Alexander> I wanted to get some clarification as I couldnt find this
Alexander> info via googling/debian pages (but I might've missed
Alexander> something obvious, if so - I'd appreciate pointing me in
Alexander> right direction on what should i read)

Under section 2.4 of debian policy, any distribution license that you
are required to comply with needs to be placed in the copyright file in
the binary package. We do tend to organize license and copyright
information by source because that is convenient to us. But based on
policy, if you comply with all of the licenses listed in the copyright
file for a given binary package when dealing with binaries in that
package, that would be a conservative approach to take.

In particular if because of a build dependency a binary required
additional license restrictions to be followed beyond the licenses of
its source, my reading of policy is that needs to be mentioned in debian/copyright.
Failing to do so sounds like a bug to me.

Admittedly, that corner case sounds like one we didn't consider
thoroughly in our machine-readable copyright file spec.

Obviously there are cases where by interpreting the copyright in a finer
grain manner, you could discover situations where your license
compliance obligations are less.
As an example, if only some of the binary packages built from a given
source package are under a copyleft license, handling modifications
might be easier.

It's true that our current approach to managing license information does
not make that easy to discover.
That's not a bug, although obviously you could discuss whether improving
that would be a welcome feature change.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Mon, May 10, 2021 at 2:18 PM Alexander Mazuruk wrote:

I'm writing this as I've noticed that some packages have copyright file filled with records for source code, while the package contains binaries.

Essentially all packages in Debian do this, with a couple of
exceptions where the maintainer thought about this problem already.
For example, for src:libicns I installed different copyright files in
each binary package since the license is different for the library vs
the utilities.

Shouldn't those package's COPYRIGHT contain info about final license
that those binaries are distributed with?

In theory yes, in practice, no.

* yes. -> should I file a bug report for such packages?

The problem is an archive-wide one that is just left unsolved, not one
to be solved in individual packages.

* no -> how can I know what license a package actually has in such
case? Are there some officially recommended tools?

It is in theory possible to trace the translation from source to
binary, but in practice it is mostly impossible. Even if you ptrace
the full build process (making it much slower), there is no general
way to determine what file is generated from what other file. Fixing
this would involve adding instrumentation to every compiler, build
system, many different tools and probably lots of Debian packaging and
upstream projects. This is a project on the order of magnitude of Bootstrappable Builds or Reproducible Builds; a multi-decade-long
effort by many different people. There are potentially benefits to
this beyond copyright/license info correctness for binaries too, so it
would be an interesting project, but it would be hard to convince
entire communities of people to work on this.

In practice, shipping the relevant source for the binaries is likely
enough to achieve license compliance, so shipping pedantically correct copyright/license info for the binaries is not necessary and shipping
source is much easier to do, so that is what Debian tends to do.

We are trying to do start license compliance for Docker images and are a
bit stumped on how to proceed with such packages in Debian-based containers.

I suggest you ship source for all the binary packages used, then add
source for all the packages installed during each of their build
processes. Or just ship a full Debian archive containing every source
package.

--
bye,
pabs

https://wiki.debian.org/PaulWise

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)