Bug#883731: audacious: Debian packaging has incorrect license

[Andrej Shadura]

On Tue, 23 Oct 2018 at 03:51, Nicholas D Steeves  wrote:
>
> On Mon, Oct 22, 2018 at 08:50:56PM +0200, Andrej Shadura wrote:
> >
> >I was going to have a look but got distracted by writing kernel drivers
> >â** fascinating stuff :D
> >I will try and spend some time this week on this. If not, I'll post an
> >update here.
>
> Thank you Andrej!  Very much appreciated :-)  I hope this bug contains
> all the information you need.
>
> Yes, they really are, although I must confess the details are a bit
> above my head.  Kudos for getting to that level of proficiency!  By
> the way, assuming you're a member of a the Multimedia Team, and are
> interested in kernel drivers, are you the Debian guy to contact for
> audio interface driver issues (eg: model specific quirks) or wishlist
> "please support this new awesome interface or peripheral"? ;-)

Haha, I’m just a beginner — this is my first driver, and it’s not
related to multimedia (a driver to support a hardware random number
generator in U2F Zero).
So far this is my fourth patch to the Linux kernel; nevertheless, it’s
quite some fun to work with that and see how things work (or not — and
crash your system if you’re not careful *or* if you don’t run tests in
a qemu).

-- 
Cheers,
  Andrej

Bug#883731: audacious: Debian packaging has incorrect license

[Nicholas D Steeves]

On Mon, Oct 22, 2018 at 08:50:56PM +0200, Andrej Shadura wrote:
> 
>I was going to have a look but got distracted by writing kernel drivers
>â** fascinating stuff :D
>I will try and spend some time this week on this. If not, I'll post an
>update here.

Thank you Andrej!  Very much appreciated :-)  I hope this bug contains
all the information you need.

Yes, they really are, although I must confess the details are a bit
above my head.  Kudos for getting to that level of proficiency!  By
the way, assuming you're a member of a the Multimedia Team, and are
interested in kernel drivers, are you the Debian guy to contact for
audio interface driver issues (eg: model specific quirks) or wishlist
"please support this new awesome interface or peripheral"? ;-)

Cheers,
Nicholas


signature.asc
Description: PGP signature

Bug#883731: audacious: Debian packaging has incorrect license

[Nicholas D Steeves]

Hi Francesco,

On Tue, Dec 12, 2017 at 11:37:46PM +0100, Francesco Poli wrote:
> On Tue, 12 Dec 2017 16:39:28 -0500 Nicholas D Steeves wrote:
> 
> [...]
> > This is one of the reasons the FSF demands copyright
> > assignment for their projects...they want to be able to relicense at
> > any point in the future without having to contact and document consent
> > from all contributors.
> 
> Yeah, right: they want to do what they like, without asking whether the
> contributors are fine with their decisions...
> Personally, I consider this FSF copyright assignment policy a very bad
> practice!
> 
> But I am digressing...

Sorry this email fell through the cracks, even if it is a digression.
I agree that FSF copyright assignment is at odds with the ethos of
empowering the people, because it transfers the people's power to the
organisation--trusting in its beneficence.  Oh, and that it's
identical to the people -> communist party power structure (the people
lose power), or the feudal copyright assignment of employee work to
their employers.

That said, it does make project management easier for the legal and
paperwork side--and for keeping things consistent, particularly if
records are ever lost...which counts as a pro, from a top-down
perspective ;-)

I haven't reread the history of this bug, but if I remember correctly
it's a win for GPL if the GPL translations are combined with BSD
sources, because the resulting binaries become inherently GPL,
assuming the translation meet the criteria for copyrightable material
(eg: originality).  I understand how to this could be frustrating for
a project manager, which is why I thought it was important to mention
the alternative.

Cheers,
Nicholas


signature.asc
Description: PGP signature

Bug#883731: audacious: Debian packaging has incorrect license

[Andrej Shadura]

Hi,

On Mon, 22 Oct 2018, 20:15 Nicholas D Steeves,  wrote:

> Update
>
> Sorry for my deplorable memory and lack of organisation wrt this bug;
> I committed some initial work and then forgot about it.  Given my work
> schedule for Oct and Nov it is unlikely that I will be able to prevent
> the scheduled autoremoval.  If someone else would like to fix it asap
> please go ahead.  Otherwise I anticipate being able to find the time
> to work on this after the 28th of Nov.
>
> I'll go ahead and file a bug asking for confirmation of the license
> for contributors to debian/*, because this information is not
> contained in old-style copyright format and I'm only familiar with
> machine readable copyright format 1.0
>

I was going to have a look but got distracted by writing kernel drivers —
fascinating stuff :D

I will try and spend some time this week on this. If not, I'll post an
update here.

-- 
Cheers,
  Andrej

>

Bug#883731: audacious: Debian packaging has incorrect license

[Nicholas D Steeves]

Update

Sorry for my deplorable memory and lack of organisation wrt this bug;
I committed some initial work and then forgot about it.  Given my work
schedule for Oct and Nov it is unlikely that I will be able to prevent
the scheduled autoremoval.  If someone else would like to fix it asap
please go ahead.  Otherwise I anticipate being able to find the time
to work on this after the 28th of Nov.

