The Debian Policy Manual on https://www.debian.org/doc/debian-policy/ch-docs.html#s-copyrightfile
says: 12.5 Copyright information [...] In addition, the copyright file must say where the upstream sources (if any) were obtained, and should name the original authors. But I wonder whether it is a good idea to promote only non-secure URL's to the source (at least if there are no associated signtures), as some packages do. One may also wonder whether the package maintainer has used such a URL to download upstream's source. For instance, for libc6, /usr/share/doc/libc6/copyright contains: -------- It was put together by the GNU Libc Maintainers <[email protected]> from <svn://svn.eglibc.org> -------- -- Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon) -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: https://lists.debian.org/[email protected]
