• Is it allowed to remove attribution in public domain "licensed" source

    From Otto Kekäläinen@21:1/5 to All on Sat Mar 30 22:20:01 2024
    Hi!

    While reviewing xz-utils commits I noticed that a bunch of old
    copyright holder names were removed in https://salsa.debian.org/debian/xz-utils/-/commit/d1b67558cbc06c449a0ae7b7c1694e277aef4a78.

    Is it OK to do so? Having source code in the public domain means
    that there is no copyright, so no attribution required either?

    But if copyright attribution is done, each name should have a year
    next to it at least, right?

    Is it so that the debian/copyright file is reviewed by ftp-masters
    only for packages in NEW queue, and there is probably no automation in
    place to flag subsequent copyright changes for re-review?


    Pondering off-topic: I don't expect ftp-masters to have bandwidth to
    manually do anything more, so I am specifically keen to understand
    what automation is in place. Some improvements can be done in Salsa-CI
    for things that the maintainer is likely to be interested in fixing
    themselves (e.g. [1], [2]) but the most critical checks for copyright
    changes and supply-chain changes related to who is the uploader or
    what is the upstream homepage/repository address could perhaps have
    some mechanism at ftp-level that requires review/sign-off by
    additional Debian Developers, perhaps via a new review tool.

    - Otto


    [1] https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/342
    (missing git tags after upload)
    [2] https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/343
    (misconfigured upstream git branches)

  • From Jonas Smedegaard@21:1/5 to All on Sun Mar 31 09:50:01 2024
    Quoting Otto Kekäläinen (2024-03-30 22:09:46)
    > Is it so that the debian/copyright file is reviewed by ftp-masters
    > only for packages in NEW queue, and there is probably no automation in
    > place to flag subsequent copyright changes for re-review?

    It is my understanding that it is, and always has been, the
    responsibility of the _uploader_ and not ftp-masters to ensure that debian/copyright data is accurate.

    True, ftp-masters review, but we should not rely on that. Which means
    the flagging you ask about is something each package maintainer should
    (either themselves or through their choice of tooling) put in place.

    What I do is recheck for changes to copyright and licensing each
    time a package is changed to use a new upstream release. I am greatly
    helped (but do not fully trust - I also manually look at source files)
    by an automated licensecheck scan, where I keep a dump of that in the
    source package, and compare to a rescan after importing the upstream
    code but before releasing it: https://wiki.debian.org/CopyrightReviewTools#licensecheck


    - Jonas

    --
    * Jonas Smedegaard - idealist & Internet-arkitekt
    * Tlf.: +45 40843136 Website: http://dr.jones.dk/
    * Sponsorship: https://ko-fi.com/drjones

    [x] quote me freely [ ] ask before reusing [ ] keep private
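The workflow Jonas describes (keep a licensecheck dump in the source package and compare it to a rescan of the new upstream import), as an added example that is not code from either poster or from licensecheck. The dump layout, the function names `parse_dump` and `review_items`, and the sample data are assumptions made for illustration; check the layout against the output of your licensecheck version.

```python
import re

# Constructed dumps; assumed layout: "path: license", then optional "  [Copyright: a / b]".
OLD_DUMP = """\
src/codec.c: Public domain
  [Copyright: 2005 Example Author / 2007 Second Contributor]
src/util.c: GPL-2+
  [Copyright: 2010 Example Author]
"""
NEW_DUMP = """\
src/codec.c: Public domain
  [Copyright: 2005 Example Author]
src/util.c: LGPL-2.1+
  [Copyright: 2010 Example Author]
src/new.c: UNKNOWN
"""

def parse_dump(text):
    """Return {path: (license, frozenset(holders))} for one scan dump."""
    result, path = {}, None
    for line in text.splitlines():
        m = re.match(r"\s+\[Copyright: (.*)\]\s*$", line)
        if m and path is not None:
            holders = frozenset(h.strip() for h in m.group(1).split(" / ") if h.strip())
            result[path] = (result[path][0], holders)
        elif line.strip() and not line[0].isspace():
            # License names contain no ": ", so split on the last occurrence.
            path, _, lic = line.rpartition(": ")
            result[path] = (lic.strip(), frozenset())
    return result

def review_items(old_text, new_text):
    """List the differences a maintainer should inspect by hand before upload."""
    old, new = parse_dump(old_text), parse_dump(new_text)
    items = []
    for path in sorted(old.keys() | new.keys()):
        if path not in old or path not in new:
            kind = "file-added" if path in new else "file-removed"
            items.append((kind, path, (new.get(path) or old[path])[0]))
            continue
        (old_lic, old_h), (new_lic, new_h) = old[path], new[path]
        if old_lic != new_lic:
            items.append(("license-changed", path, f"{old_lic} -> {new_lic}"))
        items += [("holder-removed", path, h) for h in sorted(old_h - new_h)]
        items += [("holder-added", path, h) for h in sorted(new_h - old_h)]
    return items

if __name__ == "__main__":
    print(*review_items(OLD_DUMP, NEW_DUMP), sep="\n")
```

A non-empty result is a prompt for manual review of the listed files, not a verdict; the scan itself can miss or misread notices.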