On Fri, Apr 06, 2018 at 08:15:17PM +0800, Yanhao Mo wrote:
> * Package name : deepin-music
>   Version : 3.1.8-1
>   Upstream Author : Deepin Technology Co., Ltd.
> * URL : https://github.com/linuxdeepin/deepin-music
> * License : GPL-3+
>   Section : sound
>
> It builds those binary packages:
>
> deepin-music - Awesome music player with brilliant and tweakful UI

Hi!

I'm afraid the copyright file lacks the vast majority of licenses and copyright holders. However, all parts not by Deepin are inside the vendor/ subdir, and don't seem to be used during the build (you properly use system libraries instead of those so-called "convenience copies").

Thus, I think it'd be a lot better to, instead of painstakingly documenting every bit in that dir, remove it (for example via "Files-Excluded" in the watch file to automatically repack upstream tarballs).

This would also make the Security Team like you a lot more, as such "convenience copies" make their life hard as every problem requires searching the whole archive for copies of a library that needs to be updated. And these days, sometimes packages get outright rejected, turning what used to be merely "best practice" to fully mandatory.

The only other issue is a nitpick: the short description shouldn't be capitalized unless you mean something named "Awesome". You might also tone down the wording a wee bit.

Looks good otherwise!

Meow!
-- 
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢰⠒⠀⣿⡁
⢿⡄⠘⠷⠚⠋⠀ ... what's the frequency of that 5V DC?
⠈⠳⣄⠀⠀⠀⠀