I did some more digging. The file in question seems to list two licenses: LGPL versions 2.1 or 3.0 exactly, and the Unicode license that is the subject of this bug. debian/copyright specifies LGPL-2.1+ only (which is wrong on that file AFAICT since it specifies two specific versions and not anything >= 2.1, but that point is not relevant to this bug).
It is unclear to me if Inalogic Inc specifically had permission to relicense the areas covered by Unicode, Inc copyright to LGPL or not. Nor is it clear to me if any code under Unicode, Inc copyright remains in the file. Since this product presumably does support the Unicode Standard, "in the creation of products supporting the Unicode Standard" does appear to apply to us, and therefore we can freely use the information supplied in this file. However, I don't know if this has been modified from the original and whether or not that would be permitted under "use the information supplied in this file". If the answer is that we can, and that this license applies and LGPL does not, then it would appear that we would be in compliance with the license; it is our users who would not be able to benefit from the guarantees that DFSG provide. If so, this would be a matter of Ubuntu's policy, and not a legal compliance issue. We generally accept copyright and license claims provided to us as-is by upstreams, and by Inalogic Inc having added the LGPL 2.1|3.0 license text, perhaps we can take that at face value and therefore consider this acceptable regardless. From a compliance perspective, I think there are enough maybes above that would have to line up precisely that it isn't obvious that this is a license violation. We've been shipping this file for 16 (!) years. I see the same license text in this file in the first upload to Ubuntu of this package: 0.9.4-0ubuntu1 in 2010. I'm not sure that there would be any significantly additional harm to add a further release to this, given that as far as we know nobody has complained or even noticed this previously. Therefore, perhaps it's fine for this not to be a release blocker for us for the Ubuntu Unity team for Resolute, considering that this was discovered by accident weeks before release and it isn't obviously a licensing violation to me based on my analysis above. However, it wouldn't be appropriate for me to speak for Ubuntu alone. I think this needs appropriate input from the relevant Ubuntu governance teams (AA and TB seem relevant), and from Canonical, to make a decision. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2147049 Title: [Policy Violations] nux ships non-free components that are not policy- compliant. BLOCKS: resolute, Unity 26.04 flavor release To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nux/+bug/2147049/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
