Bug#979098: Legally problematic GPL-3+ readline dependency

2021-10-06 Thread Rhonda D'Vine
Control: severity -1 wishlist

* Bastian Germann  [2021-10-06 22:41:33 CEST]:
> Control: severity -1 minor
> 
> On 06.10.21 at 22:30, Rhonda D'Vine wrote:
> >> "All files in this distribution are released under GNU GENERAL PUBLIC
> >> LICENSE. See COPYING for details."
> > 
> >  Right.  It doesn't specify a version.  And this is the core point, and
> > the reference to the COPYING file is clear on that grounds too.
> >  The COPYING file specifically does have the "or later" clause in it.
> 
> The COPYING file is the standard GPLv2. Yes, in the license template at
> the end it specifies "or later" but that is a suggestion how to apply
> the license. In the TERMS AND CONDITIONS no. 9, it says: "If the
> Program does not specify a version number of this License, you may
> choose any version ever published by the Free Software Foundation."

 Exactly that: The program didn't choose a version number.  This isn't
even ambiguous, this is a very clear case covered in the license.  So I
am a bit worried in how you managed to interpret that as a license
violation in the first place.

> So it does not specify "or later" but also no version. Combined with the
> few imported files that are GPL-2+, it is fair to say, the complete
> program is GPL-2+. But that is not a trivial derivation.

 But it is.  No version means any.  Which is compatible with GPL-2+
work.  Which makes the whole work GPL-2+.

> No specific agenda, just keeping Debian on the legally distributable
> side. So, just keep the libreadline.

 It always was legally distributable as it is.
Rhonda
-- 
Fühlst du dich mutlos, fass endlich Mut, los  |
Fühlst du dich hilflos, geh raus und hilf, los| Wir sind Helden
Fühlst du dich machtlos, geh raus und mach, los   | 23.55: Alles auf Anfang
Fühlst du dich haltlos, such Halt und lass los|



Bug#979098: Legally problematic GPL-3+ readline dependency

2021-10-06 Thread Bastian Germann
Control: severity -1 minor

On 06.10.21 at 22:30, Rhonda D'Vine wrote:
>  Hi again.
> 
> * Bastian Germann  [2021-10-06 23:58:41 CEST]:
>> On 06.10.21 at 21:34, Rhonda D'Vine wrote:
>>>  Are you reading the debian/copyright file correctly?  Yes, it says
>>> "License: GPL-2" but AIUI that is just a reference indicator, and the
>>> long paragraph below that is the relevant one.  And that clearly states
>>> "or later", and it's the only explanation for the GPL-2 tag in there.
>>
>> Where in the upstream source do you take the "or later" clause from?
>> There are some files that have this in the license header but these are
>> all files that stem from other projects, e.g. the getopt* files.
>>
>> The original abook files do not specify a GPL version in their headers
>> and the README says:
>>
>> "All files in this distribution are released under GNU GENERAL PUBLIC
>> LICENSE. See COPYING for details."
> 
>  Right.  It doesn't specify a version.  And this is the core point, and
> the reference to the COPYING file is clear on that grounds too.
> 
>> Since COPYING is version 2 there is no reason to assume an "or later"
>> clause applies to the project in its entirety.
> 
>  The COPYING file specifically does have the "or later" clause in it.

The COPYING file is the standard GPLv2. Yes, in the license template at
the end it specifies "or later" but that is a suggestion how to apply
the license. In the TERMS AND CONDITIONS no. 9, it says: "If the
Program does not specify a version number of this License, you may
choose any version ever published by the Free Software Foundation."

So it does not specify "or later" but also no version. Combined with the
few imported files that are GPL-2+, it is fair to say, the complete
program is GPL-2+. But that is not a trivial derivation.

> 
>>>  I understand where you are coming from, and I agree, it can be improved
>>> to directly read GPL-2+ -- but to the best of my understanding the
>>> copyright file is clear on that.
>>
>> The outcome should be removing "or later", not adding "+".
> 
>  So your preferred outcome is to misinterpret what is in there and
> interpret it as being an issue without knowing the upstream
> developer(s), while things speak about something different, and always
> have?  What is your agenda with this?

No specific agenda, just keeping Debian on the legally distributable
side. So, just keep the libreadline.



Bug#979098: Legally problematic GPL-3+ readline dependency

2021-10-06 Thread Rhonda D'Vine
 Hi again.

* Bastian Germann  [2021-10-06 23:58:41 CEST]:
> On 06.10.21 at 21:34, Rhonda D'Vine wrote:
> >  Are you reading the debian/copyright file correctly?  Yes, it says
> > "License: GPL-2" but AIUI that is just a reference indicator, and the
> > long paragraph below that is the relevant one.  And that clearly states
> > "or later", and it's the only explanation for the GPL-2 tag in there.
> 
> Where in the upstream source do you take the "or later" clause from?
> There are some files that have this in the license header but these are
> all files that stem from other projects, e.g. the getopt* files.
> 
> The original abook files do not specify a GPL version in their headers
> and the README says:
> 
> "All files in this distribution are released under GNU GENERAL PUBLIC
> LICENSE. See COPYING for details."

 Right.  It doesn't specify a version.  And this is the core point, and
the reference to the COPYING file is clear on that grounds too.

> Since COPYING is version 2 there is no reason to assume an "or later"
> clause applies to the project in its entirety.

 The COPYING file specifically does have the "or later" clause in it.

> >  I understand where you are coming from, and I agree, it can be improved
> > to directly read GPL-2+ -- but to the best of my understanding the
> > copyright file is clear on that.
> 
> The outcome should be removing "or later", not adding "+".

