Quoting Ian Jackson (2022-04-11 18:51:35)

For transparency, I am CCing this reply to debian-devel, and quoting
the whole of the REJECTED mail. There does not seem to be anything in
here that ought to be private. Please let me know if there is
somewhere better. (I considered -legal but it didn't seem
appropriate.)

Since you ask: Seems to me that more suitable would be to file an ITP bugreport and post followups like this to that bugreport.

Filing an ITP would also serve as an invitation for ftpmasters to post
their followup to that bugreport on their own.


Kind regards,

- Jonas

--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/

[x] quote me freely [ ] ask before reusing [ ] keep private --==============e50673048348519771=MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Description: signature
Content-Type: application/pgp-signature; name="signature.asc"; charset="us-ascii"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEn+Ppw2aRpp/1PMaELHwxRsGgASEFAmJUX4cACgkQLHwxRsGg ASEBsxAAo+Bp6v5g/kjys6/fQIObZSXtx5cfuikHNlEVw+YerqOM3fuV2wISSyFz v1uYphUG973gSFoODZmsQppxYT9v5IxGHbruSzYhQDDlQ7Iok/kFcvTCd6MIUBdS qf9Puy7m39RofR8L027OSy3+nGMeaNbf+SjiIv12q+OEi8Y6iwhUL94NfA0FKrnv qkDJDkd2zO/pkFSsj/D4cFOmPF5b/7Evr3mePlto4UqjEoFlEsn9LHl43BYOJttm qGQLeufOKM8s94CzElTgCmlw2edBcwMmjMAhzynlB8JpcP52hMVpOU2T7qj740f1 RZrRNCSQfbTkMHVAwMlRgTzZfWP4UN6bzJ/WJG+sgW/Nzlo7hsHS2IDFDvRJ3oZ6 aw3785kXTfHxLV2iPFUPZU90RXzrrP2JrijvRB/yPmtTylXVHBcFKONNBpCvBvDg GhzL1vvcUYtHoNDKP3y9UKPh0cPglnIe3k3TP30/Dsc/0WmVza2GR4KjS8YigFS5 9whgf4HpE0ccogp/G

Firstly, thanks to ftpmaster for your thorough review of this package.

For transparency, I am CCing this reply to debian-devel, and quoting
the whole of the REJECTED mail. There does not seem to be anything in
here that ought to be private. Please let me know if there is
somewhere better. (I considered -legal but it didn't seem
appropriate.)

FTAOD, I am not, with this mail, asking -devel for a peer review of my package's licensing status, nor of the ftpmaster decision; just using
-devel as a catch-all list.

Sean Whitton writes ("secnet_0.6.2_multi.changes REJECTED"):

+----------------------+
| REJECT reasoning |
+----------------------+

Another team member identified that there is code in this package
under a number of different licenses other than GPL-3+, but that is
not specified in sufficient detail in d/copyright. That contravenes
both Debian Policy and the terms of those licenses.

My apologies. You are completely correct. I don't understand how I
came to think that the approach I took was sufficient. I guess it is
a long time since I prepared a package with so many different bits and
pieces in it.

They also pointed out that there is some code from StackOverflow,
which is not GPL-3+.

I think this is not right? I think you are referring to `argparseactionnoyes.py`. As I documented in the file header, it is
part of StackOverflow's TOS that contributors grant a CC-BY-SA 4.0
licence for the snippets they upload, which would make the
contributions GPL3+-compatible. My file comment gives the relevant
references. [1]

It seems to me that StackOverflow have chosen this approach (making
the upload licence part of the TOS) precisely to enable people to copy
code fragments out of StackOverflow into their own projects. ISTM
that in (unless it appears that the posting StackOverflow user did not
write the code in question), we should be able to rely on that.

Can you please confirm whether the opinion of the ftpmaster team, that
is not sufficient? If it is not sufficent, I guess I will find
someone to write a clean room implementation of this 22-line class.

I noticed that b91dec.{php,awk} have no license information at all.

As you observe, these files as provided by upstream do not themselves
contain licence information. But the file base91-c/README (which is
provided by upstream) says, amongst other things:

All source code in this package is released under the terms of the BSD license.
See the file LICENSE for copying permission.

And these files were (according to their copyright notice) written by
the same author and clearly part of the base91-c project. I think
this licence therefore applies also to the files b91dec.{php,awk}.

+----------------------+
| Other comments |
+----------------------+

Your changelog mentions changes to comply with modern Policy, so please consider upgrading the standards-version too.

Thank you. I appear to have omitted to do this when doing my
standards update review.

Shouldn't subdirmk be a separate package?

Well. It is designed to be "git-subtree"'d into one's package. That
is the way the upstream package uses it.

It would be possible to make it a separate package and build-depend on
it, at the cost of some additional work. The upside would be a very
small amount of disk space saving, and largely theoretical saving of
work in case of a need to do a security update for subdirmk (which
seems unlikely to be critical since it's build system software which
is designed to execute its input) - and that all only in the case
where a second package in Debian uses subdirmk.

