On March 26, 2020 4:57:12 PM UTC, Sean Whitton <spwhit...@spwhitton.name> wrote:
>Package: debian-policy
>Version: 4.5.0.0
>User: debian-pol...@packages.debian.org
>Usertags: normative discussion
>X-debbugs-cc: debian-de...@lists.debian.org, ftpmas...@debian.org
>
>Scott has provided a useful summary of what the FTP Team require when it
>comes to copyright information, and as another FTP Team member, I concur
>with his assessment of the consensus within the team:
>
>On Thu 26 Mar 2020 at 10:32AM -04, Scott Kitterman wrote:
>
>> I think you assume we're looking for more than we are. We aren't asking
>> anyone to research and document undocumented but technically legally
>> assertable copyright claims. From an FTP perspective we're after license
>> compliance.
>>
>> If debian/copyright includes all the copyright notices that upstream does (or
>> an equivalent), then that's all that's needed (there are exceptions, I have
>> reviewed packages where upstream literally wrote that they had copied a bunch
>> of code from some other location, changed the copyright owner to themselves,
>> and changed the license - that we had a problem with, but it wasn't like we
>> went looking for it).
>>
>> To pick one example, the Expat (MIT) license includes:
>>
>> The above copyright notice and this permission notice shall be
>> included in all copies or substantial portions of the Software.
>>
>> When we ask for listing copyright holders in debian/copyright, that's what
>> we're after. I don't think complying with license requirements is an
>> unreasonable thing to ask.
>>
>> That said, if we can make it easier for everyone, then we should investigate
>> that. As mentioned, policy does have a higher bar. It says they all have to
>> be listed regardless of license requirements.
>>
>> To pick another example, Apache-2.0 includes:
>>
>> (c) You must retain, in the Source form of any Derivative Works
>> that You distribute, all copyright, patent, trademark, and
>> attribution notices from the Source form of the Work,
>> excluding those notices that do not pertain to any part of
>> the Derivative Works; and
>>
>> For something that we distribute based on our rights in the Apache-2.0 license
>> and requirement to document all the copyright holders is strictly Debian
>> specific based on policy. Personally, I think the policy should be changed so
>> we don't require everyone to go beyond the license requirements. Currently I
>> think there is consensus within the FTP Team not to reject packages for this.
>
>Policy currently says:
>
> Every package must be accompanied by a verbatim copy of its
> copyright information, unless its distribution license explicitly
> permits this information to be excluded from distributions of
> binaries built from the source. In such cases, a verbatim copy of
> its copyright information should normally still be included, but
> need not be if creating and maintaining a copy of that information
> involves significant time and effort.
>
>We wrote this based on [1], but I now believe it is too conservative,
>and does not reflect what the FTP Team require, nor the project's
>consensus on what should be in d/copyright. I think we want something
>like this:
>
> The copyright information for files in a package must be copied
> verbatim into d/copyright when (i) the distribution license for
> those files requires that copyright information be included in all
> binary distributions; (ii) the files are shipped in the binary
> package, either in source or compiled form; and (iii) the form in
> which the files are present in the binary package does not include a
> plain text version of their copyright notices.
>
> Thus, the copyright information for files in the source package
> which are only part of its build process, such as autotools files,
> need not be included in d/copyright, because those files do not get
> installed into the binary package. Similarly, plain text files
> which include their own copyright information and are installed into
> the binary package unmodified need not have that copyright
> information copied into d/copyright.
>
> However, the copyright notices for any files which are compiled into
> the object code shipped in the binary package must all be included
> in d/copyright when the license requires that copyright information
> be included in all binary distributions, as most do.
>
>The point of separating (ii) and (iii) is because the source form of a
>file need not be plain text, such as image files, and because even for
>plain text files the copyright information may not be included in the
>files themselves, but perhaps only in LICENSE.txt or similar.
>
>This is, I believe, the minimum required for license compliance when it
>comes to copyright notices. It is significantly weaker than what Policy
>currently requires, but I think we have a project consensus that we
>should not be requiring more than what is required for license
>compliance. Of course, it is still open to maintainers to include more
>information in d/copyright.[2]
>
>I think we would want the FTP Team to officially sign off on this rather
>than simply relying on what Scott and I think about the team's
>consensus; currently, it is not clear that the text of [1] supports
>relaxing the requirements as much as this. So we probably need another
>d-d-a e-mail from the FTP Team.
>
>The relevant parts of Policy to update are §§ 2.3, 4.5 and 12.5.
>
>N.B. This bug is not about the requirement to provide all *licensing*
>information in d/copyright. I think there is still a project consensus
>that all licensing information should be available in that file.
>
>[1] https://lists.debian.org/debian-devel-announce/2018/10/msg00004.html
>
>[2] Though, that does tend to slow down NEW review.

Thanks for filing this. I think this mostly reflects the current consensus of
the team. I think there's one area that needs to be discussed.

I think for copyright statement inclusion there are only four possible cases:

1. License explicitly requires source and binary inclusion (example: Expat and
BSD variants): Copyright notices need to be in debian/copyright.

2. License explicitly requires source inclusion only (example: Apache-2.0):
Copyright notices not required in debian/copyright.

3. License explicitly requires binary inclusion only (can't imagine this
existing, but it's in theory possible): Copyright notices required in
debian/copyright.

4. License requires copyright notice but doesn't specify anything about source
or binary (didn't look for an example, but I can totally see this happening): I
think this case is unclear with your revised wording. With the current policy
wording copyright notices would be required in debian/copyright and I think
that's correct. The current wording does seem harsh, so it could probably be
better while not leaving an ambiguity.

Thanks,

Scott K