Reviews for syft
All reviews for this package from team members (across all versions).
| Reviewer | Version | Allocated | Started | Status | Completed | Comment |
|---|---|---|---|---|---|---|
| siretart | 1.42.4+ds-1 | 2 months, 4 days ago | 2 months, 4 days ago | rejected | 2 months, 2 days ago | I have reviewed the `syft` source package and it is currently not suitable for inclusion in the Debian archive. **Critical Issues:** * **Excessive Vendoring and Maintainability**: This package currently ships over 340MB of vendored sources, accounting for approximately 88% of the entire source tree. This level of vendoring is a serious concern for maintainability, security tracking, and causes unnecessary bookkeeping and reviewing overhead. **This is a partial review**; a full rescan will be required only after the vendor tree has been significantly reduced by utilizing existing Debian libraries where possible. * **Incomplete DFSG Repack**: The `.orig.tar.gz` contains non-free license text in test fixtures (e.g., NVIDIA/CUDA license). Patching these out is insufficient; they **must be removed from the upstream tarball** using a proper `+ds` repack (e.g., `Files-Excluded` in `debian/copyright`). * **Missing Author Attributions**: A scan identified 64 missing author attributions. Apache, MIT, and BSD licenses require the full reproduction of the copyright notice. Missing authors include: * `WebGPU native developers`, `Mihai Bazon`, `Sam Lantinga`, `David Schultz`, `Emscripten authors`, `Alibaba Cloud`, `Oracle America, Inc`, and many others found in `internal/` and `testdata/`. * **Inaccurate Copyright Declarations**: * `syft/pkg/cataloger/golang/internal/xcoff/*`: Misattributed to Anchore/Apache-2.0 instead of Go Authors/BSD-3-clause. * `vendor/github.com/ProtonMail/go-crypto`: Incomplete entry; missing `Proton AG` and `ProtonTech AG`. * Missing entries: `vendor/github.com/kr/pretty`, `vendor/github.com/kr/text`, and `vendor/cyphar.com/go-pathrs`. Given the complexity and the scale of the Go dependencies, it is essential that you reach out to the **Debian Go Team** (pkg-go-maintainers@lists.alioth.debian.org). This package should ideally be maintained within the Go team to ensure it aligns with team standards for unvendoring and dependency management. Please perform a proper DFSG-clean repack, significantly reduce the vendored code, and ensure all required copyrights are fully reproduced before resubmitting. -rt |
| siretart | 1.42.3+ds-1 | 2 months, 17 days ago | 2 months, 17 days ago | rejected | 2 months, 16 days ago | Hi, I have to reject the package due to a DFSG violation regarding copyright attribution. 1. DFSG Violation (Blocker): debian/copyright (L73) states: "Copyright: 2014-2025 The respective authors and contributors". This is insufficient. Permissive licenses (Apache, BSD, MIT) require the verbatim reproduction of upstream copyright and permission notices. A catch-all statement fails to satisfy these license conditions. Please audit the source tree and include the verbatim notices. 2. Packaging & Architecture Review (Feedback): For future uploads, please address the following issues regarding your Go packaging methodology. Vendoring: The package heavily bundles dependencies (e.g., containerd, docker/cli, moby/sys). Debian strictly requires utilizing shared archive packages whenever possible. Vendoring introduces severe security maintenance burdens (CVE tracking across embedded copies) and unnecessary archive bloat. dh-golang integration (debian/rules): override_dh_auto_build: Hardcoding obj-x86_64-linux-gnu breaks cross-compilation and will FTBFS on non-amd64 architectures (e.g., arm64). Rely on standard dh-golang variables. override_dh_auto_test: Disabling the entire test suite degrades build-time QA. Please patch out/skip only the specific network-dependent tests and run the offline test suite. override_dh_golang: Bypassing this target due to go:embed directives causes the build to lose necessary helper functionality. If you require assistance resolving the go:embed or un-vendoring issues, I recommend consulting the pkg-go team on IRC or their mailing list. Regards, |
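Both reviews turn on the same audit: every copyright holder whose notice appears in the source tree must be named in the `debian/copyright` stanza that covers that file, and a catch-all such as "The respective authors and contributors" does not count. The script below is an added example written for this page; it is not part of the review, not a Debian tool, and not code from the syft project. It parses a DEP-5 `debian/copyright`, applies the DEP-5 rule that the last matching `Files:` stanza wins, pulls copyright notices out of each file with a regular expression, and reports holders the covering stanza fails to name, files no stanza covers at all, and stanzas that rely on catch-all wording. The source tree and the `debian/copyright` it runs on are constructed in a temporary directory to mirror the review's findings (xcoff files carrying a Go Authors notice under an Anchore stanza, an unlisted `kr/pretty` holder, a go-crypto stanza without Proton AG); they are not copies of the real package. The notice regex and the catch-all heuristic are assumptions, so the output is a worklist for a human check, not a verdict.

```python
"""Audit a Debian source tree's copyright notices against debian/copyright (DEP-5)."""
import fnmatch
import os
import re
import tempfile
from collections import defaultdict

# A copyright notice in a source or licence file. A line only counts when it carries a
# "(c)"/"©" marker or a year, which keeps "retain the above copyright notice" out.
NOTICE_RE = re.compile(
    r"copyright\s*(?P<mark>\(c\)|©)?\s*(?P<years>\d{4}(?:\s*[-,]\s*\d{4})*)?"
    r"\s*(?:by\s+)?(?P<holder>.+)",
    re.IGNORECASE,
)
# One line of a DEP-5 "Copyright:" field, e.g. "2014-2025 Anchore, Inc.".
DEP5_LINE_RE = re.compile(
    r"^\s*(?:copyright)?\s*(?:\(c\)|©)?\s*(?:\d{4}(?:\s*[-,]\s*\d{4})*)?\s*(?:by\s+)?(.+)$",
    re.IGNORECASE,
)
# Heuristic (assumption): wording that names nobody in particular.
CATCH_ALL_RE = re.compile(r"\b(respective|various) (authors|contributors)\b", re.IGNORECASE)


def normalise(raw):
    """Trim a holder string so the source and DEP-5 spellings compare equal."""
    holder = re.sub(r"\*/\s*$", "", raw.strip())  # trailing C comment close
    holder = re.sub(r"\.?\s*all rights reserved\.?$", "", holder, flags=re.IGNORECASE)
    holder = re.sub(r"\s+", " ", holder).strip(" .,;:")  # trailing "." dropped on both sides
    if not holder or holder.startswith("<") or "holder" in holder.casefold():
        return ""  # licence template text such as "<copyright holders>"
    return holder


def holders_in_text(text):
    found = set()
    for line in text.splitlines():
        m = NOTICE_RE.search(line)
        if m and (m["mark"] or m["years"]):
            holder = normalise(m["holder"])
            if holder:
                found.add(holder)
    return found


def parse_dep5(text):
    """Return [(globs, holders)] for every Files: stanza, in file order."""
    stanzas = []
    for para in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in para.splitlines():
            if line[:1].isspace() and key:  # continuation line
                fields[key].append(line.strip())
            else:
                key, _, value = line.partition(":")
                key = key.strip()
                fields[key] = [value.strip()] if value.strip() else []
        if "Files" in fields:
            globs = " ".join(fields["Files"]).split()
            lines = [l for l in fields.get("Copyright", []) if l]
            holders = {normalise(DEP5_LINE_RE.match(l)[1]) for l in lines} - {""}
            stanzas.append((globs, holders))
    return stanzas


def audit_tree(root, dep5_text, skip_dirs=(".git", "debian")):
    """Map each file to the *last* matching Files: stanza (DEP-5 precedence) and report
    holders that stanza does not declare, files no stanza covers, and catch-all stanzas."""
    stanzas = parse_dep5(dep5_text)
    report = {
        "missing": defaultdict(set),
        "uncovered": [],
        "catch_all_stanzas": [g for g, hs in stanzas if any(CATCH_ALL_RE.search(h) for h in hs)],
    }
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in skip_dirs)
        for name in sorted(filenames):
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            declared = None
            for globs, holders in stanzas:  # DEP-5 globs: "*" also matches "/"
                if any(fnmatch.fnmatchcase(rel, g) for g in globs):
                    declared = {h.casefold() for h in holders}
            if declared is None:
                report["uncovered"].append(rel)
                continue
            for holder in holders_in_text(text):
                if holder.casefold() not in declared:
                    report["missing"][holder].add(rel)
    report["missing"] = dict(report["missing"])
    return report


# Constructed sample tree (not syft's real sources); it mirrors the review's findings.
SAMPLE_FILES = {
    "syft/main.go": "// Copyright (c) 2020-2025 Anchore, Inc.\npackage main\n",
    "syft/pkg/cataloger/golang/internal/xcoff/file.go":
        "// Copyright 2009 The Go Authors. All rights reserved.\n"
        "// Use of this source code is governed by a BSD-style license.\npackage xcoff\n",
    "vendor/github.com/kr/pretty/License":
        "Copyright 2012 Keith Rarick\n\nPermission is hereby granted, free of charge, ...\n"
        "The above copyright notice and this permission notice shall be included.\n",
    "vendor/github.com/ProtonMail/go-crypto/LICENSE":
        "Copyright (c) 2009 The Go Authors. All rights reserved.\n"
        "Copyright (c) 2019 Proton AG\n"
        "THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\".\n",
}
# Constructed debian/copyright with a catch-all vendor stanza, as in the rejected upload.
SAMPLE_DEBIAN_COPYRIGHT = """\
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: syft

Files: *
Copyright: 2020-2025 Anchore, Inc.
License: Apache-2.0

Files: vendor/*
Copyright: 2014-2025 The respective authors and contributors
License: Apache-2.0

Files: vendor/github.com/ProtonMail/go-crypto/*
Copyright: 2009 The Go Authors
License: BSD-3-clause
"""


def build_sample_tree():
    root = tempfile.mkdtemp(prefix="copyright-audit-")
    for rel, body in SAMPLE_FILES.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    result = audit_tree(build_sample_tree(), SAMPLE_DEBIAN_COPYRIGHT)
    for holder, files in sorted(result["missing"].items()):
        print(f"missing attribution: {holder}: {', '.join(sorted(files))}")
    print("uncovered files:", result["uncovered"])
    print("catch-all stanzas:", result["catch_all_stanzas"])
```

Run it against an unpacked source package by calling `audit_tree(".", open("debian/copyright").read())`; a missing entry for a holder found only under `vendor/` usually means the stanza for that vendored module is absent, while a missing entry under a first-party path (the xcoff case) means an existing stanza claims files it does not own and a narrower stanza must be added after it.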
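The vendoring objection in both reviews starts with an inventory: which of the bundled Go modules already ship as `golang-*-dev` packages in the archive, which would need to be packaged first, and which `go.mod` replaces (so the vendored copy may not match the archive version and cannot simply be dropped). The script below is an added example for this page, not code from the review, from Debian's tooling, or from syft. It parses `vendor/modules.txt`, derives the Debian package name from the module path using host abbreviations recalled from the dh-make-golang naming convention (an assumption; confirm each name with `apt-cache pkgnames golang-`), classifies each module against a set of known archive packages, and emits `Build-Depends` entries with a version constraint only where the Go tag translates cleanly. The `modules.txt` and the archive package set it runs on are constructed placeholders, with made-up version numbers.

```python
"""Inventory vendor/modules.txt against Debian golang-*-dev packages."""
import re

# One module header in vendor/modules.txt, e.g.
#   # golang.org/x/sys v0.1.0
#   # github.com/foo/bar v2.0.0+incompatible => github.com/foo/bar v1.9.0+incompatible
# "## explicit" annotation lines and package lines do not start with "# ".
MODULE_HEADER_RE = re.compile(
    r"^# (?P<path>\S+)(?: (?P<version>v\S+))?"
    r"(?: => (?P<rpath>\S+)(?: (?P<rversion>\S+))?)?$"
)
SEMVER_RE = re.compile(r"^v\d+\.\d+\.\d+$")  # plain tags only; pseudo-versions excluded

# Host abbreviations in Debian Go package names (assumption: recalled from the
# dh-make-golang convention; verify against `apt-cache pkgnames golang-`).
KNOWN_HOSTS = {
    "github.com": "github", "gitlab.com": "gitlab", "bitbucket.org": "bitbucket",
    "golang.org": "golang", "google.golang.org": "google", "gopkg.in": "gopkg",
    "k8s.io": "k8s",
}


def debian_source_name(module_path):
    """golang.org/x/sys -> golang-golang-x-sys ; gopkg.in/yaml.v3 -> golang-gopkg-yaml.v3"""
    host, _, rest = module_path.lower().partition("/")
    prefix = KNOWN_HOSTS.get(host, host.replace(".", "-"))  # fallback for unknown hosts is a guess
    return f"golang-{prefix}-{rest.replace('/', '-').replace('_', '-')}".rstrip("-")


def unvendoring_plan(modules_txt, archive_packages):
    """Split vendored modules into packaged / unpackaged / replaced-by-go.mod."""
    plan = {"packaged": [], "unpackaged": [], "replaced": []}
    for line in modules_txt.splitlines():
        m = MODULE_HEADER_RE.match(line)
        if not m:
            continue
        dev = debian_source_name(m["path"]) + "-dev"
        if m["rpath"]:
            # A replace directive means the vendored tree is a fork or pin; the
            # archive package may not carry the same code, so review it by hand.
            plan["replaced"].append((m["path"], m["rpath"], m["rversion"]))
        elif dev in archive_packages:
            plan["packaged"].append((m["path"], m["version"], dev))
        else:
            plan["unpackaged"].append((m["path"], m["version"], dev))
    return plan


def build_depends(plan):
    """Build-Depends entries for modules the archive already carries; a versioned
    constraint only for plain tags (+incompatible and pseudo-versions do not map
    onto Debian version numbers)."""
    return [
        f"{dev} (>= {version[1:]})" if SEMVER_RE.match(version) else dev
        for _path, version, dev in plan["packaged"]
    ]


# Constructed sample modules.txt; module versions are placeholders, not syft's.
SAMPLE_MODULES_TXT = """\
# github.com/ProtonMail/go-crypto v1.1.0
## explicit; go 1.17
github.com/ProtonMail/go-crypto/openpgp
# github.com/kr/pretty v0.3.1
## explicit; go 1.12
github.com/kr/pretty
# golang.org/x/sys v0.28.0
## explicit; go 1.18
golang.org/x/sys/unix
# github.com/docker/docker v27.0.0+incompatible => github.com/docker/docker v26.0.0+incompatible
## explicit
github.com/docker/docker/api/types
# gopkg.in/yaml.v3 v3.0.1
## explicit
gopkg.in/yaml.v3
# github.com/example/notpackaged v0.1.0
## explicit
github.com/example/notpackaged
"""
# Constructed stand-in for the output of `apt-cache pkgnames golang-`.
SAMPLE_ARCHIVE_PACKAGES = {
    "golang-github-protonmail-go-crypto-dev", "golang-github-kr-pretty-dev",
    "golang-golang-x-sys-dev", "golang-gopkg-yaml.v3-dev", "golang-github-docker-docker-dev",
}

if __name__ == "__main__":
    plan = unvendoring_plan(SAMPLE_MODULES_TXT, SAMPLE_ARCHIVE_PACKAGES)
    for kind in ("packaged", "unpackaged", "replaced"):
        for entry in plan[kind]:
            print(f"{kind:10} {entry}")
    print("Build-Depends:", ", ".join(build_depends(plan)))
```

Every module in `unpackaged` is a package that must be introduced (or an existing one found under a different name) before the vendored copy can go; every module in `replaced` needs a diff between the vendored tree and the archive package before it can be swapped, which is the "CVE tracking across embedded copies" problem the reviewer describes in its concrete form.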