Discussion:
Does Debian itself have a license?
(too old to reply)
Hong Xu
2018-09-08 19:48:50 UTC
Permalink
Hi all,

I understand that each piece of software has its own license in Debian
and they can be easily looked up. However, I have trouble finding the
license of the Debian itself, e.g., metadata of packages, default
configuration files created by the Debian project, etc. Can you provide
any information on that? Thanks!

Example: Fedora provides a license for the compilation of the project:
<https://fedoraproject.org/wiki/Legal:Licenses/LicenseAgreement>; and so
does CentOS (License agreement upon first boot).

Hong
Ben Finney
2018-09-09 04:51:15 UTC
Permalink
Post by Hong Xu
I understand that each piece of software has its own license in Debian
and they can be easily looked up. However, I have trouble finding the
license of the Debian itself, e.g., metadata of packages, default
configuration files created by the Debian project, etc. Can you
provide any information on that? Thanks!
My understanding is that the entire operating system is delivered as
packages, and each package declares its copyright information in its
‘/usr/share/doc/$PACKAGENAME/copyright’ document.

The “metadata of packages” I am not sure what you mean? To my knowledge
all the metadata is part of the source form of the package, and so is
subject to the license conditions described for that package. Is there
something else you refer to as “metadata of packages”?

Maybe you mean data that is auto-generated by running some tool on the
source package. If so, and again in my own understanding, the resulting
work is (a) not affected by new copyright restrictions because, being
auto-generated, no creative transformation has occurred, and (b)
therefore all the same license conditions apply as for the source works
from which it was generated.

The same would be true for any default configuration files. They will be
auto-generated (maybe even, simply copied) from some files installed
from a specific package, and so are subject to whatever general license
conditions apply for each package.
Post by Hong Xu
<https://fedoraproject.org/wiki/Legal:Licenses/LicenseAgreement>; and
so does CentOS (License agreement upon first boot).
I am not aware of any such explicit declaration for the entirety of
Debian as a whole work.
--
\ “The Initial Mystery that attends any journey is: how did the |
`\ traveller reach his starting point in the first place?” —Louise |
_o__) Bogan, _Journey Around My Room_ |
Ben Finney
Ole Streicher
2018-09-09 11:32:14 UTC
Permalink
Post by Ben Finney
My understanding is that the entire operating system is delivered as
packages, and each package declares its copyright information in its
‘/usr/share/doc/$PACKAGENAME/copyright’ document.
This however covers only the *source* of the package, not the binary
packages. There is no way to find out the license of the binary packages
without checking very carefully the sources and the way the package is
created. So, the end user does not know what he is allowed to do with a
certain (binary) Debian software package.

Best

Ole
Ben Finney
2018-09-09 23:17:13 UTC
Permalink
Post by Ole Streicher
This however covers only the *source* of the package, not the binary
packages. There is no way to find out the license of the binary
packages without checking very carefully the sources and the way the
package is created. So, the end user does not know what he is allowed
to do with a certain (binary) Debian software package.
You're right, that is a practical shortcoming which impacts Hong Xu's
concern about the feasibility of that effort.

That is a matter which should IMO be discussed more broadly than
‘debian-legal’. This is because it's much more about tools and
installation locations and how users get information. It's actually
AFAICT not much to do with the copyright information of packages, only
about how to get that information once the packages are installed.
--
\ “Pinky, are you pondering what I'm pondering?” “Well, I think |
`\ so, Brain, but ‘apply North Pole’ to what?” —_Pinky and The |
_o__) Brain_ |
Ben Finney
Hong Xu
2018-09-09 19:32:28 UTC
Permalink
Post by Ben Finney
Post by Hong Xu
I understand that each piece of software has its own license in Debian
and they can be easily looked up. However, I have trouble finding the
license of the Debian itself, e.g., metadata of packages, default
configuration files created by the Debian project, etc. Can you
provide any information on that? Thanks!
My understanding is that the entire operating system is delivered as
packages, and each package declares its copyright information in its
‘/usr/share/doc/$PACKAGENAME/copyright’ document.
The “metadata of packages” I am not sure what you mean? To my knowledge
all the metadata is part of the source form of the package, and so is
subject to the license conditions described for that package. Is there
something else you refer to as “metadata of packages”?
The metadata of packages include information package descriptions,
dependencies, etc. that were created by Debian developers. It seems to
me that the copyright file of package does not describe the license of
this information since the copyright holder seems to be always the
upstream copyright holders. For example, /usr/share/doc/bash/copyright
reads "Copyright (C) 1987-2014 Free Software Foundation, Inc." Although
the author of the packaging "Matthias Klose <***@debian.org>" is
mentioned, there is no license claimed for his packaging work.
Post by Ben Finney
The same would be true for any default configuration files. They will be
auto-generated (maybe even, simply copied) from some files installed
from a specific package, and so are subject to whatever general license
conditions apply for each package.
As far as I know, there are a lot of cases where default configuration
files in Debian are handcrafted, either from scratch or modified from
those in the upstream package. For example, the file octave.conf
(installed to /etc/octave.conf) in the source package of octave seems to
be manually modified from the upstream configuration file and its header
reads:

