Re: unknown license for package/debian/* in d/copyright in adopted package
Dear Debian Legal Team,

Thank you very much for your help. I've read each email in this thread with care, and at last can consider this issue closed.

On 9 June 2017 at 02:27, Anthony DeRobertis wrote:
> On 06/08/2017 06:52 PM, Nicholas D Steeves wrote:
>>
>> I'd prefer not to, because Message-ID reveals what I consider private
>> information (IP address or client hostname) to an unbounded audience,
>> and I believe that this is a greater privacy violation than the
>> lintian warning against downloading a hyperlinked image in local [...]
>
> That depends on the software that generated the message (e.g., Thunderbird
> seems to do uuid@domain, so avoids the privacy issue—at least it reveals
> less than the From header), but where it does you could just redact the
> hostname (or entire domain). That'd still preserve the ability to reference
> an individual message.
>
> Message-Id: and
> Message-Id:
>
> are both pretty clear what you're doing.

Anthony, thank you for this solution! :-) I didn't know that this was allowed.

Ben, now there's a Message-ID field. I'll upload to experimental as soon as Sean Whitton grants me DM permissions for src:muse-el.

Sincerely,
Nicholas
Re: unknown license for package/debian/* in d/copyright in adopted package
On 06/08/2017 06:52 PM, Nicholas D Steeves wrote:
> I'd prefer not to, because Message-ID reveals what I consider private
> information (IP address or client hostname) to an unbounded audience,
> and I believe that this is a greater privacy violation than the
> lintian warning against downloading a hyperlinked image in local [...]

That depends on the software that generated the message (e.g., Thunderbird seems to do uuid@domain, so avoids the privacy issue—at least it reveals less than the From header), but where it does you could just redact the hostname (or entire domain). That'd still preserve the ability to reference an individual message.

Message-Id: and
Message-Id:

are both pretty clear what you're doing.
Re: unknown license for package/debian/* in d/copyright in adopted package
Hi Ben,

On Wed, Jun 07, 2017 at 10:24:11AM +1000, Ben Finney wrote:
> Nicholas D Steeves writes:
>
> > I pushed updates here:
> >
> > https://anonscm.debian.org/git/pkg-emacsen/pkg/muse-el.git/tree/debian/COPYING.emails
>
> That's a good record. Better than most Debian packages, I'd say :-)

Thank you! :-D

> Can you put the Message-ID field for each message in the header for the
> message? That will make it easier to refer to specific messages later.

I'd prefer not to, because Message-ID reveals what I consider private information (IP address or client hostname) to an unbounded audience, and I believe that this is a greater privacy violation than the lintian warning against downloading a hyperlinked image in local documentation. The latter only reveals private information to a single person. Yes, it can be argued that Debian Developers waive their privacy by participating in publicly archived forums, like this one; however, because the contributors chose to privately email me rather than reply to this thread, I have chosen to maximally respect their privacy.

> As it is, I can say I think you need only these ones:
>
> * Date: Thu, 1 Jun 2017 10:15:58 +1000
>   From: Trent Buck
>
> * Date: Wed, 31 May 2017 20:24:01 -0700
>   From: Michael Olson
>
> * Date: Thu, 01 Jun 2017 09:57:49 +0200
>   From: Julien Danjou
>
> > How important is this updated copyright?
>
> It's important to include explicit grant of specific license in writing
> from all copyright holders.

I included Mehdi's statement because I believe it is to the effect of "I am pretty sure that I am not a copyright holder". That said, is this record sufficiently complete without digging through bts archives to find out how to contact anyone who was involved in the NMU he did...and then contacting them?

> > Do I need to worry about getting it into Stretch?
>
> I think it can wait until after the release, though I don't speak for
> the release team or FTP masters.

I contacted them but don't expect to receive a reply, knowing how busy they must be ;-)

Thank you for the help,
Nicholas
Re: unknown license for package/debian/* in d/copyright in adopted package
Nicholas D Steeves writes:

> I pushed updates here:
>
> https://anonscm.debian.org/git/pkg-emacsen/pkg/muse-el.git/tree/debian/COPYING.emails

That's a good record. Better than most Debian packages, I'd say :-)

Can you put the Message-ID field for each message in the header for the message? That will make it easier to refer to specific messages later.

As it is, I can say I think you need only these ones:

* Date: Thu, 1 Jun 2017 10:15:58 +1000
  From: Trent Buck

* Date: Wed, 31 May 2017 20:24:01 -0700
  From: Michael Olson

* Date: Thu, 01 Jun 2017 09:57:49 +0200
  From: Julien Danjou

> How important is this updated copyright?

It's important to include explicit grant of specific license in writing from all copyright holders.

> Do I need to worry about getting it into Stretch?

I think it can wait until after the release, though I don't speak for the release team or FTP masters.

--
 \     Eccles: “I just saw the Earth through the clouds!” Lew: “Did |
  `\   it look round?” Eccles: “Yes, but I don't think it saw me.”  |
_o__)  —The Goon Show, _Wings Over Dagenham_                        |
Ben Finney
Re: unknown license for package/debian/* in d/copyright in adopted package
On Wed, May 31, 2017 at 02:54:57PM +1000, Ben Finney wrote:
> Ian Jackson writes:
>
> > Do you agree that my mail exchange as found in the sympathy package is
> > a good example of how to ask these questions, and how to record the
> > answers ?
>
> Ian Jackson writes:
>
> > I meant this, which I provided a link to earlier:
> > https://browse.dgit.debian.org/sympathy.git/tree/COPYING.emails
>
> Yes, that's a good record of the conversation.
>
> It'd be better IMO if it included each message's Message-ID field, or
> some other URI for each message so that the parties in the conversation
> can later verify that it matches their own record of the discussion.
>
> Are there messages in that file that could be removed? I typically try
> to get a single message from the copyright holder, that contains an
> explicit and unambiguous grant of a specific license.
>
> Often that isn't forthcoming as clearly as we might like, because of how
> the correspondence unfolds. I appreciate that you pressed for that in
> the discussion for ‘sympathy’. Maybe that's just an example of a case
> where no one message will clearly show the grant of license, and the
> whole set needs to be examined.

Dear Ian and Ben,

Thank you for resuming this conversation! I had forgotten to finish work on this issue and it is exactly the reminder I needed.

I pushed updates here:

https://anonscm.debian.org/git/pkg-emacsen/pkg/muse-el.git/tree/debian/COPYING.emails
https://anonscm.debian.org/cgit/pkg-emacsen/pkg/muse-el.git/

How important is this updated copyright? Do I need to worry about getting it into Stretch? When Feb 5th blew by I thought "minor, not very popular package that isn't worse than it was before" so didn't worry about it and I thought the issue wasn't worth hassling someone for an unblock.

Sincerely,
Nicholas
Re: unknown license for package/debian/* in d/copyright in adopted package
Ian Jackson <ijack...@chiark.greenend.org.uk> writes:

> Ben Finney writes ("Re: unknown license for package/debian/* in d/copyright
> in adopted package"):
> > Are there messages in that file that could be removed? I typically
> > try to get a single message from the copyright holder, that contains
> > an explicit and unambiguous grant of a specific license.
>
> I think it is better not to bother upstream with pointless
> administrivia.

Given an appropriate definition of “pointless administrivia”, of course I agree with that.

I'm responding (belatedly) to your request for feedback on the *existing* record of correspondence :-)

--
 \     “… no testimony can be admitted which is contrary to reason; |
  `\   reason is founded on the evidence of our senses.” —Percy Bysshe |
_o__)  Shelley, _The Necessity of Atheism_, 1811                    |
Ben Finney
Re: unknown license for package/debian/* in d/copyright in adopted package
Ben Finney writes ("Re: unknown license for package/debian/* in d/copyright in adopted package"):
> Are there messages in that file that could be removed? I typically try
> to get a single message from the copyright holder, that contains an
> explicit and unambiguous grant of a specific license.

I think it is better not to bother upstream with pointless administrivia.

Ian.
Re: unknown license for package/debian/* in d/copyright in adopted package
Ian Jackson writes:

> Do you agree that my mail exchange as found in the sympathy package is
> a good example of how to ask these questions, and how to record the
> answers ?

Ian Jackson writes:

> I meant this, which I provided a link to earlier:
> https://browse.dgit.debian.org/sympathy.git/tree/COPYING.emails

Yes, that's a good record of the conversation.

It'd be better IMO if it included each message's Message-ID field, or some other URI for each message so that the parties in the conversation can later verify that it matches their own record of the discussion.

Are there messages in that file that could be removed? I typically try to get a single message from the copyright holder, that contains an explicit and unambiguous grant of a specific license.

Often that isn't forthcoming as clearly as we might like, because of how the correspondence unfolds. I appreciate that you pressed for that in the discussion for ‘sympathy’. Maybe that's just an example of a case where no one message will clearly show the grant of license, and the whole set needs to be examined.

--
 \     “If it ain't bust don't fix it is a very sound principle and |
  `\   remains so despite the fact that I have slavishly ignored it |
_o__)  all my life.” —Douglas Adams                                 |
Ben Finney
Re: unknown license for package/debian/* in d/copyright in adopted package
Ben Finney writes ("Re: unknown license for package/debian/* in d/copyright in adopted package"):
> As to how to record the information, I would expect to find it in the
> ‘debian/copyright’ file, and I don't see what you're referring to at
> <URL:https://sources.debian.net/src/sympathy/1.2.1%2Bwoking%2Bcvs%2Bgit20161222/debian/copyright/>.
>
> So, if you can point to what you mean, I may be able to better respond :-)

I meant this, which I provided a link to earlier:

https://browse.dgit.debian.org/sympathy.git/tree/COPYING.emails

Ian.

--
Ian Jackson <ijack...@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
Re: unknown license for package/debian/* in d/copyright in adopted package
On Wed, 04 Jan 2017 at 02:16:10 +, Ian Jackson wrote:
> This benefit IMO far outweighs the risk that at some point someone
> will abuse our goodwill to make Debian-format source packages out of
> proprietary software. No-one, not even evil people, would want to do
> that.

As a consultant mostly working on Debian derivatives, I wouldn't agree with that. Various non-evil[1] people make Debian-format source packages whose upstream part is partially or entirely proprietary software, with either Free packaging (common in Debian non-free), proprietary packaging (which I seem to remember seeing in at least Maemo), or packaging with no explicit license at all (which I've seen in at least Raspbian).

Putting a copyleft license on your favourite package's packaging is not going to prevent that: Debian packaging is not difficult to write from scratch, and even if it wasn't, there are plenty of permissively-licensed packages available to base a proprietary package on. This also assumes that the parts of the packaging that might be copied are even sufficiently creative to be eligible for copyright, which might be doubtful in simple cases (in particular, maximally-declarative packaging with dh).

I think a much more serious risk is that an insufficiently permissive license results in inadvertent copyright infringement, avoidable duplicated work, or avoidable bugs, in Free Software whose author is trying to do the right thing.

When a licensed work represents an investment of time/effort/money that is difficult or expensive to redo - most visibly, the Linux kernel - copyleft is a valuable tool to encourage the production of more Free Software. However, when an independent reimplementation of the work only has a cost comparable to the time spent worrying about licensing questions, copyleft is at best neutral, often an annoyance, and at worst an active barrier to re-use.

I wonder how many debian/ directories the participants in this thread could have written between us, under licenses of our choice, in the time it took to discuss this?

S

[1] assuming for the sake of avoiding tautology that you do not consider proprietary software to be inherently evil
Re: unknown license for package/debian/* in d/copyright in adopted package
Ian Jackson <ijack...@chiark.greenend.org.uk> writes:

> Ben Finney writes ("Re: unknown license for package/debian/* in d/copyright
> in adopted package"):
> > The principle is to consider what a hypothetical future package
> > maintainer, or FTP master or recipient, will need to have to verify
> > the copyright holder does in fact grant the stated license.
> >
> > […]
> >
> > The important thing is that the grant be explicit, specific as to
> > which work and which license terms, and that it all be clearly in
> > writing.
>
> Do you agree that my mail exchange as found in the sympathy package is
> a good example of how to ask these questions, and how to record the
> answers ?

As to how to record the information, I would expect to find it in the ‘debian/copyright’ file, and I don't see what you're referring to at <URL:https://sources.debian.net/src/sympathy/1.2.1%2Bwoking%2Bcvs%2Bgit20161222/debian/copyright/>.

So, if you can point to what you mean, I may be able to better respond :-)

--
 \     “Faith is the determination to remain ignorant in the face of |
  `\   all evidence that you are ignorant.” —Shaun Mason            |
_o__)                                                               |
Ben Finney
Re: unknown license for package/debian/* in d/copyright in adopted package
Ben Finney writes ("Re: unknown license for package/debian/* in d/copyright in adopted package"):
> Ian Jackson <ijack...@chiark.greenend.org.uk> writes:
> > I would encourage everyone who does packaging to explicitly licence
> > your debian/* with some very permissive licence (eg, MIT).
>
> I default to granting “GPLv3 or later” for mine; often I'll change
> that to match the upstream work's license grant.
>
> I don't see any special reason to prefer lax license grants for Debian
> packaging, so I default to copyleft.

It is often useful to copy Debian packaging snippets from one package to another. That requires that the packaging of the first package have a licence which is compatible with the upstream licence of the second. In practice that means a permissive licence.

This benefit IMO far outweighs the risk that at some point someone will abuse our goodwill to make Debian-format source packages out of proprietary software. No-one, not even evil people, would want to do that. In practice no-one except Debian and its free software derivatives makes Debian-format source packages; everyone else has an ad-hoc build script that spits out some .debs.

> The principle is to consider what a hypothetical future package
> maintainer, or FTP master or recipient, will need to have to verify the
> copyright holder does in fact grant the stated license.
>
> I agree that having the message be cryptographically signed is not
> necessary, but it is good to have if feasible.
>
> The important thing is that the grant be explicit, specific as to which
> work and which license terms, and that it all be clearly in writing.

Do you agree that my mail exchange as found in the sympathy package is a good example of how to ask these questions, and how to record the answers ?

Ian.

--
Ian Jackson <ijack...@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
Re: unknown license for package/debian/* in d/copyright in adopted package
Ian Jackson writes:

> Nicholas D Steeves writes ("unknown license for package/debian/* in
> d/copyright in adopted package"):
> > I'm adopting src:muse-el, and the old d/copyright file does not
> > state which license the old debian/* uses.
>
> This kind of thing is quite annoying.

Agreed. The Debian packaging should have an explicit grant of license, recorded in ‘debian/copyright’ specifically for the ‘debian/*’ pattern so that if upstream's licensing changes the Debian packaging license continues to be clear.

> I would encourage everyone who does packaging to explicitly licence
> your debian/* with some very permissive licence (eg, MIT).

I default to granting “GPLv3 or later” for mine; often I'll change that to match the upstream work's license grant.

I don't see any special reason to prefer lax license grants for Debian packaging, so I default to copyleft.

> > I was recently able to contact Michael Olson. Would a signed email
> > from Michael Olson certifying that his contributions to debian/*
> > were of either GPL-2, GPL-2+, or MIT be sufficient to allow an
> > update to src:muse-el/debian/copyright? If so, to whom should I ask
> > him to send that email?
>
> The mail does not have to be signed.

The principle is to consider what a hypothetical future package maintainer, or FTP master or recipient, will need to have to verify the copyright holder does in fact grant the stated license.

I agree that having the message be cryptographically signed is not necessary, but it is good to have if feasible.

The important thing is that the grant be explicit, specific as to which work and which license terms, and that it all be clearly in writing.

--
 \     “I may disagree with what you say, but I will defend to the  |
  `\   death your right to mis-attribute this quote to Voltaire.”   |
_o__)  —Avram Grumer, rec.arts.sf.written, 2000-05-30               |
Ben Finney
Re: unknown license for package/debian/* in d/copyright in adopted package
Nicholas D Steeves writes ("unknown license for package/debian/* in d/copyright in adopted package"):
> I'm adopting src:muse-el, and the old d/copyright file does not state
> which license the old debian/* uses.

This kind of thing is quite annoying.

I would encourage everyone who does packaging to explicitly licence your debian/* with some very permissive licence (eg, MIT).

> I was recently able to contact Michael Olson. Would a signed email
> from Michael Olson certifying that his contributions to debian/* were
> of either GPL-2, GPL-2+, or MIT be sufficient to allow an update to
> src:muse-el/debian/copyright? If so, to whom should I ask him to send
> that email?

The mail does not have to be signed. (It seems you're confident you have the right email correspondent.) Although there is no harm in it being signed, asking for a signature might make it more inconvenient for Michael, or cause delay.

You can ask Michael to send the mail to you. He could also post it here, if he feels like it.

If he sends the mail to you privately, do not publish his new email address without his permission.

Put a copy of the email, with the headers heavily redacted, in the package. As an example of how to do this for some upstream contributions, I offer this:

https://browse.dgit.debian.org/sympathy.git/tree/COPYING.emails

> The bug associated with this ITA is #844184. By now it's kind of a
> long read ;-)

I haven't read it :-).

Good luck.

Ian.

--
Ian Jackson
These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
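
Added example, not part of any message in this thread and not Debian tooling: one way to produce the "heavily redacted" header copy suggested above while keeping a Message-ID whose host part is redacted, as proposed in the 9 June reply. The header allow-list, the REDACTED placeholder, the function names and the sample message are all assumptions made up for this illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list: headers worth keeping in a licence record. Everything
# else (Received, X-Originating-IP, User-Agent, ...) is dropped entirely.
KEEP = ("Date", "From", "Subject", "Message-ID", "In-Reply-To")

# Matches <local-part@host> message identifiers.
MSGID_RE = re.compile(r"<([^<>@\s]+)@([^<>\s]+)>")


def redact_msgid(value, placeholder="REDACTED"):
    """Drop the host part (client hostname or IP), keep the local part so
    the message can still be referenced unambiguously."""
    return MSGID_RE.sub(lambda m: f"<{m.group(1)}@{placeholder}>", value)


def redact_address(value, publish=False):
    """Keep the display name; publish the address only with permission."""
    if publish:
        return value
    name, _addr = parseaddr(value)
    return f"{name} <address redacted>".strip()


def redact_message(raw, publish_addresses=False):
    """Return the message with only allow-listed, redacted headers."""
    msg = message_from_string(raw)
    lines = []
    for name in KEEP:
        for value in msg.get_all(name, []):
            value = " ".join(str(value).split())  # unfold continuation lines
            if name in ("Message-ID", "In-Reply-To"):
                value = redact_msgid(value)
            elif name == "From":
                value = redact_address(value, publish_addresses)
            lines.append(f"{name}: {value}")
    return "\n".join(lines) + "\n\n" + msg.get_payload()


# Constructed sample message (documentation-range IP, example domains).
SAMPLE = """\
Received: from laptop.home.example (203.0.113.7) by mx.example.org;
 Mon, 5 Jun 2017 12:00:00 +0000
Message-Id: <20170605120000.GA1234@laptop.home.example>
In-Reply-To: <87abcd.fsf@desk.example.net>
Date: Mon, 5 Jun 2017 12:00:00 +0000
From: Example Contributor <contributor@private.example>
Subject: Re: licence of debian/*
X-Originating-IP: [203.0.113.7]

I license my contributions to debian/* under the Expat (MIT) licence.
"""

if __name__ == "__main__":
    print(redact_message(SAMPLE))
```

The local part of a Message-ID can itself carry a timestamp or process id, so check what the sending software puts there before publishing it.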