[Fwd: [openstack-dev] Call for a clear COPYRIGHT-HOLDERS file in all OpenStack projects (and [trove] python-troveclient_0.1.4-1_amd64.changes REJECTED)]
Full thread here: http://lists.openstack.org/pipermail/openstack-dev/2013-October/thread.html#... Mark. -------- Forwarded Message --------
From: Thomas Goirand <zigo@debian.org> Reply-to: OpenStack Development Mailing List <openstack-dev@lists.openstack.org> To: OpenStack Development Mailing List <openstack-dev@lists.openstack.org> Subject: [openstack-dev] Call for a clear COPYRIGHT-HOLDERS file in all OpenStack projects (and [trove] python-troveclient_0.1.4-1_amd64.changes REJECTED) Date: Sat, 19 Oct 2013 14:01:50 +0800
Hi there,
TroveClient just got rejected by Debian FTP masters. Reply from Luke Faraone is below.
In general, I would strongly advise that a clean COPYRIGHT-HOLDER file is created with the copyright holders in them. Why? Because it is hard to distinguish between authors and copyright holders, which are very distinct things. Listing the authors in debian/copyright doesn't seem to satisfy the FTP masters as well... :(
FYI, my reply was that I knew some of the authors were working for Rackspace, because I met them in Portland, and that I knew Rackspace was one of the copyright holders. Though that's of course not enough for the Debian FTP masters.
Your thoughts?
Cheers,
Thomas Goirand (zigo)
-------- Original Message -------- Subject: [Openstack-devel] python-troveclient_0.1.4-1_amd64.changes REJECTED Date: Sat, 19 Oct 2013 04:00:19 +0000 From: Luke Faraone <ftpmaster@ftp-master.debian.org> To: PKG OpenStack <openstack-devel@lists.alioth.debian.org>, Thomas Goirand <zigo@debian.org>
Dear maintainer,
debian/copyright is **not** an AUTHORS list. This package appears to be Copyright (c) 2013 Hewlett-Packard Development Company, L.P., and some other companies, not copyrighted each individual employee at HP who worked on it.
Your automated debian/copyright generation is most probably suboptimal for most packages, and is most certainly not a substitute for manual review. One missed copyright holder:
python-troveclient-0.1.4\troveclient\base.py: Copyright 2010 Jacob Kaplan-Moss
Cheers,
Luke Faraone FTP Team
===
Please feel free to respond to this email if you don't understand why your files were rejected, or if you upload new files which address our concerns.
_______________________________________________ Openstack-devel mailing list Openstack-devel@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/openstack-devel
_______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
On Mon, Oct 21, 2013 at 08:17:19AM +0100, Mark McLoughlin wrote:
Full thread here:
http://lists.openstack.org/pipermail/openstack-dev/2013-October/thread.html#...
cc'ing Thomas Goirand. I have a feeling something is being lost in the translation from Debian to OpenStack, but I'm not sure. I've read the full thread but do not understand the issue. If Debian were to insist on a complete list of all copyright holders for each of its packages, it would have to shut itself down. If there is a Debian packaging requirement that requires a package maintainer to collect all identified copyright holders into a single file, that is the package maintainer's responsibility. One of the suggestions in the thread made by someone seemed to be to make some automated mapping between an author and an affiliated organization, but this will not necessarily yield a correct identification of the copyright holder (that is true, for example, in a number of cases involving Red Hat employees). - Richard
Mark.
-------- Forwarded Message --------
From: Thomas Goirand <zigo@debian.org> Reply-to: OpenStack Development Mailing List <openstack-dev@lists.openstack.org> To: OpenStack Development Mailing List <openstack-dev@lists.openstack.org> Subject: [openstack-dev] Call for a clear COPYRIGHT-HOLDERS file in all OpenStack projects (and [trove] python-troveclient_0.1.4-1_amd64.changes REJECTED) Date: Sat, 19 Oct 2013 14:01:50 +0800
Hi there,
TroveClient just got rejected by Debian FTP masters. Reply from Luke Faraone is below.
In general, I would strongly advise that a clean COPYRIGHT-HOLDER file is created with the copyright holders in them. Why? Because it is hard to distinguish between authors and copyright holders, which are very distinct things. Listing the authors in debian/copyright doesn't seem to satisfy the FTP masters as well... :(
FYI, my reply was that I knew some of the authors were working for Rackspace, because I met them in Portland, and that I knew Rackspace was one of the copyright holders. Though that's of course not enough for the Debian FTP masters.
Your thoughts?
Cheers,
Thomas Goirand (zigo)
-------- Original Message -------- Subject: [Openstack-devel] python-troveclient_0.1.4-1_amd64.changes REJECTED Date: Sat, 19 Oct 2013 04:00:19 +0000 From: Luke Faraone <ftpmaster@ftp-master.debian.org> To: PKG OpenStack <openstack-devel@lists.alioth.debian.org>, Thomas Goirand <zigo@debian.org>
Dear maintainer,
debian/copyright is **not** an AUTHORS list. This package appears to be Copyright (c) 2013 Hewlett-Packard Development Company, L.P., and some other companies, not copyrighted each individual employee at HP who worked on it.
