Bug#807074: fbreader: includes files with unclear DFSG-freeness and/or copyright status
Control: reopen -1 On Sat, 23 Jan 2016 11:17:49 +0100 Eugene V. Lyubimkin wrote: > On 09.01.2016 12:51, Francesco Poli wrote: > > FTP Masters are often very busy, and in some cases they do not have > > time to reply to queries of this kind. Hence, we should *not* > > interpret their silence as if they were saying that everything is OK. > > > > I am consequently reopening the bug report. > > Francesco, we have a technical disagreement. Re-opening a bug won't change my > opinion. To overrule, please refer to > usual authorities: archive masters or tech-ctte or DAMs. The FTP Masters continue to be silent, but there's a new fact. I've been pointed out that the fbreader package not only includes OASIS files based on ISO files which do not grant permission to modify and only grant a limited permission to copy and distribute (as I originally reported), but also directly includes ISO files under the problematic license. These are the three files fbreader/data/formats/xhtml/*.ent These files are non-free: they do not grant permission to modify (thus failing DFSG#3) and only grant a limited permission to copy and use, restricting the field of endeavor to conforming SGML systems and applications as defined in ISO 8879 (thus failing DFSG#6). As an aside, they are not documented in the debian/copyright file, thus making them harder to spot... While the OASIS files have an unclear legal status, the ISO files are more clearly unfit for Debian main, as stated by FTP Assistant Paul Tagliamonte in: https://lists.debian.org/debian-legal/2015/12/msg0.html I am therefore reopening the bug report. Please investigate and fix the issue. Thanks for your time. -- http://www.inventati.org/frx/ There's not a second to spare! To the laboratory! . Francesco Poli . GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE pgpz4nu7kH_Ar.pgp Description: PGP signature
Bug#807074: fbreader: includes files with unclear DFSG-freeness and/or copyright status
Control: reopen -1 On Wed, 16 Dec 2015 22:00:43 +0100 Francesco Poli wrote: > On Tue, 15 Dec 2015 21:00:00 +0100 Eugene V. Lyubimkin wrote: > > > On 14.12.2015 22:56, Francesco Poli wrote: [...] > > > Please note that, as I have previously said, one FTP Assistant > > > confirmed that files under the ISO license are not fit for Debian main: > > > https://lists.debian.org/debian-legal/2015/12/msg0.html > > > > I don't read that as something I can directly apply for things > > under OASIS copyright. Of course I might be wrong, that's > > why I invited Debian archive masters to the loop. No reason > > for us to argue any longer, let's just wait for what they > > think. > [...] > > OK, let's wait for a response from the FTP Masters, but please > investigate the legal status of the OASIS files in the meanwhile. FTP Masters are often very busy, and in some cases they do not have time to reply to queries of this kind. Hence, we should *not* interpret their silence as if they were saying that everything is OK. I am consequently reopening the bug report. Please investigate the legal status of the OASIS files in order to properly solve this issue. Thanks for your time. Bye. -- http://www.inventati.org/frx/ There's not a second to spare! To the laboratory! . Francesco Poli . GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE pgpuKJlOzLIir.pgp Description: PGP signature
Bug#807074: fbreader: includes files with unclear DFSG-freeness and/or copyright status
On Tue, 15 Dec 2015 21:00:00 +0100 Eugene V. Lyubimkin wrote: > On 14.12.2015 22:56, Francesco Poli wrote: [...] > > Hence, they basically say that some OASIS files (that they distribute > > under DFSG-free terms) are derived, in part, from some ISO files which > > do *not* grant any permission to modify. > > > > Without any additional explanation, this sounds like a copyright > > violation. > > Here our interpretations diverge then. Indeed it's always allowed to > suspect, but I'd much prefer that a RC bug is filed after those > suspects are confirmed. Well, but it's not just that I *suspect* that the OASIS files are derived from some ISO files which do not grant any permission to modify. It's written in the OASIS files themselves that this is the case! Hence, in the absence of an explanation of how this was legally allowed, it really seems that something is wrong. Hence the bug report... > > >> If they say 'yes', how one is > >> supposed to verify that they really do? > > > > A simple "yes" answer would not suffice: they need to provide a > > convincing explanation... > > Out of curiosity, what can that be? I have already mentioned some examples of possible explanations. If one such explanation holds, then everything is fine. Please note that I assume good faith on the OASIS side: probably they have an explanation (but they forgot to clearly document it) or they violated the ISO copyright by mistake... Other scenarios are possible, of course, but I think they are less likely to be the case. > > > Dropping the OASIS files from package fbreader is the last resort > > solution, assuming that those files are not strictly needed for the > > package to provide significant functionality. > > If a violation is present, this will be my first resort, otherwise > fbreader will disappear from testing very quickly. > Between absense of fbreader