Bug#828970: ITP: singularity -- application containerization platform

2016-07-23 Thread Dave Love
Yaroslav Halchenko  writes:

> Thanks for following up, Dave!  I haven't realized that you are
> maintaining your own fork on github with adjusted debian packaging

It's not very adjusted from what I submitted.

> Before commenting on your points: Do you have intent to maintain
> singularity within Debian?  should we then join the forces? (I am DD so can
> upload)

No, I'm a Debian desktop user, but have to support RHEL-like systems and
package for that (though there seem to be some fundamental problems
using singularity on them and similar ones).

>> The licence is actually BSD-3-Clause-LBNL in SPDX terms.  I think its
>> default licensing clause is a potential trap which Debian might
>> consider.  I've asked for an opinion from Fedora legal about including
>> language to nullify that in a "separate written license agreement".  
>
> well -- for completeness -- it is "without imposing a separate written license
> agreement"

Yes, which is why I added a notice to COPYING.

> and overall paragraph in question is 

[...]

> which I (IANAL) do not see a problem with.  To me it reads as an additional
> clause providing copyleft like license mandating making contributions available
> back publicly or directly to the lab under permissive terms.  But indeed,
> it makes the license not quite just a BSD-3  ;)

It doesn't say the licence is to LBL.  It's definitely not copyleft, as
the purpose of copyleft is to prevent proprietary versions.  (There's an
explanation somewhere on gnu.org.)

> just a note:  problems with information on the website do not directly
> relate to the problems with the source code/packaging, and there all the terms
> are described, right?

It might be a concern if either you worry about LBL's interpretation of
the licence and copyright in general or if it made a package maintainer
unable to contribute "upstream".

> oh, where on the website? can't find

In the section on contributing.

> I guess you are talking about rhc54 AKA Ralph Castain ?   But he is not a
> lawyer [1] and not a major contributor to singularity anyways (although
> with sufficiently high privileges apparently on the upstream github repo).  

I know, but he appears to speak for the project and it seems consistent
with what seems to be LBL policy (but not consistent with the Open MPI
contributor agreement, for instance).

> I am really not sure what kind of bad mood (or grappa) could make him say "You
> cannot own" phrase... so I must say, I would just ignore that portion of the
> discussion, and provide concrete pull request suggesting adjustment of the
> wording and make that issue close with that:
> https://github.com/gmkurtzer/singularity/pull/137/files
> and by the time I have finished writing this email Gregory has already
> merged it!  ;)
>
> But again -- that is not directly related to
> packaging/redistribution in Debian or Fedora.

I know what the licence says, I know what copyright law says, but I've
been around long and widely enough to worry about that being ignored or
mis-interpreted.  I'm just pointing it out and urging caution.

> oh -- thanks for the pointer.  So, if I get it right, you aren't feeling
> like contributing those patches to upstream yourself ATM?  and you would
> reconsider whenever a clarification is made on you retaining the
> copyright to those patches?

Yes.

> or what exactly? (I usually do not really
> care much enough to sweat for claiming my ownership on every line I have
> ever changed git log  keeps the record of the truth! ;) )

You may be OK putting changes in the public domain, but that's not
generally possible, and there's a principle involved.

> So, now we (I or you? or both?) should absorb the changes you have
> accumulated in your clone and/or fedora packaging, within Debian
> package:

Changes I've made are distributed under a BSD3 or BSD2 licence, so you
can take them if they're useful.  I think you should worry about things
that are at least potential security problems with a setuid program, but
there's a lot that potentially needs fixing.  After looking more closely
I decided the package isn't currently in a good enough state for Fedora.
I'd be happy for an expert to assure me that some of it isn't really a
problem, of course.



Bug#828970: ITP: singularity -- application containerization platform

2016-07-23 Thread Mattia Rizzolo
On Sat, Jul 23, 2016 at 10:37:11AM -0400, Yaroslav Halchenko wrote:
> FWIW -- uploaded 2.1~testing0+git39-g875d469-1  to NEW

yeah, you uploaded it, and luckily it went to new due to
singularity-container...

