[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Copyright notice gives info on source files, not the packaged binaries -is that correct?

On Mon, May 10, 2021 at 2:18 PM Alexander Mazuruk wrote:

> I'm writing this as I've noticed that some packages have copyright file
> filled with records for source code, while the package contains binaries.

Essentially all packages in Debian do this, with a couple of
exceptions where the maintainer thought about this problem already.
For example, for src:libicns I installed different copyright files in
each binary package since the license is different for the library vs
the utilities.

> Shouldn't those package's COPYRIGHT contain info about final license
> that those binaries are distributed with?

In theory yes, in practice, no.

>    * yes. -> should I file a bug report for such packages?

The problem is an archive-wide one that is just left unsolved, not one
to be solved in individual packages.

>    * no -> how can I know what license a package actually has in such
> case? Are there some officially recommended tools?

It is in theory possible to trace the translation from source to
binary, but in practice it is mostly impossible. Even if you ptrace
the full build process (making it much slower), there is no general
way to determine what file is generated from what other file. Fixing
this would involve adding instrumentation to every compiler, build
system, many different tools and probably lots of Debian packaging and
upstream projects. This is a project on the order of magnitude of
Bootstrappable Builds or Reproducible Builds; a multi-decade-long
effort by many different people. There are potentially benefits to
this beyond copyright/license info correctness for binaries too, so it
would be an interesting project, but it would be hard to convince
entire communities of people to work on this.

In practice, shipping the relevant source for the binaries is likely
enough to achieve license compliance, so shipping pedantically correct
copyright/license info for the binaries is not necessary and shipping
source is much easier to do, so that is what Debian tends to do.

> We are trying to do start license compliance for Docker images and are a
> bit stumped on how to proceed with such packages in Debian-based containers.

I suggest you ship source for all the binary packages used, then add
source for all the packages installed during each of their build
processes. Or just ship a full Debian archive containing every source



Reply to: