On Thu, Oct 24, 2019 at 11:40, Jonas Smedegaard <d...@jones.dk> wrote:
Package: node-lodash
Version: 4.17.15+dfsg-1
Severity: serious
Justification: Policy 2.1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
The source package src:node-lodash states in its debian/copyright file
that its upstream source is <https://github.com/lodash/lodash>
What I found relevant here is
If running dpkg-source -x on a source package doesn’t produce the
source of the package, ready for editing, and allow one to make changes
and run dpkg-buildpackage to produce a modified package without taking
any additional steps, creating a debian/README.source documentation
file is recommended.
https://www.debian.org/doc/debian-policy/ch-source.html#source-package-handling-debian-readme-source
I don't think even this requirement is not applicable here, as apt
source does the required things and uscan does the right thing when
updating to new upstream release.