## This file is an extended copy of Octave's startup file at
## /usr/share/octave/${OCTAVE_VERSION}/m/startup/octaverc
## Configure readline using the file inputrc in the Octave startup
## directory.

While trivial modification should probably be fine, but I'm not sure
whether it's OK if a developer maintains a lot of packages and they are
put together in a distributed Debian system...

Hong
Ben Finney
2018-09-09 23:12:47 UTC
Permalink
Post by Hong Xu
The metadata of packages include information package descriptions,
dependencies, etc. that were created by Debian developers.
Thanks for clarifying. Okay, that seems to describe the Debian packaging
files, a work that sometimes is part of the upstream work but often is a
separate work combined with the upstream work.
Post by Hong Xu
It seems to me that the copyright file of package does not describe
the license of this information since the copyright holder seems to be
always the upstream copyright holders.
You're right to question this. The files that constitute Debian
packaging often have copyright held by parties different from the
upstream work.

In those (many) cases, the distinct copyright information for the Debian
packaging should be described explicitly in the source package's
‘debian/copyright’ (and therefore be installed as part of the binary
packages created from that source).
Post by Hong Xu
For example, /usr/share/doc/bash/copyright reads "Copyright (C)
1987-2014 Free Software Foundation, Inc." Although the author of the
license claimed for his packaging work.
I consider that to be a bug worthy of reporting. (The absence of
explicit grant of license for the packaging work is a violation of
Debian Policy §4.5.)

It will be a bug that many packages in Debian have, so you might want to
co-ordinate a response. After discussion you might find the response
is “this isn't urgent because it has been this way for decades”. Or you
might find a different consensus.

Be aware of the Debian Developer's Reference guidance on reporting a bug
to many packages at once (in brief: don't until you discuss it with the
package maintainers and achieve consensus)
<URL:https://www.debian.org/doc/manuals/developers-reference/ch07.en.html#submit-many-bugs>.
Post by Hong Xu
As far as I know, there are a lot of cases where default configuration
files in Debian are handcrafted, either from scratch or modified from
those in the upstream package.
The copyright document for a package must (Debian Policy §4.5) contain
comprehensive copyright information for all the package, whether
originating from upstream or from Debian maintainers or anywhere else.

So I think that every part of Debian is required to have its copyright
information declared explicitly in the ‘copyright’ document of one or
more installed packages on the system.

