Hi, u:

    That's very interesting. Let's see what happened, one by one.

    First of all, the source code has not been "deleted". It's just a branch
called "rm". If you switch the branch to master, the code is still there (
https://github.com/shadowsocks/shadowsocks/tree/master).

    The next thing is really interesting. You can find my commit in the repository (
https://github.com/shadowsocks/shadowsocks/commit/3b242bee5eb191599a0d051497003127986ea290).
But if you click "Browse files" and pull to the end, it turns out that at the
time I did the packaging job, the repository address was
"https://github.com/clowwindy/shadowsocks/wiki" (its wiki), and the license was
MIT.
    Yes, I did the right job at that time. The repository was modified,
translated to someone else, and the license changed.

    I followed the commit logs, and here is the commit in which the license changed (
https://github.com/shadowsocks/shadowsocks/commit/ce805f0aeaea03646e01b623c4e2185f63a3562f).
The whole project was re-licensed to Apache to protect the name of
contributors. It happened far after my work, even after Debian accepted it
(according to https://packages.qa.debian.org/s/shadowsocks.html, it's
2014-09-16). In this situation, I think the old code can still be used under
MIT, and new code can only be used under Apache. So I should use the new
license if I package a new one. But I don't have to update the package to follow
the new license.

    As you might have noticed, shadowsocks is software which is designed to
break the GFW. So it's not weird that the government wants to erase this whole
project. The main author (clowwindy) was found by the police and had a little
conversation (which we call "drink tea"). He is forbidden to maintain
the project, or even talk about it. So I don't trust any commit after that
time (just before 2015-08-20), because the government might inject something into
it after that time.

    Here is the thing I wanna do.

    I'll update the package to version 2.8.2 in stretch (of course, it's
not a "release", because the author never planned to release at the time he
was called for "tea"; and of course, under the Apache License). That will be
the final version. Any "new" version after that time should be reviewed
carefully.

    And I'll remove this project from Debian in the next release (after
stretch), because we should have something new by that time. (Or hopefully,
we can finally get rid of the GFW by that time.)

           Sincerely
                                         Shell.Xu

On Wed, May 18, 2016 at 6:03 PM, u <u...@451f.org> wrote:

> Package: shadowsocks
> Severity: important
>
> Dear Maintainer,
>
> upstream (https://github.com/shadowsocks/shadowsocks) has deleted
> available source code for shadowsocks.
> Thus, it appears to me that this package does not comply with Debian
> Policy anymore.
>
> Also, the "Homepage: https://github.com/clowwindy/shadowsocks" field in
> debian/control is not correct. Upstream code was available at this
> homepage: https://github.com/shadowsocks/shadowsocks.
>
> The License information provided in debian/copyright (expat) also seems
> incorrect:
>
> https://github.com/shadowsocks/shadowsocks/commit/7c08101ce8a673fafb22477e8ad720aa57114a1f
> .
> Here it is written that this software was released under an Apache license.
>
> It's unclear to me where the 2.1.0 version exactly comes from, it's not
> listed in the releases on
> https://github.com/shadowsocks/shadowsocks/releases.
>
> The latest version of shadowsocks was 2.8.1. So this package is also
> completely outdated.
>
> Cheers!
> u.
>



-- 
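"There are gaps in the joints, and the blade's edge has no thickness; put what has no thickness into those gaps, and there is room to spare for the blade to move about."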
blog: http://shell909090.org/blog/
twitter: @shell909090 <https://twitter.com/shell909090>
about.me: http://about.me/shell909090