There is already a src:singularity in debian:
https://tracker.debian.org/pkg/singularity

you actually hijacked it.

I suggest you ask ftpmasters to reject your upload and rename the thing.


The first email was not X-Debbugs-Cc to d-devel@ as it's recommended,
one reason of that recommendation is to avoid this kind of situation
(not all get caught, but several are).

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
more about me:  https://mapreri.org : :'  :
Launchpad user: https://launchpad.net/~mapreri  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-




Bug#828970: ITP: singularity -- application containerization platform

2016-07-23 Thread Yaroslav Halchenko
FWIW -- uploaded 2.1~testing0+git39-g875d469-1  to NEW

For now doesn't include any additional patches -- yet to review and
possibly suggest including upstream those which aren't there yet (if any
left), e.g.  present in fedora packaging or Dave's clone.

Packaging (with a debian/ tag!) was pushed  to debian branch at
http://github.com/yarikoptic/singularity
When/if accepted to Debian I will file a PR against upstream.

-- 
Yaroslav O. Halchenko
Center for Open Neuroscience http://centerforopenneuroscience.org
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834   Fax: +1 (603) 646-1419
WWW:   http://www.linkedin.com/in/yarik



Bug#828970: ITP: singularity -- application containerization platform

2016-07-14 Thread Yaroslav Halchenko
Hi Dave,

NB CCing upstream (Gregory) since discussion is public anyways

Thanks for following up, Dave!  I haven't realized that you are
maintaining your own fork on github with adjusted debian packaging
and just kept plowing through the upstream's debian/ and submitting them
upstream (minor ones so far).

Before commenting on your points: Do you have intent to maintain
singularity within Debian?  should we then join the forces? (I am DD so can
upload)

> [I saw this late as I didn't get a reply to the question about whether
> this was being packaged for Debian.]

> > * License : BSD

> The licence is actually BSD-3-Clause-LBNL in SPDX terms.  I think its
> default licensing clause is a potential trap which Debian might
> consider.  I've asked for an opinion from Fedora legal about including
> language to nullify that in a "separate written license agreement".  

well -- for completeness -- it is "without imposing a separate written license
agreement" and overall paragraph in question is 

You are under no obligation whatsoever to provide any bug fixes, patches, or
upgrades to the features, functionality or performance of the source code
("Enhancements") to anyone; however, if you choose to make your Enhancements
available either publicly, or directly to Lawrence Berkeley National
Laboratory, without imposing a separate written license agreement for such
Enhancements, then you hereby grant the following license: a  non-exclusive,
royalty-free perpetual license to install, use, modify, prepare derivative
works, incorporate into other computer software, distribute, and sublicense
such enhancements or derivative works thereof, in binary and source code form.

which I (IANAL) do not see a problem with.  To me it reads as an additional
clause providing copyleft like license mandating making contributions available
back publicly or directly to the lab under permissive terms.  But indeed,
it makes the license not quite just a BSD-3  ;)

> The claim on the web site that it is simply BSD3 is wrong

yes

> but the issue that included that was closed without resolution.  See also below.


just a note:  problems with information on the website do not directly
relate to the problems with the source code/packaging, and there all the terms
are described, right?

> >   Programming Lang: C
> It's compiled C used by a set of Bourne shell scripts.

yeap

> > Package name (singularity) conflicts with a game package last released in
> > 2011 with notable popcon of 300... so I guess I would need to come up with an
> > alternative name, e.g.

> > singularity-containers

> > Alternative recommendations are welcome!

> It probably doesn't matter much, but the bundled packaging I contributed
> used the singular.

