On 22-03-15 06:39, Riley Baird wrote:
> -The upstream tarball contains embedded code copies of the java
> version of antlr, which violates Debian policy.

This depends on the license, but in general this statement is not completely true.

> You'll need to repack
> the tarball and add +ds to the version number, add a dependency on
> libantlr-java and possibly modify the build process to accommodate this
> change.

Indeed, you should not USE the embedded copy if it can be avoided at all (yes, you may have to jump through some hoops). If you are not doing a repack (and certainly if you really can't avoid using the embedded copy), you must notify the security team. However, I would not do a repack only to get rid of the embedded copy. Removing it in the clean target to make sure it doesn't get used is quite acceptable IMHO.

Paul