scala-tools-sbinary_0.4.2+2.11.M5-1_amd64.changes REJECTED
Thorsten Alteholz
alteholz at debian.org
Sun Aug 27 16:48:28 UTC 2017
Hi Tony et al.,
On Sun, 27 Aug 2017, tony mancill wrote:
> I was in fact inferring some special
> (but temporary) dispensation for these packages because my understanding
> is that it won't be possible to build SBT from source until the entire
> set of related packages is in the archive, and SBT is required for some
> of the builds. scala-tools-sbinary is the last of that set.
ok, but this seems to be wrong. If scala-tools-sbinary really is the last
package, it must not contain any binary jar files but could use packages
from the archive, right? So why aren't those other packages uploaded
first? I just had a quick look at the embedded org.beanshell and didn't
find any dependency on sbt for that tool. So at least this jar file could
be handled better. While talking about beanshell, the sources on github
contain files under a BSD-license. In your debian/copyright you just
mention the Apache license and one copyright holder for it. There seems
to be much room for improvement in your debian/copyright. Luckily bsh
in version 2.04b is already in Debian and the debian/copyright of this
package says it is under LGPL. I am sorry, but your debian/copyright is
a mess and it does not help that there are lots of binary blobs included.
Further there is CVE-2016-2510, which is fixed in 2.0b6 and not in your
embedded version 2.0b4.
> Is the acceptance of scala-tools-sbinary something that the FTP Masters
> would be willing to discuss?
From my point of view scala-tools-sbinary cannot be accepted yet.
Thorsten