- Package:
- debian-policy
- Source:
- debian-policy
- Submitter:
- Markus Koschany
- Date:
- 2017-12-29 09:51:07 UTC
- Severity:
- wishlist
- Blocked By:
-
Bug Title 885698 77
Update and document criteria for inclusion in /usr/share/common-licenses important stable testing unstable about 1 month ago
Hi, as discussed on debian-devel [1] I would like to see that more DFSG licenses are added to /usr/share/common-licenses and that package maintainers are just allowed to reference them. License: MIT / Expat Source: https://opensource.org/licenses/mit-license.php Example packages: https://wiki.debian.org/DFSGLicenses#The_MIT_License Regards, Markus [1] https://lists.debian.org/debian-devel/2017/12/msg00209.html
Markus Koschany <apo@debian.org> writes: I continue to be concerned that adding any version of this license to common-licenses will create a trap for the unwary. There are very frequent wording differences in the exact terms of this license between different packages, and any version that doesn't exactly match the wording that we include in common-licenses still legally needs to be reproduced in the package's copyright file. And this is an error that's very hard to find with Lintian.
Am 11.12.2017 um 04:32 schrieb Russ Allbery: Hi, I have been working on ~500 packages during the past five years and I have never seen a package that used a different version of this license. When upstream mentions the MIT license nowadays it is almost 100 % certain that they refer to this license. I know there are different wordings but that should not stop us from including the MIT-Expat license in Debian. We can never totally eliminate human error but in the end the maintainer is ultimately responsible for checking whether this version of the license applies or any other. Of course this is also true for all other licenses and variants. If the wording differs from the above license text then the license text must be reproduced verbatim in debian/copyright. No changes here. Markus
Markus Koschany <apo@debian.org> writes: That's surprising, since I maintain a package that has three different versions just in that one package. Are you sure that every one of those 500 packages said "THE AUTHORS OR COPYRIGHT HOLDERS" in the last paragraph and didn't substitute in their names? Humans will frequently not notice the differences. I have software that constructs a debian/copyright file that requires a word-for-word match with the license statement, so maybe this is more obvious to me? I understand this desire for longer licenses. This one is three paragraphs long. I really don't get why it's such a problem to reproduce that in debian/copyright.
Am 11.12.2017 um 18:44 schrieb Russ Allbery: I quickly checked the three example packages mockito, pyblosxom and kraptor and they use "THE AUTHORS OR COPYRIGHT HOLDERS". I'm not sure why your upstream did replace this phrase but I consider this to be a bug and I would report it. I don't want to open another can of worms yet but I believe even if someone changed this phrase and we simply stated MIT as license in debian/copyright we still wouldn't violate any law because debian/copyright is something Debian specific which we impose on ourselves and not required by the license terms itself. The license simply requires: "The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software." This is always satisfied as long as you don't remove the license from the original file. I would really appreciate it if we could get real legal advice and a clarification from a professional lawyer for this issue someday. packages which are relatively old and stable and don't change anymore. But if you really start to update ~1 package per day and are even one of those guys who convert debian/copyright to format 1.0 you will really appreciate any sort of time saving. There are projects like Minetest where people tend to license each and every image under a different license: WTFPL, MIT, LGPL, CC-BY-3.0, CC-BY-SA-3.0, CC-BY-SA-4.0, CC-BY-4.0, GPL-2+, etc. pp. Or take a look at ufoai and ufoai-data. I had to write an ufoai_copyright.py script to parse an upstream specific license file and to convert that into debian/copyright. 5000 files, 12 different licenses. I had to create my own "standalone_licenses" file [1]. That shouldn't be necessary, really. Netbeans comes with 80000 files. debian/copyright is > 110kb. I have recently decided to remove the (unused) demos from src:bullet because I spent more time on reviewing the debdiff and documenting new copyright holders and licenses with each new release because of them than it actually took to refresh the patches and compile the package. In a nutshell: Every bit of time saving is good. Any bit of simplification when creating and maintaining debian/copyright is good. I would also like to see that we can completely give up on stating: "On Debian systems, the full text of the foo license can be found in the file '/usr/share/common-licenses/foo'" This could be implicit when we change the copyright 1.0 paragraph from Files: foo.bar Copyright: 2017, Smith License: MIT "On Debian systems, the full text of the MIT license can be found in the file '/usr/share/common-licenses/MIT'" to: Files: foo.bar Copyright: 2017, Smith License: [MIT] Cleaner and shorter and sources.debian.org could parse [MIT] and link to the complete license text. I will file another bug report for that later. I will also file more license requests in the coming days. Regards, Markus [1] https://sources.debian.org/src/ufoai/2.5-3/debian/standalone_licenses/
Markus Koschany <apo@debian.org> writes: The binaries built from the source code are a "substantial portion of the Software." We have to include the license and copyright statement with the binaries, since they're a derivative work, and those packages don't contain the source code and the original license notices.
Am 12.12.2017 um 03:39 schrieb Russ Allbery: We always distribute the source code along with the binary packages. This condition would still be satisfied. If it works for Red Hat / Fedora it should work for Debian too.
Markus Koschany <apo@debian.org> writes: packages and not the source. This isn't the rule we've followed in the past, and this is well outside the scope of the Policy team to decide. We would need a ruling from the relevant delegate (ftpmaster, or DPL plus outside legal counsel) to make this change, I think. In the meantime, Policy should continue to be written assuming the current rule: we do not treat distribution of the source alongside binary packages as satisfying requirements to include the license, and every binary package has to be accompanied by its license or a reference to common-licenses (because base-files can be assumed to be installed or easily installable on every system on which any Debian package is installed).