Your automated debian/copyright generation is most probably suboptimal for most packages, and is most certainly not a substitute for manual review. One missed copyright holder:
python-troveclient-0.1.4\troveclient\base.py: Copyright 2010 Jacob Kaplan-Moss
Cheers,
Luke Faraone FTP Team
===
Please feel free to respond to this email if you don't understand why your files were rejected, or if you upload new files which address our concerns.
_______________________________________________ Openstack-devel mailing list Openstack-devel@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/openstack-devel
_______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
_______________________________________________ legal-discuss mailing list legal-discuss@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/legal-discuss
On 2013-10-21 10:23:41 -0400 (-0400), Richard Fontana wrote: [...]
One of the suggestions in the thread made by someone seemed to be to make some automated mapping between an author and an affiliated organization, but this will not necessarily yield a correct identification of the copyright holder (that is true, for example, in a number of cases involving Red Hat employees).
That was me pontificating on some possible ways to extract the requested information, mostly pointing out that it would be complicated to implement and still not entirely accurate. One of my concerns there was with regard to contributors with concurrent multiple affiliations... but out of curiosity what's the copyright holder identification concern specific to Red Hat employees? Are their contributions not a work for hire (so that they're counted as independent contributors for the sake of copyright assignment)? -- Jeremy Stanley
On Mon, Oct 21, 2013 at 04:05:03PM +0000, Jeremy Stanley wrote:
but out of curiosity what's the copyright holder identification concern specific to Red Hat employees? Are their contributions not a work for hire (so that they're counted as independent contributors for the sake of copyright assignment)?
I don't consider it a 'concern' in this setting, but a theoretical complication. Some employees retain copyright ownership of some contributions under some circumstances. - RF
On 2013-10-21 13:03:40 -0400 (-0400), Richard Fontana wrote:
I don't consider it a 'concern' in this setting, but a theoretical complication. Some employees retain copyright ownership of some contributions under some circumstances.
Agreed, that does further increase the complication of trying to accurately map authors to potential copyright holders. -- Jeremy Stanley
Why not keep the list of assignments in a text file in a git repo, where it is easy for developer to modify. That would also ensure that the build system doesn't depend on any resources outside of the infra team's control. On Mon, Oct 21, 2013 at 1:29 PM, Jeremy Stanley <fungi@yuggoth.org> wrote:
On 2013-10-21 13:03:40 -0400 (-0400), Richard Fontana wrote:
I don't consider it a 'concern' in this setting, but a theoretical complication. Some employees retain copyright ownership of some contributions under some circumstances.
Agreed, that does further increase the complication of trying to accurately map authors to potential copyright holders. -- Jeremy Stanley
_______________________________________________ legal-discuss mailing list legal-discuss@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/legal-discuss
On 2013-10-21 14:37:33 -0400 (-0400), Doug Hellmann wrote:
Why not keep the list of assignments in a text file in a git repo, where it is easy for developer to modify. That would also ensure that the build system doesn't depend on any resources outside of the infra team's control.
Good point, though we'd still need to query the seed data from somewhere. I originally didn't suggest it because I was assuming the affiliation mapping could provide a fairly accurate representation of work-for-hire situations at different points in history for any given contributor and we wouldn't want to maintain two copies of that in different places. As the discussion evolved it seems that affiliation and copyright assignment are probably not as closely tied as I first presumed (though they might be somewhat similar). Anyway, I wasn't so much trying to suggest that we should do this, but rather point out the complexity involved it having it be anywhere close to accurate. -- Jeremy Stanley
On Mon, Oct 21, 2013 at 2:48 PM, Jeremy Stanley <fungi@yuggoth.org> wrote:
On 2013-10-21 14:37:33 -0400 (-0400), Doug Hellmann wrote:
Why not keep the list of assignments in a text file in a git repo, where it is easy for developer to modify. That would also ensure that the build system doesn't depend on any resources outside of the infra team's control.
Good point, though we'd still need to query the seed data from somewhere. I originally didn't suggest it because I was assuming the affiliation mapping could provide a fairly accurate representation of work-for-hire situations at different points in history for any given contributor and we wouldn't want to maintain two copies of that in different places. As the discussion evolved it seems that affiliation and copyright assignment are probably not as closely tied as I first presumed (though they might be somewhat similar).
Anyway, I wasn't so much trying to suggest that we should do this, but rather point out the complexity involved it having it be anywhere close to accurate.
Sure. If we do it, we have to acknowledge that it's only as accurate as the developers care to keep the database. An automatic check would just encourage them to do that. Doug
-- Jeremy Stanley
_______________________________________________ legal-discuss mailing list legal-discuss@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/legal-discuss
On Mon, 2013-10-21 at 10:23 -0400, Richard Fontana wrote:
On Mon, Oct 21, 2013 at 08:17:19AM +0100, Mark McLoughlin wrote:
Full thread here:
http://lists.openstack.org/pipermail/openstack-dev/2013-October/thread.html#...
cc'ing Thomas Goirand.