and worse DocBook format support in > fbreader, I choose second. If you mean that dropping the troublesome files from the package will be your first *temporary* course of action, while attempting to find a better solution, then I totally agree with you. What I meant is that I would consider the *permanent* removal of the files as a last resort solution, if all else fails. I hope you agree with me. [...] > > Please note that, as I have previously said, one FTP Assistant > > confirmed that files under the ISO license are not fit for Debian main: > > https://lists.debian.org/debian-legal/2015/12/msg0.html > > I don't read that as something I can directly apply for things > under OASIS copyright. Of course I might be wrong, that's > why I invited Debian archive masters to the loop. No reason > for us to argue any longer, let's just wait for what they > think. [...] OK, let's wait for a response from the FTP Masters, but please investigate the legal status of the OASIS files in the meanwhile. Thanks for your time and patience. -- http://www.inventati.org/frx/ There's not a second to spare! To the laboratory! . Francesco Poli . GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE pgpAuDAleq02u.pgp Description: PGP signature
Bug#807074: fbreader: includes files with unclear DFSG-freeness and/or copyright status
On 14.12.2015 22:56, Francesco Poli wrote: > Well, they themselves say that one of the files under consideration is > > | Derived, in part, from: > | > |* iso-pub.gml > | > |Copyright (C) 1986 International Organization for Standardization > |Permission to copy in any form is granted for use with > |conforming SGML systems and applications as defined in > |ISO 8879, provided this notice is included in all copies. > > and similarly for other files. > > Hence, they basically say that some OASIS files (that they distribute > under DFSG-free terms) are derived, in part, from some ISO files which > do *not* grant any permission to modify. > > Without any additional explanation, this sounds like a copyright > violation. Here our interpretations diverge then. Indeed it's always allowed to suspect, but I'd much prefer that a RC bug is filed after those suspects are confirmed. >> If they say 'yes', how one is >> supposed to verify that they really do? > > A simple "yes" answer would not suffice: they need to provide a > convincing explanation... Out of curiosity, what can that be? > Dropping the OASIS files from package fbreader is the last resort > solution, assuming that those files are not strictly needed for the > package to provide significant functionality. If a violation is present, this will be my first resort, otherwise fbreader will disappear from testing very quickly. Between absense of fbreader and worse DocBook format support in fbreader, I choose second. Ad plug: should anyone see a better action course, fbreader is open for adoption. > Please note that, as I have previously said, one FTP Assistant > confirmed that files under the ISO license are not fit for Debian main: > https://lists.debian.org/debian-legal/2015/12/msg0.html I don't read that as something I can directly apply for things under OASIS copyright. Of course I might be wrong, that's why I invited Debian archive masters to the loop. No reason for us to argue any longer, let's just wait for what they think. If those files are unfree, there were in the archive for 7+ years and can wait few days I presume. signature.asc Description: OpenPGP digital signature
Bug#807074: fbreader: includes files with unclear DFSG-freeness and/or copyright status
On Mon, 14 Dec 2015 21:07:40 +0100 Eugene V. Lyubimkin wrote: > Hi Francesco and all, Hello Eugene, hello FTP Masters, > > Thanks for your interest. You're welcome. Thanks to you for replying! > > > I cannot fully understand how those files could be derived from > > the ISO files in the first place, if the ISO files are not legally > > modifiable. > > Maybe OASIS obtained a special permission from ISO, but this does > > not seem to be documented. > > I am afraid I don't get it. > > OASIS say [...] they are the copyright holder and their license is > DFSG-free. You suspect OASIS breaches copyright of ISO, > and the source for this suspect is license headers written by OASIS > themselves? Well, they themselves say that one of the files under consideration is | Derived, in part, from: | |* iso-pub.gml | |Copyright (C) 1986 International Organization for Standardization |Permission to copy in any form is granted for use with |conforming SGML systems and applications as defined in |ISO 8879, provided this notice is included in all copies. and similarly for other files. Hence, they basically say that some OASIS files (that they distribute under DFSG-free terms) are derived, in part, from some ISO files which do *not* grant any permission to modify. Without any additional explanation, this sounds like a copyright violation. Maybe it's not, but there has to be some explanation of how it can avoid being a copyright violation... Perhaps the ISO files have been assessed to not be copyrighted? but this is not documented! Perhaps ISO granted some permission to re-license the ISO files? but this is not documented, either! And so forth... Or maybe it is indeed a copyright violation done by OASIS by oversight... Maybe OASIS will promptly act to fix this issue (for instance, by