To who it may concern

As you know the audacity project has been recently acquired by musegroup. Since then there have been a series of changes impacting Audacity. One such change is that telemetry has been included in newer versions of audacity no the one currently in the
Debian repository for Bullseye and Sid (version 2.4.2), and has a requirement which both violates the GPLv2 license, the GPLv3 license as well as the Debian Free Software Guidelines. There has been a fork, which removes the questionable code, which can
be found here: https://github.com/cookiengineer/audacity. Here is the github issue thread explaining the license violation issue with regards to the privacy policy: https://github.com/audacity/audacity/issues/1213 What is the plan going forward, after
the release of Debian 11 (since version 2.4.2 is unaffected by the licensing isuse) in regards to Audacity in the Debian package repository? Should this GPL2 violation be reported, if so to what organization? How will it impact the audacity package in
bullseye-backports, bookworm as well as newer versions?

Looking forward towards your answers

Regards

Jorkano

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<div>To who it may concern<br></div><div dir="auto"><br></div><div dir="auto">As you know the audacity project has been recently acquired by musegroup. Since then there have been a series of changes impacting Audacity. One such change is that telemetry
has been included in newer versions of audacity no the one currently in the Debian repository for Bullseye and Sid (version 2.4.2), and has a requirement which both violates the GPLv2 license, the GPLv3 license as well as the Debian Free Software
Guidelines. There has been a fork, which removes the questionable code, which can be found here:&nbsp;<a href="https://github.com/cookiengineer/audacity">https://github.com/cookiengineer/audacity</a>. Here is the github issue thread explaining the
license violation issue with regards to the privacy policy: <a href="https://github.com/audacity/audacity/issues/1213">https://github.com/audacity/audacity/issues/1213</a> What is the plan going forward, after the release of Debian 11 (since version 2.4.
2 is unaffected by the licensing isuse) in regards to Audacity in the Debian package repository? Should this GPL2 violation be reported, if so to what organization? How will it impact the audacity package in bullseye-backports, bookworm as well as newer
versions?<br></div><div dir="auto"><br></div><div dir="auto">Looking forward towards your answers<br></div><div dir="auto"><br></div><div dir="auto">Regards<br></div><div dir="auto"><br></div><div dir="auto">Jorkano<br></div> </body>
</html>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Mon, Jul 5, 2021 at 1:15 AM <[email protected]> wrote:

there have been a series of changes impacting Audacity.

This sounds like something that should be reported as a bug against
the Debian package requesting to switch to the fork.

https://www.debian.org/Bugs/Reporting

--
bye,
pabs

https://wiki.debian.org/PaulWise

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

At a glance, while Debian shouldn't distribute it and the community should certainly fork, I'm not sure it's technically a GPL violation. Is there a clickwrap page requiring you to agree to the privacy policy to use
audacity? Does Audacity as they distribute it involve any network-related services?

GPL packages are allowed to ship with privacy policies (although they
usually don't need them), and those policies normally cover your use of
certain services alongside the software (here, telemetry services, which
you're hardly "using," but you know, use a fork). Now, you can't be
required to agree to the policy to use Audacity... that's a problem for
them, but are they requiring it? As I mentioned above -- is it
clickwrapped, or just linked to on their website?

Regards,

Daniel J. Hakimi
B.S. Philosophy, RPI 2012
B.S. Computer Science, RPI 2012
J.D. Cardozo Law 2015


On Sun, Jul 4, 2021 at 9:15 PM <[email protected]> wrote:

To who it may concern

As you know the audacity project has been recently acquired by musegroup. Since then there have been a series of changes impacting Audacity. One such change is that telemetry has been included in newer versions of audacity no the one currently in the Debian repository for Bullseye and Sid (version 2.4.2), and has a requirement which both violates the GPLv2 license, the GPLv3 license as well as the Debian Free Software Guidelines. There has
been a fork, which removes the questionable code, which can be found here: https://github.com/cookiengineer/audacity. Here is the github issue
thread explaining the license violation issue with regards to the privacy policy: https://github.com/audacity/audacity/issues/1213 What is the plan going forward, after the release of Debian 11 (since version 2.4.2 is unaffected by the licensing isuse) in regards to Audacity in the Debian package repository? Should this GPL2 violation be reported, if so to what organization? How will it impact the audacity package in
bullseye-backports, bookworm as well as newer versions?

