https://bugzilla.redhat.com/show_bug.cgi?id=1933419

--- Comment #3 from Mattias Ellert <mattias.ellert@xxxxxxxxxxxxx> ---
(In reply to Silvie Chlupova from comment #2)
> Just a few comments, first of all, I would like to thank you for your effort
> to get the package into Fedora.
> I don't see any dist directory, but you use install -m 644 -p dist/*
> %{buildroot}%{_jsdir}/%{jsname}.

There is no dist directory in the source tarball. The dist directory and the files in it are created when the package is compiled (by running the command in the %build section). These files are then packaged in the %install section.

> See the Rpmlint section, there are 3 warnings.

See below.

> You also write that jshint has a non-free license, but according to
> https://github.com/jshint/jshint/blob/master/LICENSE jshint has an MIT
> license, the same as your package.

The LICENSE file in external/jshint/LICENSE/LICENSE is incomplete. It reflects the license of the sources of jshint itself. However, the jshint.js file contains some bundled source files from other projects with different licenses.

The part of jshint that is non-free is the bundled copy of jslint.js, starting at line 52736 in the copy of jshint.js that is included in the upstream sources of jquery-ui. The license for this file (which is included in the bundled copy) contains the condition:

"The Software shall be used for Good, not Evil."

Which means that the software is not free to use for any purpose, and hence non-free, and therefore not distributable in Fedora. Some might argue that this was not the intention of the author of the code when he wrote the license, but this is the strict legal interpretation of the license text.

For more information see here:
https://www.techrepublic.com/article/how-jshint-learned-the-hard-way-not-to-use-ethical-source-licensing/

The project did change the license in 2020, but the copy in the jquery-ui source tarball still has the old license.
The file is not necessary for building the software, so removing it does not break the source rpm.

> Package Review
> ==============
>
> ===== SHOULD items =====
>
> Generic:
> [!]: SourceX tarball generation or download is documented.
> Note: Package contains tarball without URL, check comments
>
>
> Rpmlint
> -------
> Checking: js-jquery-ui-1.12.1-1.fc35.noarch.rpm
> js-jquery-ui-1.12.1-1.fc35.src.rpm
> js-jquery-ui.src: W: strange-permission create-source.sh 755
> js-jquery-ui.src: W: invalid-url Source1:
> jquery-ui-1.12.1-node-modules.tar.gz
> js-jquery-ui.src: W: invalid-url Source0: jquery-ui-1.12.1.tar.gz
> 2 packages and 0 specfiles checked; 0 errors, 3 warnings.

Since the source tarballs in the srpm are either modified or generated, there are no URLs from where they can be downloaded. How the sources are created is instead documented by including the script that generates them in the source rpm. See:

https://fedoraproject.org/wiki/Packaging:SourceURL#When_Upstream_uses_Prohibited_Code

The script is supposed to be executable, so the file permissions are not that strange.

Thank you for the review. I hope I have addressed your comments.