
Bug#1002053: lintian: false positive inconsistent-appstream-metadata-license (gpl-2.0+ != gpl-2+)



Control: tag -1 + confirmed pending

Hi Nicholas and Soren,

Nicholas D Steeves wrote:
> Gpl-2+ (used in d/copyright) is equivalent to gpl-2.0+ used in
> appstream metadata, so this is a false positive.

Correct, as
https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/#license-short-name
(part of the Debian Policy) also states:

»For SPDX compatibility, versions with trailing dot-zeroes are
considered to be equivalent to versions without (e.g., “2.0.0” is
considered equal to “2.0” and “2”).«

> Were GNU to hypothetically release a GPL 2.1, and were upstream to
> switch to it, the onus would be on the Debian maintainer to update
> d/copyright.

Yes, but they'd need to update it in both cases as neither "GPL-2+"
nor "GPL-2.0+" imply "newest version of the GPL 2.x series". :-)

> It also seems wrong to emit this at the warning level for this
> specific case.

Unfortunately the level is hardcoded in the tag. We can't emit a tag
e.g. once at warning and once at pedantic level depending on the found
data. (It also IMHO makes not so much sense semantic-wise.)

> If lintian is encouraging maintainers to use the "gpl-2.0+" notation
> rather than gpl-2+ in d/copyright, then it should emit a different
> (lower severity than warning) tag for that case.

Well, as the Debian Copyright Format Specification 1.0 explicitly
allows both variants, this seems not necessary.

> It seems clear to me that (gpl-2.0+ = gpl-2+), so it looks like the
> correct approach is to use a table of equivalent license notations to
> prevent the false positive.

Yeah, as that list would potentially become rather huge and hard to
maintain, I'd rather use a regexp to filter out such things.

Soren Stoutner wrote:
> The same basic problem also occurs with MIT and Expat licenses.

Ack.

> The specification for the AppStream metadata file only has a few
> options, one of them being MIT and none of them being Expat.

Same for SPDX: Neither https://spdx.org/licenses/ nor
https://spdx.org/licenses/MIT.html mention Expat.

> Debian, of course, prefers the Expat name as it is more precise.

According to
https://wiki.debian.org/Proposals/CopyrightFormat#Differences_between_DEP5_and_SPDX
SPDX does not have the Expat license. They do have though the "MIT
License" (the one and only ;-), so that would imply that they're not
the same license.

And indeed, there are two differences between
https://spdx.org/licenses/MIT.html and
http://www.jclark.com/xml/copying.txt (the Expat license):

* The MIT License starts with a headline "MIT License" (which is
  probably less relevant).

* The MIT License contains the following part in its second paragraph
  which the Expat license doesn't have: "(including the next
  paragraph)". This might make a subtle difference, but IANAL.

> inconsistent-appstream-metadata-license debian/metainfo.xml (mit !=
> expat) [debian/copyright]

So that actually seems a true positive as the licenses differ. They
only differ a bit, but they differ.

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
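
The trailing dot-zero rule quoted in the message above, as an added example that is not part of the original e-mail and is not lintian's code: a regexp-based normalization that treats gpl-2.0+ and gpl-2+ as equal while still reporting mit != expat. The function names, the sample pairs and the mapping of the SPDX "-or-later"/"-only" suffixes are assumptions that go beyond what the message states.

```python
import re

# Trailing ".0" components at the end of the version, optionally before "+",
# following the copyright-format 1.0 rule ("2.0.0" == "2.0" == "2").
_TRAILING_ZEROES = re.compile(r"(?<=\d)(?:\.0)+(?=\+?$)")

# Assumption added for this example: newer SPDX identifiers spell "+" as
# "-or-later" and the plain version as "-only".
_SPDX_SUFFIXES = (("-or-later", "+"), ("-only", ""))


def normalize(short_name):
    """Lower-case a license short name and drop trailing dot-zeroes."""
    name = short_name.strip().lower()
    for suffix, replacement in _SPDX_SUFFIXES:
        if name.endswith(suffix):
            name = name[: -len(suffix)] + replacement
            break
    return _TRAILING_ZEROES.sub("", name)


def mismatches(pairs):
    """Return the (metainfo, copyright) pairs that differ after normalization."""
    return [(m, c) for m, c in pairs if normalize(m) != normalize(c)]


# Constructed sample pairs: (AppStream metainfo license, d/copyright short name).
SAMPLE = [
    ("GPL-2.0+", "GPL-2+"),          # equivalent: only a trailing ".0" differs
    ("GPL-2.0-or-later", "GPL-2+"),  # equivalent under the suffix assumption
    ("LGPL-2.1+", "LGPL-2+"),        # ".1" is not a trailing zero: differs
    ("MIT", "Expat"),                # different names: still reported
]

if __name__ == "__main__":
    for meta, cp in mismatches(SAMPLE):
        print(f"{meta.lower()} != {cp.lower()}")
```

Only zero components at the very end of the version are dropped, so "2.10" and "2.0.1" are left untouched.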

