Bug#884228: debian-policy: please add OFL-1.1 to common licenses

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
21 messages Options
12
Reply | Threaded
Open this post in threaded view
|

Bug#884228: debian-policy: please add OFL-1.1 to common licenses

Markus Koschany-2
Package: debian-policy
Version: 4.1.2.0
Severity: normal

Hi,

as discussed on debian-devel [1] I would like to request that more DFSG
licenses are added to /usr/share/common-licenses and that package
maintainers are allowed to reference them.

License: OFL-1.1
Source: https://opensource.org/licenses/OFL-1.1
Example packages:
https://wiki.debian.org/DFSGLicenses#The_SIL_Open_Font_License

Regards,

Markus

[1] https://lists.debian.org/debian-devel/2017/12/msg00209.html








signature.asc (981 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Bug#884228: debian-policy: please add OFL-1.1 to common licenses

Jonathan Nieder
Markus Koschany wrote:

> as discussed on debian-devel [1] I would like to request that more DFSG
> licenses are added to /usr/share/common-licenses and that package
> maintainers are allowed to reference them.
>
> License: OFL-1.1
> Source: https://opensource.org/licenses/OFL-1.1
> Example packages:
> https://wiki.debian.org/DFSGLicenses#The_SIL_Open_Font_License

Seconded.

Thanks,
Jonathan

> [1] https://lists.debian.org/debian-devel/2017/12/msg00209.html

Reply | Threaded
Open this post in threaded view
|

Bug#884228: debian-policy: please add OFL-1.1 to common licenses

Russ Allbery-2
Jonathan Nieder <[hidden email]> writes:
> Markus Koschany wrote:

>> as discussed on debian-devel [1] I would like to request that more DFSG
>> licenses are added to /usr/share/common-licenses and that package
>> maintainers are allowed to reference them.
>>
>> License: OFL-1.1
>> Source: https://opensource.org/licenses/OFL-1.1
>> Example packages:
>> https://wiki.debian.org/DFSGLicenses#The_SIL_Open_Font_License

> Seconded.

license-count says this makes sense:

SIL OFL 1.0              12
SIL OFL 1.1             159

via the historic criteria of more usage than the least popular license
already in common-licenses (GFDL 1.3 at 138 packages).

--
Russ Allbery ([hidden email])               <http://www.eyrie.org/~eagle/>

Reply | Threaded
Open this post in threaded view
|

Bug#884228: debian-policy: please add OFL-1.1 to common licenses

Bill Allombert-4
On Wed, Dec 27, 2017 at 01:56:44PM -0800, Russ Allbery wrote:

> Jonathan Nieder <[hidden email]> writes:
> > Markus Koschany wrote:
>
> >> as discussed on debian-devel [1] I would like to request that more DFSG
> >> licenses are added to /usr/share/common-licenses and that package
> >> maintainers are allowed to reference them.
> >>
> >> License: OFL-1.1
> >> Source: https://opensource.org/licenses/OFL-1.1
> >> Example packages:
> >> https://wiki.debian.org/DFSGLicenses#The_SIL_Open_Font_License
>
> > Seconded.
>
> license-count says this makes sense:
>
> SIL OFL 1.0              12
> SIL OFL 1.1             159
>
> via the historic criteria of more usage than the least popular license
> already in common-licenses (GFDL 1.3 at 138 packages).

This is not an entirely reasonnable criterion, though. The GFDL is losing
popularity. At some point there might be zero packages under the
GFDL 1.3, at which point the criterion would dictate that all licenses
should be included.

Also If you look at the license-count email archive, you will see that the
GFDL 1.3 should probably not have been included in the first place
(it was expected that more packages would migrate from 1.2 to 1.3).
So it makes better sense to count GFDL 1.2+1.3 as a single number.

The usual threshold for inclusion was much higher than 138.

Cheers,
--
Bill. <[hidden email]>

Imagine a large red swirl here.

Reply | Threaded
Open this post in threaded view
|

Bug#884228: debian-policy: please add OFL-1.1 to common licenses

Markus Koschany-2
Am 28.12.2017 um 11:21 schrieb Bill Allombert:

> On Wed, Dec 27, 2017 at 01:56:44PM -0800, Russ Allbery wrote:
>> Jonathan Nieder <[hidden email]> writes:
>>> Markus Koschany wrote:
>>
>>>> as discussed on debian-devel [1] I would like to request that more DFSG
>>>> licenses are added to /usr/share/common-licenses and that package
>>>> maintainers are allowed to reference them.
>>>>
>>>> License: OFL-1.1
>>>> Source: https://opensource.org/licenses/OFL-1.1
>>>> Example packages:
>>>> https://wiki.debian.org/DFSGLicenses#The_SIL_Open_Font_License
>>
>>> Seconded.
>>
>> license-count says this makes sense:
>>
>> SIL OFL 1.0              12
>> SIL OFL 1.1             159
>>
>> via the historic criteria of more usage than the least popular license
>> already in common-licenses (GFDL 1.3 at 138 packages).
>
> This is not an entirely reasonnable criterion, though. The GFDL is losing
> popularity. At some point there might be zero packages under the
> GFDL 1.3, at which point the criterion would dictate that all licenses
> should be included.
>
> Also If you look at the license-count email archive, you will see that the
> GFDL 1.3 should probably not have been included in the first place
> (it was expected that more packages would migrate from 1.2 to 1.3).
> So it makes better sense to count GFDL 1.2+1.3 as a single number.
>
> The usual threshold for inclusion was much higher than 138.
>
> Cheers,
We really should move away from making a distinction between popular and
non-popular DFSG licenses. Nowadays nobody in the project can tell
within seconds how many DFSG-free licenses there are. Under my original
proposal we would add _all_ licenses which were accepted by the FTP team
to /usr/share/common-licenses.

