Package: node-lodash
Version: 4.17.15+dfsg-1
Severity: serious
Justification: Policy 2.1

The source package src:node-lodash states in its debian/copyright file
that its upstream source is https://github.com/lodash/lodash

$ apt source node-lodash
$ cd node-lodash-4.17.15+dfsg
$ tree -ad -I .pc
.
├── debian
│   ├── source
│   ├── tests
│   └── upstream
├── dist
├── doc
├── fp
├── .github
├── lib
│   ├── common
│   ├── fp
│   │   └── template
│   │       ├── doc
│   │       └── modules
│   └── main
├── lodash-cli
│   ├── bin
│   ├── lib
│   └── template
├── perf
│   └── asset
├── test
│   └── asset
└── vendor
    ├── backbone
    │   └── test
    │       └── setup
    ├── firebug-lite
    │   ├── skin
    │   │   └── xp
    │   └── src
    ├── json-js
    └── underscore
        └── test

34 directories

$ git clone https://github.com/lodash/lodash
$ cd lodash
$ tree -ad -I '.git*'
.
├── .internal
└── test

2 directories

The tarball distributed as the "source" for the Debian packaging clearly
is *not* what upstream considers its source nor is it what is stated in
debian/copyright was used as source.

 - Jonas
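
The comparison made in the report, as an added example (not part of the original message and not Debian tooling): shell functions that list the directories present in an unpacked source package but absent from an upstream checkout. The function names and the fixture are constructed for illustration; ignoring debian/, .pc and .git* in both trees is an assumption.

```shell
#!/bin/sh
# List directories of a source tree relative to its root, sorted.
# Assumption: top-level debian/ and .pc/ plus any .git* entry are
# packaging or VCS metadata and are ignored in both trees.
list_dirs() {
    ( cd "$1" && find . \
        \( -path ./debian -o -path ./.pc -o -name '.git*' \) -prune \
        -o -type d ! -path . -print ) | sed 's|^\./||' | LC_ALL=C sort
}

# Print directories found in the packaged tree ($1) but not in the
# upstream checkout ($2), one per line.
only_in_package() {
    pkg_list=$(mktemp) && up_list=$(mktemp) || return 2
    list_dirs "$1" > "$pkg_list"
    list_dirs "$2" > "$up_list"
    LC_ALL=C comm -23 "$pkg_list" "$up_list"
    rm -f "$pkg_list" "$up_list"
}

# Succeed only when the packaged tree has no directory missing upstream.
trees_match() {
    [ -z "$(only_in_package "$1" "$2")" ]
}

# Constructed fixture reusing a few directory names from the report.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/pkg/debian/source" "$tmp/pkg/.pc" "$tmp/pkg/dist" \
             "$tmp/pkg/test" "$tmp/pkg/vendor/underscore/test"
    mkdir -p "$tmp/upstream/.git" "$tmp/upstream/.internal" \
             "$tmp/upstream/test"
    only_in_package "$tmp/pkg" "$tmp/upstream"
    rm -rf "$tmp"
}

demo
```

Against real trees, call `only_in_package node-lodash-4.17.15+dfsg lodash` from the directory holding both; any output is a directory the packaged source carries that the upstream checkout does not.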