
Re: debimg 0.0.4 released



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

since you did not care to reply to my previous mail[0] yet, I do hereby
once again inform you that you are still violating the GPL2, clause 3,
and do remind you to take the required actions to resolve the situation.

This mail is CC'ed to the alioth admins so that they are made aware of
it and kept in the loop.

Again, you do violate GPL2 clause 3 in four cases. These are:

CASE 1
======

http://alioth.debian.org/~jak-guest/debimg_0.0.1.tar.gz
MD5:    b0b2fa0f674700fe6a13bd2af5ea6580
SHA1:   21ddb9d2d4536e7127db58f41bdbbbea6eec8cd6
SHA256: a583a930443217926342b757a9ee35d21489e4a8cf0d5867815e53aa56287629

This tarball contains a binary "data/isolinux.bin":

3.36,   build-id Debian-2007-08-30
MD5:    89f62bf55c4b42f4ea88d44b986ea6f5
SHA1:   efa4f380c62e2ba85b7020c5d25f6137632582b6
SHA256: 15a057ab41fe35ef114af1c078f5e4a2c8768b712d465551f680b389b4dbf1d7

This binary was built from syslinux 3.36 sources; the build-id contains
the date of the day when it was built. In Debian, the following complete
list of versions of syslinux 3.36 was uploaded:

3.36-1, build-id Debian-2007-03-05
MD5:    16d055e3b2af857eec7de5bc455e52b5
SHA1:   d9003c3635b9cd0532b520dbaa71b426c15110ea
SHA256: efb6483f451385866ad59e403058cf50dcedf228138774f2b270e7d7fce4e69e
URL:    http://daniel.debian.net/packages/syslinux/3.36-1/

3.36-2, build-id Debian-2007-04-11
MD5:    7e0965385651aa4d145197ebf34453cd
SHA1:   1c0ea1718d2d9b98887f4a00a07bedf86b6de68a
SHA256: 68342d356c2fbcb18921108fb162a9c7fbb7ec62f9583bafd9a68e32117a9098
URL:    http://daniel.debian.net/packages/syslinux/3.36-2/

3.36-3, build-id Debian-2007-05-09
MD5:    1b0e5fda9b9f192cd62fbb370fceae42
SHA1:   16a4e1d0d7a00e18173c1a81de9f3d17869709b1
SHA256: 81e066dbe735843604b9033e13b692573716f4df0832ca11fa55ce6100c7e9f7
URL:    http://daniel.debian.net/packages/syslinux/3.36-3/

3.36-4, build-id Debian-2007-05-12
MD5:    53135b9a14179dc41ec6e3557cacfbb8
SHA1:   08dd859168bb9b6d3ca9cc3e0c1c6cb8ef8bfd48
SHA256: 2ca55a820e8c1a2d06a0deea24235ccb3bee640582a2edf61d2f223a93a72b59
URL:    http://daniel.debian.net/packages/syslinux/3.36-4/

3.36-5, build-id Debian-2007-05-31
MD5:    628b8f85602a5788e962c5150fa9b5cd
SHA1:   287e7587e25182c7b8c7bebb4ab2f46d3c77abaf
SHA256: b54b68db93d076f6b0496b09631f75804d21ec6fe27d520749d6edffe5f74b54
URL:    http://daniel.debian.net/packages/syslinux/3.36-5/

As you can see, the version you are embedding in debimg_0.0.1.tar.gz
does not come from Debian.

Please remove the debimg_0.0.1.tar.gz tarball, or provide the sources of
the custom syslinux build you were using for the isolinux.bin.

CASE 2, 3 and 4
================

http://alioth.debian.org/~jak-guest/debimg_0.0.2.tar.gz
MD5:    8ee12218c41c4ed9f635bdb40075bfab
SHA1:   de17e4284917b5ea97ee4b7a64faf8c3b9b82a28
SHA256: 32b4a698bb4315b11799bdebdd8a937386c6b76a7ad1905882d427445f0a77d8

http://alioth.debian.org/~jak-guest/debimg_0.0.3.tar.gz
MD5:    663f3be243aee33b90720a458446389e
SHA1:   dbc3ec172010fe1b048897a5efc65da7a46746de
SHA256: 224d02eccd764dda7210a14ca97572e95382c65e2d0f48850023217309cd3f02

http://alioth.debian.org/~jak-guest/debimg_0.0.4.tar.gz
MD5:    51a6ada037981516697ec8afcb773539
SHA1:   0786df7075ed5c9a5ce6ef79e4c073894cc6efc0
SHA256: 0a72e62029e659cd719ab57229047eb9becbaaff78b63b76cac9a4fb9ff50a3d

These tarballs all contain a binary "data/isolinux.bin":

3.61,   build-id Debian-2008-02-05
MD5:    32d9e5c572e9de9aa7b30683db74af85
SHA1:   a18b017c4775f63364ecfda0342048b26f78ea6c
SHA256: 28bc5c2ff8cc0727b36475f609eb0a95ee27c8d90b97a6a313ba38a8c10ff49c

This binary was built from syslinux 3.61 sources; the build-id contains
the date of the day when it was built. In Debian, the following complete
list of versions of syslinux 3.61 was uploaded:

3.61-1, build-id Debian-2008-02-04
MD5:    26c92aaf2d73c907600309de2682ceba
SHA1:   44ab6b23b71d0a337d7acfd081d4cdbb331db4c1
SHA256: 3272bbda53e4becb6a97fee1a3ea8005a36f406805f63248616449fd929e52dc
URL:    http://daniel.debian.net/packages/syslinux/3.61-1/

3.61+dfsg-1, build-id Debian-2008-02-05
MD5:    32d9e5c572e9de9aa7b30683db74af85
SHA1:   a18b017c4775f63364ecfda0342048b26f78ea6c
SHA256: 28bc5c2ff8cc0727b36475f609eb0a95ee27c8d90b97a6a313ba38a8c10ff49c
URL:    http://daniel.debian.net/packages/syslinux/3.61+dfsg-1/

As you can see, the version you are embedding in debimg_0.0.2.tar.gz,
debimg_0.0.3.tar.gz, and debimg_0.0.4.tar.gz do come from syslinux
3.61+dfsg-1. However, you need to ship sources for that (see below in
'SHIPPING SOURCES').

SHIPPING SOURCES
================

As already told in my original mail[0], I'm summarising again:

There are two parties that you need to satisfy. First, the license of
the upstream author under which you distribute the mentioned software,
and second the Debian policy.

As already said, the Debian policy does not apply to debimg since it is
an unofficial package not included and not distributed within the Debian
distribution. Regardless, you have to comply to the upstream license.

My motivation is threefold: First, as any good citizen of the free and
open source community (and especially as a New Maintainer applicant),
you are entitled to respect upstream licenses under which you obtain
software. Second, you are legally bound to the terms of the upstream
license (which is not at me to legally enforce, though). Third, you are
distributing debimg from official Debian resources (namely the machine
running alioth.debian.org).

The legal problem you are having is that you're not complying with GPL2,
clause 3, which regulates the handling of sources when distributing
binaries built from sources that are licensed under the GPL, which is
what you do. To make it as easy as possible for you to understand the
license's demands, let's have a look at the text, shall we?

| 3. You may copy and distribute the Program (or a work based on it,
| under Section 2) in object code or executable form under the terms of
| Sections 1 and 2 above provided that you also do one of the following:

That means that you are only allowed to distribute binaries if and only
if you do one of the following clauses; otherwise you're not complying with
the license, which means we are falling back to copyright law, and that
does not grant you any right to distribute the software at all. Also see
clause 4 for explicit termination.

| a) Accompany it with the complete corresponding machine-readable
| source code, which must be distributed under the terms of Sections
| 1 and 2 above on a medium customarily used for software interchange;
| or,

This is what I'm requesting from you, but which you refuse to do up to
now. I still recommend that you do so. Note that the sources must be
*exactly* matching - e.g. for debimg_0.0.1.tar.gz you cannot provide
sources by using any of the Debian uploads of syslinux 3.36, since your
binary was not taken out of one of these binary packages.

| b) Accompany it with a written offer, valid for at least three
| years, to give any third party, for a charge no more than your
| cost of physically performing source distribution, a complete
| machine-readable copy of the corresponding source code, to be
| distributed under the terms of Sections 1 and 2 above on a medium
| customarily used for software interchange; or,

As said in a previous mail, you can go with paragraph b). Your package
is not in the Debian distribution and therefore, the technical
requirements of the Debian policy do not apply. However, going this
route is very unfortunate, especially for the alioth admins. The legal
entity that is distributing the binary (be it you, the alioth admins or
SPI doesn't matter much here) needs to *ensure* that you have the sources
available and can deliver them at any point, up to three years after you
have stopped distributing the binary.

If you decide to choose this option to comply with clause 3, you need to
put a text file named README.sources, SOURCES or similar into the
package (and probably also into the webspace as such for easier
readability), stating how to contact you to request the sources.

However, please make sure you have the acknowledgement of the alioth admin
team, as they probably don't want you to do this wrt/ the legal
implications it could possibly impose on them in case you disappear and
can not respond to source requests in future.

| c) Accompany it with the information you received as to the offer
| to distribute corresponding source code.  (This alternative is
| allowed only for noncommercial distribution and only if you
| received the program in object code or executable form with such
| an offer, in accord with Subsection b above.)

This is the option you have deliberately chosen at:

http://alioth.debian.org/~jak-guest/README.source
MD5:    79b6d83124152d10d9703fd58f178b76
SHA1:   a011118032d3a4993241420b27b3cceabc943201
SHA256: da1b99852f59daf093f6f2ec3fdc3145f77c29d4d11c414eb8a45708ee967912

with the following content:

- ------------------------------------------------------------------------
The source for isolinux.bin can be found at
http://snapshot.debian.net/package/syslinux/
The version used is 3.61+dfsg-1

http://snapshot.debian.net/archive/2008/02/05/debian/pool/main/s/syslinux/syslinux_3.61+dfsg-1.dsc
http://snapshot.debian.net/archive/2008/02/05/debian/pool/main/s/syslinux/syslinux_3.61+dfsg.orig.tar.gz
http://snapshot.debian.net/archive/2008/02/05/debian/pool/main/s/syslinux/syslinux_3.61+dfsg-1.diff.gz
- ------------------------------------------------------------------------

However, as the parentheses explain, this option to fulfil clause 3 is
only valid if you have received the binary distributed with sources
under clause 3, paragraph b). This is not the case; you have received
the binary under clause 3, paragraph a) from the Debian archive,
therefore the README.source is meaningless and does not apply to fulfil
clause 3.

Also, your reply[2] pointing at debian-cd is null; debian-cd does it
wrong too.

Unrelated to that: Even if it would, it's fundamentally broken since it
does not list which tarball uses which syslinux version (and not all
tarballs are using a binary from 3.36+dfsg-1).

Following on to your reply[2], you also pointed to the following
explanatory paragraph of clause 3:

| If distribution of executable or object code is made by offering
| access to copy from a designated place, then offering equivalent
| access to copy the source code from the same place counts as
| distribution of the source code, even though third parties are not
| compelled to copy the source along with the object code.

This just allows you to split binaries and sources into individual
packages or tarballs, it doesn't have to be all in one fat tarball;
nothing more.

*Iff* you could choose to distribute syslinux binaries built from the
Debian source packages of syslinux under GPL3, you would also gain the
additional right that you are not even required to put all sources and
binaries into one package/tarball (as GPL2 already grants you, quoted
above), but also, as you correctly referenced in your reply[2], to
additionally distribute the sources on a different network server than
the binaries. Therefore, snapshot.debian.net would qualify as a valid
source distribution point, but *only* in this case.

However, you cannot distribute the Debian sources under GPL3, since
everything before version 3.70+dfsg-1 has licensed its debian/* under
GPL2 only, not GPL2+. This makes using syslinux under GPL3 impossible if
you build the binaries from the Debian package, as the build system and
the sources themselves need to be compatible wrt/ source distribution (or in
other words: you cannot apply GPL3 clause 6, paragraph d to the debian/*
files of the syslinux source package, and thus not apply it to it as a
whole).

Unrelated to that: For future usage (any version later than
3.70+dfsg-1), you will be able to choose GPL3. But if you indeed choose
to distribute under GPL3, you need to clearly mark that you do so,
both in the debimg tarballs, and you should also first get the
acknowledgement from the alioth admins regarding the reasons already listed in
the commentary to GPL2 clause 3, paragraph b).

SOLUTION
========

To resolve the situation, the best would be if you:

  * either remove debimg_0.0.1.tar.gz completely if you're unable to
    provide sources under clause 3, paragraph a),

  * or upload the sources to an additional tarball to accompany
    debimg_0.0.1.tar.gz in case you have the matching sources.

Repackaging debimg_0.0.1.tar.gz wouldn't be neat, since
first you're changing released tarballs, and second it would be
legally cleaner to just deliver source code (lately) for
debimg_0.0.1.tar.gz, rather than stopping to distribute
debimg_0.0.1.tar.gz without ever having provided sources for it, and at
the same time starting to distribute a new tarball
(debimg_0.0.1+fixed.tar.gz or similar).

Regards,
Daniel

[0] http://lists.debian.org/debian-cd/2008/09/msg00016.html
[1] https://nm.debian.org/nmstatus.php?email=jak%40jak-linux.org
[2] http://lists.debian.org/debian-cd/2008/09/msg00015.html

- --
Address:        Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:          daniel.baumann@panthera-systems.net
Internet:       http://people.panthera-systems.net/~daniel-baumann/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkjHlZQACgkQ+C5cwEsrK540GgCbBhabE0qEySm2WTtAFXJyCank
5MYAoMU6MNc/cmLBO2c1pC+7IMoy5ebI
=ikYy
-----END PGP SIGNATURE-----
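The provenance check carried out by hand in CASE 1 and CASES 2-4 above (hash the isolinux.bin inside each tarball and compare it against the hashes of every isolinux.bin Debian actually shipped) can be automated. The script below is an added example and is not code from the mail, from debimg or from the syslinux package. It reuses the SHA256 values listed in the mail as its known-good table; everything else is constructed: the sample tarball, its payload, and the assumption that isolinux.bin carries an ASCII banner of the form "ISOLINUX <version> <build-id>" (the mail only states that the build-id contains the build date, not where it is stored).

```python
import hashlib
import io
import re
import tarfile
from typing import Optional, Tuple

# SHA256 of the isolinux.bin shipped by each Debian syslinux upload, copied
# from the mail above. Any embedded binary whose hash is not in this table was
# not taken from a Debian package, whatever its banner claims.
KNOWN_DEBIAN_ISOLINUX_SHA256 = {
    "efb6483f451385866ad59e403058cf50dcedf228138774f2b270e7d7fce4e69e": "syslinux 3.36-1 (build-id Debian-2007-03-05)",
    "68342d356c2fbcb18921108fb162a9c7fbb7ec62f9583bafd9a68e32117a9098": "syslinux 3.36-2 (build-id Debian-2007-04-11)",
    "81e066dbe735843604b9033e13b692573716f4df0832ca11fa55ce6100c7e9f7": "syslinux 3.36-3 (build-id Debian-2007-05-09)",
    "2ca55a820e8c1a2d06a0deea24235ccb3bee640582a2edf61d2f223a93a72b59": "syslinux 3.36-4 (build-id Debian-2007-05-12)",
    "b54b68db93d076f6b0496b09631f75804d21ec6fe27d520749d6edffe5f74b54": "syslinux 3.36-5 (build-id Debian-2007-05-31)",
    "3272bbda53e4becb6a97fee1a3ea8005a36f406805f63248616449fd929e52dc": "syslinux 3.61-1 (build-id Debian-2008-02-04)",
    "28bc5c2ff8cc0727b36475f609eb0a95ee27c8d90b97a6a313ba38a8c10ff49c": "syslinux 3.61+dfsg-1 (build-id Debian-2008-02-05)",
}

# ASSUMPTION (hypothetical layout): the binary contains an ASCII banner such as
# "ISOLINUX 3.61 Debian-2008-02-05". The banner is only what the binary *claims*;
# the hash comparison above is the check that actually decides provenance.
BANNER_RE = re.compile(rb"ISOLINUX (\d+\.\d+) ([A-Za-z0-9.+-]+)")


def extract_member(tarball_bytes: bytes, suffix: str = "data/isolinux.bin") -> Optional[bytes]:
    """Return the first regular member whose path ends with `suffix`
    (e.g. debimg-0.0.1/data/isolinux.bin), or None if there is none."""
    with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith(suffix):
                handle = tar.extractfile(member)
                return handle.read() if handle else None
    return None


def banner_of(blob: bytes) -> Optional[Tuple[str, str]]:
    """(version, build-id) as claimed by the banner, or None if no banner is found."""
    match = BANNER_RE.search(blob)
    return (match.group(1).decode(), match.group(2).decode()) if match else None


def check_isolinux_provenance(tarball_bytes: bytes) -> dict:
    """Hash the embedded isolinux.bin and look it up in the Debian table."""
    blob = extract_member(tarball_bytes)
    if blob is None:
        return {"present": False}
    digest = hashlib.sha256(blob).hexdigest()
    origin = KNOWN_DEBIAN_ISOLINUX_SHA256.get(digest)
    return {
        "present": True,
        "sha256": digest,
        "claimed": banner_of(blob),
        # None means no Debian upload produced this exact binary, so the Debian
        # source packages cannot serve as its corresponding source.
        "debian_origin": origin,
        "source_available_from_debian": origin is not None,
    }


def build_sample_tarball(payload: bytes, prefix: str = "debimg-0.0.1") -> bytes:
    """Constructed tarball (not a real debimg release) with one data/isolinux.bin."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(name=f"{prefix}/data/isolinux.bin")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed stand-in for a custom build: the banner claims a date matching no
# Debian upload, and its hash is, of course, absent from the table as well.
SAMPLE_CUSTOM_BUILD = b"\x00" * 16 + b"ISOLINUX 3.36 Debian-2007-08-30" + b"\x00" * 16

if __name__ == "__main__":
    report = check_isolinux_provenance(build_sample_tarball(SAMPLE_CUSTOM_BUILD))
    for key, value in report.items():
        print(f"{key:>30}: {value}")
```

Run against a real release tarball, `check_isolinux_provenance(open(path, "rb").read())` yields `debian_origin` set for a binary lifted from a Debian package and `None` for a private build, which is the distinction the mail draws between debimg 0.0.1 and the later releases. The banner is reported only for context: a date string can be edited, a SHA256 over the whole file cannot be made to collide with a listed upload, so the table lookup is the evidence that matters.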