[Openstack-devel] Licensing guidelines for any projects (because of: python-warlock_0.4.0-1_amd64.changes REJECTED)

Thomas Goirand zigo at debian.org
Thu Jan 31 09:02:42 UTC 2013

Dear everyone, dear Openstack contributors,

As you all can see with the email below, sent by Ansgar Burchardt, who
is one of the FTP masters team (who are doing the peer-review for the
licensing in Debian), even if a project has an attached LICENSE file
containing the Apache-2.0 license, even if we all well know that our
projects are all using the Apache-2.0 license inside Openstack, your
package might well be rejected by the Debian FTP masters.

I have absolutely no doubts that python-warlock, written by Brian
Waldon, who is one of the core devs of Glance (I hope I'm not mistaken
here...), is released under the Apache-2.0 license. But the FTP masters
at Debian may have a different view on the requirement to really trust
that a given source code is released under a specific license, and they
won't just trust my words.

Therefore, I would like to kindly request everyone to pay attention to
what is required to release a given source code under a given license.

Please do add the Apache-2.0 license header in all the source code that
you write if possible, and otherwise at least, write in a README.txt or
such, that you really do want to release your code under the license
(see below how to do that, and again, just dropping the Apache LICENSE
file seems not enough from the viewpoint of the Debian FTP masters).

Also, I have often found it very difficult to find each individual email
address which I should normally put in the debian/copyright of each
package. This isn't absolutely mandatory, but this helps a lot to get in
touch whenever needed (and it's sometimes important for QA). So please
don't hide your email address. Trying to avoid spam isn't an excuse:
set up a good anti-spam system and deal with it like everyone else...
your email will anyway go sooner or later in the hands of the bad guys,
like it or not.

Also, please don't reply that the FTP Masters are nitpicking. In some
ways, one might think this is the case, but in fact, they are absolutely
right. We are dealing here with legal matters, and legal matters require
some things to be clearly written. Think about it this way: on the
extreme case, if we don't take precautions, someone might well one day
attack SPI in court (the legal non-profit behind Debian), using some
copyright laws. The licenses and statements are there to be 100% sure of
the fact we are dealing with free software.

Remember that Canonical seems to care a lot less about such licensing
issues than we do at Debian, which we insist on remaining 100% free.

So this is a very serious subject that I'm talking about here.

All this is slowing down the upload to Debian a lot, and it's getting
really painful.

Thanks in advance for following these guidelines,

Thomas Goirand (zigo)

P.S: This is absolutely not addressed specifically to Brian Waldon, who
just happens to be yet another instance of such a problem. My intention is
to warn *everyone* here. I'm by the way writing to him privately to
address this specific package.

-------- Original Message --------
Subject: Re: [Openstack-devel] python-warlock_0.4.0-1_amd64.changes REJECTED
Date: Thu, 31 Jan 2013 08:25:09 +0100
From: Ansgar Burchardt <ansgar at debian.org>
To: Thomas Goirand <zigo at debian.org>
CC: Ansgar Burchardt <ftpmaster at debian.org>, PKG OpenStack
<openstack-devel at lists.alioth.debian.org>

On 01/31/2013 03:25 PM, Ansgar Burchardt wrote:
> Thomas Goirand <zigo at debian.org> writes:
>> On 01/31/2013 02:01 AM, Ansgar Burchardt wrote:
>>> there is no statement in the upstream source that the files are actually
>>> licensed under the terms of the Apache license.
>> Are you *sure*? There's a LICENSE file together with the upstream source
>> code. Since you don't have the package anymore, please check for it here:
> I saw the LICENSE file, however including the text of the Apache 2.0
> license doesn't mean that the project is licensed under the Apache
> license.
> In fact the Apache license even requires an explicit copyright notice in
> the license text itself:
> ----
>       "Work" shall mean the work of authorship, whether in Source or
>       Object form, made available under the License, as indicated by a
>       copyright notice that is included in or attached to the work
>       (an example is provided in the Appendix below).
> ----
> So what is missing is something similar to this:
> ----
>    APPENDIX: How to apply the Apache License to your work.
>       To apply the Apache License to your work, attach the following
>       boilerplate notice, with the fields enclosed by brackets "[]"
>       replaced with your own identifying information. (Don't include
>       the brackets!)  The text should be enclosed in the appropriate
>       comment syntax for the file format. We also recommend that a
>       file or class name and description of purpose be included on the
>       same "printed page" as the copyright notice for easier
>       identification within third-party archives.
>    Copyright [yyyy] [name of copyright owner]
>    Licensed under the Apache License, Version 2.0 (the "License");
>    you may not use this file except in compliance with the License.
>    You may obtain a copy of the License at
>        http://www.apache.org/licenses/LICENSE-2.0
>    Unless required by applicable law or agreed to in writing, software
>    distributed under the License is distributed on an "AS IS" BASIS,
>    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>    See the License for the specific language governing permissions and
>    limitations under the License.
> ----
>> There's no requirement in Debian that the license is written in each and
>> every source file as much as I know.
> No, though that is very nice to have.
> Ansgar
