
Bug#955005: marked as done (Relax requirements to copy copyright notices into d/copyright)



Your message dated Tue, 17 Nov 2020 00:33:17 +0000
with message-id <E1keovt-000Dxf-JA@fasolo.debian.org>
and subject line Bug#955005: fixed in debian-policy 4.5.1.0
has caused the Debian Bug report #955005,
regarding Relax requirements to copy copyright notices into d/copyright
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
955005: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=955005
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: debian-policy
Version: 4.5.0.0
User: debian-policy@packages.debian.org
Usertags: normative discussion
X-debbugs-cc: debian-devel@lists.debian.org, ftpmaster@debian.org

Scott has provided a useful summary of what the FTP Team require when it
comes to copyright information, and as another FTP Team member, I concur
with his assessment of the consensus within the team:

On Thu 26 Mar 2020 at 10:32AM -04, Scott Kitterman wrote:

> I think you assume we're looking for more than we are.  We aren't asking
> anyone to research and document undocumented but technically legally
> assertable copyright claims.  From an FTP perspective we're after license
> compliance.
>
> If debian/copyright includes all the copyright notices that upstream does (or
> an equivalent), then that's all that's needed (there are exceptions, I have
> reviewed packages where upstream literally wrote that they had copied a bunch
> of code from some other location, changed the copyright owner to themselves,
> and changed the license - that we had a problem with, but it wasn't like we
> went looking for it).
>
> To pick one example, the Expat (MIT) license includes:
>
>     The above copyright notice and this permission notice shall be
>     included in all copies or substantial portions of the Software.
>
> When we ask for listing copyright holders in debian/copyright, that's what
> we're after.  I don't think complying with license requirements is an
> unreasonable thing to ask.
>
> That said, if we can make it easier for everyone, then we should investigate
> that.  As mentioned, policy does have a higher bar.  It says they all have to
> be listed regardless of license requirements.
>
> To pick another example, Apache-2.0 includes:
>
>       (c) You must retain, in the Source form of any Derivative Works
>           that You distribute, all copyright, patent, trademark, and
>           attribution notices from the Source form of the Work,
>           excluding those notices that do not pertain to any part of
>           the Derivative Works; and
>
> For something that we distribute based on our rights in the Apache-2.0 license
> and requirement to document all the copyright holders is strictly Debian
> specific based on policy.  Personally, I think the policy should be changed so
> we don't require everyone to go beyond the license requirements.  Currently I
> think there is consensus within the FTP Team not to reject packages for this.

Policy currently says:

    Every package must be accompanied by a verbatim copy of its
    copyright information, unless its distribution license explicitly
    permits this information to be excluded from distributions of
    binaries built from the source.  In such cases, a verbatim copy of
    its copyright information should normally still be included, but
    need not be if creating and maintaining a copy of that information
    involves significant time and effort.

We wrote this based on [1], but I now believe it is too conservative,
and does not reflect what the FTP Team require, nor the project's
consensus on what should be in d/copyright.  I think we want something
like this:

    The copyright information for files in a package must be copied
    verbatim into d/copyright when (i) the distribution license for
    those files requires that copyright information be included in all
    binary distributions; (ii) the files are shipped in the binary
    package, either in source or compiled form; and (iii) the form in
    which the files are present in the binary package does not include a
    plain text version of their copyright notices.

    Thus, the copyright information for files in the source package
    which are only part of its build process, such as autotools files,
    need not be included in d/copyright, because those files do not get
    installed into the binary package.  Similarly, plain text files
    which include their own copyright information and are installed into
    the binary package unmodified need not have that copyright
    information copied into d/copyright.

    However, the copyright notices for any files which are compiled into
    the object code shipped in the binary package must all be included
    in d/copyright when the license requires that copyright information
    be included in all binary distributions, as most do.

The point of separating (ii) and (iii) is because the source form of a
file need not be plain text, such as image files, and because even for
plain text files the copyright information may not be included in the
files themselves, but perhaps only in LICENSE.txt or similar.