It seemed me best to me to defer this work until subdirmk becomes more
widely used.

Thanks,
Ian.

[1] https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=secnet.git;a=blob;f=argparseactionnoyes.py;h=a7eef77771c46345be27eaa90a17858bc52a3f60;hb=HEAD

--
Ian Jackson <ijackson@chiark.greenend.org.uk> These opinions are my own.

Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 4/11/22 19:04, Jonas Smedegaard wrote:

Quoting Ian Jackson (2022-04-11 18:51:35)

For transparency, I am CCing this reply to debian-devel, and quoting
the whole of the REJECTED mail. There does not seem to be anything in
here that ought to be private. Please let me know if there is
somewhere better. (I considered -legal but it didn't seem
appropriate.)

Since you ask: Seems to me that more suitable would be to file an ITP bugreport and post followups like this to that bugreport.

Filing an ITP would also serve as an invitation for ftpmasters to post
their followup to that bugreport on their own.

Kind regards,

- Jonas

I'd approve if the FTP masters were doing this by default. I wouldn't
mind if my (licensing or others) mistakes were discussed publicly.

So now I wonder what's the FTP team members (and other DDs) opinion
about this. Maybe it'd be nicer to have an opt-in for it, but then
that'd be very annoying for the FTP team to know when to do what (with
possible mistakes).

Any idea how we could automate the Reply-To: thingy in a REJECTED
action, depending on uploader's preference? (not: I'm not volunteering,
just trowing a piece of idea... :)

Cheers,

Thomas Goirand (zigo)

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Mon, 2022-04-11 at 23:34 +0200, Thomas Goirand wrote:

Any idea how we could automate the Reply-To: thingy in a REJECTED
action, depending on uploader's preference? (not: I'm not
volunteering, just trowing a piece of idea... :)

Here is an idea I posted on IRC a while back that should work and
would solve the issues with not every package in NEW having an ITP:

#debian-ftp:

<pabs> random unpolished idea for NEW: instead of rejects, while the
package is in NEW, dak could export the Source/Maintainer/Uploaders to
the BTS but not the package itself, then ftp-masters would file RC
issues against the "NEW" package, which would get closed by new
revisions of the package uploaded to NEW
<spwhitton> pabs: if the BTS knew about NEW packages that would be
great. I have to make notes to file bugs the next day etc.
* pabs asked about feasibility in #debbugs

#debbugs:

<pabs> dondelelcaro: wondering about the feasibility of the BTS side of
this idea from #debian-ftp:
<pabs> <pabs> random unpolished idea for NEW: instead of rejects, while
the package is in NEW, dak could export the Source/Maintainer/Uploaders
to the BTS but not the package itself, then ftp-masters would file RC
issues against the "NEW" package, which would get closed by new
revisions of the package uploaded to NEW
<dondelelcaro> pabs: I'm OK with that in principle; we'd need to figure
out the right way to share that data, but the BTS basically only needs
the information from the .changes anyway
<pabs> dondelelcaro: how about debbugs downloads the deb822 for NEW? https://ftp-master.debian.org/new.822
<pabs> it is almost the same as Sources files
<pabs> hmm, no Uploaders though
<pabs> IIRC debbugs doesn't look at that though
<pabs> the rest of the info in it seems similar to .changes
<dondelelcaro> hrm; that could work. the bit that we're missing is the .versions file for NEW which lists the changelogs
<dondelelcaro> but maybe that's not super important for things in NEW <dondelelcaro> since presuambly there'd only be a few bugs, and they'd
be RC, so someone could just manually fix them up if they weren't
properly versioned after the package completes NEW
<pabs> hmm ok. might be possible to get dak to export the .versions
somehow too
<pabs> anyway, just an idea at this stage. thanks for clarifying it is reasonable and potentially feasible

--
bye,
pabs

https://wiki.debian.org/PaulWise

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEYQsotVz8/kXqG1Y7MRa6Xp/6aaMFAmJU1QAACgkQMRa6Xp/6 aaOi1xAAgKFbXPNl74Hfe8vl+OlrVQutKUGB4RPAmDSS2UlINg5gz+HcmLba/9bS K7dvm6vJiccd4WQvThOCWlqZyhFo3xDHflaEKE3hE3fKc5iP/tFVTzbfLQr2Uk05 XG++RPLRkx4F1x2ysMROJ40aOaP6cDHKrI2I3NOgDzaLvNECrJR62CT/PldcL8Fr rGUyzGs7fXsS+2V6coT2H3HKOe06tLqB3r4puR2MLxvXa9yosxxBUSWW4hgd36IS uXxph76Oq1LNF70iGb+oWUkA6B6wOBRfwJXuVLG1Lvg8giG4r7qmVOnJy5dl2gST fVWP6WNsFLKNnf6g0kggC4Yk4BSVkcqHZs0Am2YKLtxVcGDSIoOD3ZjYGzyPu19L 7TjZU7Gknv/vDE5jF9BgcMs9qjFn4zoSY2PQnkwa66YN1mg7FLAfnxXnqsKOvqoY JRLHGFh6uT+de6l2xLACHmM86sXOXoPBZgtRo7zlDozW9WC62wz8al7B69132wFo 1sOfw8LwS03/r/W5inAdWu0VTHbEC7h7ejiyb1xr3FGv5SnkVqqKgkX6+jZJQkzY wenLrRGwIuEXoe6Po/hWtefAvO0p0ViVFr/3zZY7K71MA2NBzt7UrgJIZn7RhVz1 CcY7LUC4kIyEPCjHWzqz8xCERLzngALxtypGOYgWrQ05SGfC/sc=
=xQX3
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hello,

