Re: Copyright and License Guidelines
Replying to both Jeremiah and Damyan here:
On Tue, Mar 22, 2011 at 5:39 AM, Jeremiah Foster
> Stating this policy clearly in pod, even if it is redundant, is good as long as it doesn't
> stray from the DFSG or try to reword already established Debian policies on copyright
> and licensing.
I don't think a friendly reminder about Debian's social contract and
free software guidelines is a bad thing, particularly since I would
submit the most active members of our group are not (yet) Debian
> Are there legal implications if you do not have the year of the copyright attribution?
> Is the copyright assignment weaker if it lacks a date?
Technically, a copyright statement is not actually a *must*, only
licensing is. However, I worded that harshly because I want to be
strict -- moving forward, we need to have somewhere we can point
authors to tell them that we *certainly* must have copyright
information. Here's why:
Without an explicit copyright statement, the burden is on the packager
to determine the appropriate copyright. Who holds the copyright, you
ask? Whoever has worked on the package, submitted code, etc. It may be
difficult or impossible to determine who has contributed, particularly
for team-maintained packages or where authors accept patches (without
a CLA as mentioned).
If you start a project, and I submit a patch to that project, in the
absence of a copyright statement and a CLA, it can be assumed that I
retain copyright on my work (that is, the patch I submitted to you).
Now I hold partial copyright to the project (the parts that I
contributed). You are no longer free to relicense things (as you would
have been able to do before, since you had the agreement of all
copyright owners -- that is, yourself :-)
There are probably other implications I am not aware of. I disagree
with Damyan on a philosophical note and do not believe the Contributor
License Agreements are a bad thing.
>> (BTW, good luck converting this to DEP5 :D)
If there are issues with the DEP5 format, I believe the issue should
be raised before making it a standard. DEP5 is already in CANDIDATE
>> Updating copyright information is easy. Examine the diff when
>> upgrading the upstream sources and be patient. Relying on external
>> sources seems like a easy workaround that may lead to wrong results.
This seems to neglect the fact that copyright information should
already be in the upstream package -- we are merely putting it in a
machine-readable format. The copyright/license details will always
accompany the source -- we are not stripping out upstream LICENSE
files or clauses in order to *replace* them with the DEP5 copyright
file. We are merely supplementing them.
> I think there is no viable alternative aside from correctness. I don't see how we can distribute
> software without confidence in copyright.
And we cannot have confidence in copyright without upstream giving us
the details. At the very least, if copyright information is incorrect,
then upstream will be liable -- not us.
>> This violates the Debian policy.
>> No. I can download the package off the web (without any dependencies).
>> Failure to mention copyright holders in such a package would mean
>> license breach (at least for GPL).
See above comment, copyright information always accompanies the