Looking forward towards your answers

Regards

Jorkano

<div dir="ltr"><div>At a glance, while Debian shouldn&#39;t distribute it and the community should certainly fork, I&#39;m not sure it&#39;s technically a GPL violation. Is there a clickwrap page requiring you to agree to the privacy policy to use
audacity? Does Audacity as they distribute it involve any network-related services?<br></div><div><br></div><div>GPL packages are allowed to ship with privacy policies (although they usually don&#39;t need them), and those policies normally cover your
use of certain services alongside the software (here, telemetry services, which you&#39;re hardly &quot;using,&quot; but you know, use a fork). Now, you can&#39;t be required to agree to the policy to use Audacity... that&#39;s a problem for them, but
are they requiring it? As I mentioned above -- is it clickwrapped, or just linked to on their website?<br></div><div><br></div><div>Regards,</div><div><br></div><div><div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div
dir="ltr"><div><div dir="ltr"><div><div>Daniel J. Hakimi</div><div>B.S. Philosophy, RPI 2012</div><div>B.S. Computer Science, RPI 2012</div><div>J.D. Cardozo Law 2015</div></div></div></div></div></div></div><br></div></div></div><br><div class="gmail_
quote"><div dir="ltr" class="gmail_attr">On Sun, Jul 4, 2021 at 9:15 PM &lt;<a href="mailto:[email protected]">[email protected]</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">



<div>
<div>To who it may concern<br></div><div dir="auto"><br></div><div dir="auto">As you know the audacity project has been recently acquired by musegroup. Since then there have been a series of changes impacting Audacity. One such change is that telemetry
has been included in newer versions of audacity no the one currently in the Debian repository for Bullseye and Sid (version 2.4.2), and has a requirement which both violates the GPLv2 license, the GPLv3 license as well as the Debian Free Software
Guidelines. There has been a fork, which removes the questionable code, which can be found here: <a href="https://github.com/cookiengineer/audacity" target="_blank">https://github.com/cookiengineer/audacity</a>. Here is the github issue thread
explaining the license violation issue with regards to the privacy policy: <a href="https://github.com/audacity/audacity/issues/1213" target="_blank">https://github.com/audacity/audacity/issues/1213</a> What is the plan going forward, after the release
of Debian 11 (since version 2.4.2 is unaffected by the licensing isuse) in regards to Audacity in the Debian package repository? Should this GPL2 violation be reported, if so to what organization? How will it impact the audacity package in bullseye-
backports, bookworm as well as newer versions?<br></div><div dir="auto"><br></div><div dir="auto">Looking forward towards your answers<br></div><div dir="auto"><br></div><div dir="auto">Regards<br></div><div dir="auto"><br></div><div dir="auto">Jorkano<

</div> </div>

</blockquote></div>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2021/07/05 02:58, [email protected] wrote:

As you know the audacity project has been recently acquired by
musegroup. Since then there have been a series of changes impacting
Audacity. One such change is that telemetry has been included in newer versions of audacity no the one currently in the Debian repository for Bullseye and Sid (version 2.4.2), and has a requirement which both
violates the GPLv2 license, the GPLv3 license as well as the Debian Free Software Guidelines. There has been a fork, which removes the
questionable code, which can be found here: https://github.com/cookiengineer/audacity <https://github.com/cookiengineer/audacity>. Here is the github issue
thread explaining the license violation issue with regards to the
privacy policy: https://github.com/audacity/audacity/issues/1213 <https://github.com/audacity/audacity/issues/1213> What is the plan
going forward, after the release of Debian 11 (since version 2.4.2 is unaffected by the licensing isuse) in regards to Audacity in the Debian package repository? Should this GPL2 violation be reported, if so to
what organization? How will it impact the audacity package in bullseye-backports, bookworm as well as newer versions?

