You are not logged in.

#1 2019-01-06 16:22:28

dcordonu
Member
Registered: 2014-11-24
Posts: 7

[CLOSED] PKGBUILD Review Request

Hi,

I have pushed a PKGBUILD file alongside with all the necessary files to https://github.com/dcordonu/swgohnet for a package I intend to publish.

The command makepkg creates the package correctly, it installs and works OK. I ask for a review before publishing it to the AUR.

Thanks in advance!

Last edited by dcordonu (2019-02-25 23:38:25)

Offline

#2 2019-01-06 16:42:55

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,449
Website

Re: [CLOSED] PKGBUILD Review Request

If you are pulling from git master you should use git protocol rather than a tarball for the source.  But more importantly if you are pulling from git master via either method, you need to end the packagename with -git (or -devel) and use a pkgver function rather than a static pkgver value.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#3 2019-01-06 17:16:12

dcordonu
Member
Registered: 2014-11-24
Posts: 7

Re: [CLOSED] PKGBUILD Review Request

Trilby wrote:

If you are pulling from git master you should use git protocol rather than a tarball for the source.  But more importantly if you are pulling from git master via either method, you need to end the packagename with -git (or -devel) and use a pkgver function rather than a static pkgver value.

The git repository from where I download the tarball you are mentioning is just a collection of compressed binaries (there is no source code available). I just get the binary for the x86_64 architecture. In spite of that, is it still correct to clone the repository and name the package swgohnet-git?

Offline

#4 2019-01-06 17:31:58

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,449
Website

Re: [CLOSED] PKGBUILD Review Request

It doesn't matter what it contains, what matters is that you are pulling from git master which can change at any time.  If you want to ensure a static file, pull from a specific tag or commit (the source doesn't seem to tag releases but puts version numbers in commit messages) like the following:
https://github.com/r3volved/api-swgohNe … nux.tar.gz

On another note, you can remove two redundant lines from your package function:

package() {
	install -Dm755 "${srcdir}/swgohNet_Client-linux" "${pkgdir}/usr/bin/${pkgname}"
	install -Dm644 swgohnet.service "${pkgdir}/usr/lib/systemd/system/swgohnet.service"
	install -Dm644 swgohnet.conf "${pkgdir}/etc/swgohnet/swgohnet.conf"	
}

You should probably also list the conf file as a backupfile rather than just overwriting it on every upgrade (and then you can get rid of the post_upgrade message).

Lastly, you need to add a license file and list dependencies of glibc and gcc-libs (this last point is occasionally debated: base-devel packages should not need to be listed as dependencies, but these are in base not base-devel) (edit: I suppose both of these are dependencies of gcc, though, which is in base-devel).

On the license, I don't believe it is MIT.  The source doesn't list any license, but running `strings` on the binary reveals many references to MIT licenses, but also to GPL licensed components - so the binary itself cannot be MIT licensed - although this may all be from the GPL boilerplate embeded in the binary due to JSZip being dual licensed as MIT/GPL (which in itself is rather absurd).

Last edited by Trilby (2019-01-06 17:51:29)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#5 2019-01-06 22:09:41

dcordonu
Member
Registered: 2014-11-24
Posts: 7

Re: [CLOSED] PKGBUILD Review Request

Trilby wrote:

you can remove two redundant lines from your package function

Done, thanks.

Trilby wrote:

you need to add a license file

I have asked the repository creator and he really does not know, he mentioned that he usually uses MIT so I took a guess. I will write 'unkown'.

Trilby wrote:

You should probably also list the conf file as a backupfile

That is a good idea, updating it.

Offline

#6 2019-01-06 23:17:12

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,449
Website

Re: [CLOSED] PKGBUILD Review Request

dcordonu wrote:

I have asked the repository creator and he really does not know, he mentioned that he usually uses MIT so I took a guess.

That's pretty horrible at many levels.  I gather the repository creator is not the author of the software then.  He cannot simply chose whichever license he wants for someone else's content.  If there is no known license, then it is not legal to redistribute.  This should not be submitted to the AUR (and should be removed from github, but that's not our problem).

Who is the author of the software?


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#7 2019-01-06 23:37:19

dcordonu
Member
Registered: 2014-11-24
Posts: 7

Re: [CLOSED] PKGBUILD Review Request

Trilby wrote:

I gather the repository creator is not the author of the software then

Yes he is. The "problem" is that he does not want to provide access to the source code, so the repository just contains the binary file. That's why neither he nor me are sure about the correct license (I guess that the repository creator should know that, not me; I just have to ask). But he is OK with me submitting it to the AUR. I guess that if there is no known license I can't continue with this. Let me talk to him first. I suppose that the license should be the most restrictive from all the software he has used, am I correct?

Thanks!

Offline

#8 2019-01-06 23:47:35

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,449
Website

Re: [CLOSED] PKGBUILD Review Request

dcordonu wrote:

I suppose that the license should be the most restrictive from all the software he has used, am I correct?