This is, I believe, the minimum required for license compliance when it
comes to copyright notices.  It is significantly weaker than what Policy
currently requires, but I think we have a project consensus that we
should not be requiring more than what is required for license
compliance.  Of course, it is still open to maintainers to include more
information in d/copyright.[2]

I think we would want the FTP Team to officially sign off on this rather
than simply relying on what Scott and I think about the team's
consensus; currently, it is not clear that the text of [1] supports
relaxing the requirements as much as this.  So we probably need another
d-d-a e-mail from the FTP Team.

The relevant parts of Policy to update are §§ 2.3, 4.5 and 12.5.

N.B. This bug is not about the requirement to provide all *licensing*
information in d/copyright.  I think there is still a project consensus
that all licensing information should be available in that file.

[1]  https://lists.debian.org/debian-devel-announce/2018/10/msg00004.html

[2]  Though, that does tend to slow down NEW review.

-- 
Sean Whitton



--- End Message ---
--- Begin Message ---
Source: debian-policy
Source-Version: 4.5.1.0
Done: Sean Whitton <spwhitton@spwhitton.name>

We believe that the bug you reported is fixed in the latest version of
debian-policy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 955005@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sean Whitton <spwhitton@spwhitton.name> (supplier of updated debian-policy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 16 Nov 2020 17:05:43 -0700
Source: debian-policy
Architecture: source
Version: 4.5.1.0
Distribution: unstable
Urgency: medium
Maintainer: Debian Policy Editors <debian-policy@lists.debian.org>
Changed-By: Sean Whitton <spwhitton@spwhitton.name>
Closes: 955005 959909 971023 973491 974911
Changes:
 debian-policy (4.5.1.0) unstable; urgency=medium
 .
   * Policy: Relax requirements on copying copyright notices into d/copyright
     Wording: Sean Whitton <spwhitton@spwhitton.name>
     Seconded: Scott Kitterman <debian@kitterman.com>
     Seconded: Joerg Jaspert <joerg@debian.org>
     Closes: #955005
   * Policy: Forbid vendor-specific series files
     Wording: Sean Whitton <spwhitton@spwhitton.name>
     Seconded: gregor herrmann <gregoa@debian.org>
     Seconded: Graham Inggs <ginggs@debian.org>
     Closes: #959909
   * Policy: Clarification about colons in version numbers
     Wording: Sean Whitton <spwhitton@spwhitton.name>
     Seconded: Mattia Rizzolo <mattia@debian.org>
     Seconded: Holger Levsen <holger@layer-acht.org>
     Closes: #971023
   * Replace `/usr/share/package/copyright` -> `/usr/share/PACKAGE/copyright`.
     Thanks to Guillem Jover for the suggestion.
   * Fix manpage section in reference to systemd.unit(5) (Closes: #973491).
     Thanks to Martin Schwarz for the report.
   * Makefile: Always use UTC date (Closes: #974911).
     Thanks to Vagrant Cascadian for the patch.
Checksums-Sha1:
 2508f26a0cca6ad3d1e9dec40371c9ff4c112be4 2052 debian-policy_4.5.1.0.dsc
 c8eec77157ba65fb7807793eb0f173ea545ae9f1 542620 debian-policy_4.5.1.0.tar.xz
Checksums-Sha256:
 3c57f6b59396025ded7056da16ddb90cbe0fe4d83a67b3e9d2ad48b65e3cf396 2052 debian-policy_4.5.1.0.dsc
 ec9d45ebedef668aac1c4a35c6123c85826f272f91915f7af8ac462efd75763e 542620 debian-policy_4.5.1.0.tar.xz
Files:
 2eabf77f796c4a40c95b3ad7220578e3 2052 doc optional debian-policy_4.5.1.0.dsc
 615d36bc3cbe6e47d518e96ce6ee5a9c 542620 doc optional debian-policy_4.5.1.0.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
