On Sun, May 01, 2011 at 05:53:33PM +0200, Florian Weimer wrote: > > There is no requirement in Debian to track the copyright status of > > the work beyond what's required by statute or by the licenses > > themselves. > If we do not track the copyright status, how can we make sure that the > licensing conditions actually match the requirements of the DFSG? You cannot "make sure" of this with or without maintainers adding verbose copyright detail to debian/copyright. The only way you'll be sure is when someone tells you some of this information is wrong! So this would be a lot of effort for no real benefit AFAICS. Verbosity is no guarantee of correctness, and the more manual work we demand from maintainers in documenting copyright, the lower the average quality of that documentation will be. > > The risk of a hostile entity deliberately injecting code into our > > archive so that they can sue us later for copyright infringement is > > remote - and the sort of hypothetical that we shouldn't be basing > > our policies around. > There is, however, considerable risk that we pick up code from some > upstream where upstream was negligent or has deliberately violated > copyright requirements. This risk will exist anyway. There is never an upper limit to the amount of time, energy, and money you can spend trying to reduce risk. There is, however, a limit to how much good it does you to engage in such risk mitigation. I think trying to manually document the copyright holder of each file in each source package in our archive is definitely past the point of diminishing returns. I submit as evidence of this the fact that Debian has never yet been sued for such unintended copyright infringement. OTOH, I think good tools that help us *automatically* record copyright information in a meaningful way and assist us in auditing the copyright and license status of our packages are a worthy investment. > This risk is unfortunately not remote. People do label pictures taken > by others with the wrong CC license, and those who rely on the > incorrect labeling commit copyright infringement if they make use of > the CC-granted permissions. But including the name of the copyright holder (if upstream even gives us the real name instead of claiming it's their creation) doesn't significantly help us in preventing the labelling with the wrong license. We don't have the resources to conduct an audit over the entire archive by contacting all the copyright holders to verify the licenses; and it would be very easy for some of these copyright holders to become annoyed by such inquiries (and many of them will not bother replying, I'm sure). So what's the point of spending more effort than we already do gathering names of copyright holders if this won't significantly improve our confidence in the correctness of the license statements? -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer http://www.debian.org/ slangasek@ubuntu.com vorlon@debian.org
Attachment:
signature.asc
Description: Digital signature