Not quite.  Whatever license he uses must satisfy the requirements of all the licenses of the components he used.  It is quite possible that he used components that make it impossible to (legally) distribute the binary at all.  For example, if he used any GPL components and refuses to make the source code of all of his work available, then he is in violation of the GPL.  If he used any MIT licensed components (which he did) the copyright notices for those components should be included.  The MIT license is a bit vague on how those notices must be provided, just having them buried in an opaque binary would not likely satisfy anyone assessing the case.  If source code is available, then keeping the original copyright notice in the source is sufficient.  If only a binary is distributed, one would generally provide a text file with a list of copyright owners and which components of theirs were used.  Some of that can be extracted from the binary itself, but - again - it would not likely be considered reasonable inclusion of their copyright notice in a generally-non-human-readable form.

He can license his own content any way he sees fit, but just running `strings` on the binary reveals hundreds of different copyright holders with their copyright notice embedded in the binary including google, microsoft, and dozens of named individuals.

If the author is uncertain of the licensing requirements of these components he should definitely not be posting binaries with countless statically linked elements of other people's intellectual property - especially when entites such as microsoft are among those property owners.

Last edited by Trilby (2019-01-06 23:54:43)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#9 2019-01-06 23:53:36

dcordonu
Member
Registered: 2014-11-24
Posts: 7

Re: [CLOSED] PKGBUILD Review Request

Trilby wrote:

if he used any GPL components and refuses to make the source code of all of his work available, then he is in violation of the GPL

OK. In that case, I will talk to him and try to find a solution; I will not submit anything to he AUR until we clarify this.

Offline

#10 2019-01-06 23:56:47

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,449
Website

Re: [CLOSED] PKGBUILD Review Request

Please also note my edit.  Even if all components were permissively licensed, he still needs to include the original copyright owner's claims/notices.

And thanks for taking this seriously.  I am a proponent of permissive licenses, but also quite pedantic when it comes to enforcing copyrights and licenses.  Open source gets a bad reputation whenever open-source people fail to properly respect licenses (even ones we may not like).

Though I suppose the author of this tool is not an open source person ... which actually makes it harder.  When one can provide all their source code it makes it much easier to be compliant with a range of licenses.  In contrast, when one is only willing to distribute a pre-built (especially largely statically linked) binary, license issues can get quite sticky.

Last edited by Trilby (2019-01-07 00:04:55)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#11 2019-01-07 00:04:38

dcordonu
Member
Registered: 2014-11-24
Posts: 7

Re: [CLOSED] PKGBUILD Review Request

Trilby wrote:

he still needs to include the original copyright owner's claims/notices

I have not understood this; does it mean that he should include license files from all the software dependencies he is using?

Trilby wrote:

thanks for taking this seriously

Yeah, although it would be great to have free access and use every library, that doesn't mean we can do it sad

BTW, I'm moving the Github repo to a private one until we clarify this.

Last edited by dcordonu (2019-01-07 00:08:45)

Offline

#12 2019-01-07 00:09:03

loqs
Member
Registered: 2014-03-06
Posts: 17,196

Re: [CLOSED] PKGBUILD Review Request

If the license says such a notice must be include such as MIT then to be compliant with that license you need to include the notice.
Edit:
Some only need a notice if you include a NOTICE file such as Apache-2.0.
There is also the issue Trilby has noted of a single binary including GPL components but without all the source being released.

Last edited by loqs (2019-01-07 00:15:35)

Offline

#13 2019-01-07 00:13:44

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,449
Website

Re: [CLOSED] PKGBUILD Review Request

dcordonu wrote:

I have not understood this; does it mean that he should include license files from all the software dependencies he is using?

No, not full license files (unless the license requires that, but I don't know of any that do (edit: scratch that, some do, but I don't know of any permissive licenses that do).

The MIT license, for example, requires that the copyright holders statement of copyright remain in tact: in effect, it should be readily available to the end user of the software.  There are two ways of doing this.  First, if I write software that includes someone else's MIT-licensed software, and I distribute all the source code, their copyright notices are readily available in their source files.  But if I only distribute the final binary and no source files, I am required by the other author's MIT license to pass on their copyright notice in some other way.  This would generally be done in a text file or documentation that lists the copyright holders and which components are theirs.

So as an example: I write a program called foobar.  My main source file (that I write from scratch) is foo.c, but I also link to a bar.c written by someone else and licensed under the MIT license.  If I distribute foo.c and bar.c and a Makefile to build foobar, I'm pretty much covered as bar.c's author's copyright is in tact in their source code (I think, but of course IANAL, though this is the common practice).  But if I distribute only the final linked binary foobar, I would also include a text file listing the copyrights of all material used, e.g.:

foo module copyright 2019, me, myself, and I
bar module copyright 2017, so-and-so, recieved under MIT license

Note though that I've never actually done the second one - distributing the source is just much much easier.

EDIT:

dcordonu wrote:

BTW, I'm moving the Github repo to a private one until we clarify this.

That's not really necessary.  Even assuming the worst case that the binary is not legal to distribute, your repo only lists the link to it and does not itself contain problematic material (that said some jurisdictions have tried to claim that any web link pointing to copyrighted material is a violation of the original copyright - however that is absurd under common sense, likely unenforceable under the law, and completely unenforced in practice).

Last edited by Trilby (2019-01-07 00:23:08)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#14 2019-02-25 23:34:28

dcordonu
Member
Registered: 2014-11-24
Posts: 7

Re: [CLOSED] PKGBUILD Review Request

After trying to convince the author to publish the source code and being unable, I have decided not to publish the package and close this thread.

Offline

Board footer

Powered by FluxBB