Hi,
> Could you review the tomahawk-player package again? I know, there
> is much more work needs to be done. It would be great, if you could
> check my answers of the first review and point out what I have to
> do next, which third-party code I have to pack separately and which
> code has to be removed because of the dfsg.

here we go.

licensecheck * -r shows some stuff not mentioned in changelog.
e.g.
src/accounts/hatchet/sip/hatchet_config.hpp: BSD (3 clause)
data/js/cryptojs/hmac-ripemd160.js: BSD (2 clause)
src/libtomahawk/thirdparty/Qocoa/qsearchfield.cpp: MIT/X11 (BSD like)

licensecheck * -r |grep -v GPL |grep -v UNK |wc -l
59

but it might be highly incomplete

all the third-party stuff has different licenses, and should be packaged separately (if possible, or useful outside this package).

./src/tomahawk/sourcetree/items/LovedTracksItem.h: * the Free Software Foundation; either version 2 of the License, or
./src/tomahawk/sourcetree/items/InboxItem.h: * the Free Software Foundation, either version 3 of the License, or

even inside src there are different licenses.

./src/libtomahawk/accounts/lastfm/LastFmInfoPlugin.cpp: QString biography = lfm["artist"]["bio"]["content"].text().trimmed().replace( "User-contributed text is available under the Creative Commons By-SA License and may also be available under the GNU FDL.", "" );
./data/js/cryptojs/sha384.js:code.google.com/p/crypto-js/wiki/License
(and many more from cryptojs)
./data/images/lastfm-icon.svg: <cc:license
./data/images/lastfm-icon.svg: rdf:resource="http://creativecommons.org/licenses/publicdomain/" />
./data/images/lastfm-icon.svg: <cc:License
./data/images/lastfm-icon.svg: rdf:about="http://creativecommons.org/licenses/publicdomain/">
./data/images/lastfm-icon.svg: </cc:License>

data/fonts/*.ttf <--- please use system Roboto fonts, not any embedded version.
so, at the end, so much stuff is missing, especially in the copyright file, and I think so many external libraries have to be packaged separately or repacked and removed from the source tree

maintaining all this number of embedded libraries will make the package rejected, and a security nightmare to maintain.

so, please think with upstream about removing all the external libs, and package them separately (many of them should already be in debian)

cheers,

G.
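The licensecheck triage described in the mail, as an added example that is not part of the original message or of the tomahawk-player packaging. It parses `path: license` result lines, reproduces the `grep -v GPL | grep -v UNK | wc -l` count, and also lists LGPL files (which that substring filter drops) and directories that mix licenses; the function names, the `*No copyright*` prefix handling and all sample lines after the first three are assumptions of this example.

```python
import posixpath
from collections import defaultdict

# Constructed sample: first three lines are quoted in the mail, the rest are made up.
SAMPLE = """\
src/accounts/hatchet/sip/hatchet_config.hpp: BSD (3 clause)
data/js/cryptojs/hmac-ripemd160.js: BSD (2 clause)
src/libtomahawk/thirdparty/Qocoa/qsearchfield.cpp: MIT/X11 (BSD like)
src/libtomahawk/thirdparty/examplelib/example.cpp: LGPL (v2.1 or later)
src/tomahawk/sourcetree/items/LovedTracksItem.h: GPL (v2 or later)
src/tomahawk/sourcetree/items/InboxItem.h: GPL (v3 or later)
EXAMPLE-README: *No copyright* UNKNOWN
"""

def parse(text):
    """Return (path, license) pairs from 'path: license' result lines."""
    entries = []
    for line in text.splitlines():
        path, sep, lic = line.partition(": ")
        if sep:
            # Some licensecheck versions prefix results with "*No copyright*".
            entries.append((path, lic.replace("*No copyright*", "").strip()))
    return entries

def family(lic):
    """Coarse family, decided from the license field rather than the whole line."""
    for prefix, name in (("UNKNOWN", "unknown"), ("LGPL", "LGPL"), ("GPL", "GPL")):
        if lic.startswith(prefix):
            return name
    return "other"

def grep_count(text):
    """Same count as: grep -v GPL | grep -v UNK | wc -l (substring on whole line)."""
    return sum(1 for l in text.splitlines() if "GPL" not in l and "UNK" not in l)

def needs_stanza(entries):
    """Files under a non-GPL license, including LGPL, which 'grep -v GPL' hides."""
    return [(p, l) for p, l in entries if family(l) in ("other", "LGPL")]

def mixed_dirs(entries):
    """Directories with more than one identified license (e.g. GPL v2+ and v3+)."""
    found = defaultdict(set)
    for path, lic in entries:
        if family(lic) != "unknown":
            found[posixpath.dirname(path) or "."].add(lic)
    return sorted(d for d, lics in found.items() if len(lics) > 1)

if __name__ == "__main__":
    print(grep_count(SAMPLE), needs_stanza(parse(SAMPLE)), mixed_dirs(parse(SAMPLE)), sep="\n")
```

On real output, feed the text of `licensecheck * -r` to `parse()` instead of `SAMPLE`.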