persuading ISO to re-license the ISO files...). > > You propose we contact OASIS and ask whether they have right to > distribute those files? One possible solution is seeking clarification from OASIS: maybe they have a perfectly valid and convincing explanation and it just needs to be documented properly! > If they say 'yes', how one is > supposed to verify that they really do? A simple "yes" answer would not suffice: they need to provide a convincing explanation... > In what circumstances they could say 'no'? For example, in case they violated the ISO copyright by mistake. > > Or you propose we contact ISO and ask whether OASIS breaches their > copyright? Another possible strategy is getting in touch with ISO and persuade them to re-license the ISO files in a DFSG-free and permissive manner. The new license should be a simple permissive non-copyleft one, compatible with pretty everything. As I have already said, one more possible solution is finding DFSG-free replacements for the ISO files and asking OASIS to base their files on those DFSG-free replacements, in stead of the ISO files. > > > The files in question (fbreader/fbreader/data/formats/docbook/*) > didn't change, at least, after 2009. Since that time, > fbreader has been gone through NEW queue at least in 2010 [...] > and in 2015 [...] With all due respect for the FTP Masters, mistakes *can* happen. It would not be the first time that a package with non-free (or even undistributable) content gets accepted in Debian main, by oversight. > > > Given above, I am going to assume, for now, that those files are fine. > Dear archive masters (To'ed), please re-open this > bug if they are not, and in that case files will be not included. Dropping the OASIS files from package fbreader is the last resort solution, assuming that those files are not strictly needed for the package to provide significant functionality. Please note that, as I have previously said, one FTP Assistant confirmed that files under the ISO license are not fit for Debian main: https://lists.debian.org/debian-legal/2015/12/msg0.html Hence, I do *not* agree that this bug report should have been closed simply assuming that everything is fine. Please reopen the bug report and investigate the issue. Thanks for your time. Bye. -- http://www.inventati.org/frx/ There's not a second to spare! To the laboratory! . Francesco Poli . GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE pgpVeMGuKjzGG.pgp Description: PGP signature
Bug#807074: fbreader: includes files with unclear DFSG-freeness and/or copyright status
Package: fbreader Version: 0.10.7dfsg-4 Severity: serious Justification: Policy 2.2.1 Hello Eugene and thanks for maintaining FBReader in Debian! I noticed something awkward in the debian/copyright file: [...] | Html entity files (fbreader/data/formats/docbook/*.ent) with | these licenses: | | | | [...] The problem is: among these two licenses, the first one is non-free, as it does not grant permission to modify (thus failing DFSG#3) and only grants a limited permission to copy and use, restricting the field of endeavor to conforming SGML systems and applications as defined in ISO 8879 (thus failing DFSG#6). The second license is instead fine for Debian main. By only reading the debian/copyright file, it was not clear to me whether both licenses apply (which would mean that these files are non-free in fbreader) or, instead, whether the recipient may choose which of the two licenses will apply (which would mean that we can choose the second license and everything is fine for fbreader). This freeness issue has been discussed on the debian-legal mailing list: https://lists.debian.org/debian-legal/2015/11/msg00048.html https://lists.debian.org/debian-legal/2015/11/msg00049.html During that debian-legal thread, I was pointed out that the licensing of those files in fbreader is a bit different from what is documented in the fbreader debian/copyright file: https://lists.debian.org/debian-legal/2015/11/msg00050.html And indeed, the files under consideration include that permission grant, saying that the DFSG-free license applies, but that the files are derived, in part, from files (copyrighted by ISO) which grant no permission to modify. As I said in https://lists.debian.org/debian-legal/2015/11/msg00051.html I cannot fully understand how those files could be derived from the ISO files in the first place, if the ISO files are not legally modifiable. Maybe OASIS obtained a special permission from ISO, but this does not seem to be documented. Otherwise, this looks like a copyright violation, which, if confirmed, would result in undistributable files. An FTP Assitant confirmed that files under the ISO license under consideration are not fit for Debian main: https://lists.debian.org/debian-legal/2015/12/msg0.html Please investigate and clarify and/or fix this issue. Possible solutions I can think of: A) clarify the licensing status of those files and find out that they are distributable under DFSG-free terms; explain and document why this is the case B) get in touch with the copyright holder (ISO) and persuade them to re-license the ISO files in a DFSG-free manner C) find DFSG-free replacements for the non-free files D) drop the non-free files from the package, assuming they are not strictly needed for the package to provide significant functionality Thanks for your time!