I still need to read both the following article and all sources properly
(along with actual audacity changes announced), but it appears that
there might be more to it, according to Ars Technica:

https://arstechnica.com/gadgets/2021/07/no-open-source-audacity-audio-editor-is-not-spyware/

-Jonathan

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

[email protected] writes:

To who it may concern

As you know the audacity project has been recently acquired by musegroup. Since then there have been a series of changes impacting Audacity. One such change is that telemetry has been included in newer versions of audacity no the one currently in the

Debian repository for Bullseye and Sid (version 2.4.2), and has a requirement which both violates the GPLv2 license, the GPLv3 license as well as the Debian Free Software Guidelines. There has been a fork, which removes the questionable code, which can
be found here: https://github.com/cookiengineer/audacity. Here is the github issue thread explaining the license violation issue with regards to the privacy policy: https://github.com/audacity/audacity/issues/1213 What is the plan going forward, after
the release of Debian 11 (since version 2.4.2 is unaffected by the licensing isuse) in regards to Audacity in the Debian package repository? Should this GPL2 violation be reported, if so to what organization? How will it impact the audacity package in
bullseye-backports, bookworm as well as newer versions?

Looking forward towards your answers

Regards

Jorkano

Here is some additional details.

Two key issues with Muse Group's new privacy policy for Audacity are the
on by default telemetry and that Audacity can no longer be used for any
purpose contradicting freedom 0.

# On by default telemetry

On by default telemetry is being introduced to Audacity. The on by
default telemetry collects IP address information, system information
and Audacity version information. <https://github.com/audacity/audacity/discussions/1225#discussioncomment-967178>
<https://github.com/audacity/audacity/discussions/1225#discussioncomment-966782>
<https://www.audacityteam.org/about/desktop-privacy-notice/>

# Freedom 0

Audacity can no longer be used for any purpose. Section 3 of the Muse
Group's new privacy policy for Audacity <https://www.audacityteam.org/about/desktop-privacy-notice/> says:

3 Minors

1 The App we provide is not intended for individuals below the age
of 13. If you are under 13 years old, please do not use the App.

This age restriction contradicts freedom 0. <http://www.gnu.org/philosophy/free-sw.en.html>

The freedom to run the program as you wish, for any purpose
(freedom 0).

This age restriction also contradicts Audacity's GPL version 2 license <https://github.com/audacity/audacity/blob/master/LICENSE.txt> which
says:

The act of running the Program is not restricted

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

"Bone" == Bone Baboon <[email protected]> writes:

Bone> Here is some additional details.

Bone> Two key issues with Muse Group's new privacy policy for
Bone> Audacity are the on by default telemetry and that Audacity can
Bone> no longer be used for any purpose contradicting freedom 0.

Bone> # On by default telemetry

Bone> On by default telemetry is being introduced to Audacity. The
Bone> on by default telemetry collects IP address information,
Bone> system information and Audacity version information.

That's not a GPL violation.
Anyone is free to modify the software to turn that off.
It's not something Debian is likely to keep. It's up to the individual maintainer though.


Bone> # Freedom 0

Bone> Audacity can no longer be used for any purpose. Section 3 of
Bone> the Muse Group's new privacy policy for Audacity
Bone> <https://www.audacityteam.org/about/desktop-privacy-notice/>
Bone> says:

>> 3 Minors
>>
>> 1 The App we provide is not intended for individuals below the
>> age of 13. If you are under 13 years old, please do not use the
>> App.

That's not a GPL violation. It's not a license restriction on the app.
It's not even a usage restriction on the app; it's a request. It seems
like it is very carefully worded to avoid falling under certain laws
without being a license restriction.

If you don't like that text, remove it from your copy of the app and
stop using any web services that privacy policy applies to.

None of the above are DFSG violations either.

