Bug#885042: Check inclusion of Apache 2.0 NOTICE files

2018-01-20 Thread Russ Allbery
Russ Allbery  writes:

> I'll be open about this: I think that there's a deep mismatch between
> how we like to discuss things, which is why I'm trying to avoid getting
> into a back and forth.  I think you're just trying to be clear and
> precise, but I find the close textual reading that you're doing in this
> discussion demoralizing and off-putting.

...which should have been my cue to just sleep on it.

Ben, I'm sorry, I now understand what happened, I think.  I was way too
tired last night and couldn't figure out what you were getting at, and
then got frustrated.

I believe you thought I was arguing that copying the contents of NOTICE
into debian/copyright *wasn't* allowed by the license for some reason.
That had never occurred to me; I was assuming as a given that of course
that was fine with the license.  So I got really confused about why you
were debating what the license said.

Then, in trying to figure out why you were talking about the specific
wording of the license, I ended up thinking you were arguing that any
normal construction of debian/copyright would naturally include all the
information that upstream would put in a NOTICE file, even if the
maintainer never looked at the NOTICE file.  (In my defense, I've seen a
fair number of Apache 2.0 packages where the NOTICE file was just a copy
of the license grant paragraph, so if one only saw such packages, it
wouldn't be an outlandish assumption.)  So I started arguing about that,
which wasn't what you meant at all.

Anyway, just to try to finally clear up this misunderstanding, I
completely agree with you that putting the contents of NOTICE in
debian/copyright complies with the Apache 2.0 license.  My argument is
only that that's fragile and more effort to maintain, not that it's not
allowed.  I personally want the Lintian tag because I don't trust myself
to remember to check for NOTICE files, particularly if upstream introduces
one in a later release after the first packaging, and don't trust myself
to remember to update a copy of it.  I have no opinion about its severity
or certainty, given that there is an alternate way of satisfying the
license that would trigger the tag.

I'm very sorry for having gotten irritated with you over a
misunderstanding.  I really need to not reply to email I'm puzzled by at
the tail end of a long week without enough sleep.

-- 
Russ Allbery (r...@debian.org)   



Bug#885042: Check inclusion of Apache 2.0 NOTICE files

2018-01-20 Thread Ben Finney
On 20-Jan-2018, Russ Allbery wrote:
> […] I can try to write one more message to summarize how I see this
> overall.

Thank you for doing so. In the interest of not making a finely-parsed
reply, I'll leave it at that and read it in detail later :-) You've
certainly exceeded my request to explain your position, so again,
thanks.

-- 
 \“My doctor told me to stop having intimate dinners for four. |
  `\   Unless there are three other people.” —Orson Welles |
_o__)  |
Ben Finney 




Bug#885042: Check inclusion of Apache 2.0 NOTICE files

2018-01-20 Thread Russ Allbery
Ben Finney  writes:

> Thanks for saying so. To talk with them, though, I would be better
> informed if I could say what your position is and know why; as it is I
> feel I would be putting words into your mouth. I don't want to do that,
> but that's what I'm left with so far.

Fair, particularly since I misstated part of it in my previous message (I
don't disagree with your interpretation of the license, just of Debian
Policy).

I'll be open about this: I think that there's a deep mismatch between how
we like to discuss things, which is why I'm trying to avoid getting into a
back and forth.  I think you're just trying to be clear and precise, but I
find the close textual reading that you're doing in this discussion
demoralizing and off-putting.  But I can try to write one more message to
summarize how I see this overall.

After that, I really do need to stop, even if there are further unanswered
questions about the specifics, since I truly don't think the specifics
that you're calling out are either important or relevant to my argument,
and I feel like all I'm doing is restating my original bug report in
different words (and way, way more of them...).

I have the following relevant goals as a package maintainer:

1. Spend as little time as possible on maintaining the debian/copyright
   file consistent with the requirements of that file, since this time is
   generally far less productive than time spent elsewhere on a package in
   terms of providing utilitarian value for package users (including
   myself).

2. Minimize the chances that I will not comply with the upstream license.

3. Within the possible bugs I could accidentally introduce under the
   requirements of the upstream license, minimize the chances that I won't
   comply with a requirement that upstream truly cares about.

The last point requires a bit of explanation.

The Apache 2.0 license requires preserving both copyright notices (4c) and
the attribution notices in NOTICE (4d).  However, my experience tells me
that most upstreams do not really care about 4c.  Frequently they don't
update their copyright notices *themselves*, and even when they do, I have
literally never, in my entire time packaging software for Debian, seen an
upstream complain about an error in recording a newly-introduced copyright
notice.

However, these attribution notices in the NOTICE file are something that I
have had upstreams care about a lot.  They may be required records of
funding, they may be important for giving proper credit in ways that
upstream cares a lot about, and so forth.  This is a unique feature of the
Apache 2.0 license, and while mostly people pick the license for other
reasons, this may be something that really matters to them.

If you follow a packaging model where debian/copyright contains only the
copyright and license notices (and the various origin information, which
almost never changes), and the NOTICE file is separately installed, this
means that the only debian/copyright maintenance I have to do when
packaging a new upstream release is to run "git grep Copyright" and update
years (or, rarely, add a new upstream copyright holder), and then do a
spot check of new files to be sure upstream didn't introduce some other
license.  If I am transcribing the NOTICE file into debian/copyright, I
have to do an additional step.

But, more importantly, notice the failure mode: if I forget to do the
debian/copyright update, I might fail goal 2 if there are new upstream
copyright notices.  However, I will never fail goal 3 unless upstream adds
a new NOTICE file that didn't previously exist: this is *structurally*
ensured by the nature of the packaging.  And with this Lintian tag,
Lintian will tell me about even that case, so I will *never* fail goal 3.
The worst thing that will happen is that I'll fail to update copyright
notices, which, again, literally no one has ever actually cared about in
any package I maintain in all the time I've worked on Debian.

(Well, to be complete, there's *some* chance that I might miss a more
serious licensing bug due to a newly-introduced license, but this is quite
rare and the chances are small.)

If, instead, I copy the NOTICE file into debian/copyright, I have to
remember to check it again with each upstream release, and if I don't, I
risk failing on both goals 2 and 3.

Worse, synchronizing the NOTICE file with debian/copyright is not easily
testable.  I'd have to write a more complicated test that maps the
reformatted debian/copyright text (since I use copyright-format 1.0) to
the presentation in the NOTICE file to check all the data is included.  By
comparison, whether I installed the NOTICE file is trivially testable.
All things being equal, I believe in the design principle that you should
use the more testable approach over the less testable approach, since
humans always make mistakes.

The solution proposed in this Lintian tag addresses all goals for me with
a minimum of overhead: with a 

Bug#885042: Check inclusion of Apache 2.0 NOTICE files

2018-01-19 Thread Ben Finney
On 19-Jan-2018, Russ Allbery wrote:
> Ben Finney  writes:
> 
> > We may be describing different problems. I am responding to a bug report
> > that claims:
> 
> > Apache 2.0 requires distributing any NOTICE file along with
> > derivative works […]
> 
> > and I'm asking how that assertion squares with the text of the license.
> 
> Oh, if that was the question, the answer is that this was a quick
> and mildly inaccurate paraphrase of the actual license text because
> my bug report was written quickly.

Yes, I was taking that as your paraphrase of the intent of the license
text. I'm questioning how you get to that stated intent, because I
don't see it in the license text.

> Well, I don't agree with your interpretation of either Debian Policy
> or the license, and the active Lintian developers added the check I
> wanted, so I'm happy.

Thanks. I think you're telling me you don't want to engage with my
question about how you get the above statement of intent, from the
actual text of the license?

You're under no obligation of course, and I'm not demanding it; but
I'm currently at a loss to understand how you get there.

> If you want to try to talk the Lintian developers into removing the
> check again, feel free, and I won't further get in your way.

Thanks for saying so. To talk with them, though, I would be better
informed if I could say what your position is and know why; as it is I
feel I would be putting words into your mouth. I don't want to do
that, but that's what I'm left with so far.

> My entire purpose in opening the original bug was to provide Debian
> packagers a pointer to an easy way to avoid this fiddly bit of
> license trivia with zero ongoing maintenance cost.

Likewise, my purpose here is to try to revoke this Lintian check,
since I see it as only causing extra work for no benefit.

> Talking it to death is directly contrary to the entire reason I
> created this bug. :)

I appreciate that sentiment :-)

I leave it open for you to go to the effort of explaining the missing
connection, so I don't have to guess when talking about it with the
Lintian maintainers.

-- 
 \   “The long-term solution to mountains of waste is not more |
  `\  landfill sites but fewer shopping centres.” —Clive Hamilton, |
_o__)_Affluenza_, 2005 |
Ben Finney 




Bug#885042: Check inclusion of Apache 2.0 NOTICE files

2018-01-19 Thread Russ Allbery
Ben Finney  writes:

> We may be describing different problems. I am responding to a bug report
> that claims:

> Apache 2.0 requires distributing any NOTICE file along with
> derivative works […]

> and I'm asking how that assertion squares with the text of the license.

Oh, if that was the question, the answer is that this was a quick and
mildly inaccurate paraphrase of the actual license text because my bug
report was written quickly.

Please assume that part of my message actually contains the full text of
the relevant point of the license.  It makes no difference from my
perspective in my request for a Lintian tag.

> That point also doesn't support making a Lintian error for failing to
> duplicate information that, when the Debian Policy requirements are
> satisfied by transcribing that information into the ‘copyright’ file
> installed with every binary package, entirely satisfies the Apache
> License 2.0 §4(d) requirements.

Well, I don't agree with your interpretation of either Debian Policy or
the license, and the active Lintian developers added the check I wanted,
so I'm happy.  If you want to try to talk the Lintian developers into
removing the check again, feel free, and I won't further get in your way.
I find this check very useful for all the reasons I previously stated, and
which I think are fairly obvious on this thread, so I'll be sad if that
happens, but I suppose I can write my own check if I need to.

I've already invested more time in this discussion than I will spend on
installing the NOTICE file for every package I'm likely to maintain under
this license for the next ten years, so I think I've exhausted my budget
of being willing to elaborate, particularly since I really don't have
anything more to add to my original rationale and my immediately previous
message.  My entire purpose in opening the original bug was to provide
Debian packagers a pointer to an easy way to avoid this fiddly bit of
license trivia with zero ongoing maintenance cost.  Talking it to death is
directly contrary to the entire reason I created this bug.  :)

-- 
Russ Allbery (r...@debian.org)   



Bug#885042: Check inclusion of Apache 2.0 NOTICE files

2018-01-19 Thread Ben Finney
On 19-Jan-2018, Russ Allbery wrote:
> Ben Finney  writes:
> 
> > Why the entire contents? The only thing that clause requires is “the
> > attribution notices contained within such NOTICE file”.
> 
> Let's make this more concrete, because I'm not sure you understand
> the nature of the problem.

We may be describing different problems. I am responding to a bug
report that claims:

Apache 2.0 requires distributing any NOTICE file along with
derivative works […]

and I'm asking how that assertion squares with the text of the
license.

> Here's an example of a NOTICE file from a real Debian package:
> 
>[…]
> 
> What parts of this do you think are attribution notices?
> What parts of this do you think a Debian developer would naturally
> include in debian/copyright?

I can't claim to know what an unspecified Debian developer would
naturally do.

You appear to be asking that to make the point that it's difficult to
maintain transcribed information when that information is subject to
change; I agree with that point.

That point is not special to the Apache License 2.0 requirements.

That point also doesn't support making a Lintian error for failing to
duplicate information that, when the Debian Policy requirements are
satisfied by transcribing that information into the ‘copyright’ file
installed with every binary package, entirely satisfies the Apache
License 2.0 §4(d) requirements.

> Important additional piece of information: other than in this file,
> the string "The Danish CLARIN Consortium" appears nowhere in the
> upstream source distribution, and the string "The National Research
> Council of Canada" appears only here and in a CREDITS file.

I don't see how that's relevant to the justification of what the
Apache License 2.0 requires.

Either that information is required in the ‘copyright’ file (because
it is attribution notices needed for copyright information), or
they're not attribution notices and so the Apache License 2.0 doesn't
require us to distribute that information.

If there isn't a special requirement on us to copy the ‘NOTICE’ file
in addition to the existing Debian policy requirements – and my
reading of this bug report leads me to conclude there is no such
special requirement – I don't see why we'd impose a Lintian error tag
for that.

-- 
 \  “[I]t is impossible for anyone to begin to learn that which he |
  `\thinks he already knows.” —Epictetus, _Discourses_ |
_o__)  |
Ben Finney 




Bug#885042: Check inclusion of Apache 2.0 NOTICE files

2018-01-19 Thread Russ Allbery
Ben Finney  writes:

> Why the entire contents? The only thing that clause requires is “the
> attribution notices contained within such NOTICE file”.

Let's make this more concrete, because I'm not sure you understand the
nature of the problem.  Here's an example of a NOTICE file from a real
Debian package:

We wish to acknowledge the following copyrighted works that make up
portions of this software:

This product includes software developed by the Apache Software
Foundation (http://www.apache.org/).

This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit. (http://www.openssl.org/).

This project uses libraries covered by the Lesser GNU Public License.
Source code for these libraries is available on request.

This product includes software developed, copyrighted, and/or
contributed by:

The Ohio State University
The National Research Council of Canada
The Danish CLARIN Consortium
National Institute of Informatics in Japan

What parts of this do you think are attribution notices?

What parts of this do you think a Debian developer would naturally include
in debian/copyright?  Important additional piece of information: other
than in this file, the string "The Danish CLARIN Consortium" appears
nowhere in the upstream source distribution, and the string "The National
Research Council of Canada" appears only here and in a CREDITS file.

What makes you confident that the process you propose would continue to
satisfy the license going forward during normal upstream updates?

How much energy would you want to spend on defending your interpretation
of this in order to avoid installing this file in the documentation area
of the package?

-- 
Russ Allbery (r...@debian.org)   



Bug#885042: Check inclusion of Apache 2.0 NOTICE files

2018-01-19 Thread Ben Finney
On 19-Jan-2018, Russ Allbery wrote:
> Ben Finney  writes:
> 
> > That does require “Derivative Works […] must include a readable
> > copy of the attribution notices contained within such NOTICE file
> > […] in at least one of the following places: […] within the Source
> > form or documentation, if provided along with the Derivative
> > Works; […]”.
> 
> > Do you think the routine inclusion of those notices, in the package's
> > ‘copyright’ file, does not satisfy [Apache License 2.0 §4(d)]?
> 
> It does if you actually include the entire contents of NOTICE in the
> copyright file

Why the entire contents? The only thing that clause requires is “the
attribution notices contained within such NOTICE file”.

Do you think that clause requires duplicating, in addition to the
attribution notices, anything extra from the ‘NOTICE’ file?

> Perhaps you were under the assumption that the NOTICE file contains
> only the copyright and license statement that we would naturally put
> in debian/copyright anyway?

I find the Apache License 2.0 §4(d) requires duplication of *only* the
attribution notices. That is satisfied by adhering to Debian's own
requirements for the ‘copyright’ file.

> While there are other ways to satisfying the Apache 2.0 requirement,
> I strongly believe that the best approach for *Debian* as a whole to
> take is to just routinely install the NOTICE file as part of the
> package documentation.

I think this would be entirely superfluous with the general Debian
requirements for *all* its packages. I would like to know why you
think more is required than what we already routinely transcribe into
the ‘copyright’ file.

-- 
 \   “Most people are other people. Their thoughts are someone |
  `\  else’s opinions, their lives a mimicry, their passions a |
_o__)   quotation.” —Oscar Wilde, _De Profundis_, 1897 |
Ben Finney 




Bug#885042: Check inclusion of Apache 2.0 NOTICE files

2018-01-19 Thread Russ Allbery
Ben Finney  writes:

> That does require “Derivative Works […] must include a readable copy of
> the attribution notices contained within such NOTICE file […] in at
> least one of the following places: […] within the Source form or
> documentation, if provided along with the Derivative Works; […]”.

> Do you think the routine inclusion of those notices, in the package's
> ‘copyright’ file, does not satisfy the above clause?

It does if you actually include the entire contents of NOTICE in the
copyright file, and are meticulous about updating debian/copyright every
time upstream changes the NOTICE file.  I definitely do not trust myself
to do this, particularly when just installing the NOTICE file is trivial
with our packaging tools and makes the problem go away completely.

Perhaps you were under the assumption that the NOTICE file contains only
the copyright and license statement that we would naturally put in
debian/copyright anyway?  While there are *some* Apache 2.0 packages where
this is the case, there is nothing about the Apache 2.0 license that
requires this, and there are definitely packages where this is *not* the
case.

While there are other ways to satisfying the Apache 2.0 requirement, I
strongly believe that the best approach for *Debian* as a whole to take is
to just routinely install the NOTICE file as part of the package
documentation.  This is simple, foolproof, trivial to do, and lets us
forget about this issue entirely rather than carefully analyzing the
situation or remembering to resync copies of the upstream file.

-- 
Russ Allbery (r...@debian.org)   



Bug#885042: Check inclusion of Apache 2.0 NOTICE files

2018-01-19 Thread Ben Finney
On 22-Dec-2017, Russ Allbery wrote:

> Apache 2.0 requires distributing any NOTICE file along with
> derivative works […]

My reading of the license text doesn't match that. I think you are
referring to Apache License version 2.0, § 4 (d):

  (d) If the Work includes a "NOTICE" text file as part of its
  distribution, then any Derivative Works that You distribute
  must include a readable copy of the attribution notices
  contained within such NOTICE file, excluding those notices
  that do not pertain to any part of the Derivative Works, in
  at least one of the following places: within a NOTICE text
  file distributed as part of the Derivative Works; within the
  Source form or documentation, if provided along with the
  Derivative Works; or, within a display generated by the
  Derivative Works, if and wherever such third-party notices
  normally appear. The contents of the NOTICE file are for
  informational purposes only and do not modify the License.
  You may add Your own attribution notices within Derivative
  Works that You distribute, alongside or as an addendum to
  the NOTICE text from the Work, provided that such additional
  attribution notices cannot be construed as modifying the
  License.

That does require “Derivative Works […] must include a readable copy
of the attribution notices contained within such NOTICE file […] in at
least one of the following places: […] within the Source form or
documentation, if provided along with the Derivative Works; […]”.

Do you think the routine inclusion of those notices, in the package's
‘copyright’ file, does not satisfy the above clause? I think it does:
that file is installed in the documentation along with the package.

So, I am not seeing how you think the ‘NOTICE’ file itself must be
duplicated.

-- 
 \ “Pinky, are you pondering what I'm pondering?” “I think so, but |
  `\  where will we find an open tattoo parlor at this time of |
_o__)   night?” —_Pinky and The Brain_ |
Ben Finney 




Bug#885042: Check inclusion of Apache 2.0 NOTICE files

2018-01-02 Thread Russ Allbery
Vincent Bernat  writes:

> There is some irony on having a warning about license.txt that shouldn't
> be in the binary copyright (because "all license information should be
> collected in the debian/copyright file") but an error when we don't copy
> the notice file.

Yeah, this provision of the Apache 2.0 license is a little weird, and I
get the impression it doesn't register with people as much as it should.
A bit like the GPL requirement to keep a changelog, which I see violated
all over the place.  (Including probably occasionally in Debian, although
normal Debian best practices with debian/changelog would satisfy it.)

Free software licenses have a lot more restrictions and specific
requirements than a lot of people realize they do, and there are a *lot*
of technical violations of free software licenses out there.

-- 
Russ Allbery (r...@debian.org)   



Bug#885042: Check inclusion of Apache 2.0 NOTICE files

2018-01-02 Thread Vincent Bernat
 ❦  2 January 2018 12:04 -0800, Russ Allbery  :

>>> We currently allow distribution of a binary-package-only Debian image
>>> along with a written offer of source or, for non-commercial
>>> distribution, a simple pointer to the Debian source archives.  This
>>> complies with the GPL but wouldn't, at least by my reading, comply with
>>> the Apache 2.0 license unless we include the NOTICE files in binary
>>> packages.  (Which is fairly trivial to do -- in fact, I wonder if we
>>> should just solve this problem in debhelper and add NOTICE to the
>>> default debhelper dh_installdocs whitelist.)
>
>> Except for cases where the whole work is not under Apache license, only
>> part of it. In this case, the NOTICE file may not be at the
>> root. License also says documentation is fine, so debian/copyright could
>> be enough.
>
> debian/copyright would definitely be enough if people remembered to check
> NOTICE for each upstream release and copy its contents into
> debian/copyright, but I've forgotten to do this for packages in the past.
> Just installing the NOTICE files seems more foolproof to me, and involves
> less fiddly checklist stuff with each new upstream release.
>
> Good point about it possibly being hard for debhelper to find all the
> NOTICE files, though.

There is some irony on having a warning about license.txt that shouldn't
be in the binary copyright (because "all license information should be
collected in the debian/copyright file") but an error when we don't copy
the notice file.
-- 
Patch griefs with proverbs.
-- William Shakespeare, "Much Ado About Nothing"




Bug#885042: Check inclusion of Apache 2.0 NOTICE files

2018-01-02 Thread Russ Allbery
Vincent Bernat  writes:
>  ❦  2 January 2018 10:42 -0800, Russ Allbery  :

>> We currently allow distribution of a binary-package-only Debian image
>> along with a written offer of source or, for non-commercial
>> distribution, a simple pointer to the Debian source archives.  This
>> complies with the GPL but wouldn't, at least by my reading, comply with
>> the Apache 2.0 license unless we include the NOTICE files in binary
>> packages.  (Which is fairly trivial to do -- in fact, I wonder if we
>> should just solve this problem in debhelper and add NOTICE to the
>> default debhelper dh_installdocs whitelist.)

> Except for cases where the whole work is not under Apache license, only
> part of it. In this case, the NOTICE file may not be at the
> root. License also says documentation is fine, so debian/copyright could
> be enough.

debian/copyright would definitely be enough if people remembered to check
NOTICE for each upstream release and copy its contents into
debian/copyright, but I've forgotten to do this for packages in the past.
Just installing the NOTICE files seems more foolproof to me, and involves
less fiddly checklist stuff with each new upstream release.

Good point about it possibly being hard for debhelper to find all the
NOTICE files, though.

-- 
Russ Allbery (r...@debian.org)   



Bug#885042: Check inclusion of Apache 2.0 NOTICE files

2018-01-02 Thread Vincent Bernat
 ❦  2 January 2018 10:42 -0800, Russ Allbery  :

>>> Apache 2.0 requires distributing any NOTICE file along with derivative
>>> works, but this is easy to forget.  In many cases, we have effectively
>>> the same information in debian/copyright, but even if this is the case
>>> for a specific release, it's not guaranteed to stay the case in the
>>> future and it's easy to forget to check.
>
>> The license says notice can be provided with the source form: "within
>> the Source form or documentation, if provided along with the Derivative
>> Works". IMO, that's already what we do as this is how we comply with
>> GPL-like licenses.
>
> We currently allow distribution of a binary-package-only Debian image
> along with a written offer of source or, for non-commercial distribution,
> a simple pointer to the Debian source archives.  This complies with the
> GPL but wouldn't, at least by my reading, comply with the Apache 2.0
> license unless we include the NOTICE files in binary packages.  (Which is
> fairly trivial to do -- in fact, I wonder if we should just solve this
> problem in debhelper and add NOTICE to the default debhelper
> dh_installdocs whitelist.)

Except for cases where the whole work is not under Apache license, only
part of it. In this case, the NOTICE file may not be at the
root. License also says documentation is fine, so debian/copyright could
be enough.
-- 
Write clearly - don't sacrifice clarity for "efficiency".
- The Elements of Programming Style (Kernighan & Plauger)




Bug#885042: Check inclusion of Apache 2.0 NOTICE files

2018-01-02 Thread Russ Allbery
Vincent Bernat  writes:
>  ❦ 22 December 2017 19:58 -0800, Russ Allbery  :

>> Apache 2.0 requires distributing any NOTICE file along with derivative
>> works, but this is easy to forget.  In many cases, we have effectively
>> the same information in debian/copyright, but even if this is the case
>> for a specific release, it's not guaranteed to stay the case in the
>> future and it's easy to forget to check.

> The license says notice can be provided with the source form: "within
> the Source form or documentation, if provided along with the Derivative
> Works". IMO, that's already what we do as this is how we comply with
> GPL-like licenses.

We currently allow distribution of a binary-package-only Debian image
along with a written offer of source or, for non-commercial distribution,
a simple pointer to the Debian source archives.  This complies with the
GPL but wouldn't, at least by my reading, comply with the Apache 2.0
license unless we include the NOTICE files in binary packages.  (Which is
fairly trivial to do -- in fact, I wonder if we should just solve this
problem in debhelper and add NOTICE to the default debhelper
dh_installdocs whitelist.)

-- 
Russ Allbery (r...@debian.org)   



Bug#885042: Check inclusion of Apache 2.0 NOTICE files

2018-01-02 Thread Vincent Bernat
 ❦ 22 December 2017 19:58 -0800, Russ Allbery  :

> Apache 2.0 requires distributing any NOTICE file along with derivative
> works, but this is easy to forget.  In many cases, we have effectively
> the same information in debian/copyright, but even if this is the case
> for a specific release, it's not guaranteed to stay the case in the
> future and it's easy to forget to check.

The license says notice can be provided with the source form: "within
the Source form or documentation, if provided along with the Derivative
Works". IMO, that's already what we do as this is how we comply with
GPL-like licenses.
-- 
"You have been in Afghanistan, I perceive."
-- Sir Arthur Conan Doyle, "A Study in Scarlet"




Bug#885042: Check inclusion of Apache 2.0 NOTICE files

2017-12-23 Thread Chris Lamb
Hi Russ,

> I suspect you want package.docs in the long description of the tag instead
> of package.install.

Hah, yep; not sure how I typo'd that given that I meant to copy the
exact meta-syntactic variable used in the dh_installdocs manpage.

Fixed in:

  
https://anonscm.debian.org/git/lintian/lintian.git/commit/?id=0fa3c2abc9db5f8e3b8d4cc8a8c48a6f543eef64


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#885042: Check inclusion of Apache 2.0 NOTICE files

2017-12-23 Thread Russ Allbery
Chris Lamb  writes:

> Good catch. Fixed in Git:

>   https://anonscm.debian.org/git/lintian/lintian.git/commit/?id=6110e0f1185e26d903dd0ed8a7a8edaae14cf905

I suspect you want package.docs in the long description of the tag instead
of package.install.

-- 
Russ Allbery (r...@debian.org)   



Bug#885042: Check inclusion of Apache 2.0 NOTICE files

2017-12-23 Thread Chris Lamb
tags 885042 + pending
thanks

Good catch. Fixed in Git:

  
https://anonscm.debian.org/git/lintian/lintian.git/commit/?id=6110e0f1185e26d903dd0ed8a7a8edaae14cf905


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#885042: Check inclusion of Apache 2.0 NOTICE files

2017-12-22 Thread Russ Allbery
Package: lintian
Version: 2.5.65
Severity: wishlist

Apache 2.0 requires distributing any NOTICE file along with derivative
works, but this is easy to forget.  In many cases, we have effectively
the same information in debian/copyright, but even if this is the case
for a specific release, it's not guaranteed to stay the case in the
future and it's easy to forget to check.

I think Lintian could warn if a NOTICE file exists in the source tree
and the package says in debian/copyright that it's under Apache 2.0, but
the NOTICE file is not included in the package documentation files.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- no debconf information
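
The check requested in the bug report above, and the point made earlier in the thread that installing NOTICE is easier to test than transcribing it, sketched as an added example; this is not Lintian's implementation and not code from the thread. It goes beyond a file-name test by matching content, so a NOTICE from an embedded component that is not at the source root, or a stale installed copy, is also reported. The names `NOTICE_NAMES` and `missing_notices`, the `installed` mapping of binary-package paths to file contents, and the sample tree are assumptions constructed for the example.

```python
import gzip
import hashlib
import os
import re
import tempfile
import zlib

NOTICE_NAMES = {"NOTICE", "NOTICE.txt"}  # assumption: names treated as NOTICE files
# copyright-format 1.0 "License:" field, or the license name in free-form prose
APACHE2_FIELD = re.compile(r"^License:[ \t]*.*\bApache-2(\.0)?\b", re.I | re.M)
APACHE2_PROSE = re.compile(r"Apache License,?\s+Version 2\.0", re.I)
DOC_DIR = re.compile(r"^(?:\./)?usr/share/doc/[^/]+/")


def declares_apache2(copyright_text):
    """True if debian/copyright says some part of the package is Apache 2.0."""
    return bool(APACHE2_FIELD.search(copyright_text)
                or APACHE2_PROSE.search(copyright_text))


def find_notice_files(source_root):
    """Relative paths of NOTICE files anywhere in the tree, not only the root."""
    found = []
    for dirpath, dirnames, filenames in os.walk(source_root):
        if dirpath == source_root:  # skip packaging and VCS metadata
            dirnames[:] = [d for d in dirnames if d not in ("debian", ".git")]
        for name in filenames:
            if name in NOTICE_NAMES:
                full = os.path.join(dirpath, name)
                found.append(os.path.relpath(full, source_root))
    return sorted(found)


def digest(data, path=""):
    """SHA-256 of a file's content, looking through gzip-compressed docs."""
    if path.endswith(".gz"):
        try:
            data = gzip.decompress(data)
        except (OSError, EOFError, zlib.error):
            pass  # not valid gzip: hash the bytes as they are
    return hashlib.sha256(data).hexdigest()


def missing_notices(source_root, installed):
    """Source NOTICE files with no identical copy under usr/share/doc/<pkg>/.

    `installed` maps paths inside the binary package to their bytes.
    An empty list means there is nothing to report.
    """
    try:
        with open(os.path.join(source_root, "debian", "copyright"),
                  encoding="utf-8", errors="replace") as fh:
            if not declares_apache2(fh.read()):
                return []
    except FileNotFoundError:
        return []
    shipped = {digest(data, path) for path, data in installed.items()
               if DOC_DIR.match(path)}
    missing = []
    for rel in find_notice_files(source_root):
        with open(os.path.join(source_root, rel), "rb") as fh:
            if digest(fh.read()) not in shipped:
                missing.append(rel)
    return missing


def build_sample(root, license_line="License: Apache-2.0"):
    """Constructed source tree: a root NOTICE plus one in an embedded component."""
    files = {
        "debian/copyright": (
            "Format: https://www.debian.org/doc/packaging-manuals/"
            "copyright-format/1.0/\n\nFiles: *\n"
            "Copyright: 2017 Example Upstream\n" + license_line + "\n"),
        "NOTICE": "This product includes software developed by Example Upstream.\n",
        "vendor/libfoo/NOTICE": "Includes software contributed by Example University.\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return files


def demo():
    """Run the check on three constructed binary-package layouts."""
    with tempfile.TemporaryDirectory() as root:
        files = build_sample(root)
        installed = {
            "./usr/share/doc/foo/copyright": files["debian/copyright"].encode(),
            "./usr/share/doc/foo/NOTICE": files["NOTICE"].encode(),
        }
        partial = missing_notices(root, installed)   # nested NOTICE not shipped
        installed["./usr/share/doc/foo/NOTICE.libfoo.gz"] = gzip.compress(
            files["vendor/libfoo/NOTICE"].encode())
        complete = missing_notices(root, installed)  # both shipped, one compressed
        stale = missing_notices(
            root, {"./usr/share/doc/foo/NOTICE": b"text from an older release\n"})
    return partial, complete, stale


if __name__ == "__main__":
    print(demo())
```
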