[openstack-dev] [PKG-Openstack-devel][horizon][xstatic] XStatic-Angular-Bootstrap in violation of the MIT/Expat license (forwarded from: python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes REJECTED)

Ian Cordasco ian.cordasco at RACKSPACE.COM
Mon May 4 22:15:37 UTC 2015



On 5/3/15, 11:46, "Thomas Goirand" <zigo at debian.org> wrote:

>Hi,
>
>According to Paul Tagliamonte, who is from the Debian FTP master team
>(which peer-reviews NEW packages in Debian before they reach the
>archive) python-xstatic-angular-bootstrap cannot be uploaded as-is to
>Debian because it doesn't include an Expat LICENSE file, which is in
>direct violation of the license itself (ie: anything which is shipped
>using the MIT / Expat license *must* include the said license). Below is
>a copy of the reply to me, after the package was rejected.
>
>Maxime, since you're the maintainer of this xstatic package, could you
>please include the Expat (aka: MIT) license inside
>xstatic-angular-bootstrap, then retag and re-release the package?
>
>Also, when this is done, I would strongly suggest fixing the
>global-requirements.txt to force using the correct package, then remove
>the license-infringing version from PyPi. This won't change anything for me
>as long as there's a new package which fixes the licensing issue, but
>legally, I don't think it's right to leave downloadable what has already
>been released.
>
>-------- Forwarded Message --------
>Subject: Re: [PKG-Openstack-devel]
>python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes REJECTED
>Date: Sat, 2 May 2015 17:21:10 -0400
>From: Paul Tagliamonte <paultag at debian.org>
>Reply-To: Tracking bugs and development for OpenStack
><openstack-devel at lists.alioth.debian.org>
>To: Thomas Goirand <thomas at goirand.fr>
>CC: Paul Richards Tagliamonte <ftpmaster at ftp-master.debian.org>, PKG
>OpenStack <openstack-devel at lists.alioth.debian.org>
>
>On Sat, May 02, 2015 at 11:07:51PM +0200, Thomas Goirand wrote:
>> Hi Paul!
>>
>> First of all, thanks a lot for all the package review. This is simply
>> awesome, and really helps me a lot in my work!
>
>np :)
>
>> Well, for all XStatic projects, the habit is to use the same licensing as
>> for the javascript that is packaged as Python module. So in this file:
>>
>> xstatic/pkg/angular_bootstrap/__init__.py
>>
>> you can see:
>>
>> LICENSE = '(same as %s)' % DISPLAY_NAME
>>
>> then in xstatic/pkg/angular_bootstrap/data/angular-bootstrap.js, in the
>> header of the file, you may see:
>>
>>  * angular-ui-bootstrap
>>  * http://angular-ui.github.io/bootstrap/
>>
>>  * Version: 0.11.0 - 2014-05-01
>>  * License: MIT
>>
>> So, python-xstatic-angular-bootstrap uses the same Expat license.
>>
>> Is this enough?
>
>So, I trust this *is* MIT/Expat licensed, but if you look at the terms
>they're granting us:
>
>| Permission is hereby granted, free of charge, to any person obtaining a copy
>| of this software and associated documentation files (the "Software"), to deal
>| in the Software without restriction, including without limitation the rights
>| to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
>| copies of the Software, and to permit persons to whom the Software is
>| furnished to do so, subject to the following conditions:
>|
>| The above copyright notice and this permission notice shall be included in
>| all copies or substantial portions of the Software.
>|
>| THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
>| IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>| FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
>| AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
>| LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
>| OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
>| THE SOFTWARE.
>
>The critical bit here --
>
>| The above copyright notice and this permission notice shall be included in
>| all copies or substantial portions of the Software.
>
>The source distribution is non-compliant. They can do that since they
>can't infringe on themselves. We would be infringing by distributing the
>source tarball.
>
>Just do a DFSG repack and include the license in it. That'll be great
>and enough.
>
>> Can I upload the package again? Or should I ask for a more
>> clear statement from upstream (which by the way, I have met face to face,
>> and I know how to ping him on Freenode...)?
>
>Cheers,
>   Paul
>
>-- 
>  .''`.  Paul Tagliamonte <paultag at debian.org>  |   Proud Debian Developer
>: :'  : 4096R / 8F04 9AD8 2C92 066C 7352  D28A 7B58 5B30 807C 2A87
>`. `'`  http://people.debian.org/~paultag
>  `-     http://people.debian.org/~paultag/conduct-statement.txt
>

For what it’s worth Thomas and Maxime, removing the old versions from PyPI
is likely to be a bad idea. An increasing number of deployers have stopped
relying on system packages and install either from source or from PyPI. If
they’re creating frozen lists of dependencies, you *will* break them.
While I agree that those distributions are violating the license, I think
it is a mistake that no one believes is malicious and which no one will
actually chase after you for. If you’re very concerned about it, you can
create updated releases of all of those packages (for PyPI). If you have
version 1.2.3, you can release version 1.2.3.post1 to indicate that the
source code itself didn’t exactly change but some metadata was added or
fixed. Pip should then, if I recall correctly, select 1.2.3.post1 over
1.2.3.

Cheers,
Ian
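As an added example (not code from the thread, the xstatic project or Debian), a check a packager can run on an sdist before upload: it searches the tarball's members for the Expat permission notice text itself, so a "License: MIT" header line in the JS file is correctly reported as not enough. The file paths and contents are constructed stand-ins modelled on the files named in the thread, and the notice text is abridged to the clauses the check looks for.

```python
import io
import tarfile

# Two clauses of the MIT/Expat permission notice quoted in the thread. A header
# line "License: MIT" names the license; it is not the notice the license requires.
NOTICE_MARKERS = (
    "Permission is hereby granted, free of charge",
    "this permission notice shall be included",
)

# Constructed stand-ins for the package contents described in the thread.
JS_HEADER = "/*\n * angular-ui-bootstrap\n * Version: 0.11.0 - 2014-05-01\n * License: MIT\n */\n"
INIT_PY = "DISPLAY_NAME = 'Angular-Bootstrap'\nLICENSE = '(same as %s)' % DISPLAY_NAME\n"
EXPAT_NOTICE = (  # abridged to the clauses the check looks for
    "Permission is hereby granted, free of charge, to any person obtaining a copy\n"
    "of this software [...] subject to the following conditions:\n\n"
    "The above copyright notice and this permission notice shall be included in\n"
    "all copies or substantial portions of the Software.\n"
)
AS_UPLOADED = {
    "xstatic/pkg/angular_bootstrap/__init__.py": INIT_PY,
    "xstatic/pkg/angular_bootstrap/data/angular-bootstrap.js": JS_HEADER,
}
REPACKED = dict(AS_UPLOADED, LICENSE=EXPAT_NOTICE)  # the repack adds the notice

def build_sdist(files):
    """Build an in-memory .tar.gz sdist from a {path: text} mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def files_with_permission_notice(sdist_bytes):
    """Return the sdist members that carry the permission notice text itself."""
    found = []
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                if all(marker in text for marker in NOTICE_MARKERS):
                    found.append(member.name)
    return found

def sdist_is_compliant(sdist_bytes):
    # Compliant only if at least one shipped file contains the notice.
    return bool(files_with_permission_notice(sdist_bytes))
```

Run against a real sdist by reading the .tar.gz bytes from disk and passing them to files_with_permission_notice; an empty result is the condition that got the Debian upload rejected.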