Let's take DFSG 5:

5. No Discrimination Against Persons or Groups
The **license** must not discriminate against any person or group of
persons.

Emphasis added by me.
It's not a DFSG violation if the software discriminates against
persons. We aren't very fond of such discrimination and might well not package such software (or might remove such discrimination), but it's
not a DFSG violation.

I could totally stick a game in Debian that started up by popping up a
dialogue box. "Are you under 18? yes/no?" And if you click no, pops up
"This childish game is only for those under 18," and exits. That would
not be a DFSG violation. I suspect if I did that I'd get a number of RC
bugs, and generally the community would probably end up deciding Debian
didn't want to ship that game in that way.

The DFSG requires that we able to remove that discrimination if we like.
We can change the privacy policy for software we ship, at least in so
far as it affects interactions on your local system.
(We ought to respect privacy policies of web services we connect to and accurately reflect what they are).


None of the issues you are bringing up are license issues, nor do they
affect what changes Debian (or our users) can make to the software.

The Debian maintainers of the packages in question can decide which of
the upstream changes they wish to revert.
It seems likely we'll turn off telemetry by default, because we often
do.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --usp4MZZ6q3Wq9Clc6CGSTRmeI43CECmzl
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

* On 7/12/21 10:58 PM, Sam Hartman wrote:

None of the issues you are bringing up are license issues, nor do they
affect what changes Debian (or our users) can make to the software.

The Debian maintainers of the packages in question can decide which of
the upstream changes they wish to revert.
It seems likely we'll turn off telemetry by default, because we often
do.

Additionally, it doesn't look like any changes are even necessary, if I understand the material correctly:

- The telemetry code (as implemented now) is both optional and DISABLED by
default in the build system. Maintainers would need to explicitly turn it
on to be compiled/used.
- Only the builds/binaries published by Muse Group explicitly enable the
option.

Unless this situation changes, there is no need for the packagers to do anything, other than monitor changes to the build system with every new version to check if the disabled-by-default state switches to enabled-by-default.



Mihai


--usp4MZZ6q3Wq9Clc6CGSTRmeI43CECmzl--

-----BEGIN PGP SIGNATURE-----

wsF5BAABCAAjFiEEbhHQj3UzgcdE8cg8H9Yu2W4lOocFAmDtVMoFAwAAAAAACgkQH9Yu2W4lOoec 5w/9GKd7kZjiZJcSSWiKqD3LonqvHppsClEV0InOotd7bwk6lGfMDIkVtwyr60oqOaoE+L6dkEzO fGnUce8UWga+adXlNavlsQyeAXlY4t8I7bdTAvfomWH/maJpeoOSSCopPJhEw/QWzB4DvTJiF06F Idcqbkpw0sUmRm1aLOUqf0Wtwm6oqHWvcJ9O8JyiOMqFLOSzYfbk2flnXoYzPX4mKliSgE9dqULm Q7PfCnBW7xbAVe5rjRISyL7QJyfpyVviw+Zx09LE55Y08AUSAtFF3TOHOOwAXg1Ogtv4CdoUWX0C ySoBPxzMxqxBR4Y92uT0UryFxPArIZ9Th4i2/L5wMgu/QyajHHG214rb4D6iY96CV41uysq2prSb dtePOtAvFgL0LvufxW7qaCSKJRt6muHpbiSeI/p2M4epJUWAWWREvNG9EyVrfwuOgAeVdtMH67k2 8iohr9ti4PTaLcmEJRfWCgdBjVzxovVbPfnqI+n5TNBE9CkZLB1CIXxc9qskuQEbW+UVnRMbmQa6 KARIueNJzYL/dHsFfj7GqY2aQF9MvNX3i4ziOEXUTW0FQNWsQjMX2QYRucruVkGTDPeoisHFoYci 9tCFFtCQxpUQk5DlUNW/r3dgwI+kZ5I6u8BDkyAQ72qj4wCL4h07B3xLtz8BPVZXtptIw7AjGu3n xS0=
=HfWP
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)