On Sun, 22 Mar 2015 16:28:08 +0100 Paul Gevers <elbrus@debian.org> wrote: > On 22-03-15 06:39, Riley Baird wrote: > > -The upstream tarball contains embedded code copies of the java > > version of antlr, which violates Debian policy. > > This depends on the license, but in general this statement is not > completely true. Since it's a precompiled version of antlr, without source, does this change anything? > > You'll need to repack > > the tarball and add +ds to the version number, add a dependency on > > libantlr-java and possibly modify the build process to accommodate this > > change. > > Indeed, you should not USE the embedded copy if it can be avoided at all > (yes, you may have to jump through some hoops). If you are not doing a > repack (and certainly if you really can't avoid using the embedded > copy), you must notify the security team. However, I would not do a > repack only to get rid of the embedded copy. Removing it in the clean > target to make sure it doesn't get used is quite acceptable IMHO. I didn't know that, but you're right - policy 4.13 states "Debian packages should not *make use of* these convenience copies" [emphasis mine].
Attachment:
pgpaKx7EdaHJz.pgp
Description: PGP signature