[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: CodeIgniter license

On Sun, May 01, 2011 at 05:53:33PM +0200, Florian Weimer wrote:

> > There is no requirement in Debian to track the copyright status of
> > the work beyond what's required by statute or by the licenses
> > themselves.

> If we do not track the copyright status, how can we make sure that the
> licensing conditions actually match the requirements of the DFSG?

You cannot "make sure" of this with or without maintainers adding verbose
copyright detail to debian/copyright.  The only way you'll be sure is when
someone tells you some of this information is wrong!  So this would be a lot
of effort for no real benefit AFAICS.  Verbosity is no guarantee of
correctness, and the more manual work we demand from maintainers in
documenting copyright, the lower the average quality of that documentation
will be.

> > The risk of a hostile entity deliberately injecting code into our
> > archive so that they can sue us later for copyright infringement is
> > remote - and the sort of hypothetical that we shouldn't be basing
> > our policies around.

> There is, however, considerable risk that we pick up code from some
> upstream where upstream was negligent or has deliberately violated
> copyright requirements.

This risk will exist anyway.

There is never an upper limit to the amount of time, energy, and money you
can spend trying to reduce risk.  There is, however, a limit to how much
good it does you to engage in such risk mitigation.  I think trying to
manually document the copyright holder of each file in each source package
in our archive is definitely past the point of diminishing returns.  I
submit as evidence of this the fact that Debian has never yet been sued for
such unintended copyright infringement.

OTOH, I think good tools that help us *automatically* record copyright
information in a meaningful way and assist us in auditing the copyright and
license status of our packages are a worthy investment.

> This risk is unfortunately not remote.  People do label pictures taken
> by others with the wrong CC license, and those who rely on the
> incorrect labeling commit copyright infringement if they make use of
> the CC-granted permissions.

But including the name of the copyright holder (if upstream even gives us
the real name instead of claiming it's their creation) doesn't significantly
help us in preventing the labelling with the wrong license.  We don't have
the resources to conduct an audit over the entire archive by contacting all
the copyright holders to verify the licenses; and it would be very easy for
some of these copyright holders to become annoyed by such inquiries (and
many of them will not bother replying, I'm sure).  So what's the point of
spending more effort than we already do gathering names of copyright holders
if this won't significantly improve our confidence in the correctness of the
license statements?

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

Attachment: signature.asc
Description: Digital signature

Reply to: