Re: libowasp-antisamy-java_1.5.3-1_amd64.changes REJECTED
Hi, On 22/05/14 14:00, Thorsten Alteholz wrote: Some js-files are licensed under MIT, GPL or Apache-2. These licenses are not mentioned in debian/copyright. Please also remove all minified js-files where no sources are provided. Right, I understand the problem now, and I'd like some advice, please, before proceeding. libowasp-antisamy-java (hereafter antisamy) comes with a test suite, which we don't use during the build process, as that would involve creating a policy file just for the build-time tests, and I don't think that's worth the pain right now. Part of that test suite is a performance test ( src/test/java/org/owasp/validator/html/test/AntiSamyPerformanceTest.java ) which uses some larger items previously downloaded by upstream from the internet ( src/test/resources/s ); it's those that contain the minified js of uncertain license. I can see 3 ways forward: i) leave tarball as-is, since the test data aren't used in the build process ii) rm src/test/resources/s and leave a note in README saying the tests won't work even if you write a policy file because of the missing data iii) remove the entire test suite code What would you prefer? i) has the advantages of leaving the source as upstream have it in their SVN ; ii) is perhaps the right compromise option; iii) seems too extreme. Thanks, Matthew __ This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use debian-j...@lists.debian.org for discussions and questions.
Re: libowasp-antisamy-java_1.5.3-1_amd64.changes REJECTED
On 30/05/14 10:32, Emmanuel Bourg wrote: Le 30/05/2014 11:11, Matthew Vernon a écrit : What would you prefer? i) has the advantages of leaving the source as upstream have it in their SVN ; ii) is perhaps the right compromise option; iii) seems too extreme. IMHO if the minified JavaScript files are only test objects they should be left as is (assuming they are available under an appropriate license). It's difficult to determine what license they might be covered by; AFAICT they are the result of pointing something like wget at a bunch of sites, namely: cnn.com, deadspin.com, fark.com, google.com, microsoft.com, slashdot.org They're used for testing the performance of the library; the library is aimed at letting you handle user-supplied HTML/CSS safely (i.e. avoiding XSS etc.) [see https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project for more on the purpose of antisamy] Regards, Matthew __ This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use debian-j...@lists.debian.org for discussions and questions.
Re: libowasp-antisamy-java_1.5.3-1_amd64.changes REJECTED
Le 30/05/2014 11:11, Matthew Vernon a écrit : What would you prefer? i) has the advantages of leaving the source as upstream have it in their SVN ; ii) is perhaps the right compromise option; iii) seems too extreme. IMHO if the minified JavaScript files are only test objects they should be left as is (assuming they are available under an appropriate license). If the purpose of a library is to process a prebuilt binary we should allow the binaries used for testing purposes to remain in the source package. For example there are Java libraries that process .jar files, and in these cases the binary objects processed by the tests are preserved in the source packages. Emmanuel Bourg __ This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use debian-j...@lists.debian.org for discussions and questions.
Re: libowasp-antisamy-java_1.5.3-1_amd64.changes REJECTED
Le 30/05/2014 11:37, Matthew Vernon a écrit : It's difficult to determine what license they might be covered by; AFAICT they are the result of pointing something like wget at a bunch of sites, namely: cnn.com, deadspin.com, fark.com, google.com, microsoft.com, slashdot.org In this case I don't think we are allowed to distribute them. libjsoup-java also had HTML pages from Google, Yahoo and The New York Times, and we replaced them with pages from Wikipedia. Emmanuel Bourg __ This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use debian-j...@lists.debian.org for discussions and questions.
Re: libowasp-antisamy-java_1.5.3-1_amd64.changes REJECTED
On 30/05/14 10:47, Emmanuel Bourg wrote: Le 30/05/2014 11:37, Matthew Vernon a écrit : It's difficult to determine what license they might be covered by; AFAICT they are the result of pointing something like wget at a bunch of sites, namely: cnn.com, deadspin.com, fark.com, google.com, microsoft.com, slashdot.org In this case I don't think we are allowed to distribute them. libjsoup-java also had HTML pages from Google, Yahoo and The New York Times, and we replaced them with pages from Wikipedia. Right, I think then the answer is to remove the src/test/resources/s directory. Thanks, Matthew __ This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use debian-j...@lists.debian.org for discussions and questions.
libowasp-antisamy-java_1.5.3-1_amd64.changes REJECTED
Dear Maintainer, unfortunately I have to reject your package. Some js-files are licensed under MIT, GPL or Apache-2. These licenses are not mentioned in debian/copyright. Please also remove all minified js-files where no sources are provided. Thanks! Thorsten === Please feel free to respond to this email if you don't understand why your files were rejected, or if you upload new files which address our concerns. __ This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use debian-j...@lists.debian.org for discussions and questions.