This has two main advantages. First of all we could easily answer the
question what licenses are accepted by the Debian project and could
encourage other people to use them for their own projects. For a project
which prides itself for its Social Contract and Free Software Guidelines
it is kind of embarrassing that we cannot immediately tell our users and
contributors what licenses we consider to be free. Just by adding them
to /usr/share/common-licenses we could improve the documentation for one
of the legal cornerstones of this project.

The second point is: The current Policy punishes maintainers for
maintaining large and diverse packages with fonts, images, data and
media files, multiple contributors and software licenses. IMO we should
value developer time much more than disk space and current popularity of
a license.

Also the criterion of popularity does not take into account that some
licenses are more frequently used in specific fields of endeavor. If you
don't maintain a lot of -data or documentation packages with fonts,
images or other media files, this is probably not an issue for you. But
the current state surely is annoying for contributors who are interested
to develop parts of Debian where the OFL or CC licenses are very popular
and common.

Regards,

Markus


signature.asc (981 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Bug#884228: debian-policy: please add OFL-1.1 to common licenses

Jonathan Nieder
Markus Koschany wrote:
> Am 28.12.2017 um 11:21 schrieb Bill Allombert:
>> On Wed, Dec 27, 2017 at 01:56:44PM -0800, Russ Allbery wrote:
>>> Jonathan Nieder <[hidden email]> writes:

>>>> Seconded.
>>>
>>> license-count says this makes sense:
>>>
>>> SIL OFL 1.0              12
>>> SIL OFL 1.1             159
>>>
>>> via the historic criteria of more usage than the least popular license
>>> already in common-licenses (GFDL 1.3 at 138 packages).
[...]
>> The usual threshold for inclusion was much higher than 138.
[...]
> We really should move away from making a distinction between popular and
> non-popular DFSG licenses. Nowadays nobody in the project can tell
> within seconds how many DFSG-free licenses there are. Under my original
> proposal we would add _all_ licenses which were accepted by the FTP team
> to /usr/share/common-licenses.

I am confident that we lack consensus for that original proposal.

I have some sympathy for moving to a different threshold or a
different criterion for inclusion in common-licenses.  But let me just
say now to avoid wasted time: I am not going to be supportive of
turning base-files into a compendium of all DFSG licenses.  There are
multiple reasons that I don't think that's in users' best interests.
I've already discussed some of them and haven't heard any convincing
new points in response.

> Also the criterion of popularity does not take into account that some
> licenses are more frequently used in specific fields of endeavor. If you
> don't maintain a lot of -data or documentation packages with fonts,
> images or other media files, this is probably not an issue for you. But
> the current state surely is annoying for contributors who are interested
> to develop parts of Debian where the OFL or CC licenses are very popular
> and common.

As I've already said multiple times, if you are using copyright-format
1.0 to maintain multiple packages and it is getting in your way,
please please please, fix your workflow and improve documentation so
others can benefit from the same workflow changes.  Work with upstream
to ensure they have high quality license documentation that you can
use as-is (or that you can use after some mechanical transformations
--- e.g. I've heard of R module packagers having some success with
that approach).  Changing the list of licenses in base-files does not
change this at all.

All that said, I still support including the SIL OFL 1.1 in
common-licenses.  I also agree with you that number of packages is an
imperfect criterion --- the OFL 1.1 is not only used by a large number
of packages but many of those packages are popular, so the resource
savings (archive space in partial mirrors, bandwidth, CD size, etc) is
greater than it might seem at first glance.

Thanks,
Jonathan

Reply | Threaded
Open this post in threaded view
|

Bug#884228: debian-policy: please add OFL-1.1 to common licenses

Markus Koschany-2
Am 28.12.2017 um 20:39 schrieb Jonathan Nieder:

> Markus Koschany wrote:
>> Am 28.12.2017 um 11:21 schrieb Bill Allombert:
>>> On Wed, Dec 27, 2017 at 01:56:44PM -0800, Russ Allbery wrote:
>>>> Jonathan Nieder <[hidden email]> writes:
>
>>>>> Seconded.
>>>>
>>>> license-count says this makes sense:
>>>>
>>>> SIL OFL 1.0              12
>>>> SIL OFL 1.1             159
>>>>
>>>> via the historic criteria of more usage than the least popular license
>>>> already in common-licenses (GFDL 1.3 at 138 packages).
> [...]
>>> The usual threshold for inclusion was much higher than 138.
> [...]
>> We really should move away from making a distinction between popular and
>> non-popular DFSG licenses. Nowadays nobody in the project can tell
>> within seconds how many DFSG-free licenses there are. Under my original
>> proposal we would add _all_ licenses which were accepted by the FTP team
>> to /usr/share/common-licenses.
>
> I am confident that we lack consensus for that original proposal.
Agreed. At the moment I would already be happy if we could find
consensus for the few licenses I have filed bugs for.

> I have some sympathy for moving to a different threshold or a
> different criterion for inclusion in common-licenses.  But let me just
> say now to avoid wasted time: I am not going to be supportive of
> turning base-files into a compendium of all DFSG licenses.  There are
> multiple reasons that I don't think that's in users' best interests.
> I've already discussed some of them and haven't heard any convincing
> new points in response.

Maybe this is the reason why we haven't found consensus yet. Why do you
think that adding all DFSG licenses to /usr/share/common-licenses is not
in our users best interests?

I recall the following arguments against this proposal:

1. Waste of disk space (especially for embedded systems)

I think we have already debunked this myth and it appears to me that at
least Sean and you agree that this is actually not an issue for this
specific target group and in fact we would _save_ disk space because
some of those licenses are present in very important and popular packages.

