[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Copyright concerns regarding Seafile



Hi

Since no one has answered so far, I feel free to chime in.


* On 5/12/19 9:39 PM, Jan-Henrik Haukeland wrote:
> 
> We ask Debian to consider removing and stop distributing Seafile packages [1]
> due to copyright concerns. [...]

First of all, thank you for your in-depth analysis and bringing that issue to
the Debian project's attention!

Note that this list does not have any legal leverage, however. Most people
subscribed to it are just software developers (most of which are more deeply
involved in Debian) discussing licensing (and related things), but not actual
lawyers.

In case of license violations, the proper procedure is to file a bug report
against the source package(s) in question. Package maintainers will handle that
and request package removal by ftpmaster - the latter of which have the final
say in what the archive is made up of (as far as I know).


> Summary:
> --------------
>
> The evidence above demonstrate that there are reasons to be concerned about
> the Seafile team's insubstantial dealings in open-source and that the Seafile
> team for all practical purposes are conducting copyright infringement and
> violating the GPL terms.

I have only skimmed the provided examples, but I would generally agree. It's not
a blatant, mindless copy of your code, though, which makes things a bit
complicated. Most of the referenced functions are rather short. Seafile's DB
interface also isn't uncommon for C code that tries to provide a common
interface with multiple implementations (i.e., structures with function pointers
and forward-declaration). After all, there's only so much you can do to simulate
inheritance in a language that doesn't know such concepts natively.

This said, I do see a very strong similarity in the code's interface and - more
importantly - smaller details like the counter. The question whether interfaces
are actually even copyrightable or not is a pretty heated one (c.f., Google vs.
Oracle), so I'm wary of taking that into account too much. With all the other
details, though, it does sound quite unlikely that this is just another, very
similar reimplementation of the interface they already used in the Seafile
server code.


> It is unclear to me if the Seafile server is part of Debian or if it is
> downloaded separately or during the install process and that Debian is only
> distributing the client part of Seafile.

Now on to the good news. Debian has so far neither shipped the client nor the
server in any proper release. The Seafile client is part of buster (current
testing branch, although frozen and expected to be released soonish),
stretch-backports (an optional repository) and unstable/sid.

The timing is good. I'm not a Debian maintainer/DD, but this sounds like
something worthy of a release critical status that may result in the packages
being evicted from the distribution BEFORE they are packaged as part of a proper
release.

The other good news is that until now, only the client is part of Debian, which,
as you have also mentioned, should not be affected by that issue.


> If the latter is the case, I still hope that Debian will make a stand and not
> distribute Seafile packages as long as there are copyright concerns
> associated with the Seafile Software.

Again, please file a bug report. In the worst case, it'll just cause the
maintainer a bit of bureaucratic work and be dismissed.

It luckily doesn't sound like the issue *actually* affects any packages in the
Debian archive, but it generally shows upstream's questionable copyright and
license handling. Personally, I'd feel bad maintaining a package that may end up
being problematic if audited (since... what other surprises might be lingering
in the client?) Trust is a factor, after all. I'd rather remove an untrustworthy
package than end up with a surprise. But that's just my very own, personal opinion.



Mihai

Attachment: signature.asc
Description: OpenPGP digital signature


Reply to: