Re: Has Copyright summarizing outlived its usefulness?
Excerpts from Ian Jackson's message of 2017-12-12 15:38:29 +0000:
> The work of reviewing each source file, first by the maintainer, and
> then by ftpmaster when auditing, would still have to be done, I think.
>
> Or do you think we can avoid both the maintainer and then ftpmaster
> looking at every source file ?
>
> Do you think the work of writing down the source-file-by-source-file
> information (ie, the result of the maintainer's copyright review and a
> main input to the ftpmaster review) is wasted ?
>
Until we ask the ftpmasters to review every single source change, or
to spot check non-NEW changes, it is indeed a wasted effort to produce
this report for only the first time a particular source package enters
the archive. It makes very little sense that NEW is this huge hurdle,
but NEW+1 binary uploads are just a gpg signature away from unstable.
I believe we agreed to follow the rules when we became DD's. We also
assert what policy version we build our packages under when we upload
them.
While I do think ftp masters _should_ spot-audit these uploads, I don't
think debian/copyright should be required to be 100% comprehensive. Trying to
make it so for MySQL 5.5 was a huge waste of my time, and I vowed never to do
it again.
An auditor can look for inconsistencies, and gross ambiguities. But if
there's a tarball of source, and a debian/copyright file that asserts the
licenses and any required copyright notices for said files, that should
be enough. A brief check to make sure none of it smells fishy is hopefully
sufficient due-diligence to ensure that Debian is safe to redistribute.
Reply to: