• Copyright notice gives info on source files, not the packaged binar

    From Sam Hartman@21:1/5 to All on Mon May 10 17:20:01 2021
    Alexander> I wanted to get some clarification as I couldn't find this
    Alexander> info via googling/debian pages (but I might've missed
    Alexander> something obvious, if so - I'd appreciate pointing me in
    Alexander> right direction on what should I read)

    Under section 2.4 of debian policy, any distribution license that you
    are required to comply with needs to be placed in the copyright file in
    the binary package. We do tend to organize license and copyright
    information by source because that is convenient to us. But based on
    policy, if you comply with all of the licenses listed in the copyright
    file for a given binary package when dealing with binaries in that
    package, that would be a conservative approach to take.

    In particular, if because of a build dependency a binary required
    additional license restrictions to be followed beyond the licenses of
    its source, my reading of policy is that this needs to be mentioned in
    debian/copyright. Failing to do so sounds like a bug to me.

    Admittedly, that corner case sounds like one we didn't consider
    thoroughly in our machine-readable copyright file spec.

    Obviously there are cases where by interpreting the copyright in a
    finer-grained manner, you could discover situations where your license
    compliance obligations are less.
    As an example, if only some of the binary packages built from a given
    source package are under a copyleft license, handling modifications
    might be easier.

    It's true that our current approach to managing license information does
    not make that easy to discover.
    That's not a bug, although obviously you could discuss whether improving
    that would be a welcome feature change.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Paul Wise@21:1/5 to All on Tue May 11 01:00:02 2021
    On Mon, May 10, 2021 at 2:18 PM Alexander Mazuruk wrote:

    > I'm writing this as I've noticed that some packages have copyright
    > file filled with records for source code, while the package contains
    > binaries.

    Essentially all packages in Debian do this, with a couple of
    exceptions where the maintainer thought about this problem already.
    For example, for src:libicns I installed different copyright files in
    each binary package since the license is different for the library vs
    the utilities.

    > Shouldn't those packages' COPYRIGHT contain info about final license
    > that those binaries are distributed with?

    In theory yes, in practice, no.

    > * yes. -> should I file a bug report for such packages?

    The problem is an archive-wide one that is just left unsolved, not one
    to be solved in individual packages.

    > * no -> how can I know what license a package actually has in such
    > case? Are there some officially recommended tools?

    It is in theory possible to trace the translation from source to
    binary, but in practice it is mostly impossible. Even if you ptrace
    the full build process (making it much slower), there is no general
    way to determine what file is generated from what other file. Fixing
    this would involve adding instrumentation to every compiler, build
    system, many different tools and probably lots of Debian packaging and
    upstream projects. This is a project on the order of magnitude of
    Bootstrappable Builds or Reproducible Builds, a multi-decade-long
    effort by many different people. There are potentially benefits to
    this beyond copyright/license info correctness for binaries too, so it
    would be an interesting project, but it would be hard to convince
    entire communities of people to work on this.

    In practice, shipping the relevant source for the binaries is likely
    enough to achieve license compliance, so shipping pedantically correct
    copyright/license info for the binaries is not necessary and shipping
    source is much easier to do, so that is what Debian tends to do.

    > We are trying to start license compliance for Docker images and are a
    > bit stumped on how to proceed with such packages in Debian-based
    > containers.

    I suggest you ship source for all the binary packages used, then add
    source for all the packages installed during each of their build
    processes. Or just ship a full Debian archive containing every source

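
The approach Paul suggests in the post above, shipping the source for every binary package in the image, starts with working out which source packages those binaries came from. The following is an added example, not code from the thread or from Debian's own tooling: a small POSIX shell function that maps the dpkg database (in the `${Package}\t${Version}\t${Source}` layout that `dpkg-query -W -f` prints) to a de-duplicated list of source package names and versions. The handling of the `Source` field follows dpkg's semantics: it is empty when the source package shares the binary's name and version, and it carries a bracketed version (`gcc-10 (10.2.1-6)`) when the source version differs from the binary version. The sample dpkg output embedded in the script is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from Debian tooling): map the binary
# packages installed in a Debian-based image back to the source packages
# whose source must be shipped for license compliance.
#
# Input lines are in the layout that this command prints inside the image:
#   dpkg-query -W -f '${Package}\t${Version}\t${Source}\n'
# The Source field is empty when the source package has the same name and
# version as the binary, and may read "name (version)" when the source
# version differs from the binary version.

# Read dpkg-query lines on stdin; print "source_package source_version",
# one line per distinct source package version, sorted.
binaries_to_sources() {
    awk -F '\t' '
    {
        pkg = $1; ver = $2; src = $3
        # No Source field: the source package is named like the binary.
        if (src == "") { src = pkg }
        # "name (1.2-3)": the bracketed part is the source version.
        if (match(src, /\(.*\)/)) {
            ver = substr(src, RSTART + 1, RLENGTH - 2)
            sub(/ *\(.*\)/, "", src)
        }
        key = src "=" ver
        if (!(key in seen)) { seen[key] = 1; print src, ver }
    }' | sort
}

# Constructed sample of what a small container might report; the four
# distinct source packages behind these six binaries are glibc, openssl,
# gcc-10 and coreutils.
sample_dpkg_output() {
    printf 'libc6\t2.31-13+deb11u2\tglibc\n'
    printf 'libc-bin\t2.31-13+deb11u2\tglibc\n'
    printf 'libssl1.1\t1.1.1n-0+deb11u3\topenssl\n'
    printf 'openssl\t1.1.1n-0+deb11u3\t\n'
    printf 'libgcc-s1\t10.2.1-6\tgcc-10 (10.2.1-6)\n'
    printf 'coreutils\t8.32-4\t\n'
}

# Run on the constructed sample; in a real image pipe dpkg-query's output
# into binaries_to_sources instead.
main() {
    sample_dpkg_output | binaries_to_sources
}
```

Each output line is in the `name version` form that `apt-get source --download-only name=version` accepts, which is how the corresponding source packages can then be fetched and archived alongside the image. As Paul notes, this only covers the installed binaries; the packages pulled in while each of those binaries was built have to be collected separately from their build environments.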