2. A license can only be included when a certain threshold is reached

First of all nobody seems to know what this threshold actually is.
Apparently it is something between gut feeling and the popularity of our
least preferred license in common-licenses. What negative impact is
expected when we just add all DFSG licenses? At least you seem to agree
that "included in number of packages" is an imperfect criterion.

3. Very short licenses should not be included

This was mentioned by Russ for the MIT and zlib licenses because it
"adds indirection to no real purpose and won't really save maintainers
significant time."

Why do we add the BSD license to common-licenses but not MIT and zlib?
At the moment we have a situation where we can reference some licenses
but have to quote others verbatim. I believe this is the real
indirection here. It would be much simpler (and more natural) to
introduce a rule to reference every DFSG license text than requiring to
check whether a license is a so called common license or not.

>> Also the criterion of popularity does not take into account that some
>> licenses are more frequently used in specific fields of endeavor. If you
>> don't maintain a lot of -data or documentation packages with fonts,
>> images or other media files, this is probably not an issue for you. But
>> the current state surely is annoying for contributors who are interested
>> to develop parts of Debian where the OFL or CC licenses are very popular
>> and common.
>
> As I've already said multiple times, if you are using copyright-format
> 1.0 to maintain multiple packages and it is getting in your way,
> please please please, fix your workflow and improve documentation so
> others can benefit from the same workflow changes.  Work with upstream
> to ensure they have high quality license documentation that you can
> use as-is (or that you can use after some mechanical transformations
> --- e.g. I've heard of R module packagers having some success with
> that approach).  Changing the list of licenses in base-files does not
> change this at all.
I don't understand what you mean by changing my workflow. Bill also
suggested that I just should not use copyright format 1.0. What would
that change? I still have to quote license texts verbatim. The only
"advantage" of the old format is that I can format d/copyright more
freely but the same information must be present anyway. It is simply not
feasible to educate all upstreams in existence to write a Debian-like
copyright file. They rightly say that it is not their problem how
downstreams process and treat their copyright information.

Though if you allowed to reference a license text on the local system
instead of quoting it verbatim this would allow myself and others to
save time in producing the Debian specific copyright file. In no way is
this related to upstream.

> All that said, I still support including the SIL OFL 1.1 in
> common-licenses.  I also agree with you that number of packages is an
> imperfect criterion --- the OFL 1.1 is not only used by a large number
> of packages but many of those packages are popular, so the resource
> savings (archive space in partial mirrors, bandwidth, CD size, etc) is
> greater than it might seem at first glance.

Yes, I'm happy that you support the inclusion of SIL OFL 1.1.

> Thanks,
> Jonathan

Regards,

Markus




signature.asc (981 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Bug#884228: debian-policy: please add OFL-1.1 to common licenses

Jonathan Nieder
Hi,

Markus Koschany wrote:

>              I still have to quote license texts verbatim. The only
> "advantage" of the old format is that I can format d/copyright more
> freely but the same information must be present anyway. It is simply not
> feasible to educate all upstreams in existence to write a Debian-like
> copyright file. They rightly say that it is not their problem how
> downstreams process and treat their copyright information.

This may be the source of my confusion.  I am used to upstreams being
cooperative when I ask them for a clear LICENSE file, especially when I
provide them with a patch to do so.

Some licenses even require that.  Upstream has to follow the license,
too, when they incorporate code from third parties.  Even in a
situation where they wrote all the code themselves, making license
compliance easy for downstream users helps adoption of their code.

In other words, I have almost never experienced the kind of resistance
you are talking about.

Even a package that adopts copyright-format 1.0 does not need to put
per-file license information in debian/copyright.  It is perfectly
okay to have a single 'Files: *' paragraph with the project's license.
Some maintainers prefer to maintain per-file license information since
they think it makes their lives easier.

Thanks,
Jonathan

Reply | Threaded
Open this post in threaded view
|

Bug#884228: debian-policy: please add OFL-1.1 to common licenses

Russ Allbery-2
In reply to this post by Markus Koschany-2
Markus Koschany <[hidden email]> writes:

> Why do we add the BSD license to common-licenses but not MIT and zlib?

I'm not sure why the BSD license was included in common-licenses
originally.  My theory was that it was to include all the licenses
mentioned by name in the DFSG.  However, the version in common-licenses is
specific to code whose copyright is held by the University of California,
so it's not very useful.  Including it there in that form was probably a
mistake.

We found multiple packages in Debian that referred to the common-licenses
version of the BSD license but weren't actually released under that
license.  That's why Policy now says to not reference the version of the
BSD license in common-licenses.

We haven't removed it because it's very hard to do that.  There are still
quite a few packages in the archive that reference it (many possibly
incorrectly).

See https://bugs.debian.org/284340.

