Re: unknown license for package/debian/* in d/copyright in adopted package

2017-06-09 Thread Nicholas D Steeves
Dear Debian Legal Team,

Thank you very much for your help.  I've read each email in this
thread with care, and at last can consider this issue closed.

On 9 June 2017 at 02:27, Anthony DeRobertis wrote:
> On 06/08/2017 06:52 PM, Nicholas D Steeves wrote:
>>
>>
>> I'd prefer not to, because Message-ID reveals what I consider private
>> information (IP address or client hostname) to an unbounded audience,
>> and I believe that this is a greater privacy violation than the
>> lintian warning against downloading a hyperlinked image in local [...]
>
>
> That depends on the software that generated the message (e.g., Thunderbird
> seems to do uuid@domain, so avoids the privacy issue—at least it reveals
> less than the From header), but where it does you could just redact the
> hostname (or entire domain). That'd still preserve the ability to reference
> an individual message.
>
> Message-Id:  and
> Message-Id: 
>
> are both pretty clear what you're doing.
>

Anthony, thank you for this solution! :-)  I didn't know that this was allowed.
Ben, now there's a Message-ID field.  I'll upload to experimental as
soon as Sean Whitton grants me DM permissions for src:muse-el.

Sincerely,
Nicholas



Re: unknown license for package/debian/* in d/copyright in adopted package

2017-06-09 Thread Anthony DeRobertis

On 06/08/2017 06:52 PM, Nicholas D Steeves wrote:

> I'd prefer not to, because Message-ID reveals what I consider private
> information (IP address or client hostname) to an unbounded audience,
> and I believe that this is a greater privacy violation than the
> lintian warning against downloading a hyperlinked image in local [...]


That depends on the software that generated the message (e.g., 
Thunderbird seems to do uuid@domain, so avoids the privacy issue—at 
least it reveals less than the From header), but where it does you could 
just redact the hostname (or entire domain). That'd still preserve the 
ability to reference an individual message.


Message-Id:  and
Message-Id: 

are both pretty clear what you're doing.
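
The redaction suggested above, as an added example that is not part of the original thread: Python that keeps only the headers needed to identify a message in a file such as COPYING.emails and redacts the right-hand side of the Message-ID. The header allow-list, the `REDACTED` marker, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

KEEP = ("Date", "From", "Subject", "Message-ID")  # assumed allow-list; all else is dropped
PLACEHOLDER = "REDACTED"  # constructed marker, not a form taken from the thread

# Right-hand sides that are IP literals are always redacted in full.
_IP_RE = re.compile(r"^\[?(\d{1,3}(\.\d{1,3}){3}|IPv6:[0-9A-Fa-f:.]+)\]?$")


def redact_message_id(value, mode="domain"):
    """Redact the part after '@' in a Message-ID.

    mode="domain": replace the entire right-hand side.
    mode="host":   replace only the leftmost label (the client hostname)
                   when at least three labels are present; otherwise fall
                   back to redacting the entire right-hand side.
    The left-hand side is kept so the message can still be referenced.
    """
    m = re.fullmatch(r"\s*<([^@<>\s]+)@([^<>\s]+)>\s*", value)
    if not m:
        return f"<{PLACEHOLDER}>"  # unparseable value: reveal nothing
    local, rhs = m.groups()
    labels = rhs.split(".")
    if mode == "host" and not _IP_RE.match(rhs) and len(labels) > 2:
        rhs = ".".join([PLACEHOLDER] + labels[1:])
    else:
        rhs = PLACEHOLDER
    return f"<{local}@{rhs}>"


def redact_headers(raw, mode="domain"):
    """Return the message with only allow-listed, redacted headers."""
    msg = message_from_string(raw)
    out = []
    for name in KEEP:
        value = msg.get(name)  # header lookup is case-insensitive
        if value is None:
            continue
        if name == "From":
            display, _addr = parseaddr(value)
            value = display or PLACEHOLDER  # never emit the address itself
        elif name == "Message-ID":
            value = redact_message_id(value, mode)
        out.append(f"{name}: {value}")
    return "\n".join(out) + "\n\n" + msg.get_payload()


# Constructed sample message (documentation-reserved names and addresses).
SAMPLE = """\
Received: from laptop-17.home.example.net ([192.0.2.44]) by mx.example.org
Date: Mon, 2 Jan 2017 12:00:00 +0000
From: Example Sender <sender@example.net>
To: maintainer@example.org
Subject: License grant for debian/*
Message-ID: <20170102120000.GA1234@laptop-17.home.example.net>
X-Originating-IP: [192.0.2.44]

I license my contributions to debian/* under the MIT license.
"""

if __name__ == "__main__":
    print(redact_headers(SAMPLE))
```
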



Re: unknown license for package/debian/* in d/copyright in adopted package

2017-06-08 Thread Nicholas D Steeves
Hi Ben,

On Wed, Jun 07, 2017 at 10:24:11AM +1000, Ben Finney wrote:
> Nicholas D Steeves writes:
> 
> > I pushed updates here:
> >
> > https://anonscm.debian.org/git/pkg-emacsen/pkg/muse-el.git/tree/debian/COPYING.emails
> 
> That's a good record. Better than most Debian packages, I'd say :-)

Thank you! :-D

> Can you put the Message-ID field for each message in the header for the
> message? That will make it easier to refer to specific messages later.

I'd prefer not to, because Message-ID reveals what I consider private
information (IP address or client hostname) to an unbounded audience,
and I believe that this is a greater privacy violation than the
lintian warning against downloading a hyperlinked image in local
documentation.  The latter only reveals private information to a single
person.  Yes, it can be argued that Debian Developers waive their
privacy by participating in publicly archived forums, like this one;
however, because the contributors chose to privately email me rather
than reply to this thread, I have chosen to maximally respect
their privacy.

> As it is, I can say I think you need only these ones:
> 
> * Date: Thu, 1 Jun 2017 10:15:58 +1000
>   From: Trent Buck 
> 
> * Date: Wed, 31 May 2017 20:24:01 -0700
>   From: Michael Olson 
> 
> * Date: Thu, 01 Jun 2017 09:57:49 +0200
>   From: Julien Danjou 
> 
> > How important is this updated copyright?
> 
> It's important to include explicit grant of specific license in writing
> from all copyright holders.

I included Mehdi's statement because I believe it is to the effect of
"I am pretty sure that I am not a copyright holder".  That said, is
this record sufficiently complete without digging through bts archives
to find out how to contact anyone who was involved in the NMU he
did...and then contacting them?

> > Do I need to worry about getting it into Stretch?
> 
> I think it can wait until after the release, though I don't speak for
> the release team or FTP masters.

I contacted them but don't expect to receive a reply, knowing how busy
they must be ;-)

Thank you for the help,
Nicholas




Re: unknown license for package/debian/* in d/copyright in adopted package

2017-06-06 Thread Ben Finney
Nicholas D Steeves writes:

> I pushed updates here:
>
> https://anonscm.debian.org/git/pkg-emacsen/pkg/muse-el.git/tree/debian/COPYING.emails

That's a good record. Better than most Debian packages, I'd say :-)

Can you put the Message-ID field for each message in the header for the
message? That will make it easier to refer to specific messages later.

As it is, I can say I think you need only these ones:

* Date: Thu, 1 Jun 2017 10:15:58 +1000
  From: Trent Buck 

* Date: Wed, 31 May 2017 20:24:01 -0700
  From: Michael Olson 

* Date: Thu, 01 Jun 2017 09:57:49 +0200
  From: Julien Danjou 

> How important is this updated copyright?

It's important to include explicit grant of specific license in writing
from all copyright holders.

> Do I need to worry about getting it into Stretch?

I think it can wait until after the release, though I don't speak for
the release team or FTP masters.

-- 
 \   Eccles: “I just saw the Earth through the clouds!”  Lew: “Did |
  `\  it look round?”  Eccles: “Yes, but I don't think it saw me.” |
_o__)—The Goon Show, _Wings Over Dagenham_ |
Ben Finney



Re: unknown license for package/debian/* in d/copyright in adopted package

2017-06-06 Thread Nicholas D Steeves
On Wed, May 31, 2017 at 02:54:57PM +1000, Ben Finney wrote:
> Ian Jackson writes:
> 
> > Do you agree that my mail exchange as found in the sympathy package is
> > a good example of how to ask these questions, and how to record the
> > answers ?
> 
> Ian Jackson writes:
> 
> > I meant this, which I provided a link to earlier:
> >   https://browse.dgit.debian.org/sympathy.git/tree/COPYING.emails
> 
> Yes, that's a good record of the conversation.
> 
> It'd be better IMO if it included each message's Message-ID field, or
> some other URI for each message so that the parties in the conversation
> can later verify that it matches their own record of the discussion.
> 
> Are there messages in that file that could be removed? I typically try
> to get a single message from the copyright holder, that contains an
> explicit and unambiguous grant of a specific license.
> 
> Often that isn't forthcoming as clearly as we might like, because of how
> the correspondence unfolds. I appreciate that you pressed for that in
> the discussion for ‘sympathy’. Maybe that's just an example of a case
> where no one message will clearly show the grant of license, and the
> whole set needs to be examined.

Dear Ian and Ben,

Thank you for resuming this conversation!  I had forgotten to finish
work on this issue and it was exactly the reminder I needed.

I pushed updates here:

https://anonscm.debian.org/git/pkg-emacsen/pkg/muse-el.git/tree/debian/COPYING.emails
https://anonscm.debian.org/cgit/pkg-emacsen/pkg/muse-el.git/

How important is this updated copyright?  Do I need to worry about
getting it into Stretch?  When Feb 5th blew by I thought "minor, not
very popular package that isn't worse than it was before" so didn't
worry about it and I thought the issue wasn't worth hassling someone
for an unblock.

Sincerely,
Nicholas




Re: unknown license for package/debian/* in d/copyright in adopted package

2017-05-31 Thread Ben Finney
Ian Jackson <ijack...@chiark.greenend.org.uk> writes:

> Ben Finney writes ("Re: unknown license for package/debian/* in d/copyright 
> in adopted package"):
> > Are there messages in that file that could be removed? I typically
> > try to get a single message from the copyright holder, that contains
> > an explicit and unambiguous grant of a specific license.
>
> I think it is better not to bother upstream with pointless
> administrivia.

Given an appropriate definition of “pointless administrivia”, of course
I agree with that.

I'm responding (belatedly) to your request for feedback on the
*existing* record of correspondence :-)

-- 
 \“… no testimony can be admitted which is contrary to reason; |
  `\   reason is founded on the evidence of our senses.” —Percy Bysshe |
_o__)Shelley, _The Necessity of Atheism_, 1811 |
Ben Finney



Re: unknown license for package/debian/* in d/copyright in adopted package

2017-05-31 Thread Ian Jackson
Ben Finney writes ("Re: unknown license for package/debian/* in d/copyright in 
adopted package"):
> Are there messages in that file that could be removed? I typically try
> to get a single message from the copyright holder, that contains an
> explicit and unambiguous grant of a specific license.

I think it is better not to bother upstream with pointless
administrivia.

Ian.



Re: unknown license for package/debian/* in d/copyright in adopted package

2017-05-30 Thread Ben Finney
Ian Jackson writes:

> Do you agree that my mail exchange as found in the sympathy package is
> a good example of how to ask these questions, and how to record the
> answers ?

Ian Jackson writes:

> I meant this, which I provided a link to earlier:
>   https://browse.dgit.debian.org/sympathy.git/tree/COPYING.emails

Yes, that's a good record of the conversation.

It'd be better IMO if it included each message's Message-ID field, or
some other URI for each message so that the parties in the conversation
can later verify that it matches their own record of the discussion.

Are there messages in that file that could be removed? I typically try
to get a single message from the copyright holder, that contains an
explicit and unambiguous grant of a specific license.

Often that isn't forthcoming as clearly as we might like, because of how
the correspondence unfolds. I appreciate that you pressed for that in
the discussion for ‘sympathy’. Maybe that's just an example of a case
where no one message will clearly show the grant of license, and the
whole set needs to be examined.

-- 
 \“If it ain't bust don't fix it is a very sound principle and |
  `\  remains so despite the fact that I have slavishly ignored it |
_o__) all my life.” —Douglas Adams |
Ben Finney



Re: unknown license for package/debian/* in d/copyright in adopted package

2017-01-04 Thread Ian Jackson
Ben Finney writes ("Re: unknown license for package/debian/* in d/copyright in 
adopted package"):
> As to how to record the information, I would expect to find it in the
> ‘debian/copyright’ file, and I don't see what you're referring to at
> <URL:https://sources.debian.net/src/sympathy/1.2.1%2Bwoking%2Bcvs%2Bgit20161222/debian/copyright/>.
> 
> So, if you can point to what you mean, I may be able to better respond :-)

I meant this, which I provided a link to earlier:

  https://browse.dgit.debian.org/sympathy.git/tree/COPYING.emails

Ian.  

-- 
Ian Jackson <ijack...@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.



Re: unknown license for package/debian/* in d/copyright in adopted package

2017-01-04 Thread Simon McVittie
On Wed, 04 Jan 2017 at 02:16:10 +, Ian Jackson wrote:
> This benefit IMO far outweighs the risk that at some point someone
> will abuse our goodwill to make Debian-format source packages out of
> proprietary software.  No-one, not even evil people, would want to do
> that.

As a consultant mostly working on Debian derivatives, I wouldn't agree
with that. Various non-evil[1] people make Debian-format source packages
whose upstream part is partially or entirely proprietary software, with
either Free packaging (common in Debian non-free), proprietary packaging
(which I seem to remember seeing in at least Maemo), or packaging with
no explicit license at all (which I've seen in at least Raspbian).

Putting a copyleft license on your favourite package's packaging is
not going to prevent that: Debian packaging is not difficult to
write from scratch, and even if it wasn't, there are plenty of
permissively-licensed packages available to base a proprietary
package on.

This also assumes that the parts of the packaging that might be copied
are even sufficiently creative to be eligible for copyright, which might
be doubtful in simple cases (in particular, maximally-declarative
packaging with dh).

I think a much more serious risk is that an insufficiently permissive
license results in inadvertent copyright infringement, avoidable duplicated
work, or avoidable bugs, in Free Software whose author is trying to do
the right thing.

When a licensed work represents an investment of time/effort/money that
is difficult or expensive to redo - most visibly, the Linux kernel -
copyleft is a valuable tool to encourage the production of more Free
Software. However, when an independent reimplementation of the work
only has a cost comparable to the time spent worrying about licensing
questions, copyleft is at best neutral, often an annoyance, and at worst
an active barrier to re-use.

I wonder how many debian/ directories the participants in this thread
could have written between us, under licenses of our choice, in the time
it took to discuss this?

S

[1] assuming for the sake of avoiding tautology that you do not consider
proprietary software to be inherently evil



Re: unknown license for package/debian/* in d/copyright in adopted package

2017-01-03 Thread Ben Finney
Ian Jackson <ijack...@chiark.greenend.org.uk> writes:

> Ben Finney writes ("Re: unknown license for package/debian/* in d/copyright 
> in adopted package"):
> > The principle is to consider what a hypothetical future package
> > maintainer, or FTP master or recipient, will need to have to verify
> > the copyright holder does in fact grant the stated license.
> > 
> > […]
> > 
> > The important thing is that the grant be explicit, specific as to
> > which work and which license terms, and that it all be clearly in
> > writing.
>
> Do you agree that my mail exchange as found in the sympathy package is
> a good example of how to ask these questions, and how to record the
> answers ?

As to how to record the information, I would expect to find it in the
‘debian/copyright’ file, and I don't see what you're referring to at
<URL:https://sources.debian.net/src/sympathy/1.2.1%2Bwoking%2Bcvs%2Bgit20161222/debian/copyright/>.

So, if you can point to what you mean, I may be able to better respond :-)

-- 
 \   “Faith is the determination to remain ignorant in the face of |
  `\ all evidence that you are ignorant.” —Shaun Mason |
_o__)  |
Ben Finney



Re: unknown license for package/debian/* in d/copyright in adopted package

2017-01-03 Thread Ian Jackson
Ben Finney writes ("Re: unknown license for package/debian/* in d/copyright in 
adopted package"):
> Ian Jackson <ijack...@chiark.greenend.org.uk> writes:
> > I would encourage everyone who does packaging to explicitly licence
> > your debian/* with some very permissive licence (eg, MIT).
> 
> I default to granting “GPLv3 or later” for mine; often I'll change
> that to match the upstream work's license grant.
> 
> I don't see any special reason to prefer lax license grants for Debian
> packaging, so I default to copyleft.

It is often useful to copy Debian packaging snippets from one package
to another.  That requires that the packaging of the first package
have a licence which is compatible with the upstream licence of the
second.  In practice that means a permissive licence.

This benefit IMO far outweighs the risk that at some point someone
will abuse our goodwill to make Debian-format source packages out of
proprietary software.  No-one, not even evil people, would want to do
that.  In practice no-one except Debian and its free software
derivatives makes Debian-format source packages; everyone else has an
ad-hoc build script that spits out some .debs.

> The principle is to consider what a hypothetical future package
> maintainer, or FTP master or recipient, will need to have to verify the
> copyright holder does in fact grant the stated license.
> 
> I agree that having the message be cryptographically signed is not
> necessary, but it is good to have if feasible.
> 
> The important thing is that the grant be explicit, specific as to which
> work and which license terms, and that it all be clearly in writing.

Do you agree that my mail exchange as found in the sympathy package is
a good example of how to ask these questions, and how to record the
answers ?

Ian.

-- 
Ian Jackson <ijack...@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.



Re: unknown license for package/debian/* in d/copyright in adopted package

2017-01-01 Thread Ben Finney
Ian Jackson writes:

> Nicholas D Steeves writes ("unknown license for package/debian/* in 
> d/copyright in adopted package"):
> > I'm adopting src:muse-el, and the old d/copyright file does not
> > state which license the old debian/* uses.
>
> This kind of thing is quite annoying.

Agreed. The Debian packaging should have an explicit grant of license,
recorded in ‘debian/copyright’ specifically for the ‘debian/*’ pattern
so that if upstream's licensing changes the Debian packaging license
continues to be clear.

> I would encourage everyone who does packaging to explicitly licence
> your debian/* with some very permissive licence (eg, MIT).

I default to granting “GPLv3 or later” for mine; often I'll change that
to match the upstream work's license grant.

I don't see any special reason to prefer lax license grants for Debian
packaging, so I default to copyleft.

> > I was recently able to contact Michael Olson. Would a signed email
> > from Michael Olson certifying that his contributions to debian/*
> > were of either GPL-2, GPL-2+, or MIT be sufficient to allow an
> > update to src:muse-el/debian/copyright? If so, to whom should I ask
> > him to send that email?
>
> The mail does not have to be signed.

The principle is to consider what a hypothetical future package
maintainer, or FTP master or recipient, will need to have to verify the
copyright holder does in fact grant the stated license.

I agree that having the message be cryptographically signed is not
necessary, but it is good to have if feasible.

The important thing is that the grant be explicit, specific as to which
work and which license terms, and that it all be clearly in writing.

-- 
 \ “I may disagree with what you say, but I will defend to the |
  `\death your right to mis-attribute this quote to Voltaire.” |
_o__)   —Avram Grumer, rec.arts.sf.written, 2000-05-30 |
Ben Finney



Re: unknown license for package/debian/* in d/copyright in adopted package

2016-12-30 Thread Ian Jackson
Nicholas D Steeves writes ("unknown license for package/debian/* in d/copyright 
in adopted package"):
> I'm adopting src:muse-el, and the old d/copyright file does not state
> which license the old debian/* uses.

This kind of thing is quite annoying.  I would encourage everyone who
does packaging to explicitly licence your debian/* with some very
permissive licence (eg, MIT).

> I was recently able to contact Michael Olson.  Would a signed email
> from Michael Olson certifying that his contributions to debian/* were
> of either GPL-2, GPL-2+, or MIT be sufficient to allow an update to
> src:muse-el/debian/copyright?  If so, to whom should I ask him to send
> that email?

The mail does not have to be signed.  (It seems you're confident you
have the right email correspondent.)  Although there is no harm in it
being signed, asking for a signature might make it more inconvenient
for Michael, or cause delay.

You can ask Michael to send the mail to you.  He could also post it
here, if he feels like it.  If he sends the mail to you privately, do
not publish his new email address without his permission.  Put a copy
of the email, with the headers heavily redacted, in the package.

As an example of how to do this for some upstream contributions, I
offer this:
  https://browse.dgit.debian.org/sympathy.git/tree/COPYING.emails

> The bug associated with this ITA is #844184.  By now it's kind of a
> long read ;-)

I haven't read it :-).

Good luck.

Ian.

-- 
Ian Jackson    These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.