DFSG NEW Queue

DFSG, Licensing & New Packages Team

Review: sigsum-c 0.0~git20260420.0003fa6-1

New Package Report

.changes
Changed-By: Simon Josefsson
Architecture: source amd64
Distribution: experimental
Date: Tue, 21 Apr 2026 09:27:52 +0200
Source: sigsum-c
Version: 0.0~git20260420.0003fa6-1
Changelog:
sigsum-c (0.0~git20260420.0003fa6-1) experimental; urgency=medium
 .
   * Initial release (Closes: #1120561)
.dsc
Component: main
Package-List:
 libsigsum-dev deb libdevel optional arch=any
 libsigsum0 deb libs optional arch=any
 sigsum-c deb devel optional arch=any
Section: libdevel
Priority: optional
debian/copyright
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: sigsum-c
Source: https://git.glasklar.is/sigsum/core/sigsum-c

Files: *
Copyright: 2025, The Sigsum Project Authors
License: BSD-2-Clause

Files: aclocal.m4
Copyright: 2008-2026 Free Software Foundation, Inc.
           2026 Glasklar Teknik AB.
License: BSD-2-clause and FSFULLR

Files: debian/*
Copyright: 2026 Simon Josefsson <simon@josefsson.org>
License: BSD-2-Clause
Comment: Debian packaging is licensed under the same terms as upstream

License: FSFULLR
 This file is free software; the Free Software Foundation
 gives unlimited permission to copy and/or distribute it,
 with or without modifications, as long as this notice is preserved.
 This file is offered as-is, without any warranty.

License: BSD-2-Clause
 All rights reserved.
 .
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are met:
 .
 1. Redistributions of source code must retain the above copyright notice, this
    list of conditions and the following disclaimer.
 .
 2. Redistributions in binary form must reproduce the above copyright notice,
    this list of conditions and the following disclaimer in the documentation
    and/or other materials provided with the distribution.
 .
 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Review Information

accepted — allocated to siretart 9 days ago, started 9 days ago, completed 9 days ago.

Final Comment

sigsum-c

Public Notes

9 days ago ● public

Missed Author Check

Command: dnq author-check -prepare
Exit code: 0

Author check: scanned 62 files.

Result: ALL SOURCE AUTHORS LISTED IN debian/copyright

9 days ago ● public

copyright-grep

Command: rg -i '(licen[cs]e|copyr|©|\(c\))' --heading
Exit code: 0

LICENSE
BSD 2-Clause License
Copyright (c) 2025, The Sigsum Project Authors
1. Redistributions of source code must retain the above copyright notice, this
2. Redistributions in binary form must reproduce the above copyright notice,
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE

tools/sigsum-c-verify.c
    switch (c)

aclocal.m4
dnl Copyright (C) 2008-2026 Free Software Foundation, Inc.
dnl Copyright (C) 2026 Glasklar Teknik AB.
dnl 1. Redistributions of source code must retain the above copyright notice, this
dnl 2. Redistributions in binary form must reproduce the above copyright notice,
dnl THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
dnl DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE

debian/copyright
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Copyright: 2025, The Sigsum Project Authors
License: BSD-2-Clause
Copyright: 2008-2026 Free Software Foundation, Inc.
License: BSD-2-clause and FSFULLR
Copyright: 2026 Simon Josefsson <simon@josefsson.org>
License: BSD-2-Clause
Comment: Debian packaging is licensed under the same terms as upstream
License: FSFULLR
License: BSD-2-Clause
 1. Redistributions of source code must retain the above copyright notice, this
 2. Redistributions in binary form must reproduce the above copyright notice,
 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE

debian/salsa-ci.yml
  SALSA_CI_DISABLE_LICENSERECON: 0

debian/lrc.config
# It seems licensecheck cannot figure out this is an AND condition

README.md
The Sigsum C library itself is licensed under the permissive BSD
2-clause license, see the LICENSE and AUTHORS files.
is not subject only to the BSD 2-clause license, but also to the
licence conditions of Nettle and GMP. There are several options for
code under a GPL-compatible license, or link dynamically to Nettle and

AUTHORS
The copyright on the Sigsum C library is held by the respective
Unless file-specific copyright headers say otherwise, Sigsum is
permissively licensed according to the BSD 2-Clause License (see the
LICENSE file).
For contributions where copyrights are held by an organization, e.g.,
the author's employer, the copyright holder should be identified by
File-specific copyright headers should be used when necessary to
other sources, or governed by different license requirements.

9 days ago ● public

duck - check URL redirections

Command: duck
Exit code: 1

E: debian/control: Vcs-Git: https://salsa.debian.org/debian/libsigsum-c.git: ERROR (Certainty:certain)
   remote: HTTP Basic: Access denied. If a password was provided for Git authentication, the password was incorrect or you're required to use a token instead of a password. If a token was provided, it was either incorrect, expired, or improperly scoped. See https://salsa.debian.org/help/topics/git/troubleshooting_git.md#error-on-git-fetch-http-basic-access-denied
   fatal: Authentication failed for 'https://salsa.debian.org/debian/libsigsum-c.git/'

9 days ago ● public

License Detector

Command: license-detector .
Exit code: 0

.
	99%	BSD-2-Clause
	83%	BSD-3-Clause
	81%	BSD-2-Clause-Views

9 days ago ● public

licensecheck

Command: licensecheck -r . | grep -v 'No copyright'
Exit code: 0

./AUTHORS: BSD 2-Clause License
./LICENSE: BSD 2-Clause License
./aclocal.m4: BSD 2-Clause License and/or FSF Unlimited License (with License Retention)
./debian/copyright: BSD 2-Clause License and/or FSF Unlimited License (with License Retention)
