Re: R packages licensed MIT but not shipping a copy of the MIT license itself

2016-03-22 Thread Charles Plessy 
Le Sun, Mar 20, 2016 at 03:32:01PM +, Mattia Rizzolo a écrit :
> 
> Still, I think the way the R project distributes MIT-licensed stuff is
> not ok.

Hi Mattia,

the R packages distributed on the Comprehensive R Archive Network (CRAN) are
uploaded there by their own authors, therefore I think that even if the MIT
license text is actually missing from the packages, there is no problem that
CRAN distributes them.

Also, please note that R ships a copy of the MIT license; in Debian it is in
`/usr/share/R/share/licenses/MIT`.  So R users have all the information they
need.

Have a nice day,

Charles

-- 
Charles Plessy
Debian Med packaging team,
http://www.debian.org/devel/debian-med
Tsurumi, Kanagawa, Japan

Re: R packages licensed MIT but not shipping a copy of the MIT license itself, Re: R packages licensed MIT but not shipping a copy of the MIT license itself

2016-03-22 Thread Ben Finney 
Mattia Rizzolo  writes:

> On Wed, Mar 23, 2016 at 06:10:57AM +1100, Ben Finney wrote:
> > This issue should be resolved by the upstream distributor, as I
> > agree with you that they are not compliant with the conditions of
> > the license. You may want to have that discussion with them.
>
> I wonder how to contact R people, I've never approached R world
> before.

Nor I. You could start by summarising the issue to the Debian R folks
, and perhaps direct them to our
conclusions.

-- 
 \  “I tell you the truth: this generation will certainly not pass |
  `\   away until all these things [the end of the world] have |
_o__)  happened.” —Jesus, c. 30 CE, as quoted in Matthew 24:34 |
Ben Finney

Re: R packages licensed MIT but not shipping a copy of the MIT license itself, Re: R packages licensed MIT but not shipping a copy of the MIT license itself

2016-03-22 Thread Mattia Rizzolo 
On Wed, Mar 23, 2016 at 06:10:57AM +1100, Ben Finney wrote:
> This issue should be resolved by the upstream distributor, as I agree
> with you that they are not compliant with the conditions of the license.
> You may want to have that discussion with them.

I wonder how to contact R people, I've never approached R world before.
Furthermore, I currently don't have the time, nor the willing force,
needed to carry on a "legal" discussion with an upstream, much less with
whoever maintains the guidelines of such a big world as CRAN.

> I also agree with Paul Wise, that the Debian source package conforms to
> the license conditions (by always including the required text). So any
> redistributor of Debian, or this component from Debian, will by default
> not violate those conditions.

cool.

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
more about me:  http://mapreri.org  : :'  :
Launchpad user: https://launchpad.net/~mapreri  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-


signature.asc
Description: PGP signature

Re: R packages licensed MIT but not shipping a copy of the MIT license itself, Re: R packages licensed MIT but not shipping a copy of the MIT license itself

2016-03-22 Thread Ben Finney 
Mattia Rizzolo  writes:

> On Tue, Mar 22, 2016 at 07:52:18AM +1100, Ben Finney wrote:
> > Mattia Rizzolo  writes:
> > 
> > > What I'm saying is that IMHO the only license requirement (the
> > > second paragraph of it that you reported above, about including
> > > the copyright notice *and* the permission notice in any copy of
> > > the software) is not fulfilled by R packages.
> > 
> > Thanks for clarifying.
> > 
> > Can you point us to a representative source package that you think has
> > this problem?
>
> src:r-cran-praise (as of current version 1.0.0-1) is a good example.

I see. The upstream source does not include the “above copyright notice
and this permission notice” as required by the license conditions.

That is a violation of the license conditions, I agree.

> As also pabs said [1] we should be good enough, but I'd prefer we
> could drop the enough here.
>
> [1] https://lists.debian.org/debian-legal/2016/03/msg00067.html

This issue should be resolved by the upstream distributor, as I agree
with you that they are not compliant with the conditions of the license.
You may want to have that discussion with them.

I also agree with Paul Wise, that the Debian source package conforms to
the license conditions (by always including the required text). So any
redistributor of Debian, or this component from Debian, will by default
not violate those conditions.

