This more general problem is very hard to impossible to solve,
since it would mean patching every single build toolchain and
source package [...]
Your analysis is correct, some extra context for this problem:
The problem you have identified applies to other statically linked
languages too, so I have updated the wiki page to link to it.
https://wiki.debian.org/StaticLinking
On Tue, 2023-09-26 at 14:20 -0400, John Thorvald Wodder II wrote:
> - bat (In addition to the type of problem discussed above, the source code for
> bat has an Apache 2.0 `NOTICE` file, yet this is not included in the .deb package.)
Please file a severity serious bug report against bat about the NOTICE
issue; I've mentioned it on the #debian-rust IRC channel, though.
https://www.debian.org/Bugs/Reporting
I note that lintian detects the NOTICE issue, so I have requested that
the ftp-master team turn on auto-rejections for the lintian tag.
On 2023 Sep 26, at 20:36, Paul Wise <pabs@debian.org> wrote:
> Your analysis is correct, some extra context for this problem:
> The problem you have identified applies to other statically linked
> languages too, so I have updated the wiki page to link to it.
> https://wiki.debian.org/StaticLinking
So was this problem previously known but under-acknowledged, or was it simply not brought up before now? I find it surprising that Debian would allow so many license violations to get this far.
Furthermore, courts are not robots blindly executing code. Seriously,
can you imagine standing in court trying to argue to a judge that this distinction matters and somehow causes you damage‽
Sometimes the best approach to licensing is to take a defensible
position and not to try and find problems.
Is fixing the tooling to handle this considered a priority? If the author of an uncredited dependency were to complain, would Debian be more likely to focus on fixing the tooling posthaste, or to just pull whatever packages use the dependency in question?
"Mihai" == Mihai Moldovan <ionic@ionic.de> writes:
Mihai> In this case, we're "just" talking about missing notices for
Mihai> dependencies that are pulled in, which might not be nice, but
Mihai> also, realistically, nobody would really care about or try to
Mihai> enforce it (unless somebody has malicious intent, which
Mihai> indeed did happen in the past).
I agree with your overall conclusion that in practice we are unlikely to
have significant legal liability or cause significant damages here.
However, I disagree on one point. You imply that you believe anyone complaining about a violation here would be malicious.
It is my understanding that when an executable program that depends (directly or indirectly) on libraries licensed under (picking one license here) the MIT license is compiled into a binary that statically links these libraries, and this binary is then distributed to third parties, the binary must be accompanied by the license text & copyright notices for all of the program's direct & indirect MIT-licensed dependencies.
Unfortunately, I've come across some software in the official Debian repositories that do not seem to properly honor these requirements.