Control: tags -1 - moreinfo 在 2018年2月2日星期五 CST 下午11:25:11,Tobias Frost 写道: > But two things escaped your eyes: > - Left-tover "Comments:" on line 69 > - license-reconsile finds that in the libqxt is BSD-licensed (eg. > qxt/qxtglobal.cpp) OK. Fixed now. > > > - don't install README.md -- it does not have extra information beyond > > > > > > a package description and compilation instructions (which are useless > > > for the users of the binary package) > > > There is also a slight bug in it: The URLs at the bottom seems > > > outdated, they will forward to the github project from the watch file. > > > Maybe at least report that to upstream.) > > > > Done. The typo was forwarded upstream and got fixed in trunk code. > > Ok. You should reflect this in the dep3 header though. > Forwarded: no is not what you want, the measning for this field is > when it is a Debian specific patch (value not-needed) or if you did not > bother to forward it (yet) -- then it is "no", > Here You Want(tm) "Applied-Upstream" > followed by either the commit-id or the URL pointing to it. > (see the dep3 spec for details)) > > (This is also valid for the other patches you mentioned below) I updated those patches and replaced the Forwarded: field with Applied- Upstream: field as decribed in dep3. > > > - The embedded libqxt -- can you use the Debian packaged version? > > > > Sorry but nope -- If we take a look into libqxt in Debian, #875027 says > > that libqxt is unmaintained upstream and will be removed from Debian > > archive soon. Upstream git repository also suggested that all projects > > previously using libqxt should either migrate away from libqxt or embed > > part of its code to fit their own need. [1] That is exactly what > > qstardict > > upstream is doing, > > see also the GitHub issue [2]. > > > > [1] https://bitbucket.org/libqxt/libqxt/wiki/Home > > [2] https://github.com/a-rodin/qstardict/issues/16 > > Well, this is not exactly how we deal with embedded code copies. > When a library is gonna be removed from Debian this is not a valid excuse to > have an embedded code copy of the same in another package. So the right > thing is (as you've done already) to bring it to upstreams' attention to > get that fixed before QT4 will be removed within this development cycle. > In this case the effort is probably not required to patch the buildsystem to > use the packaged version, as long as available, but when you follow the > instructions here: https://wiki.debian.org/EmbeddedCodeCopies > Keep me CC in the mail you send the notice to the security team. After some investigation, I found that embedded libqxt is becoming a general problem thus here the post is: https://lists.debian.org/debian-security-tracker/2018/02/msg00019.html > OK, round 2 done :) > Its almost good, let me know when done! I've updated the git repository on Salsa as well as its source package on mentors.debian.net . -- Thanks, Boyuan Yang
Attachment:
signature.asc
Description: This is a digitally signed message part.