I'll go ahead and file a bug asking for confirmation of the license
for contributors to debian/*, because this information is not
contained in old-style copyright format and I'm only familiar with
machine readable copyright format 1.0.

Regards,
Nicholas


signature.asc
Description: PGP signature

Bug#883731: audacious: Debian packaging has incorrect license

[John Lindgren]

Hi Nicholas et. al,

(tallica: This is re: Debian bug #883731, related to the GPL -> BSD
relicensing of Audacious a few years back.  Please take a look at
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883731 for background
if you're interested, otherwise disregard.)

On 12/12/2017 04:39 PM, Nicholas D Steeves wrote:
> For Debian Legal Team: With respect to the translations, I now suspect
> they can probably be transitioned to BSD without issue, because
> copyright is also assigned to the Audacious Translators.  eg, in the
> last GPL-2+ release 3.2.4:
> Copyright (C) Audacious translators

We needed a single copyright line because of the way Transifex is set
up, but it's not meant to indicate copyright assignment.  "Audacious
translators" is not a legal entity and just refers to the individual
translators listed in each .po file, who are the copyright holders.

> John, I removed the offending patch in git for the user-visible
> license provided by the Audacious GUI.  Then I went ahead and did a
> historical relicensing review, in spite of the potential for other
> missing copyright holders due to the Transifex switch.  I am a bit
> concerned about what looks to be a politic of "silence is consent" wrt
> relicensing, and hope that I am wrong, or that I was sloppy in my
> review.  Was the discussing conducted informally off the record?

We took a bit more care with the source code relicensing than with the
translations.  I personally went through Git commit logs and replaced
copyrights of "XMMS team", "BMP team", or "Audacious team" (again, none
of which were legal entities) and replaced them with the names of the
actual contributors.

In many cases, files still credited to "the XMMS team" or "the BMP team"
had been totally rewritten and none of the original code that was under
the XMMS/BMP copyright remained.  Actually, as of today, no original
XMMS code remains in Audacious core (i.e. the "audacious" package) at
all.  The largest body of remaining XMMS code is in the "skins" plugin,
which is still GPL for that very reason.

For the core of Audacious, the remaining copyright holders all gave
consent to relicense their code as BSD, generally by email or via the
IRC channel we had back then.  I don't have any of the emails or IRC
logs saved (sorry) but the date of each of the separate Git commits you
listed reflects the point at which we received permission from the
copyright holders listed in those files.

> Would you please take a look at the following (Ian's reply) for an
> example of how to provide a record of all copyright holder's consent?
> tldr; documented confirmation (eg: via copies of emails or a download
> of a bug report/issue/forum thread) for all contributors who did not
> assign copyright to the Audacious Team in the headers of the files
> they contributed to.

Unfortunately, such documentation doesn't exist, to my knowledge.  I'll
point out any specific information I recall about the commits you mentioned.

> 42cbe57307962e65acc2db24dbe99249453c6aac
The equalizer code was a port from mplayer.  The author, Anders
Johansson, was contacted and gave consent for the relicense, and
incidentally also asked that we retain some of his coding style (see the
previous commit to equalizer.c).

> b308c892f47a55c63ef2675f9b6cf016be037f4c
The session management code was later removed from Audacious, which is
why Ivan and David aren't listed in AUTHORS any longer.

> 31ea4ad1adb84f37ce8fff5b4868df247bd6d913
Michal Lipski (tallica, CC'd) did the footwork in tracking down the
authors of those files, and "where possible" in the commit message
refers to developers who gave consent.  Most of the developers listed in
those files were still around on IRC at the time.

> df1165d2fdd8470b2fd45d2e87cac5373055b55e
"desowin ok'd it" -- desowin is the Tomasz Moń listed in those files.
The rest of us were present on IRC, I think.

> 9a979a5af95eb663435ef99d3b7b5c79b94855be
Jussi Judin was not a core developer at the time; I assume tallica
contacted him.

> 33b58d4d8ba18fcbcc36af5c650414e173e22396
>   * Do you have consent on file to move to BSD license for all
> contributors to XMMS and BMP?

I don't recall the particular IRC discussion referenced in the commit
message, but presumably it was determined that no XMMS/BMP code remained
in those files.

> bc295976816358f9512f99a78e933e6594cce121
The commit message itself lists the copyright holders who gave consent.
Most of those folks were around on IRC and so I would assume that was
how they were contacted.

> 853f96f54bbca608f0c95b5e8bf3fd2146607bdd
Similar, except that (from what I remember) Paula developed that code
under Tony Vroon (Chainsaw)'s mentorship, and he would have vouched for
her consent.

> 3d2ca792a02973fb5e2f33d6273aac825d4f3a55
Here I was reattributing some files to their actual authors based on Git
logs, as I said earlier.  You can see that in this commit, I left the
GPL notice intact on any files whose authors hadn't given consent yet at
that 

Bug#883731: audacious: Debian packaging has incorrect license

[Francesco Poli]

On Tue, 12 Dec 2017 16:39:28 -0500 Nicholas D Steeves wrote:

[...]
> This is one of the reasons the FSF demands copyright
> assignment for their projects...they want to be able to relicense at
> any point in the future without having to contact and document consent
> from all contributors.

