Re: Built-Using usage question

2017-12-31 Thread Russ Allbery 
Lukas Schwaighofer  writes:

> Ok, I expected as much.  Any suggestions on where to put that?
> /usr/share/doc/syslinux-efi/copyright seems like the obvious place (and
> is mandated by policy §12.5) but if I understand the machine readable
> format correctly, it doesn't support my use-case at all (since there are
> no files in the source package that can be matched).

Yeah, I don't think the machine-readable format really anticipated this.
This might be a good use case for just not using that format for this
package.  But also feel free to open a bug against debian-policy to come
up with some better approach for representing this sort of information.

(This somewhat ties into the long-standing argument over whether
debian/copyright should document the copyright and license of the
artifacts in the binary package, or the files in the source package.)

One interesting alternative approach (although this is not the way this
usually works, so you'll be swimming upstream against the tools) is to
only document the contents of your package in debian/copyright, but
install a separate copyright file into the built binary package that
documents the copyright and license of the artifacts in that package
(including the information for syslinux-efi).

> Also this could also be a more systematic problem.  At least when
> looking quickly at some of the other packages which build-depend on
> gnu-efi, I couldn't see them reproducing the copyright notice in the
> binary package either (I did not check thoroughly though).

My guess is that most people don't think of it, and it's also very
unlikely that anyone is going to sue over it or anything.  But to be fully
in compliance with the license, I do think the resulting binary package
needs a copy of that license.

> Do you think it's possible to apply some sort of automated solution to
> the problem?  I could think of a "built-using" support in debhelper that
> will not only add the built-using header but also copy the (complete)
> copyright file from the included package into the including binary
> package somewhere in /usr/share/doc/$package. While it will waste some
> space (and duplicate files), it will also make sure that we correctly
> follow any copyright changes without requiring the package maintainers
> to manually track them.

Yes, this does seem like a good idea to me.

-- 
Russ Allbery (r...@debian.org)

Re: Built-Using usage question

2017-12-31 Thread Lukas Schwaighofer 
Hi,

On Sat, 30 Dec 2017 19:42:01 -0800
Russ Allbery  wrote:

> I don't think you need to change anything about Built-Using.  That
> seems like exactly the sort of reason anticipated by DFSG
> compliance.  The clarification in Policy is because the previous
> wording would have required literally every program in the archive
> written in C to declare Built-Using against the version of GCC used
> to build them because of the nature of libgcc, and at the request of
> the release team to not use Built-Using for library update purposes.

Thanks for clarifying, I'll leave that as is then.

> > While thinking about the above problem I noticed something else
> > which brings me to my second question:  Parts of gnu-efi are
> > covered by the BSD-3-clause license.  In order to satisfy the
> > second clause (“Redistributions in binary form must reproduce the
> > above copyright notice […]”) do I need to somehow include the
> > debian/copyright file from gnu-efi in the syslinux-efi binary
> > package?  
> 
> Yes, or at least the portions relevant to the code that's being
> statically linked.  The resulting binary is a derivative work of the
> syslinux-efi package, so you need to follow its license.

Ok, I expected as much.  Any suggestions on where to put that?
/usr/share/doc/syslinux-efi/copyright seems like the obvious place (and
is mandated by policy §12.5) but if I understand the machine readable
format correctly, it doesn't support my use-case at all (since there are
no files in the source package that can be matched).


Also this could also be a more systematic problem.  At least when
looking quickly at some of the other packages which build-depend on
gnu-efi, I couldn't see them reproducing the copyright notice in the
binary package either (I did not check thoroughly though).

Do you think it's possible to apply some sort of automated solution to
the problem?  I could think of a "built-using" support in debhelper
that will not only add the built-using header but also copy the
(complete) copyright file from the included package into the
including binary package somewhere in /usr/share/doc/$package . While
it will waste some space (and duplicate files), it will also make sure
that we correctly follow any copyright changes without requiring the
package maintainers to manually track them.

Thanks
Lukas

Re: Built-Using usage question

2017-12-30 Thread Russ Allbery 
Paul Wise  writes:

> Personally, I feel this change to policy is a mistake.

Alternative proposals that achieve the goal of not adding Built-Using
fields to the entire archive are welcome.

-- 
Russ Allbery (r...@debian.org)

Re: Built-Using usage question

2017-12-30 Thread Russ Allbery 
Lukas Schwaighofer  writes:

> The syslinux-efi binary package contains parts of the gnu-efi package
> due to static linking. I believe that, independent of the license
> question, in order to satisfy DFSG §2 (“The program must include source
> code, […]”) I need to keep using the Built-Using control field.
> Especially since it's conceivable that a new version of gnu-efi breaks
> compatibility with some specific efi implementation.  However, on a
> technical level, I don't really see the difference between my case and
> linking against glibc, which according to the debian-policy bug used to
> discuss this change [1] should not use the Built-Using field.

I don't think you need to change anything about Built-Using.  That seems
like exactly the sort of reason anticipated by DFSG compliance.  The
clarification in Policy is because the previous wording would have
required literally every program in the archive written in C to declare
Built-Using against the version of GCC used to build them because of the
nature of libgcc, and at the request of the release team to not use
Built-Using for library update purposes.

> While thinking about the above problem I noticed something else which
> brings me to my second question:  Parts of gnu-efi are covered by the
> BSD-3-clause license.  In order to satisfy the second clause
> (“Redistributions in binary form must reproduce the above copyright
> notice […]”) do I need to somehow include the debian/copyright file from
> gnu-efi in the syslinux-efi binary package?

Yes, or at least the portions relevant to the code that's being statically
linked.  The resulting binary is a derivative work of the syslinux-efi
package, so you need to follow its license.

-- 
Russ Allbery (r...@debian.org)

Re: Built-Using usage question

2017-12-30 Thread Paul Wise 
On Sat, Dec 30, 2017 at 10:49 PM, Lukas Schwaighofer wrote:

> I read the update in policy 4.1.3 and I'm not sure how to handle the
> change / clarification of the Built-Using control field for the
> syslinux package (which I maintain in the debian-cd team).

I suggest you ask this question on the debian-policy list.

Personally, I feel this change to policy is a mistake.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise