Acknowledgement sent
to Nicholas D Steeves <[email protected]>:
New Bug report received and forwarded. Copy sent to Debian Lintian Maintainers <[email protected]>.
(Tue, 21 Dec 2021 01:24:03 GMT)
Package: lintian
Version: 2.114.0
Severity: normal
Hi,
Gpl-2+ (used in d/copyright) is equivalent to gpl-2.0+ used in
appstream metadata, so this is a false positive. Were GNU to
hypothetically release a GPL 2.1, and were upstream to switch to it,
the onus would be on the Debian maintainer to update d/copyright. It
also seems wrong to emit this at the warning level for this specific
case.
If lintian is encouraging maintainers to use the "gpl-2.0+" notation
rather than gpl-2+ in d/copyright, then it should emit a different
(lower severity than warning) tag for that case.
It seems clear to me that (gpl-2.0+ = gpl-2+), so it looks like the
correct approach is to use a table of equivalent license notations to
prevent the false positive. Apologies if bias has prevented me from
deeper analysis or seeing other solutions.
Thanks!
Nicholas
Acknowledgement sent
to Nicholas D Steeves <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <[email protected]>.
(Tue, 12 Apr 2022 21:45:03 GMT)
Acknowledgement sent
to "Chris Lamb" <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <[email protected]>.
(Thu, 21 Apr 2022 18:57:02 GMT)
Hi Nicholas,
> Gentle ping :-)
Thanks for the gentle/direct ping. Unfortunately, however, I am no
longer a Lintian developer, so I won't be able to address this bug for
you. Hope you can get it fixed, though. :)
Best wishes,
--
,''`.
: :' : Chris Lamb
`. `'` [email protected] 🍥 chris-lamb.co.uk
`-
Acknowledgement sent
to Nicholas D Steeves <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <[email protected]>.
(Thu, 21 Apr 2022 22:15:03 GMT)
Hi Chris,
"Chris Lamb" <[email protected]> writes:
> Hi Nicholas,
>
>> Gentle ping :-)
>
> Thanks for the gentle/direct ping. Unfortunately, however, I am no
> longer a Lintian developer, so I won't be able to address this bug for
> you. Hope you can get it fixed, though. :)
>
Thanks for the quick reply, and great to hear from you btw--it's been
ages. Yes, I hope lintian receives fixes soon too, but of course the
longstanding RC one[s] take[s] priority. 'hope you're finding
inspiration in whatever you're working on now!
Take care,
Nicholas
Acknowledgement sent
to Soren Stoutner <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <[email protected]>.
(Sat, 14 Jan 2023 21:45:02 GMT)
Acknowledgement sent
to Axel Beckert <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <[email protected]>.
(Mon, 16 Jan 2023 00:21:02 GMT)
Control: tag -1 + confirmed pending
Hi Nicholas and Soren,
Nicholas D Steeves wrote:
> Gpl-2+ (used in d/copyright) is equivalent to gpl-2.0+ used in
> appstream metadata, so this is a false positive.
Correct, as
https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/#license-short-name
(part of the Debian Policy) also states:
»For SPDX compatibility, versions with trailing dot-zeroes are
considered to be equivalent to versions without (e.g., “2.0.0” is
considered equal to “2.0” and “2”).«
> Were GNU to hypothetically release a GPL 2.1, and were upstream to
> switch to it, the onus would be on the Debian maintainer to update
> d/copyright.
Yes, but they'd need to update it in both cases as neither "GPL-2+"
nor "GPL-2.0+" imply "newest version of the GPL 2.x series". :-)
> It also seems wrong to emit this at the warning level for this
> specific case.
Unfortunately the level is hardcoded in the tag. We can't emit a tag
e.g. once at warning and once at pedantic level depending on the found
data. (It also IMHO makes not so much sense semantic-wise.)
> If lintian is encouraging maintainers to use the "gpl-2.0+" notation
> rather than gpl-2+ in d/copyright, then it should emit a different
> (lower severity than warning) tag for that case.
Well, as the Debian Copyright Format Specification 1.0 explicitly
allows both variants, this seems not necessary.
> It seems clear to me that (gpl-2.0+ = gpl-2+), so it looks like the
> correct approach is to use a table of equivalent license notations to
> prevent the false positive.
Yeah, as that list would potentially become rather huge and hard to
maintain, I'd rather use a regexp to filter out such things.
Soren Stoutner wrote:
> The same basic problem also occurs with MIT and Expat licenses.
Ack.
> The specification for the AppStream metadata file only has a few
> options, one of them being MIT and none of them being Expat.
Same for SPDX: Neither https://spdx.org/licenses/ nor
https://spdx.org/licenses/MIT.html mention Expat.
> Debian, of course, prefers the Expat name as it is more precise.
According to
https://wiki.debian.org/Proposals/CopyrightFormat#Differences_between_DEP5_and_SPDX
SPDX does not have the Expat license. They do have though the "MIT
License" (the one and only ;-), so that would imply that they're not
the same license.
And indeed, there are two differences between
https://spdx.org/licenses/MIT.html and
http://www.jclark.com/xml/copying.txt (the Expat license):
* The MIT License starts with a headline "MIT License" (which is
probably less relevant).
* The MIT License contains the following part in its second paragraph
which the Expat license doesn't have: "(including the next
paragraph)". This might make a subtle difference, but IANAL.
> inconsistent-appstream-metadata-license debian/metainfo.xml (mit !=
> expat) [debian/copyright]
So that actually seems a true positive as the licenses differ. They
only differ a bit, but they differ.
Regards, Axel
--
,''`. | Axel Beckert <[email protected]>, https://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
`- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
Control: tag -1 pending
Hello,
Bug #1002053 in lintian reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/lintian/lintian/-/commit/2348bca39572cc07cd281dd513ba02dc22157cd5
------------------------------------------------------------------------
inconsistent-appstream-metadata-license: Versions with trailing ".0" are equivalent to versions without
Fixes false positives as the Debian Copyright Format 1.0 explicitly
states that versions with trailing dot-zeroes are considered to be
equivalent to versions without.
Closes: #1002053
Relevant documentation:
https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/#license-short-name
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/1002053
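
The normalization discussed in this thread (trailing dot-zeroes, `+` versus `-or-later`, `-only`), sketched in Python as an added example. This is not Lintian's code (Lintian is written in Perl); the function names, the sample pairs and the choice to treat `-only` as equal to the bare version are assumptions.

```python
import re

# Trailing suffix: "+" and "-or-later" both mean "or any later version";
# "-only" is assumed here to mean the same as the bare version.
_SUFFIX = re.compile(r"(\+|-or-later|-only)$")
# A short name ending in a dotted version, e.g. "gpl-2.0" or "cc-by-sa-4.0".
_VERSIONED = re.compile(r"^(?P<name>.*?)-(?P<ver>\d+(?:\.\d+)*)$")


def normalize(short_name: str) -> str:
    """Reduce a license short name to a canonical form for comparison."""
    s = short_name.strip().lower()
    or_later = False
    m = _SUFFIX.search(s)
    if m:
        or_later = m.group(1) != "-only"
        s = s[: m.start()]
    m = _VERSIONED.match(s)
    if m:
        # Copyright format 1.0: "2.0.0" equals "2.0" equals "2".
        # Only trailing zero components go; "2.1" and "2.10" are untouched.
        ver = re.sub(r"(\.0+)+$", "", m.group("ver"))
        s = f"{m.group('name')}-{ver}"
    return s + ("+" if or_later else "")


def mismatches(pairs):
    """Return 'metadata != copyright' strings for pairs that really differ."""
    found = []
    for copyright_name, metadata_name in pairs:
        c, a = normalize(copyright_name), normalize(metadata_name)
        if c != a:
            found.append(f"{a} != {c}")
    return found


# Constructed sample pairs: (debian/copyright, AppStream metadata_license)
SAMPLES = [
    ("GPL-2+", "GPL-2.0+"),
    ("GPL-2+", "GPL-2.0-or-later"),
    ("GPL-3", "GPL-3.0-only"),
    ("Expat", "MIT"),
    ("LGPL-2+", "LGPL-2.1+"),
]

if __name__ == "__main__":
    for line in mismatches(SAMPLES):
        print(line)
```

Only the MIT/Expat and LGPL-2+/LGPL-2.1+ pairs are reported, matching the thread's conclusion that the former is a true positive.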
Acknowledgement sent
to Soren Stoutner <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <[email protected]>.
(Mon, 16 Jan 2023 18:33:08 GMT)
Acknowledgement sent
to Axel Beckert <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <[email protected]>.
(Mon, 16 Jan 2023 19:51:02 GMT)
Hi Soren,
Soren Stoutner wrote:
> On Sunday, January 15, 2023 5:17:10 PM MST Axel Beckert wrote:
> > > Debian, of course, prefers the Expat name as it is more precise.
> >
> > According to
> > https://wiki.debian.org/Proposals/CopyrightFormat#Differences_between_DEP5_and_SPDX
> > SPDX does not have the Expat license. They do have though the "MIT
> > License" (the one and only ;-), so that would imply that they're not the
> > same license.
>
> Anyone who tells you there is a One And Only MIT License is trolling you. ;)
Seems as if I should have used more smileys on that sentence. Consider
having been trolled by myself. ;-)
> https://en.wikipedia.org/wiki/MIT_License#Ambiguity_and_variants
Or said otherwise: I read exactly that page (and
https://www.gnu.org/licenses/license-list.en.html#Expat) before
sending my reply.
> "The name 'MIT License' is potentially ambiguous.
Yes, but IMHO https://spdx.org/licenses/ managed to get quite a good
list on all the variants including unambiguous short names for them.
Except that they miss the "Expat license".
Regards, Axel
--
,''`. | Axel Beckert <[email protected]>, https://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
`- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
Acknowledgement sent
to Soren Stoutner <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <[email protected]>.
(Tue, 17 Jan 2023 04:45:02 GMT)
Source: lintian
Source-Version: 2.116.0
Done: Axel Beckert <[email protected]>
We believe that the bug you reported is fixed in the latest version of
lintian, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Axel Beckert <[email protected]> (supplier of updated lintian package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 17 Jan 2023 01:37:56 +0100
Source: lintian
Architecture: source
Version: 2.116.0
Distribution: unstable
Urgency: medium
Maintainer: Debian Lintian Maintainers <[email protected]>
Changed-By: Axel Beckert <[email protected]>
Closes: 932634 1002053 1006631 1013314 1014175 1014956 1016147 1019235 1019541 1019851 1024361 1025164 1025436 1025644 1025868 1026920 1027323 1027399 1028274 1028975
Changes:
lintian (2.116.0) unstable; urgency=medium
.
The "Crowd Merging" Release.
.
* Summary of tag changes:
+ Added:
- dbus-policy-in-etc
- homepage-github-url-ends-with-dot-git
- homepage-gitlab-url-ends-with-dot-git
- homepage-salsa-url-ends-with-dot-git
- uses-pdm-cli
- uses-python-distutils
+ Removed:
- init.d-script-needs-depends-on-lsb-base
- old-dpmt-vcs
- old-papt-vcs
- python-teams-merged
.
[ Sebastian Ramacher ]
* Revert "Turn embedded-library into a classification tag. (Closes:
#932634)". The tag embedded-library is used by FTP masters for
automatic rejects. So let's revert this change. First, #932634 has
seen no coordination with FTP masters. Second, it confuses developers
when their packages get rejected for tags that are not emitted
locally.
.
[ Simon McVittie ]
* obsolete-packages: Add some more transitional packages.
* desktop/dbus: Check for dbus policy files installed into /etc/.
(Closes: #1006631)
* Don't emit very-long-line-length-in-source-file for REUSE licenses.
(Closes: #1013314)
.
[ Bastien Roucariès ]
* Run test suite at build time except on Salsa.
* Fix warning: cannot run debian/readme check on
package binary:postgresql-15_15~beta2-2+salsaci_amd64
(Closes: #1014175)
* Refresh data.
* L…/C…/Files/PrivacyBreach.pm: Run lc in sliding windows block.
.
[ Axel Beckert ]
* data/spelling/corrections: Remove valid word "licence".
* Fix typos and add missing changelog items in 2.115.3 release.
* .gitignore: Also ignore debian/*.debhelper files and drop wrong
trailing slash for doc/lintian.html.
* private/refresh-virtual-packages-data: Replace "egrep" with "grep -E".
* Replace "egrep" and "fgrep" in all test suite dummy packages with "grep
-E/-F".
* Add build-dependencies of the test suite.
* Fix test broken by dpatch removal.
* Fix test broken by updating the list of virtual packages.
* Extend spellintian.t to check all listed misspellings against dictionaries.
Add test suite build dependencies on liblist-someutils-perl, wamerican
and wbritish. (Closes: #1019541)
* Make spellintian.t to use the installed corrections list under autopkgtest.
* t/scripts/tags/fields.t: Allow running with just "prove -l".
* Remove spelling corrections which are valid words and now caught by
the new spellintian.t check against English dictionaries.
(Closes: #1019235)
* Remove valid word "tye" from data/spelling/corrections.
* Remove spelling correction for "curren", it's a valid HTML entity.
* Refresh data: Adds Debian Policy 4.6.2 and Loong64 architectures among
other things.
* Declare compliance with Debian Policy 4.6.2.
* Make test for generate-tag-summary more precise and properly cover all
cases.
* out-of-date-/newer-standards-version: Only output the significant
digits of the current policy version.
* Salsa CI: Override the lintian version being used to the just built
version.
* Extend desc-fields.t to only accept known field names, see #1025868.
* Fix singular vs plural field name typo. (Fixes ½ of #1025868)
* debian/copyright: Bump my copyright years to 2023.
* Make "lintian --version" emit versions unique per commit if run from a
git checkout.
* Fix read error with libpath-tiny-perl ≥ 0.142 if debian/templates is a
directory. Thanks to Salvatore Bonaccorso and src:linux. :-)
* Fix arm64 autopkgtest by using a shell script as example instead of a
compiled C binary for testing bin-sbin-mismatch. Also fix that so far
on other architectures there was a bin-sbin-mismatch false negative
accepted by the test suite while the true positive on arm64 hadn't
been accepted by the test suite. (Closes: #1025868)
* inconsistent-appstream-metadata-license:
+ Versions with trailing ".0" are equivalent to versions without
(Closes: #1002053)
+ Normalize comparison (-or-later/+, -only suffix)
+ Tag description: Text improvements; add direct reference to
AppStream metadata_license tag specification. (Closes: #1014956)
* Unpack orig.tar: Ignore warnings about tar ignoring tar ball
peculiarities. (Closes: #1028975)
* Fix error with Path::Tiny ≥ 0.142 when searching for upstream
signatures. (Closes: #1028274)
* license-problem-php-license: Also refer to
https://ftp-master.debian.org/php-license.html
* Delete dangling symlink reporting/harness. (Closes: 1027323)
* spellintian.t: Make sure that no bad spelling is used as good spelling
of another bad spelling. Prompted by #1027399. Add build-dependency on
"libarray-utils-perl <!nocheck>" and autopkgtest dependency for that.
* Fix bad spellings that were used as good spelling for another bad
spelling. (Closes: #1027399)
* Do not emit executable-stack-in-shared-library on MIPS architectures
for now. (Closes: #1025436, see also #1022787)
* run-private-scripts.t:
+ Do not run auto-reject-diff as it requires network access.
+ Skip generate-tag-summary without git.
Thanks Louis-Philippe Véronneau!
.
[ Akbarkhon Variskhanov ]
* debian/control: Bump Standards-Version in Description.
.
[ Simon Quigley ]
* Add "lunar" as a known Ubuntu distribution.
.
[ billchenchina ]
* README.md: use zless for lintian.txt.gz.
.
[ Philip Hands ]
* Accept bpo...+salsaci versions. (Closes: #1024361)
.
[ Aurélien COUDERC ]
* Add SingleMainWindow to known-desktop-keys.
.
[ Johannes Schauer Marin Rodrigues ]
* transitional-package-not-oldlibs-optional: Developer reference section
6.7.7 is now 6.8.7.
* Remove init.d-script-needs-depends-on-lsb-base and add lsb-base to
obsolete-packages. (Closes: #1019851)
.
[ Louis-Philippe Véronneau ]
* missing-prerequisite-for-pyproject-backend: Add support for
pdm-pep517.
* uses-pdm-cli: Create new tag.
* Fix false-positive for missing-build-dependency-for-dh-addon when
using dh-sequence-python3. (Closes: #1016147)
* Add new tag 'uses-python-distutils' to warn people of the Python
distutils deprecation.
* Remove tag 'python-teams-merged', as this transition has been done and
no package in the archive raises it anymore.
* Remove tags 'old-dpmt/papt-vcs', as this transition has been done and
no package in the archive raises them anymore.
* Rework the 'package-is-team-maintained' tag.
* Mark 'very-long-line-length-in-source-file' as experimental, because
of the high number of false-positives.
* Update known autopkgtest restrictions to add 'needs-sudo'.
* Mark the 'update-debian-copyright' tag as experimental.
(Closes: #1025644)
* Fix false-positive for missing-prerequisite-for-pyproject-backend when
the backend is specified as a Build-Depends-Indep. (Closes: #1025164)
* missing-prerequisite-for-pyproject-backend: Add support for hatchling.
* Add 'autopkgtest-pkg-pybuild' as known autopkgtest testsuite.
* Make sure pybuild-plugin-pyproject is registered as a valid
prerequisite for dh-python3.
.
[ Edward Betts ]
* spelling: Add a correction.
* dh-sequence-vim-addon pulls in dh-vim-addon.
* GitHub, GitLab and Salsa URLs shouldn't end with ".git" in Homepage
header.
.
[ Fatih Altun ]
* Add "yirmiuc" as a known Pardus distribution.
.
[ William Desportes ]
* data: Register .{dbf,shp,shx,sbx,sbn,qix} ESRI file extensions.
* Fix false positive for license-problem-php-license for pear.php.net
source code.
.
[ Luca Boccassi ]
* missing-systemd-service-for-init.d-script: Mention future deprecation
of generator.
.
[ Christoph Biedl ]
* Lintian::Index::FileTypes: Call "file" with "--raw" to unbreak test
suite with file/libmagic ≥ 5.42. (Closes: #1026920)
Checksums-Sha1:
a5dbcda81046ff5765a19dd6d12630158a2d9598 3922 lintian_2.116.0.dsc
1f2ebc2c65eaa335d2f5e85b5d6cda1f70b79939 2227640 lintian_2.116.0.tar.xz
e4c3a5668770ceac2d2331d1a3e32d3494371d02 27997 lintian_2.116.0_source.buildinfo
Checksums-Sha256:
3cbffca1d1854cfe68e3d80abe053865fe197da4ad9220a9655cbcebdb684618 3922 lintian_2.116.0.dsc
d13fa5b1c4aec49869de87188d798f1e35b909610a5057fdf4a078fce120c219 2227640 lintian_2.116.0.tar.xz
c92093030995e536bf383016964e51e32285baca9618dde814c196e08d0e27c4 27997 lintian_2.116.0_source.buildinfo
Files:
8a048fe7d62d592292111fb5f4ce317b 3922 devel optional lintian_2.116.0.dsc
91643467ccf12437d2ab00aa6b9949af 2227640 devel optional lintian_2.116.0.tar.xz
ba332d868ee926076c6ce51a2463e7e7 27997 devel optional lintian_2.116.0_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----