Yeah, right: they want to do what they like, without asking whether the
contributors are fine with their decisions...
Personally, I consider this FSF copyright assignment policy a very bad
practice!

But I am digressing...

-- 
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
. Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE


pgpmgr1vBjy_1.pgp
Description: PGP signature

Bug#883731: audacious: Debian packaging has incorrect license

[Nicholas D Steeves]

Hi Ian, Francesco, John, and everyone else reading this,

On Mon, Dec 11, 2017 at 12:28:43AM -0500, John Lindgren wrote:
> On 12/10/2017 06:12 PM, Nicholas D Steeves wrote:
> > In particular I'm concerned about lines like this from
> > d/copyright:
> > 
> > "po/uk.po" is © 2005 Mykola Lynnyk and is distributed under the terms of the
> >  GPL.
> > 
> > Where the new po/uk.po is GPL-incompatible 2-clause BSD:
> 
> The line "Copyright (C) 2005 Mykola Lynnyk <...>" appears to have been
> lost accidentally in commit 1a013156d209b, when we switched over to
> Transifex.  I'll see about restoring it.
> 
> As far as our Git history goes back (to October 2005), uk.po had no
> license declaration and was assumed to be under the same license as the
> source files it translated (which at the time was GPLv2+). At the time
> of the BSD relicense, we took the liberty of assuming that such
> translations would automatically switch to the new license along with
> the source files they translated.  No one (to my knowledge) has
> contacted us in the five years since to clarify that their translations
> were intended to be forever GPL-only, but I suppose that to take a more
> cautious approach, Debian could still distribute the package as GPL in
> total.

For Debian Legal Team: With respect to the translations, I now suspect
they can probably be transitioned to BSD without issue, because
copyright is also assigned to the Audacious Translators.  eg, in the
last GPL-2+ release 3.2.4:
Copyright (C) Audacious translators

Would you please confirm?  It would be nice to be able to simplify the
issue of relicensing for the translations :-)  Also, would you please
confirm or deny the necessity of the work outlined in the second half
of this email?


John, I removed the offending patch in git for the user-visible
license provided by the Audacious GUI.  Then I went ahead and did a
historical relicensing review, in spite of the potential for other
missing copyright holders due to the Transifex switch.  I am a bit
concerned about what looks to be a politic of "silence is consent" wrt
relicensing, and hope that I am wrong, or that I was sloppy in my
review.  Was the discussing conducted informally off the record?

By the way, I definitely support every author's right to choose a
preferred license, so I'm not troubled with a transition to BSD
licensing ;-) This is one of the reasons the FSF demands copyright
assignment for their projects...they want to be able to relicense at
any point in the future without having to contact and document consent
from all contributors.

Would you please take a look at the following (Ian's reply) for an
example of how to provide a record of all copyright holder's consent?
tldr; documented confirmation (eg: via copies of emails or a download
of a bug report/issue/forum thread) for all contributors who did not
assign copyright to the Audacious Team in the headers of the files
they contributed to.  I would be happy to generate such a file[s] if
you can point me in the right direction[s].

On Mon, Dec 11, 2017 at 03:03:09PM +, Ian Jackson wrote:
> Nicholas D Steeves writes ("Re: Bug#883731: audacious: Debian packaging has 
> incorrect license"):
> > Will I also need to provide formal copies in debian/COPYING.emails or
> > would a README.copyright or similar pointing to the bug report
> > suffice?  In particular I'm concerned about lines like this from
> > d/copyright:
> 
> Please put all the necessary information in the source package.
> 
> COPYING.emails is only one filename you might choose to use.  If you
> want to download multiple pages, or something, you can put them in
> separate files.  It's probably a good idea to download them with w3m
> -dump or something.  That produces a human-readable file which doesn't
> depend on any external HTML assets.
> 
> This is much better than simply urls, because (sadly), urls often rot.
> The lifetime of the contents in debian/ is controlled by Debian and
> often exceeds, by large factors, the lifetime of upstream source
> repositories, bug trackers, etc.
> 
> It would be a best praqctice to record the contents _and also_ the url
> you got it from, and the date you downloaded it.  That way the
> information you give is verifiable while the url is still active; and
> if the url rots, the information (attribution, etc.) is not lost.
> 
> So in summary, I would 
>   w3m -dump https://bugtracker/whatever > debian/COPYING.issue4391.txt
> and make an overview file (COPYING.emails maybe) referring to
> these other files.

Specific commits I couldn't find documented consent for, and which
didn't have have copyright assigned to the Audacious Team in the last
stable GPL-2+ release (3.2.4).  From the git

Bug#883731: audacious: Debian packaging has incorrect license

[Ian Jackson]

Nicholas D Steeves writes ("Re: Bug#883731: audacious: Debian packaging has 
incorrect license"):
> Will I also need to provide formal copies in debian/COPYING.emails or
> would a README.copyright or similar pointing to the bug report
> suffice?  In particular I'm concerned about lines like this from
> d/copyright:

Please put all the necessary information in the source package.

