Re: Sponsorship requirements and copyright files

On Sun, 22 Mar 2009 02:53:51 +0000
Noah Slater <nslater@tumbolia.org> wrote:

> On Sat, Mar 21, 2009 at 09:42:35AM -0500, Manoj Srivastava wrote:
> >         Why do they have to? I know, the ftp team made it up. But there
> >  is no reason in policy or in copyright law for such copying to
> >  occur. But it would be nice to know why it is needed.
> I can think of a few desirable reasons:
>   * To show the FTP masters that they have thoroughly checked the licensing.
>   * To provide concise information for our users.

That does not need a complete list, it merely needs a statement that
this has been done. Either way, the result has to be taken on trust
unless someone else spends the time to verify the result for each
package upload - that is where the workload becomes an issue. People
are complaining because these wishlist problems are being elevated to a
severity higher than RC in packages that have thousands of contributors
and where even upstream probably doesn't know exactly how many exist.
What matters is not missing out any licences, missing out a few names
and email addresses is minor.

How many users are ever going to want this information *duplicating
anything already in the source package*?? How many of those users are
only complaining because it is their name that got left out? Is their
vanity sufficiently important to block acceptance of the entire
package? If there is an AUTHORS file in the source package and the
debian packaging has a clear attribution, why is it necessary to list
everyone else? It's a bug in the source package if it is a problem at
all. (And if anyone files a bug like that against one of my source
packages, it will be wishlist severity and no higher. I may even ignore
it for a few upstream releases just to make the point.)

Besides, various packages already include a statement like "and anyone
else I've forgotten" in the AUTHORS file.

I try to cover everyone in small to medium sized packages - it is just a
nice thing to do but it is no more than that. Being nice to people does
not require listing thousands and having packages REJECTED because one
got missed - that isn't being nice to the maintainer. 

Actually, as this is a signed document verifiable as coming from
me, I might as well state that if any package contains material that
is under my copyright but has left my copyright details out of
debian/copyright by accident or by intent, then that is fine, don't
worry about it. If you feel like adding it later, that's fine by me. I
will not make any list that attempts to be a complete list of projects
in which I may have material under my copyright because I'm not sure I
could remember (but it's not that many). If there is a statement
somewhere in the source to the effect that the copyright includes other
contributors whose names may have been forgotten, then I consider that
as acceptable. However, if any package containing material under my
copyright tries to change the licence or misses out the licence details
or wilfully violates the licence or deliberately removes from the
source code a copyright notice that I have manually inserted at an
earlier date, then I reserve the right to insist on such an issue being

I would expect that a lot of upstream contributors would feel similarly
- retain the listings that the copyright holder has made themselves
but do not assume that the copyright holder requires such attributions
to be duplicated anywhere else.

That is the rub - what matters are licences and licences are only
enforceable by the copyright holders. As long as there is one copyright
holder who is able to pursue licence violations then the list of
copyright holders is sufficient.

So why do we insist on names and email addresses? The only possible
reason I can see is that Debian wants to be able to relicence stuff and
needs to constantly retain an impossibly ambitious list of copyright
holders that is self-evidently incomplete, just in case one of the
thousands of source packages needs to be relicenced and we want to
contact every copyright holder. Ummm, am I the only one who thinks that
is going just a tad too far?

Yes, we had problems with iceweasel, a certain package I won't mention
and possibly other packages over time but those are individual cases
and things get sufficiently involved during those episodes that there
certainly *IS* time to thoroughly review the source code of the entire
package in question in order to ascertain what we can only hope is as
complete a list as we can manage.

IMHO it is about not getting hung up on the process but considering the
reasoning behind the process. AFAICT, there is no good reason to
document every single copyright holder but there are very good reasons
to document every applicable LICENCE.

As a sponsor, I do *not* require that every single copyright holder is
listed in debian/copyright. I *do* require that every file in the
source package has been checked for the applicable LICENCE and that all
such LICENCES are declared in debian/copyright along with clear
identification of which files use which licence. Where there is a clear
division between copyright holders and licences, I would expect that
the sections of debian/copyright dealing with files under that licence
specify that the files are Copyright foo rather than Copyright bar
that applies elsewhere. If some names and / or email addresses fall
through the gaps, so be it.

I've not had problems with this approach with regards to NEW up to this
point in time.

> > > We require, and have seen nothing to convince us otherwise, that Debian
> > > maintainers need to do the basic work of listing each copyright holder in
> > > debian/copyright, as seen in the source files and AUTHORS list or
> > > equivalent (if any).
> >
> >         Why do you think this work is needed? You must have had some
> >  rationale, since you made up this policy.
> Again, to document that they have, in fact, done what they are supposed to.

On what basis and for what gain? Documenting (duplicating) something
merely by rote is a waste of everyone's time. If there is no good
reason other than to document something that has to be taken on trust
anyway, what is the point?

The list of names and email addresses in debian/copyright is
unverifiable without redoing all the work yourself. In large packages,
that is simply pointless. As long as all licences are covered, it would
be insane to reject packages merely because less than 1% of the
possible copyright holders were omitted. Especially when the actual
names and email addresses in the relevant source files are by no means a
complete listing of all copyright holders in the first place.

We can apologise to anyone who is inadvertently left out and who
personally feels that this is an issue - add them at the next upload,
fine. The workload to require this for every single copyright holder,
even ones that are not explicitly listed by upstream, is just mad.


Neil Williams

Attachment: pgpOfR4tHWT_O.pgp
Description: PGP signature