 So your preferred outcome is to misinterpret what is in there and
interpret it as being an issue without knowing the upstream
developer(s), while things speak about something different, and always
have?  What is your agenda with this?

 Thanks,
Rhonda
-- 
Fühlst du dich mutlos, fass endlich Mut, los  |
Fühlst du dich hilflos, geh raus und hilf, los| Wir sind Helden
Fühlst du dich machtlos, geh raus und mach, los   | 23.55: Alles auf Anfang
Fühlst du dich haltlos, such Halt und lass los|



Bug#979098: Legally problematic GPL-3+ readline dependency

2021-10-06 Thread Bastian Germann
On 06.10.21 at 21:34, Rhonda D'Vine wrote:
>  Are you reading the debian/copyright file correctly?  Yes, it says
> "License: GPL-2" but AIUI that is just a reference indicator, and the
> long paragraph below that is the relevant one.  And that clearly states
> "or later", and it's the only explanation for the GPL-2 tag in there.

Where in the upstream source do you take the "or later" clause from?
There are some files that have this in the license header but these are
all files that stem from other projects, e.g. the getopt* files.

The original abook files do not specify a GPL version in their headers
and the README says:

"All files in this distribution are released under GNU GENERAL PUBLIC
LICENSE. See COPYING for details."

Since COPYING is version 2 there is no reason to assume an "or later"
clause applies to the project in its entirety.

>  I understand where you are coming from, and I agree, it can be improved
> to directly read GPL-2+ -- but to the best of my understanding the
> copyright file is clear on that.

The outcome should be removing "or later", not adding "+".

>  Thus wishlist, I will add the + in there for making it extra clear, but
> the way it currently is _is_ already "gpl-2 or later" licensed, so this
> is clearly not of release-critical severity, rather a cosmetic thing.



Bug#979098: Legally problematic GPL-3+ readline dependency

2021-10-06 Thread Rhonda D'Vine
Severity: wishlist

* Bastian Germann  [2021-10-06 19:38:07 CEST]:
> Severity: serious

 Please don't severity bump this, specifically since I don't see how you
want to justify it.

> On Sat, 2 Jan 2021 18:46:04 +0100 Bastian Germann wrote:
> > Package: abook
> > Severity: important
> > 
> > This package depends on libreadline8 which is GPL-3+ licensed. According
> > to debian/copyright parts of your package are GPL-2-only licensed. If
> > that is also (transitively) the case for the binaries that link with
> > libreadline.so.8 it might be legally problematic (see
> > https://www.gnu.org/licenses/gpl-faq.html#AllCompatibility).
> > 
> > There is an easy solution to the problem: Replacing the build dependency
> > libreadline-dev with libreadline-gplv2-dev links with the GPL-2+
> > licensed older version. However, that is orphaned in Debian, so
> > libeditreadline-dev should be preferred, which does not compile with
> > your package without any patch. It links with the BSD-licensed libedit
> > library which is a readline replacement.
> 
> Please fix the dependency or fix the d/copyright file if the "or later"
> clause applies to all the GPL-2 files.

 Are you reading the debian/copyright file correctly?  Yes, it says
"License: GPL-2" but AIUI that is just a reference indicator, and the
long paragraph below that is the relevant one.  And that clearly states
"or later", and it's the only explanation for the GPL-2 tag in there.

 I understand where you are coming from, and I agree, it can be improved
to directly read GPL-2+ -- but to the best of my understanding the
copyright file is clear on that.

 Thus wishlist, I will add the + in there for making it extra clear, but
the way it currently is _is_ already "gpl-2 or later" licensed, so this
is clearly not of release-critical severity, rather a cosmetic thing.

 Thanks,
Rhonda
-- 
Fühlst du dich mutlos, fass endlich Mut, los  |
Fühlst du dich hilflos, geh raus und hilf, los| Wir sind Helden
Fühlst du dich machtlos, geh raus und mach, los   | 23.55: Alles auf Anfang
Fühlst du dich haltlos, such Halt und lass los|



Bug#979098: Legally problematic GPL-3+ readline dependency

2021-10-06 Thread Bastian Germann

Severity: serious

On Sat, 2 Jan 2021 18:46:04 +0100 Bastian Germann wrote:

Package: abook
Severity: important

This package depends on libreadline8 which is GPL-3+ licensed. According 
to debian/copyright parts of your package are GPL-2-only licensed. If 
that is also (transitively) the case for the binaries that link with 
libreadline.so.8 it might be legally problematic (see 
https://www.gnu.org/licenses/gpl-faq.html#AllCompatibility).


There is an easy solution to the problem: Replacing the build dependency 
libreadline-dev with libreadline-gplv2-dev links with the GPL-2+ 
licensed older version. However, that is orphaned in Debian, so 
libeditreadline-dev should be preferred, which does not compile with 
your package without any patch. It links with the BSD-licensed libedit 
library which is a readline replacement.


Please fix the dependency or fix the d/copyright file if the "or later" clause applies to 
all the GPL-2 files.




Bug#979098: Legally problematic GPL-3+ readline dependency

2021-01-02 Thread Bastian Germann

Package: abook
Severity: important

This package depends on libreadline8 which is GPL-3+ licensed. According 
to debian/copyright parts of your package are GPL-2-only licensed. If 
that is also (transitively) the case for the binaries that link with 
libreadline.so.8 it might be legally problematic (see 
https://www.gnu.org/licenses/gpl-faq.html#AllCompatibility).


There is an easy solution to the problem: Replacing the build dependency 
libreadline-dev with libreadline-gplv2-dev links with the GPL-2+ 
licensed older version. However, that is orphaned in Debian, so 
libeditreadline-dev should be preferred, which does not compile with 
your package without any patch. It links with the BSD-licensed libedit 
library which is a readline replacement.