COPYING.emails is only one filename you might choose to use.  If you
want to download multiple pages, or something, you can put them in
separate files.  It's probably a good idea to download them with w3m
-dump or something.  That produces a human-readable file which doesn't
depend on any external HTML assets.

This is much better than simply urls, because (sadly), urls often rot.
The lifetime of the contents in debian/ is controlled by Debian and
often exceeds, by large factors, the lifetime of upstream source
repositories, bug trackers, etc.

It would be a best praqctice to record the contents _and also_ the url
you got it from, and the date you downloaded it.  That way the
information you give is verifiable while the url is still active; and
if the url rots, the information (attribution, etc.) is not lost.

So in summary, I would 
  w3m -dump https://bugtracker/whatever > debian/COPYING.issue4391.txt
and make an overview file (COPYING.emails maybe) referring to
these other files.

Thanks,
Ian.

Bug#883731: audacious: Debian packaging has incorrect license

[John Lindgren]

On 12/10/2017 06:12 PM, Nicholas D Steeves wrote:
> In particular I'm concerned about lines like this from
> d/copyright:
> 
> "po/uk.po" is © 2005 Mykola Lynnyk and is distributed under the terms of the
>  GPL.
> 
> Where the new po/uk.po is GPL-incompatible 2-clause BSD:

The line "Copyright (C) 2005 Mykola Lynnyk <...>" appears to have been
lost accidentally in commit 1a013156d209b, when we switched over to
Transifex.  I'll see about restoring it.

As far as our Git history goes back (to October 2005), uk.po had no
license declaration and was assumed to be under the same license as the
source files it translated (which at the time was GPLv2+). At the time
of the BSD relicense, we took the liberty of assuming that such
translations would automatically switch to the new license along with
the source files they translated.  No one (to my knowledge) has
contacted us in the five years since to clarify that their translations
were intended to be forever GPL-only, but I suppose that to take a more
cautious approach, Debian could still distribute the package as GPL in
total.

> Oh, and if
> everything goes according to plan we'll have a qt variant again
> sometime in 2018 (one src:package will build the gtk variant, cleanup,
> build the qt variant, and then package the two variants separately).

+1 from me!

John

Bug#883731: audacious: Debian packaging has incorrect license

[Nicholas D Steeves]

On Mon, Dec 11, 2017 at 12:23:47AM +0100, Francesco Poli wrote:
> On Sun, 10 Dec 2017 18:12:39 -0500 Nicholas D Steeves wrote:
> 
> [...]
> > GPL-incompatible 2-clause BSD
> [...]
> 
> A nitpick: the 2-clause BSD license is not GPL-incompatible (it's
> indeed compatible with the GNU GPL).
> It's just a distinct license with different (and much simpler)
> wording...

Good point.  I ought to have phrased that differently ;-) What I mean
is that a GPL piece cannot become a BSD piece without explicit
relicensing by all copyright holders.


signature.asc
Description: PGP signature

Bug#883731: audacious: Debian packaging has incorrect license

[Francesco Poli]

On Sun, 10 Dec 2017 18:12:39 -0500 Nicholas D Steeves wrote:

[...]
> GPL-incompatible 2-clause BSD
[...]

A nitpick: the 2-clause BSD license is not GPL-incompatible (it's
indeed compatible with the GNU GPL).
It's just a distinct license with different (and much simpler)
wording...



-- 
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
. Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE


pgpOALhYIXdRX.pgp
Description: PGP signature

Bug#883731: audacious: Debian packaging has incorrect license

[Nicholas D Steeves]

On Fri, Dec 08, 2017 at 10:36:49AM -0500, John Lindgren wrote:
> Nicholas D Steeves wrote:
> 
> > Both BSD 3-clause and BSD 2-clause allow relicensing as GPL, thus so
> > long as the licensing terms are complied with correctly BSD code can
> > perpetually and unidirectionally flow to GPL projects.
> 
> Yes, I agree.  It's perfectly okay for the Debian package(s) to be
> distributed as GPL, *as long as* the original BSD license text is still
> retained.
> 
> > I'm also unsure whether the patch
> > that changes the user-visible bits and the out-of-date
> > debian/copyright outweigh the 2-clause license that wasn't stripped
> > from the headers of various files.
> 
> Speaking for myself as upstream project lead, I'm not worried about
> the legal status of already-built packages, but I would prefer that the
> upstream (BSD 2-clause) license remain user-visible in future Debian
> builds.  The simplest way to achieve this would be to remove
> use-system-licenses.patch and let the GUI again display
> /usr/share/audacious/COPYING as the upstream version does.

This will be easier to do.

> Alternatively, debian/copyright could be updated to include the full
> text of the upstream license, plus any Debian-specific bits (packaging
> copyrights, etc.), and the patch could be updated so that the GUI
> displays the installed version of that file instead (I think that would
> be /usr/share/doc/audacious/copyright?)

Thank you for your blessing on doing it this way.  If Debian was/is
relicensing as GPL in a non-reversible way then this the way it
would/might have to be done.

> Francesco Poli wrote:
> 
> > The Audacious upstream developers may be willing to help, by clarifying
> > any doubts upon request.
> 
> Yes, for sure.

