Hi! This came up during debian copyright review of files in sbctl, see https://salsa.debian.org/newgateway-team/reviews/-/issues/30
At least the following binaries are stored in the git repository:
- tests/bzImage
- tests/binaries/test.pecoff
- tests/ovmf/OVMF_VARS.fd
- tests/ovmf/keys/initramfs.cpio
How where they created? What's the licensing terms? Pointers to source code?
I understand this is a boring request, but given xz I think feedback like this have some weight.
Some simple ways to resolve this:
-
Remove the binaries from git, downloading them during self-check phase. Then at least the source repository isn't tainted by these blobs.
-
Move binaries to a separate e.g. sbctl-test repository, and run self-tests there. May be combined with 1).
-
Provide build instructions and source code for re-building those binaries (sounds like work).
-
The debian package shouldn't use upstream source code without filtering these blobs. I suppose this is the simple approach for us, but it just hides the concern which IMHO warrant some upstream consideration.
Thanks,
Simon
Hi! This came up during debian copyright review of files in
sbctl, see https://salsa.debian.org/newgateway-team/reviews/-/issues/30At least the following binaries are stored in the git repository:
How where they created? What's the licensing terms? Pointers to source code?
I understand this is a boring request, but given xz I think feedback like this have some weight.
Some simple ways to resolve this:
Remove the binaries from git, downloading them during self-check phase. Then at least the source repository isn't tainted by these blobs.
Move binaries to a separate e.g. sbctl-test repository, and run self-tests there. May be combined with 1).
Provide build instructions and source code for re-building those binaries (sounds like work).
The debian package shouldn't use upstream source code without filtering these blobs. I suppose this is the simple approach for us, but it just hides the concern which IMHO warrant some upstream consideration.
Thanks,
Simon