Hello Emmanuel,

first of all, I want to thank you a lot for your courage and efforts to work in the new DFSG team! This has been a major bottleneck in the past few years. I've tried to get cockpit-files into Debian since July 2024, so I'm really happy to see some progress! 🎉

Emmanuel Arias [2026-01-30 20:59 +0000]:
> - Please mention dpkg/lib/cockpit-components-checkbox-select.tsx is Expat
> - Please mention pkg/lib/cockpit-components-multi-typeahead-select.tsx is
> Expat
> - Please mention pkg/lib/cockpit-components-simple-select.tsx is Expat
> - Please mention pkg/lib/cockpit-components-typeahead-select.tsx is Expat
> - Please mention test/common/pixeldiff.html is Expat
> - Please add a paragraph for debian/* files
> - If it is possible, please add the Upstream-Contact
> - Please also mention Copyright 2010-2020 Python Software Foundation. and
> 2020 argparse.js authors for node/argparse/argparse.js
> - Only files in /node/resolve/test/resolver/nested_symlinks/mylib are
> License ISC.

Good catches! I fixed all of these in [0]. They affect all our projects, i.e.
also cockpit{,-machines,-podman} which are already in Debian. So fixing them in
the central project first, as the others share the copyright building script.

> - Please detail that node/@bufbuild/protobuf/dist/esm/wire/varint.js and
> node/@bufbuild/protobuf/dist/cjs/wire/varint.js are BSD-3-Clause

This is the troublesome item. Note that all the node/* entries in
debian/copyright are autogenerated from [1] by replacing `#NPM#` with actual
contents through [2]. I.e. IMHO in the long run it is more useful to actually
keep this file up to date automatically with added/removed/updated node
modules, and sacrifice a little precision and editorial "niceness" for that.

protobuf's package.json [3] directly says

> "license": "(Apache-2.0 AND BSD-3-Clause)",

and there are no sub-packages in there which would further differentiate
between which code is covered under which license (unlike for the "resolve"
module, that part is fixed in [0]).

Dissecting node package licenses by individual files automatically is
error-prone, complicated, and cannot really be correct either -- these files are
written by humans who are notoriously bad at adding license statements to new
files, or keeping copyright years up to date etc. I can probably find some
quirk/special-case, but it would make the copyright generation script even more
complicated and error-prone.

It seems to me that this "Apache-2.0 AND BSD-3-Clause" statement is "correct
enough", and that this is the best balance between long-term correctness
through automation and short-term "good enough" correctness.

Does that change your opinion about the bufbuild paragraph, or do you still want
me to special-case this?

Thanks, and all the best!

Martin

[0] https://github.com/cockpit-project/cockpit/pull/22837
[1] https://github.com/cockpit-project/cockpit/blob/main/tools/debian/copyright.template#L30
[2] https://github.com/cockpit-project/cockpit/blob/main/tools/build-debian-copyright
[3] https://github.com/cockpit-project/cockpit/blob/main/tools/build-debian-copyright
_______________________________________________ Pkg-utopia-maintainers mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-utopia-maintainers