Please see my question about a missing copyright holder; I paused my
review at this point, so there might be other examples.

> > If that is deemed to be needed or useful, it could be feasible to also
> > fix the debian/copyright file for audacious version 3.7.2 in a Debian
> > stable update (and possibly also address the same issue for
> > oldstable)... On the other hand, this extra effort could perhaps be
> > considered not worth doing.
> 
> For my part, I'm not worried about the stable+oldstable packages being
> fixed, only that the problem is resolved in a new unstable upload going
> forward.  I think that the other upstream developers would agree.

Whew, thank you, that makes things easier for everyone :-)

> Thank you both for the prompt reply and good discussion!

You're welcome!  Thank you for reaching out.

Sincerely,
Nicholas


signature.asc
Description: PGP signature

Bug#883731: audacious: Debian packaging has incorrect license

[Nicholas D Steeves]

Hi Francesco, John, and everybody else reading this,

On Fri, Dec 08, 2017 at 11:10:40AM +0100, Francesco Poli wrote:
> On Thu, 7 Dec 2017 22:39:41 -0500 Nicholas D Steeves wrote:
[...]
> Failing to retain the license text in the package distribution is in
> fact lack of compliance with the 2-clause BSD license, I would say...
> 
> > and also how
> > this should be resolved.  The Debian packaging is GPL-2+, so it's
> > possible to move to copyright-format/1.0 if that would simplify
> > things.
> 
> I personally think that the first thing to do is an accurate copyright
> and licensing status review of the audacious package, so that the
> debian/copyright file may be fixed to reflect the actual current state
> of affairs.
> The Audacious upstream developers may be willing to help, by clarifying
> any doubts upon request.
> This may be a perfect opportunity to switch to the [machine readable]
> format.
> 
> [machine readable]: 
> 

Thanks for the clarification.  I guess I've dropped the offending
patch in git and am currently working on a copyright-format/1.0
debian/copyright.

Will I also need to provide formal copies in debian/COPYING.emails or
would a README.copyright or similar pointing to the bug report
suffice?  In particular I'm concerned about lines like this from
d/copyright:

"po/uk.po" is © 2005 Mykola Lynnyk and is distributed under the terms of the
 GPL.

Where the new po/uk.po is GPL-incompatible 2-clause BSD:

# Ukrainian translation for Audacious
# Copyright (C) Audacious translators
# This file is distributed under the same license as the Audacious package.
#
# Translators:
# Dennis , 2014
# Eugene Paskevich , 2015-2016
# Kostyantyn Fedenko , 2011
# Oleg , 2012
# NaiLi (aka jamesjames) Rootaerc , 2012
# NaiLi (aka jamesjames) Rootaerc , 2012
# Oleg , 2012
# Rax Garfield , 2012
# Rax Garfield (http://biokillaz.com/), 2012
# Rax Garfield , 2012-2013
# Rustam Tsurik , 2013
# Rustam Tsurik , 2013
# Oleg , 2012
# Taras Shevchenko, 2017
# Yaroslav Yenkala , 2016
msgid ""
msgstr ""
"Project-Id-Version: Audacious\n"
"Report-Msgid-Bugs-To: http://redmine.audacious-media-player.org/\n;
"POT-Creation-Date: 2017-08-19 19:12+0200\n"
"PO-Revision-Date: 2017-08-06 05:54+\n"
"Last-Translator: Taras Shevchenko\n"

John, what happened here with Mykola Lynnyk's 2005 GPL copyright?

> > Also, please reply to point 2. OTTO "ancient plugins...under
> > different licenses.  I assume audacious-plugins will also need a
> > copyright review.
> 
> Probably.

I took a cursory glance and it seems to be in better shape than the
main audacious package but I'll take a look later.

> > Please CC John and I, Bug #883731, and
> > debian-legal as appropriate.
> 
> Done.
> 
> I hope my comments may help.
> 
> Bye and thanks to the Debian Multimedia Maintainers for the time they
> spend in maintaining a number of great Debian packages, and to the
> Audacious upstream developers for the time they spend in
> developing/maintaining that very nice audio player (that I personally
> use everyday!). Thank you!

Thank you Francesco, your comments do help.  I'm also a big fan of
Audacious and use it all the time. (thank you John!)  Oh, and if
everything goes according to plan we'll have a qt variant again
sometime in 2018 (one src:package will build the gtk variant, cleanup,
build the qt variant, and then package the two variants separately).

Cheers,
Nicholas


signature.asc
Description: PGP signature

Bug#883731: audacious: Debian packaging has incorrect license

[John Lindgren]

Nicholas D Steeves wrote:

> Both BSD 3-clause and BSD 2-clause allow relicensing as GPL, thus so
> long as the licensing terms are complied with correctly BSD code can
> perpetually and unidirectionally flow to GPL projects.

Yes, I agree.  It's perfectly okay for the Debian package(s) to be
distributed as GPL, *as long as* the original BSD license text is still
retained.

> I'm also unsure whether the patch
> that changes the user-visible bits and the out-of-date
> debian/copyright outweigh the 2-clause license that wasn't stripped
> from the headers of various files.