--
Russ Allbery ([hidden email])               <http://www.eyrie.org/~eagle/>

Reply | Threaded
Open this post in threaded view
|

Bug#884228: debian-policy: please add OFL-1.1 to common licenses

Markus Koschany-2
In reply to this post by Jonathan Nieder
Am 28.12.2017 um 22:19 schrieb Jonathan Nieder:

> Hi,
>
> Markus Koschany wrote:
>
>>              I still have to quote license texts verbatim. The only
>> "advantage" of the old format is that I can format d/copyright more
>> freely but the same information must be present anyway. It is simply not
>> feasible to educate all upstreams in existence to write a Debian-like
>> copyright file. They rightly say that it is not their problem how
>> downstreams process and treat their copyright information.
>
> This may be the source of my confusion.  I am used to upstreams being
> cooperative when I ask them for a clear LICENSE file, especially when I
> provide them with a patch to do so.
>
> Some licenses even require that.  Upstream has to follow the license,
> too, when they incorporate code from third parties.  Even in a
> situation where they wrote all the code themselves, making license
> compliance easy for downstream users helps adoption of their code.
>
> In other words, I have almost never experienced the kind of resistance
> you are talking about.
>
> Even a package that adopts copyright-format 1.0 does not need to put
> per-file license information in debian/copyright.  It is perfectly
> okay to have a single 'Files: *' paragraph with the project's license.
> Some maintainers prefer to maintain per-file license information since
> they think it makes their lives easier.
With a grin here: You must be a very lucky maintainer or you maintain
neither Java packages or games. :)

Sure there are nice upstreams and I have certainly encountered more
helpful than obnoxious ones in the past. But you have to consider the
following: The more packages you (team-)maintain the more likely it is
that your scenario becomes less and less ideal. A few examples:

freeorion: [1]

Rather sophisticated game GPL-2 licensed but with various contributions
/ incorporations under different licenses. So I can't just write Files:
* -> GPL-2. I have to list all licenses with separate paragraphs and
there is no way to change that without sacrificing accuracy. But
d/copyright would be a lot more readable if I did not have to quote some
of those licenses verbatim.

bullet: [2]

C++ library under a permissive license with various contributions
licensed under different licenses. I became fed up with checking the
data and examples directories with each upstream release because of the
various licenses and copyright holders in those directories. Fortunately
we don't need those for a functioning library but it would have been
nice for someone who wants to build demos and examples on a local
system. -> forced trade-off between usefulness, d/copyright and my
maintenance time. Nothing upstream could help us with.

ufoai-maps: [3]

~5000 files, a lot of CC licensed files. Only manageable because
upstream provides a copyright file in their own format. I had to write
my own little parser to make it suitable for d/copyright. Checking this
all by hand would be a nightmare. Nothing upstream could help us with.
From their point of view they have provided all legally required
information.

netbeans: [4]

~80000 files with dozens of licenses and hundreds of contributors. This
is only maintainable copyright-wise because I remove lots of files when
repacking the tarball.

From my perspective every simplification of d/copyright helps. If you
think my workflow is to blame here, I'm all ears now how I could be more
efficient in maintaining just these four packages. ;)

Regards,

Markus



[1]
http://metadata.ftp-master.debian.org/changelogs/main/f/freeorion/unstable_copyright
[2]
http://metadata.ftp-master.debian.org/changelogs/main/b/bullet/unstable_copyright
[3]
http://metadata.ftp-master.debian.org/changelogs/main/u/ufoai-maps/unstable_copyright
[4]
http://metadata.ftp-master.debian.org/changelogs/main/n/netbeans/unstable_copyright


signature.asc (981 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Bug#884228: debian-policy: please add OFL-1.1 to common licenses

Jonathan Nieder
Markus Koschany wrote:

> freeorion: [1]
>
> Rather sophisticated game GPL-2 licensed but with various contributions
> / incorporations under different licenses. So I can't just write Files:
> * -> GPL-2. I have to list all licenses with separate paragraphs and
> there is no way to change that without sacrificing accuracy. But
> d/copyright would be a lot more readable if I did not have to quote some
> of those licenses verbatim.

Using 'Files: *' when different files are under different licenses
sacrifices precision, but it doesn't sacrifice accuracy.  You can say

 Files: *
 License: GPL-2 and Permissive-License-1 and Permissive-License-2 and ...

Or you can even write

 Files: *
 License: Freeorion

and clarify what the terms are in the license text.  At least that was
my understanding of the intent behind copyright-format.

Looking at the latest clarifications to copyright-format, I see

 Files: *
 Copyright: 1975-2010 Ulla Upstream
 License: GPL-2+

 In this example, copyright in all files is held by the upstream, and
 that copyright holder grants license under the GPL, version 2 or
 later.

which I fear is ambiguous.  If the copyright field names multiple
copyright holders, do all files have to be copyright by all of them,
or can the copyright to some files be held by some of them and to
others by the other?  The latter is the only tenable way this can work
in practice but the text could use some clarification (in a separate
bug).

> bullet: [2]
>
> C++ library under a permissive license with various contributions
> licensed under different licenses. I became fed up with checking the
> data and examples directories with each upstream release because of the
> various licenses and copyright holders in those directories. Fortunately
> we don't need those for a functioning library but it would have been
> nice for someone who wants to build demos and examples on a local
> system. -> forced trade-off between usefulness, d/copyright and my
> maintenance time. Nothing upstream could help us with.

Can't upstream help by hosting a LICENSE file that you and other
distributors share the work of maintaining?

If they prefer to treat the data and examples directories as
independent components, they can put a LICENSE file in each, so that
all that would be left on the Debian side to do is (1) concatenate
them and (2) remove any directories that don't have a LICENSE file
yet.

> ufoai-maps: [3]
>
> ~5000 files, a lot of CC licensed files. Only manageable because
> upstream provides a copyright file in their own format. I had to write
> my own little parser to make it suitable for d/copyright. Checking this
> all by hand would be a nightmare. Nothing upstream could help us with.
> From their point of view they have provided all legally required
> information.

copyright-format 1.0 is not mandatory.  Why not ship upstream's
copyright file as is?

> netbeans: [4]
>
> ~80000 files with dozens of licenses and hundreds of contributors. This
> is only maintainable copyright-wise because I remove lots of files when
> repacking the tarball.

*nod* This is a similar case to bullet.  Upstream is likely not
interested in creating a LICENSE file but they could be interested in
accepting it as a contribution, especially if you set them up with a
licensecheck-like workflow to keep it from bitrotting.

