• d/copyright: sunweaver's best practice write-up (was: Re: secnet_0.6.2_

    From Mike Gabriel@21:1/5 to Ian Jackson on Mon Apr 11 22:00:01 2022

    Hi Ian,

    On Mo 11 Apr 2022 18:51:35 CEST, Ian Jackson wrote:

    Another team member identified that there is code in this package
    under a number of different licenses other than GPL-3+, but that is
    not specified in sufficient detail in d/copyright. That contravenes
    both Debian Policy and the terms of those licenses.

    My apologies. You are completely correct. I don't understand how I
    came to think that the approach I took was sufficient. I guess it is
    a long time since I prepared a package with so many different bits and
    pieces in it.

    Sharing some best practice here; feel free to adopt it or give feedback on it.

    For d/copyright maintenance I use my update-copyright.in script [1]. I
    run it on the source package's base folder.

    The script creates a d/copyright.in file. I keep this file as-is as
    part of my debian/ folder and use it for later reference.

    When wrapping up a new DEB package, I copy over d/copyright.in to
    d/copyright and complete it manually (plus doing some manual checks to
    see if the licensecheck tool got things right). Note that I don't use
    file globbing in d/copyright at all; every source file is listed
    individually.

    This catches 99% of all DFSG licenses on 80-95% of files in the
    src:pkg's source tree (depending on upstream being good at using
    proper license headers on individual files or not).

    Whenever an upstream version bump is due, I import the new upstream
    and re-run the update-copyright.in script on the src:pkg's base folder
    again. I get a diff between my previous debian/copyright.in version
    and the new version. This diff I then work into the actual d/copyright
    manually and thus have an easy workflow for tracking copyright changes
    in upstream projects (on a per individual file basis).

    This workflow is esp. helpful on projects where many copyright
    holders/years and/or licenses are involved and get updated every year
    or maybe with every changeset / new contributor.

    Greets,
    Mike

    [1] https://github.com/sunweaver/MyHomeConfig/blob/master/bin/update-copyright.in






    --

    DAS-NETZWERKTEAM
    c\o Technik- und Ökologiezentrum Eckernförde
    Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
    mobile: +49 (1520) 1976 148
    landline: +49 (4351) 850 8940

    GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
    mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
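
The per-file comparison step of the workflow described in the message above, as an added example (it is not Mike's update-copyright.in script and does not call licensecheck). It assumes both d/copyright.in snapshots use the machine-readable debian/copyright stanza layout with every file listed individually; all paths, holders and licences are constructed sample data, and `per_file` and `review_items` are hypothetical helper names.

```python
# Constructed snapshots: d/copyright.in before and after an upstream bump.
OLD = """\
Files: src/main.c
 src/util.c
Copyright: 2019, Example Upstream
License: GPL-3+

Files: lib/md5.c
Copyright: 2001, A. Hacker
License: BSD-2-clause
"""
NEW = """\
Files: src/main.c
Copyright: 2019-2022, Example Upstream
License: GPL-3+

Files: src/util.c
Copyright: 2019, Example Upstream
License: GPL-3+

Files: lib/sha256.c
Copyright: 2022, New Contributor
License: Expat
"""

def per_file(text):
    """Map each path named in a Files: field to (license, copyright holders)."""
    result = {}
    for block in text.strip().split("\n\n"):       # one stanza per block
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:    # continuation of previous field
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        licence = fields.get("License", "UNKNOWN").split("\n")[0]
        holders = " / ".join(h for h in fields.get("Copyright", "").split("\n") if h)
        for path in fields.get("Files", "").split():
            result[path] = (licence, holders)
    return result

def review_items(old_text, new_text):
    """List (status, path, old, new) for every file that needs a manual look."""
    old, new = per_file(old_text), per_file(new_text)
    return [("added" if p not in old else "removed" if p not in new else "changed",
             p, old.get(p), new.get(p))
            for p in sorted(old.keys() | new.keys()) if old.get(p) != new.get(p)]

print(*review_items(OLD, NEW), sep="\n")
```

Files whose stanza is merely regrouped (src/util.c here) do not show up, so the list contains only entries that have to be worked into d/copyright by hand.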


  • From Thomas Goirand@21:1/5 to Mike Gabriel on Mon Apr 11 23:50:01 2022
    Mike,

    I'd very much welcome this script within the devscripts package! :)
    Thanks for sharing it. I probably will give it a try.

    Cheers,

    Thomas Goirand (zigo)

  • From Jonas Smedegaard@21:1/5 to All on Tue Apr 12 07:50:01 2022
    Quoting Mike Gabriel (2022-04-11 21:59:12)
    For d/copyright maintenance I use my update-copyright.in script [1]. I
    run it on the source package's base folder.

    [...]

    [1] https://github.com/sunweaver/MyHomeConfig/blob/master/bin/update-copyright.in

    You should no longer need licensecheck2dep5 nor iconv - see the
    licensecheck examples at https://wiki.debian.org/CopyrightReviewTools


    - Jonas

    --
    * Jonas Smedegaard - idealist & Internet-arkitekt
    * Tlf.: +45 40843136 Website: http://dr.jones.dk/

    [x] quote me freely [ ] ask before reusing [ ] keep private