Speaking for myself as upstream project lead, I'm not worried about
the legal status of already-built packages, but I would prefer that the
upstream (BSD 2-clause) license remain user-visible in future Debian
builds.  The simplest way to achieve this would be to remove
use-system-licenses.patch and let the GUI again display
/usr/share/audacious/COPYING as the upstream version does.

Alternatively, debian/copyright could be updated to include the full
text of the upstream license, plus any Debian-specific bits (packaging
copyrights, etc.), and the patch could be updated so that the GUI
displays the installed version of that file instead (I think that would
be /usr/share/doc/audacious/copyright?)

Francesco Poli wrote:

> The Audacious upstream developers may be willing to help, by clarifying
> any doubts upon request.

Yes, for sure.

> If that is deemed to be needed or useful, it could be feasible to also
> fix the debian/copyright file for audacious version 3.7.2 in a Debian
> stable update (and possibly also address the same issue for
> oldstable)... On the other hand, this extra effort could perhaps be
> considered not worth doing.

For my part, I'm not worried about the stable+oldstable packages being
fixed, only that the problem is resolved in a new unstable upload going
forward.  I think that the other upstream developers would agree.

Thank you both for the prompt reply and good discussion!

John

Bug#883731: audacious: Debian packaging has incorrect license

[Francesco Poli]

On Thu, 7 Dec 2017 22:39:41 -0500 Nicholas D Steeves wrote:

> Dear Debian Legal Team,

Hello Nicholas, John, and everybody else reading this.

I would like to send some comments of mine, here.

Please note that: not only I am not a lawyer, but, even more
importantly, I am not your lawyer, nor a lawyer of the Debian Project.
Also, I am not a member of the Debian Project: I am just a Debian
external contributor, who happens to be a regular on the debian-legal
mailing list...

> 
> I've CCed you for my reply to this bug, because I don't have the
> experience to be able to tell if Debian implicitly relicensed
> Audacious as GPL-3 from 2012-2016,

As far as I can tell, *maybe* the implicit re-licensing was done by
distributing the audacious Debian package with the incorrect
debian/copyright file.

> how potentially falling out of
> BSD-2-clause license compliance might have affected this,

Failing to retain the license text in the package distribution is in
fact lack of compliance with the 2-clause BSD license, I would say...

> and also how
> this should be resolved.  The Debian packaging is GPL-2+, so it's
> possible to move to copyright-format/1.0 if that would simplify
> things.

I personally think that the first thing to do is an accurate copyright
and licensing status review of the audacious package, so that the
debian/copyright file may be fixed to reflect the actual current state
of affairs.
The Audacious upstream developers may be willing to help, by clarifying
any doubts upon request.
This may be a perfect opportunity to switch to the [machine readable]
format.

[machine readable]: 


After a fixed audacious package is uploaded to Debian unstable and
migrates to Debian testing, the most offending issue should be solved,
I suppose.
At that point, the Audacious upstream developers may be willing to
forgive the Debian Project for the past incorrect copyright information.

If that is deemed to be needed or useful, it could be feasible to also
fix the debian/copyright file for audacious version 3.7.2 in a Debian
stable update (and possibly also address the same issue for
oldstable)... On the other hand, this extra effort could perhaps be
considered not worth doing.

> Also, please reply to point 2. OTTO "ancient plugins...under
> different licenses.  I assume audacious-plugins will also need a
> copyright review.

Probably.

> Please CC John and I, Bug #883731, and
> debian-legal as appropriate.

Done.

I hope my comments may help.

Bye and thanks to the Debian Multimedia Maintainers for the time they
spend in maintaining a number of great Debian packages, and to the
Audacious upstream developers for the time they spend in
developing/maintaining that very nice audio player (that I personally
use everyday!). Thank you!


-- 
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
. Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE


pgpF15_wZzbW1.pgp
Description: PGP signature

Bug#883731: audacious: Debian packaging has incorrect license

[Nicholas D Steeves]

Dear Debian Legal Team,

I've CCed you for my reply to this bug, because I don't have the
experience to be able to tell if Debian implicitly relicensed
Audacious as GPL-3 from 2012-2016, how potentially falling out of
BSD-2-clause license compliance might have affected this, and also how
this should be resolved.  The Debian packaging is GPL-2+, so it's
possible to move to copyright-format/1.0 if that would simplify
things.  Also, please reply to point 2. OTTO "ancient plugins...under
different licenses.  I assume audacious-plugins will also need a
copyright review.  Please CC John and I, Bug #883731, and
debian-legal as appropriate.


Hi John,

On Thu, Dec 07, 2017 at 05:15:53PM -0500, John Lindgren wrote:
> Hi Nicholas,
> 
> > On this topic, would you please update contrib/audacious.appdata.xml
> > to reflect the current Audacious license (GPL3)? It claims the
> > project_license is BSD-2-Clause.
> 
> Sorry if my initial email was unclear.  The current Audacious license *is*
> BSD 2-clause, with some exceptions:

Oh, now I see.  Sorry I wasn't familiar with Audacious' upstream
relicensing, and thank you very much for confirming for the files I
asked about.

