Re: Why do we list individual copyright holders?

2017-12-22 Thread Robert Collins
On 23 Dec. 2017 16:54, "Paul Wise"  wrote:

On Sat, Dec 23, 2017 at 9:07 AM, Thomas Goirand wrote:

> (ie: the Apache license doesn't require listing copyright holders).

IANAL, but it seems pretty clear to me that this is not the case, at
least for source packages (see 4.c),


How do you get to enumeration of copyright holders from reproduction of
copyright notices?

Rob


Re: Explicitly or "implicitly" mark architectures a packages does not build

2017-12-22 Thread Andreas Tille
Hi,

update on querying BTS for packages that can not build on a certain 
architecture:

On Thu, Dec 21, 2017 at 11:46:53PM +0100, Andreas Tille wrote:
> On Wed, Dec 20, 2017 at 07:24:28PM +, Holger Levsen wrote:
> > On Wed, Dec 20, 2017 at 08:10:19PM +0100, Andreas Tille wrote:
> > > Maybe I should write an according query and then close all those
> > > bugs ...
> > 
> > please do ;)
> 
> OK, I'm working on this:
> 
>   
> https://anonscm.debian.org/cgit/collab-qa/check_build_depends.git/tree/query_missing_build_depends.sh

As I said in previous mail: I can perfectly reproduce the manual bug
reports for the Debian Med team.  I added a debug option to track down
false positives (which were none currently).  I also checked for
differences between different architectures like this (make sure you
add '-m' option to use public mirror if you have no UDD clone on your
local machine!):

   query_missing_build_depends.sh -o i386  > i386
   query_missing_build_depends.sh -o arm64 > arm64
   diff -u i386 arm64

I consider the fact that this script seems to work sufficient reason to
close the according bug reports for the reasons given in the beginning
of this thread.

Kind regards

   Andreas.

-- 
http://fam-tille.de



Re: Why do we list individual copyright holders?

2017-12-22 Thread Russ Allbery
Paul Wise  writes:

> IANAL, but it seems pretty clear to me that this is not the case, at
> least for source packages (see 4.c), for binary packages we also have to
> distribute any associated NOTICE files (see 4.d, but I guess we violate
> this rule quite a lot), which I would guess usually contain copyright
> information.

> https://www.apache.org/licenses/LICENSE-2.0

I just found a few packages under Apache 2.0 that didn't distribute the
NOTICE file.  It turned out that the same information was in
debian/copyright, but that may not be the case in the future.

I'll file a wishlist bug against Lintian to check for a NOTICE file in
packages that say they're under Apache 2.0 and warn if it's not included
in the binary package.

-- 
Russ Allbery (r...@debian.org)   



Re: Why do we list individual copyright holders?

2017-12-22 Thread Paul Wise
On Sat, Dec 23, 2017 at 9:07 AM, Thomas Goirand wrote:

> (ie: the Apache license doesn't require listing copyright holders).

IANAL, but it seems pretty clear to me that this is not the case, at
least for source packages (see 4.c), for binary packages we also have
to distribute any associated NOTICE files (see 4.d, but I guess we
violate this rule quite a lot), which I would guess usually contain
copyright information.

https://www.apache.org/licenses/LICENSE-2.0

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



Bug#885030: ITP: libnitrokey -- library to communicate with Nitrokey stick devices

2017-12-22 Thread Scott Kitterman
Package: wnpp
Severity: wishlist
Owner: Scott Kitterman 

* Package name: libnitrokey
  Version : 3.1
  Upstream Author : Nitrokey Team 
* URL : https://github.com/Nitrokey/libnitrokey
* License : LGPL3
  Programming Lang: C++
  Description : library to communicate with Nitrokey stick devices

 library to communicate with Nitrokey Pro and Storage devices in a clean and
 easy manner. Written in C++14, testable with py.test and Catch frameworks,
 with C API, Python access.

 Needed for the newest version of nitrokey-app as well as other Nitrokey
 related software.

 If there is interest, I anticipate setting up a Nitrokey related team and
 maintaining this within that team.



Re: Why do we list individual copyright holders?

2017-12-22 Thread Jonas Smedegaard
Quoting Thomas Goirand (2017-12-23 01:45:43)
> On 12/20/2017 10:31 AM, Jonas Smedegaard wrote:
>> Quoting Holger Levsen (2017-12-19 22:01:52)
>>> On Tue, Dec 19, 2017 at 06:44:54PM +0100, Jonas Smedegaard wrote:
>>>>> What if the author is anonymous then?
>>>> Then who granted the license?
>>>
>>> the anonymous author.
>>
>> Ok. Then (assuming the source mentions only that anonymous _author_ 
>> not who claims to hold _copyright_) you document in debian/copyright 
>> that a) you assume copyright holder to be the stated author, and b) 
>> that the copyright holder is anonymous.
>>
>> ...and see where that leads...
>>
>>
>>  - Jonas
>
> Back to square one, this was to demonstrate that we do *NOT* need the 
> copyright holder name.

No, we are not back to square one:

Square one was that we should not need to list copyright holders in 
debian/copyright file at all.

