#883966 debian-policy: please add MIT/Expat to common licenses

Package:
debian-policy
Source:
debian-policy
Submitter:
Markus Koschany
Date:
2017-12-29 09:51:07 UTC
Severity:
wishlist
Blocked By:
885698: Update and document criteria for inclusion in /usr/share/common-licenses (important; stable, testing, unstable)

#883966#5
Date:
2017-12-09 20:44:08 UTC
From:
To:
Hi,

as discussed on debian-devel [1] I would like to see that more DFSG
licenses are added to /usr/share/common-licenses and that package
maintainers are just allowed to reference them.

License: MIT / Expat
Source: https://opensource.org/licenses/mit-license.php
Example packages: https://wiki.debian.org/DFSGLicenses#The_MIT_License

Regards,

Markus

[1] https://lists.debian.org/debian-devel/2017/12/msg00209.html

#883966#10
Date:
2017-12-11 03:32:53 UTC
From:
To:
Markus Koschany <apo@debian.org> writes:

I continue to be concerned that adding any version of this license to
common-licenses will create a trap for the unwary.  There are very
frequent wording differences in the exact terms of this license between
different packages, and any version that doesn't exactly match the wording
that we include in common-licenses still legally needs to be reproduced in
the package's copyright file.  And this is an error that's very hard to
find with Lintian.

#883966#15
Date:
2017-12-11 16:00:50 UTC
From:
To:
On 11.12.2017 at 04:32, Russ Allbery wrote:

Hi,

I have been working on ~500 packages during the past five years and I
have never seen a package that used a different version of this license.
When upstream mentions the MIT license nowadays it is almost 100 %
certain that they refer to this license. I know there are different
wordings but that should not stop us from including the MIT-Expat
license in Debian. We can never totally eliminate human error but in the
end the maintainer is ultimately responsible for checking whether this
version of the license applies or any other. Of course this is also true
for all other licenses and variants. If the wording differs from the
above license text then the license text must be reproduced verbatim in
debian/copyright. No changes here.

Markus

#883966#20
Date:
2017-12-11 17:44:54 UTC
From:
To:
Markus Koschany <apo@debian.org> writes:

That's surprising, since I maintain a package that has three different
versions just in that one package.  Are you sure that every one of those
500 packages said "THE AUTHORS OR COPYRIGHT HOLDERS" in the last paragraph
and didn't substitute in their names?

Humans will frequently not notice the differences.  I have software that
constructs a debian/copyright file that requires a word-for-word match
with the license statement, so maybe this is more obvious to me?

I understand this desire for longer licenses.  This one is three
paragraphs long.  I really don't get why it's such a problem to reproduce
that in debian/copyright.

#883966#25
Date:
2017-12-11 23:32:23 UTC
From:
To:
On 11.12.2017 at 18:44, Russ Allbery wrote:

I quickly checked the three example packages mockito, pyblosxom and
kraptor and they use "THE AUTHORS OR COPYRIGHT HOLDERS". I'm not sure
why your upstream did replace this phrase but I consider this to be a
bug and I would report it.

I don't want to open another can of worms yet but I believe even if
someone changed this phrase and we simply stated MIT as license in
debian/copyright we still wouldn't violate any law because
debian/copyright is something Debian specific which we impose on
ourselves and not required by the license terms themselves. The license
simply requires:

"The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software."

This is always satisfied as long as you don't remove the license from
the original file. I would really appreciate it if we could get real
legal advice and a clarification from a professional lawyer for this
issue someday.

packages which are relatively old and stable and don't change anymore.
But if you really start to update ~1 package per day and are even one of
those guys who convert debian/copyright to format 1.0 you will really
appreciate any sort of time saving. There are projects like Minetest
where people tend to license each and every image under a different
license: WTFPL, MIT, LGPL, CC-BY-3.0, CC-BY-SA-3.0, CC-BY-SA-4.0,
CC-BY-4.0, GPL-2+, etc. pp. Or take a look at ufoai and ufoai-data. I
had to write an ufoai_copyright.py script to parse an upstream specific
license file and to convert that into debian/copyright. 5000 files, 12
different licenses. I had to create my own "standalone_licenses" file
[1]. That shouldn't be necessary, really.

Netbeans comes with 80000 files. debian/copyright is > 110kb. I have
recently decided to remove the (unused) demos from src:bullet because I
spent more time on reviewing the debdiff and documenting new copyright
holders and licenses with each new release because of them than it
actually took to refresh the patches and compile the package.

In a nutshell: Every bit of time saving is good. Any bit of
simplification when creating and maintaining debian/copyright is good.

I would also like to see that we can completely give up on stating:

"On Debian systems, the full text of the foo license
 can be found in the file '/usr/share/common-licenses/foo'"

This could be implicit when we change the copyright 1.0 paragraph from

Files: foo.bar
Copyright: 2017, Smith
License: MIT
 "On Debian systems, the full text of the MIT license
 can be found in the file '/usr/share/common-licenses/MIT'"

to:

Files: foo.bar
Copyright: 2017, Smith
License: [MIT]

Cleaner and shorter and sources.debian.org could parse [MIT] and link to
the complete license text.

I will file another bug report for that later. I will also file more
license requests in the coming days.

Regards,

Markus

[1] https://sources.debian.org/src/ufoai/2.5-3/debian/standalone_licenses/

#883966#30
Date:
2017-12-12 02:39:38 UTC
From:
To:
Markus Koschany <apo@debian.org> writes:

The binaries built from the source code are a "substantial portion of the
Software."  We have to include the license and copyright statement with
the binaries, since they're a derivative work, and those packages don't
contain the source code and the original license notices.

#883966#35
Date:
2017-12-12 13:40:54 UTC
From:
To:
On 12.12.2017 at 03:39, Russ Allbery wrote:

We always distribute the source code along with the binary packages.
This condition would still be satisfied. If it works for Red Hat /
Fedora it should work for Debian too.

#883966#40
Date:
2017-12-12 17:39:35 UTC
From:
To:
Markus Koschany <apo@debian.org> writes:

packages and not the source.

This isn't the rule we've followed in the past, and this is well outside
the scope of the Policy team to decide.  We would need a ruling from the
relevant delegate (ftpmaster, or DPL plus outside legal counsel) to make
this change, I think.

In the meantime, Policy should continue to be written assuming the current
rule: we do not treat distribution of the source alongside binary packages
as satisfying requirements to include the license, and every binary
package has to be accompanied by its license or a reference to
common-licenses (because base-files can be assumed to be installed or
easily installable on every system on which any Debian package is
installed).