oci-seccomp-bpf-hook

Apache 2.0 license seems to be incorrectly applied

Open cavokz opened this issue 1 year ago • 2 comments

At the bottom of LICENSE it is explained how to apply the Apache 2.0 license to some work. The following text should be enclosed in source files:

   Copyright {yyyy} {name of copyright owner}

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.

I cannot find this statement in any file of this tree and I'm blocked from packaging it for Debian.

Actually no file has any copyright notice at all.

cavokz, Aug 12 '22 16:08

Please open a PR to add this notification.

rhatdan, Aug 13 '22 10:08

Do we really need to? We don’t in other projects which are already in Debian.

We should double check with legal.

On Sat 13 Aug 2022 at 12:37, Daniel J Walsh @.***> wrote:

> Please open a PR to add this notification.


vrothberg, Aug 13 '22 12:08

> Do we really need to? We don’t in other projects which are already in Debian.

Maybe it's not necessary to add the boilerplate to every file; add at least an SPDX comment to the most important ones.

My upload was rejected because I could not show who the copyright holders are; please add them somewhere. Thanks.

cavokz, Aug 15 '22 14:08

Could you add them?

rhatdan, Aug 15 '22 14:08

> Could you add them?

@rhatdan, if you are asking me, I don't know who the copyright holders are.

cavokz, Aug 16 '22 20:08

I would guess https://github.com/containers/oci-seccomp-bpf-hook/graphs/contributors

rhatdan, Aug 16 '22 21:08

Let's take a step back before opening PRs please. I do not see any such thing in Podman, for instance, which uses the same license as most of github.com/containers does.

Probably, the bot in Debian is just picking up a Copyright notice from a vendored dependency there?

I will check with legal as well.

vrothberg, Aug 22 '22 08:08

@vrothberg I conflated two issues: the Apache 2.0 license and the copyright statements. While I pointed out the first I actually care more about the second.

Indeed also Podman has virtually no copyright statements anywhere, setting aside the vendor dir and a few files (checked with git grep -i copyright | grep -v -e ^vendor). Therefore it's not clear how for Podman the Debian developer could attribute the following (from here):

Files: *
Copyright:
    2016-2019 Red Hat, Inc.
License: Apache-2.0

Likewise, it's not clear to me how I (or anybody else) could attribute any copyright to oci-seccomp-bpf-hook. Sure, I can say it's covered by Apache 2.0, but who is the holder? Red Hat Inc, you, Daniel, and/or every contributor?

Please check :)

cavokz, Aug 22 '22 09:08

Thanks for clarifying @cavokz.

I suggest attributing the copyright to the "github.com/containers/oci-seccomp-bpf-hook authors". Red Hat does not seem accurate as the community spans across Red Hat including other companies and individual contributors.

vrothberg, Aug 22 '22 09:08

Isn't it worth adding this claim somewhere in the sources as well and also clarifying who the authors are?

If I succeed in getting one line changed, do I automatically become an author and copyright holder of the whole or am I just a contributor? Would I have any say over the changes I contribute, or is everything donated to the authors?

This stuff is boring (I'm a developer myself) but it's just a matter of setting the rules of the game plainly clear for everybody to have fun.

cavokz, Aug 22 '22 10:08

Since I am just a mere mortal developer as well, I reached out to legal for guidance. I want to make sure whether the license requires us to add an explicit copyright header.

vrothberg, Aug 22 '22 12:08

In short, a copyright notice is of less legal significance, see https://opensource.com/article/20/10/copyright-notices-open-source-software.

Nonetheless, I will open a PR and add a notice to the README.

vrothberg, Aug 31 '22 11:08

> In short, a copyright notice is of less legal significance, see https://opensource.com/article/20/10/copyright-notices-open-source-software.

Interesting, I'll check with other Debian fellows whether we can simplify things.

> Nonetheless, I will open a PR and add a notice to the README.

Thanks, this will help to keep me moving now.

cavokz, Aug 31 '22 11:08