Re: [openstack-dev] [PKG-Openstack-devel][horizon][xstatic] XStatic-Angular-Bootstrap in violation of the MIT/Expat license (forwarded from: python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes R

2015-05-06 Thread Thomas Goirand



On 05/05/2015 05:05 PM, Michael Krotscheck wrote:

> The real question seems to be whether packagers have a disproportionate
> amount of power to set development goals, tools, and policy. This is a
> common theme that I've encountered frequently, and it leads to no small
> amount of tension.
>
> This tension serves no-one, and really just causes all of us stress. How
> about we start a separate thread to discuss the roles of package
> maintainers in OpenStack?
>
> Michael


Mostly, everyone has been super friendly in the OpenStack community, and
reactions are almost always very constructive, plus my concerns are
almost always addressed (and when they are not, either there's a real
reason why, or it's hard to do). I haven't felt tension so much as
you're claiming, apart maybe with a very low amount of individuals, but
that's unavoidable in such a large community.


Thomas

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [PKG-Openstack-devel][horizon][xstatic] XStatic-Angular-Bootstrap in violation of the MIT/Expat license (forwarded from: python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes R

2015-05-05 Thread Michael Krotscheck
On Tue, May 5, 2015 at 1:32 AM Matthias Runge mru...@redhat.com wrote:

> On 05/05/15 04:31, Ian Cordasco wrote:
>
>> Even so, Horizon is deployed in many places, and given the reliability of
>> system packages, it’s increasingly deployed from source.
>
> Ok, I'll bite.
>
> You surely have a source for your statement, or even better, a proof?


In the interest of open data, I'll answer this, using basic data extracted
from the Paris User Survey. For the sake of simplicity, I'm only going to
focus on production deployments of openstack, and I'm going to make the
assumption that if a tool is referenced, the official openstack version of
it was used. Here's the link, if you'd like to follow along:

http://superuser.openstack.org/articles/openstack-user-survey-insights-november-2014

As of Paris, the following tools were used to deploy openstack-dashboard in
production.  I've called out which of these are actually a source install,
and which of them are not. I've also skipped the two 1%'ers, because I
don't know those tools well enough to figure out if they're source.

Tool       Percentage  Is Source?  Is Package?
Puppet     45%         No          Yes
Chef       20%         No          Yes
Ansible    21%         No          Yes
DevStack   7%          Yes         No
PackStack  8%          No          Yes
Salt       8%          No          Yes
Juju       7%          No          Yes

As you can see, the majority of the tools that we publish install via
packages. Note that this data _cannot_ be used to infer an argument as to
whether source or packages are used more often, for the following reasons:

   1. The actual percentages from the survey add up to 118%.
   2. Install from Source did not appear to be an option.
   3. We are unable to determine the size of the cloud, thus providing a
   'weight' to each install method.
   4. We do not know whether every one of these respondents actually
   install horizon.

In short: We don't have data to support either side of this argument,
though there is a strong case that packages are the de-facto install method.

If I can editorialize for a second and read subtext into what Ian's saying:
The real question seems to be whether packagers have a disproportionate
amount of power to set development goals, tools, and policy. This is a
common theme that I've encountered frequently, and it leads to no small
amount of tension.

This tension serves no-one, and really just causes all of us stress. How
about we start a separate thread to discuss the roles of package
maintainers in OpenStack?

Michael


Re: [openstack-dev] [PKG-Openstack-devel][horizon][xstatic] XStatic-Angular-Bootstrap in violation of the MIT/Expat license (forwarded from: python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes R

2015-05-05 Thread Fox, Kevin M
http://programmers.stackexchange.com/questions/45033/can-i-minify-javascript-that-requires-copyright-notice

Thanks,
Kevin

From: Matthias Runge [mru...@redhat.com]
Sent: Monday, May 04, 2015 11:17 PM
To: openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] [PKG-Openstack-devel][horizon][xstatic] 
XStatic-Angular-Bootstrap in violation of the MIT/Expat license (forwarded 
from: python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes REJECTED)

On 05/05/15 05:29, Robert Collins wrote:

>> Probably, but it's legally wrong (ie: worst case, you can be sued) to leave
>> a package which is in direct violation of the license of things it contains.
>
> So, we shouldn't use angular at all then, because as a js framework it's
> distributed to users when they use the website, but the license file
> isn't included in that distribution.
Would be good to get a legal position on this.

If we're not allowed to use angular (and anybody else), I wonder how
anyone could use it (following above logic)

Angular.js is licensed under MIT License [1],[2]:

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.


question is, if our use of angular is a substantial portion of this
software.


Matthias

[1] https://angularjs.org/
[2] https://github.com/angular/angular.js/blob/master/LICENSE



Re: [openstack-dev] [PKG-Openstack-devel][horizon][xstatic] XStatic-Angular-Bootstrap in violation of the MIT/Expat license (forwarded from: python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes R

2015-05-05 Thread Robert Collins
On 5 May 2015 at 18:17, Matthias Runge mru...@redhat.com wrote:
> On 05/05/15 05:29, Robert Collins wrote:
>
>>> Probably, but it's legally wrong (ie: worst case, you can be sued) to leave
>>> a package which is in direct violation of the license of things it contains.
>>
>> So, we shouldn't use angular at all then, because as a js framework it's
>> distributed to users when they use the website, but the license file
>> isn't included in that distribution.
>
> Would be good to get a legal position on this.
>
> If we're not allowed to use angular (and anybody else), I wonder how anyone
> could use it (following above logic)

Let's take a sensible, pragmatic approach here.

Firstly, upload a new tarball to pypi (a point release, not a postN
release - for uninteresting reasons pbr 0.10 produced postN versions
for local commits, and thus any postN version is not guaranteed to be
unique).

Secondly, reference that in a stable branch update to
global-requirements and horizon. That's easy enough.

Thirdly, once our users have had time to update to the next point
release of Horizon - say 3 months - delete the file that's missing its
license statement from PyPI: upstream git has a LICENSE file, so we
are clearly not representing them well by distributing a package
without it. There's absolutely no reason to rush: if upstream were
license pedants, they would not have chosen the license they did
(because of its obvious incompatibility with js minification).

The incompatibility that I refer to is potentially serious, since a
license pedant can trivially take the position I put forward above,
but since we can reasonably assume upstream want their code to be
used, I think it should be treated as a linter warning, not a fatal
error, and we should take a gentle non-contentious approach to
discussing it with them. angular-bootstrap only! has 190 committers,
angular has 1200 committers:- any rectification, even a simple rider
added to the repo, is likely to take time due to the lovely way
copyright intertwines on these things.

-Rob

-- 
Robert Collins rbtcoll...@hp.com
Distinguished Technologist
HP Converged Cloud



Re: [openstack-dev] [PKG-Openstack-devel][horizon][xstatic] XStatic-Angular-Bootstrap in violation of the MIT/Expat license (forwarded from: python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes R

2015-05-05 Thread Matthias Runge

On 05/05/15 05:29, Robert Collins wrote:


>> Probably, but it's legally wrong (ie: worst case, you can be sued) to leave
>> a package which is in direct violation of the license of things it contains.
>
> So, we shouldn't use angular at all then, because as a js framework it's
> distributed to users when they use the website, but the license file
> isn't included in that distribution.

Would be good to get a legal position on this.

If we're not allowed to use angular (and anybody else), I wonder how 
anyone could use it (following above logic)


Angular.js is licensed under MIT License [1],[2]:

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.


question is, if our use of angular is a substantial portion of this
software.



Matthias

[1] https://angularjs.org/
[2] https://github.com/angular/angular.js/blob/master/LICENSE



Re: [openstack-dev] [PKG-Openstack-devel][horizon][xstatic] XStatic-Angular-Bootstrap in violation of the MIT/Expat license (forwarded from: python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes R

2015-05-05 Thread Thomas Goirand



On 05/05/2015 04:31 AM, Ian Cordasco wrote:

> Please don’t put words in my mouth Thomas. You do this frequently.


I don't think I have. Not here, not before. Please assume good faith on
mailing lists, because it's hard to grasp the feeling on the other end.
If you want to start an argument and feel like I've been bad with you,
please do it privately, and I hope we'll get on together better. How
about having a beer in Vancouver? :)



> given the reliability of
> system packages, it’s increasingly deployed from source.


WTF?!? In what way are Python packages that I maintain for OpenStack not 
reliable? Could you care to explain?



>> Are you a lawyer? Do you have a special connection with people from
>> bootstrap and angular, and they told you so?
>
> Again with trying to put words in my mouth Thomas.


I'm just pointing to the fact that you don't know, just like I don't 
either or anyone else, what the consequences can be to violate a 
license. This is unless you're a lawyer, or if you know upstream for 
Angular. I fail to see where I do put words into your mouth...



> I suppose if you used pip, you’d understand why the .post1 suffix is
> necessary


I did use pip, but I still don't understand how adding .post1 provides
more information. Probably I won't be the only one. Could you enlighten me?



> but you don’t care about anything other than how this affects
> your packages, do you?


I do care that everything done within the OpenStack project is done
respecting free software licenses. This is more than just packaging in
Debian, this is also related to ethics.


I'm pointing out the fact that there's a legal issue with the licensing 
and the distribution of a package. The plan described by Robert Collins 
is very accurate, and is just exactly what I thought should be done. 
Let's be constructive, have the issue fixed like Robert described, and 
avoid time loss (with nit-pickings), ok?


On 05/05/2015 05:29 AM, Robert Collins wrote:
> So, we shouldn't use angular at all then, because as a js framework it's
> distributed to users when they use the website, but the license file
> isn't included in that distribution.

IANAL, but I don't think minified runtime use of a MIT-licensed 
Javascript has the same legal issues as shipping the source code. So 
far, I haven't seen a case where having a javascript running within your 
browser was considered as redistribution of the source code.


On 05/05/2015 08:17 AM, Matthias Runge wrote:
> If we're not allowed to use angular (and anybody else), I wonder how
> anyone could use it (following above logic)

Exactly my thoughts.

> Angular.js is licensed under MIT License [1],[2]:
>
> The above copyright notice and this permission notice shall be included in
> all copies or substantial portions of the Software.
>
> question is, if our use of angular is a substantial portion of this
> software.

I'm convinced it is. And I'm convinced we *must* ship the above copyright
notice and this permission notice in our source packages, as the
license says. If you don't trust me, please do trust the Debian FTP
masters who are doing this every day.


Cheers,

Thomas Goirand (zigo)



Re: [openstack-dev] [PKG-Openstack-devel][horizon][xstatic] XStatic-Angular-Bootstrap in violation of the MIT/Expat license (forwarded from: python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes R

2015-05-05 Thread Matthias Runge

On 05/05/15 04:31, Ian Cordasco wrote:


> Even so, Horizon is deployed in many places, and given the reliability of
> system packages, it’s increasingly deployed from source.


Ok, I'll bite.

You surely have a source for your statement, or even better, a proof?

This is wrong in so many ways. It's the same truth as someone could 
claim: neutron doesn't work, so don't use it. (just took neutron as example)


If there is something wrong with system packages, please file bugs. 
Every distribution has a bug tracker.


Matthias



Re: [openstack-dev] [PKG-Openstack-devel][horizon][xstatic] XStatic-Angular-Bootstrap in violation of the MIT/Expat license (forwarded from: python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes R

2015-05-04 Thread Robert Collins
On 5 May 2015 at 11:13, Thomas Goirand z...@debian.org wrote:
> On 05/05/2015 12:15 AM, Ian Cordasco wrote:
>
>> For what it’s worth Thomas and Maxime, removing the old versions from PyPI
>> is likely to be a bad idea.
>
> Probably, but it's legally wrong (ie: worst case, you can be sued) to leave
> a package which is in direct violation of the license of things it contains.

So, we shouldn't use angular at all then, because as a js framework it's
distributed to users when they use the website, but the license file
isn't included in that distribution.

-Rob

-- 
Robert Collins rbtcoll...@hp.com
Distinguished Technologist
HP Converged Cloud



Re: [openstack-dev] [PKG-Openstack-devel][horizon][xstatic] XStatic-Angular-Bootstrap in violation of the MIT/Expat license (forwarded from: python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes R

2015-05-04 Thread Ian Cordasco


On 5/3/15, 11:46, Thomas Goirand z...@debian.org wrote:

> Hi,
>
> According to Paul Tagliamonte, who is from the Debian FTP master team
> (which peer-reviews NEW packages in Debian before they reach the
> archive) python-xstatic-angular-bootstrap cannot be uploaded as-is to
> Debian because it doesn't include an Expat LICENSE file, which is in
> direct violation of the license itself (ie: anything which is shipped
> using the MIT / Expat license *must* include the said license). Below is
> a copy of reply to me, after the package was rejected.
>
> Maxime, since you're the maintainer of this xstatic package, could you
> please include the Expat (aka: MIT) license inside
> xstatic-angular-bootstrap, then retag and re-release the package?
>
> Also, when this is done, I would strongly suggest fixing the
> global-requirements.txt to force using the correct package, then remove
> license infringing version from PyPi. This won't change anything for me
> as long as there's a new package which fixes the licensing issue, but
> legally, I don't think it's right to leave downloadable what has already
> been released.
>
> -------- Forwarded Message --------
> Subject: Re: [PKG-Openstack-devel]
> python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes REJECTED
> Date: Sat, 2 May 2015 17:21:10 -0400
> From: Paul Tagliamonte paul...@debian.org
> Reply-To: Tracking bugs and development for OpenStack
> openstack-de...@lists.alioth.debian.org
> To: Thomas Goirand tho...@goirand.fr
> CC: Paul Richards Tagliamonte ftpmas...@ftp-master.debian.org, PKG
> OpenStack openstack-de...@lists.alioth.debian.org
>
> On Sat, May 02, 2015 at 11:07:51PM +0200, Thomas Goirand wrote:
>> Hi Paul!
>>
>> First of all, thanks a lot for all the package review. This is simply
>> awesome, and helps me really a lot in my work!
>
> np :)
>
>> Well, for all XStatic projects, the habit is to use the same licensing as
>> for the javascript that is packaged as Python module. So in this file:
>>
>> xstatic/pkg/angular_bootstrap/__init__.py
>>
>> you can see:
>>
>> LICENSE = '(same as %s)' % DISPLAY_NAME
>>
>> then in xstatic/pkg/angular_bootstrap/data/angular-bootstrap.js, in the
>> header of the file, you may see:
>>
>>  * angular-ui-bootstrap
>>  * http://angular-ui.github.io/bootstrap/
>>
>>  * Version: 0.11.0 - 2014-05-01
>>  * License: MIT
>>
>> So, python-xstatic-angular-bootstrap uses the same Expat license.
>>
>> Is this enough?
>
> So, I trust this *is* MIT/Expat licensed, but if you look at the terms
> they're granting us::
>
> | Permission is hereby granted, free of charge, to any person obtaining a copy
> | of this software and associated documentation files (the Software), to deal
> | in the Software without restriction, including without limitation the rights
> | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
> | copies of the Software, and to permit persons to whom the Software is
> | furnished to do so, subject to the following conditions:
> |
> | The above copyright notice and this permission notice shall be included in
> | all copies or substantial portions of the Software.
> |
> | THE SOFTWARE IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
> | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
> | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
> | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
> | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
> | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
> | THE SOFTWARE.
>
> The critical bit here --
>
> | The above copyright notice and this permission notice shall be included in
> | all copies or substantial portions of the Software.
>
> The source distribution is non-compliant. They can do that since they
> can't infringe on themselves. We would be infringing by distributing the
> source tarball.
>
> Just do a DFSG repack and include the license in it. That'll be great
> and enough.
>
>> Can I upload again the package? Or should I ask for a more
>> clear statement from upstream (which by the way, I have met face to face,
>> and I know how to ping him on Freenode...)?
>
> Cheers,
>    Paul
>
> --
>   .''`.  Paul Tagliamonte paul...@debian.org  |   Proud Debian Developer
> : :'  : 4096R / 8F04 9AD8 2C92 066C 7352  D28A 7B58 5B30 807C 2A87
> `. `'`  http://people.debian.org/~paultag
>   `- http://people.debian.org/~paultag/conduct-statement.txt





For what it’s worth Thomas and Maxime, removing the old versions from PyPI
is likely to be a bad idea. An increasing number of deployers have stopped
relying on system packages and install either from source or from PyPI. If
they’re creating frozen lists of dependencies, you *will* break them.
While I agree that those distributions are violating the license, I think
it is a mistake that no one 

Re: [openstack-dev] [PKG-Openstack-devel][horizon][xstatic] XStatic-Angular-Bootstrap in violation of the MIT/Expat license (forwarded from: python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes R

2015-05-04 Thread Thomas Goirand

On 05/05/2015 12:15 AM, Ian Cordasco wrote:

> For what it’s worth Thomas and Maxime, removing the old versions from PyPI
> is likely to be a bad idea.


Probably, but it's legally wrong (ie: worst case, you can be sued) to 
leave a package which is in direct violation of the license of things it 
contains.



> An increasing number of deployers have stopped
> relying on system packages and install either from source or from PyPI. If
> they’re creating frozen lists of dependencies, you *will* break them.


I don't think we have a choice here. Or do you want to push Maxime to 
take the legal risks? I wouldn't do that...


Anyway, here, we're talking about xstatic-angular-bootstrap, and I think it's
safe to say that nothing else but horizon depends on it. So we should be
fine.



> While I agree that those distributions are violating the license, I think
> it is a mistake that no one believes is malicious and which no one will
> actually chase after you for.


Are you a lawyer? Do you have a special connection with people from 
bootstrap and angular, and they told you so?



> If you’re very concerned about it, you can
> create updated releases of all of those packages (for PyPI).


Even if you aren't concerned, please do create an updated release on 
PyPi so that it can be uploaded to Debian.



> If you have
> version 1.2.3, you can release version 1.2.3.post1 to indicate that the
> source code itself didn’t exactly change but some metadata was added or
> fixed. Pip should, then if I recall correctly, select 1.2.3.post1 over
> 1.2.3.


There's no need to do this, there's already 4 digits in XStatic 
packages. Just increasing the ultra-micro (ie: the last digit) in the 
version number is fine. I fail to see why one would need to 
over-engineer this with a .post1 suffix.


Cheers,

Thomas Goirand (zigo)



Re: [openstack-dev] [PKG-Openstack-devel][horizon][xstatic] XStatic-Angular-Bootstrap in violation of the MIT/Expat license (forwarded from: python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes R

2015-05-04 Thread Ian Cordasco
On 5/4/15, 18:13, Thomas Goirand z...@debian.org wrote:

> On 05/05/2015 12:15 AM, Ian Cordasco wrote:
>> For what it’s worth Thomas and Maxime, removing the old versions from PyPI
>> is likely to be a bad idea.
>
> Probably, but it's legally wrong (ie: worst case, you can be sued) to
> leave a package which is in direct violation of the license of things it
> contains.

Note: I didn’t say it was legally correct. Please don’t put words in my
mouth Thomas. You do this frequently.


>> An increasing number of deployers have stopped
>> relying on system packages and install either from source or from PyPI. If
>> they’re creating frozen lists of dependencies, you *will* break them.
>
> I don't think we have a choice here. Or do you want to push Maxime to
> take the legal risks? I wouldn't do that...
>
> Anyway, here, we're talking about xstatic-angular-bootstrap, and I think it's
> safe to say that nothing else but horizon depends on it. So we should be
> fine.

Have you analyzed all of the dependencies on PyPI? Are you sure Storyboard
doesn’t depend on it? Horizon may be the only project *you* know of that
depends on it. I don’t think, you, Maxime, or I can know that for certain.
Even so, Horizon is deployed in many places, and given the reliability of
system packages, it’s increasingly deployed from source.


>> While I agree that those distributions are violating the license, I think
>> it is a mistake that no one believes is malicious and which no one will
>> actually chase after you for.
>
> Are you a lawyer? Do you have a special connection with people from
> bootstrap and angular, and they told you so?

Again with trying to put words in my mouth Thomas.


>> If you’re very concerned about it, you can
>> create updated releases of all of those packages (for PyPI).
>
> Even if you aren't concerned, please do create an updated release on
> PyPi so that it can be uploaded to Debian.
>
>> If you have
>> version 1.2.3, you can release version 1.2.3.post1 to indicate that the
>> source code itself didn’t exactly change but some metadata was added or
>> fixed. Pip should, then if I recall correctly, select 1.2.3.post1 over
>> 1.2.3.
>
> There's no need to do this, there's already 4 digits in XStatic
> packages. Just increasing the ultra-micro (ie: the last digit) in the
> version number is fine. I fail to see why one would need to
> over-engineer this with a .post1 suffix.

I suppose if you used pip, you’d understand why the .post1 suffix is
necessary, but you don’t care about anything other than how this affects
your packages, do you?



Re: [openstack-dev] [PKG-Openstack-devel][horizon][xstatic] XStatic-Angular-Bootstrap in violation of the MIT/Expat license (forwarded from: python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes R

2015-05-03 Thread Thomas Goirand

Hi,

According to Paul Tagliamonte, who is from the Debian FTP master team 
(which peer-reviews NEW packages in Debian before they reach the 
archive) python-xstatic-angular-bootstrap cannot be uploaded as-is to 
Debian because it doesn't include an Expat LICENSE file, which is in 
direct violation of the license itself (ie: anything which is shipped 
using the MIT / Expat license *must* include the said license). Below is 
a copy of reply to me, after the package was rejected.


Maxime, since you're the maintainer of this xstatic package, could you 
please include the Expat (aka: MIT) license inside 
xstatic-angular-bootstrap, then retag and re-release the package?


Also, when this is done, I would strongly suggest fixing the
global-requirements.txt to force using the correct package, then remove
license infringing version from PyPi. This won't change anything for me
as long as there's a new package which fixes the licensing issue, but
legally, I don't think it's right to leave downloadable what has already
been released.


-------- Forwarded Message --------
Subject: Re: [PKG-Openstack-devel]
python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes REJECTED
Date: Sat, 2 May 2015 17:21:10 -0400
From: Paul Tagliamonte paul...@debian.org
Reply-To: Tracking bugs and development for OpenStack
openstack-de...@lists.alioth.debian.org
To: Thomas Goirand tho...@goirand.fr
CC: Paul Richards Tagliamonte ftpmas...@ftp-master.debian.org, PKG
OpenStack openstack-de...@lists.alioth.debian.org


On Sat, May 02, 2015 at 11:07:51PM +0200, Thomas Goirand wrote:
> Hi Paul!
>
> First of all, thanks a lot for all the package review. This is simply
> awesome, and helps me really a lot in my work!

np :)

> Well, for all XStatic projects, the habit is to use the same licensing as
> for the javascript that is packaged as Python module. So in this file:
>
> xstatic/pkg/angular_bootstrap/__init__.py
>
> you can see:
>
> LICENSE = '(same as %s)' % DISPLAY_NAME
>
> then in xstatic/pkg/angular_bootstrap/data/angular-bootstrap.js, in the
> header of the file, you may see:
>
>  * angular-ui-bootstrap
>  * http://angular-ui.github.io/bootstrap/
>
>  * Version: 0.11.0 - 2014-05-01
>  * License: MIT
>
> So, python-xstatic-angular-bootstrap uses the same Expat license.
>
> Is this enough?

So, I trust this *is* MIT/Expat licensed, but if you look at the terms
they're granting us::

| Permission is hereby granted, free of charge, to any person obtaining a copy
| of this software and associated documentation files (the Software), to deal
| in the Software without restriction, including without limitation the rights
| to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
| copies of the Software, and to permit persons to whom the Software is
| furnished to do so, subject to the following conditions:
|
| The above copyright notice and this permission notice shall be included in
| all copies or substantial portions of the Software.
|
| THE SOFTWARE IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
| IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
| FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
| AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
| LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
| OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
| THE SOFTWARE.

The critical bit here --

| The above copyright notice and this permission notice shall be included in
| all copies or substantial portions of the Software.

The source distribution is non-compliant. They can do that since they
can't infringe on themselves. We would be infringing by distributing the
source tarball.

Just do a DFSG repack and include the license in it. That'll be great
and enough.

> Can I upload again the package? Or should I ask for a more
> clear statement from upstream (which by the way, I have met face to face,
> and I know how to ping him on Freenode...)?


Cheers,
  Paul

--
 .''`.  Paul Tagliamonte paul...@debian.org  |   Proud Debian Developer
: :'  : 4096R / 8F04 9AD8 2C92 066C 7352  D28A 7B58 5B30 807C 2A87
`. `'`  http://people.debian.org/~paultag
 `- http://people.debian.org/~paultag/conduct-statement.txt
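
Added example, not part of the original thread and not XStatic or Debian tooling: a Python check for the gap described in the rejection above, where a source archive carries only a "License: MIT" header mention and not the permission notice itself. The `pkg-root/` layout, the `DISPLAY_NAME` value and the copyright line are constructed placeholders, and treating the presence of the notice sentence as the pass condition is a heuristic assumed here.

```python
import io
import re
import tarfile

# Sentence of the MIT/Expat text that the thread calls "the critical bit".
NOTICE = ("The above copyright notice and this permission notice shall be "
          "included in all copies or substantial portions of the Software.")
MAX_BYTES = 1 << 20  # read at most 1 MiB per member; enough for licence text


def _normalize(text):
    """Drop leading comment decoration, collapse whitespace, lowercase."""
    text = re.sub(r"^[ \t]*(?:\*|#|//|\|)+", " ", text, flags=re.M)
    return re.sub(r"\s+", " ", text).strip().lower()


def audit_sdist(fileobj):
    """Report where licence material sits inside a .tar.gz source archive.

    license_files: members named LICENSE/LICENCE/COPYING (any extension)
    notice_in:     members that contain the permission notice sentence
    mention_only:  members that only say "License: MIT" (or Expat)
    compliant:     True only if the notice text itself is shipped (heuristic)
    """
    wanted = _normalize(NOTICE)
    report = {"license_files": [], "notice_in": [], "mention_only": []}
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            base = member.name.rsplit("/", 1)[-1]
            if re.match(r"(?i)(licen[cs]e|copying)(\.|$)", base):
                report["license_files"].append(member.name)
            raw = tar.extractfile(member).read(MAX_BYTES)
            text = _normalize(raw.decode("utf-8", errors="replace"))
            if wanted in text:
                report["notice_in"].append(member.name)
            elif re.search(r"license: (mit|expat)\b", text):
                report["mention_only"].append(member.name)
    report["compliant"] = bool(report["notice_in"])
    return report


def build_sdist(files):
    """Build an in-memory .tar.gz from {path: text}; used for sample input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            data = text.encode("utf-8")
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


# Constructed sample mirroring the two files quoted in the thread.
AS_REJECTED = {
    "pkg-root/xstatic/pkg/angular_bootstrap/__init__.py":
        "DISPLAY_NAME = 'EXAMPLE'  # constructed value\n"
        "LICENSE = '(same as %s)' % DISPLAY_NAME\n",
    "pkg-root/xstatic/pkg/angular_bootstrap/data/angular-bootstrap.js":
        "/*\n * angular-ui-bootstrap\n"
        " * http://angular-ui.github.io/bootstrap/\n\n"
        " * Version: 0.11.0 - 2014-05-01\n * License: MIT\n */\n",
}

# Constructed LICENSE file: placeholder copyright line plus the grant and
# notice paragraphs, hard-wrapped to exercise the whitespace normalization.
MIT_TEXT = """\
Copyright (c) YEAR COPYRIGHT-HOLDERS

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
"""

# The same tree after a repack that adds the licence file.
REPACKED = dict(AS_REJECTED, **{"pkg-root/LICENSE": MIT_TEXT})

if __name__ == "__main__":
    for label, tree in (("as rejected", AS_REJECTED), ("repacked", REPACKED)):
        print(label, audit_sdist(build_sdist(tree)))
```
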