> From my perspective every simplification of d/copyright helps. If you
> think my workflow is to blame here, I'm all ears now how I could be more
> efficient in maintaining just these four packages. ;)

Some of the pain is essential pain due to the way copyright works and
the complexity of conveying authors' wishes.  But other parts are
self-imposed.  I agree with your goal of removing self-imposed pain. :)

Thanks,
Jonathan

Reply | Threaded
Open this post in threaded view
|

Bug#884228: debian-policy: please add OFL-1.1 to common licenses

Jonathan Nieder
Jonathan Nieder wrote:
> Markus Koschany wrote:

>> freeorion: [1]
>>
>> Rather sophisticated game GPL-2 licensed but with various contributions
>> / incorporations under different licenses. So I can't just write Files:
>> * -> GPL-2. I have to list all licenses with separate paragraphs
[...]

> Looking at the latest clarifications to copyright-format, I see
>
>  Files: *
>  Copyright: 1975-2010 Ulla Upstream
>  License: GPL-2+
>
>  In this example, copyright in all files is held by the upstream, and
>  that copyright holder grants license under the GPL, version 2 or
>  later.
>
> which I fear is ambiguous.  If the copyright field names multiple
> copyright holders, do all files have to be copyright by all of them,
> or can the copyright to some files be held by some of them and to
> others by the other?

Fortunately [1] says

  Not all copyright notices may apply to every individual file

so a pointer to there might be enough to remove the ambiguity for the
Copyright field.

[2] says

  This field should include all text needed in order to fulfill both
  Debian Policy's requirement for including a copy of the software's
  distribution license (12.5), and any license requirements to include
  warranty disclaimers or other notices with the binary package.

but doesn't speak to what to do when e.g. license requirements or
warranty disclaimers vary between files matching the file pattern.

Thanks,
Jonathan

[1] https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/#copyright-field
[2] https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/#license-field

Reply | Threaded
Open this post in threaded view
|

Bug#884228: debian-policy: please add OFL-1.1 to common licenses

Sean Whitton
In reply to this post by Jonathan Nieder
Hello Jonathan,

On Thu, Dec 28 2017, Jonathan Nieder wrote:

> Using 'Files: *' when different files are under different licenses
> sacrifices precision, but it doesn't sacrifice accuracy.  You can say
>
>  Files: * License: GPL-2 and Permissive-License-1 and
>  Permissive-License-2 and ...
>
> Or you can even write
>
>  Files: * License: Freeorion
>
> and clarify what the terms are in the license text.  At least that was
> my understanding of the intent behind copyright-format.
There's a long thread on d-devel right now where it has been pointed out
that the ftp-masters frequently reject packages that summarise in this
way, which I suspect the reason why Markus isn't considering this
feature of the copyright format helpful in addressing his concerns.

--
Sean Whitton

signature.asc (847 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Bug#884228: debian-policy: please add OFL-1.1 to common licenses

Markus Koschany-2
In reply to this post by Jonathan Nieder
Am 29.12.2017 um 00:06 schrieb Jonathan Nieder:
[...]

> Using 'Files: *' when different files are under different licenses
> sacrifices precision, but it doesn't sacrifice accuracy.  You can say
>
>  Files: *
>  License: GPL-2 and Permissive-License-1 and Permissive-License-2 and ...
>
> Or you can even write
>
>  Files: *
>  License: Freeorion
Hi,

Ok I can see the misunderstanding now. The above statement would be
incorrect for freeorion because it translates to:

You are allowed to use the files under GPL-2 and Permissive-License-1
and Permissive-License-2 and ...

But this is not true. Not all files are dual/triple/-licensed. Actually
no file is even dual-licensed.

Even in the old format you would have to write something like this:

All code is covered by the GPL-2 license. The full license text can be
found in /usr/share/common-licenses/GPL-2. Exceptions are noted below:

bla.png
foo.ogg
licensed under CC-BY-SA-3.0 (must be quoted verbatim)

example.ogg
licensed under CC-BY-3.0 (must be quoted verbatim)

bar.xyz
licensed under MIT/Expat (must be quoted verbatim)

etc.


> and clarify what the terms are in the license text.  At least that was
> my understanding of the intent behind copyright-format.
>
> Looking at the latest clarifications to copyright-format, I see
>
>  Files: *
>  Copyright: 1975-2010 Ulla Upstream
>  License: GPL-2+
>
>  In this example, copyright in all files is held by the upstream, and
>  that copyright holder grants license under the GPL, version 2 or
>  later.
>
> which I fear is ambiguous.  If the copyright field names multiple
> copyright holders, do all files have to be copyright by all of them,
> or can the copyright to some files be held by some of them and to
> others by the other?> The latter is the only tenable way this can work
> in practice but the text could use some clarification (in a separate
> bug).
The above license paragraph translates to: All files are Copyright
1975-2010 Ulla Upstream licensed under the GPL-2 (or at your option any
later version)

If there are multiple copyright holders who have licensed their work
under the same license then you can just extend the Copyright field.

Files: *
Copyright: 1975-2010 Ulla Upstream
           2002, Ulf Upstream
           2007, Uli Upstream
License: GPL-2+

But if there is even one file which is differently licensed like

Files: src/parser.c
Copyright: 2009, John Jay
License: Expat

you have to mention that in d/copyright. Otherwise your copyright file
would be incomplete/incorrect under the current Policy requirements.
This is reject-worthy.

However upstream could simply state that all software is GPL-2+ licensed
because the Expat license grants them the right to sublicense parser.c.
As long as they don't remove the grant in parser.c they are in
compliance with the license. Adopting a Debian style copyright file
would simply increase their workload and they don't like to maintain that.

