Bug#988484: Bug#974678: ITP: openh264 -- H.264 encoding and decoding
Am 02.06.21 um 17:33 schrieb Tobias Frost: On Fri, 14 May 2021 00:04:52 +0200 Bastian Germann wrote: This is fine. The package must not reside in main. If you plan to release the package (the downloader) under a DFSG-compatible license, please submit it to contrib rather than non-free. I am currently packaging openh264. (I was checking the RFS, thats why I came accross this ITP) I'm confused; is there now a legal patent problem with the library that could affect/hurt Debian? There are H.264 patents that are applicable. I do not know how the existing H.264 implementations in Debian handle this, e.g. x264 or ffmpeg. According to the legal FAQ, these seem to be ignored. For the OpenH264 binaries, Cisco actually pays a license fee so that it can be used by the general public at no cost. The exact license terms are included in the package: https://salsa.debian.org/bage/openh264/-/blob/debian/2.1.1-1/debian/libopenh264-6.copyright The key point for having the library package in contrib and download the library is: "The Cisco-provided binary is separately downloaded to an end user's device, and not integrated into or combined with third party software prior to being downloaded to the end user's device;" Has this been discussed on e.g debian-legal or with the ftp masters beforehand? Not for OpenH264 specifically, but I am including debian-legal now. For the H.264 patents, there is an old thread at https://lists.debian.org/debian-legal/2006/04/msg00286.html Is this RFS package now a downloader or the library itself? It's both. The -dev package is created from the source files and resides in main. The library package contains the downloader as a postinst script, which checks the known SHA256 hashes. There are some example userspace tools available in the package which could potentially be packaged in an additional package. I left this for a later version. There is also a chance that reproducible build might be implemented: https://github.com/cisco/openh264/issues/893 When that works, the package could build the lib, verify the resulting hashes, and throw away the built binary. That way we could be sure not to have any additions to the downloaded library that are not available as source. I think, as Cisco provides the patent license, having the downloader in contrib (for some architectures) is better than having the built library in main (for all compiling architectures). We could also provide both. Any thoughts?
Bug#988484: Bug#974678: ITP: openh264 -- H.264 encoding and decoding
Bastian Germann writes: > Am 02.06.21 um 17:33 schrieb Tobias Frost: >> Is this RFS package now a downloader or the library itself? > > It's both. The -dev package is created from the source files and > resides in main. The library package contains the downloader as a > postinst script, which checks the known SHA256 hashes. > There are some example userspace tools available in the package which > could potentially be packaged in an additional package. I left this > for a later version. > > There is also a chance that reproducible build might be implemented: > https://github.com/cisco/openh264/issues/893 > When that works, the package could build the lib, verify the resulting > hashes, and throw away the built binary. That way we could be sure not > to have any additions to the downloaded library that are not available > as source. > > I think, as Cisco provides the patent license, having the downloader > in contrib (for some architectures) is better than having the built > library in main (for all compiling architectures). We could also > provide both. Any thoughts? As I understand Debian Policy, downloading anything during postinst is discouraged, if not banned. So it would be best to avoid it. In terms of the patent license, I do not think that x264 has any special dispensation. So just directly building and packaging openh264 should not open Debian to any significant additional liability. But as always, the FTP masters will be the final arbiter of that. Cheers, Walter
Bug#988484: Bug#974678: ITP: openh264 -- H.264 encoding and decoding
> "Bastian" == Bastian Germann writes: Bastian> There are H.264 patents that are applicable. I do not know Bastian> how the existing H.264 implementations in Debian handle Bastian> this, e.g. x264 or ffmpeg. According to the legal FAQ, Bastian> these seem to be ignored. I suspect you meant to say that there are H.264 patents that may be applicable and that Debian should evaluate this risk using its normal proocesses and policies for looking at software patents. THOSE PROCESSES DO NOT INVOLVE debian-legal. Discussing patents in a public forum may result in speculative communication--like the assertion above where you said that patents are applicable and where you probably meant to say that the patents may be applicable--being produced in response to allegations of patent infringement. That harms Debian. Thus, we have a policy that we discuss patents only in privileged communication. See https://www.debian.org/legal/patent and if you are concerned about a specific patent risk, write to pate...@debian.org. signature.asc Description: PGP signature