Hi Thorsten, On Sat, Feb 05, 2022 at 12:08:03PM +0000, Thorsten Alteholz wrote: > Package: capnproto > Severity: serious > Usertags: ftp > thanks > > Hi, > > please rework your debian/copyright. Especially > > Kenton Varda > Cloudflare, Inc. > Google Inc. > Nathan C. Myers <n...@cantrip.org> > Philip Quinn > Ian Denhardt > Alexander Peslyak > > need to be mentioned. > Please also check other releases.
Thanks for the bug report. I will get the debian/copyright updated in the next upload. However, I do have a question about the severity of the bug, which implies that the package is in violation of Debian policy. First the bug severity as per https://www.debian.org/Bugs/Developer#severities: > serious > > is a severe violation of Debian policy (roughly, it violates > a must or required directive), or, in the package maintainer's or > release manager's opinion, makes the package unsuitable for release. And are the sections of Debian policy that pertain to copyright: - 2.3: https://www.debian.org/doc/debian-policy/ch-archive.html#copyright-considerations - 4.5: https://www.debian.org/doc/debian-policy/ch-source.html#copyright-debian-copyright - 12.5: https://www.debian.org/doc/debian-policy/ch-docs.html#copyright-information - 12.5.1: https://www.debian.org/doc/debian-policy/ch-docs.html#machine-readable-copyright-information In section 12.5, it states (emphasis on **should** added): > In addition, the copyright file must say where the upstream sources > (if any) were obtained, and **should** include a name or contact > address for the upstream authors. This can be the name of an > individual or an organization, an email address, a web forum or > bugtracker, or any other means to unambiguously identify who to > contact to participate in the development of the upstream source code. I believe there is ambiguity here. For this bug to be severity serious, doesn't policy need to be revised to change "should" to "must" so that it is clear that **every** upstream author **must** be enumerated in debian/copyright? If this is a requirement for software to be part of Debian, policy should say so directly. In my personal opinion, policy requiring an exhaustive debian/copyright is less useful for our users than functioning free software that correctly documents the provenance of the software, albeit perhaps not down to the detail of every individual who has ever contributed a line of code. I expect that I could trivially find thousands of source packages in the main archive for which such a requirement does not hold. But that is beside the point. The point is that I don't understand the policy basis upon which this bug is severity serious. Thank you, tony
signature.asc
Description: PGP signature
