Bug#828970: ITP: singularity -- application containerization platform

To: 828970@bugs.debian.org
Subject: Bug#828970: ITP: singularity -- application containerization platform
From: Dave Love <fx@gnu.org>
Date: Thu, 14 Jul 2016 16:06:39 +0100
Message-id: <[🔎] 87wpko6yyo.fsf@pc102091.liv.ac.uk>
Reply-to: Dave Love <fx@gnu.org>, 828970@bugs.debian.org

[I saw this late as I didn't get a reply to the question about whether
this was being packaged for Debian.]

> * License         : BSD

The licence is actually BSD-3-Clause-LBNL in SPDX terms.  I think its
default licensing clause is a potential trap which Debian might
consider.  I've asked for an opinion from Fedora legal about including
language to nullify that in a "separate written license agreement".  The
claim on the web site that it is simply BSD3 is wrong, but the issue
that included that was closed without resolution.  See also below.

>   Programming Lang: C

It's compiled C used by a set of Bourne shell scripts.

> Package name (singularity) conflicts with a game package last released in
> 2011 with notable popcon of 300... so I guess I would need to come up with an
> alternative name, e.g.
> 
> singularity-containers
> 
> Alternative recommendations are welcome!

It probably doesn't matter much, but the bundled packaging I contributed
used the singular.

Debian might want to be circumspect about copyright issues surrounding
this.  The unresolved issue mentioned above concerned the claim on the
project web site that copyright doesn't apply at least to "patches" and
I was subsequently told "You cannot “own” copyright in something you
contribute to a 3-clause BSD project." (despite the project licence
requiring you to grant a licence...).  I find it difficult to believe
that's what LBNL lawyers actually say, but there you are.
<https://github.com/gmkurtzer/singularity/issues/117>

This should be added to the post v2.0 upstream copyright file (if you're
using that and update from 2.0) since obviously Debian doesn't subscribe
to the LBNL copyright theory (see also
<https://github.com/loveshack/singularity>):

  Files: libexec/docker-import.sh
  Copyright: 2016  Dave Love, University of Liverpool
  License: BSD-3-Clause-LBNL

There are potential security issues in the setuid program, with patches
for v2.0 under
<https://pkgs.fedoraproject.org/cgit/rpms/singularity.git>, but it looks
as if more are needed.

Reply to:

Follow-Ups:
- Bug#828970: ITP: singularity -- application containerization platform
  - From: Yaroslav Halchenko <debian@onerussian.com>

Prev by Date: Bug#745027: Status
Next by Date: Bug#828970: ITP: singularity -- application containerization platform
Previous by thread: Bug#602316: Library Bundling
Next by thread: Bug#828970: ITP: singularity -- application containerization platform
Index(es):
- Date
- Thread