If you know of an exception, let's discuss that; otherwise I think the
response is to talk about specific packages that fail to meet that
requirement.
--
\ “From the moment I picked your book up until I laid it down I |
`\ was convulsed with laughter. Someday I intend reading it.” |
_o__) —Groucho Marx |
Ben Finney
Nicholas D Steeves
2018-09-09 23:32:49 UTC
Permalink
Post by Ben Finney
Post by Hong Xu
For example, /usr/share/doc/bash/copyright reads "Copyright (C)
1987-2014 Free Software Foundation, Inc." Although the author of the
license claimed for his packaging work.
I consider that to be a bug worthy of reporting. (The absence of
explicit grant of license for the packaging work is a violation of
Debian Policy §4.5.)
It will be a bug that many packages in Debian have, so you might want to
co-ordinate a response. After discussion you might find the response
is “this isn't urgent because it has been this way for decades”. Or you
might find a different consensus.
Be aware of the Debian Developer's Reference guidance on reporting a bug
to many packages at once (in brief: don't until you discuss it with the
package maintainers and achieve consensus)
<URL:https://www.debian.org/doc/manuals/developers-reference/ch07.en.html#submit-many-bugs>.
Post by Hong Xu
As far as I know, there are a lot of cases where default configuration
files in Debian are handcrafted, either from scratch or modified from
those in the upstream package.
The copyright document for a package must (Debian Policy §4.5) contain
comprehensive copyright information for all the package, whether
originating from upstream or from Debian maintainers or anywhere else.
So I think that every part of Debian is required to have its copyright
information declared explicitly in the ‘copyright’ document of one or
more installed packages on the system.
If you know of an exception, let's discuss that; otherwise I think the
response is to talk about specific packages that fail to meet that
requirement.
Hi Ben,

I'm in the process of adopting php-elisp and have been delaying while
waiting for copyright confirmation emails from all contributors.
Given this:

https://sources.debian.org/src/php-elisp/1.13.5-3/debian/copyright/

Per the URL above, is it a Policy v3.9.6 §4.5 violation? Would it be
such a violation under Policy 4.2.0? There are still a lot of
packages like this...

Are Ola and Pontus the only copyright holders for debian/*? I've
followed the licensing confirmation procedure and am tracking the
replies here:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903092

If Ola and Pontus are the only copyright holders then I can switch to
format 1.0 with explicit licensing of debian/* :-)

Regards,
Nicholas
Nicholas D Steeves
2018-09-09 23:16:14 UTC
Permalink
Hi Hong,
Post by Hong Xu
Post by Ben Finney
Post by Hong Xu
I understand that each piece of software has its own license in Debian
and they can be easily looked up. However, I have trouble finding the
license of the Debian itself, e.g., metadata of packages, default
configuration files created by the Debian project, etc. Can you
provide any information on that? Thanks!
My understanding is that the entire operating system is delivered as
packages, and each package declares its copyright information in its
‘/usr/share/doc/$PACKAGENAME/copyright’ document.
Let's use the octave example. In /usr/share/doc/octave/copyright you'll
find the section "Files: debian/*". This is the copyright for the
Debian portions of the source package. Sometimes there were be
debian/patches/custom_debian_config.patch which modifies the upstream
source. Such patches also fall under the copyright of
"Files:debian/*" unless otherwise specified. [1]

Unfortunately the it's not nearly as clear for package which don't use
copyright format 1.0...
Post by Hong Xu
Post by Ben Finney
The “metadata of packages” I am not sure what you mean? To my knowledge
all the metadata is part of the source form of the package, and so is
subject to the license conditions described for that package. Is there
something else you refer to as “metadata of packages”?
The metadata of packages include information package descriptions,
dependencies, etc. that were created by Debian developers. It seems to
me that the copyright file of package does not describe the license of
this information since the copyright holder seems to be always the
upstream copyright holders. For example, /usr/share/doc/bash/copyright
reads "Copyright (C) 1987-2014 Free Software Foundation, Inc." Although
mentioned, there is no license claimed for his packaging work.
It sounds like you're saying "metadata of the [binary] packages".
They're not metadata for source packages, where they are actual files.
Eg: '$ apt source octave'. In a non-native (the majority of packages)
Debian source package the Debian bits are also in a separate tarball
from the upstream one. eg:
http://http.debian.net/debian/pool/main/o/octave/octave_4.0.3-3.debian.tar.xz
vs
http://http.debian.net/debian/pool/main/o/octave/octave_4.0.3.orig.tar.xz
Post by Hong Xu
Post by Ben Finney
The same would be true for any default configuration files. They will be
auto-generated (maybe even, simply copied) from some files installed
from a specific package, and so are subject to whatever general license
conditions apply for each package.
As far as I know, there are a lot of cases where default configuration
files in Debian are handcrafted, either from scratch or modified from
those in the upstream package. For example, the file octave.conf
(installed to /etc/octave.conf) in the source package of octave seems to
be manually modified from the upstream configuration file and its header
octave-4.0.3/debian/octave.conf. See [1].