I have a feeling something is being lost in the translation from Debian to OpenStack, but I'm not sure. I've read the full thread but do not understand the issue.
Me too.
If Debian were to insist on a complete list of all copyright holders for each of its packages, it would have to shut itself down.
Indeed. And I haven't heard an explanation yet as to *why* this information is important except "a downstream policy with no clear justification requires it".
If there is a Debian packaging requirement that requires a package maintainer to collect all identified copyright holders into a single file, that is the package maintainer's responsibility.
Agree with this too ... unless this information is somehow useful and important in a broader context. Thanks, Mark.
On 10/21/2013 09:33 PM, Mark McLoughlin wrote:
On Mon, 2013-10-21 at 10:23 -0400, Richard Fontana wrote:
On Mon, Oct 21, 2013 at 08:17:19AM +0100, Mark McLoughlin wrote:
Full thread here:
http://lists.openstack.org/pipermail/openstack-dev/2013-October/thread.html#...
cc'ing Thomas Goirand.
I have a feeling something is being lost in the translation from Debian to OpenStack, but I'm not sure. I've read the full thread but do not understand the issue.
Me too.
If Debian were to insist on a complete list of all copyright holders for each of its packages, it would have to shut itself down.
Indeed.
And I haven't heard an explanation yet as to *why* this information is important except "a downstream policy with no clear justification requires it".
If there is a Debian packaging requirement that requires a package maintainer to collect all identified copyright holders into a single file, that is the package maintainer's responsibility.
Agree with this too ... unless this information is somehow useful and important in a broader context.
I just posted a flamy response to openstack-dev on the original thread. Read it if you want to read a rant. If you don't - I will summarize here: - We should not include the text of the CLA in our tarballs as was suggested. There are several reasons for this, most of which that I do not feel it's necessary, and the rest of them having to do with the fact that I still feel that our CLA is pointless and kind of embarrasing. - Debian has a policy of compiling a debian/copyright file which lists the copyright that is asserted upstream. It's annoying to make it. HOWEVER - Thomas decided that he would make a debian/copyright file that was "more accurate" than our headers. That is incorrect behavior. We, as an upstream, have produced a source tarball that asserts a certain set of information regarding copyright and license. That is what debian/copyright should contain. If it did, the FTP Masters would be fine. - If Thomas, or anyone else, feels that the copyright information in any of our files is incorrect, there is a very clearly defined process to fix it. If that happens, subsequent releases will have the updated information. I do not believe we need to prove to anyone anything about our Apache licensed software. Also, we should get rid of the CLA. Because it's pointless. Monty
On Tue, Oct 22, 2013 at 01:16:31AM +0100, Monty Taylor wrote:
- We should not include the text of the CLA in our tarballs as was suggested. There are several reasons for this, most of which that I do not feel it's necessary, and the rest of them having to do with the fact that I still feel that our CLA is pointless and kind of embarrasing.
It would certainly be strange to include the text of the CLA in the tarballs. I took a look at some Debian 'copyright' files for ASF projects, which are somewhat similar to OpenStack legally. I can only conclude that either the FTP master in question here is misinterpreting the Debian project's guidelines, or that OpenStack is being held to a stricter standard than other multiple-copyright-holder projects packaged in Debian. (There seemed to be a hint in the thread on openstack-dev that this might be intentionally so, because OpenStack is 'new'?) - RF
Richard Fontana wrote:
I took a look at some Debian 'copyright' files for ASF projects, which are somewhat similar to OpenStack legally. I can only conclude that either the FTP master in question here is misinterpreting the Debian project's guidelines, or that OpenStack is being held to a stricter standard than other multiple-copyright-holder projects packaged in Debian. (There seemed to be a hint in the thread on openstack-dev that this might be intentionally so, because OpenStack is 'new'?)
The FTP masters are the gatekeepers for new packages. They basically check that the new package is well-packaged and obeys the DFSG. Part of those checks include the presence in the packaging of a comprehensive debian/copyright file, which lists the licenses and copyright holders. This file facilitates the DFSG-compliance analysis the FTP Masters have to go through. The trick is, once a package has been accepted, it never goes through the FTP masters checks again. It belongs to its maintainer. And while the licenses are (sometimes) kept up-to-date, the copyright holders list goes stale about 5 minutes after package upload. This is why the whole thing isn't rooted in any legal or social contract requirement. If it was, it would be kept up to date. It's a process artifact, which survived only because a small of the process still goes through people that enforce it. So Monty is right, it doesn't have to be "accurate", it just has to reflect what the project asserts at the precise moment the package is proposed for Debian upload, so that a cargo-culted process checkbox can be ticked. -- Thierry Carrez (ttx)
participants (6)
-
Doug Hellmann
-
Jeremy Stanley
-
Mark McLoughlin
-
Monty Taylor
-
Richard Fontana
-
Thierry Carrez