The Debian NEW review of syft 1.42.3+ds-1 has been completed.

Decision: REJECTED
Reviewer: Reinhard Tartler
Review comment:

Hi,

I have to reject the package due to a DFSG violation regarding copyright attribution.

1. DFSG Violation (Blocker)

debian/copyright (L73) states: "Copyright: 2014-2025 The respective authors and contributors". This is insufficient. Permissive licenses (Apache, BSD, MIT) require the verbatim reproduction of upstream copyright and permission notices. A catch-all statement fails to satisfy these license conditions. Please audit the source tree and include the verbatim notices.

2. Packaging & Architecture Review (Feedback)

For future uploads, please address the following issues regarding your Go packaging methodology:

Vendoring: The package heavily bundles dependencies (e.g., containerd, docker/cli, moby/sys). Debian strictly requires utilizing shared archive packages whenever possible. Vendoring introduces severe security maintenance burdens (CVE tracking across embedded copies) and unnecessary archive bloat.

dh-golang integration (debian/rules):

  override_dh_auto_build: Hardcoding obj-x86_64-linux-gnu breaks cross-compilation and will FTBFS on non-amd64 architectures (e.g., arm64). Rely on standard dh-golang variables.

  override_dh_auto_test: Disabling the entire test suite degrades build-time QA. Please patch out/skip only the specific network-dependent tests and run the offline test suite.

  override_dh_golang: Bypassing this target due to go:embed directives causes the build to lose necessary helper functionality.

If you require assistance resolving the go:embed or un-vendoring issues, I recommend consulting the pkg-go team on IRC or their mailing list.

Regards,

Full review details: https://dfsg-new-queue.debian.org/reviews/syft
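The three debian/rules points in item 2 of the review, shown as an added example of a dh-golang rules file. This is not syft's actual debian/rules and is not from the reviewer or the pkg-go team; the excluded package path and the test-name regex are placeholders, and the approach assumes a Go toolchain new enough for `go test -skip` (Go 1.20 or later). It keeps dh-golang's own, architecture-independent build directory instead of an obj-<triplet> path, skips only named network tests rather than the whole suite, and leaves dh_golang unoverridden, using DH_GOLANG_INSTALL_ALL so that files referenced by go:embed directives are copied into the build tree.

```makefile
#!/usr/bin/make -f
# Added example of a dh-golang debian/rules; not the syft package's own file.
# Placeholder values: the DH_GOLANG_EXCLUDES path and the test-name regex.

# Provides DEB_HOST_GNU_TYPE, DEB_HOST_ARCH, etc. Any override that must
# refer to the host architecture uses $(DEB_HOST_GNU_TYPE) rather than a
# literal such as obj-x86_64-linux-gnu, so cross-builds and arm64 still work.
include /usr/share/dpkg/architecture.mk

export DH_VERBOSE = 1

# Copy every file of the source tree (not only *.go) into the build tree so
# that assets referenced by go:embed directives are present at build time.
# This avoids bypassing dh_golang, which still computes Built-Using.
export DH_GOLANG_INSTALL_ALL := 1

# Placeholder: a package whose tests are purely online (e.g. registry pulls).
# Excluded packages are neither built nor tested by dh_auto_build/dh_auto_test.
export DH_GOLANG_EXCLUDES := internal/onlinetests

%:
	dh $@ --buildsystem=golang --with=golang

# No override_dh_auto_build: dh-golang already sets GOOS/GOARCH from dpkg's
# host architecture and builds in its own _build directory, so nothing
# architecture-specific needs to be hardcoded here.

# Run the offline test suite; skip only the named network-dependent tests.
# Arguments after "--" are passed through to "go test". The regex is a
# placeholder; list the tests that actually need network access.
override_dh_auto_test:
	dh_auto_test -- -short -skip 'TestRegistryFetch|TestDockerDaemon'
```

If a network-only test cannot be matched by name, the usual alternative is a small quilt patch that guards it with `testing.Short()`, which the `-short` flag above then honours; excluding an entire package via DH_GOLANG_EXCLUDES is the coarser tool and drops its offline tests as well.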