>> bullet: [2]
>>
>> C++ library under a permissive license with various contributions
>> licensed under different licenses. I became fed up with checking the
>> data and examples directories with each upstream release because of the
>> various licenses and copyright holders in those directories. Fortunately
>> we don't need those for a functioning library but it would have been
>> nice for someone who wants to build demos and examples on a local
>> system. -> forced trade-off between usefulness, d/copyright and my
>> maintenance time. Nothing upstream could help us with.
>
> Can't upstream help by hosting a LICENSE file that you and other
> distributors share the work of maintaining?
>
> If they prefer to treat the data and examples directories as
> independent components, they can put a LICENSE file in each, so that
> all that would be left on the Debian side to do is (1) concatenate
> them and (2) remove any directories that don't have a LICENSE file
> yet.
Provided that upstream would accept such a LICENSE file I would be in
charge for all the maintenance work upstream from now on. I can't
imagine that there is someone else in this world who would voluntarily
maintain such license information. The idea is charming but I fear in
the end I would just do the work elsewhere and nothing would be gained
from it.

>> ufoai-maps: [3]
>>
>> ~5000 files, a lot of CC licensed files. Only manageable because
>> upstream provides a copyright file in their own format. I had to write
>> my own little parser to make it suitable for d/copyright. Checking this
>> all by hand would be a nightmare. Nothing upstream could help us with.
>> From their point of view they have provided all legally required
>> information.
>
> copyright-format 1.0 is not mandatory.  Why not ship upstream's
> copyright file as is?
Here is the file:

https://sources.debian.org/src/ufoai-maps/2.5-1/LICENSES/

I had to split the game into four digestible pieces (which are in total
1.2 GB large). My original idea was to duplicate the copyright file for
all three data packages but back then this proposal has been harshly
rejected on debian-mentors (when I wasn't a DD yet) because the
copyright file would have mentioned files which are not part of a
specific source package. So I had to write this program

https://sources.debian.org/src/ufoai/2.5-3/debian/ufoai_copyright.py/

to match the current files in the source package with the correct license.

Maybe the package would have been accepted if I just had copied the
LICENSES file and all non-common-licenses verbatim in d/copyright. I
don't know. The reality is that it depends on some DD whether your
package is uploaded to Debian or not. As a mere contributor you either
have to swallow that or give up.

>> netbeans: [4]
>>
>> ~80000 files with dozens of licenses and hundreds of contributors. This
>> is only maintainable copyright-wise because I remove lots of files when
>> repacking the tarball.
>
> *nod* This is a similar case to bullet.  Upstream is likely not
> interested in creating a LICENSE file but they could be interested in
> accepting it as a contribution, especially if you set them up with a
> licensecheck-like workflow to keep it from bitrotting.
Yup. Same case as bullet. I'm positive that it would have been even more
difficult to educate upstream (Oracle) about the LICENSE file in this case.

Regards,

Markus







signature.asc (981 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Bug#884228: debian-policy: please add OFL-1.1 to common licenses

Markus Koschany-2
In reply to this post by Russ Allbery-2
Am 28.12.2017 um 23:10 schrieb Russ Allbery:

> Markus Koschany <[hidden email]> writes:
>
>> Why do we add the BSD license to common-licenses but not MIT and zlib?
>
> I'm not sure why the BSD license was included in common-licenses
> originally.  My theory was that it was to include all the licenses
> mentioned by name in the DFSG.  However, the version in common-licenses is
> specific to code whose copyright is held by the University of California,
> so it's not very useful.  Including it there in that form was probably a
> mistake.
>
> We found multiple packages in Debian that referred to the common-licenses
> version of the BSD license but weren't actually released under that
> license.  That's why Policy now says to not reference the version of the
> BSD license in common-licenses.
>
> We haven't removed it because it's very hard to do that.  There are still
> quite a few packages in the archive that reference it (many possibly
> incorrectly).
>
> See https://bugs.debian.org/284340.
I see. Thanks for your explanation.

Apparently including more DFSG-licenses is a recurring theme. It is
telling that this even goes back to 2004. One faction would like to see
BSD/MIT/zlib aka permissive short-licenses included, the other side
believes this could be ambiguous and mistakes are inevitable.

*sigh*

This is like prohibiting cars for transportation because they could be
used as weapons or football matches because someone could get hurt. I
believe we make life for us more difficult than necessary. Well, I guess
it can't be helped...





signature.asc (981 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Bug#884228: debian-policy: please add OFL-1.1 to common licenses

Russ Allbery-2
In reply to this post by Markus Koschany-2
Markus Koschany <[hidden email]> writes:

> Ok I can see the misunderstanding now. The above statement would be
> incorrect for freeorion because it translates to:

> You are allowed to use the files under GPL-2 and Permissive-License-1
> and Permissive-License-2 and ...

> But this is not true. Not all files are dual/triple/-licensed. Actually
> no file is even dual-licensed.

That's not what "and" means.  That would be "or".  "and" means you have to
follow all of those licenses when using a work composed of those files,
which sounds correct to me.

It's not correct if you take one of the files from the group in isolation;
in that case, you probably only have to follow one of the licenses.  But
that gets back to the question of just what we're supposed to be
documenting in debian/copyright.

> But if there is even one file which is differently licensed like

> Files: src/parser.c
> Copyright: 2009, John Jay
> License: Expat

> you have to mention that in d/copyright. Otherwise your copyright file
> would be incomplete/incorrect under the current Policy requirements.
> This is reject-worthy.

Policy does not require that.  ftpmaster might, which is not quite the
same thing.