Above I describe how we can list copyright holders in debian/copyright 
file when copyright holder is anonymous, when their name is omitted 
upstream - e.g. like "the anonymous author of files FOO and BAR who is 
assumed to be the copyright holder".


> The only thing we really need is to make sure about the license of the 
> software. Having a copyright holder name is only *helping* to make 
> sure that we are indeed, in the case of the claimed license (ie: we 
> can hold $name as responsible for a false claim of such a license). 
> But, considering this, the copyright holder name isn't mandatory to 
> distribute said software (unless the license mandates listing the 
> authors or copyright holders).
>
> If the above isn't logical, please explain why.

You seem to argue that names of copyright holders are optional because 
they are optional.

What we need is not only license.  From Debian Policy § 12.5:

> Every package must be accompanied by a verbatim copy of its copyright 
> information and distribution license in the file 
> /usr/share/doc/package/copyright.

We also need copyright information.

The reason we need copyright information is that only a license granted
by the copyright holders is of use to us.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private




Re: Why do we list individual copyright holders?

2017-12-22 Thread Thomas Goirand
On 12/19/2017 05:33 PM, Jeremy Stanley wrote:
> On 2017-12-19 15:17:56 +0100 (+0100), Thomas Goirand wrote:
> [...]
>> I wish you good luck with that. I attempted *twice* to have the
>> copyright holder information attached to each upstream project on
>> upstream OpenStack, and twice this was a failure. Maybe I'm not good
>> with communication, but I don't think it's the bigger factor. I just
>> think upstream doesn't care, they (wrongly) think that licensing is
>> enough, when clearly, it's not for Debian (we also care about the copyright
>> holding part).
> 
> If you can please attempt (again) to clarify what you're looking to
> have included in upstream releases with regard to copyright holder
> information, I'll see what I can whip up.

Considering this thread, it's easy to understand: a list of copyright
holders, so one won't spend hours writing such a list in
debian/copyright, which is built only based on the assumptions that all
copyright holders claiming to be one have at least written their names
in upstream source code files. But it looks like the issue is deeper
than this, and is probably a Debian problem, not an upstream OpenStack,
so I don't dare to ask again. I'm totally on your side with what you
wrote below (ie: the Apache license doesn't require listing copyright
holders).

> It's up to individual
> contributors (authors and reviewers) as to whether a given patch
> makes a significant enough change to a particular file to warrant
> adding a copyright holder or year in it. I can certainly at least
> work on helping standardize them such that they can be scraped
> efficiently and aggregated through automation.
> 
> Also worth noting, the OpenStack community has been operating under
> comments from legal counsel indicating that the Apache Software
> License version 2 doesn't explicitly require a manifest of copyright
> holders.

The issue is: Debian FTP masters do not agree with these "comments from
legal counsel". Or rather, they just reject packages, saying that this
or that copyright holder isn't listed in debian/copyright. I also
strongly feel like it's pointless, but this happened to me *many* times.
Since we get no explanation, or anyone from the FTP master team entering
this thread, it's pointless to even discuss this here, unfortunately... :(

Cheers,

Thomas Goirand (zigo)



Re: Why do we list individual copyright holders?

2017-12-22 Thread Thomas Goirand
On 12/20/2017 12:46 AM, Russ Allbery wrote:
> The problem with all of these discussions, however, and the reason why I
> largely stopped participating in them (particularly with my Policy Editor
> hat on), is that the rules for what one actually has to do in Debian to
> get a package accepted are a bit confusing and only partly documented, and
> the people who set those requirements basically don't participate in these
> discussions.  As long as the decision-makers aren't participating and we
> don't have clear documentation of the rules, even talking about it is
> pointless.
> 
> I feel like what we really need is a working group that contains members
> with the authority to speak for ftpmaster, along with a good cross-section
> of interested parties, to get together on a public but separate mailing
> list and hash out a concrete proposal for how we think copyright and
> license notices should work in the project.  Then bring that back to the
> project.  Otherwise, we're just going to keep having this discussion every
> three months or so, and nothing is going to really change.

I fully agree with the above, and also strongly feel like we must get
the FTP masters point of view.

See Jeremy Stanley's post in this thread, and you'll understand that
upstream OpenStack, for example, do not agree at all with the view of
FTP masters that we need to list copyright holders. If such a copyright
holder list isn't required by upstream (with even advice from its legal
counsel), why have I wasted so much time? If I'm spending so much time
on this, I at least would like to understand that it's fully legally
required and/or what are the FTP master team motivations.

Cheers,

Thomas Goirand (zigo)



Re: Why do we list individual copyright holders?

