Bug#1093960: debian-policy: Strengthen 2.3 "copyright consideration" requirements
On Fri, Jan 24, 2025 at 10:54:53AM +0100, Julian Andres Klode wrote:
> Package: debian-policy
> Version: 4.7.0.2
> Severity: minor
> X-Debbugs-Cc: jak@debian.org, ftpmaster@debian.org
>
> I'd like to propose roughly the following changes, to bring
> the specification of copyright information closer to the
> reality and make them more useful as some sort of SBOM.
>
> One thing left to do is document that we should not
> make up our own copyright statements, which people
> increasingly do, and some ftpteam members
> reject packages without copyright notices or with
> vague copyright notices-ish ("Copyright foo contributors")
> even if there are no copyright notices to be preserved.

I admit that the text also isn't optimal. We really need to separate
between copyright notices and license (grants). We want to document
all licenses for all code and not just preserve information about
them.

But we do not want to make up our own copyright statements, or
go to the trouble of expanding "Copyright foo contributors" into
a list of actual foo contributors, as that is not legally required,
and it's not feasible to figure out who legally the contributors
are (e.g. each git author may be the contributor, or they may have
been acting as a part of a corporation who will be considered the
contributor).

It would also make sense to document debian/copyright instead of
the per-package copyright format, as the latter is a very niche
special case of the former.

So you need to say something to the effect of:

  The debian/copyright file must contain information about the
  licensing of the package. This includes all copyright notices
  listed in the source code, as well as license grants specified
  in the source code.

  As a special exception, files that are automatically generated
  and not installed into binary packages, or otherwise combined
  with inputs installed into binary packages, such as autotools files,
  may be excluded from the copyright file.

  When no copyright notices are given in the source code, a
  sentence to that effect shall be included such as:

      Copyright: No copyright notices present in code

  These notices may include some hints on the presumed majority
  copyright holders, such as:

      Copyright: No copyright notices present in code;
                 likely Foo Bar et al.

  Packages must not claim additional copyright notices that
  are not present in the code, except for package-specific
  files for which debian/copyright is likely the sole source
  of copyright and license information.

  As opposed to copyright notices, license grants need to
  be preserved verbatim if required by the license, or the
  license needs to be documented.

  The common case is for packages to include a single
  debian/copyright file that is copied into each binary
  package; alternatively it is possible for each binary
  package to ship a copyright file that only includes
  information pertaining to the files inside the binary
  package.

--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en