The Debian NEW review of python-tinytag 2.2.1-1 has been completed. Decision: REJECTED Reviewer: Reinhard Tartler
Review comment: Thanks for your work on python-tinytag. I've taken a look at the source for DFSG compliance and copyright accuracy. Overall, the package looks very clean, but I noticed a few discrepancies in the documentation that should be addressed before it goes into the archive. The debian/copyright file currently lists everything under the MIT (Expat) license. However, the upstream source includes a REUSE.toml in tinytag/tests/samples/ which explicitly identifies all files in that directory as being under the CC0-1.0 license. Since CC0 is more permissive than Expat, this isn't a freeness issue, but it is an inaccuracy in the documentation. You should add a separate stanza for tinytag/tests/samples/* with the CC0-1.0 license and include the full license text in debian/copyright. Regarding the copyright holders, the LICENSE file and several source headers (like tinytag/tinytag.py) mention "Tom Wallroth, Mat (mathiascode), et al." or "tinytag Contributors". The current debian/copyright only lists the two main authors. It would be better to include "tinytag Contributors" or "et al." to more accurately reflect the upstream copyright statement. I also noticed that some of the test samples (e.g., vbri.mp3, chinese_id3.mp3) contain very short snippets (less than 0.5 seconds) of recognizable copyrighted music. While these are likely acceptable in the main archive as "de minimis" test data (used only to verify metadata parsing), the upstream claim that they are CC0-1.0 is legally questionable for the musical content itself. It might be worth adding a brief note in debian/copyright or debian/README.Debian clarifying that these are tiny fragments used for testing purposes. Finally, just a small detail: the SVG files in tinytag/icons/ also have their own SPDX headers. While they are MIT licensed and covered by your current Files: * stanza, they specify "2024 tinytag Contributors" as the copyright holder, which reinforces the need to include the contributor group in your documentation. Aside from these documentation tweaks, the package seems DFSG-free and well-structured. -rt Full review details: https://dfsg-new-queue.debian.org/reviews/python-tinytag
