Package: ldap-account-manager
Version: 9.0-1
Severity: wishlist

Dear Maintainer,

a newer upstream release is available. Do you have any plans to upgrade to the most recent upstream version (9.1 at the time of writing) before the
Trixie soft freeze deadline?

Best regards

Peter

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi Roland,

On 2025-03-18 16:52:22, Roland Gruber wrote:

please feel free to upload it. My current sponsor might not be able to
upload it in time:

https://www.ldap-account-manager.org/static/debian-packages/

thanks for your prompt reply. I reviewed your work and have the
following comments/questions:

1. The tarball which is available on

https://www.ldap-account-manager.org/static/debian-packages/ldap-account-manager_9.1.orig.tar.bz2

(sha256sum:
e696226bf1ef11a354712c17635e044cf47f094cbdc2fc06d93a4ee53f532b0f)
differs from the tarball which is available from the URL specified in
the watch file or which is available on Github (sha256sum: 9400e2ab3856c0e6b0a3a55cdf2421613336f5fda0dc098d9b3a789a8f4e1440).

What is the reason for that?

2. The copyright documentation in debian/copyright needs more work. Just
by quickly skimming the files I found the following copyright owners
which are not mentioned:

lib/modules/inetOrgPerson.inc:
Copyright (C) 2003 - 2006 Tilo Lutz

lib/modules/posixGroup.inc:
Copyright (C) 2003 - 2006 Tilo Lutz

templates/delete.php:
Copyright (C) 2003 - 2006 Tilo Lutz

lib/schema.inc:
Copyright (C) 2004 David Smith

templates/pdfedit/pdfmain.php:
Copyright (C) 2003 - 2006 Michael Duergner

templates/pdfedit/pdfpage.php:
Copyright (C) 2003 - 2006 Michael Duergner

templates/help.php:
Copyright (C) 2003 - 2006 Michael Duergner

style/500_layout.css:
Copyright (C) 2003 Leonhard Walchshaeusl

There might be even more.

The debian/copyright file also refers to non-existent files, e. g.

lib/3rdParty/composer/duo
style/600_flatpickr.css
templates/lib/cropper*.js

On the other hand there are existing files whose copyright/license is undocumented, e. g.

templates/lib/410_cropper-1.6.2.js

I also found copyright years in debian/copyright to be incomplete and/or outdated.

So I think the package needs a full review of its debian/copyright file
to make sure its data match the copyright/license statements in the
individual files.

One might also use this opportunity to switch to a machine-readable debian/copyright file as documented on [0].

3. You might add a Closes statement to the debian/changelog file for
this wishlist bug such that the Debian archive maintenance software automatically closes it on upload and adds some useful metadata to the bug.

4. Just to satisfy my curiosity: You handle quite some links in
maintainer scripts. Wouldn't it be easier to add a debian/ldap-account-manager.links file and let dh_link handle them? Or
do I miss something which prevents you from doing it?

5. Do you maintain the Debian ldap-account-manager package without
version control system on purpose, e. g. because you or your usual
sponsor do not like it? Or is this just because nobody bothered to set
up a repository so far (e. g. on salsa)? In my opinion reviewing
packages is easier and less time-consuming if the code is under version control, in particular if the review process involves multiple revision
steps.

Best regards

Peter

[0] https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi Roland,

On 2025-04-01 16:55:26, Roland Gruber wrote:

Hi Peter,

Am 30.03.25 um 21:35 schrieb Peter Wienemann:

2. The copyright documentation in debian/copyright needs more work.
Just by quickly skimming the files I found the following copyright
owners which are not mentioned:

Only main authors are listed in the file. The authors listed by you
did not contribute for about 20 years or more. Therefore, large parts
of the code was already replaced. Also, people who contribute via PRs
are not listed. But we keep their names in the source files to
document the contributions.

Debian Policy 12.5 [0] says:

"A verbatim copy of the package’s copyright information is often
required to be present in /usr/share/doc/PACKAGE/copyright, too; see
Copyright considerations."

Checking the applicable licence for those files (GPL2+) [1], the
licence states:

"You may copy and distribute verbatim copies of the Program's source
code as you receive it, in any medium, provided that you conspicuously
and appropriately publish on each copy an appropriate copyright notice
and disclaimer of warranty; keep intact all the notices that refer to
this License and to the absence of any warranty; and give any other
recipients of the Program a copy of this License along with the Program."

My understanding of the above is that a _verbatim_ copy of the
copyright information is required in the cases at hand.

While rereading the respective Debian Policy copyright section I
noticed that another Policy requirement is missing in the copyright file:

"In addition, the copyright file must say where the upstream sources
(if any) were obtained, and should include a name or contact address
for the upstream authors."

can you provide more details what exactly you are missing in the
copyright file? I did some updates, you can find the current version here:

https://github.com/LDAPAccountManager/lam/blob/develop/lam-packaging/ debian/copyright

sure.

Let me take some examples mentioned in my mail from March 23. Using
DEP-5 format the following could be an excerpt from debian/copyright:

----------------------------------------------------------------------------- [...]

Files: lib/modules/inetOrgPerson.inc
Copyright: 2003 - 2006 Tilo Lutz
2005 - 2025 Roland Gruber
License: GPL2+

Files: lib/modules/posixGroup.inc
Copyright: 2003 - 2006 Tilo Lutz
2007 - 2025 Roland Gruber
License: GPL2+

[...]

License: GPL2+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
.
On Debian GNU/Linux systems, the complete text of the GNU General Public
License can be found in /usr/share/common-licenses/GPL-2. -----------------------------------------------------------------------------

So it contains a verbatim copy of the copyright holders (as claimed in
the original files) and the licence.

Assessing the upstream copyright claims is not the job of a package
maintainer (maybe except in extreme cases). In particular a package
maintainer must not restrict the list to e. g. the main authors or drop copyright holders who have not contributed in recent years.

I hope this helps to make my point clearer.

If you have further questions, do not hesitate to ask.

Best regards

Peter

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)