On Fri, Nov 24, 2017 at 08:21:39PM +0100, Vincent Bernat wrote:
> ❦ 24 November 2017 17:48 +0100, Nicolas Braud-Santoni <nico...@braud-santoni.eu> :
>
> > - include the whole CC0 license in debian/copyright
> >   (this is already uploaded to mentors.d.n);
> > - open a bug against base-files to ship the CC0 in
> >   /usr/share/common-licences
> > - open bugs against concerned packages, to refer to the licence's text
> >   as installed by base-files; (what should the severity be? I guess serious,
> >   since it is a violation of Debian policy 12.5 [1])
> >
> > [0]: https://codesearch.debian.net/search?q=path%3Adebian%2Fcopyright+CC0
> > [1]: https://www.debian.org/doc/debian-policy/#copyright-information
>
> Any MBF should be discussed on debian-devel@ first. For me,
> this seems a small violation and it would be preferable to stick with
> severity normal to not appear too aggressive.

Only 8 source packages are concerned (re: not shipping the CC0 text), so I
didn't realise that constituted a MBF.

Thanks for the advice on the severity, I was under the impression that all
policy violations should be `serious` or greater.

How should I proceed?

> >> You override the debian-watch-may-check-gpg-signature, but you also need
> >> to override orig-tarball-missing-upstream-signature. Since the tooling
> >> to check signatures the way you need it is not here, an alternative
> >> would be to not ship upstream GPG signature.
> >
> > That's something lintian picks up in the changes file, and there is currently
> > no way to override those, if I'm not mistaken:
> >
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=575400
>
> Oh, yes, I remember now. On my own packages, I have removed the GPG
> signature because of this. I don't know what's the stance of the FTP
> masters on this particular problem, so I don't know if it's best to get
> rid of the warning or just leave it as is. In your case, I would just
> remove the key since it is not used.

I would rather keep it there, to make it obvious which signing (sub)key
I am trusting for upstream. :)

> > Thanks a bunch for the review,
>
> Looks good. Tell me what you want to do about the remaining lintian
> warning.

If that's fine by you, I would rather have it uploaded as-is.

Thanks,

nicoo