• Use of License-Reference in debian/copyright allowed?

    From John Paul Adrian Glaubitz@21:1/5 to All on Sun Jan 16 19:40:02 2022
    (Please CC me, I'm not subscribed to debian-devel)

    Hi!

    I'm currently updating the debian/copyright of my two packages fs-uae-arcade [1] and
    fs-uae-launcher [2] as both packages got rejected by the FTP team due to an incomplete
    debian/copyright.

    Since the packages contain a lot of different licenses, the debian/copyright would be
    very long when copying the different license texts verbatim.

    However, I stumbled over the fonts-roboto package which resolves this issue by using just
    references to the full license texts which are present on any Debian system anyway [3].

    I have updated debian/copyright of both fs-uae-* packages to use the "License-Reference"
    keyword, however lintian now complains about the missing license texts so I'm wondering
    whether this approach - which I like - is actually compliant with the Debian Policy?

    Thanks,
    Adrian

    [1] https://github.com/glaubitz/fs-uae-arcade-debian
    [2] https://github.com/glaubitz/fs-uae-launcher-debian
    [3] https://salsa.debian.org/fonts-team/fonts-roboto/-/blob/master/debian/copyright

    --
    .''`. John Paul Adrian Glaubitz
    : :' : Debian Developer - glaubitz@debian.org
    `. `' Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
    `- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Jonas Smedegaard@21:1/5 to All on Sun Jan 16 20:00:01 2022
    Quoting John Paul Adrian Glaubitz (2022-01-16 19:38:25)
    (Please CC me, I'm not subscribed to debian-devel)

    Hi!

    I'm currently updating the debian/copyright of my two packages
    fs-uae-arcade [1] and fs-uae-launcher [2] as both packages got
    rejected by the FTP team due to an incomplete debian/copyright.

    Since the packages contain a lot of different licenses, the
    debian/copyright would be very long when copying the different license
    texts verbatim.

    However, I stumbled over the fonts-roboto package which resolves this
    issue by using just references to the full license texts which are
    present on any Debian system anyway [3].

    I have updated debian/copyright of both fs-uae-* packages to use the "License-Reference" keyword, however lintian now complains about the
    missing license texts so I'm wondering whether this approach - which I
    like - is actually compliant with the Debian Policy?

    License texts are required to be included verbatim.

    A few license texts are _already_ included verbatim in the base systems.

    What fonts-roboto does is to reference licenses already included.

    I firmly believe that it is Policy-compliant to reference files included
    with package base-files and installed below /usr/share/common-licenses.
    All other license texts must be included verbatim in the
    debian/copyright file

    Please note, however, that license _grants_ (i.e. the various ways a
    copyright holder can state that they grant some _referenced-by-them_
    license) need not be included verbatim.

    The lintian complaint is discussed in bug#786450.


    - Jonas

    --
    * Jonas Smedegaard - idealist & Internet-arkitekt
    * Tlf.: +45 40843136 Website: http://dr.jones.dk/

    [x] quote me freely [ ] ask before reusing [ ] keep private
  • From Jonas Smedegaard@21:1/5 to All on Sun Jan 16 20:10:02 2022
    Quoting Jonas Smedegaard (2022-01-16 19:53:48)
    Quoting John Paul Adrian Glaubitz (2022-01-16 19:38:25)
    I have updated debian/copyright of both fs-uae-* packages to use the "License-Reference" keyword, however lintian now complains about the missing license texts so I'm wondering whether this approach - which
    I like - is actually compliant with the Debian Policy?
    [...]
    I firmly believe that it is Policy-compliant to reference files
    included with package base-files and installed below /usr/share/common-licenses. All other license texts must be included verbatim in the debian/copyright file

    Maybe more interesting than what I personally believe might be, that I
    use that writing style generally for the about 600 packages that I am
    involved in maintaining, and evidently ftpmasters agree with me.

    For anyone considering to adopt this pattern, it is quite some time ago
    that I helped Vasudev package Roboto fonts, and I have simplified and
    extended my writing style to use the shorter field "Reference" and also
    use it to reference sources of copyright holders and license grants when
    not contained in licensed file itself (with a little special twist of self-referencing canonical statements in debian/copyright).

    I use the package ghostscript as my sort-of reference package. Look at
    that for my newest inventions on copyright file writing and checking.

    See also https://wiki.debian.org/CopyrightReviewTools

    - Jonas

    --
    * Jonas Smedegaard - idealist & Internet-arkitekt
    * Tlf.: +45 40843136 Website: http://dr.jones.dk/

    [x] quote me freely [ ] ask before reusing [ ] keep private
  • From John Paul Adrian Glaubitz@21:1/5 to Jonas Smedegaard on Sun Jan 16 20:20:02 2022
    Hi Jonas!

    On 1/16/22 20:06, Jonas Smedegaard wrote:
    Quoting Jonas Smedegaard (2022-01-16 19:53:48)
    Quoting John Paul Adrian Glaubitz (2022-01-16 19:38:25)
    I have updated debian/copyright of both fs-uae-* packages to use the
    "License-Reference" keyword, however lintian now complains about the
    missing license texts so I'm wondering whether this approach - which
    I like - is actually compliant with the Debian Policy?
    [...]
    I firmly believe that it is Policy-compliant to reference files
    included with package base-files and installed below
    /usr/share/common-licenses. All other license texts must be included
    verbatim in the debian/copyright file

    Maybe more interesting than what I personally believe might be, that I
    use that writing style generally for the about 600 packages that I am involved in maintaining, and evidently ftpmasters agree with me.

    That's a very positive sign that the FTP team will accept the writing style
    as well.

    For anyone considering to adopt this pattern, it is quite some time ago
    that I helped Vasudev package Roboto fonts, and I have simplified and extended my writing style to use the shorter field "Reference" and also
    use it to reference sources of copyright holders and license grants when
    not contained in licensed file itself (with a little special twist of self-referencing canonical statements in debian/copyright).

    I agree it's a great idea as it saves a lot of time. Writing an acceptable debian/copyright file can be quite frustrating so this is a very welcome improvement.

    I use the package ghostscript as my sort-of reference package. Look at
    that for my newest inventions on copyright file writing and checking.

    See also https://wiki.debian.org/CopyrightReviewTools

    Thanks, I'll have a look!

    Thanks a lot for the quick and detailed response!

    Adrian

    --
    .''`. John Paul Adrian Glaubitz
    : :' : Debian Developer - glaubitz@debian.org
    `. `' Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
    `- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913

  • From Jonas Smedegaard@21:1/5 to All on Sun Jan 16 21:30:01 2022
    Quoting John Paul Adrian Glaubitz (2022-01-16 20:10:08)
    On 1/16/22 20:06, Jonas Smedegaard wrote:
    For anyone considering to adopt this pattern, it is quite some time
    ago that I helped Vasudev package Roboto fonts, and I have
    simplified and extended my writing style to use the shorter field "Reference" and also use it to reference sources of copyright
    holders and license grants when not contained in licensed file
    itself (with a little special twist of self-referencing canonical statements in debian/copyright).

    I agree it's a great idea as it saves a lot of time. Writing an
    acceptable debian/copyright file can be quite frustrating so this is a
    very welcome improvement.

    It is a small step towards a bigger goal: Licensecheck producing
    directly usable debian/copyright files.


    I use the package ghostscript as my sort-of reference package. Look
    at that for my newest inventions on copyright file writing and
    checking.

    See also https://wiki.debian.org/CopyrightReviewTools

    Thanks, I'll have a look!

    Thanks a lot for the quick and detailed response!

    Thanks for showing interest in my license writing style. Makes me warm
    and fuzzy inside to know that others notice my work in arguably one of
    the darker corners of our packages.

    If you (or others) have a package with particularly tricky licensing,
    then please tell me, as a) they might help improve licensecheck, and b)
    I might be in the mood to roll up my sleeves and help you out concretely
    - not only getting the debian/copyright file done *once* but also make
    it actually _maintainable_.


    - Jonas

    --
    * Jonas Smedegaard - idealist & Internet-arkitekt
    * Tlf.: +45 40843136 Website: http://dr.jones.dk/

    [x] quote me freely [ ] ask before reusing [ ] keep private
  • From Sam Hartman@21:1/5 to All on Mon Jan 17 03:50:02 2022
    "Jonas" == Jonas Smedegaard <jonas@jones.dk> writes:

    Jonas> Please note, however, that license _grants_ (i.e. the various
    Jonas> ways a copyright holder can state that they grant some
    Jonas> _referenced-by-them_ license) need not be included verbatim.

    I suspect we're in agreement. But for completeness. If a copyright
    grant simply grants the terms of a referenced license, I don't think we
    need to include it verbatim. However, if the grant includes licensing
    itself (for example additional permissions or even more interestingly
    restrictions), it's easy for the grant to become more of a license and
    to be a license that needs to be included in its own right.

    (I'm aware that many circumstances where a license grant includes a
    restriction would be problematic especially say when combined with the
    GPL-3. I can think of licenses/situations when such a result would
    still be DFSG free though, and in such situations it seems like it would
    be important to clearly document in debian/copyright).

    I don't think anything I write above is a disagreement with the common
    case you're covering. I suspect you already would be, but my advice to
    others is to be careful of license grants that include unusual text and
    to err on the side of including them in debian/copyright.

  • From Jonas Smedegaard@21:1/5 to All on Mon Jan 17 11:30:03 2022
    Quoting Sam Hartman (2022-01-17 03:48:40)
    "Jonas" == Jonas Smedegaard <jonas@jones.dk> writes:

    Jonas> Please note, however, that license _grants_ (i.e. the various
    Jonas> ways a copyright holder can state that they grant some
    Jonas> _referenced-by-them_ license) need not be included verbatim.

    I suspect we're in agreement. But for completeness. If a copyright
    grant simply grants the terms of a referenced license, I don't think
    we need to include it verbatim. However, if the grant includes
    licensing itself (for example additional permissions or even more
    interestingly restrictions), it's easy for the grant to become more of
    a license and to be a license that needs to be included in its own right.

    (I'm aware that many circumstances where a license grant includes a restriction would be problematic especially say when combined with the GPL-3. I can think of licenses/situations when such a result would
    still be DFSG free though, and in such situations it seems like it
    would be important to clearly document in debian/copyright).

    I don't think anything I write above is a disagreement with the common
    case you're covering. I suspect you already would be, but my advice
    to others is to be careful of license grants that include unusual text
    and to err on the side of including them in debian/copyright.

    Yes, we are in agreement.

    Thanks for elaborating on that, Sam. I agree that not mentioning it
    might give a misleading impression.

    What I intended to say (but was not really clear) is that the thing I
    place as a License-Grant is text that *only* references another license
    text without adding *any* legal clauses (restrictions, permissions, disclaimers) besides those covered in the referenced license text.

    What I didn't say previously but maybe helps make sense of it, is that
    despite license grants containing no legal _clauses_ they do have that
    one important feature of tying things together: A license is in effect
    not when it exists in a package but when granted by a copyright holder.

    A tarball containing code and a file named LICENSE containing e.g. GPLv2
    does not mean that everything in that tarball has been granted the GPLv2 license by its copyright holders. Possibly it does, but the act of
    adding a LICENSE file is a very weak way of stating that connection. A
    strong way is adding a sentence in each copyright-protected file. And
    _that_ is the reason it makes sense to track both grants and fulltexts.

    (this is similar to a reason it makes sense to list copyright holders
    even though some licenses do not require it: only copyright holders can
    grant a license, so identifying them is relevant for _resolving_ license
    even if sometimes not required to _comply_ with the license)

    I recommend to list *both* license fulltexts *and* license grants in debian/copyright (even though only license fulltexts are required).
    Doing that helps understand how you concluded a certain license
    fulltext is in effect. My writing style is to *only* write license
    fulltexts (i.e. legal clauses - what is permitted and required and
    disclaimed) in License sections, and add not-strictly-required
    license grants (i.e. purely references to fulltexts with *no* additional
    legal clauses) as License-Grant fields in Files sections.

    (License-Grant is not an officially defined field, but adding unofficial
    fields is explicitly permitted in the copyright file format 1.0)

    Here are a few examples (with most of the BSD fulltext snipped for
    brevity), from the ghostscript package which I kind-of use as reference
    for my writing style:



    Files:
     Resource/CMap/*
    Copyright:
     1990-2015 Adobe Systems Incorporated
    License: BSD-3-Clause~Adobe

    Files:
     contrib/pcl3/*
    Copyright:
     1996-2003 Martin Lottermoser
    License-Grant:
     pcl3 is free software and can be used
     under the terms of the GNU Lesser General Public License (LGPL),
     Version 2.1 (February 1999).
    License: LGPL-2.1

    License: BSD-3-Clause~Adobe
     Redistribution and use in source and binary forms,
     with or without modification,
     are permitted provided that the following conditions are met:
     .
     Redistributions of source code must retain
     [...]
     .
     Redistributions in binary form must reproduce
     [...]
     .
     Neither the name of Adobe Systems Incorporated
     [...]

    License: LGPL-2.1
    Reference: /usr/share/common-licenses/LGPL-2.1



    First Files section above has no License-Grant section - because
    BSD-style licenses are typically written in full, not referenced.

    First License section contains the full license text *verbatim* - i.e.
    not the _generic_ BSD-3-Clause license but a slight deviation which
    covers a specific legal entity regardless if they hold copyright or
    authored or contributed.

    Second Files section contains a *verbatim* copy of the license grant -
    i.e. the actual phrase the author used to grant license of their work
    using a reusable "general public license". There is no requirement from
    the author nor from the license nor from Debian in listing this text -
    but regardless it may help ftpmasters process your package faster
    because they can easier follow how you concluded that the LGPL-2.1
    license was involved. And quite likely future releases of licensecheck
    will make use of License-Grant fields too, to help maintain - verify and update - debian/copyright files.

    Second sample section above, I deviate from common practice in Debian: I
    put as License-Grant field in Files section what is more commonly put in
    a License section.

    Second License section is essentially what triggered this email thread:
    Is it really ok to write such compact License fields?!?

    Common practice is to put either license fulltext or license grant in
    the License section, mixed with non-verbatim maintainer-authored notes
    - section 7.2 of the copyright file format 1.0 specification even makes
    an example of putting a grant there and mixing in a custom note.

    I find common practice quite confusing - I want the copyright file to
    clearly separate provenance - i.e. distinguish who said what. I think
    that my introduction of fields License-Grant and Reference helps
    disambiguate.

    Also for the concern you raise here, Sam, I think it helps to actively
    use new fields License-Grant and Reference: If I make a mistake,
    treating a text as a license grant not noticing that it contains license clauses on its own, then with common practice of mixing grant, fulltext
    and editorial notes together in a License section might hide the
    mistake, whereas explicitly stating "I read this as being just a grant" separate from "this is the license text granted by the copyright holder" separate from "over here Debian stores a verbatim copy of this license
    text" might help reveal such mistake. By ftpmasters or fellow
    maintainers or users or tools.

    - Jonas

    --
    * Jonas Smedegaard - idealist & Internet-arkitekt
    * Tlf.: +45 40843136 Website: http://dr.jones.dk/

    [x] quote me freely [ ] ask before reusing [ ] keep private
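The rule argued in this thread, written as a small checker. This is an added example, not code from the thread, from licensecheck or from lintian: every short name used in a Files paragraph must resolve to a stand-alone License paragraph that carries either the fulltext or a Reference to a file directly below /usr/share/common-licenses. The function names and the abbreviated sample are assumptions; License-Grant and Reference are the unofficial fields described above.

```python
import posixpath
import re

COMMON_LICENSES = "/usr/share/common-licenses/"
# Constructed sample in the thread's writing style; license texts are abbreviated.
SAMPLE = """\
Files:
 Resource/CMap/*
Copyright:
 1990-2015 Adobe Systems Incorporated
License: BSD-3-Clause~Adobe

Files:
 contrib/pcl3/*
Copyright:
 1996-2003 Martin Lottermoser
License-Grant:
 pcl3 is free software and can be used under the terms of the
 GNU Lesser General Public License (LGPL), Version 2.1 (February 1999).
License: LGPL-2.1

License: BSD-3-Clause~Adobe
 Redistribution and use in source and binary forms [constructed: rest omitted]

License: LGPL-2.1
Reference: /usr/share/common-licenses/LGPL-2.1
"""

def parse_paragraphs(text):
    """Split a copyright-format 1.0 file into {field: value} paragraphs."""
    paragraphs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, name = {}, None
        for line in block.splitlines():
            if line[:1].isspace():          # continuation of the previous field
                if name:
                    fields[name] += "\n" + line.strip()
            elif ":" in line:
                name, _, value = line.partition(":")
                fields[name] = value.strip()
        paragraphs.append(fields)
    return paragraphs

def in_common_licenses(path):
    norm = posixpath.normpath(path)         # collapse ../ before the prefix test
    return norm.startswith(COMMON_LICENSES) and "/" not in norm[len(COMMON_LICENSES):]

def check(text):
    """Return problems found; an empty list means every license resolves."""
    used, defined, problems = set(), set(), []
    for p in (q for q in parse_paragraphs(text) if "License" in q):
        short, _, body = p["License"].partition("\n")
        if "Files" in p:
            if not body.strip():            # short name only: needs a License paragraph
                used.update(re.split(r"\s+(?:and|or)\s+", short.strip()))
            continue
        defined.add(short.strip())
        ref = p.get("Reference", "")
        if not body.strip() and not ref:
            problems.append(f"{short}: neither fulltext nor Reference")
        elif not body.strip() and not in_common_licenses(ref):
            problems.append(f"{short}: Reference outside {COMMON_LICENSES}: {ref}")
    problems += [f"{n}: no stand-alone License paragraph" for n in sorted(used - defined)]
    return problems
```

The check is purely textual; confirming that the referenced file actually exists on the build system is left out so the example runs on non-Debian hosts.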