-- 
 \   “bash awk grep perl sed, df du, du-du du-du, vi troff su fsck |
  `\ rm * halt LART LART LART!” —The Swedish BOFH, |
_o__)alt.sysadmin.recovery |
Ben Finney

Re: R packages licensed MIT but not shipping a copy of the MIT license itself, Re: R packages licensed MIT but not shipping a copy of the MIT license itself

2016-03-22 Thread Mattia Rizzolo 
[you forgot to CC me on this, anyway, I temporarly subscribed d-legal@]

On Tue, Mar 22, 2016 at 07:52:18AM +1100, Ben Finney wrote:
> Mattia Rizzolo  writes:
> 
> > Yes, I see how the MIT license is DFSG-free.  What I'm saying is that
> > IMHO the only license requirement (the second paragraph of it that you
> > reported above, about including the copyright notice *and* the
> > permission notice in any copy of the software) is not fulfilled by R
> > packages.
> 
> Thanks for clarifying.
> 
> Can you point us to a representative source package that you think has
> this problem?

src:r-cran-praise (as of current version 1.0.0-1) is a good example.

As also pabs said [1] we should be good enough, but I'd prefer we could
drop the enough here.

[1] https://lists.debian.org/debian-legal/2016/03/msg00067.html

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
more about me:  http://mapreri.org  : :'  :
Launchpad user: https://launchpad.net/~mapreri  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-


signature.asc
Description: PGP signature

Re: R packages licensed MIT but not shipping a copy of the MIT license itself, Re: R packages licensed MIT but not shipping a copy of the MIT license itself

2016-03-21 Thread Ben Finney 
Mattia Rizzolo  writes:

> Yes, I see how the MIT license is DFSG-free.  What I'm saying is that
> IMHO the only license requirement (the second paragraph of it that you
> reported above, about including the copyright notice *and* the
> permission notice in any copy of the software) is not fulfilled by R
> packages.

Thanks for clarifying.

Can you point us to a representative source package that you think has
this problem?

-- 
 \ “God was invented to explain mystery. God is always invented to |
  `\ explain those things that you do not understand.” —Richard P. |
_o__)Feynman, 1988 |
Ben Finney

Re: R packages licensed MIT but not shipping a copy of the MIT license itself, Re: R packages licensed MIT but not shipping a copy of the MIT license itself

2016-03-21 Thread Mattia Rizzolo 
On Mon, Mar 21, 2016 at 04:28:30PM +1100, Ben Finney wrote:
> Mattia Rizzolo  writes:
> > Based on http://opensource.org/licenses/MIT
> >
> > This is a template. Complete and ship as file LICENSE the following 2
> > lines (only)
> >
> > YEAR:
> > COPYRIGHT HOLDER: 
> >
> > and specify as
> >
> > License: MIT + file LICENSE
> >
> > Copyright (c) , 
> 
> I don't think any of the above text implies a *requirement* on the
> recipient of the license.

even if it mayb not be a requirement it is still followed.

> Indeed, the license grant begins at the standard “MIT” (which is
> Expat-equivalent) permission grant:
> >
> 
> > a copy of this software and associated documentation files (the
> > "Software"), to deal in the Software without restriction, including
> > without limitation the rights to use, copy, modify, merge, publish,
> > distribute, sublicense, and/or sell copies of the Software, and to
> > permit persons to whom the Software is furnished to do so, subject to
> > the following conditions:
> >
> > The above copyright notice and this permission notice shall be
> > included in all copies or substantial portions of the Software.
> 
> That alone grants all the DFSG-conformant freedoms. I don't think
> anything else in the text is rightly interpreted to restrict those
> freedoms in any way.

Yes, I see how the MIT license is DFSG-free.  What I'm saying is that
IMHO the only license requirement (the second paragraph of it that you
reported above, about including the copyright notice *and* the
permission notice in any copy of the software) is not fulfilled by R
packages.

> It would be better if the guidelines were more clearly phrased to be
> guidance for *how* to apply the license; as it is, they are terse and
> too easily misread. But I think a careful reading would not imply any
> extra restriction on the license recipient.

I haven't read any extra restriction, what I read is that this "how to
apply the license" breaks the license requirements.

> So in my opinion, this is just a clumsy way to present a page that
> nevertheless is an explicit grant of the standard Expat license
> conditions in a work.
> 
> In short: this does not IMO disqualify the work from conforming to the
> DFSG.

but IMO it disqualifies the work from conforming to the MIT
requirements.

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
more about me:  http://mapreri.org  : :'  :
Launchpad user: https://launchpad.net/~mapreri  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-


signature.asc
Description: PGP signature

Re: R packages licensed MIT but not shipping a copy of the MIT license itself, Re: R packages licensed MIT but not shipping a copy of the MIT license itself

2016-03-20 Thread Ben Finney 
Mattia Rizzolo  writes:

> So, today I discovered [0] that R-project has some polices regarding
> licenses [1].  In particular they have one regarding the MIT license
> [2].  This needs to go together with their extensions manuals [3].
>
> Read together they say that if you have an R module you want to license
> under MIT (which is really Expat) you have to:

I think the wording is ambiguous.