> However upstream could simply state that all software is GPL-2+ licensed
> because the Expat license grants them the right to sublicense parser.c.

The Expat license grants *anyone* the right to do that, so the Debian
package maintainer can do this just as easily as upstream can.

--
Russ Allbery ([hidden email])               <http://www.eyrie.org/~eagle/>

Reply | Threaded
Open this post in threaded view
|

Bug#884228: debian-policy: please add OFL-1.1 to common licenses

Markus Koschany-2
Am 29.12.2017 um 23:35 schrieb Russ Allbery:

> Markus Koschany <[hidden email]> writes:
>
>> Ok I can see the misunderstanding now. The above statement would be
>> incorrect for freeorion because it translates to:
>
>> You are allowed to use the files under GPL-2 and Permissive-License-1
>> and Permissive-License-2 and ...
>
>> But this is not true. Not all files are dual/triple/-licensed. Actually
>> no file is even dual-licensed.
>
> That's not what "and" means.  That would be "or".  "and" means you have to
> follow all of those licenses when using a work composed of those files,
> which sounds correct to me.
Of course. My bad! Still in the case of freeorion Jonathan's suggestion
would be incorrect. Nobody is obliged to adhere to _all_ license
conditions for _all_ files. If there are images licensed under CC-BY,
then I certainly don't have to follow all license conditions of the GPL
when I create a derivative work based on those images.

> It's not correct if you take one of the files from the group in isolation;
> in that case, you probably only have to follow one of the licenses.  But
> that gets back to the question of just what we're supposed to be
> documenting in debian/copyright.
>
>> But if there is even one file which is differently licensed like
>
>> Files: src/parser.c
>> Copyright: 2009, John Jay
>> License: Expat
>
>> you have to mention that in d/copyright. Otherwise your copyright file
>> would be incomplete/incorrect under the current Policy requirements.
>> This is reject-worthy.
>
> Policy does not require that.  ftpmaster might, which is not quite the
> same thing.
That's a bold claim.

"Every package must be accompanied by a verbatim copy of its copyright
information and distribution license in the file
/usr/share/doc/package/copyright"

Experience tells me that packages are rejected if they don't mention
_each and every_ copyright information.

I'm absolutely certain this warrants rejects by the FTP team. In my
opinion Policy should always be in sync with ftpmasters decisions. I
understand that this is not always easy to achieve but if your statement
is true, it is kind of shocking because it means the ftpmasters are
above Policy.

>> However upstream could simply state that all software is GPL-2+ licensed
>> because the Expat license grants them the right to sublicense parser.c.
>
> The Expat license grants *anyone* the right to do that, so the Debian
> package maintainer can do this just as easily as upstream can.

This is correct and sounds completely sensible to me. From my personal
experience I can say this is not the reality though. We are required to
mention public-domain licensed files and very permissive licensed files
in d/copyright too. I can't just write the package is licensed under the
GPL-2. I have to mention _all_ the different licenses in one package,
otherwise my package gets rejected.

Perhaps this should be clarified. I would really like to see this happen.

Markus



signature.asc (981 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Bug#884228: debian-policy: please add OFL-1.1 to common licenses

Russ Allbery-2
Markus Koschany <[hidden email]> writes:
> Am 29.12.2017 um 23:35 schrieb Russ Allbery:

>> Policy does not require that.  ftpmaster might, which is not quite the
>> same thing.

> That's a bold claim.

> "Every package must be accompanied by a verbatim copy of its copyright
> information and distribution license in the file
> /usr/share/doc/package/copyright"

I think there's an active project debate of the meaning of just about
every word in that sentence, and most of those debates have gone on for
years.  For example, does "verbatim" mean that collapsing multiple
copyright statements into one as allowed by copyright-format 1.0 is a
Policy violation, since that makes the copy not "vertabim"?

Anyway, the point that I was trying to make is that Policy says you have
to copy the copyright information and distribution license.  There's
nothing in there that says this means every license in the source package;
even ftpmaster doesn't require the licenses in, say, configure and
Makefile.in be copied.  An equally valid interpretation is that this is
the license under which the package is distributed, which is probably the
most restrictive of the set of licenses that cover the material that went
into the derivative work, or the union of them, depending on the exact
wording of the licenses.

In other words, if you have a few public domain files, a few GPL-2+ files,
and a few GPL-3+ files, there's nothing in Policy right now that says you
can't just put the GPL-3 into /usr/share/doc/package/copyright of the
resulting binary package and be done with it, since that's the effective
distribution license for the binary package.  However, that's not the
current ftpmaster policy, and ftpmaster both predates Policy and is the
decision-making body in Debian responsible for this.

That means Policy is at best horribly ambiguous and at worst wrong and
should be fixed to state the actual requirements, which I think everyone
agrees on.  Fixed to say *what* is the problem.

> Experience tells me that packages are rejected if they don't mention
> _each and every_ copyright information.

> I'm absolutely certain this warrants rejects by the FTP team. In my
> opinion Policy should always be in sync with ftpmasters decisions. I
> understand that this is not always easy to achieve but if your statement
> is true, it is kind of shocking because it means the ftpmasters are
> above Policy.

We would love to bring Policy in sync with ftpmaster decisions as soon as
we can figure out how to describe them.  That sounds flippant, but it's
the essence of the current situation: Policy says the bare minimum (and
the same thing it's said for years) because we don't have a more accurate
description of the actual requirements that everyone has signed off on.

This isn't ftpmaster's fault, in that I don't think they have a concrete
guide either.  It's more an apprenticeship and tradition thing, which
doesn't seem to be standardized sufficiently to turn into Policy language.
I feel like that would be a good goal for the project, but this has also
been something we've all wanted for years and years now.  It's clearly
quite hard to achieve, and I'm not sure the right path that would get us
there.

