[Pkg-rust-maintainers] rust-apple-nvram_0.2.0-1_arm64.changes REJECTED

Andreas Henriksson andreas at fatal.se
Mon Nov 20 21:49:45 GMT 2023


Hello Thorsten Alteholz,

Thanks for your review. I understand your questions might be rhetorical
and I will do another upload matching what LICENSE says unless I hear
otherwise (because to me a debian/copyright that makes ftp team happy >
a truthful debian/copyright).

I'll answer how I over-did my homework below if you're interested (and
ask some counter-questions that might help me better understand what
we're aiming for if you possibly have the time to enlighten me).

Please note that the rust crates are all part of the same source (git)
repository, so I might talk about all of them in general:
apple-nvram
asahi-nvram
asahi-btsync
asahi-wifisync
asahi-bless

You might want to just REJECT them all as they all repeat the same
pattern described below.

On Mon, Nov 20, 2023 at 06:00:10PM +0000, Thorsten Alteholz wrote:
> 
> Hi Andreas,
> 
> the MIT license mentions "The Asahi Linux Contributors".

Yes.

The "debcargo package apple-nvram" helper generates a template to start
from which can be seen here:
https://salsa.debian.org/rust-team/debcargo-conf/-/blob/master/src/apple-nvram/debian/copyright.debcargo.hint
As you can see it lists the LICENSE files as copyright by The Asahi
Linux Contributors, but * by UNKNOWN....

If this is all the information available, I don't think it's
unreasonable to extrapolate like you did that this might apply to the
entire project, but I have more info to go on....

First of all I know that The Asahi Linux project (which to the best of
my knowledge is just a made up name and not a legal entity) hosts their
projects at:
https://github.com/AsahiLinux/

The origin of apple-nvram on the other hand is from the asahi-nvram
repository living under the namespace:
https://github.com/WhatAmISupposedToPutHere/

I know from looking at incoming Pull Requests to projects under
AsahiLinux namespace that "WhatAmISupposedToPutHere" themselves is
at least attempting to be one of "The Asahi Linux Contributors" if not
already so.
I'm not sure if this person just copied the LICENSE file from one
of the AsahiLinux projects into their own project or if they're
actually intending to try to assign copyright over to what I believe
is this non-legal-entity Asahi Linux. I'm also unaware if they got
anyone's permission to do so.
If more fields of Cargo.toml had been filled out, a lot of doubts
about the intention might not have existed.

> Neither the list of contributors nor the contents of the repository mentions "Sasha Finkelstein".

Which list of contributors and which repository are you talking about
here?

If we look at what I believe is the "origin" of this source (where our
tarball was actually fetched from crates.io):
https://github.com/WhatAmISupposedToPutHere/asahi-nvram

Looking at the individual commit Authors we'll see people using what I
believe is their actual legal names.
(This is also why I put Janne Grunau as the copyright holder in
src:asahi-btsync).

We can also follow "WhatAmISupposedToPutHere"'s work and see that when
"signing off" on work according to Developer Certificate of Origin (DCO)
they are signing off their code with:
Signed-off-by: Sasha Finkelstein <...>

See for example:
https://github.com/chadmed/asahi-overlay/pull/47/commits/c2e8224049ba17447dcb016e1e475d50e9905f45


Back to apple-nvram again:
The majority of code is authored by Sasha Finkelstein as can be seen in
the individual git commits metadata.

The commits that do not have Sasha Finkelstein as author,
(except Janne Grunau - relevant only in src:asahi-btsync)
come from names that I've not seen in any of the AsahiLinux
repositories (which I've been wading through the last couple of weeks
and generally following along on progress for months), but I've not done
extensive research to completely rule them out as actual Asahi Linux
Contributors.
Some of these commits might not also be trivial enough that they probably
aren't even copyrightable, so probably not relevant from our
debian/copyright point of view.

Finally if we look at "Who is working on Asahi Linux?" on
https://asahilinux.org/about/
the list is described as "major contributors" where
Sasha "WhatAmISupposedToPutHere" Finkelstein is not listed.

> So why should he be a copyright holder?

From the background info above I believe (but might be wrong):
* Sasha Finkelstein is the legal name of the person behind the
  "WhatAmISupposedToPutHere" github account/namespace.
* Sasha Finkelstein is the author of the majority of the code and owner
  of the copyrightable work for apple-nvram and most of the asahi-nvram
  git repository except src:asahi-btsync.
* none of the code has been written on behalf of an employer (who could
  own the copyright instead of the individual author) or similar.
* The Asahi Linux Contributors is not a legal entity.
* There is no documented paper trail that the asahi-nvram repository has
  any affiliation with the Asahi Linux project.
* The metadata in the git revision history is a more accurate
  source of truth.


So some of the questions I'd be very happy if you could help me
understand are:
* Can non-legal entities be assigned copyright?
* Can anyone just claim copyright belongs to someone else?
* Does Debian accept vague copyright holder descriptions like
  "$PROJECT Contributors" (because that would make it really easy
  for my future endeavors to document things in debian/copyright)?
* Also the AsahiLinux project themselves do not use years in their
  copyright statements of their projects (see eg.
  https://github.com/AsahiLinux/speakersafetyd/blob/main/LICENSE#L1 ),
  does this mean I should not list years in debian/copyright (rather
  than extracting them from git revision history)?
* When a project like apple-nvram's LICENSE file claims copyright year is
  2022, despite a time machine would be needed since the currently
  relevant "v3" apple proprietary data format was not made public to the
  world until 2023, the reverse engineering happened in 2023 and the
  parsing code was written in 2023.
  Should I still repeat what's stated in the LICENSE file?


For the three first questions above my previous understanding was that
the Debian project did not accept documenting something as copyrighted
by for example "public domain" when the author claimed so.

For documenting years, if we extract those from git metadata, why
shouldn't we also do it with the rest of the information?
This makes me curious to look at how src:curl debian/copyright looks
as I know the upstream curl project does not include copyright years
in their copyright statements anymore.

> 
>   Thorsten
> 
> 
> 
> ===
> 
> Please feel free to respond to this email if you don't understand why
> your files were rejected, or if you upload new files which address our
> concerns.
> 

Regards,
Andreas Henriksson


