[Pkg-giraffe-discuss] z-push packaging question - licenses / lintian

Guido Günther agx at sigxcpu.org
Wed Dec 28 13:50:04 UTC 2016


Hi Roel,
On Wed, Dec 28, 2016 at 09:10:55AM +0100, Roel van Meer wrote:
> Guido Günther writes:
> 
> > > The problem is that a number of PHP files (derived from Pear files) are
> > > listed in the copyright file as having the PHP-2.02 license, and according
> > > to Lintian this license is only valid for the PHP interpreter itself, not
> > > for code written in PHP, nor for Pear modules. The specification of this
> > > license is correct, however, as this license is indeed named in the PHP
> > > files themselves.
> > >
> > > Now, when I look at official Debian packages that provide the original
> > > version of these files, then the files themselves also mention the PHP-2.02
> > > license, but the d/copyright file lists them under a different license
> > > (BSD-3-clause, or PHP 3.01).
> > 
> > "original version" sounds as if these were embedded code copies. If so
> > you can just drop them from the upstream tarball (adding a +dfsg to the
> > version number). This is also much better from a security pov.
> 
> Well, these are modified copies. So unfortunately that's not an option.

Then I suggest to upstream your changes first. This solves the licensing
issues _and_ the maintenance burden for the security team. If you don't
want to get rid of them please prepare an entry to

    https://wiki.debian.org/EmbeddedCodeCopies

You should also let the ftp masters know that you're introducing forked
versions of already existing code.
Cheers,
 -- Guido



More information about the Pkg-giraffe-discuss mailing list