DFSG NEW Queue - Review: nethsm-pkcs11 2.0.0-1

Review: nethsm-pkcs11 2.0.0-1

New Package Report

.changes◂

Source	nethsm-pkcs11
Version	2.0.0-1
Changed-By	Fabian Grünbichler
Architecture	source amd64
Distribution	unstable
Date	Thu, 05 Mar 2026 21:01:24 +0100

Changelog◂

nethsm-pkcs11 (2.0.0-1) unstable; urgency=medium
 .
   [ Tobias Deiminger ]
   * Initial release. (Closes: #1113986)
 .
   [ Fabian Grünbichler ]
   * relax ureq
   * d/rules: add (Static-)Built-Using
   * d/control: drop Priority: optional
   * d/control: drop RRR³ no
   * d/control: update dependencies
   * update Standards-Version to 4.7.3

.dsc◂

Package-List	nethsm-pkcs11 deb libs optional arch=any
Section	libs
Priority	optional
Component	main

debian/copyright◂

Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: nethsm-pkcs11
Upstream-Contact: support@nitrokey.com
Source: https://github.com/Nitrokey/nethsm-pkcs11

Files: *
Copyright:
 2015-2016 Brian Smith.
 1998-2011 The OpenSSL Project.  All rights reserved.
 1995-1998 Eric Young (eay@cryptsoft.com)
 2015, Google Inc.
 2015-2016 the fiat-crypto authors
 2023 Nitrokey
License: Apache-2.0

Files:
 pkcs11/src/backend/db/attr.rs
 pkcs11/src/backend/db/mod.rs
 pkcs11/src/backend/db/object.rs
 pkcs11/src/backend/mechanism.rs
 pkcs11/src/utils.rs
Copyright:
 2020-2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 2023 Nitrokey
License: Apache-2.0

Files:
 fork-tests/pkcs11.h
Copyright:
 2006-2007 g10 Code GmbH
 2006 Andreas Jellinghaus
 2017 Red Hat, Inc.
License: public-domain
 This file is free software; as a special exception the author gives
 unlimited permission to copy and/or distribute it, with or without
 modifications, as long as this notice is preserved.
 .
 This file is distributed in the hope that it will be useful, but
 WITHOUT ANY WARRANTY, to the extent permitted by law; without even
 the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
 PURPOSE.

Files: debian/*
Copyright: 2026 Tobias Deiminger <tobias.deiminger@linutronix.de>
License: Apache-2.0

License: Apache-2.0
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
     http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 .
 On Debian systems, the complete text of the Apache License,
 Version 2.0 can be found in '/usr/share/common-licenses/Apache-2.0'.

Review Information

rejected — allocated to awm 6 hours ago, started 6 hours ago, completed 6 hours ago.

Final Comment

For some reason lintian thinks this is an NMU? Is there an issue with
the changelog not matching the version?

Also, see note about public-domain vs CC0, if that's not too onerous to
fix.

Thanks!

Public Notes

6 hours ago ● public

Lintian

Command: lintian -Iiv -L '>=warning' --show-overrides --color=never ../$(basename $PWD)_*.changes
Exit code: 0

N:
W: nethsm-pkcs11 source: no-nmu-in-changelog [debian/changelog:1]
N: 
N:   When you NMU a package, that fact should be mentioned on the first line in
N:   the changelog entry. Use the words "NMU" or "Non-maintainer upload" (case
N:   insensitive).
N:   
N:   Maybe you didn't intend this upload to be a NMU, in that case, please
N:   double-check that the most recent entry in the changelog is byte-for-byte
N:   identical to the maintainer or one of the uploaders. If this is a local
N:   package (not intended for Debian), you can suppress this warning by
N:   putting "local" in the version number or "local package" on the first line
N:   of the changelog entry.
N: 
N:   Please refer to Using the DELAYED/ queue (Section 5.11.3) in the Debian
N:   Developer's Reference for details.
N: 
N:   Visibility: warning
N:   Show-Always: no
N:   Check: nmu
N:   Renamed from: changelog-should-mention-nmu
N: 
N:
W: nethsm-pkcs11 source: source-nmu-has-incorrect-version-number 2.0.0-1 [debian/changelog:1]
N: 
N:   A source NMU should have a Debian revision of "-x.x" (or "+nmuX" for a
N:   native package). This is to prevent stealing version numbers from the
N:   maintainer.
N:   
N:   Maybe you didn't intend this upload to be a NMU, in that case, please
N:   double-check that the most recent entry in the changelog is byte-for-byte
N:   identical to the maintainer or one of the uploaders. If this is a local
N:   package (not intended for Debian), you can suppress this warning by
N:   putting "local" in the version number or "local package" on the first line
N:   of the changelog entry.
N: 
N:   Please refer to NMUs and debian/changelog (Section 5.11.2) in the Debian
N:   Developer's Reference for details.
N: 
N:   Visibility: warning
N:   Show-Always: no
N:   Check: nmu
N: 
N:
N: Rust library yaml-rust too contains the signature string, but is a pure
N: Rust implementation. Reported in #932634. "Fixed" and marked done, but
N: later reverted in lintian.
O: nethsm-pkcs11: embedded-library libyaml [usr/lib/x86_64-linux-gnu/pkcs11/libnethsm_pkcs11.so]
N: 
N:   The given ELF object appears to have been statically linked to a library.
N:   Doing this is strongly discouraged due to the extra work needed by the
N:   security team to fix all the extra embedded copies or trigger the package
N:   rebuilds, as appropriate.
N:   
N:   If the package uses a modified version of the given library it is highly
N:   recommended to coordinate with the library's maintainer to include the
N:   changes on the system version of the library.
N: 
N:   Please refer to Embedded code copies (Section 4.13) in the Debian Policy
N:   Manual for details.
N: 
N:   Visibility: error
N:   Show-Always: no
N:   Check: libraries/embedded
N: 
N:
N: Upstream provides no detached tarball signatures; debian/watch uses
N: mode=git,pgpmode=git to verify signed tags instead.
O: nethsm-pkcs11 source: orig-tarball-missing-upstream-signature nethsm-pkcs11_2.0.0.orig.tar.gz
N: 
N:   The packaging includes an upstream signing key but the corresponding .asc
N:   signature for one or more source tarballs are not included in your
N:   .changes file.
N:   
N:   Please ensure a <package>_<version>.orig.tar.<ext>.asc file exists in the
N:   same directory as your <package>_<version>.orig.tar.<ext> tarball prior to
N:   dpkg-source --build being called.
N:   
N:   If you are repackaging your source tarballs for Debian Free Software
N:   Guidelines compliance reasons, ensure that your package version includes
N:   dfsg or similar.
N:   
N:   Sometimes, an upstream signature must be added for an orig.tar.gz that is
N:   already present in the archive. Please include the upstream sources again
N:   with dpkg-genchanges -sa while the signature is also present. Your upload
N:   will be accepted as long as the new orig.tar.gz file is identical to the
N:   old one.
N: 
N:   Please refer to Bug#954743 and Bug#872864 for details.
N: 
N:   Visibility: warning
N:   Show-Always: no
N:   Check: upstream-signature
N:

Back to Dashboard | View all reviews for this package