On Mon 11 Apr 2022 at 05:51PM +01, Ian Jackson wrote:

They also pointed out that there is some code from StackOverflow,
which is not GPL-3+.

I think this is not right? I think you are referring to `argparseactionnoyes.py`. As I documented in the file header, it is
part of StackOverflow's TOS that contributors grant a CC-BY-SA 4.0
licence for the snippets they upload, which would make the
contributions GPL3+-compatible. My file comment gives the relevant references. [1]

It seems to me that StackOverflow have chosen this approach (making
the upload licence part of the TOS) precisely to enable people to copy
code fragments out of StackOverflow into their own projects. ISTM
that in (unless it appears that the posting StackOverflow user did not
write the code in question), we should be able to rely on that.

Can you please confirm whether the opinion of the ftpmaster team, that
is not sufficient? If it is not sufficent, I guess I will find
someone to write a clean room implementation of this 22-line class.

In this case, I believe I was just passing on the other team member's
comment. What you say seems fine, though it should be documented in d/copyright -- the code does not become GPL-3+ by being GPL-3-compatible.

I noticed that b91dec.{php,awk} have no license information at all.

As you observe, these files as provided by upstream do not themselves
contain licence information. But the file base91-c/README (which is
provided by upstream) says, amongst other things:

All source code in this package is released under the terms of the BSD license.
See the file LICENSE for copying permission.

And these files were (according to their copyright notice) written by
the same author and clearly part of the base91-c project. I think
this licence therefore applies also to the files b91dec.{php,awk}.

Sounds like I was just being confused by directory structure, then.

Shouldn't subdirmk be a separate package?

Well. It is designed to be "git-subtree"'d into one's package. That
is the way the upstream package uses it.

It would be possible to make it a separate package and build-depend on
it, at the cost of some additional work. The upside would be a very
small amount of disk space saving, and largely theoretical saving of
work in case of a need to do a security update for subdirmk (which
seems unlikely to be critical since it's build system software which
is designed to execute its input) - and that all only in the case
where a second package in Debian uses subdirmk.

It seemed me best to me to defer this work until subdirmk becomes more
widely used.

Cool. Just wanted to raise the question.

--
Sean Whitton

--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQJNBAEBCgA3FiEEm5FwB64DDjbk/CSLaVt65L8GYkAFAmJkeJoZHHNwd2hpdHRv bkBzcHdoaXR0b24ubmFtZQAKCRBpW3rkvwZiQEeoEACyaRVjsoZxoxqB7za78Lqw Ot2eKEk1hLcdfvQtXcr/NywR+kjV7yQfTHGOT3T4ISXQxbFVTpIPGwVRUd9bZ53Y OqzQt4aTTBmpaJW6nlnvrnIH4MMUozFLRofpQq5Sv2TRoerBcipUdfXAR8/brEbD L0aie1I2koocYA0kpCkcBVqQI480gmcMlYbmvDPmvvWeA1gTlbK2JevqCGnT2kSP c22d8o7/PW1lo/eyfijkIayUcL96VgBUR5gbeslwqmwEym30q4TkdVdwIZJ9iFE9 S35Tpb0ykRgRNrCSMVJnsfP+NRfHftcjNdYJBlJC+L2JquflwVXvEADGBWEoXOA0 D8w/lTVywvdSWv4gPvqcaAWubgnQECXzWhJZG/ZXRlvlih8mGbuFzNkaPpdEPuUE Gb/r60Qf9BJPNdAeOAS04Tlgx8wIwEzIwM4T6FU7Ja9X63KXjayn39d609kZ0ITi qVyzG/LmuXB2K8zbjKcVb//K/f+mtWffl6NtMBvMpXMBnsMZC088zIQiEnCduCK4 74/+VRQs9O1O1sx6Qddix1MLfqpj2u0WAmIA7QL33QjrxiOTDirNmCvGohccIlJt 8t3NOZ6QmpWCUtxG5pGUMTdbkm4uN1+7O4CMxHWxyEDVMyE+MZ5pWRMPLJ494ERs S7F0H69akTl3wPp7glJy0g==OHBD
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Us