> 1. The embedded copy of libguess (which is an external project) is under
>a BSD 3-clause license, with a separate copyright.  I believe this is
>not a problem so long as the libguess license is also included with
>any distribution.
> 2. Some of the more ancient plugins are under different licenses, including
>GPLv2+ and GPLv3.  When we relicensed the main parts of Audacious to BSD
>around 2012, we thought it impractical to contact all of the original
>plugin authors since some of them go back to XMMS days (20 years ago now).
>The plugins are compiled as separate binaries, and Debian has them in a
>separate package (audacious-plugins).
> 
> Our upstream COPYING file makes note of these exceptions, which is one
> reason why it's important for it to be included verbatim, and not replaced
> with generic BSD 2-clause text as it is in the current Debian package.

Both BSD 3-clause and BSD 2-clause allow relicensing as GPL, thus so
long as the licensing terms are complied with correctly BSD code can
perpetually and unidirectionally flow to GPL projects.  So from what I
can tell it's 100% ok for the Debian package (both src and bin) to be
GPL-3 from 2012-to-2016, and both the Debian source packages and
binaries from this time period might actually be implicitly relicensed
as GPL-3.  If so, that's history that can't be changed.  Also, I'm not
sure what debian-legal and ftpmaster's view of #2 will be in light of
the relicensing (and possible implied relicensing back to GPL-3).

On 2016-04-06 06:55:52
(commit@124bf3bdccdac9d0eb78ce65b53c9a4ba128e052)
use-system-licenses.patch might have made Debian's implicit
relicensing invalid, not because of the deduplication patch per-se,
but because /usr/share/common-licenses/BSD is a 3-clause and not a
2-clause one like Audacious uses.  It's the same style, but is a
different license altogether...and yeah, I think one can go
BSD-2-clause to BSD-3-clause to GPL-3, but only if the original
BSD-2-clause bits aren't stripped.  I'm also unsure whether the patch
that changes the user-visible bits and the out-of-date
debian/copyright outweigh the 2-clause license that wasn't stripped
from the headers of various files.  eg: not implicitly relicensed, and
just out of date copyright plus non-compliance with 2-clause BSD.

> Regarding the plugins, I don't know the state of debian/copyright in the
> audacious-plugins package, but my main concern here is that the one in
> audacious is correct.
>
> > Conversely, what I found in debian/copyright was a project license of
> > GPL-3, with notable exceptions. eg: are really translations GPL-1+?
> 
> As I said, debian/copyright is out-of-date.  We relicensed the project
> from GPLv3 to BSD 2-clause back in 2012.  Possibly we didn't make an
> obvious enough announcement back then for Debian to take notice.

I haven't looked at audacious-plugins yet either.  Re: "is correct", I
agree, and I'm hoping the fix will be to simply synchronise with
upstream Audacious' BSD 2-clause.

> Translations are under the same license as the rest of Audacious.

Thank you for the confirmation.

> > To my eyes it looks like the upstream project license needs to be
> > clarified and disambiguated, debian/copyright needs work, and finally
> > that deduplication patch can be dropped.
> 
> Let me know if you think there are still clarifications needed upstream
> given the information I've provided here.  I'd be happy to adjust things
> as necessary.

Well, since the main Audacious project is in fact 2-clause-BSD this
is much clearer now!  Thanks again for the help.  I hope to work on
this Sunday, or after we hear back from debian-legal.

Sincerely,
Nicholas


signature.asc
Description: PGP signature

Processed: Re: Bug#883731: audacious: Debian packaging has incorrect license

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> # License change happened in 3.3 (about 5 years ago)
> found 883731 3.3.1-1
Bug #883731 [audacious] audacious: Debian packaging has incorrect license
Marked as found in versions audacious/3.3.1-1.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
883731: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883731
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#883731: audacious: Debian packaging has incorrect license

[John Lindgren]

Hi Nicholas,

> On this topic, would you please update contrib/audacious.appdata.xml
> to reflect the current Audacious license (GPL3)? It claims the
> project_license is BSD-2-Clause.

Sorry if my initial email was unclear.  The current Audacious license *is*
BSD 2-clause, with some exceptions:

1. The embedded copy of libguess (which is an external project) is under
   a BSD 3-clause license, with a separate copyright.  I believe this is
   not a problem so long as the libguess license is also included with
   any distribution.
2. Some of the more ancient plugins are under different licenses, including
   GPLv2+ and GPLv3.  When we relicensed the main parts of Audacious to BSD
   around 2012, we thought it impractical to contact all of the original
   plugin authors since some of them go back to XMMS days (20 years ago now).
   The plugins are compiled as separate binaries, and Debian has them in a
   separate package (audacious-plugins).

Our upstream COPYING file makes note of these exceptions, which is one
reason why it's important for it to be included verbatim, and not replaced
with generic BSD 2-clause text as it is in the current Debian package.

Regarding the plugins, I don't know the state of debian/copyright in the
audacious-plugins package, but my main concern here is that the one in
audacious is correct.

> However, shouldn't it say the following if Audacious' project license
> is GPL-3+ (drop the "any later version" clause for GPL-3 only) ?:

No, see above.

