On Sun, 22 Mar 2009 02:53:51 +0000 Noah Slater <nsla...@tumbolia.org> wrote:
> On Sat, Mar 21, 2009 at 09:42:35AM -0500, Manoj Srivastava wrote: > > Why do they have to? I know, the ftp team made it up. But there > > is no reason in policy or in copyright law for such copying to > > occur. But it would be nice to know why it is needed. > > I can think of a few desirable reasons: > > * To show the FTP masters that they have thoroughly checked the licensing. > > * To provide concise information for our users. That does not need a complete list, it merely needs a statement that this has been done. Either way, the result has to be taken on trust unless someone else spends the time to verify the result for each package upload - that is where the workload becomes an issue. People are complaining because these wishlist problems are being elevated to a severity higher than RC in packages that have thousands of contributors and where even upstream probably doesn't know exactly how many exist. What matters is not missing out any licences, missing out a few names and email addresses is minor. How many users are ever going to want this information *duplicating anything already in the source package*?? How many of those users are only complaining because it is their name that got left out? Is their vanity sufficiently important to block acceptance of the entire package? If there is an AUTHORS file in the source package and the debian packaging has a clear attribution, why is it necessary to list everyone else? It's a bug in the source package if it is a problem at all. (And if anyone files a bug like that against one of my source packages, it will be wishlist severity and no higher. I may even ignore it for a few upstream releases just to make the point.) Besides, various packages already include a statement like "and anyone else I've forgotten" in the AUTHORS file. I try to cover everyone in small to medium sized packages - it is just a nice thing to do but it is no more than that. Being nice to people does not require listing thousands and having packages REJECTED because one got missed - that isn't being nice to the maintainer. Actually, as this is a signed document verifiable as coming from me, I might as well state that if any package contains material that is under my copyright but has left my copyright details out of debian/copyright by accident or by intent, then that is fine, don't worry about it. If you feel like adding it later, that's fine by me. I will not make any list that attempts to be a complete list of projects in which I may have material under my copyright because I'm not sure I could remember (but it's not that many). If there is a statement somewhere in the source to the effect that the copyright includes other contributors whose names may have been forgotten, then I consider that as acceptable. However, if any package containing material under my copyright tries to change the licence or misses out the licence details or wilfully violates the licence or deliberately removes from the source code a copyright notice that I have manually inserted at an earlier date, then I reserve the right to insist on such an issue being fixed. I would expect that a lot of upstream contributors would feel similarly - retain the listings that the copyright holder has made themselves but do not assume that the copyright holder requires such attributions to be duplicated anywhere else. That is the rub - what matters are licences and licences are only enforceable by the copyright holders. As long as there is one copyright holder who is able to pursue licence violations then the list of copyright holders is sufficient. So why do we insist on names and email addresses? The only possible reason I can see is that Debian wants to be able to relicence stuff and needs to constantly retain an impossibly ambitious list of copyright holders that is self-evidently incomplete, just in case one of the thousands of source packages needs to be relicenced and we want to contact every copyright holder. Ummm, am I the only one who thinks that is going just a tad too far? Yes, we had problems with iceweasel, a certain package I won't mention and possibly other packages over time but those are individual cases and things get sufficiently involved during those episodes that there certainly *IS* time to thoroughly review the source code of the entire package in question in order to ascertain what we can only hope is as complete a list as we can manage. IMHO it is about not getting hung up on the process but considering the reasoning behind the process. AFAICT, there is no good reason to document every single copyright holder but there are very good reasons to document every applicable LICENCE. As a sponsor, I do *not* require that every single copyright holder is listed in debian/copyright. I *do* require that every file in the source package has been checked for the applicable LICENCE and that all such LICENCES are declared in debian/copyright along with clear identification of which files use which licence. Where there is a clear division between copyright holders and licences, I would expect that the sections of debian/copyright dealing with files under that licence specify that the files are Copyright foo rather than Copyright bar that applies elsewhere. If some names and / or email addresses fall through the gaps, so be it. I've not had problems with this approach with regards to NEW up to this point in time. > > > We require, and have seen nothing to convince us otherwise, that Debian > > > maintainers need to do the basic work of listing each copyright holder in > > > debian/copyright, as seen in the source files and AUTHORS list or > > > equivalent (if any). > > > > Why do you think this work is needed? You must have had some > > rationale, since you made up this policy. > > Again, to document that they have, in fact, done what they are supposed to. On what basis and for what gain? Documenting (duplicating) something merely by rote is a waste of everyone's time. If there is no good reason other than to document something that has to be taken on trust anyway, what is the point? The list of names and email addresses in debian/copyright is unverifiable without redoing all the work yourself. In large packages, that is simply pointless. As long as all licences are covered, it would be insane to reject packages merely because less than 1% of the possible copyright holders were omitted. Especially when the actual names and email addresses in the relevant source files is by no means a complete listing of all copyright holders in the first place. We can apologise to anyone who is inadvertently left out and who personally feels that this is an issue - add them at the next upload, fine. The workload to require this for every single copyright holder, even ones that are not explicitly listed by upstream, is just mad. -- Neil Williams ============= http://www.data-freedom.org/ http://www.nosoftwarepatents.com/ http://www.linux.codehelp.co.uk/
pgpEODWdEzXoy.pgp
Description: PGP signature
