Details about package debsbom

Name: debsbom
Uploader: Felix Moessbauer <felix.moessbauer@siemens.com> (Debian QA page)
Description: debsbom - SBOM generator for Debian-based distributions (tool)
python-debsbom-doc - SBOM generator for Debian-based distributions (documentation)

Package uploads

Upload #2

Information

Version: 0.6.1-1
Uploaded: 2026-01-28 07:58
Source package: debsbom_0.6.1-1.dsc
Distribution: unstable
Section: python
Priority: optional
Homepage: https://github.com/siemens/debsbom
Vcs-Browser: https://github.com/siemens/debsbom
Vcs-Git: https://github.com/siemens/debsbom -b main
Closes bugs: #1122577

Changelog

 debsbom (0.6.1-1) unstable; urgency=medium
 .
   * Initial release (Closes: #1122577)

QA information

Comments

  1. if i run decopy, i get these things about the tests:
    
    Files: tests/data/apt-copyright
           tests/root/copyright/usr/*
    Copyright: 2006, Alexander Dymo <adymo@kdevelop.org>
               2000, Ben Collins <bcollins@debian.org>
               1998, Ben Gertzfield <che@debian.org>
               2018-2019, Canonical Ltd
               2002-2019, Free Software Foundation, Inc
               1997-1999, Jason Gunthorpe and others
               2009-2016, Julian Andres Klode <jak@debian.org>
    License: BSD-3-clause or Expat or GPL-2+
    
    Files: tests/data/vim-tiny-copyright
    Copyright: <year> by <author's name or designee>. This material may be
               2019, Agilent Technologies, Inc
               Andy Cedilnik <andy.cedilnik@kitware.com>
               2014-2020, Apple Inc. and the Swift project authors
               2006, Benji Fisher <benji@member.ams.org>
               2001, Bohdan Vlasyuk <bohdan@vstu.edu.ua>
               1988-2022, Bram Moolenaar <Bram@vim.org>
               2012-2016, Carlo Baldassi
               1999-2021, Charles E. Campbell, Jr <drchip@campbellfamily.biz>
               2004, Chris Larson
               2015, Christian Brabandt
               2000, Compaq Computer Corporation
               2022, Daiderd Jordan
               2014, David Necas (Yeti)
               2003-2016, Davide Libenzi, Johannes E. Schindelin
               Dimitri Merejkowsky <d.merej@gmail.com>
               2002, E. I. DuPont de Nemours and Company, Inc
               Eric Pruitt <eric.pruitt@gmail.com>
               2003-2022, Ernest Adrogué <eadrogue@gmx.net>
               2017, Eugene Ciurana
               2003, Fred Barnes
               1989-1995, GROUPE BULL
               Gerfried Fuchs <alfie@ist.org>
               2008, Google Inc
               2012, Hong Xu
               2021, Izhak Jakov
               2022, James Fleming
               2013, Jeroen Ruigrok van der Werven, Eli Parra
               2001, Joerg Ziefle <joerg.ziefle@gmx.de>
               Joseph Hager <ajhager@gmail.com>
               1993, Juergen Weigert <jnweiger@immd4.informatik.uni-erlangen.de>
               1990-1998, Juergen Weigert <jnweiger@informatik.uni-erlangen.de>
               2015-2017, K.Takata
               Karthik Krishnan <kartik.krishnan@kitware.com>
               2017, Ken Takata
               2005-2010, Kevin Patrick Scannell <kscanne@gmail.com>
               2001-2022, MURAOKA Taro <koron.kaoriya@gmail.com>
               2003, Mario Schweigler
               2006, Martin Krischik
               2021, Matthew T. Ihlenfield
               2004-2008, Michael Geddes
               1993, Michael Schroeder <mlschroe@immd4.informatik.uni-erlangen.de>
               1997, Olaf Seibert
               1987, Oliver Laumann
               Pablo Ariel Kohan
               2008, Paul Evans <leonerd@leonerd.org.uk>
               1996, Paul Slootman
               2005-2021, Peter Provost
               2008, Ricardo Salveti
               2009-2013, Steven Oliver
               2009, The Go Authors
               1989-1993, The Regents of the University of California
               2015, The Rust Project Developers
               1986, University of Toronto
               1987-1994, X Consortium
               laws and international treaties. Your use of the Software
               2016, rhysd
               to each Open Publication is owned by its author(s) or designee
    License: BSD-3-clause or GPL-1+ or LGPL-2.1+ or Spencer-86 or Vim or X11 or public-domain
    