Cheers,
Nicholas
Anthony DeRobertis
2018-09-17 17:14:24 UTC
Permalink
Post by Ben Finney
My understanding is that the entire operating system is delivered as
packages, and each package declares its copyright information in its
‘/usr/share/doc/$PACKAGENAME/copyright’ document.
That does raise an interesting question — things like the package long
description are used all over the place, and combined together (e.g., in
the package lists). Translations are made, maintained outside the
package (AFAIK), and then combined together and displayed various places.

Is https://packages.debian.org/stretch/bash a GPL violation, because it
doesn't include the full text of the GPL, a copyright statement, etc.?
In fact, it claims (via tiny license terms link at the bottom) to be
under MIT.

In practice, we seem to consider use of package descriptions to be fair
use, and ignore the license.
Mihai Moldovan
2018-09-17 17:39:13 UTC
Permalink
Post by Ben Finney
My understanding is that the entire operating system is delivered as
packages, and each package declares its copyright information in its
‘/usr/share/doc/$PACKAGENAME/copyright’ document.
That does raise an interesting question — things like the package long
description are used all over the place, and combined together (e.g., in
the package lists).
[...]
Is https://packages.debian.org/stretch/bash a GPL violation, because it
doesn't include the full text of the GPL, a copyright statement, etc.?
In fact, it claims (via tiny license terms link at the bottom) to be
under MIT.
Generally, this is package metadata and has one or multiple entries in the
debian/copyright file per package for the whole debian subdirectory - typically
GPL-2+ or the like. As you've already seen, this file normally is also installed
with other data and can be viewed on the local system after the fact.

I cannot see a violation, other than maybe not parsing information in
debian/copyright and publishing it per-package on websites or whatever else uses
this information. This, however, is not trivial to do (for instance some files
within the directory could be differently-licensed, the format isn't too
machine-friendly, ...)

While, e.g., GNU programs recommend to include at least the license name
somewhere in the help text, though better even the short license text, there is
no hard guideline to *always* specify the license whenever something is executed
or shown. Such a requirement doesn't exist for a good reason - it would spam the
license all over the place. Even apt-cache would have to list licenses for each
package (for instance in the search command that does list short descriptions).
Thinking of artwork, if some requirement like this was in effect, every piece of
artwork would need to state the license as well, which sounds very ugly. Think
watermarks for visual artwork or spoken text for aural artwork.

As long as the copyright and license information is available and properly
stated, everything's fine.
Translations are made, maintained outside the
package (AFAIK), and then combined together and displayed various places.
As far as I know (but I could be wrong), translations always adopt the original
string's license.
In practice, we seem to consider use of package descriptions to be fair
use, and ignore the license.
Why would you think so? As stated above, these components *do* have a license
and as they are part of the packaging metadata, which is typically complex
enough to also warrant one, also a copyright.



Mihai

Jonathan Carter
2018-09-09 18:02:24 UTC
Permalink
Hi Hong!
Post by Hong Xu
I understand that each piece of software has its own license in Debian
and they can be easily looked up. However, I have trouble finding the
license of the Debian itself, e.g., metadata of packages, default
configuration files created by the Debian project, etc. Can you provide
any information on that? Thanks!
<https://fedoraproject.org/wiki/Legal:Licenses/LicenseAgreement>; and so
does CentOS (License agreement upon first boot).
Not a license per sé, but we have the Debian Social Contract which is a
cornerstone of the project:

https://www.debian.org/social_contract

If someone is interested in where Debian stands on licensing, then that
page should probably answer most questions.

-Jonathan
--
⢀⣴⠾⠻⢶⣦⠀ Jonathan Carter (highvoltage) <jcc>
⣾⠁⢠⠒⠀⣿⡁ Debian Developer - https://wiki.debian.org/highvoltage
⢿⡄⠘⠷⠚⠋ https://debian.org | https://jonathancarter.org
⠈⠳⣄⠀⠀⠀⠀ Be Bold. Be brave. Debian has got your back.



Powered ByWebafricaFibre | LTE
Continue reading on narkive:
Loading...