Hello,
I have been working on a general effort to improve the new packaging guide[1]. As a general note, please consider joining me.
As part of this effort, with the help of Aaron Rainbolt[2], I have written an initial, rough draft of best practices for licensing packages in Ubuntu. This is based on our *de facto* copyright practices in Lubuntu.
You can also find a changelog and Git history here[3], with a rendered copy of the draft pull request here[4].
I would like to open this up for general comment from the Ubuntu Archive Admins and other Ubuntu Developers, then ask the Ubuntu Archive Admins to officially ratify it before it is merged into the packaging guide.
The Ubuntu Archive Admins may consider escalating this to the Technical Board for approval, at their discretion. That being said, I would like all relevant parties to participate, and come to an agreement before it is merged.
If something like this already exists, which parts need to be included? Is there anything factually incorrect or misleading in the text below? Do you know of good examples that should be included as a reference?
Most importantly, I am unsure about the specific requirements for a package to be moved to Multiverse or Restricted. I have never uploaded a brand new source package to either, to my recollection.
Lastly, the intent of this is to clarify existing procedures around licensing in Ubuntu. Could we please save discussion on actually changing those standards for another thread?
The full text, as it currently stands:
===== START RST-FORMATTED TEXT =====
Copyright and Licensing
=======================
Ubuntu is a collection of free and open source software. As such, it is
critical to ensure the licensing of our packages is reviewed carefully.
It is important to verify a package's :file:`debian/copyright` file when
creating patches, updating to new upstream releases, and creating new packages
altogether. Understanding copyright can be a time-consuming task, but being
conscious of licensing standards broadens your perspective on how software may
interact.
DEP-5 and Copyright Files
-------------------------
Ubuntu and Debian use the `DEP-5 standard <https://dep-team.pages.debian.net/deps/dep5/>`_
for tracking copyright references in packages. Per Debian Policy `4.5 <https://www.debian.org/doc/debian-policy/ch-source.html#copyright-debian-copyright>`_,
`12.5 <https://www.debian.org/doc/debian-policy/ch-docs.html#s-copyrightfile>`_, and
`2.3 <https://www.debian.org/doc/debian-policy/ch-archive.html#s-pkgcopyright>`_
(which should be considered as the Single Source Of Truth for policy regarding
copyright files), every package must have a copyright file. While DEP-5 is
technically not a hard requirement, it is best practice to use DEP-5 when
creating or updating packages.
When you should (not) rewrite a copyright file to use DEP-5
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
You **should** rewrite a copyright file to use DEP-5 if:

* you are updating to a new upstream version in an Ubuntu-only package.
* you are updating to a new upstream version in a package that is in both
  Debian and Ubuntu, and you are sending the delta upstream to Debian.
* a package you maintain in Debian does not use DEP-5.

You **should not** rewrite a copyright file to use DEP-5 if:

* you are performing a Stable Release Update, except in the case of
  documented Microrelease Exceptions.
* a package does not have an extensive Ubuntu delta and you do not plan on
  sending the change to Debian.
* there is general disagreement with the team claiming maintenance of the
  package in Ubuntu (this should be discussed on the ubuntu-devel mailing
  list).
* the package contains an extremely large number of files under different
  copyrights, and the maintenance of an accurate DEP-5 copyright file for
  the package would render further maintenance effectively impossible.
  This exception is not to be used lightly, and should be fallen back on
  only for the largest and most extremely complicated packages in Debian
  and Ubuntu, such as the Linux kernel.

Unclear Licensing and Special Cases
+++++++++++++++++++++++++++++++++++
There are several cases in which the licensing of source files is
questionable. Below you will find several examples; when in doubt about a
specific license, please review the DFSG FAQ linked in the Resources section:

* A source package which contains no licensing information is considered to be
  proprietary, and thus not eligible for inclusion in Ubuntu.
* Files licensed in the public domain still must be listed in the copyright
  file. Some jurisdictions allow copyright for software to be changed
  posthumously, so it is important to still credit authors in this case.

Copyright of Image Files
++++++++++++++++++++++++
When including image files in a source package, you should also verify there
are no embedded licenses within the `Exif data <https://en.wikipedia.org/wiki/Exif>`_
for the image. Additionally, you should also ensure the color profile is free.
(Examples of non-free color profiles include the `Adobe formats <https://www.adobe.com/support/downloads/iccprofiles/icc_eula_win_end.html>`_.)
You can use the following Bash script to determine whether an image file has
such data:
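
.. code-block:: bash

    # exiftool prints capitalised tag names ("Profile Copyright"), so the
    # match has to be case-insensitive to catch them.
    shopt -s nocasematch
    for i in *; do
        if [[ "$(exiftool "$i")" =~ (creator|copyright|license|description) ]]; then
            exiftool "$i"
        fi
    done
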
A non-free image file may output something like:

.. code-block:: ini

    Profile Creator : Hewlett-Packard
    Profile Copyright : Copyright (c) 1998 Hewlett-Packard Company
    Profile Description : Adobe RGB 1998

If there are no licensing details within the Exif data, it is assumed that it
is licensed the same as the source package or specific directory it resides in.
While this was later proved to be a false positive, you can find an example of
a non-free image (and how to inform upstreams) `here <https://github.com/lxqt/lxqt-runner/issues/241>`_.
Tools for Copyright File Verification
-------------------------------------
Many tools exist to verify the licenses in a package. You can find a current
list on the `CopyrightReviewTools Debian Wiki page <https://wiki.debian.org/CopyrightReviewTools>`_.
The most commonly used tool for this is :manpage:`licensecheck(1)`. Here is an
example of how you may use it:

.. code-block:: bash

    licensecheck --check '.*' --recursive --deb-machine --lines 0 -- *

If all else fails, you will need to manually open each file and make a
determination based on its copyright header (if there is one).
Resources
---------

* `Debian Free Software Guidelines <https://www.debian.org/social_contract.html#guidelines>`_
* `DFSG and Software License FAQ (Draft) <https://people.debian.org/~bap/dfsg-faq.html>`_
* `Licensing exercises from the Debian Developer process <https://salsa.debian.org/nm-team/nm-templates/-/blob/master/nm_pp1.txt?ref_type=heads#L48>`_

  - It can be incredibly helpful to answer these questions in your own notes,
    and ask a Debian Developer to verify your answers. Alternatively, you may
    politely ask a Debian Developer for their own answers to those questions.

* `Ubuntu open-source licenses <https://ubuntu.com/legal/open-source-licences>`_
* `Debian license information <https://www.debian.org/legal/licenses/>`_
* `DFSGLicenses on the Debian Wiki <https://wiki.debian.org/DFSGLicenses>`_
* `The Open Source Definition from OSI <https://opensource.org/osd>`_
* `debian-legal mailing list archives <https://lists.debian.org/debian-legal/>`_

===== END RST-FORMATTED TEXT =====
[1] https://github.com/canonical/ubuntu-packaging-guide
[2] Erich Eickmeyer also pointed me to some of the specific public domain topics based on past rejects.
[3] https://github.com/tsimonq2/ubuntu-packaging-guide/tree/tsimonq2/copyright-and-licensing
[4] https://canonical-ubuntu-packaging-guide--88.com.readthedocs.build/en/88/how-to/copyright-and-licensing/
Thanks,
--
Simon Quigley
simon@tsimonq2.net
@tsimonq2:ubuntu.com on Matrix
tsimonq2 on LiberaChat and OFTC
5C7A BEA2 0F86 3045 9CC8
C8B5 E27F 2CF8 458C 2FA4
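
A coverage check for the :file:`debian/copyright` review the draft above describes, as an added example that is not part of the original message or the packaging guide: it parses the ``Files`` stanzas of a DEP-5 file and reports source paths that no stanza covers, applying the DEP-5 rule that the last matching stanza wins. The function names and the sample copyright file are constructed for illustration.

```python
import re

# Constructed sample: a minimal DEP-5 debian/copyright, not from a real package.
SAMPLE_COPYRIGHT = """\
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/

Files: src/*
Copyright: 2023 Example Upstream
License: GPL-2+

Files: src/vendor/*
 icons/*.png
Copyright: 2019 Third Party
License: Expat
"""

def parse_files_stanzas(text):
    """Return [(pattern, license short name)] in the order they appear."""
    stanzas = []
    for para in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in para.splitlines():
            if line[:1].isspace() and key:        # continuation of previous field
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key = line.split(":", 1)[0].lower()
                fields[key] = line.split(":", 1)[1].strip()
        if "files" in fields:
            name = (fields.get("license") or "UNKNOWN").splitlines()[0]
            stanzas += [(pat, name) for pat in fields["files"].split()]
    return stanzas

def pattern_to_regex(pattern):
    """DEP-5 wildcards: '*' spans anything incl. '/', '?' is one char (no escapes here)."""
    return re.compile("".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern))

def license_for(path, stanzas):
    """The last matching Files stanza wins; None means path is uncovered."""
    hits = [name for pat, name in stanzas if pattern_to_regex(pat).fullmatch(path)]
    return hits[-1] if hits else None

def uncovered(paths, stanzas):
    """Paths (relative to the source root) that no Files stanza accounts for."""
    return [p for p in paths if license_for(p, stanzas) is None]
```

Paths are given relative to the source root; files the check reports as uncovered are the ones to inspect by hand or with :manpage:`licensecheck(1)`.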