At the  there are no
requirements, and no license grants at all, for the dozen license names
listed. It simply states that those licenses are “in use” for the code
base.

Then some statements that R and some specific parts are “licensed
under”, or “distributed under”, specific named license conditions. Those
could be taken as grant of license as specified in those texts (the GPL
v2, the GPL v3, the LGPL v2.1), since they all give explicit freedom to
do all the actions needed for DFSG freedom.

So the issue you raise would turn on what restrictions are implied by
the earlier listed license pages.

For the “MIT License” page, we have:

> Based on http://opensource.org/licenses/MIT
>
> This is a template. Complete and ship as file LICENSE the following 2
> lines (only)
>
> YEAR:
> COPYRIGHT HOLDER: 
>
> and specify as
>
> License: MIT + file LICENSE
>
> Copyright (c) , 

I don't think any of the above text implies a *requirement* on the
recipient of the license.

Indeed, the license grant begins at the standard “MIT” (which is
Expat-equivalent) permission grant:
>

> a copy of this software and associated documentation files (the
> "Software"), to deal in the Software without restriction, including
> without limitation the rights to use, copy, modify, merge, publish,
> distribute, sublicense, and/or sell copies of the Software, and to
> permit persons to whom the Software is furnished to do so, subject to
> the following conditions:
>
> The above copyright notice and this permission notice shall be
> included in all copies or substantial portions of the Software.

That alone grants all the DFSG-conformant freedoms. I don't think
anything else in the text is rightly interpreted to restrict those
freedoms in any way.

It would be better if the guidelines were more clearly phrased to be
guidance for *how* to apply the license; as it is, they are terse and
too easily misread. But I think a careful reading would not imply any
extra restriction on the license recipient.

So in my opinion, this is just a clumsy way to present a page that
nevertheless is an explicit grant of the standard Expat license
conditions in a work.

In short: this does not IMO disqualify the work from conforming to the
DFSG.

Thank you for taking software freedom seriously for Debian recipients.

-- 
 \“If it ain't bust don't fix it is a very sound principle and |
  `\  remains so despite the fact that I have slavishly ignored it |
_o__) all my life.” —Douglas Adams |
Ben Finney

Re: R packages licensed MIT but not shipping a copy of the MIT license itself

2016-03-20 Thread Ben Finney 
Mattia Rizzolo  writes:

> [ please CC me as I'm not in d-legal@ ]

Done.

> So, today I discovered [0] that R-project has some polices regarding
> licenses [1].  In particular they have one regarding the MIT license
> [2].  This needs to go together with their extensions manuals [3].

Thanks for raising our attention to those.

For reference, so that we can see the text in the context of this
discussion, here is the text in question.

At  is the following text:

=
R Licenses

The following licenses are in use for R or associated software such as
packages.

The “GNU Affero General Public License” version 3
The “Artistic License” version 2.0
The “BSD 2-clause License”
The “BSD 3-clause License”
The “GNU General Public License” version 2
The “GNU General Public License” version 3
The “GNU Library General Public License” version 2
The “GNU Lesser General Public License” version 2.1
The “GNU Lesser General Public License” version 3
The “MIT License”
The “Creative Commons Attribution-ShareAlike International License”
version 4.0

R as a package is licensed under GPL-2 | GPL-3. File doc/COPYING is the
same as GPL-2.

Some files are licensed under ‘GPL (version 2 or later)’, which includes
GPL-3. See the comments in the files to see if this applies.

Some header files are distributed under LGPL-2.1: see file COPYRIGHTS
(on the SVN server).
=

Each of the named licenses is a link to another page.

At “MIT License” is a link to 
which reads:

=
Based on http://opensource.org/licenses/MIT

This is a template. Complete and ship as file LICENSE the following 2
lines (only)

YEAR:
COPYRIGHT HOLDER: 

and specify as

License: MIT + file LICENSE

Copyright (c) , 

Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:

The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
=

-- 
 \  “What I have to do is see, at any rate, that I do not lend |
  `\  myself to the wrong which I condemn.” —Henry Thoreau, _Civil |
_o__)Disobedience_ |
Ben Finney

Re: R packages licensed MIT but not shipping a copy of the MIT license itself

2016-03-20 Thread Mattia Rizzolo 
On Sun, Mar 20, 2016 at 12:07:06PM -0400, Paul R. Tagliamonte wrote:
> FWIW, I've been rejecting them where I see them. Mind filing serious bugs
> on those 11?

