Re: Sponsorship requirements and copyright files

On Sun, 22 Mar 2009 12:56:06 +0100
Joerg Jaspert <joerg@debian.org> wrote:

> First, let me apologize for my last mail in this thread, it had been a
> little too rude/harsh/direct. My fault, sorry. (We all should calm down,
> flaming won't help)

/me calms down too.

> On 11696 March 1977, Russ Allbery wrote:
> > Joerg Jaspert <joerg@debian.org> writes:
> >> We require, and have seen nothing to convince us otherwise, that Debian
> >> maintainers need to do the basic work of listing each copyright holder
> >> in debian/copyright, as seen in the source files and AUTHORS list or
> >> equivalent (if any).
> > So, the question being raised on this thread is why?  What purpose does
> > this work serve?
> Multiple, honestly. One is that there is one place where to look for
> that information. That's a minor thing, really, but one.

True, minor.

> Then there is following Debian's policy.

which can be modified if necessary

> And then we also follow the licenses, especially those that require it.
> Also, keep in mind what Mark wrote elsewhere. He asked the DPL to let
> SPI get us some lawyers' input on the question. That's probably the best course.

So we need clarity on precisely which licences require the list of
copyright holders but we also need clarity on whether such requirements

1. the list of copyright holders that upstream make available in
AUTHORS or similar files, or

2. some wider list that is constantly harvested from the source code by
some means not used by upstream which may or may not include or
duplicate existing information elsewhere in the upstream source, and

3. whether the list must be absolutely and 100% complete at all
times, even if such completeness is not easily achievable.

We also need clarity on why debian/copyright should have a higher level
of scrutiny than the upstream itself. Debian does not hold copyright on
most upstream source packages, why do we second-guess upstream teams?

If there have been instances in the past, do those (presumably few
instances) warrant the imposition of unnecessary work onto all
packages? (Unnecessary in the sense that there is no evidence that the
upstream listings are actually incomplete.)

It is the expectation that debian/copyright be continuously updated
with names and email addresses independent of changes made by upstream
to files like AUTHORS that is irksome.

Is it acceptable to mimic the actual copyright holders and say:
"and anyone else we might have forgotten"? If not, why not?

> > The argument against doing it is that it takes increased time over just
> > verifying the licenses of every file and requires ongoing maintenance that
> > could be spent on tasks more directly related to improving the
> > software.
> You do have to check every file anyway, otherwise you can't be sure
> about your copyright file listing all the licenses your package
> uses. And I sincerely hope no one will contest the need to list the
> various licenses a package uses?

Agreed - except copyright holder details change *far* more frequently
than licences.

That is a key point for me. The entire source package does need to be
checked for LICENCE details, I don't think anyone disputes that. What
does become a problem is *then* requiring that after the licences are
checked, that the entire list of copyright holders is run through a
separate parsing process to work out who isn't listed in which section
of debian/copyright.

It is a separate process - it has to be if debian/copyright is to
remain sane. We can't simply copy the entire copyright section of every
source file, there has to be some form of uniqueness sorting, some
filtering of duplicates and repetition. (Upstreams have a noticeable
tendency to wrap and modify copyright statements in such ways as to
make regular expression matching across the entire set of source
packages in Debian almost impossible and frequently unreliable).

Ally that with the frequent additions of new copyright holders to some
source files and not to others and you have a vast increase in the
workload for subsequent versions, despite absolutely no changes in the
actual licences being used or to the listing of which files use which

> > Is the reason that you feel most licenses require preservation of the
> > copyright notice and it's easier to enforce it uniformly for all copyright
> > files?  Is there some other larger reason why is this important for the
> > project?  (Please note that I'm not assuming that you have no reason.  I
> > just don't understand, from the discussion so far, what it is.  We can't
> > really have a meaningful discussion until we're all on the same page)
> Yes, that's definitely part of the reason. Also, if people would look at
> how NEW had been handled in the past up to now, instead of purely
> exaggerating and taking actions from there, they would have found out
> that we are usually pretty lenient with this enforcement. We do mention
> it when we see it and whenever we do have a reject anyway, like when
> people forgot to mention a license at all. Rejection solely based on
> missing (C) notices might (have) happen(ed), but should be seldom and
> when there are lots of them with a license requiring them.

As long as the licences are correct, is there any reason to exclude
even those occasional cases?

> Also, if just a small set is missing and nothing else would block
> accepting the package, we quite often accept the package and send a
> comment to the maintainer saying that the following couple of lines
> should be added at the next upload.

Isn't that an upstream bug?


Neil Williams
