[openstack-dev] [PKG-Openstack-devel][horizon][xstatic] XStatic-Angular-Bootstrap in violation of the MIT/Expat license (forwarded from: python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes REJECTED)
Thomas Goirand
zigo at debian.org
Sun May 3 16:46:13 UTC 2015
Hi,
According to Paul Tagliamonte, who is from the Debian FTP master team
(which peer-reviews NEW packages in Debian before they reach the
archive) python-xstatic-angular-bootstrap cannot be uploaded as-is to
Debian because it doesn't include an Expat LICENSE file, which is in
direct violation of the license itself (i.e. anything which is shipped
using the MIT / Expat license *must* include the said license). Below is
a copy of the reply to me, after the package was rejected.
Maxime, since you're the maintainer of this xstatic package, could you
please include the Expat (aka: MIT) license inside
xstatic-angular-bootstrap, then retag and re-release the package?
Also, when this is done, I would strongly suggest fixing the
global-requirements.txt to force using the correct package, then remove
the license-infringing version from PyPI. This won't change anything for me
as long as there's a new package which fixes the licensing issue, but
legally, I don't think it's right to leave downloadable what has already
been released.
-------- Forwarded Message --------
Subject: Re: [PKG-Openstack-devel]
python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes REJECTED
Date: Sat, 2 May 2015 17:21:10 -0400
From: Paul Tagliamonte <paultag at debian.org>
Reply-To: Tracking bugs and development for OpenStack
<openstack-devel at lists.alioth.debian.org>
To: Thomas Goirand <thomas at goirand.fr>
CC: Paul Richards Tagliamonte <ftpmaster at ftp-master.debian.org>, PKG
OpenStack <openstack-devel at lists.alioth.debian.org>
On Sat, May 02, 2015 at 11:07:51PM +0200, Thomas Goirand wrote:
> Hi Paul!
>
> First of all, thanks a lot for all the package review. This is simply
> awesome, and helps me really a lot in my work!
np :)
> Well, for all XStatic projects, the habit is to use the same licensing as
> for the javascript that is packaged as Python module. So in this file:
>
> xstatic/pkg/angular_bootstrap/__init__.py
>
> you can see:
>
> LICENSE = '(same as %s)' % DISPLAY_NAME
>
> then in xstatic/pkg/angular_bootstrap/data/angular-bootstrap.js, in the
> header of the file, you may see:
>
> * angular-ui-bootstrap
> * http://angular-ui.github.io/bootstrap/
>
> * Version: 0.11.0 - 2014-05-01
> * License: MIT
>
> So, python-xstatic-angular-bootstrap uses the same Expat license.
>
> Is this enough?
So, I trust this *is* MIT/Expat licensed, but if you look at the terms
they're granting us::
| Permission is hereby granted, free of charge, to any person obtaining a copy
| of this software and associated documentation files (the "Software"), to deal
| in the Software without restriction, including without limitation the rights
| to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
| copies of the Software, and to permit persons to whom the Software is
| furnished to do so, subject to the following conditions:
|
| The above copyright notice and this permission notice shall be included in
| all copies or substantial portions of the Software.
|
| THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
| IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
| FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
| AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
| LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
| OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
| THE SOFTWARE.
The critical bit here --
| The above copyright notice and this permission notice shall be included in
| all copies or substantial portions of the Software.
The source distribution is non-compliant. They can do that since they
can't infringe on themselves. We would be infringing by distributing the
source tarball.
Just do a DFSG repack and include the license in it. That'll be great
and enough.
> Can I upload again the package? Or should I ask for a more
> clear statement from upstream (which by the way, I have met face to face,
> and I know how to ping him on Freenode...)?
Cheers,
Paul
--
.''`. Paul Tagliamonte <paultag at debian.org> | Proud Debian Developer
: :' : 4096R / 8F04 9AD8 2C92 066C 7352 D28A 7B58 5B30 807C 2A87
`. `'` http://people.debian.org/~paultag
`- http://people.debian.org/~paultag/conduct-statement.txt