oci-seccomp-bpf-hook
Apache 2.0 license seems to be incorrectly applied
At bottom of LICENSE is explained how to apply the Apache 2.0 license to some work. The following text should be enclosed in source files:
Copyright {yyyy} {name of copyright owner}
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
I cannot find this statement in any file of this tree and I'm blocked from packaging it for Debian.
Actually no file has any copyright notice at all.
Please open a PR to add this notification.
Do we really need to? We don’t in other projects which are already in Debian.
We should double check with legal.
On Sat 13 Aug 2022 at 12:37, Daniel J Walsh @.***> wrote:
> Please open a PR to add this notification.
> Do we really need to? We don’t in other projects which are already in Debian.

Maybe it's not necessary to add the boilerplate to every file; add at least an SPDX comment to the most important ones.
My upload was rejected because I could not show who the copyright holders are; please add them somewhere. Thanks.
Could you add them?
> Could you add them?

@rhatdan, if you are asking me, I don't know who the copyright holders are.
I would guess https://github.com/containers/oci-seccomp-bpf-hook/graphs/contributors
Let's take a step back before opening PRs please. I do not see any such thing in Podman, for instance, which uses the same license as most of github.com/containers does.
Probably, the bot in Debian is just picking up a Copyright notice from a vendored dependency there?
I will check with legal as well.
@vrothberg I conflated two issues: the Apache 2.0 license and the copyright statements. While I pointed out the first I actually care more about the second.
Indeed also Podman has virtually no copyright statements anywhere, setting aside the vendor dir and a few files (checked with git grep -i copyright | grep -v -e ^vendor). Therefore it's not clear how for Podman the Debian developer could attribute the following (from here):
Files: *
Copyright:
2016-2019 Red Hat, Inc.
License: Apache-2.0
Likewise, it's not clear to me how I (or anybody else) could attribute any copyright to oci-seccomp-bpf-hook. Sure, I can say it's covered by Apache 2.0, but who is the holder? Red Hat Inc, you, Daniel, and/or every contributor?
Please check :)
Thanks for clarifying @cavokz.
I suggest attributing the copyright to the "github.com/containers/oci-seccomp-bpf-hook authors". Red Hat does not seem accurate as the community spans across Red Hat including other companies and individual contributors.
Isn't it worth adding this claim somewhere in the sources as well and also clarifying who the authors are?
If I succeed in getting one line changed, do I automatically become an author and copyright holder of the whole, or am I just a contributor? Would I have any say over the changes I contribute, or is everything donated to the authors?
This stuff is boring (I'm a developer myself) but it's just a matter of setting the rules of the game plainly clear for everybody to have fun.
Since I am just a mere mortal developer as well, I reached out to legal for guidance. I want to make sure whether the license requires us to add an explicit copyright header.
In short, a copyright notice is of less legal significance, see https://opensource.com/article/20/10/copyright-notices-open-source-software.
Nonetheless, I will open a PR and add a notice to the README.
> In short, a copyright notice is of less legal significance, see https://opensource.com/article/20/10/copyright-notices-open-source-software.
Interesting, I'll check with other Debian fellows whether we can simplify things.
> Nonetheless, I will open a PR and add a notice to the README.
Thanks, this will help to keep me moving now.