Hi Roland,

On 2025-03-25 08:15:16, Roland Gruber wrote:
Hi Peter,

thanks a lot for the feedback.


Am 23.03.25 um 20:52 schrieb Peter Wienemann:
1. The tarball which is available on

differs from the tarball which is available from the URL specified in the watch file or which is available on Github

What is the reason for that?

The download package on Github contains minified JavaScript files. The Debian tar.bz2 contains the source files instead and minifies them during Debian package build. Both packages are produced in one build step based on the same source code.

thanks for the clarification. Maybe it is worth mentioning this in debian/README.Debian. It also means that the watch file looks in the wrong place.

2. The copyright documentation in debian/copyright needs more work. Just by quickly skimming the files I found the following copyright owners which are not mentioned:

Only main authors are listed in the file. The authors listed by you did not contribute for about 20 years or more. Therefore, large parts of the code were already replaced. Also, people who contribute via PRs are not listed. But we keep their names in the source files to document the contributions.

Debian Policy 12.5 [0] says:

"A verbatim copy of the package’s copyright information is often required to be present in /usr/share/doc/PACKAGE/copyright, too; see Copyright considerations."

Checking the applicable licence for those files (GPL2+) [1], the licence states:

"You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program."

My understanding of the above is that a _verbatim_ copy of the copyright information is required in the cases at hand.

While rereading the respective Debian Policy copyright section I noticed that another Policy requirement is missing in the copyright file:

"In addition, the copyright file must say where the upstream sources (if any) were obtained, and should include a name or contact address for the upstream authors."

[0] https://www.debian.org/doc/debian-policy/ch-docs.html#s-copyrightfile

[1] https://spdx.org/licenses/GPL-2.0-or-later.html

The debian/copyright file also refers to non-existent files, e. g.

lib/3rdParty/composer/duo
style/600_flatpickr.css
templates/lib/cropper*.js

Thanks, will check and fix that.


I also found copyright years in debian/copyright to be incomplete and/or outdated.

So I think the package needs a full review of its debian/copyright file to make sure its data match the copyright/license statements in the individual files.

One might also use this opportunity to switch to a machine-readable debian/copyright file as documented on [0].

4. Just to satisfy my curiosity: You handle quite some links in maintainer scripts. Wouldn't it be easier to add a debian/ldap-account-manager.links file and let dh_link handle them? Or do I miss something which prevents you from doing it?

True, will check that.


5. Do you maintain the Debian ldap-account-manager package without version control system on purpose, e. g. because you or your usual sponsor do not like it?

The files are versioned here:

https://github.com/LDAPAccountManager/lam/tree/develop/lam-packaging/debian

Thanks for the pointer. Unfortunately this repository does not have signed Debian release tags created and pushed by the respective uploader.

Best regards

Peter
