On Sunday 11 December 2016 12:28:24 Ian Jackson wrote: > Pali Rohár writes ("Re: is igmpproxy dfsg compliant?"): > > Ok, package is already in new queue: > > https://ftp-master.debian.org/new/igmpproxy_0.1-1.html > > Hrm. I didn't spot that. Well, anyway, thanks for your hard work. > > As regards the package I didn't find anything terrible (although I > didn't quite finish everything I wanted to check - in particular I > haven't looked at the github project), but I did find twho things > that's are a slight problem: > > AFAICT you think the overall resulting licence is GPLv2+ (that's > certainly what Johnny Egeland has written, and that's what you've > written in debian/copyright. But there are mentions of contributions > from Carsten Schill under GPLv2-only. Has anyone contacted Carsten > about this ? igmpproxy is derived work from the smcroute 0.92. Carsten Schill is author of smcroute. I checked license of smcroute 0.92 and it specify: ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License as published by ** the Free Software Foundation; either version 2 of the License, or ** (at your option) any later version. So I have not contacted him as he already clarify his work under GPLv2+. In COPYING of igmpproxy is just GPLv2 for his work, but it is probably mistake in COPYING file as I was not able to find any information that smcroute 0.92 was under different license as GPLv2+ in past. > And, there are a couple of files (`install-sh' and `missing') under > the MIT X Licence, which is not mentioned in debian/copyright. That > is a GPL-compatible licence so it's not a big problem, but the > licence should be mentioned in debian/copyright. Ah, I forgot about it because those files were removed from git repository "Remove stuff generated by autotools". > I also had some comments about the way the information was > structured. > > > I don't think it is necessary (or indeed a good idea) to ship all of > the copyrightholders permission emails in debian/copyright. > > The copyright file should IMO contain information about the actual > licence, and not contain out of date pieces of licence, or historical > information. It also does not need to contain records of all the > email communications with the licence holders. > > IMO these should be kept in the source package, in case they are > needed, but they do not need to be in the .deb. The copyright file > should instead summarise the situation. > > So I would suggest you put them in debian/ somewhere. COPYING.emails > or something maybe. The filename doesn't matter very much. Ok, I can do that. > Conversely the source package should contain all the tracing > information we have about who approved what licence when. That > includes the emails I mention above, but also licence statements from > Stanford and OpenBSD etc. > > As regards the Stanford relicensing: you have included two URLs. But > I think we should have the actual text of the relicense. > > The best way to do this would probably be to use wget or curl to > download the HTML from the OpenBSD cvsweb page (which includes Theo > de Raadt's commit message), and maybe also save a copy of the diff > which comes out from this URL: > > http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/mrouted/LICENS > E.diff?r1=text&tr1=1.1&r2=text&tr2=1.2 > > I looked at the troglobit.com url you mention and I don't think the > text there really provides anything more interesting or useful, > although it might be worth mentioning somewhere in the source package > that that's the upstream. Ok, I can include those files into github repository and will be part of release tarball next time. > And there is some out-of-date information in the source package that > could usefully be qualified: > > The file Stanford.txt in the toplevel is no longer applicable. > Ideally it would be deleted, but our source formats do not support > thta. You should prefix it with a notice saying it does not apply, > and referring to a copy of the Stanford notice. I understood that original mrouted code is dual-licensed: that Stanford.txt and new BSD. > Was the file AUTHORS from mrouted ? I can't tell from the Debian > source package you have provided. I think you may want to patch it > to prefix a statement about its scope. > > In projects now maintained primarily in a VCS and accepting > contributions, such AUTHORS files typically become very out of date. File AUTHORS comes from igmpproxy. In git is now deleted and for release tarballs should be autogenerated from git by some script. > Many of my comments would be worth feeding upstream. Upstream > probably don't want to be distributing this out of date information, > and I'm sure they would like to have a record of the relicensing > approval emails. Yes, relicensing information should go to upstream git. > Finally, the package's debian/control Homepage field refers to > sourceforge but actually it's now on github AFAICT. I put there sourceforge homepage as I took last release of igmpproxy which comes from sourceforge. On github is not new release yet, but there are new commits and patches which are not part of 0.1. Now I'm trying to collect GPLv2+ relicense permissions for those patches... So version on github is not GPLv2+ compatible, but that on sourceforge should be now... Once version on github will be license OK, I could release new version on github and also update debian/control Homepage field. -- Pali Rohár firstname.lastname@example.org
Description: This is a digitally signed message part.