That's why I've been arguing in debian-devel in favor of a working group
to try to analyze this and produce a written policy we can get consensus
on.  Then we can put that into Policy and hopefully everyone will finally
be on the same page.

>> The Expat license grants *anyone* the right to do that, so the Debian
>> package maintainer can do this just as easily as upstream can.

> This is correct and sounds completely sensible to me. From my personal
> experience I can say this is not the reality though. We are required to
> mention public-domain licensed files and very permissive licensed files
> in d/copyright too. I can't just write the package is licensed under the
> GPL-2. I have to mention _all_ the different licenses in one package,
> otherwise my package gets rejected.

Yes, I know, but this is not coming from Policy.  Policy is basically
silent on this.

Please note: I'm not saying Policy *contradicts* ftpmaster either.  I'm
saying that Policy basically doesn't document the requirements for
debian/copyright.

--
Russ Allbery ([hidden email])               <http://www.eyrie.org/~eagle/>

Reply | Threaded
Open this post in threaded view
|

Bug#884228: debian-policy: please add OFL-1.1 to common licenses

Simon McVittie-7
In reply to this post by Markus Koschany-2
On Fri, 29 Dec 2017 at 22:24:23 +0100, Markus Koschany wrote:

> Am 29.12.2017 um 00:06 schrieb Jonathan Nieder:
> > Using 'Files: *' when different files are under different licenses
> > sacrifices precision, but it doesn't sacrifice accuracy.  You can say
> >
> >  Files: *
> >  License: GPL-2 and Permissive-License-1 and Permissive-License-2 and ...
> >
> > Or you can even write
> >
> >  Files: *
> >  License: Freeorion
>
> Ok I can see the misunderstanding now. The above statement would be
> incorrect for freeorion because it translates to:
>
> You are allowed to use the files under GPL-2 and Permissive-License-1
> and Permissive-License-2 and ...
>
> But this is not true. Not all files are dual/triple/-licensed. Actually
> no file is even dual-licensed.

I think you're confusing this with a disjunction (dual/multi-license),
which is "GPL-2 or Permissive-License-1 or ..." in copyright-format.

"License: GPL-2 and Permissive-License-1 and Permissive-License-2 ..."
means you can only redistribute the file(s) in question if
you simultaneously do everything GPL-2 requires, everything
Permissive-License-1 requires, everything Permissive-License-2 requires,
and so on. In the case of the GPL, in practice that collapses into
"everything GPL-2 requires", unless the file is a GPL violation due to
the other licenses being non-GPL-compatible - but my understanding is
that the ftp team still require us to quote all the licenses, even if
they have no practical effect.

There are a couple of real-world examples of the "and" syntax in
src:darkplaces, where permissively-licensed code was copied into a
GPL-2+ project, resulting in files that are partly GPL-2+ and partly
some permissive license.

> I had to split the game into four digestible pieces (which are in total
> 1.2 GB large). My original idea was to duplicate the copyright file for
> all three data packages but back then this proposal has been harshly
> rejected on debian-mentors (when I wasn't a DD yet) because the
> copyright file would have mentioned files which are not part of a
> specific source package.

For what it's worth, when I discussed splitting openarena-data with the
ftp team (and then uploaded the split parts through NEW), they didn't
object to the copyright files being identical, with each source package
listing some copyright holders and licenses that actually only exist
in the other source packages from the same group.

However, I can see that d-mentors wouldn't like that: people sponsoring
random packages (that they themselves aren't necessarily involved or
interested in) will tend to assume that this particular package doesn't
deserve to be a special case, because 95% of the time it doesn't. Making
pragmatic decisions like "this is not what I'd usually do, but in this
case it makes more sense" requires enough context to understand the
costs and benefits that apply.

    smcv

Reply | Threaded
Open this post in threaded view
|

Bug#884228: debian-policy: please add OFL-1.1 to common licenses

Tobias Frost-3
On Sat, Dec 30, 2017 at 12:24:19AM +0000, Simon McVittie wrote:

> On Fri, 29 Dec 2017 at 22:24:23 +0100, Markus Koschany wrote:
> > Am 29.12.2017 um 00:06 schrieb Jonathan Nieder:
> > I had to split the game into four digestible pieces (which are in total
> > 1.2 GB large). My original idea was to duplicate the copyright file for
> > all three data packages but back then this proposal has been harshly
> > rejected on debian-mentors (when I wasn't a DD yet) because the
> > copyright file would have mentioned files which are not part of a
> > specific source package.
>
> For what it's worth, when I discussed splitting openarena-data with the
> ftp team (and then uploaded the split parts through NEW), they didn't
> object to the copyright files being identical, with each source package
> listing some copyright holders and licenses that actually only exist
> in the other source packages from the same group.
>
> However, I can see that d-mentors wouldn't like that: people sponsoring
> random packages (that they themselves aren't necessarily involved or
> interested in) will tend to assume that this particular package doesn't
> deserve to be a special case, because 95% of the time it doesn't. Making
> pragmatic decisions like "this is not what I'd usually do, but in this
> case it makes more sense" requires enough context to understand the
> costs and benefits that apply.

Yes, cost/benefit should be considered (and was in this case).  But
please, one should not only evaulate _their_ cost but also the cost this
creates on other parties. The goal should be to reduce the overall
cost-sum.

For example, this particular issue was causing literally thouesands of
lintian stuff, so basically rasing the noise level far above the signal.
And it would have been easily fixed, as d/copyright was script-generated
and the script could have a check implemented to filter the output to
the respective packages.

>     smcv
>

12