[openstack-dev] [PKG-Openstack-devel][horizon][xstatic] XStatic-Angular-Bootstrap in violation of the MIT/Expat license (forwarded from: python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes REJECTED)

Ian Cordasco ian.cordasco at RACKSPACE.COM
Tue May 5 02:31:35 UTC 2015


On 5/4/15, 18:13, "Thomas Goirand" <zigo at debian.org> wrote:

>On 05/05/2015 12:15 AM, Ian Cordasco wrote:
>> For what it’s worth Thomas and Maxime, removing the old versions from
>>PyPI
>> is likely to be a bad idea.
>
>Probably, but it's legally wrong (ie: worst case, you can be sued) to
>leave a package which is in direct violation of the license of things it
>contains.

Note: I didn’t say it was legally correct. Please don’t put words in my
mouth Thomas. You do this frequently.

>
>> An increasing number of deployers have stopped
>> relying on system packages and install either from source or from PyPI.
>>If
>> they’re creating frozen lists of dependencies, you *will* break them.
>
>I don't think we have a choice here. Or do you want to push Maxime to
>take the legal risks? I wouldn't do that...
>
>Anyway, here, we're talking about xstatic-angular-bootstrap, and it's
>safe to say that nothing else but horizon depends on it. So we should be
>fine.

Have you analyzed all of the dependencies on PyPI? Are you sure Storyboard
doesn’t depend on it? Horizon may be the only project *you* know of that
depends on it. I don’t think you, Maxime, or I can know that for certain.
Even so, Horizon is deployed in many places, and given the reliability of
system packages, it’s increasingly deployed from source.

>
>> While I agree that those distributions are violating the license, I
>>think
>> it is a mistake that no one believes is malicious and which no one will
>> actually chase after you for.
>
>Are you a lawyer? Do you have a special connection with people from
>bootstrap and angular, and they told you so?

Again with trying to put words in my mouth Thomas.

>
>> If you’re very concerned about it, you can
>> create updated releases of all of those packages (for PyPI).
>
>Even if you aren't concerned, please do create an updated release on
>PyPI so that it can be uploaded to Debian.
>
>> If you have
>> version 1.2.3, you can release version 1.2.3.post1 to indicate that the
>> source code itself didn’t exactly change but some metadata was added or
>> fixed. Pip should then, if I recall correctly, select 1.2.3.post1 over
>> 1.2.3.
>
>There's no need to do this, there are already 4 digits in XStatic
>packages. Just increasing the ultra-micro (ie: the last digit) in the
>version number is fine. I fail to see why one would need to
>over-engineer this with a .post1 suffix.

I suppose if you used pip, you’d understand why the .post1 suffix is
necessary, but you don’t care about anything other than how this affects
your packages, do you?
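The two version-handling points argued above (whether a 1.2.3.post1 release or a bump of the last digit gets picked over 1.2.3, and what happens to a frozen dependency list when an old release is deleted from the index) can be checked with a small model of PEP 440 ordering and an installer's candidate choice. This is an added example, not code from the thread, from pip, or from the xstatic project: the index contents are constructed, and `select` and `audit_pins` are illustrative helpers rather than pip's own API. It goes slightly beyond the thread by also covering `==X.Y.Z.*` prefix pins, which do accept a post-release.

```python
import re

# Minimal PEP 440 subset used here: a dotted release segment "N(.N)*" with an
# optional ".postN" suffix. Pre-releases, epochs and local versions are out of scope.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:\.post(\d+))?$")
_SPEC_RE = re.compile(r"^\s*(==|>=)\s*(\S+)\s*$")


def parse_version(text):
    """Return a sortable key (release tuple, post number) for a version string.

    Trailing zeros are dropped from the release segment so that 1.2.3 and
    1.2.3.0 compare equal, and a missing post segment is keyed as -1 so that
    1.2.3 sorts before 1.2.3.post0, matching PEP 440 ordering.
    """
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unsupported version string: {text!r}")
    release = [int(part) for part in match.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()
    post = int(match.group(2)) if match.group(2) is not None else -1
    return (tuple(release), post)


def satisfies(version, specifier):
    """Check one version against a single '==X', '==X.*' or '>=X' specifier."""
    match = _SPEC_RE.match(specifier)
    if match is None:
        raise ValueError(f"unsupported specifier: {specifier!r}")
    op, target = match.groups()
    if op == "==" and target.endswith(".*"):
        # Prefix match: the candidate's release must start with the given
        # prefix; post-releases of that prefix are matched as well.
        prefix = tuple(int(part) for part in target[:-2].split("."))
        release = parse_version(version)[0]
        release = release + (0,) * (len(prefix) - len(release))
        return release[: len(prefix)] == prefix
    if op == "==":
        # Exact match: 1.2.3.post1 does NOT satisfy ==1.2.3.
        return parse_version(version) == parse_version(target)
    return parse_version(version) >= parse_version(target)


def select(index_versions, specifier):
    """Pick the highest available version satisfying the specifier.

    Models the candidate choice an installer makes; None means the
    requirement cannot be resolved against this index at all.
    """
    matching = [v for v in index_versions if satisfies(v, specifier)]
    if not matching:
        return None
    return max(matching, key=parse_version)


def audit_pins(pins, index_versions):
    """Map each pinned requirement to what it resolves to (None = broken pin)."""
    return {pin: select(index_versions, pin) for pin in pins}


# Constructed index for a fictional package; not a record of real PyPI releases.
INDEX = ["1.2.2", "1.2.3", "1.2.3.post1"]
# The same index after the maintainer deletes the 1.2.3 release.
INDEX_AFTER_REMOVAL = [v for v in INDEX if v != "1.2.3"]


if __name__ == "__main__":
    pins = ["==1.2.3", "==1.2.3.*", ">=1.2.3"]
    print("before removal:", audit_pins(pins, INDEX))
    print("after removal: ", audit_pins(pins, INDEX_AFTER_REMOVAL))
```

Run as a script, the audit shows that `>=1.2.3` and `==1.2.3.*` move to 1.2.3.post1 on their own, while an exact `==1.2.3` pin (what a frozen requirements file contains) keeps installing the old metadata and silently turns unresolvable once 1.2.3 is deleted; a last-digit bump such as 0.11.0.2 to 0.11.0.3 sorts the same way as a post-release for ordering purposes, so the choice between the two only matters for what the pins say.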
