
Re: Consultation on license documents



On Fri, Mar 17, 2023 at 09:09:22PM +0800, 刘涛 wrote:
> Hello, I have the following questions to consult and look forward to your authoritative answers.
> 
> 1. Must various software packages in the Debian community contain a
> license file "license.txt"? Without this file, how do the users
> know about the license usage of the package?

Debian packages have licensing information in /usr/share/doc/<package-name>/copyright.

There is no consensus in the global, upstream open source movement
about where the licensing information should be found in the source
distribution for an open source package.  I will typically look at the
COPYING file, and the README file, and I'd say that most of the time,
I can find the licensing information there.  However, we (the Debian
community) do not have the authority to mandate a standard place for
upstream software packages to place the licensing information.

It is the responsibility of the Debian maintainer when they are
packaging a software package for Debian to find the copyright and
licensing information and then arrange to make sure that when the
package is installed, the licensing information is installed in
/usr/share/doc/<package>/copyright, and in the debian/copyright file
in the Debian source package.

There is a proposed standard being promulgated by the Linux foundation
called SPDX[1], which has been standardized by the Internet
Organization for Standardization (ISO), as ISO/IEC 5962:2021.  This is
a scheme for tagging source files, which is important because very
often licensing information is much more fine-grained than
at the level of a single package.  This is why the Debian copyright
format[2], DEP-5, can also provide copyright information on a
per-source-file basis.

[1] https://spdx.dev/
[2] https://dep-team.pages.debian.net/deps/dep5/

For companies that are interested in license compliance, they may find this
particular article, "Open-Source License Compliance in Software Supply
Chains"[3] useful.  It was published in the book Towards Engineering
Free/Libre Open Source Software (FLOSS) Ecosystems for Impact and
Sustainability.

[3] https://dirkriehle.com/publications/2017-selected/license-clearance-in-software-product-governance/

These days, there is a lot of work in people interested in Open Source
supply chains who are now worrying about being able to track libraries
used in products and companies' production code, not just from the
perspective of copyright license compliance, but for security reasons
as well.  For example, at the 2022 Linux Foundation Member Summit[4],
there were four sessions, including two keynotes, on this subject.
Slides and video for the keynote talks are available; slides are
linked off of the session descriptions.  The video of the keynotes
is available here[5].

[4] https://events.linuxfoundation.org/archive/2022/lf-member-summit/program/schedule/
[5] https://www.youtube.com/watch?v=BltvpGfqz14


> 2. I found that each software package has a "Copyleft" document, and
> a lot of license information is also listed in this
> document. Therefore, I would like to ask, when the two documents
> "license.txt" and "Copyleft" exist in the software package at the
> same time, which one should the user take as the basis, and how to
> deal with the situation where the declared license information of
> the two documents is inconsistent?  Which shall prevail?

I am not a lawyer, and even if I were a lawyer, I am not *your*
lawyer, so I am not in a position to give legal advice.  If you want
an authoritative opinion, you will need to find a lawyer who is
willing to give you formal legal advice, and they will very likely ask to be
paid in order to give you that opinion.

Best regards,

					- Ted
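The message above notes that SPDX tags source files individually and that DEP-5 (debian/copyright) can record copyright and license on a per-file basis. The following added example, which is not part of Ted's message and is not a Debian or SPDX project tool, shows the connection in code: it scans a constructed in-memory source tree for "SPDX-License-Identifier:" tags, groups the tagged files into DEP-5 style "Files:" stanzas, and lists files that carry no tag at all (the ones a maintainer would have to clear by hand). The sample file contents, the copyright holder string and the omission of the DEP-5 header paragraph are assumptions made for the example.

```python
"""Added example (not Ted's, Debian's or SPDX's own code): derive DEP-5 style
"Files:" stanzas from SPDX-License-Identifier tags and flag untagged files."""
import re
from collections import defaultdict

# Matches the SPDX short-form tag inside a line comment ("// ...", "# ...")
# or a block comment ("/* ... */", "<!-- ... -->").  The license expression
# may contain letters, digits, ".", "+", "-", parentheses and spaces.
SPDX_TAG = re.compile(
    r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-() ]+?)\s*(?:\*/|-->|$)",
    re.MULTILINE,
)

# Constructed sample tree (path -> leading file content); these are not real
# files, just inline data so the example runs offline.
SAMPLE_TREE = {
    "src/main.c": "// SPDX-License-Identifier: GPL-2.0-or-later\n#include <stdio.h>\n",
    "src/util.c": "/* SPDX-License-Identifier: GPL-2.0-or-later */\n",
    "lib/vendored/tiny.h": "/* SPDX-License-Identifier: MIT */\n",
    "lib/vendored/blob.c": "/* no license tag at all */\n",
    "debian/rules": "#!/usr/bin/make -f\n# SPDX-License-Identifier: GPL-2.0-or-later\n",
}


def extract_spdx(text):
    """Return the SPDX license expression from the first tag in text, or None."""
    m = SPDX_TAG.search(text)
    return m.group(1).strip() if m else None


def scan_tree(tree):
    """Map every path to its SPDX expression (None when the file is untagged)."""
    return {path: extract_spdx(content) for path, content in tree.items()}


def untagged(results):
    """Files with no SPDX tag: these need manual license clearance."""
    return sorted(p for p, lic in results.items() if lic is None)


def group_by_license(results):
    """Group tagged files by license expression, one group per DEP-5 stanza."""
    groups = defaultdict(list)
    for path, lic in results.items():
        if lic is not None:
            groups[lic].append(path)
    return {lic: sorted(paths) for lic, paths in groups.items()}


def dep5_stanzas(results, copyright_holder):
    """Render DEP-5 style Files/Copyright/License stanzas.

    The copyright holder is supplied by the caller (an assumed value here)
    because an SPDX license tag says nothing about who holds the copyright;
    continuation lines of the Files field are indented as DEP-5 requires."""
    out = []
    for lic, paths in sorted(group_by_license(results).items()):
        out.append("Files: " + "\n       ".join(paths))
        out.append("Copyright: " + copyright_holder)
        out.append("License: " + lic)
        out.append("")
    return "\n".join(out).rstrip("\n")


if __name__ == "__main__":
    res = scan_tree(SAMPLE_TREE)
    print(dep5_stanzas(res, "2023 Example Project Contributors"))
    print("\nUntagged files needing manual review:", untagged(res))
```

Running it prints two stanzas (one for the three GPL-2.0-or-later files, one for the MIT header) and reports lib/vendored/blob.c as untagged. The untagged list is the security-relevant output: a vendored file whose license and origin are unknown is exactly the kind of dependency that supply-chain tracking is meant to surface.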

