[openstack-dev] [PKG-Openstack-devel][horizon][xstatic] XStatic-Angular-Bootstrap in violation of the MIT/Expat license (forwarded from: python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes REJECTED)

Thomas Goirand zigo at debian.org
Tue May 5 07:50:41 UTC 2015



On 05/05/2015 04:31 AM, Ian Cordasco wrote:
> Please don’t put words in my
> mouth Thomas. You do this frequently.

I don't think I have. Not here, not before. Please assume good faith on 
mailing lists, because it's hard to grasp the feeling on the other end. 
If you want to start an argument and feel like I've been bad with you, 
please do it privately, and I hope we'll get on together better. How 
about having a beer in Vancouver? :)

> given the reliability of
> system packages, it’s increasingly deployed from source.

WTF?!? In what way are Python packages that I maintain for OpenStack not 
reliable? Could you care to explain?

>> Are you a lawyer? Do you have a special connection with people from
>> bootstrap and angular, and they told you so?
>
> Again with trying to put words in my mouth Thomas.

I'm just pointing to the fact that you don't know, just like I don't 
either or anyone else, what the consequences can be to violate a 
license. This is unless you're a lawyer, or if you know upstream for 
Angular. I fail to see where I do put words into your mouth...

> I suppose if you used pip, you’d understand why the .post1 suffix is
> necessary

I did use pip, but I still don't understand how adding ".post1" provides 
more information. Probably I won't be the only one. Could you enlighten me?

> but you don’t care about anything other than how this affects
> your packages, do you?

I do care that everything done within the OpenStack project is done 
respecting free software licenses. This is more than just packaging in 
Debian, this is also related to ethics.

I'm pointing out the fact that there's a legal issue with the licensing 
and the distribution of a package. The plan described by Robert Collins 
is very accurate, and is just exactly what I thought should be done. 
Let's be constructive, have the issue fixed like Robert described, and 
avoid time loss (with nit-pickings), ok?

On 05/05/2015 05:29 AM, Robert Collins wrote:
 > So, we shouldn't use angular at all then, because as a js framework it's
 > distributed to users when they use the website, but the license file
 > isn't included in that distribution.

IANAL, but I don't think minified runtime use of a MIT-licensed 
Javascript has the same legal issues as shipping the source code. So 
far, I haven't seen a case where having a javascript running within your 
browser was considered as redistribution of the source code.

On 05/05/2015 08:17 AM, Matthias Runge wrote:
 > If we're not allowed to use angular (and anybody else), I wonder how
 > anyone could use it (following above logic)

Exactly my thoughts.

 > Angular.js is licensed under MIT License [1],[2]:
 > --------
 > The above copyright notice and this permission notice shall be included in
 > all copies or substantial portions of the Software.
 > --------
 >
 > question is, if our use of angular is a substantial portion of this
 > software.

I'm convinced it is. And I'm convinced we *must* ship "the above copyright 
notice and this permission notice" in our source packages, as the 
license says. If you don't trust me, please do trust the Debian FTP 
masters who are doing this every day.

Cheers,

Thomas Goirand (zigo)


