• New DEP: Usage of SPDX in debian/copyright

    From Stephan Lachnit@21:1/5 to All on Tue Feb 8 16:10:01 2022
    I would like to request to take the next available DEP number (17 as
    of today). It is about using the SPDX specification as an alternative
    to the machine-readable debian/copyright (previously DEP-5). An
    initial discussion was started on debian-devel [1], and since there
    have been no large objections I would like to formalize it.

    For now, I am the only driver of this DEP. I would like to maintain
    the DEP in the DEP Team's repository [2].

    The header for the DEP:

    Title: Usage of SPDX documents in debian/copyright
    DEP: 17
    State: DRAFT
    Date: 2021-02-08
    Drivers: Stephan Lachnit <stephanlachnit@debian.org>
    URL: http://dep.debian.net/deps/dep17
    Source: https://salsa.debian.org/dep-team/deps/-/blob/master/web/deps/dep17.mdwn
    License: https://spdx.org/licenses/MIT.html
    Abstract:
    Accept SPDX documents as format for debian/copyright to use upstream copyright
    and licensing information, reducing manual copyright review labor.

    Once the DEP number is confirmed, I will upload an initial draft in
    the following days.

    Regards,
    Stephan

    [1] https://lists.debian.org/debian-devel/2022/01/msg00309.html
    [2] https://salsa.debian.org/dep-team/deps

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Russ Allbery@21:1/5 to Stephan Lachnit on Tue Feb 8 17:50:02 2022
    Stephan Lachnit <stephanlachnit@debian.org> writes:

    I would like to request to take the next available DEP number (17 as of
    today). It is about using the SPDX specification as an alternative to
    the machine-readable debian/copyright (previously DEP-5). An initial
    discussion was started on debian-devel [1], and since there have been
    no large objections I would like to formalize it.

    Thank you very much for working on this! I've been looking at adopting
    this for all the packages for which I'm upstream, and really appreciate
    other people also looking at it so that we can figure out the best
    approach.

    --
    Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>

  • From Jonas Smedegaard@21:1/5 to All on Tue Feb 8 17:40:01 2022
    Quoting Stephan Lachnit (2022-02-08 16:02:20)
    I would like to request to take the next available DEP number (17 as
    of today). It is about using the SPDX specification as an alternative
    to the machine-readable debian/copyright (previously DEP-5). An
    initial discussion was started on debian-devel [1], and since there
    have been no large objections I would like to formalize it.

    Sorry that I initially missed it - I have now shared my objection to the
    idea at that thread: https://lists.debian.org/164433477648.2636895.16922257999934052669@auryn.jones.dk

    - Jonas

    --
    * Jonas Smedegaard - idealist & Internet-arkitekt
    * Tlf.: +45 40843136 Website: http://dr.jones.dk/

    [x] quote me freely [ ] ask before reusing [ ] keep private
  • From Russ Allbery@21:1/5 to Jonas Smedegaard on Tue Feb 8 18:40:02 2022
    Jonas Smedegaard <dr@jones.dk> writes:
    Quoting Stephan Lachnit (2022-02-08 16:02:20)

    I would like to request to take the next available DEP number (17 as of
    today). It is about using the SPDX specification as an alternative to
    the machine-readable debian/copyright (previously DEP-5). An initial
    discussion was started on debian-devel [1], and since there have been
    no large objections I would like to formalize it.

    Sorry that I initially missed it - I have now shared my objection to the
    idea at that thread: https://lists.debian.org/164433477648.2636895.16922257999934052669@auryn.jones.dk

    The point, as I understand it, of the SPDX specification is to be even
    more machine-readable, which implies to me that we could generate the
    current debian/copyright format from it, and possibly vice versa. I think
    the best way to move forward with compatibility with SPDX may be to
    improve our side so that we can consume that format and capture all of the
    same information (think JSON and YAML interoperability), which would allow
    us to use tools from their ecosystem while still producing the same
    output files that people are used to today.

    This is a hindsight is 20/20 sort of thing, and I was among the people
    who resisted doing the right thing at the time (mea culpa), but we kind of
    shot ourselves in the foot with the current debian/copyright format. No
    one uses our RFC-2822-style thing except us, and no one has tools for it,
    so people are understandably quite reluctant to adopt it. In hindsight,
    it really should have been (a restricted subset of) YAML or something else
    that everyone else knows how to use; if it had been, I'm not sure we'd be
    in a situation where the rest of the industry is going in a different
    direction. But that's where we're at, and I think we're at significant
    risk of ending up in a dead end and thus not being able to take advantage
    of a ton of licensing work that's being done upstream but is in a format
    that we don't use, requiring us to tediously recreate that work instead.

    My goal in this discussion is to avoid that. I don't really care that
    much about what the canonical output format is because, if done properly,
    I think we should be able to generate multiple output formats from the
    same data with minimum effort. My hope is that we can reuse standard data
    in a format that upstreams will start supplying, thus reducing the amount
    of Debian-specific work we need to do.

    To make that concrete, I want to ship structured copyright and license
    information with all of my upstream packages. I'm currently doing that
    in Debian's format, but Debian's format is not useful to anyone other than
    Debian. I plan on switching to SPDX or REUSE or something similar because
    then someone else has a hope of being able to consume that data. The
    thought of then having to do additional work when packaging to cater to
    Debian is very unappealing; I want to be able to fully automate generating
    the debian/copyright file from the data that I'm already maintaining
    upstream.