Incidentally I have sponsored one of those this morning (assuming it was
fine given that I found so many examples in the archive), and there are
2 more in the RFS queue.

Do you mind rejecting it in this case?  source is r-cran-r6 (please
write something meaningful on the reject notice, so that the sponsoree
(which is the same of the other 2) will get some more background).

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
more about me:  http://mapreri.org  : :'  :
Launchpad user: https://launchpad.net/~mapreri  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-


signature.asc
Description: PGP signature

Re: R packages licensed MIT but not shipping a copy of the MIT license itself

2016-03-20 Thread Paul R. Tagliamonte 
FWIW, I've been rejecting them where I see them. Mind filing serious bugs
on those 11?

Paul
On Mar 20, 2016 11:32 AM, "Mattia Rizzolo"  wrote:

> [ please CC me as I'm not in d-legal@ ]
>
> So, today I discovered [0] that R-project has some polices regarding
> licenses [1].  In particular they have one regarding the MIT license
> [2].  This needs to go together with their extensions manuals [3].
>
> Read together they say that if you have an R module you want to license
> under MIT (which is really Expat) you have to:
>
> * Add a line with "License: MIT + file LICENSE" in the DESCRIPTION file
> * Add a LICENSE file with only (and they are explicit on the "only") 2
>   lines:
> YEAR: 
> COPYRIGHT HOLDER: 
>
> period.
>
> Now, the Expat/MIT license (in particular the one present at [2] have
> quite a clear statement:
>
> The above copyright notice and this permission notice shall be
> included in all copies or substantial portions of the Software.
>
> that requires the whole MIT license to be reported verbatim in every
> release and copy of code covered by it.
> But according to the R policy, R extensions do not, and the only
> reference to the MIT license is the single word "MIT" in the DESCRIPTION
> file.
>
> This seems to have been accepted by the ftp-masters, as there are at
> least 11 packages [4] in this condition already in the archive.  I
> should admin that with our packaging the distribution of these piece of
> software is ok, as we add a copy of license in the debian copyright
> file.
>
> Still, I think the way the R project distributes MIT-licensed stuff is
> not ok.
>
> What do you think?  Am I seeing a problem that actually isn't?
>
> Thanks in advance.
>
>
>
> [0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818622#25
> [1] https://www.r-project.org/Licenses/
> [2] https://www.r-project.org/Licenses/MIT
> [3] https://cran.r-project.org/doc/manuals/r-release/R-exts.html#Licensing
> [4] found by looking up 'path:debian/copyright License: MIT' in
> codesearch.d.n and grepping the results for packages named /r-cran/
>
> --
> regards,
> Mattia Rizzolo
>
> GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
> more about me:  http://mapreri.org  : :'  :
> Launchpad user: https://launchpad.net/~mapreri  `. `'`
> Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
>

R packages licensed MIT but not shipping a copy of the MIT license itself

2016-03-20 Thread Mattia Rizzolo 
[ please CC me as I'm not in d-legal@ ]

So, today I discovered [0] that R-project has some polices regarding
licenses [1].  In particular they have one regarding the MIT license
[2].  This needs to go together with their extensions manuals [3].

Read together they say that if you have an R module you want to license
under MIT (which is really Expat) you have to:

* Add a line with "License: MIT + file LICENSE" in the DESCRIPTION file
* Add a LICENSE file with only (and they are explicit on the "only") 2
  lines:
YEAR: 
COPYRIGHT HOLDER: 

period.

Now, the Expat/MIT license (in particular the one present at [2] have
quite a clear statement:

The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.

that requires the whole MIT license to be reported verbatim in every
release and copy of code covered by it.
But according to the R policy, R extensions do not, and the only
reference to the MIT license is the single word "MIT" in the DESCRIPTION
file.

This seems to have been accepted by the ftp-masters, as there are at
least 11 packages [4] in this condition already in the archive.  I
should admin that with our packaging the distribution of these piece of
software is ok, as we add a copy of license in the debian copyright
file.

Still, I think the way the R project distributes MIT-licensed stuff is
not ok.

What do you think?  Am I seeing a problem that actually isn't?

Thanks in advance.



[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818622#25
[1] https://www.r-project.org/Licenses/
[2] https://www.r-project.org/Licenses/MIT
[3] https://cran.r-project.org/doc/manuals/r-release/R-exts.html#Licensing
[4] found by looking up 'path:debian/copyright License: MIT' in
codesearch.d.n and grepping the results for packages named /r-cran/

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
more about me:  http://mapreri.org  : :'  :
Launchpad user: https://launchpad.net/~mapreri  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-


signature.asc
Description: PGP signature