2017-12-22 Thread Thomas Goirand
On 12/20/2017 10:31 AM, Jonas Smedegaard wrote:
> Quoting Holger Levsen (2017-12-19 22:01:52)
>> On Tue, Dec 19, 2017 at 06:44:54PM +0100, Jonas Smedegaard wrote:
>>>> What if the author is anonymous then?
>>> Then who granted the license?
>>
>> the anonymous author.
> 
> Ok. Then (assuming the source mentions only that anonymous _author_ not 
> who claims to hold _copyright_) you document in debian/copyright that a) 
> you assume copyright holder to be the stated author, and b) that the 
> copyright holder is anonymous.
> 
> ...and see where that leads...
> 
> 
>  - Jonas

Back to square one, this was to demonstrate that we do *NOT* need the
copyright holder name. The only thing we really need is to make sure
about the license of the software. Having a copyright holder name is
only *helping* to make sure that we are indeed, in the case of the
claimed license (ie: we can hold $name as responsible for a false claim
of such a license). But, considering this, the copyright holder name
isn't mandatory to distribute said software (unless the license mandates
listing the authors or copyright holders).

If the above isn't logical, please explain why.

Cheers,

Thomas Goirand (zigo)



Re: Why do we list individual copyright holders?

2017-12-22 Thread Jeremy Bicha
On Fri, Dec 22, 2017 at 8:51 AM, Scott Kitterman  wrote:
> I find demands on my time from those who
> aren't frustrating.

Hi, I'm nitpicking here, but that's what this whole thread is about:
demands on the time of Debian maintainers and whether it's necessary
for everyone listed in a Copyright line to always be mentioned in
debian/copyright.

Anyway, I do appreciate your email.

Thanks,
Jeremy Bicha



Re: Why do we list individual copyright holders?

2017-12-22 Thread Ian Jackson
Scott Kitterman writes ("Re: Why do we list individual copyright holders?"):
> Personally, as a member of the FTP Team (Assistant, not Master), I'm
> reluctant to participate in discussions like this unless I'm highly
> confident that I understand the team policy on such matters
> completely enough to speak totally correctly on the matter because I
> anticipate that regardless of any disclaimers I might put on any
> inputs they will be taken as, more or less, stating the team's
> position on the issue.

I understand what you say and it does make sense, but I'm sorry to say
that I think this ultimately makes matters worse.  When we have a
situation where no-one from the ftp team is willing to say anything in
public without a formal settled internal consensus, the result is (in
the nature of human institutions) nearly no output at all.

And of course in that situation everyone on the outside is reduced to
kremlinology.  _Of course_ such kremlinology means that every
statement by an ftp team member is examined closely - perhaps more
closely than it can bear.

The solution is not to clam up even further; it is to relax and make
more individual contributions.  So:

> I'm going to violate this rule slightly

Thank you very much for violating your rule and please would you - and
other ftp team members - violate it some more :-).

> I intend to work within the FTP Team to get some clarification on
> the team's position on this, but I don't expect it to be quick.  I
> agree we could do with better documentation of what the policy is
> and why.

Thanks.

Ian.

(Disclosure: I'm one of the ftp trainees mentioned.  I have not really
done any ftp review work yet because it's December, so please don't
think I have much inside insight.)

-- 
Ian Jackson   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.



Re: Why do we list individual copyright holders?

2017-12-22 Thread Scott Kitterman
On Wednesday, December 20, 2017 08:08:04 PM Marc Haber wrote:
> On Tue, 19 Dec 2017 15:46:58 -0800, Russ Allbery wrote:
> >The problem with all of these discussions, however, and the reason why I
> >largely stopped participating in them (particularly with my Policy Editor
> >hat on), is that the rules for what one actually has to do in Debian to
> >get a package accepted are a bit confusing and only partly documented, and
> >the people who set those requirements basically don't participate in these
> >discussions.  As long as the decision-makers aren't participating and we
> >don't have clear documentation of the rules, even talking about it is
> >pointless.
> 
> I must mention that this is most often the case with one quite
> powerful group in Debian, and it has been that way for more than a
> decade.
> 
> And I get beaten up for mentioning this every time I do.

Personally, as a member of the FTP Team (Assistant, not Master), I'm reluctant 
to participate in discussions like this unless I'm highly confident that I 
understand the team policy on such matters completely enough to speak totally 
correctly on the matter because I anticipate that regardless of any 
disclaimers I might put on any inputs they will be taken as, more or less, 
stating the team's position on the issue.

I'm going to violate this rule slightly and say I don't think the issue is as 
simple as some people make it out to be.

I intend to work within the FTP Team to get some clarification on the team's 
position on this, but I don't expect it to be quick.  I agree we could do with 
better documentation of what the policy is and why.

Marc, I don't want you to take this as me beating up on you, because that's 
not my intent, but I find your tone frustrating.  The FTP Team is not a closed 
cabal.  There are regular calls for volunteers (there is a new set of FTP 
Trainees learning about the job right now), so anyone who's willing and able 
to do the work is welcome to help.  I find demands on my time from those who 
aren't frustrating.

Scott K
Speaking for myself only (really)



Re: glibc-2.24-11+deb9u2 from s-p-u already in debian/dists/stretch/main/source/Sources.xz?

2017-12-22 Thread Philipp Hahn
Hello Emilio,

On 21.12.2017 at 12:34, Emilio Pozuelo Monfort wrote:
> It's listed as
> 
> Extra-Source-Only: yes
> 
> So yes, it's normal for it to be there, as another package has Built-Using on
> that glibc version, so we need to ship the source.

Thanks Emilio, that was the missing link.

Philipp