On Sun, Jan 19, 2025 at 03:19:14AM -0500, Sandro Tosi wrote:
> control: tags -1 +moreinfo
>
> On Sun, Jan 19, 2025 at 2:30 AM Julian Gilbey <j...@debian.org> wrote:
> >
> > Package: python3-fastapi
> > Version: 0.115.5-3
> > Severity: serious
>
> what is the policy violation that warranted this severity?

Policy is not (and was never) intended to be exhaustive, but rather to codify practices that are required for packages to interoperate and to work within the Debian ecosystem. There are many things that are "obvious" that are not stated in policy; as an extreme example (which would certainly fail on other criteria), there is no policy statement "you must not include malware in your package". As a minor example not mentioned, "you should ensure that the spelling of words in the package synopsis and extended description is correct". As an in-between example, under which this falls, "you must not include build logs or artefacts of test runs in your binary package (unless they are required for the package to function normally)".

In this case, with the artefact lying at the root of the Python dist-modules tree, and therefore having the potential to cause issues for other Python packages now or in the future, it seems that severity "serious" is appropriate.

Best wishes,

Julian