> Also, I found BSD-2-clause here: src/libaudcore/hook.cc,
> src/libaudcore/hook.h, src/libaudcore/output.cc, et al.

Those are correct.

> Conversely, what I found in debian/copyright was a project license of
> GPL-3, with notable exceptions. eg: are really translations GPL-1+?

As I said, debian/copyright is out-of-date.  We relicensed the project
from GPLv3 to BSD 2-clause back in 2012.  Possibly we didn't make an
obvious enough announcement back then for Debian to take notice.

Translations are under the same license as the rest of Audacious.

> To my eyes it looks like the upstream project license needs to be
> clarified and disambiguated, debian/copyright needs work, and finally
> that deduplication patch can be dropped.

Let me know if you think there are still clarifications needed upstream
given the information I've provided here.  I'd be happy to adjust things
as necessary.

Thank you,
John

Bug#883731: audacious: Debian packaging has incorrect license

[Nicholas D Steeves]

Hi John,

On Wed, Dec 06, 2017 at 05:08:56PM -0500, John Lindgren wrote:
> 
> Per Debian policy 2.3:
> 
> "Every package must be accompanied by a verbatim copy of its copyright
> information and distribution license in the file 
> /usr/share/doc/package/copyright
> (see Copyright information for further details)."
> 
> The file /usr/share/doc/audacious/copyright shipped in the Debian package
> is out of date and does not match the current Audacious license (GPL3 vs.
> BSD 2-clause).
> 
> Worse, the Debian package patches out[1] the upstream license file which
> is normally installed under /usr/share/audacious/COPYING and visible in
> the "About" window when running Audacious.
> 
> You are currently distributing Audacious in violation both of our license
> and of Debian's own policy.  Please include the original upstream license,
> verbatim, in the Debian package, or stop distributing Audacious.
> 
> Thank you,
> 
> John Lindgren
> Audacious maintainer

I'm not the maintainer of Audacious' Debian package, but I am part of
the Multimedia team, so I took a look at the Debian and upstream
source, because I agree that license problems must be fixed asap.

On this topic, would you please update contrib/audacious.appdata.xml
to reflect the current Audacious license (GPL3)?  It claims the
project_license is BSD-2-Clause.

http://redmine.audacious-media-player.org/projects/audacious/repository/revisions/master/changes/contrib/audacious.appdata.xml

And when I looked up upstream audacious/COPYING here:
http://redmine.audacious-media-player.org/projects/audacious/repository/revisions/master/changes/COPYING

I found this, which also looks like BSD-2-Clause:

LICENSE

Copyright © 2001-2017 Audacious developers and others

(A list of the copyright holders is provided in the AUTHORS file.)

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice,
   this list of conditions, and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice,
   this list of conditions, and the following disclaimer in the
   documentation provided with the distribution.

This software is provided “as is” and without any warranty, express or
implied.  In no event shall the authors be liable for any damages arising
from the use of this software.
--
However, shouldn't it say the following if Audacious' project license
is GPL-3+ (drop the "any later version" clause for GPL-3 only) ?:

Audacious, an Advanced Audio Player
Copyright (C) 2001-2017 Audacious developers and others

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see .
--

Also, I found BSD-2-clause here: src/libaudcore/hook.cc,
src/libaudcore/hook.h, src/libaudcore/output.cc, et al.

Conversely, what I found in debian/copyright was a project license of
GPL-3, with notable exceptions. eg: are really translations GPL-1+?
Because the project license seems to be BSD-2-Clause, and the
translations have "This file is distributed under the same license as
the Audacious package" I wonder if they're actually BSD-2-Clause.
Would you please provide a citation for the upstream project's
relicensing to GPL-3?

Finally, from what I understand about combining licenses I think the
BSD-2-clause project license (please provide evidence that this isn't
the case), the src/libguess/* BSD-3-clause and the GPL bits can all be
used to produce a GPL-3 binary, so long as the BSD copyright notices
are preserved.

To my eyes it looks like the upstream project license needs to be
clarified and disambiguated, debian/copyright needs work, and finally
that deduplication patch can be dropped.

I'd be happy to take care of the Debian side of things over the
weekend.

Thank you,
Nicholas


signature.asc
Description: PGP signature

Bug#883731: audacious: Debian packaging has incorrect license

[John Lindgren]

Package: audacious
Version: 3.9-2
Severity: serious

Per Debian policy 2.3:

"Every package must be accompanied by a verbatim copy of its copyright
information and distribution license in the file 
/usr/share/doc/package/copyright
(see Copyright information for further details)."

The file /usr/share/doc/audacious/copyright shipped in the Debian package
is out of date and does not match the current Audacious license (GPL3 vs.
BSD 2-clause).

Worse, the Debian package patches out[1] the upstream license file which
is normally installed under /usr/share/audacious/COPYING and visible in
the "About" window when running Audacious.

You are currently distributing Audacious in violation both of our license
and of Debian's own policy.  Please include the original upstream license,
verbatim, in the Debian package, or stop distributing Audacious.

Thank you,

John Lindgren
Audacious maintainer

[1] 
https://sources.debian.org/patches/audacious/3.9-2/use-system-licenses.patch/