Debian Bug report logs - #907072
lintian: verify AppStream metainfo metadata_license matches debian/copyright


Package: lintian; Maintainer for lintian is Debian Lintian Maintainers <lintian-maint@debian.org>; Source for lintian is src:lintian.

Reported by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Date: Thu, 23 Aug 2018 18:27:01 UTC

Severity: wishlist

Found in version lintian/2.5.97

Fixed in version lintian/2.5.123

Done: Chris Lamb <lamby@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, dkg@fifthhorseman.net, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#907072; Package lintian. (Thu, 23 Aug 2018 18:27:04 GMT).


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
New Bug report received and forwarded. Copy sent to dkg@fifthhorseman.net, Debian Lintian Maintainers <lintian-maint@debian.org>. (Thu, 23 Aug 2018 18:27:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lintian: verify AppStream metainfo metadata_license matches debian/copyright
Date: Thu, 23 Aug 2018 14:22:41 -0400

Package: lintian
Version: 2.5.97
Severity: wishlist

Lintian currently has some checks about appstream-metadata (the
AppStream metainfo xml files shipped with some software).  It also has
some checks about debian/copyright.

The AppStream metainfo files have a member named metadata_license, as
documented here:

   https://www.freedesktop.org/software/appstream/docs/chap-Metadata.html#tag-metadata_license

It would be great if lintian could notice that metadata_license
doesn't match the indicated license in debian/copyright.

The gnupg2 source package version 2.2.9-1 has this mismatch because i
was sloppy.  I'll fix it shortly (by relicensing the file to match
what is in d/copyright), but i'd love it if lintian could have helped
me catch my sloppiness earlier :)

           --dkg

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'oldstable'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.17.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages lintian depends on:
ii  binutils                          2.31.1-4
ii  bzip2                             1.0.6-9
ii  diffstat                          1.61-1+b1
ii  dpkg                              1.19.0.5+b1
ii  file                              1:5.34-2
ii  gettext                           0.19.8.1-7
ii  intltool-debian                   0.35.0+20060710.4
ii  libapt-pkg-perl                   0.1.34
ii  libarchive-zip-perl               1.62-2
ii  libclass-accessor-perl            0.51-1
ii  libclone-perl                     0.39-1
ii  libdpkg-perl                      1.19.0.5
ii  libemail-valid-perl               1.202-1
ii  libfile-basedir-perl              0.08-1
ii  libipc-run-perl                   20180523.0-1
ii  liblist-moreutils-perl            0.416-1+b3
ii  libparse-debianchangelog-perl     1.2.0-12
ii  libperl5.24 [libdigest-sha-perl]  5.24.1-7
ii  libtext-levenshtein-perl          0.13-1
ii  libtimedate-perl                  2.3000-2
ii  liburi-perl                       1.74-1
ii  libxml-simple-perl                2.25-1
ii  libyaml-libyaml-perl              0.72+repack-1
ii  man-db                            2.8.4-2
ii  patchutils                        0.3.4-2
ii  perl [libdigest-sha-perl]         5.26.2-7
ii  t1utils                           1.41-2
ii  xz-utils                          5.2.2-1.3

Versions of packages lintian recommends:
pn  libperlio-gzip-perl  <none>

Versions of packages lintian suggests:
pn  binutils-multiarch     <none>
ii  dpkg-dev               1.19.0.5
ii  libhtml-parser-perl    3.72-3+b2
ii  libtext-template-perl  1.53-1

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#907072; Package lintian. (Fri, 24 Aug 2018 19:21:03 GMT).


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Fri, 24 Aug 2018 19:21:03 GMT).


Message #10 received at 907072@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 907072@bugs.debian.org
Subject: Re: Bug#907072: lintian: verify AppStream metainfo metadata_license matches debian/copyright
Date: Fri, 24 Aug 2018 20:20:21 +0100

tags 907072 + moreinfo
thanks

Hi dkg,

> The gnupg2 source package version 2.2.9-1 has this mismatch because i
> was sloppy.

So, debian/copyright contains:

   Files: debian/org.gnupg.scdaemon.metainfo.xml
   Copyright: 2017 Daniel Kahn Gillmor <dkg@fifthhorseman.net>
   Comment: This file is licensed permissively for the sake of AppStream
   License: CC0-1.0

... and debian/org.gnupg.scdaemon.metainfo.xml contains:

   <?xml version="1.0" encoding="UTF-8"?>
   <component>
     <id>org.gnupg.scdaemon</id>
     <metadata_license>GPL</metadata_license>
     <name>scdaemon</name>
     <summary>USB SmartCard Readers</summary>
     <description>
       <p>
         GnuPG's scdaemon provides access to USB tokens and smartcard
         readers that provide cryptographic functionality (e.g. use of
         protected secret keys).
       </p>
     </description>
   [...]

... which is installed to /usr/share/metainfo via
debian/scdaemon.install.

Thus, whilst we can rely on such metadata files existing in
/usr/share/metainfo/*.xml (or similar) we don't know which file in the
source tree this originated from (and thus its license).

Ideas?


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Added tag(s) moreinfo. Request was from Chris Lamb <lamby@debian.org> to control@bugs.debian.org. (Fri, 24 Aug 2018 19:21:06 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#907072; Package lintian. (Mon, 14 Jan 2019 23:51:07 GMT).


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Mon, 14 Jan 2019 23:51:07 GMT).


Message #17 received at 907072@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 907072@bugs.debian.org
Subject: Re: Bug#907072: lintian: verify AppStream metainfo metadata_license matches debian/copyright
Date: Mon, 14 Jan 2019 23:50:47 +0000

Chris Lamb wrote:

> > The gnupg2 source package version 2.2.9-1 has this mismatch because i
> > was sloppy.
> 
> So, debian/copyright contains:
> 
>    Files: debian/org.gnupg.scdaemon.metainfo.xml
>    Copyright: 2017 Daniel Kahn Gillmor <dkg@fifthhorseman.net>
>    Comment: This file is licensed permissively for the sake of AppStream
>    License: CC0-1.0
> 
> ... and debian/org.gnupg.scdaemon.metainfo.xml contains:
> 
>    <?xml version="1.0" encoding="UTF-8"?>
>    <component>
>      <id>org.gnupg.scdaemon</id>
>      <metadata_license>GPL</metadata_license>
>      <name>scdaemon</name>
>      <summary>USB SmartCard Readers</summary>
>      <description>
>        <p>
>          GnuPG's scdaemon provides access to USB tokens and smartcard
>          readers that provide cryptographic functionality (e.g. use of
>          protected secret keys).
>        </p>
>      </description>
>    [...]
> 
> ... which is installed to /usr/share/metainfo via debian/
> scdaemon.install.
> 
> Thus, whilst we can rely on such metadata files existing in /usr/share/
> metainfo/*.xml (or similar) we don't know which file in the source tree
> this originated from (and thus its license).
> 
> Ideas?

Gentle ping on this? :)


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#907072; Package lintian. (Tue, 15 Jan 2019 05:09:02 GMT).


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Tue, 15 Jan 2019 05:09:02 GMT).


Message #22 received at 907072@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Chris Lamb <lamby@debian.org>, 907072@bugs.debian.org
Subject: Re: Bug#907072: lintian: verify AppStream metainfo metadata_license matches debian/copyright
Date: Mon, 14 Jan 2019 23:36:04 -0500

On Mon 2019-01-14 23:50:47 +0000, Chris Lamb wrote:
> Chris Lamb wrote:
>
>> > The gnupg2 source package version 2.2.9-1 has this mismatch because i
>> > was sloppy.
>> 
>> So, debian/copyright contains:
>> 
>>    Files: debian/org.gnupg.scdaemon.metainfo.xml
>>    Copyright: 2017 Daniel Kahn Gillmor <dkg@fifthhorseman.net>
>>    Comment: This file is licensed permissively for the sake of AppStream
>>    License: CC0-1.0
>> 
>> ... and debian/org.gnupg.scdaemon.metainfo.xml contains:
>> 
>>    <?xml version="1.0" encoding="UTF-8"?>
>>    <component>
>>      <id>org.gnupg.scdaemon</id>
>>      <metadata_license>GPL</metadata_license>

In unstable, it's  
<metadata_license>CC0-1.0</metadata_license>, which matches the
declaration in d/copyright.

>>      <name>scdaemon</name>
>>      <summary>USB SmartCard Readers</summary>
>>      <description>
>>        <p>
>>          GnuPG's scdaemon provides access to USB tokens and smartcard
>>          readers that provide cryptographic functionality (e.g. use of
>>          protected secret keys).
>>        </p>
>>      </description>
>>    [...]
>> 
>> ... which is installed to /usr/share/metainfo via debian/
>> scdaemon.install.
>> 
>> Thus, whilst we can rely on such metadata files existing in /usr/share/
>> metainfo/*.xml (or similar) we don't know which file in the source tree
>> this originated from (and thus its license).
>> 
>> Ideas?
>
> Gentle ping on this? :)

Sorry, i'm confused by this question.  The source file
debian/org.gnupg.scdaemon.metainfo.xml itself is what shows up in
/usr/share/metainfo/.  this file states that its own license is CC0-1.0,
as does debian/copyright.  What information is missing?

sorry to be dense,

       --dkg



Removed tag(s) moreinfo. Request was from Chris Lamb <lamby@debian.org> to control@bugs.debian.org. (Thu, 17 Jan 2019 19:45:02 GMT).


Added tag(s) pending. Request was from Chris Lamb <lamby@debian.org> to control@bugs.debian.org. (Thu, 17 Jan 2019 19:45:03 GMT).


Message sent on to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug#907072. (Thu, 17 Jan 2019 19:45:07 GMT).


Message #29 received at 907072-submitter@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 907072-submitter@bugs.debian.org
Subject: Bug #907072 in lintian marked as pending
Date: Thu, 17 Jan 2019 19:40:46 +0000

Control: tag -1 pending

Hello,

Bug #907072 in lintian reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/lintian/lintian/commit/0324556c92bcc74f3c7713c9139c3cf91dbadf6a

------------------------------------------------------------------------
Check for inconsistencies between debian/copyright and the information embedded/duplicated in AppStream metadata files. Thanks to Daniel Kahn Gillmor for the idea. (Closes: #907072)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/907072



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#907072; Package lintian. (Fri, 18 Jan 2019 02:45:06 GMT).


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Fri, 18 Jan 2019 02:45:06 GMT).


Message #34 received at 907072@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 907072@bugs.debian.org
Subject: Re: Bug#907072: lintian: verify AppStream metainfo metadata_license matches debian/copyright
Date: Thu, 17 Jan 2019 19:43:33 +0000

tags 907072 - moreinfo
tags 907072 + pending
thanks

Hi Daniel,

> Sorry, i'm confused by this question.  The source file
> debian/org.gnupg.scdaemon.metainfo.xml itself is what shows up in
> /usr/share/metainfo/.  this file states that its own license is CC0-1.0,
> as does debian/copyright.  What information is missing?
> 
> sorry to be dense,

No, it was me being dense.

I was thinking that because it is somewhat unrealistic for Lintian
to reliably work out where an *installed* XML file came from in the
source tree (dh_install isn't the only way to install files, after
all) then it would be difficult to reverse-map them back and do the
check.

However, this is not required if we simply check all such files.
Implemented in 0324556c2, pending upload.


Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-
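
The approach described in the message above (check every AppStream metainfo file found in the source tree against debian/copyright, instead of reverse-mapping installed files), as an added Python example; it is not Lintian's implementation (Lintian is written in Perl) and not code from this thread. Assumptions: a machine-readable debian/copyright where the last matching Files stanza wins, globs approximated with fnmatch, and hypothetical function names; the `Files: *` stanza in the sample is constructed.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Constructed sample: the second Files stanza and the metadata_license value
# are quoted in the thread; the "Files: *" stanza is a placeholder added here.
SAMPLE_COPYRIGHT = """\
Files: *
Copyright: PLACEHOLDER upstream authors
License: GPL-3+

Files: debian/org.gnupg.scdaemon.metainfo.xml
Copyright: 2017 Daniel Kahn Gillmor <dkg@fifthhorseman.net>
License: CC0-1.0
"""
SAMPLE_METAINFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<component>
  <metadata_license>GPL</metadata_license>
</component>
"""

def parse_copyright(text):
    """Return [(file_globs, license_short_name)] for each Files stanza, in order."""
    stanzas = []
    for para in re.split(r"\n\s*\n", text):
        fields, key = {}, None
        for line in para.splitlines():
            if line[:1].isspace():                   # continuation of previous field
                fields[key] = fields.get(key, "") + "\n" + line.strip()
            elif ":" in line:
                key = line.split(":", 1)[0].strip().lower()
                fields[key] = line.split(":", 1)[1].strip()
        if "files" in fields and "license" in fields:
            # Only the first line of License is the short name; the rest is text.
            short = (fields["license"].splitlines() or [""])[0].strip()
            stanzas.append((fields["files"].split(), short))
    return stanzas

def declared_license(path, stanzas):
    """License that d/copyright assigns to path; the last matching stanza wins."""
    match = None
    for globs, short in stanzas:
        if any(fnmatch.fnmatchcase(path, g) for g in globs):
            match = short
    return match

def metadata_license(xml_bytes):
    """Text of <metadata_license> directly under the root element, or None."""
    node = ET.fromstring(xml_bytes).find("metadata_license")
    return node.text.strip() if node is not None and node.text else None

def find_mismatches(copyright_text, metainfo_files):
    """Check every metainfo file; return [(path, embedded, declared)] that differ."""
    stanzas = parse_copyright(copyright_text)
    checked = ((p, metadata_license(x), declared_license(p, stanzas))
               for p, x in sorted(metainfo_files.items()))
    return [c for c in checked if c[1] and c[2] and c[1] != c[2]]
```

`find_mismatches` takes the text of debian/copyright and a dict mapping source-tree paths to metainfo file contents; files with no matching stanza or no metadata_license element are skipped rather than reported.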



Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Mon, 21 Jan 2019 21:39:03 GMT).


Notification sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug acknowledged by developer. (Mon, 21 Jan 2019 21:39:03 GMT).


Message #39 received at 907072-close@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 907072-close@bugs.debian.org
Subject: Bug#907072: fixed in lintian 2.5.123
Date: Mon, 21 Jan 2019 21:35:21 +0000

Source: lintian
Source-Version: 2.5.123

We believe that the bug you reported is fixed in the latest version of
lintian, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 907072@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated lintian package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 21 Jan 2019 18:53:24 +0000
Source: lintian
Binary: lintian
Architecture: source all
Version: 2.5.123
Distribution: unstable
Urgency: medium
Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 lintian    - Debian package checker
Closes: 907072 919162 919604 919740 919839 919979
Changes:
 lintian (2.5.123) unstable; urgency=medium
 .
   * Summary of tag changes:
     + Added:
       - inconsistent-appstream-metadata-license
       - package-contains-python-header-in-incorrect-directory
     + Renamed:
       - package-contains-usr-unmerged-pathnames ->
         package-contains-real-file-outside-usr
 .
   [ Chris Lamb ]
   * Group warnings that only differ on the architecture in the HTML
     reports. (Closes: #919162)
   * Prevent a large number of false-positives when checking "new style" init
     scripts that use "#!/usr/bin/env /lib/init/init-d-script" as their
     shebang. (Closes: #919604)
   * Check for packages that ship headers in /usr/include/python3.x.
     (Closes: #919979)
   * Check for inconsistencies between debian/copyright and the information
     embedded/duplicated in AppStream metadata files. Thanks to Daniel Kahn
     Gillmor for the idea. (Closes: #907072)
   * package-contains-usr-unmerged-pathnames tag:
     - Prevent false-positives for leading directories. (Closes: #919839)
     - Rename from package-contains-real-file-outside-usr.
     - Move to "Classification" severity instead of a pedantic/experimental
       combination.
   * Use a verb in the debian-changelog-line-too-short tag description.
   * Use "state cache" vs "state-cache" consistently between source and
     binary packages when printing warnings during report generation.
   * Update added/removed tag summary generation code to match "WIP" now we
     are using gbp-dch(1).
 .
   [ Niels Thykier ]
   * lib/lintian: Do entry removals asynchronously in temp labs.
   * Lintian::Unpacker:
     * Migrate to use IO::Async.
     * Refactor to extract a "find_next_task"-sub(-generator).
     * Add a simple queue to avoid some overhead.
     * Support prioritizing unpacking by collections.
 .
   [ Felix Lechner ]
   * Template cleanup: (MR: !131)
     - Rename tests-watchfile and tests-pedantic.
     - Use renamed template sets in skeletons for suite tests.
     - Move upstream/metadata from debian-native to debian-extra-non-native.
     - Delete unused template set source-arch-independent.
 .
   [ Mike Miller ]
   * Reword the description of the description-too-long tag to match the
     actual check. (Closes: #919740)
 .
   [ Paul Wise ]
   * Add several spelling corrections.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 21 Feb 2019 07:34:12 GMT).