    --
    Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>

  • From Jonas Smedegaard@21:1/5 to All on Tue Feb 8 19:00:02 2022
    Quoting Russ Allbery (2022-02-08 18:22:46)
    Jonas Smedegaard <dr@jones.dk> writes:
    Quoting Stephan Lachnit (2022-02-08 16:02:20)

    I would like to request to take the next available DEP number (17 as of
    today). It is about using the SPDX specification as an alternative to
    the machine-readable debian/copyright (previously DEP-5). An initial
    discussion was started on debian-devel [1], and since there have been
    no large objections I would like to formalize it.

    Sorry that I initially missed it - I have now shared my objection to the idea at that thread: https://lists.debian.org/164433477648.2636895.16922257999934052669@auryn.jones.dk

    The point, as I understand it, [...]

    Are we discussing the request to take DEP-17 for a 3rd copyright file
    format, or more generally how to best integrate SPDX in copyright files,
    or something else?

    Are we discussing one (or more) of those topics here or at d-devel, or
    both?!?

    I tried to encourage keeping the broader discussion at d-devel by only pointing towards it from here, but perhaps that was wrong/silly...


    - Jonas

    --
    * Jonas Smedegaard - idealist & Internet-arkitekt
    * Tlf.: +45 40843136 Website: http://dr.jones.dk/

    [x] quote me freely [ ] ask before reusing [ ] keep private
  • From Felix Lechner@21:1/5 to rra@debian.org on Tue Feb 8 19:20:01 2022
    Hi,

    On Tue, Feb 8, 2022 at 9:31 AM Russ Allbery <rra@debian.org> wrote:

    No one uses our RFC-2822-style thing except us, and no one has tools
    for it, so people are understandably quite reluctant to adopt it.

    I agree with that assessment.

    As far as I understand the situation of DEP-5 tooling, I may now have (reluctantly) implemented in Lintian the most commonly used—and
    therefore the authoritative—parser for the DEP-5 format. [1] I am only
    aware of one other relevant implementation. [2]

    it really should have been (a restricted subset of) YAML

    The issue with DEP-5 is not merely one of format. The standard is also
    not fully specified. [3]

    My hope is that we can reuse standard data
    in a format that upstreams will start supplying, thus reducing the amount
    of Debian-specific work we need to do.

    There is an opinion, possibly a minority, that the purpose of the
    d/copyright file is to supply license information only for installable packages. [4] For sources, there are other mechanisms, such as
    comments or COPYRIGHT files, that are unlikely to be replaced by this
    or other efforts.

    Some folks even ship different copyright files with installables
    generated from the same sources. [5]

    Kind regards,
    Felix Lechner

    [1] https://salsa.debian.org/lintian/lintian/-/blob/master/lib/Lintian/Check/Debian/Copyright/Dep5.pm
    [2] https://bugs.debian.org/1000319
    [3] https://bugs.debian.org/969541
    [4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672284#31
    [4] https://bugs.debian.org/672284

  • From Stephan Lachnit@21:1/5 to dr@jones.dk on Tue Feb 8 19:20:01 2022
    On Tue, Feb 8, 2022 at 6:55 PM Jonas Smedegaard <dr@jones.dk> wrote:

    Are we discussing the request to take DEP-17 for a 3rd copyright file
    format, or more generally how to best integrate SPDX in copyright files,
    or something else?

    Are we discussing one (or more) of those topics here or at d-devel, or both?!?

    I tried to encourage keeping the broader discussion at d-devel by only pointing towards it from here, but perhaps that was wrong/silly...

    To answer this quickly: the former one is my plan. But plans won't
    always work, so I will also look at the latter option (i.e. REUSE ->
    SPDX -> DEP5). Note that DEP5 -> SPDX is afaik not possible
    standalone, but REUSE essentially is already a DEP5 -> SPDX converter
    if given the source files.

    Regards,
    Stephan

  • From Dominik George@21:1/5 to All on Tue Feb 8 19:40:01 2022
    Hi,

    No one uses our RFC-2822-style thing except us, and no one has tools for it

    Well, then they should just apt install them.

    I failed to understand SPDX until today (with the exception of the license specifiers), which is mostly due to the quadrillion different formats SPDX data can come in.

    I am totally for aligning the License: field with SPDX licence specifications, but that's it. For everything else, SPDX is a PITA.

    -nik

  • From Russ Allbery@21:1/5 to Jonas Smedegaard on Tue Feb 8 21:10:01 2022
    Jonas Smedegaard <dr@jones.dk> writes:

    Are we discussing one (or more) of those topics here or at d-devel, or both?!?

    Sorry, I for some reason thought the DEP discussion was moving here and
    had it stuck in my head that debian-project was where DEPs are discussed.
    I'll discuss this in debian-devel instead.

    --
    Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>

  • From Charles Plessy@21:1/5 to All on Sat Feb 12 09:50:01 2022
    On Tue, Feb 08, 2022 at 04:02:20PM +0100, Stephan Lachnit wrote:
    I would like to request to take the next available DEP number (17 as
    of today). It is about using the SPDX specification as an alternative
    to the machine-readable debian/copyright (previously DEP-5). An
    initial discussion was started on debian-devel [1], and since there
    have been no large objections I would like to formalize it.

    For now, I am the only driver of this DEP. I would like to maintain
    the DEP in the DEP Team's repository [2].

    Dear Stephan,

    thank you for your initiative.

    I just added you to the dep-team/deps project on Salsa. Please open
    issues if you have technical problems while adding DEP17.

    Have a nice week-end,

    Charles

    --
    Charles Plessy Nagahama, Yomitan, Okinawa, Japan
    Debian Med packaging team http://www.debian.org/devel/debian-med
    Tooting from work, https://mastodon.technology/@charles_plessy
    Tooting from home, https://framapiaf.org/@charles_plessy