    Files: tests/data/libcap2-copyright
    Copyright: 1997, Aleph One
               1997-2008, Andrew G. Morgan <morgan@kernel.org>
               1997-2016, Andrew G. Morgan <morgan@linux.kernel.org>
               1997, Andrew Main <zefram@dcs.warwick.ac.uk>
               2011, Andrew Straw <strawman@astraw.com>
               2008, Chris Friedhoff <chris@friedhoff.org>
               2014-2022, Christian Kastner <ckk@debian.org>
               2014, Daniel Baumann <mail@daniel-baumann.ch>
               1998, Finn Arne Gangstad <finnag@guardian.no>
               2015, Helmut Grohne <helmut@subdivi.de>
               2006, Matt Kern <matt.kern@undue.org>
               2011, Scott Schaefer <saschaefer@neurodiverse.org>
               2010, Serge Hallyn <serue@us.ibm.com>
               2011, Zhi Li <lizhi1215@gmail.com>
    License: BSD-3-clause or GPL-2+
    Needs work Alex Myczko at Jan. 28, 2026, 9:36 a.m.
  2. either you say, i don't want to write copyright for that, and drop tests from orig.tar.gz, repackaging upstream with +ds
    
    or you just update d/copyright
    
    installation worked for me, and it runs as expected otherwise...
    Alex Myczko at Jan. 28, 2026, 9:37 a.m.
  3. The copyright thingy has been discussed in https://github.com/siemens/debsbom/pull/157#discussion_r2613569854. Listing the authors is IMHO questionable, as it is very unlikely that the copyright file itself is written by these authors (we don't ship any data from the referenced packages, but only the copyright file).
    
    However, according to Debian policy the glob "*" also applies to the copyright file itself, right? By that, I'm also fine with just taking what is provided by the upstream package and adding this data to the copyright file.
    
    If the copyright file itself does not fall under the "*" glob, or is excepted otherwise, we don't need to reference them, right?
    Felix Moessbauer at Jan. 28, 2026, 9:47 a.m.
  4. the problem is it's part of the orig.tar.gz, debian source packages are shipped. i'll read the URL now, but if you want to just drop tests, fine for me, then it is not shipped. it's not if it's shipped in the binary package or not, it's part of the source package. not everyone installs the source packages, most don't. but it's part of the debian distribution. have it in, declare it in d/copyright, remove it, forget it. (i wish this system had notifications, are you on IRC?)
    Alex Myczko at Jan. 28, 2026, 10:56 a.m.
  5. I'm available at #debian-mentors on OFTC. As I'm also upstream maintainer of the package, I prefer to rework the test data so we don't have this complicated copyright situation. Still, I'm unsure which copyright applies to the copyright file itself.
    Felix Moessbauer at Jan. 28, 2026, 11:10 a.m.

Upload #1

Information

Version: 0.6.1-1
Uploaded: 2026-01-27 13:58
Distribution: UNRELEASED
Section: python
Priority: optional
Homepage: https://github.com/siemens/debsbom
Vcs-Browser: https://github.com/siemens/debsbom
Vcs-Git: https://github.com/siemens/debsbom -b main
Closes bugs: #1122577

Changelog

 debsbom (0.6.1-1) UNRELEASED; urgency=medium
 .
   * Initial release (Closes: #1122577)

QA information

Comments

  1. Hi Felix
    
    Mind fixing the UNRELEASED?
    Needs work Alex Myczko at Jan. 28, 2026, 5:44 a.m.
  2. > Mind fixing the UNRELEASED?
    
    Done. Last time I uploaded here, I was asked to not do the release.
    Ready Felix Moessbauer at Jan. 28, 2026, 8:15 a.m.
  3. Strange, don't know, who would tell that? Maybe it was really for salsa to keep it UNRELEASED there, but not here?
    Alex Myczko at Jan. 28, 2026, 9:34 a.m.
  4. Maybe, but I can't find it anymore. I did not push the unstable upload to salsa yet. Once everything is fine here, I'll push it.
    
    PS: I also noticed that the lintian on mentor disagrees with my lintian on sid (mine is OK).
    Felix Moessbauer at Jan. 28, 2026, 9:37 a.m.