email from the git hooks/post-receive script.

lamby pushed a commit to branch master
in repository lintian.

commit 6110e0f1185e26d903dd0ed8a7a8edaae14cf905
Author: Chris Lamb 
Date:   Sat Dec 23 16:06:23 2017 +

Check for Apache 2.0 packages that do not distribute their accompanying 
"NOTICE" files. (Closes: #885042)
---
 checks/source-copyright.desc   | 18 +++
 checks/source-copyright.pm | 27 +-
 debian/changelog   |  3 +++
 .../debian/NOTICE  |  1 +
 .../debian/debian/copyright| 23 ++
 ...ng-notice-file-for-apache-license-unrel.install |  1 +
 .../desc   |  5 
 .../tags   |  0
 .../debian/NOTICE  |  1 +
 .../debian/debian/copyright| 23 ++
 .../debian/subdir/NOTICE   |  1 +
 .../debian/unrel/NOTICE|  1 +
 .../desc   |  5 
 .../tags   |  1 +
 14 files changed, 109 insertions(+), 1 deletion(-)

diff --git a/checks/source-copyright.desc b/checks/source-copyright.desc
index 336..b0fd57e 100644
--- a/checks/source-copyright.desc
+++ b/checks/source-copyright.desc
@@ -324,3 +324,21 @@ Info: A file specified in the Files-Excluded 
header in
  .
  mk-origtargz(1) is typically responsible for removing such files. Support
  in git-buildpackage is being tracked in #812721.
+
+Tag: missing-notice-file-for-apache-license
+Severity: serious
+Certainty: possible
+Info: The package appears to be licensed under the Apache 2.0 license and
+ a NOTICE file exists in the source tree. However, no files called
+ NOTICE are installed in any of the binary packages.
+ .
+ The Apache 2.0 license requires distributing of such files:
+ .
+  (d) If the Work includes a "NOTICE" text file as part of its
+  distribution, then any Derivative Works that You distribute must
+  include a readable copy of the attribution notices contained
+  within such NOTICE file [..]
+ .
+ Please include the file in your package, for example by adding
+ path/to/NOTICE to a debian/package.install file.
+Ref: /usr/share/common-licenses/Apache-2.0
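
Review bot: the licence clause quoted in the Info block is labelled only "(d)". It is section 4(d) of the Apache License 2.0, and saying so lets a reader locate it in the file named by `Ref: /usr/share/common-licenses/Apache-2.0`. The text also states that "no files called NOTICE are installed", while the check added to checks/source-copyright.pm accepts `NOTICE.gz` too, so the description should mention the compressed name.
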
diff --git a/checks/source-copyright.pm b/checks/source-copyright.pm
index a5f66db..b7494a9 100644
--- a/checks/source-copyright.pm
+++ b/checks/source-copyright.pm
@@ -59,7 +59,7 @@ my %dep5_renamed_fields= (
 );
 
 sub run {
-my (undef, undef, $info) = @_;
+my (undef, undef, $info, undef, $group) = @_;
 my $debian_dir = $info->index_resolved_path('debian/');
 return if not $debian_dir;
 my $copyright_path = $debian_dir->child('copyright');
@@ -81,6 +81,7 @@ sub run {
 
 if ($copyright_path->is_open_ok) {
 _check_dep5_copyright($info, $copyright_path);
+_check_apache_notice_files($info, $group, $copyright_path);
 }
 return;
 }
@@ -148,6 +149,30 @@ sub _find_dep5_version {
 return;
 }
 
+sub _check_apache_notice_files {
+my ($info, $group, $copyright_path) = @_;
+
+my @procs = $group->get_processables('binary');
+return if not @procs;
+return if $copyright_path->file_contents !~ m/apache[-\s]+2\./i;
+
+my @notice_files = grep {
+  $_->basename eq 'NOTICE'
+  and $_->is_open_ok
+  and $_->file_contents =~ m/apache/i
+} $info->sorted_index;
+return if not @notice_files;
+
+foreach my $binpkg (@procs) {
+my @files = $binpkg->info->sorted_index;
+return if any { $_->basename =~ m/^NOTICE(\.gz)?$/} @files;
+}
+
+tag 'missing-notice-file-for-apache-license', join(' ', @notice_files);
+
+return;
+}
+
 sub _check_dep5_copyright {
 my ($info, $copyright_path) = @_;
 my $contents = $copyright_path->file_contents;
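
Review bot: in `_check_apache_notice_files` the two sides of the comparison are not symmetric. The source-side `grep` keeps only NOTICE files whose contents match `m/apache/i`, but `return if any { $_->basename =~ m/^NOTICE(\.gz)?$/} @files;` accepts any installed file with that basename. An unrelated NOTICE shipped by a single binary package therefore silences the tag for the whole group, and a source NOTICE that never contains the word "apache" is never reported, although the clause quoted in the .desc file applies to any NOTICE file in the Work. Consider tying the installed file to the source file that was found (same content test, or a comparison of contents) and adding a comment that states the heuristic. Also note that `m/apache[-\s]+2\./i` is matched against the entire copyright file, so one Apache-licensed stanza enables the check for every NOTICE in the tree.
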
diff --git a/debian/changelog b/debian/changelog
index f6b5704..a488d7b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -34,6 +34,9 @@ lintian (2.5.66) UNRELEASED; urgency=medium
   timewarp-standards-version warnings if the date parts are identical
   (ie. "2017-11-30 < 2017-11-30"). Thanks to Andrea Bolognani
   e...@kiyuko.org> for the report.  (Closes: #884785)
+  * checks/source-copyright.{desc,pm}:
++ [CL] Check for Apache 2.0 packages that do not distribute their
+  accompanying "NOTICE" files.  (Closes: #885042)
 
   * data/debhelper/compat-level:
 + [MR] Bump the experimental debhelper compat level to 12.
diff --git 
a/t/tests/source-copyright-missing-notice-file-for-apache-license-unrel/debian/NOTICE
 
b/t/tests/source-copyright-missing-notice-file-for-apache-license-unrel/debian/NOTICE
new file mode 100644
index 000..2a74156
--- /dev/null
+++