Ben Finney <bign...@debian.org> writes: > Thanks for saying so. To talk with them, though, I would be better > informed if I could say what your position is and know wy; as it is I > feel I would be putting words into your mouth. I don't want to do that, > but that's what I'm left with so far.
Fair, particularly since I misstated part of it in my previous message (I don't disagree with your interpretation of the license, just of Debian Policy). I'll be open about this: I think that there's a deep mismatch between how we like to discuss things, which is why I'm trying to avoid getting into a back and forth. I think you're just trying to be clear and precise, but I find the close textual reading that you're doing in this discussion demoralizing and off-putting. But I can try to write one more message to summarize how I see this overall. After that, I really do need to stop, even if there are further unanswered questions about the specifics, since I truly don't think the specifics that you're calling out are either important or relevant to my argument, and I feel like all I'm doing is restating my original bug report in different words (and way, way more of them...). I have the following relevant goals as a package maintainer: 1. Spend as little time as possible on maintaining the debian/copyright file consistent with the requirements of that file, since this time is generally far less productive than time spent elsewhere on a package in terms of providing utilitarian value for package users (including myself). 2. Minimize the chances that I will not comply with the upstream license. 3. Within the possible bugs I could accidentally introduce under the requirements of the upstream license, minimize the chances that I won't comply with a requirement that upstream truly cares about. The last point requires a bit of explanation. The Apache 2.0 license requires preserving both copyright notices (4c) and the attribution notices in NOTICE (4d). However, my experience tells me that most upstreams do not really care about 4c. Frequently they don't update their copyright notices *themselves*, and even when they do, I have literally never, in my entire time packaging software for Debian, seen an upstream complain about an error in recording a newly-introduced copyright notice. However, these attribution notices in the NOTICE file are something that I have had upstreams care about a lot. They may be required records of funding, they may be important for giving proper credit in ways that upstream cares a lot about, and so forth. This is a unique feature of the Apache 2.0 license, and while mostly people pick the license for other reasons, this may be something that really matters to them. If you follow a packaging model where debian/copyright contains only the copyright and license notices (and the various origin information, which almost never changes), and the NOTICE file is separately installed, this means that the only debian/copyright maintenance I have to do when packaging a new upstream release is to run "git grep Copyright" and update years (or, rarely, add a new upstream copyright holder), and then do a spot check of new files to be sure upstream didn't introduce some other license. If I am transcribing the NOTICE file into debian/copyright, I have to do an additional step. But, more importantly, notice the failure mode: if I forget to do the debian/copyright update, I might fail goal 2 if there are new upstream copyright notices. However, I will never fail goal 3 unless upstream adds a new NOTICE file that didn't previously exist: this is *structurally* ensured by the nature of the packaging. And with this Lintian tag, Lintian will tell me about even that case, so I will *never* fail goal 3. The worst thing that will happen is that I'll fail to update copyright notices, which, again, literally no one has ever actually cared about in any package I maintain in all the time I've worked on Debian. (Well, to be complete, there's *some* chance that I might miss a more serious licensing bug due to a newly-introduced license, but this is quite rare and the chances are small.) If, instead, I copy the NOTICE file into debian/copyright, I have to remember to check it again with each upstream release, and if I don't, I risk failing on both goals 2 and 3. Worse, synchronizing the NOTICE file with debian/copyright is not easily testable. I'd have to write a more complicated test that maps the reformatted debian/copyright text (since I use copyright-format 1.0) to the presentation in the NOTICE file to check all the data is included. By comparison, whether I installed the NOTICE file is trivially testable. All things being equal, I believe in the design principle that you should use the more testable approach over the less testable approach, since humans always make mistakes. The solution proposed in this Lintian tag addresses all goals for me with a minimum of overhead: with a one-time change to the packaging, I eliminate a whole class of update bugs and reduce the amount of work I have to do with each upstream release. Separate from those goals, I also believe the purpose of the debian/copyright file is to primarily record licenses and copyright statements, and secondarily to record the upstream origin information described in Debian Policy. I don't believe the attribution notices of the Apache 2.0 license have any place in debian/copyright because they are none of those things, and I think that file should be kept as succinct as possible given its goals because that achieves goal 1. So, this approach also preserves debian/copyright for copyright and license notices, puts other types of notices in a separate file that I find aesthetically superior, and uses the same file name that is called out in the license with a minimum transform of upstream's files. But those are all secondary points, and other people's aesthetics obviously may disagree. I think those three goals are more widespread. That said, I can also propose a path forward: if you feel strongly about putting NOTICE into debian/copyright, you could write the more complicated test to check that the contents of NOTICE is present in debian/copyright in some form, and if it is, deactivate the tag about installing NOTICE. I dislike that packaging approach on stylistic grounds, but I think it's within reasonable disagreement, and that would avoid any false negatives for my packaging style. So I'd be perfectly content with that. (But I think it would be important to ensure that *all* of the contents of NOTICE is in debian/copyright, since the exact failure mode I'm trying to avoid is upstream adding a new attribution notice to NOTICE between releases and not seeing that or copying it into the installed package files.) That said, as mentioned previously, I'm happy to let the active Lintian maintainers make the final call on this, since I'm not active. -- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
