Re: License violations for dependencies of Rust and Go programs?



* John Thorvald Wodder, II:

> It is my understanding that when an executable program that depends (directly
> or indirectly) on libraries licensed under (picking one license here) the MIT
> license is compiled into a binary that statically links these libraries, and
> this binary is then distributed to third parties, the binary must be
> accompanied by the license text & copyright notices for all of the program's
> direct & indirect MIT-licensed dependencies.

Based on my understanding of copyright law, this is correct.
Nevertheless, there seems to be an emerging consensus throughout the
industry that (for example) mentioning the “MIT” SPDX license
identifier is sufficient to meet the notification requirement inherent
to the MIT license.

> Unfortunately, I've come across some software in the official Debian
> repositories that does not seem to properly honor these requirements.

This conclusion is incorrect for Debian, I would say.  In Debian's
case, notification requirements are primarily met by shipping full
source code for the entire distribution.  I'm aware of heroic efforts
to maintain debian/copyright files, but as you point out, they are
incomplete when viewed in isolation because they only reflect a
source-only view.

Personally, I do not think this is an issue.  Debian does not need to
enable binary-only redistribution in cases where licenses may permit
it.  (Of course, there are plenty of cases where binary-only
distribution is not allowed by applicable licenses anyway.)  I don't
see how it furthers Debian's goals, and it only helps a tiny subset of
Debian users.
