Ben Finney <ben+deb...@benfinney.id.au> writes: > The point is that, since we can predict the need for this information, > we have the choice of assuming the information is there when we > distribute and never looking for it until the need arises in the face of > such a threat, or looking for it in advance of distribution and hence in > advance of exposure to that threat. I think it's clear that the latter > option is preferable.
Er, I'm certainly not going to pay any attention who the copyright holders are for various files in something I'm packaging. I care about the license; why should I care in the slightest whether the listed copyright holder is one name or some other name? I certainly don't have the resources to verify personally that the person who is listed as the copyright holder is actually the legal copyright holder or has the legal right to distribute the work under that license. In practice, we basically always do simple checks and react to reported problems and otherwise take upstream at their word. > On that basis, it would be foolish having *already* checked carefully > that the copyright status is accurately known to then discard that > information rather than recording it in a single documented location for > others to verify. Why? Seriously, who cares? Given how rare a legal issue is, I can't imagine ever not going back to the source and reviewing the source files, no matter how debian/copyright is maintained. I don't see how accumulated copyright information in debian/copyright would ever be useful or used in that case. > The only alternatives that seems to be on offer are either not checking > the copyright information is accurate before distributing, I definitely do not check whether the copyright information in source files for my packages is accurate before distributing. I don't know how I could even do such a thing. For example, GNU Backgammon's gtkgame.c file says that it is: * by Gary Wong <g...@gnu.org>, 2000, 2001, 2002. I have absolutely no idea if that is true. I don't, so far as I know, have any way of checking whether that is true or not. If I copy that information into debian/copyright, I'm doing so mechanically. I'm not adding any value to just searching through the source tree for such strings. In fact this particular file does not have a valid copyright notice under US law. I don't see any reason to believe that's a problem (nor do I even see any reason to bother upstream about it -- such notices are recommended when applying the GPL, but they're not required under US law and are largely irrelevant for copyright law). The package as a whole displays a copyright notice on startup: Copyright, 1999-2004 by Gary Wong, 2004-2008 GNU Backgammon is the legal property of its authors. which is, of course, preserved following the requirements of the GPL. > Yes. That only leads to the ludicrous, but entirely real, situation that > we are in: it is incumbent on any distributor of a work to establish > that they have license to do what they're doing from the copyright > holders, which necessarily means knowing who *are* the copyright holders > in the work. See above. I don't believe that we do that except in a few rare cases, and I don't believe anyone else who distributes free software does either. To a first approximation, everyone just takes upstream's word for it. > Collecting copyright notices isn't a requirement under copyright law: > works that are copyright-restricted continue to be so with or without > the notice. But unless we have the information typically contained in > such notices, we are operating completely in the dark as to who is > empowered to restrict distribution or grant it. I fail to see how collecting strings from the source files leaves us any less in the dark about whether the claimed authors are legally empowered to license it. -- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/> -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org