Sign me up Login

Details about package python-lib4sbom

Name:	python-lib4sbom
Uploader:	Eugene Kaddo <arduinum628@gmail.com> (Debian QA page)
Description:	python3-lib4sbom - C library for Software Bill of Materials processing

Package uploads

Upload #1

Information

Version:	0.8.8+dfsg-1
Uploaded:	2026-04-28 16:51
Source package:	python-lib4sbom_0.8.8+dfsg-1.dsc
Distribution:	unstable
Section:	python
Priority:	optional
Homepage:	https://github.com/anthonyharrison/lib4sbom
Closes bugs:	#1135168

Changelog

 python-lib4sbom (0.8.8+dfsg-1) unstable; urgency=medium
 .
   * Initial release (Closes: #1135168)

QA information

–
Package uses debhelper-compat

Debhelper compatibility level 13

–

Newer upstream version available

Local:	0.8.8+dfsg
Upstream:	0.10.4
Url:	https://github.com/anthonyharrison/lib4sbom/archive/refs/tags/v0.10.4.tar.gz

–
Package is not native

Format: 3.0 (quilt)
–
"Maintainer" email is the same as the uploader
–
Package has lintian warnings
python-lib4sbom source
- W newer-standards-version
  - 4.7.4 (current is 4.7.3)
- I missing-explanation-for-repacked-upstream-tarball
  - [debian/copyright:1]
- P trailing-whitespace
  - [debian/control:14]
- X debian-watch-does-not-check-openpgp-signature
  - [debian/watch]
- X prefer-uscan-symlink
  - filenamemangle s%.*/v?(\d[\d.]*)\.tar\.gz%python-lib4sbom-$1.tar.gz% [debian/watch:8]
- X update-debian-copyright
  - 2025 vs 2026 [debian/copyright:79]
- X upstream-metadata-file-is-missing
- X very-long-line-length-in-source-file
  - 2971 > 512 [README.md:378]
  - 711 > 512 [test/data/spdx_test.spdx:244]
–
Package closes ITP bug
- python-lib4sbom:
  - #1135168 (Wishlist, ITP): ITP: python-lib4sbom -- Python library for Software Bill of Materials processing
–
No VCS field present
–
Package is not in Debian
–
d/copyright is in DEP5 format

Upstream Contact: Anthony Harrison

Licenses: Apache-2.0

Comments

# uscan -dd --repack
Newest version of python-lib4sbom on remote site is 0.10.4, local version is 0.8.8+dfsg
       (mangled local version is 0.8.8)
 => Newer package available from:
        => https://github.com/anthonyharrison/lib4sbom/archive/refs/tags/v0.10.4.tar.gz
Successfully repacked ../python-lib4sbom-0.10.4.tar.gz as ../python-lib4sbom_0.10.4.orig.tar.xz.

Bump version?

Needs work Alexander Ermakov at April 29, 2026, 1:22 a.m.

Extra empty line in d/сopyright:

Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Source: https://github.com/anthonyharrison/lib4sbom
Upstream-Name: lib4sbom
Upstream-Contact: Anthony Harrison
Files-Excluded:
 lib4sbom/license_data/text/json.html
...
 examples/*
 tools/*

Needs work Alexander Ermakov at April 29, 2026, 1:30 a.m.

After repacking tests fails:

================================= test session starts =================================
platform linux -- Python 3.14.4, pytest-9.0.3, pluggy-1.6.0
rootdir: /v/result/_temp
plugins: typeguard-4.4.4
collected 162 items / 7 errors / 62 deselected / 100 selected                         

======================================= ERRORS ========================================
_ ERROR collecting .pybuild/cpython3_3.14_lib4sbom/build/test/test_cyclonedx_generator.py _
ImportError while importing test module '/v/result/_temp/.pybuild/cpython3_3.14_lib4sbom/build/test/test_cyclonedx_generator.py'.
Hint: make sure your test modules/packages have valid Python names.
Traceback:
/usr/lib/python3.14/importlib/__init__.py:88: in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
test/test_cyclonedx_generator.py:3: in <module>
    from lib4sbom.cyclonedx.cyclonedx_generator import CycloneDXGenerator as test_module
lib4sbom/cyclonedx/cyclonedx_generator.py:9: in <module>
    from lib4sbom.data.identifier import SBOMIdentifier
lib4sbom/data/identifier.py:4: in <module>
    from packageurl import PackageURL
E   ModuleNotFoundError: No module named 'packageurl'

Needs work Alexander Ermakov at April 29, 2026, 1:33 a.m.

=============================== short test summary info ===============================
ERROR test/test_cyclonedx_generator.py
ERROR test/test_cyclonedx_parser.py
ERROR test/test_generator.py
ERROR test/test_parser.py
ERROR test/test_purl.py
ERROR test/test_spdx_generator.py
ERROR test/test_spdx_parser.py
!!!!!!!!!!!!!!!!!!!!!!! Interrupted: 7 errors during collection !!!!!!!!!!!!!!!!!!!!!!!

Needs work Alexander Ermakov at April 29, 2026, 1:34 a.m.

Hold at 0.8.8 to maintain compatibility with cve-bin-tool 3.4.

Ready Eugene Kaddo at April 29, 2026, 4:54 p.m.

The reason they passed on my side is that my debian/rules file was explicitly configured to skip the exact tests that failed for you. This was done using like this:

#!/usr/bin/make -f


export PYBUILD_NAME=lib4sbom
export PYBUILD_DESTDIR=$(CURDIR)/debian/python3-lib4sbom
export PYBUILD_INSTALL_ARGS=--install-lib=/usr/lib/python3/dist-packages
export PYBUILD_TEST_PYTEST=1
export TESTS_TO_EXCLUDE=not test_spdx_parser and \
not test_spdx_generator and \
not test_get_type and \
not test_get_files and \
not test_get_packages and \ 
not test_get_relationships and \ 
not test_output and \
not test_generator and \
not test_file and \
not test_parse and \
not test_parse_cyclonedx_json and \ 
not test_cyclonedx_generator and \
not test_package

export PYBUILD_TEST_ARGS=test -k "${TESTS_TO_EXCLUDE}"
export DH_ALWAYS_EXCLUDE=test


%:
dh $@ --buildsystem=pybuild --with=python3

Ready Eugene Kaddo at April 29, 2026, 5:51 p.m.

> Hold at 0.8.8 to maintain compatibility with cve-bin-tool 3.4.

Then I suggest you create TWO packages:
- src:python-lib4sbom     -> bin:python3-lib4sbom     (0.10.4);
- src:python-lib4sbom-0.8 -> bin:python3-lib4sbom-0.8 (0.8.8).

Needs work Alexander Ermakov at April 30, 2026, 2:25 a.m.

Upstream Contact:	Anthony Harrison
Licenses:	Apache-2.0