Hi

Since no one has answered so far, I feel free to chime in.

* On 5/12/19 9:39 PM, Jan-Henrik Haukeland wrote:
>
> We ask Debian to consider removing and stop distributing Seafile packages [1]
> due to copyright concerns. [...]

First of all, thank you for your in-depth analysis and bringing that issue to the Debian project's attention!

Note that this list does not have any legal leverage, however. Most people subscribed to it are just software developers (most of whom are more deeply involved in Debian) discussing licensing (and related things), but not actual lawyers.

In case of license violations, the proper procedure is to file a bug report against the source package(s) in question. Package maintainers will handle that and request package removal by ftpmaster - the latter of which have the final say in what the archive is made up of (as far as I know).

> Summary:
> --------------
>
> The evidence above demonstrates that there are reasons to be concerned about
> the Seafile team's insubstantial dealings in open-source and that the Seafile
> team for all practical purposes are conducting copyright infringement and
> violating the GPL terms.

I have only skimmed the provided examples, but I would generally agree.

It's not a blatant, mindless copy of your code, though, which makes things a bit complicated. Most of the referenced functions are rather short. Seafile's DB interface also isn't uncommon for C code that tries to provide a common interface with multiple implementations (i.e., structures with function pointers and forward-declaration). After all, there's only so much you can do to simulate inheritance in a language that doesn't know such concepts natively.

This said, I do see a very strong similarity in the code's interface and - more importantly - smaller details like the counter.

The question whether interfaces are actually even copyrightable or not is a pretty heated one (cf. Google vs. Oracle), so I'm wary of taking that into account too much. With all the other details, though, it does sound quite unlikely that this is just another, very similar reimplementation of the interface they already used in the Seafile server code.

> It is unclear to me if the Seafile server is part of Debian or if it is
> downloaded separately or during the install process and that Debian is only
> distributing the client part of Seafile.

Now on to the good news. Debian has so far neither shipped the client nor the server in any proper release. The Seafile client is part of buster (current testing branch, although frozen and expected to be released soonish), stretch-backports (an optional repository) and unstable/sid.

The timing is good. I'm not a Debian maintainer/DD, but this sounds like something worthy of a release critical status that may result in the packages being evicted from the distribution BEFORE they are packaged as part of a proper release.

The other good news is that until now, only the client is part of Debian, which, as you have also mentioned, should not be affected by that issue.

> If the latter is the case, I still hope that Debian will make a stand and not
> distribute Seafile packages as long as there are copyright concerns
> associated with the Seafile Software.

Again, please file a bug report. In the worst case, it'll just cause the maintainer a bit of bureaucratic work and be dismissed.

It luckily doesn't sound like the issue *actually* affects any packages in the Debian archive, but it generally shows upstream's questionable copyright and license handling.

Personally, I'd feel bad maintaining a package that may end up being problematic if audited (since... what other surprises might be lingering in the client?) Trust is a factor, after all. I'd rather remove an untrustworthy package than end up with a surprise. But that's just my very own, personal opinion.

Mihai