I thought to just stick to the one you chose:

$> git log -p debian/control | grep -e Package -e Author
...
Author: Gregory M. Kurtzer 
+Package: singularity-container


> Debian might want to be circumspect about copyright issues surrounding
> this.  The unresolved issue mentioned above concerned the claim on the
> project web site that copyright doesn't apply at least to "patches" and

oh, where on the website? can't find

(git)hopa:~/deb/perspect/singularity[remotes/origin/gh-pages]git
$> git grep -l patch | grep -v '\.js' | xargs grep patch
content/faq.html:Requires root to run (there is however a submitted patch to allow non-root, but it has not been accepted at this point)
content/faq.html:Even with the proposed patch, no mitigation of user escalation within the container
content/faq.html:are leveraging any kernel version specific or external patches/module
content/home.html:a standing unimplemented patch to RunC (already daemon-less) which allows for
content/install.html:Packages for singularity (2.0 plus some patches) have now hit the Fedora
content/license.html:You are under no obligation whatsoever to provide any bug fixes, patches, or


> I was subsequently told "You cannot “own” copyright in something you
> contribute to a 3-clause BSD project." (despite the project licence
> requiring you to grant a licence...).  I find it difficult to believe
> that's what LBNL lawyers actually say, but there you are.
> 

I guess you are talking about rhc54 AKA Ralph Castain ?   But he is not a
lawyer [1] and not a major contributor to singularity anyways (although
with sufficiently high privileges apparently on the upstream github repo).  

I am really not sure what kind of bad mood (or grappa) could make him say "You
cannot own" phrase... so I must say, I would just ignore that portion of the
discussion, and provide concrete pull request suggesting adjustment of the
wording and make that issue close with that:
https://github.com/gmkurtzer/singularity/pull/137/files
and by the time I have finished writing this email Gregory has already
merged it!  ;)

But again -- that is not directly related to

Bug#828970: ITP: singularity -- application containerization platform

2016-07-14 Thread Dave Love
[I saw this late as I didn't get a reply to the question about whether
this was being packaged for Debian.]

> * License : BSD

The licence is actually BSD-3-Clause-LBNL in SPDX terms.  I think its
default licensing clause is a potential trap which Debian might
consider.  I've asked for an opinion from Fedora legal about including
language to nullify that in a "separate written license agreement".  The
claim on the web site that it is simply BSD3 is wrong, but the issue
that included that was closed without resolution.  See also below.

>   Programming Lang: C

It's compiled C used by a set of Bourne shell scripts.

> Package name (singularity) conflicts with a game package last released in
> 2011 with notable popcon of 300... so I guess I would need to come up with an
> alternative name, e.g.
> 
> singularity-containers
> 
> Alternative recommendations are welcome!

It probably doesn't matter much, but the bundled packaging I contributed
used the singular.

Debian might want to be circumspect about copyright issues surrounding
this.  The unresolved issue mentioned above concerned the claim on the
project web site that copyright doesn't apply at least to "patches" and
I was subsequently told "You cannot “own” copyright in something you
contribute to a 3-clause BSD project." (despite the project licence
requiring you to grant a licence...).  I find it difficult to believe
that's what LBNL lawyers actually say, but there you are.


This should be added to the post v2.0 upstream copyright file (if you're
using that and update from 2.0) since obviously Debian doesn't subscribe
to the LBNL copyright theory (see also
):

  Files: libexec/docker-import.sh
  Copyright: 2016  Dave Love, University of Liverpool
  License: BSD-3-Clause-LBNL

There are potential security issues in the setuid program, with patches
for v2.0 under
, but it looks
as if more are needed.



Bug#828970: ITP: singularity -- application containerization platform

2016-06-29 Thread Yaroslav Halchenko
Package: wnpp
Severity: wishlist

* Package name: singularity
  Version : 2.0
  Upstream Author : Gregory M. Kurtzer
* URL : http://singularity.lbl.gov
* License : BSD
  Programming Lang: C
  Description : application containerization platform


Singularity is a container platform focused on supporting "Mobility of Compute".
.
Mobility of Compute encapsulates the development to compute model where
developers can work in an environment of their choosing and creation and when
the developer needs additional compute resources, this environment can easily
be copied and executed on other platforms. Additionally as the primary use case
for Singularity is targeted towards computational portability, many of the
barriers to entry of other container solutions do not apply to Singularity
making it an ideal solution for users (both computational and
non-computational) and HPC centers.

Package name (singularity) conflicts with a game package last released in
2011 with notable popcon of 300... so I guess I would need to come up with an
alternative name, e.g.

singularity-containers

Alternative recommendations are welcome!