Hello Mo, Le lundi, 30 mars 2020, 07.54:23 h CEST Mo Zhou a écrit : > I think sometimes the DFSG has been over-interpreted. Here I'm talking about > the recent REJECTion of src:smartdns from our NEW queue, where QR code > pictures used for donation have been deemed DFSG non-free . I'm not > satisfied with the explanation, and I think there is over-interpretation on > DFSG. > > I poked ftp-master about this problem: > > <lumin> spwhitton: I'm quite confused about REJECTION of src:smartdns. Why > can the QR code pictures for software author to receive donations be > DFSG-nonfree? > > And I got the following explanations: > > <spwhitton> lumin: IIRC that was not the only reason for REJECT. > Otherwise I would have PRODded. > > <ScottK> lumin: An image of a QR code wouldn't be the preferred form of > modification. They are usually generated from something. If the file it > was generated from isn't present and the tool to generate it isn't in > Debian, then it can't be shipped. Requiring preferred form of modification > is one area where Debian is often stricter than licenses due to DFSG. > > The pictures we're talking about are (…) > > Why are they non-free? They are non-free, because they cannot be rebuilt from their preferred form of modification. > Treating this files as non-free could lead to further problems. > > 1. If I stripped the donation codes from the source. > I believe such behaviour is **unethical**. It's allowed by GPL-3 licensing. Actually, we (Debian) require that this must be possible. But you can't be coerced into doing this (you can always opt to "not package for Debian"). > 2. If I decoded the QR code and replaced them with the underlying URLs. > There is no Chinese user who pay through URL instead of QR code. > > 3. If I stripped the donation codes but re-generated them during the > package build process. > "Oh damn, this QR code does not look like the original one and the > hashsum mismatches. Has the Debian developer forged the QR code to be > evil?" I mean there will be doubt if the distributed QR code is not > byte-to-byte equivalent to the one distributed by upstream author. We're _building_ source code towards binary artifacts all the time. Doing this (and being trusted to be doing it correctly) is one of the defining characteristics of being a "shipping-binaries" Linux distribution. The whole point of this exercise is that our build processes are auditable, and that eventual forgeries can be found, reported, and fixed. If you don't consider the result of your builds trustworthy, "we have a problem". > Is a QR code for donation really DFSG non-free? QR codes are artifacts in binary form, not in their preferred form of modification. By function, QR codes are vehicles of binary information, and can be easily reconstructed from said binary information without loss (of information). Frankly, simple lines like the following in debian/rules would do it: echo "http://donation-url.example.com/?vendor-id" | qrencode -o qr.png > Is DFSG over-interpreted in this case? IANAFM, but I don't think so. > How should package maintainers deal with QR codes ethically? Asking package maintainers to rebuild functionally-equivalent QR-codes during the build-process seems entirely reasonable to me. -- OdyX
Description: This is a digitally signed message part.