Re: [openstack-dev] [PKG-Openstack-devel][horizon][xstatic] XStatic-Angular-Bootstrap in violation of the MIT/Expat license (forwarded from: python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes R
On 05/05/2015 05:05 PM, Michael Krotscheck wrote:
> The real question seems to be whether packagers have a disproportionate amount of power to set development goals, tools, and policy. This is a common theme that I've encountered frequently, and it leads to no small amount of tension. This tension serves no-one, and really just causes all of us stress.
>
> How about we start a separate thread to discuss the roles of package maintainers in OpenStack?
>
> Michael

Mostly, everyone has been super friendly in the OpenStack community, and reactions are almost always very constructive, plus my concerns are almost always addressed (and when they are not, either there's a real reason why, or it's hard to do). I haven't felt tension so much as you're claiming, apart maybe with a very low amount of individuals, but that's unavoidable in such a large community.

Thomas

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [PKG-Openstack-devel][horizon][xstatic] XStatic-Angular-Bootstrap in violation of the MIT/Expat license (forwarded from: python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes R
On Tue, May 5, 2015 at 1:32 AM Matthias Runge mru...@redhat.com wrote:
> On 05/05/15 04:31, Ian Cordasco wrote:
>> Even so, Horizon is deployed in many places, and given the reliability of system packages, it’s increasingly deployed from source.
>
> Ok, I'll bite. You surely have a source for your statement, or even better, a proof?

In the interest of open data, I'll answer this, using basic data extracted from the Paris User Survey. For the sake of simplicity, I'm only going to focus on production deployments of openstack, and I'm going to make the assumption that if a tool is referenced, the official openstack version of it was used. Here's the link, if you'd like to follow along:

http://superuser.openstack.org/articles/openstack-user-survey-insights-november-2014

As of Paris, the following tools were used to deploy openstack-dashboard in production. I've called out which of these are actually a source install, and which of them are not. I've also skipped the two 1%'ers, because I don't know those tools well enough to figure out if they're source.

Tool       Percentage  Is Source?  Is Package?
Puppet     45%         No          Yes
Chef       20%         No          Yes
Ansible    21%         No          Yes
DevStack   7%          Yes         No
PackStack  8%          No          Yes
Salt       8%          No          Yes
Juju       7%          No          Yes

As you can see, the majority of the tools that we publish install via packages. Note that this data _cannot_ be used to infer an argument as to whether source or packages are used more often, for the following reasons:

1. The actual percentages from the survey add up to 118%.
2. Install from Source did not appear to be an option.
3. We are unable to determine the size of the cloud, thus providing a 'weight' to each install method.
4. We do not know whether every one of these respondents actually install horizon.

In short: We don't have data to support either side of this argument, though there is a strong case that packages are the de-facto install method.

If I can editorialize for a second and read subtext into what Ian's saying: The real question seems to be whether packagers have a disproportionate amount of power to set development goals, tools, and policy. This is a common theme that I've encountered frequently, and it leads to no small amount of tension. This tension serves no-one, and really just causes all of us stress.

How about we start a separate thread to discuss the roles of package maintainers in OpenStack?

Michael
Re: [openstack-dev] [PKG-Openstack-devel][horizon][xstatic] XStatic-Angular-Bootstrap in violation of the MIT/Expat license (forwarded from: python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes R
http://programmers.stackexchange.com/questions/45033/can-i-minify-javascript-that-requires-copyright-notice

Thanks,
Kevin

From: Matthias Runge [mru...@redhat.com]
Sent: Monday, May 04, 2015 11:17 PM
To: openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] [PKG-Openstack-devel][horizon][xstatic] XStatic-Angular-Bootstrap in violation of the MIT/Expat license (forwarded from: python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes REJECTED)

On 05/05/15 05:29, Robert Collins wrote:
>> Probably, but it's legally wrong (ie: worst case, you can be sued) to leave a package which is in direct violation of the license of things it contains.
>
> So, we shouldn't use angular at all then, because as a js framework it's distributed to users when they use the website, but the license file isn't included in that distribution.

Would be good to get a legal position on this. If we're not allowed to use angular (and anybody else), I wonder how anyone could use it (following above logic)

Angular.js is licensed under MIT License [1],[2]:

    The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

question is, if our use of angular is a substantial portion of this software.

Matthias

[1] https://angularjs.org/
[2] https://github.com/angular/angular.js/blob/master/LICENSE
Re: [openstack-dev] [PKG-Openstack-devel][horizon][xstatic] XStatic-Angular-Bootstrap in violation of the MIT/Expat license (forwarded from: python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes R
On 5 May 2015 at 18:17, Matthias Runge mru...@redhat.com wrote:
> On 05/05/15 05:29, Robert Collins wrote:
>>> Probably, but it's legally wrong (ie: worst case, you can be sued) to leave a package which is in direct violation of the license of things it contains.
>>
>> So, we shouldn't use angular at all then, because as a js framework it's distributed to users when they use the website, but the license file isn't included in that distribution.
>
> Would be good to get a legal position on this. If we're not allowed to use angular (and anybody else), I wonder how anyone could use it (following above logic)

Let's take a sensible, pragmatic approach here.

Firstly, upload a new tarball to pypi (a point release, not a postN release - for uninteresting reasons pbr 0.10 produced postN versions for local commits, and thus any postN version is not guaranteed to be unique).

Secondly, reference that in a stable branch update to global-requirements and horizon. That's easy enough.

Thirdly, once our users have had time to update to the next point release of Horizon - say 3 months - delete the file that's missing its license statement from PyPI: upstream git has a LICENSE file, so we are clearly not representing them well by distributing a package without it.

There's absolutely no reason to rush: if upstream were license pedants, they would not have chosen the license they did (because of its obvious incompatibility with js minification). The incompatibility that I refer to is potentially serious, since a license pedant can trivially take the position I put forward above, but since we can reasonably assume upstream want their code to be used, I think should be treated as a linter warning, not a fatal error, and we should take a gentle non-contentious approach to discussing it with them. angular-bootstrap only! has 190 committers, angular has 1200 committers:- any rectification, even a simple rider added to the repo, is likely to take time due to the lovely way copyright intertwines on these things.

-Rob

--
Robert Collins rbtcoll...@hp.com
Distinguished Technologist
HP Converged Cloud
Re: [openstack-dev] [PKG-Openstack-devel][horizon][xstatic] XStatic-Angular-Bootstrap in violation of the MIT/Expat license (forwarded from: python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes R
On 05/05/15 05:29, Robert Collins wrote:
>> Probably, but it's legally wrong (ie: worst case, you can be sued) to leave a package which is in direct violation of the license of things it contains.
>
> So, we shouldn't use angular at all then, because as a js framework it's distributed to users when they use the website, but the license file isn't included in that distribution.

Would be good to get a legal position on this. If we're not allowed to use angular (and anybody else), I wonder how anyone could use it (following above logic)

Angular.js is licensed under MIT License [1],[2]:

    The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

question is, if our use of angular is a substantial portion of this software.

Matthias

[1] https://angularjs.org/
[2] https://github.com/angular/angular.js/blob/master/LICENSE
Re: [openstack-dev] [PKG-Openstack-devel][horizon][xstatic] XStatic-Angular-Bootstrap in violation of the MIT/Expat license (forwarded from: python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes R
On 05/05/2015 04:31 AM, Ian Cordasco wrote:
> Please don’t put words in my mouth Thomas. You do this frequently.

I don't think I have. Not here, not before. Please assume good faith on mailing lists, because it's hard to grasp the feeling on the other end. If you want to start an argument and feel like I've been bad with you, please do it privately, and I hope we'll get on together better. How about having a beer in Vancouver? :)

> given the reliability of system packages, it’s increasingly deployed from source.

WTF?!? In what way are Python packages that I maintain for OpenStack not reliable? Could you care to explain?

>> Are you a lawyer? Do you have a special connection with people from bootstrap and angular, and they told you so?
>
> Again with trying to put words in my mouth Thomas.

I'm just pointing to the fact that you don't know, just like I don't either or anyone else, what the consequences can be to violate a license. This is unless you're a lawyer, or if you know upstream for Angular. I fail to see where I do put words into your mouth...

> I suppose if you used pip, you’d understand why the .post1 suffix is necessary

I did use pip, but I still don't understand how adding .post1 provides more information. Probably I won't be the only one. Could you enlighten me?

> but you don’t care about anything other than how this affects your packages, do you?

I do care that everything done within the OpenStack project is done respecting free software licenses. This is more than just packaging in Debian, this is also related to ethics.

I'm pointing out the fact that there's a legal issue with the licensing and the distribution of a package. The plan described by Robert Collins is very accurate, and is just exactly what I thought should be done. Let's be constructive, have the issue fixed like Robert described, and avoid time loss (with nit-pickings), ok?

On 05/05/2015 05:29 AM, Robert Collins wrote:
> So, we shouldn't use angular at all then, because as a js framework it's distributed to users when they use the website, but the license file isn't included in that distribution.

IANAL, but I don't think minified runtime use of a MIT-licensed Javascript has the same legal issues as shipping the source code. So far, I haven't seen a case where having a javascript running within your browser was considered as redistribution of the source code.

On 05/05/2015 08:17 AM, Matthias Runge wrote:
> If we're not allowed to use angular (and anybody else), I wonder how anyone could use it (following above logic)

Exactly my thoughts.

> Angular.js is licensed under MIT License [1],[2]:
>
>     The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
>
> question is, if our use of angular is a substantial portion of this software.

I'm convinced it is. And I'm convinced we *must* ship the above copyright notice and this permission notice in our source packages, as the license says. If you don't trust me, please do trust the Debian FTP masters who are doing this every day.

Cheers,

Thomas Goirand (zigo)
Re: [openstack-dev] [PKG-Openstack-devel][horizon][xstatic] XStatic-Angular-Bootstrap in violation of the MIT/Expat license (forwarded from: python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes R
On 05/05/15 04:31, Ian Cordasco wrote:
> Even so, Horizon is deployed in many places, and given the reliability of system packages, it’s increasingly deployed from source.

Ok, I'll bite. You surely have a source for your statement, or even better, a proof?

This is wrong in so many ways. It's the same truth as someone could claim: neutron doesn't work, so don't use it. (just took neutron as example)

If there is something wrong with system packages, please file bugs. Every distribution has a bug tracker.

Matthias
Re: [openstack-dev] [PKG-Openstack-devel][horizon][xstatic] XStatic-Angular-Bootstrap in violation of the MIT/Expat license (forwarded from: python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes R
On 5 May 2015 at 11:13, Thomas Goirand z...@debian.org wrote:
> On 05/05/2015 12:15 AM, Ian Cordasco wrote:
>> For what it’s worth Thomas and Maxime, removing the old versions from PyPI is likely to be a bad idea.
>
> Probably, but it's legally wrong (ie: worst case, you can be sued) to leave a package which is in direct violation of the license of things it contains.

So, we shouldn't use angular at all then, because as a js framework it's distributed to users when they use the website, but the license file isn't included in that distribution.

-Rob

--
Robert Collins rbtcoll...@hp.com
Distinguished Technologist
HP Converged Cloud
Re: [openstack-dev] [PKG-Openstack-devel][horizon][xstatic] XStatic-Angular-Bootstrap in violation of the MIT/Expat license (forwarded from: python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes R
On 5/3/15, 11:46, Thomas Goirand z...@debian.org wrote:
> Hi,
>
> According to Paul Tagliamonte, who is from the Debian FTP master team (which peer-reviews NEW packages in Debian before they reach the archive) python-xstatic-angular-bootstrap cannot be uploaded as-is to Debian because it doesn't include an Expat LICENSE file, which is in direct violation of the license itself (ie: anything which is shipped using the MIT / Expat license *must* include the said license). Below is a copy of reply to me, after the package was rejected.
>
> Maxime, since you're the maintainer of this xstatic package, could you please include the Expat (aka: MIT) license inside xstatic-angular-bootstrap, then retag and re-release the package?
>
> Also, when this is done, I would strongly suggest fixing the global-requirements.txt to force using the correct package, then remove license infringing version from PyPi. This won't change anything for me as long as there's a new package which fixes the licensing issue, but legally, I don't think it's right to leave downloadable what has already been released.
>
> Forwarded Message
> Subject: Re: [PKG-Openstack-devel] python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes REJECTED
> Date: Sat, 2 May 2015 17:21:10 -0400
> From: Paul Tagliamonte paul...@debian.org
> Reply-To: Tracking bugs and development for OpenStack openstack-de...@lists.alioth.debian.org
> To: Thomas Goirand tho...@goirand.fr
> CC: Paul Richards Tagliamonte ftpmas...@ftp-master.debian.org, PKG OpenStack openstack-de...@lists.alioth.debian.org
>
> On Sat, May 02, 2015 at 11:07:51PM +0200, Thomas Goirand wrote:
> > Hi Paul!
> >
> > First of all, thanks a lot for all the package review. This is simply awesome, and helps me really a lot in my work!
>
> np :)
>
> > Well, for all XStatic projects, the habit is to use the same licensing as for the javascript that is packaged as Python module. So in this file:
> > xstatic/pkg/angular_bootstrap/__init__.py
> >
> > you can see:
> > LICENSE = '(same as %s)' % DISPLAY_NAME
> >
> > then in xstatic/pkg/angular_bootstrap/data/angular-bootstrap.js, in the header of the file, you may see:
> >
> >  * angular-ui-bootstrap
> >  * http://angular-ui.github.io/bootstrap/
> >  * Version: 0.11.0 - 2014-05-01
> >  * License: MIT
> >
> > So, python-xstatic-angular-bootstrap uses the same Expat license. Is this enough?
>
> So, I trust this *is* MIT/Expat licensed, but if you look at the terms they're granting us::
>
> | Permission is hereby granted, free of charge, to any person obtaining a copy
> | of this software and associated documentation files (the Software), to deal
> | in the Software without restriction, including without limitation the rights
> | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
> | copies of the Software, and to permit persons to whom the Software is
> | furnished to do so, subject to the following conditions:
> |
> | The above copyright notice and this permission notice shall be included in
> | all copies or substantial portions of the Software.
> |
> | THE SOFTWARE IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
> | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
> | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
> | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
> | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
> | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
> | THE SOFTWARE.
>
> The critical bit here --
>
> | The above copyright notice and this permission notice shall be included in
> | all copies or substantial portions of the Software.
>
> The source distribution is non-compliant. They can do that since they can't infringe on themselves. We would be infringing by distributing the source tarball.
>
> Just do a DFSG repack and include the license in it. That'll be great and enough.
>
> > Can I upload again the package? Or should I ask for a more clear statement from upstream (which by the way, I have met face to face, and I know how to ping him on Freenode...)?
>
> Cheers,
> Paul
>
> --
>  .''`.  Paul Tagliamonte paul...@debian.org | Proud Debian Developer
> : :'  : 4096R / 8F04 9AD8 2C92 066C 7352 D28A 7B58 5B30 807C 2A87
> `. `'`  http://people.debian.org/~paultag
>  `-     http://people.debian.org/~paultag/conduct-statement.txt

For what it’s worth Thomas and Maxime, removing the old versions from PyPI is likely to be a bad idea. An increasing number of deployers have stopped relying on system packages and install either from source or from PyPI. If they’re creating frozen lists of dependencies, you *will* break them.

While I agree that those distributions are violating the license, I think it is a mistake that no one
Re: [openstack-dev] [PKG-Openstack-devel][horizon][xstatic] XStatic-Angular-Bootstrap in violation of the MIT/Expat license (forwarded from: python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes R
On 05/05/2015 12:15 AM, Ian Cordasco wrote:
> For what it’s worth Thomas and Maxime, removing the old versions from PyPI is likely to be a bad idea.

Probably, but it's legally wrong (ie: worst case, you can be sued) to leave a package which is in direct violation of the license of things it contains.

> An increasing number of deployers have stopped relying on system packages and install either from source or from PyPI. If they’re creating frozen lists of dependencies, you *will* break them.

I don't think we have a choice here. Or do you want to push Maxime to take the legal risks? I wouldn't do that...

Anyway, here, we're talking about xstatic-angular-bootstrap, and I it's safe to say that nothing else but horizon depends on it. So we should be fine.

> While I agree that those distributions are violating the license, I think it is a mistake that no one believes is malicious and which no one will actually chase after you for.

Are you a lawyer? Do you have a special connection with people from bootstrap and angular, and they told you so?

> If you’re very concerned about it, you can create updated releases of all of those packages (for PyPI).

Even if you aren't concerned, please do create an updated release on PyPi so that it can be uploaded to Debian.

> If you have version 1.2.3, you can release version 1.2.3.post1 to indicate that the source code itself didn’t exactly change but some metadata was added or fixed. Pip should, then if I recall correctly, select 1.2.3.post1 over 1.2.3.

There's no need to do this, there's already 4 digits in XStatic packages. Just increasing the ultra-micro (ie: the last digit) in the version number is fine. I fail to see why one would need to over-engineer this with a .post1 suffix.

Cheers,

Thomas Goirand (zigo)
Re: [openstack-dev] [PKG-Openstack-devel][horizon][xstatic] XStatic-Angular-Bootstrap in violation of the MIT/Expat license (forwarded from: python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes R
On 5/4/15, 18:13, Thomas Goirand z...@debian.org wrote:
> On 05/05/2015 12:15 AM, Ian Cordasco wrote:
>> For what it’s worth Thomas and Maxime, removing the old versions from PyPI is likely to be a bad idea.
>
> Probably, but it's legally wrong (ie: worst case, you can be sued) to leave a package which is in direct violation of the license of things it contains.

Note: I didn’t say it was legally correct. Please don’t put words in my mouth Thomas. You do this frequently.

>> An increasing number of deployers have stopped relying on system packages and install either from source or from PyPI. If they’re creating frozen lists of dependencies, you *will* break them.
>
> I don't think we have a choice here. Or do you want to push Maxime to take the legal risks? I wouldn't do that...
>
> Anyway, here, we're talking about xstatic-angular-bootstrap, and I it's safe to say that nothing else but horizon depends on it. So we should be fine.

Have you analyzed all of the dependencies on PyPI? Are you sure Storyboard doesn’t depend on it? Horizon may be the only project *you* know of that depends on it. I don’t think, you, Maxime, or I can know that for certain. Even so, Horizon is deployed in many places, and given the reliability of system packages, it’s increasingly deployed from source.

>> While I agree that those distributions are violating the license, I think it is a mistake that no one believes is malicious and which no one will actually chase after you for.
>
> Are you a lawyer? Do you have a special connection with people from bootstrap and angular, and they told you so?

Again with trying to put words in my mouth Thomas.

>> If you’re very concerned about it, you can create updated releases of all of those packages (for PyPI).
>
> Even if you aren't concerned, please do create an updated release on PyPi so that it can be uploaded to Debian.
>
>> If you have version 1.2.3, you can release version 1.2.3.post1 to indicate that the source code itself didn’t exactly change but some metadata was added or fixed. Pip should, then if I recall correctly, select 1.2.3.post1 over 1.2.3.
>
> There's no need to do this, there's already 4 digits in XStatic packages. Just increasing the ultra-micro (ie: the last digit) in the version number is fine. I fail to see why one would need to over-engineer this with a .post1 suffix.

I suppose if you used pip, you’d understand why the .post1 suffix is necessary, but you don’t care about anything other than how this affects your packages, do you?
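An added example, not part of any message in this thread and not pip's own code: a simplified PEP 440 ordering showing that both proposals above (a `.post1` suffix, or bumping the fourth digit) sort after the original release, and what a frozen `==` pin resolves to once the old file is deleted from the index. The version `0.11.0.3`, the index contents and the helper names are assumptions made for illustration; only the `release[.postN]` subset of PEP 440 is handled.

```python
import re

# Subset of PEP 440: dotted numeric release, optional ".postN" suffix.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:\.post(\d+))?$")
_REQUIREMENT_RE = re.compile(r"^([A-Za-z0-9._-]+)\s*(?:(==|>=)\s*(\S+))?$")

ORIGINAL = "0.11.0.2"            # version named in the thread's subject line
POINT_RELEASE = "0.11.0.3"       # constructed: "increase the last digit"
POST_RELEASE = "0.11.0.2.post1"  # constructed: the ".post1" suggestion


def version_key(version):
    """Sort key: release tuple first, then post number (-1 when absent)."""
    match = _VERSION_RE.match(version.strip())
    if match is None:
        raise ValueError("unsupported version: %r" % version)
    release = [int(part) for part in match.group(1).split(".")]
    # PEP 440 treats 1.0 and 1.0.0 as equal, so drop trailing zeros.
    while release and release[-1] == 0:
        release.pop()
    post = int(match.group(2)) if match.group(2) is not None else -1
    return (tuple(release), post)


def select(available, requirement):
    """Return the highest available version satisfying the requirement,
    or None when nothing on the index satisfies it."""
    match = _REQUIREMENT_RE.match(requirement.strip())
    if match is None:
        raise ValueError("unsupported requirement: %r" % requirement)
    _name, operator, wanted = match.groups()

    def allowed(candidate):
        if operator is None:
            return True
        if operator == "==":
            # Strict equality: a pin on X does not match X.postN.
            return version_key(candidate) == version_key(wanted)
        return version_key(candidate) >= version_key(wanted)

    candidates = [v for v in available if allowed(v)]
    return max(candidates, key=version_key) if candidates else None


def scenario():
    """Walk the index through fix-then-delete for a frozen and a floor pin."""
    pinned = "XStatic-Angular-Bootstrap==" + ORIGINAL
    floor = "XStatic-Angular-Bootstrap>=" + ORIGINAL
    fixed_index = [ORIGINAL, POINT_RELEASE]
    after_delete = [POINT_RELEASE]
    return {
        "pinned, fix published": select(fixed_index, pinned),
        "floor, fix published": select(fixed_index, floor),
        "pinned, old file deleted": select(after_delete, pinned),
        "floor, old file deleted": select(after_delete, floor),
    }


if __name__ == "__main__":
    for label, chosen in scenario().items():
        print("%-26s -> %s" % (label, chosen))
```

A frozen `==` pin never picks up either kind of fixed release on its own, which is why deleting the old file breaks it regardless of which versioning scheme the fix uses.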
Re: [openstack-dev] [PKG-Openstack-devel][horizon][xstatic] XStatic-Angular-Bootstrap in violation of the MIT/Expat license (forwarded from: python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes R
Hi,

According to Paul Tagliamonte, who is from the Debian FTP master team (which peer-reviews NEW packages in Debian before they reach the archive) python-xstatic-angular-bootstrap cannot be uploaded as-is to Debian because it doesn't include an Expat LICENSE file, which is in direct violation of the license itself (ie: anything which is shipped using the MIT / Expat license *must* include the said license). Below is a copy of reply to me, after the package was rejected.

Maxime, since you're the maintainer of this xstatic package, could you please include the Expat (aka: MIT) license inside xstatic-angular-bootstrap, then retag and re-release the package?

Also, when this is done, I would strongly suggest fixing the global-requirements.txt to force using the correct package, then remove license infringing version from PyPi. This won't change anything for me as long as there's a new package which fixes the licensing issue, but legally, I don't think it's right to leave downloadable what has already been released.

Forwarded Message
Subject: Re: [PKG-Openstack-devel] python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes REJECTED
Date: Sat, 2 May 2015 17:21:10 -0400
From: Paul Tagliamonte paul...@debian.org
Reply-To: Tracking bugs and development for OpenStack openstack-de...@lists.alioth.debian.org
To: Thomas Goirand tho...@goirand.fr
CC: Paul Richards Tagliamonte ftpmas...@ftp-master.debian.org, PKG OpenStack openstack-de...@lists.alioth.debian.org

On Sat, May 02, 2015 at 11:07:51PM +0200, Thomas Goirand wrote:
> Hi Paul!
>
> First of all, thanks a lot for all the package review. This is simply awesome, and helps me really a lot in my work!

np :)

> Well, for all XStatic projects, the habit is to use the same licensing as for the javascript that is packaged as Python module. So in this file:
> xstatic/pkg/angular_bootstrap/__init__.py
>
> you can see:
> LICENSE = '(same as %s)' % DISPLAY_NAME
>
> then in xstatic/pkg/angular_bootstrap/data/angular-bootstrap.js, in the header of the file, you may see:
>
>  * angular-ui-bootstrap
>  * http://angular-ui.github.io/bootstrap/
>  * Version: 0.11.0 - 2014-05-01
>  * License: MIT
>
> So, python-xstatic-angular-bootstrap uses the same Expat license. Is this enough?

So, I trust this *is* MIT/Expat licensed, but if you look at the terms they're granting us::

| Permission is hereby granted, free of charge, to any person obtaining a copy
| of this software and associated documentation files (the Software), to deal
| in the Software without restriction, including without limitation the rights
| to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
| copies of the Software, and to permit persons to whom the Software is
| furnished to do so, subject to the following conditions:
|
| The above copyright notice and this permission notice shall be included in
| all copies or substantial portions of the Software.
|
| THE SOFTWARE IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
| IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
| FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
| AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
| LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
| OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
| THE SOFTWARE.

The critical bit here --

| The above copyright notice and this permission notice shall be included in
| all copies or substantial portions of the Software.

The source distribution is non-compliant. They can do that since they can't infringe on themselves. We would be infringing by distributing the source tarball.

Just do a DFSG repack and include the license in it. That'll be great and enough.

> Can I upload again the package? Or should I ask for a more clear statement from upstream (which by the way, I have met face to face, and I know how to ping him on Freenode...)?

Cheers,
Paul

--
 .''`.  Paul Tagliamonte paul...@debian.org | Proud Debian Developer
: :'  : 4096R / 8F04 9AD8 2C92 066C 7352 D28A 7B58 5B30 807C 2A87
`. `'`  http://people.debian.org/~paultag
 `-     http://people.debian.org/~paultag/conduct-statement.txt
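An added example, not part of the original message and not Debian's or XStatic's tooling: a release-time check that opens an sdist tarball and distinguishes files that merely declare a license (the `LICENSE = '(same as %s)'` line and the `License: MIT` header quoted above) from files that actually carry the permission notice. The tarball contents, the `DISPLAY_NAME` value, the copyright placeholder and all function names are constructed for illustration.

```python
import io
import re
import tarfile

LICENSE_NAME_RE = re.compile(r"^(LICEN[CS]E|COPYING|NOTICE)(\.[A-Za-z]+)?$", re.I)
DECLARATION_RE = re.compile(r"license\s*[:=]\s*['\"(]*\s*(mit|expat|same as)")
# The condition clause of the MIT/Expat license, as quoted in the thread.
MIT_CONDITION = ("The above copyright notice and this permission notice shall "
                 "be included in all copies or substantial portions of the "
                 "Software.")
MAX_SCAN_BYTES = 2_000_000  # skip very large members


def normalize(text):
    """Collapse whitespace and case so re-wrapped license text still matches."""
    return " ".join(text.split()).lower()


def audit_sdist(fileobj):
    """Report where an sdist declares a license and where it ships the notice."""
    report = {"license_files": [], "notice_in": [], "declared_only_in": []}
    needle = normalize(MIT_CONDITION)
    with tarfile.open(fileobj=fileobj, mode="r:*") as archive:
        for member in archive:
            if not member.isfile() or member.size > MAX_SCAN_BYTES:
                continue
            if LICENSE_NAME_RE.match(member.name.rsplit("/", 1)[-1]):
                report["license_files"].append(member.name)
            raw = archive.extractfile(member).read()
            text = normalize(raw.decode("utf-8", "replace"))
            if needle in text:
                report["notice_in"].append(member.name)
            elif DECLARATION_RE.search(text):
                report["declared_only_in"].append(member.name)
    report["notice_included"] = bool(report["notice_in"])
    return report


def build_sdist(files):
    """Build an in-memory .tar.gz from {path: text} (test fixture helper)."""
    buffer = io.BytesIO()
    with tarfile.open(fileobj=buffer, mode="w:gz") as archive:
        for name, content in files.items():
            data = content.encode("utf-8")
            info = tarfile.TarInfo(name)
            info.size = len(data)
            archive.addfile(info, io.BytesIO(data))
    buffer.seek(0)
    return buffer


ROOT = "XStatic-Angular-Bootstrap-0.11.0.2/"
# Constructed stand-in for the rejected tarball: declarations only.
UNFIXED_SDIST = {
    ROOT + "xstatic/pkg/angular_bootstrap/__init__.py":
        "DISPLAY_NAME = 'Angular-Bootstrap'\n"
        "LICENSE = '(same as %s)' % DISPLAY_NAME\n",
    ROOT + "xstatic/pkg/angular_bootstrap/data/angular-bootstrap.js":
        "/*\n * angular-ui-bootstrap\n * http://angular-ui.github.io/bootstrap/\n"
        " * Version: 0.11.0 - 2014-05-01\n * License: MIT\n */\n",
}
# Constructed fixed tarball: same files plus a LICENSE carrying the notice
# (warranty disclaimer left out of this sample text).
FIXED_SDIST = dict(UNFIXED_SDIST)
FIXED_SDIST[ROOT + "LICENSE"] = (
    "Copyright (c) <year> <copyright holders>\n\n"
    "Permission is hereby granted, free of charge, to any person obtaining a\n"
    "copy of this software and associated documentation files (the\n"
    "\"Software\"), to deal in the Software without restriction, subject to\n"
    "the following conditions:\n\n"
    "The above copyright notice and this permission notice shall be included\n"
    "in all copies or substantial portions of the Software.\n")

if __name__ == "__main__":
    for label, files in (("unfixed", UNFIXED_SDIST), ("fixed", FIXED_SDIST)):
        print(label, audit_sdist(build_sdist(files)))
```

Run against the tarball produced by the release job, a `notice_included` of `False` is the condition the FTP master review flagged by hand.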