Reviews for lemonade
All reviews for this package from team members (across all versions).
| Reviewer | Version | Allocated | Started | Status | Completed | Comment | |
|---|---|---|---|---|---|---|---|
| siretart | 9.3.2-2 | 2 months, 5 days ago | 2 months, 5 days ago | rejected | 2 months, 5 days ago | Sorry for the many repeated rejects. This is a hard package to review and get right. Thanks for your hard work and attention to detail on this package! Unfortunately, I found some additional issues: # `docs/assets/logo_512.png` and `docs/favicon.ico` are missing from `debian/copyright` The `debian/copyright` file lists the following files under the Microsoft/Expat stanza: ``` Files: docs/assets/favicon.ico docs/assets/logo.png src/cpp/resources/static/favicon.ico ``` Inspecting `docs/assets/logo.png` and `docs/assets/logo_512.png` visually confirms they are the same Microsoft Fluent Emoji lemon image at different resolutions (128×128 and 512×512 respectively). `NOTICE.md` line 37 explicitly confirms: *"TurnkeyML uses the Microsoft lemon emoji as an icon for the lemonade tool."* Since `logo.png` is already attributed to Microsoft Corporation under the Expat license, `logo_512.png` must receive the same attribution — it is the same artwork. It is currently covered only by the catch-all AMD/Apache-2.0 stanza, which is a misrepresentation. `docs/favicon.ico` is likewise absent from the Microsoft/Expat stanza (the stanza lists `docs/assets/favicon.ico` but not `docs/favicon.ico`, which is a distinct file). Given the consistent use of the Fluent Emoji lemon as the project icon, this file almost certainly has the same provenance. Add both `docs/assets/logo_512.png` and `docs/favicon.ico` to the existing Microsoft/Expat stanza. # `docs/assets/logo_512.png` and `docs/favicon.ico` are missing from `debian/copyright` `docs/self_hosted_runners.md` contains the following footer (lines 154–159): ``` # License [Apache 2.0 License](../LICENSE) Copyright(C) 2024-2025 Advanced Micro Devices, Inc. All rights reserved. SPDX-License-Identifier: MIT ``` The file simultaneously references the Apache 2.0 license and carries an `SPDX-License-Identifier: MIT` tag. The `debian/copyright` catch-all stanza claims it is Apache-2.0. All three cannot be correct. Clarify the intent with upstream and document the responses/conversation. # Section and Priority You chose `Section: python`; this is questionable. The binary packages `lemonade-server` and `lemonade-desktop` are not Python libraries; `lemonade-server` is an `Architecture: linux-any` compiled C++ daemon, and `lemonade-desktop` is a web application. The `python` section is intended for Python packages. A more appropriate section would be `utils` or `net`. Per Debian Policy §2.4, the section must accurately reflect the package's nature. | View |
| siretart | 9.2.0-1 | 2 months, 19 days ago | 2 months, 19 days ago | rejected | 2 months, 18 days ago | Thanks for working on this package. I found two issues in `debian/copyright` that need to be addressed before we can accept it. The `Files: *` stanza includes the line `2023 Groq Inc. (portions derived from TurnkeyML/MLAgility)` in the `Copyright` field. The parenthetical remark is not a copyright statement; it is a clarification about the origin of some code. This belongs in a `Comment` field instead. The `Copyright` field should simply read `2023 Groq Inc.` to match the copyright notice given in NOTICE.md. The favicon stanza references `src/lemonade/tools/server/static/favicon.ico`, but that path does not exist in the source tree. The actual file lives at `src/cpp/resources/static/favicon.ico`. Please update the path accordingly. | View |
| siretart | 9.0.2+dfsg-1 | 3 months, 1 day ago | 3 months, 1 day ago | rejected | 3 months, 1 day ago | requested by maintainer, new version is in preparation to address found issues | View |
| siretart | 10.3.0-1 | 2 days ago | 2 days ago | rejected | 2 days ago | Thanks for your diligence while working on this package. I've had a look through the source, and while it's mostly there, I have to reject it for now because several of the blockers from the previous 10.0.0-1 rejection have only been partially addressed, and new issues have been introduced. ### Critical Issues (Blockers) 1. **Unresolved Runtime Downloads and Opaque Blobs (DFSG 2)** The `no_fetch_executables` override in `debian/rules` effectively disables the core binary downloader, but some backends bypass this mechanism. Specifically, `WhisperServer` (in `src/cpp/server/backends/whisper_server.cpp:117`) still attempts to download `.rai` compiled NPU caches directly via `HttpClient`, ignoring the global fetch setting. These are opaque, sourceless blobs that cannot be in `main`. Additionally, `FastFlowLMServer` triggers `flm pull`, initiating its own external downloads that lemonade cannot control via its internal flags. 2. **Licensing Contradictions in src/app/** The licensing declaration for the application subdirectory is currently contradicting itself. While `debian/copyright` (line 29) claims the entire `src/app/*` tree is under the `Expat` license, the subproject's own metadata says otherwise: `src/app/package.json` (line 23) explicitly declares the license as `Apache-2.0`. I suspect this is an upstream oversight, but as presented, it requires clarification to ensure the legal status of the application is correctly documented. 3. **Ambiguous Licensing and Non-Free Components (FastFlowLM)** The integration of FastFlowLM is problematic for `main`. Documentation in `docs/assets/install-selector.js:596` indicates that FLM is "free for non-commercial use," which violates DFSG 6. Furthermore, the copyright and licensing terms for FLM appear to be handled only within the runtime logic (not declared in the source or `debian/copyright`), which makes me quite nervous about what terms actually apply. This situation needs to be explicitly clarified and documented in `debian/copyright`. ### Required Fixes - **Patch Out Opaque Blob Fetching**: Completely remove the logic in `src/cpp/server/backends/whisper_server.cpp` that attempts to download compiled NPU caches (`.rai` files). - **Clarify src/app/ Licensing**: Resolve the discrepancy between the `Expat` claim in `debian/copyright` and the `Apache-2.0` declaration in `src/app/package.json`. - **Address FastFlowLM Status**: Clarify the licensing terms for FastFlowLM. If the non-commercial restriction applies, the backend must be removed or the package moved to `contrib`. - **Attribution for Assets**: Please ensure that all icons and banners in `src/cpp/installer/` and `src/app/src-tauri/icons/` are explicitly listed in `debian/copyright` with their appropriate copyright and license statements. -rt | View |
| siretart | 10.0.0-1 | 12 days ago | 12 days ago | rejected | 4 days ago | -email @REJECT.md | View |