[pkg-wpa-devel] Bug#718651: Built hostapd/wpasupplicant 2.1 (patch)

Thu Jun 5 23:29:42 UTC 2014

Hi

On Thursday 05 June 2014, Raphael Hertzog wrote:
> Hi,
> 
> On Wed, 04 Jun 2014, Stefan Lippers-Hollmann wrote:
> > > The Perl script (attached) took a few hours to write - there's a brick
> > > of about 60 lines to munge file moves.  Then about another hour to
> > > inspect all that output, plus poking at each file to make sure that the
> > > license change actually occured.
> > 
> > Thank you a lot, this really helps. I'll integrate your changes over 
> > the next few days after some further local testing.
> 
> I'm glad that this got sorted out but I wanted to point out that
> you are actually too demanding of yourself in terms of what to put in
> debian/copyright.
> 
> You don't have to document the copyright holders of each and every file.
> What truly matters is to properly distinguish the different licenses and
> the files concerned by each license.
> 
> Listing of copyright holders doesn't have to be exhaustive (it's
> impossible for big projects) and it's perfectly acceptable to group them
> for a set of files that share a common license. See how the linux
> packages uses:
> 
> Files: *
> Copyright: 1991-2012 Linus Torvalds and many others
> License: GPL-2

I'm aware of debian/copyright implementations like this and linux is 
certainly in a particularly bad situation when it comes to doing a 
complete copyright audit (it's all available, but just too exhaustive 
to even start documenting it). But not every package gets this carte 
blanche.

The better question however would be, if a package like this would be 
able to pass NEW[1] (as wpa had to for 1.0-1 - and it will have to pass
through binary-NEW in the not too distant future again). While wpa
certainly has a non-trivial copyright status, recent history has shown
that ftp-master requests complete documentation for debian/copyright
even from much larger/ more complex packages than wpa. Just look at
chromium(-browser) or kfreebsd{9,10,11} for comparison, which were
REJECTed within the last few years, until the missing attributions
were added.

So, does wpa need to have a machine readable debian/copyright, 
certainly not, as DEP-5 is just non-binding advice. Would it be easier
to forget about DEP-5 and use a more free-form listing of copyright 
attribution? Quite likely yes, but would it be so much easier to make
a significant difference? This answer is less easy to answer, probably
it would be a "yes" after larger changes/ code movement like this time,
but that's less obvious for more incremental changes like 0.7.x --> 
1.x where diff(1) or git diff can do most of the job. 

The level of difficulty for doing a sufficient documentation for 
debian/copyright is less depending on DEP-5's syntax (although a few
changes later in the DEP-5 process certainly led to quite some useless 
busy-work - and it's certainly rather verbose), nor is it doing the 
mechanical listing (although there is a significant margin of error
regarding false negatives, when contributors get inventive regarding
anti-spam methods). The difficulty is in cleaning up the listings and 
collating information into useable chunks, like you mentioned 
historical mail addresses for the same copyright holder, collating 
files into groups and dealing with unclear attributions or IP takeovers
(like Qualcomm buying Atheros). These issues are independent of the 
preferred syntax for debian/copyright - and while it would be easier
to ignore these and just continue with a mechanical listing for version
'n', it's poses more of a problem for version 'n+1' (assuming 
incremental, rather than monumental, changes).

Regards
	Stefan Lippers-Hollmann

[1]	Yes, src:linux has to go through binary-NEW every ~3 months.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.alioth.debian.org/pipermail/pkg-wpa-devel/attachments/20140606/5093ca79/attachment.sig>