Re: write-only copyright information

To: debian-devel@lists.debian.org
Subject: Re: write-only copyright information
From: Simon McVittie <smcv@debian.org>
Date: Thu, 10 Feb 2022 13:09:53 +0000
Message-id: <[🔎] YgUOfRh8zN00kiAz@momentum.pseudorandom.co.uk>
In-reply-to: <[🔎] CAKZYK490QtXdwQ+6FC+UBaV72ESHgM=UEA-CAd2kUjMo8fPCjg@mail.gmail.com>
References: <CAKZYK4-v1uZgECozv44aw=U33367vB8rxn0T2OwrERXkU1OTSw@mail.gmail.com> <[🔎] 164433477648.2636895.16922257999934052669@auryn.jones.dk> <[🔎] CAKZYK48HDda1yBZ+wMsT3mG0+h1PCKMGZwGDJPSj_1OuQtLQCw@mail.gmail.com> <[🔎] 87bkzhjg7r.fsf@hope.eyrie.org> <[🔎] CAKZYK490QtXdwQ+6FC+UBaV72ESHgM=UEA-CAd2kUjMo8fPCjg@mail.gmail.com>

On Thu, 10 Feb 2022 at 11:59:11 +0100, Stephan Lachnit wrote:
> No, you don't have to master SPDX! That's the point: you don't
> interact with it at all. It's created by tools, and shipped to satisfy
> the legal obligation to provide copyright information.

So, are you saying this is something you are doing to satisfy the "letter
of the law" for licenses that require copyright notices to be reproduced
alongside binaries, to avoid having that noise reduce the clarity of the
information we are providing for other, arguably more useful reasons?

Obviously it's not my decision to make, but I have never been particularly
convinced by the assertion that we can fulfil the GPL's requirement for
corresponding source to accompany binaries by offering source packages
from the same places that ship binaries, but at the same time we cannot
fulfil various licenses' requirement for copyright notices to accompany
binaries by pointing to those same source packages and saying "it's
all there".

The usual form of words in the licenses that require copying copyright
notices calls for the copyright notice to appear in the "documentation or
other materials"; I think we could reasonably argue that source packages
are a form of extremely comprehensive documentation (they document the
precise behaviour of the binaries!) and they are certainly "other materials".

However, if the ftp team have a problem with that reasoning, then yes,
it seems like there could be value in having an essentially write-only
format for the information that the license requires us to reproduce. That
way, we fulfil the letter of the license by providing the information we
are required to (even though it isn't particularly practically useful
to wade through the list of around 400 potential copyright holders in
a medium-sized package like GTK[1]), and at the same time, fulfil the
spirit of the license by communicating the parts that practically matter
in a more concise form (in the case of GTK, this would be "LGPL-2.1+
and various compatible licenses", which is the information you'll get
from basically any other distribution's GTK packaging).

    smcv

[1] https://tracker.debian.org/media/packages/g/gtk4/copyright-4.6.0ds1-3,
    almost certainly incomplete (but neither the maintainers nor the ftp
    team noticed any omissions, which is as good as we will
    realistically get)

Reply to:

Follow-Ups:
- Re: write-only copyright information
  - From: Stephan Lachnit <stephanlachnit@debian.org>

References:
- Re: Automated copyright reviews using REUSE/SPDX as alternative to DEP-5
  - From: Jonas Smedegaard <jonas@jones.dk>
- Re: Automated copyright reviews using REUSE/SPDX as alternative to DEP-5
  - From: Stephan Lachnit <stephanlachnit@debian.org>
- Re: Automated copyright reviews using REUSE/SPDX as alternative to DEP-5
  - From: Russ Allbery <rra@debian.org>
- Re: Automated copyright reviews using REUSE/SPDX as alternative to DEP-5
  - From: Stephan Lachnit <stephanlachnit@debian.org>

Prev by Date: Re: LESS copyright, not more!
Next by Date: Re: developers-reference "vs" wiki.debian.org/DebianMaintainer
Previous by thread: Re: Automated copyright reviews using REUSE/SPDX as alternative to DEP-5
Next by thread: Re: write-only copyright information
Index(es):
- Date
- Thread