[openstack-dev] [PKG-Openstack-devel][horizon][xstatic] XStatic-Angular-Bootstrap in violation of the MIT/Expat license (forwarded from: python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes REJECTED)

Thomas Goirand zigo at debian.org
Sun May 3 16:46:13 UTC 2015 

Hi,

According to Paul Tagliamonte, who is from the Debian FTP master team 
(which peer-reviews NEW packages in Debian before they reach the 
archive) python-xstatic-angular-bootstrap cannot be uploaded as-is to 
Debian because it doesn't include an Expat LICENSE file, which is in 
direct violation of the license itself (ie: anything which is shipped 
using the MIT / Expat license *must* include the said license). Below is 
a copy of reply to me, after the package was rejected.

Maxime, since you're the maintainer of this xstatic package, could you 
please include the Expat (aka: MIT) license inside 
xstatic-angular-bootstrap, then retag and re-release the package?

Also, when this is done, I would strongly suggest fixing the 
global-requirements.txt to force using the correct package, then remove 
license infringing version from PyPi. This wont change anything for me 
as long as there's a new package which fixes the licensing issue, but 
legally, I don't think it's right to leave downloadable what has already 
been released.

-------- Forwarded Message --------
Subject: Re: [PKG-Openstack-devel] 
python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes REJECTED
Date: Sat, 2 May 2015 17:21:10 -0400
From: Paul Tagliamonte <paultag at debian.org>
Reply-To: Tracking bugs and development for OpenStack 
<openstack-devel at lists.alioth.debian.org>
To: Thomas Goirand <thomas at goirand.fr>
CC: Paul Richards Tagliamonte <ftpmaster at ftp-master.debian.org>, PKG 
OpenStack <openstack-devel at lists.alioth.debian.org>

On Sat, May 02, 2015 at 11:07:51PM +0200, Thomas Goirand wrote:
> Hi Paul!
>
> First of all, thanks a lot for all the package review. This is simply
> awesome, and helps me really a lot in my work!

np :)

> Well, for all XStatic projects, the habit is to use the same licensing as
> for the javascript that is packaged as Python module. So in this file:
>
> xstatic/pkg/angular_bootstrap/__init__.py
>
> you can see:
>
> LICENSE = '(same as %s)' % DISPLAY_NAME
>
> then in xstatic/pkg/angular_bootstrap/data/angular-bootstrap.js, in the
> header of the file, you may see:
>
>  * angular-ui-bootstrap
>  * http://angular-ui.github.io/bootstrap/
>
>  * Version: 0.11.0 - 2014-05-01
>  * License: MIT
>
> So, python-xstatic-angular-bootstrap uses the same Expat license.
>
> Is this enough?

So, I trust this *is* MIT/Expat licensed, but if you look at the terms
they're granting us::

| Permission is hereby granted, free of charge, to any person obtaining 
a copy
| of this software and associated documentation files (the "Software"), 
to deal
| in the Software without restriction, including without limitation the 
rights
| to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
| copies of the Software, and to permit persons to whom the Software is
| furnished to do so, subject to the following conditions:
|
| The above copyright notice and this permission notice shall be included in
| all copies or substantial portions of the Software.
|
| THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
| IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
| FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT 
SHALL THE
| AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
| LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, 
ARISING FROM,
| OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
| THE SOFTWARE.

The critical bit here --

| The above copyright notice and this permission notice shall be included in
| all copies or substantial portions of the Software.

The source distribution is non-complient. They can do that since they
can't infringe on themselves. We would be infringing by distributed the
source tarball.

Just do a DFSG repack and include the license in it. That'll be great
and enough.

> Can I upload again the package? Or should I ask for a more
> clear statement from upstream (which by the way, I have met face to face,
> and I know how to ping him on Freenode...)?

Cheers,
   Paul

-- 
  .''`.  Paul Tagliamonte <paultag at debian.org>  |   Proud Debian Developer
: :'  : 4096R / 8F04 9AD8 2C92 066C 7352  D28A 7B58 5B30 807C 2A87
`. `'`  http://people.debian.org/~paultag
  `-     http://people.debian.org/~paultag/conduct-statement.txt

More information about the OpenStack-dev mailing list