On Mon, May 10, 2021 at 2:18 PM Alexander Mazuruk wrote:

> I'm writing this as I've noticed that some packages have copyright file
> filled with records for source code, while the package contains binaries.

Essentially all packages in Debian do this, with a couple of exceptions where the maintainer thought about this problem already. For example, for src:libicns I installed different copyright files in each binary package since the license is different for the library vs the utilities.

> Shouldn't those packages' COPYRIGHT contain info about final license
> that those binaries are distributed with?

In theory yes, in practice, no.

> * yes. -> should I file a bug report for such packages?

The problem is an archive-wide one that is just left unsolved, not one to be solved in individual packages.

> * no -> how can I know what license a package actually has in such
> case? Are there some officially recommended tools?

It is in theory possible to trace the translation from source to binary, but in practice it is mostly impossible. Even if you ptrace the full build process (making it much slower), there is no general way to determine what file is generated from what other file.

Fixing this would involve adding instrumentation to every compiler, build system, many different tools and probably lots of Debian packaging and upstream projects. This is a project on the order of magnitude of Bootstrappable Builds or Reproducible Builds; a multi-decade-long effort by many different people.

There are potentially benefits to this beyond copyright/license info correctness for binaries too, so it would be an interesting project, but it would be hard to convince entire communities of people to work on this.

In practice, shipping the relevant source for the binaries is likely enough to achieve license compliance, so shipping pedantically correct copyright/license info for the binaries is not necessary and shipping source is much easier to do, so that is what Debian tends to do.

> We are trying to start license compliance for Docker images and are a
> bit stumped on how to proceed with such packages in Debian-based containers.

I suggest you ship source for all the binary packages used, then add source for all the packages installed during each of their build processes. Or just ship a full Debian archive containing every source package.

--
bye,
pabs

https://wiki.debian.org/PaulWise
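
An added example, not part of the message above: one way to start on the first half of that suggestion is to derive the list of source packages (with source versions) behind the binaries installed in an image from text in the format of `/var/lib/dpkg/status`. The function names and the sample stanzas are constructed for illustration, and the sketch does not cover the packages installed during each build.

```python
import re
# Constructed sample in the format of /var/lib/dpkg/status (not from a real image).
SAMPLE_STATUS = """\
Package: icnsutils
Status: install ok installed
Source: libicns
Version: 0.8.1-3.1

Package: libfoo1
Status: install ok installed
Source: foo (1.2-3)
Version: 1.2-3+b1

Package: bar
Status: install ok installed
Version: 2.0-1
Built-Using: golang-1.15 (= 1.15.9-1)

Package: removed-pkg
Status: deinstall ok config-files
Version: 0.1-1
"""

def parse_stanzas(text):
    """Yield one dict per package stanza; continuation lines are folded in."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        yield fields

def sources_to_ship(status_text):
    """Return sorted (source, version) pairs for installed binary packages."""
    needed = set()
    for pkg in parse_stanzas(status_text):
        if pkg.get("Status") != "install ok installed":
            continue
        # Source is omitted when equal to Package; "(version)" appears only if it differs.
        m = re.fullmatch(r"(\S+)(?:\s+\((\S+)\))?", pkg.get("Source", pkg["Package"]))
        needed.add((m.group(1), m.group(2) or pkg["Version"]))
        # Built-Using names sources whose code was embedded at build time.
        for name, ver in re.findall(r"(\S+)\s+\(=\s*(\S+?)\)", pkg.get("Built-Using", "")):
            needed.add((name, ver))
    return sorted(needed)
```

Calling `sources_to_ship(open("/var/lib/dpkg/status").read())` inside a container yields `name`, `version` pairs that can be fetched as `name=version` with `apt-get source` when matching `deb-src` entries are configured.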

