
Bug#955005: Relax requirements to copy copyright notices into d/copyright



Package: debian-policy
Version: 4.5.0.0
User: debian-policy@packages.debian.org
Usertags: normative discussion
X-debbugs-cc: debian-devel@lists.debian.org, ftpmaster@debian.org

Scott has provided a useful summary of what the FTP Team require when it
comes to copyright information, and as another FTP Team member, I concur
with his assessment of the consensus within the team:

On Thu 26 Mar 2020 at 10:32AM -04, Scott Kitterman wrote:

> I think you assume we're looking for more than we are.  We aren't asking
> anyone to research and document undocumented but technically legally
> assertable copyright claims.  From an FTP perspective we're after license
> compliance.
>
> If debian/copyright includes all the copyright notices that upstream does (or
> an equivalent), then that's all that's needed (there are exceptions, I have
> reviewed packages where upstream literally wrote that they had copied a bunch
> of code from some other location, changed the copyright owner to themselves,
> and changed the license - that we had a problem with, but it wasn't like we
> went looking for it).
>
> To pick one example, the Expat (MIT) license includes:
>
>     The above copyright notice and this permission notice shall be
>     included in all copies or substantial portions of the Software.
>
> When we ask for listing copyright holders in debian/copyright, that's what
> we're after.  I don't think complying with license requirements is an
> unreasonable thing to ask.
>
> That said, if we can make it easier for everyone, then we should investigate
> that.  As mentioned, policy does have a higher bar.  It says they all have to
> be listed regardless of license requirements.
>
> To pick another example, Apache-2.0 includes:
>
>       (c) You must retain, in the Source form of any Derivative Works
>           that You distribute, all copyright, patent, trademark, and
>           attribution notices from the Source form of the Work,
>           excluding those notices that do not pertain to any part of
>           the Derivative Works; and
>
> For something that we distribute based on our rights in the Apache-2.0 license
> and requirement to document all the copyright holders is strictly Debian
> specific based on policy.  Personally, I think the policy should be changed so
> we don't require everyone to go beyond the license requirements.  Currently I
> think there is consensus within the FTP Team not to reject packages for this.

Policy currently says:

    Every package must be accompanied by a verbatim copy of its
    copyright information, unless its distribution license explicitly
    permits this information to be excluded from distributions of
    binaries built from the source.  In such cases, a verbatim copy of
    its copyright information should normally still be included, but
    need not be if creating and maintaining a copy of that information
    involves significant time and effort.

We wrote this based on [1], but I now believe it is too conservative,
and does not reflect what the FTP Team require, nor the project's
consensus on what should be in d/copyright.  I think we want something
like this:

    The copyright information for files in a package must be copied
    verbatim into d/copyright when (i) the distribution license for
    those files requires that copyright information be included in all
    binary distributions; (ii) the files are shipped in the binary
    package, either in source or compiled form; and (iii) the form in
    which the files are present in the binary package does not include a
    plain text version of their copyright notices.

    Thus, the copyright information for files in the source package
    which are only part of its build process, such as autotools files,
    need not be included in d/copyright, because those files do not get
    installed into the binary package.  Similarly, plain text files
    which include their own copyright information and are installed into
    the binary package unmodified need not have that copyright
    information copied into d/copyright.

    However, the copyright notices for any files which are compiled into
    the object code shipped in the binary package must all be included
    in d/copyright when the license requires that copyright information
    be included in all binary distributions, as most do.

The point of separating (ii) and (iii) is because the source form of a
file need not be plain text, such as image files, and because even for
plain text files the copyright information may not be included in the
files themselves, but perhaps only in LICENSE.txt or similar.

This is, I believe, the minimum required for license compliance when it
comes to copyright notices.  It is significantly weaker than what Policy
currently requires, but I think we have a project consensus that we
should not be requiring more than what is required for license
compliance.  Of course, it is still open to maintainers to include more
information in d/copyright.[2]

I think we would want the FTP Team to officially sign off on this rather
than simply relying on what Scott and I think about the team's
consensus; currently, it is not clear that the text of [1] supports
relaxing the requirements as much as this.  So we probably need another
d-d-a e-mail from the FTP Team.

The relevant parts of Policy to update are §§ 2.3, 4.5 and 12.5.

N.B. This bug is not about the requirement to provide all *licensing*
information in d/copyright.  I think there is still a project consensus
that all licensing information should be available in that file.

[1]  https://lists.debian.org/debian-devel-announce/2018/10/msg00004.html

[2]  Though, that does tend to slow down NEW review.

-- 
Sean Whitton
