Debian Bug report logs - #636148
smarty3: Smarty3 source package does not contain source code


Package: smarty3; Maintainer for smarty3 is Mike Gabriel <sunweaver@debian.org>; Source for smarty3 is src:smarty3.

Reported by: Thue Janus Kristensen <thuejk@gmail.com>

Date: Sun, 31 Jul 2011 18:00:02 UTC

Severity: serious

Found in versions smarty3/3.0.8-1, smarty3/3.0~rc1-1

Fixed in version smarty3/3.1.8-1

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Thierry Randrianiriana <thierry@debian.org>:
Bug#636148; Package smarty3. (Sun, 31 Jul 2011 18:00:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thue Janus Kristensen <thuejk@gmail.com>:
New Bug report received and forwarded. Copy sent to Thierry Randrianiriana <thierry@debian.org>. (Sun, 31 Jul 2011 18:00:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Thue Janus Kristensen <thuejk@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: smarty3: Smarty3 source package does not contain source code
Date: Sun, 31 Jul 2011 19:49:11 +0200
Package: smarty3
Version: 3.0.8-1
Severity: normal

As far as I can tell, the Smarty3 source package does not actually
contain the smarty3 source code.

For example, I wrote the file
http://smarty-php.googlecode.com/svn/trunk/development/lexer/smarty_internal_configfileparser.y
which is the source code for the file 
http://smarty-php.googlecode.com/svn/trunk/distribution/libs/sysplugins/smarty_internal_templateparser.php
which is included in the Debian Smarty3 package.

As the GPL states, "The “source code” for a work means the preferred
form of the work for making modifications to it.". So since the .y
files are obviously the preferred form,
smarty_internal_configfileparser.y should be distributed in the Debian
source package, to be in compliance with the GNU LGPL.

Regards, Thue

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.39-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=da_DK.UTF-8, LC_CTYPE=da_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages smarty3 depends on:
ii  php5-cli                      5.3.6-13   command-line interpreter for the p

smarty3 recommends no packages.

smarty3 suggests no packages.

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#636148; Package smarty3. (Mon, 01 Aug 2011 06:09:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thierry Randrianiriana <thierry@debian.org>:
Extra info received and forwarded to list. (Mon, 01 Aug 2011 06:09:03 GMT) Full text and rfc822 format available.

Message #10 received at 636148@bugs.debian.org (full text, mbox):

From: Thierry Randrianiriana <thierry@debian.org>
To: 636148@bugs.debian.org
Subject: .y not included in the tarball
Date: Mon, 1 Aug 2011 09:05:01 +0300
Hi,

The .y files aren't in the tarball from the download page, could you
include them in the next release? I'll upload them with pleasure.
I'll also ask the smarty developers directly.

Best Regards,

--
Thierry Randrianiriana




Information forwarded to debian-bugs-dist@lists.debian.org, Thierry Randrianiriana <thierry@debian.org>:
Bug#636148; Package smarty3. (Mon, 01 Aug 2011 12:33:36 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thue Janus Kristensen <thuejk@gmail.com>:
Extra info received and forwarded to list. Copy sent to Thierry Randrianiriana <thierry@debian.org>. (Mon, 01 Aug 2011 12:33:52 GMT) Full text and rfc822 format available.

Message #15 received at 636148@bugs.debian.org (full text, mbox):

From: Thue Janus Kristensen <thuejk@gmail.com>
To: 636148@bugs.debian.org
Subject: Location of the smarty 3 source code
Date: Mon, 1 Aug 2011 14:29:14 +0200
>
> The .y files aren't in the tarball from the download page, could
> you include them in the next release ?


I am not actually a "real" smarty developer, I just contributed some code,
and then left :).

But for example the source code for the 3.0.8 release is available from svn,
using the command

> svn export http://smarty-php.googlecode.com/svn/tags/Smarty_3_0_8/


There is a simple Makefile in Smarty_3_0_8/development/Makefile . A "make
all" will compile all files, and copy the compiled files into the correct
place in Smarty_3_0_8/distribution .

Regards, Thue

Information forwarded to debian-bugs-dist@lists.debian.org, Thierry Randrianiriana <thierry@debian.org>:
Bug#636148; Package smarty3. (Thu, 04 Aug 2011 10:00:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julian Andres Klode <jak@debian.org>:
Extra info received and forwarded to list. Copy sent to Thierry Randrianiriana <thierry@debian.org>. (Thu, 04 Aug 2011 10:00:09 GMT) Full text and rfc822 format available.

Message #20 received at 636148@bugs.debian.org (full text, mbox):

From: Julian Andres Klode <jak@debian.org>
To: Thue Janus Kristensen <thuejk@gmail.com>, 636148@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#636148: smarty3: Smarty3 source package does not contain source code
Date: Thu, 4 Aug 2011 11:56:06 +0200
severity 636148 serious
found 636148 3.0~rc1-1
thanks

On Sun, Jul 31, 2011 at 07:49:11PM +0200, Thue Janus Kristensen wrote:
> Package: smarty3
> Version: 3.0.8-1
> Severity: normal
> 
> As far as I can tell, the Smarty3 source package does not actually
> contain the smarty3 source code.

That's a violation of policy and release-critical. It also applies to
the version in stable.

The problem here is that upstream is distributing created code 
without corresponding source code on their website. In short,
given that Smarty does not require copyright assignment, they
are violating the license of 3rd party contributions, and cause
all redistributors to be in violation as well, which formally
speaking, terminates the rights to distribute Smarty 3 of
everyone distributing it, as per Section 8 of the license.
-- 
Julian Andres Klode  - Debian Developer, Ubuntu Member

See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.

Severity set to 'serious' from 'normal' Request was from Julian Andres Klode <jak@debian.org> to control@bugs.debian.org. (Thu, 04 Aug 2011 10:00:11 GMT) Full text and rfc822 format available.

Bug Marked as found in versions smarty3/3.0~rc1-1. Request was from Julian Andres Klode <jak@debian.org> to control@bugs.debian.org. (Thu, 04 Aug 2011 10:00:12 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Thierry Randrianiriana <thierry@debian.org>:
Bug#636148; Package smarty3. (Tue, 09 Aug 2011 12:32:32 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thue Janus Kristensen <thuejk@gmail.com>:
Extra info received and forwarded to list. Copy sent to Thierry Randrianiriana <thierry@debian.org>. (Tue, 09 Aug 2011 12:32:35 GMT) Full text and rfc822 format available.

Message #29 received at 636148@bugs.debian.org (full text, mbox):

From: Thue Janus Kristensen <thuejk@gmail.com>
To: Julian Andres Klode <jak@debian.org>, Thue Janus Kristensen <thuejk@gmail.com>, 636148@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#636148: smarty3: Smarty3 source package does not contain source code
Date: Tue, 9 Aug 2011 14:29:14 +0200
2011/8/4 Julian Andres Klode <jak@debian.org>
>
> On Sun, Jul 31, 2011 at 07:49:11PM +0200, Thue Janus Kristensen wrote:
> [...]
> The problem here is that upstream is distributing created code
> without corresponding source code on their website. In short,
> given that Smarty does not require copyright assignment, they
> are violating the license of 3rd party contributions, and cause
> all redistributors to be in violation as well, which formally
> speaking, terminates the rights to distribute Smarty 3 of
> everyone distributing it, as per Section 8 of the license.
>

svn with the source code is available from the smarty download page. So IMO,
smarty is distributing the source code from the "same place" (the smarty
download page) as the tarballs, as required by the GPL.

Regards, Thue

Reply sent to Thierry Randrianiriana <thierry@debian.org>:
You have taken responsibility. (Sat, 17 Sep 2011 21:36:24 GMT) Full text and rfc822 format available.

Notification sent to Thue Janus Kristensen <thuejk@gmail.com>:
Bug acknowledged by developer. (Sat, 17 Sep 2011 21:36:24 GMT) Full text and rfc822 format available.

Message #34 received at 636148-close@bugs.debian.org (full text, mbox):

From: Thierry Randrianiriana <thierry@debian.org>
To: 636148-close@bugs.debian.org
Subject: Bug#636148: fixed in smarty3 3.1.0-1
Date: Sat, 17 Sep 2011 21:11:19 +0000
Source: smarty3
Source-Version: 3.1.0-1

We believe that the bug you reported is fixed in the latest version of
smarty3, which is due to be installed in the Debian FTP archive:

smarty3_3.1.0-1.debian.tar.gz
  to main/s/smarty3/smarty3_3.1.0-1.debian.tar.gz
smarty3_3.1.0-1.dsc
  to main/s/smarty3/smarty3_3.1.0-1.dsc
smarty3_3.1.0-1_all.deb
  to main/s/smarty3/smarty3_3.1.0-1_all.deb
smarty3_3.1.0.orig.tar.gz
  to main/s/smarty3/smarty3_3.1.0.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 636148@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thierry Randrianiriana <thierry@debian.org> (supplier of updated smarty3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 17 Sep 2011 21:22:11 +0300
Source: smarty3
Binary: smarty3
Architecture: source all
Version: 3.1.0-1
Distribution: experimental
Urgency: low
Maintainer: Thierry Randrianiriana <thierry@debian.org>
Changed-By: Thierry Randrianiriana <thierry@debian.org>
Description: 
 smarty3    - Template engine for PHP
Closes: 636148
Changes: 
 smarty3 (3.1.0-1) experimental; urgency=low
 .
   * New upstream release (rev. 4284)
   * Used the code source from subversion (Closes: #636148)
   * debian/copyright:
     + added LexerGenerator copyright
     + added ParserGenerator copyright
   * Fixed security holes:
     + multiple unspecified vulnerabilities (CVE-2009-5052, CVE-2009-5053,
       CVE-2010-4722, CVE-2010-4724, CVE-2010-4726)
     + not consider the umask value when setting the permissions of files
       (CVE-2009-5054)
     + not prevent access to the dynamic and private object members of an
       assigned object (CVE-2010-4723)
     + not properly handle an on value of the asp_tags option in the php.ini file
       (CVE-2010-4725)
     + not properly handle the <?php and ?> tags (CVE-2010-4727)





Information forwarded to debian-bugs-dist@lists.debian.org, Thierry Randrianiriana <thierry@debian.org>:
Bug#636148; Package smarty3. (Mon, 19 Sep 2011 18:15:24 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thue Janus Kristensen <thuejk@gmail.com>:
Extra info received and forwarded to list. Copy sent to Thierry Randrianiriana <thierry@debian.org>. (Mon, 19 Sep 2011 18:15:24 GMT) Full text and rfc822 format available.

Message #39 received at 636148@bugs.debian.org (full text, mbox):

From: Thue Janus Kristensen <thuejk@gmail.com>
To: 636148@bugs.debian.org
Subject: Better, but still not perfect
Date: Mon, 19 Sep 2011 20:10:54 +0200
According to http://www.debian.org/doc/debian-policy/ch-source.html ,
section "4.14 Source package handling: debian/README.source":

> If running dpkg-source -x on a source package doesn't produce the source of
> the package, ready for editing, and allow one to make changes and run
> dpkg-buildpackage to produce a modified package without taking any
> additional steps, creating a debian/README.source documentation file is
> recommended.


So since you need to run the Smarty_3_x_x/development/Makefile after
modifying the .y file, the current package is lacking (there is no
debian/README.source file either).

IMO, the debian/rules "build" rule should run
the Smarty_3_x_x/development/Makefile to compile the .y and .plex files ,
even though smarty SVN comes with a compiled version. That way you are also
sure that the installed compiled version of these files actually corresponds
to the source version.

Regards, Thue

Bug No longer marked as fixed in versions smarty3/3.1.0-1 and reopened. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 19 Sep 2011 18:18:38 GMT) Full text and rfc822 format available.
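
Added example (not part of the bug log, and not Debian's or Smarty's own tooling): a shell check for the two conditions raised in this report, that the grammar sources (.y/.plex) are present in the unpacked tree and that regenerating from them reproduces the shipped generated files. The `development/` and `distribution/` layout follows the thread; the function names, the sample tree and the `tr`-based stand-in generator are assumptions made for illustration.

```shell
#!/bin/sh
# check_generated TREE REGEN_CMD
#   0 = shipped generated files match a fresh regeneration
#   1 = shipped generated files differ from what the sources produce
#   2 = no .y/.plex grammar sources in the tree (the situation first reported)
#   3 = the regeneration step itself failed
check_generated() {
    tree=$1; regen=$2
    # Step 1: the preferred form for modification must be present at all.
    if [ -z "$(find "$tree/development" -type f \( -name '*.y' -o -name '*.plex' \) 2>/dev/null)" ]; then
        return 2
    fi
    # Step 2: regenerate in a scratch copy so the unpacked tree stays untouched.
    work=$(mktemp -d) || return 3
    cp -R "$tree/." "$work/"
    ( cd "$work" && sh -c "$regen" ) >/dev/null 2>&1 || { rm -rf "$work"; return 3; }
    # Step 3: any difference means the shipped output does not correspond to the source.
    if diff -r "$tree/distribution" "$work/distribution" >/dev/null; then _rc=0; else _rc=1; fi
    rm -rf "$work"
    return $_rc
}

# Constructed sample tree: a toy "grammar" and its generated output (not real Smarty files).
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/development/lexer" "$t/distribution/libs"
    printf 'rule a\n' > "$t/development/lexer/demo.y"
    printf 'RULE A\n' > "$t/distribution/libs/demo.php"
    echo "$t"
}

# Hypothetical stand-in for running "make all" in development/: upper-cases demo.y.
REGEN='tr a-z A-Z < development/lexer/demo.y > distribution/libs/demo.php'

demo=$(make_sample_tree)
check_generated "$demo" "$REGEN" && echo "generated files correspond to source"
# Simulate a stale or hand-edited generated file.
printf 'RULE B\n' > "$demo/distribution/libs/demo.php"
check_generated "$demo" "$REGEN" || echo "drift detected (rc=$?)"
rm -rf "$demo"
```

In a real package the regeneration command would be whatever the upstream Makefile runs, and a non-zero result would fail the build.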

Reply sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
You have taken responsibility. (Thu, 10 May 2012 09:21:04 GMT) Full text and rfc822 format available.

Notification sent to Thue Janus Kristensen <thuejk@gmail.com>:
Bug acknowledged by developer. (Thu, 10 May 2012 09:21:11 GMT) Full text and rfc822 format available.

Message #46 received at 636148-close@bugs.debian.org (full text, mbox):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 636148-close@bugs.debian.org
Subject: Bug#636148: fixed in smarty3 3.1.8-1
Date: Thu, 10 May 2012 09:18:12 +0000
Source: smarty3
Source-Version: 3.1.8-1

We believe that the bug you reported is fixed in the latest version of
smarty3, which is due to be installed in the Debian FTP archive:

smarty3_3.1.8-1.debian.tar.gz
  to main/s/smarty3/smarty3_3.1.8-1.debian.tar.gz
smarty3_3.1.8-1.dsc
  to main/s/smarty3/smarty3_3.1.8-1.dsc
smarty3_3.1.8-1_all.deb
  to main/s/smarty3/smarty3_3.1.8-1_all.deb
smarty3_3.1.8.orig.tar.gz
  to main/s/smarty3/smarty3_3.1.8.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 636148@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <mike.gabriel@das-netzwerkteam.de> (supplier of updated smarty3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 10 May 2012 10:44:55 +0200
Source: smarty3
Binary: smarty3
Architecture: source all
Version: 3.1.8-1
Distribution: experimental
Urgency: low
Maintainer: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Changed-By: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Description: 
 smarty3    - Template engine for PHP
Closes: 636148 657385 668200
Changes: 
 smarty3 (3.1.8-1) experimental; urgency=low
 .
   * New upstream release (rev. 4611).
   * New package maintainer (closes: #668200).
   * Add watch file (closes: #657385).
   * Add Vcs-* lines to control file.
   * Add README.source that explains how we obtain code from
     upstream SVN. Make sure all upstream source files are
     shipped with the Debian source package (closes: #636148).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 07:58:08 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 00:14:41 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.