
Bug#807763: Looking for help to solve licence and third-party issues of the tomahawk-player package



Hi,

> Could you review the tomahawk-player package again? I know there
> is much more work that needs to be done. It would be great if you could
> check my answers to the first review and point out what I have to
> do next, which third-party code I have to pack separately and which
> code has to be removed because of the DFSG.

here we go.

licensecheck * -r
shows some stuff not mentioned in changelog.

e.g.
src/accounts/hatchet/sip/hatchet_config.hpp: BSD (3 clause)
data/js/cryptojs/hmac-ripemd160.js: BSD (2 clause)
src/libtomahawk/thirdparty/Qocoa/qsearchfield.cpp: MIT/X11 (BSD like)
licensecheck * -r |grep -v GPL |grep -v UNK |wc -l
59

but it might be highly incomplete

all the thirdparty stuff has different licenses, and should be
packaged separately (if possible, or useful outside this package).

./src/tomahawk/sourcetree/items/LovedTracksItem.h: *    the Free Software Foundation; either version 2 of the License, or
./src/tomahawk/sourcetree/items/InboxItem.h: *   the Free Software Foundation, either version 3 of the License, or

even inside src there are different licenses.

./src/libtomahawk/accounts/lastfm/LastFmInfoPlugin.cpp:
QString biography =
lfm["artist"]["bio"]["content"].text().trimmed().replace(
"User-contributed text is available under the Creative Commons By-SA
License and may also be available under the GNU FDL.", "" );

./data/js/cryptojs/sha384.js:code.google.com/p/crypto-js/wiki/License
(and many more from cryptojs)


./data/images/lastfm-icon.svg:        <cc:license
./data/images/lastfm-icon.svg:           rdf:resource="http://creativecommons.org/licenses/publicdomain/" />
./data/images/lastfm-icon.svg:      <cc:License
./data/images/lastfm-icon.svg:         rdf:about="http://creativecommons.org/licenses/publicdomain/">
./data/images/lastfm-icon.svg:      </cc:License>


data/fonts/*.ttf <--- please use system Roboto fonts, not any embedded
version.


so, at the end, so much stuff is missing, especially in the copyright
file, and I think so many external libraries have to be packaged
separately or repacked and removed from the source tree

maintaining all this number of embedded libraries will make the
package rejected, and a security nightmare to maintain.

so, please think with upstream about removing all the external libs,
and package them separately (many of them should already be in debian)


cheers,

G.

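The following is an added example, not part of the original mail or of the package: it turns the "path: license" lines that licensecheck prints into a per-directory inventory of non-GPL code and a list of the GPL variants found, instead of the single wc -l count. The function names, the example_* paths and the GPL license strings in the sample are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original mail: inventory licensecheck output.

# Constructed sample in the "path: license" form quoted in the mail. The first
# three lines are quoted from it; the rest (the GPL strings and the example_*
# paths) are made up for this demonstration.
sample_report() {
    cat <<'EOF'
src/accounts/hatchet/sip/hatchet_config.hpp: BSD (3 clause)
data/js/cryptojs/hmac-ripemd160.js: BSD (2 clause)
src/libtomahawk/thirdparty/Qocoa/qsearchfield.cpp: MIT/X11 (BSD like)
src/libtomahawk/thirdparty/Qocoa/example_widget.cpp: MIT/X11 (BSD like)
data/js/cryptojs/example_hash.js: BSD (2 clause)
src/tomahawk/sourcetree/items/LovedTracksItem.h: GPL (v2 or later)
src/tomahawk/sourcetree/items/InboxItem.h: GPL (v3 or later)
src/tomahawk/example_main.cpp: UNKNOWN
EOF
}

# Group non-GPL, non-UNKNOWN files by directory and license, one line per
# group: count<TAB>directory<TAB>license. Unlike the grep -v pipeline, the
# filter looks only at the license field, so a path that happens to contain
# "GPL" or "UNK" is not dropped.
license_inventory() {
    awk '
        { sep = index($0, ": "); if (sep == 0) next
          path = substr($0, 1, sep - 1); lic = substr($0, sep + 2) }
        lic ~ /GPL/ || lic ~ /UNK/ { next }
        { dir = path
          if (!sub("/[^/]*$", "", dir)) dir = "."   # file in the top directory
          count[dir "\t" lic]++ }
        END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | LC_ALL=C sort -t "$(printf '\t')" -k2,2 -k3,3
}

# List each distinct GPL-family license string with its file count; more
# than one line means the tree mixes GPL versions.
gpl_variants() {
    awk '
        { sep = index($0, ": "); if (sep == 0) next
          lic = substr($0, sep + 2) }
        lic ~ /GPL/ { seen[lic]++ }
        END { for (l in seen) printf "%d\t%s\n", seen[l], l }
    ' | LC_ALL=C sort -t "$(printf '\t')" -k2,2
}

sample_report | license_inventory
sample_report | gpl_variants
```

On a real tree, replace sample_report with licensecheck -r run from the top of the source; each directory in the first listing is a candidate for its own debian/copyright stanza or for replacement by a separately packaged library.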
