Bug#883731: audacious: Debian packaging has incorrect license

Nicholas D Steeves nsteeves at gmail.com
Fri Dec 8 03:39:41 UTC 2017 

Dear Debian Legal Team,

I've CCed you for my reply to this bug, because I don't have the
experience to be able to tell if Debian implicitly relicensed
Audacious as GPL-3 from 2012-2016, how potentially falling out of
BSD-2-clause license compliance might have affected this, and also how
this should be resolved.  The Debian packaging is GPL-2+, so it's
possible to move to copyright-format/1.0 if that would simplify
things.  Also, please reply to point 2. OTTO "ancient plugins...under
different licenses.  I assume audacious-plugins will also need a
copyright review.  Please CC John and I, Bug #883731, and
debian-legal as appropriate.


Hi John,

On Thu, Dec 07, 2017 at 05:15:53PM -0500, John Lindgren wrote:
> Hi Nicholas,
> 
> > On this topic, would you please update contrib/audacious.appdata.xml
> > to reflect the current Audacious license (GPL3)? It claims the
> > project_license is BSD-2-Clause.
> 
> Sorry if my initial email was unclear.  The current Audacious license *is*
> BSD 2-clause, with some exceptions:

Oh, now I see.  Sorry I wasn't familiar with Audacious' upstream
relicensing, and thank you very much for confirming for the files I
asked about.

> 1. The embedded copy of libguess (which is an external project) is under
>    a BSD 3-clause license, with a separate copyright.  I believe this is
>    not a problem so long as the libguess license is also included with
>    any distribution.
> 2. Some of the more ancient plugins are under different licenses, including
>    GPLv2+ and GPLv3.  When we relicensed the main parts of Audacious to BSD
>    around 2012, we thought it impractical to contact all of the original
>    plugin authors since some of them go back to XMMS days (20 years ago now).
>    The plugins are compiled as separate binaries, and Debian has them in a
>    separate package (audacious-plugins).
> 
> Our upstream COPYING file makes note of these exceptions, which is one
> reason why it's important for it to be included verbatim, and not replaced
> with generic BSD 2-clause text as it is in the current Debian package.

Both BSD 3-clause and BSD 2-clause allow relicensing as GPL, thus so
long as the licensing terms are complied with correctly BSD code can
perpetually and unidirectionally flow to GPL projects.  So from what I
can tell it's 100% ok for the Debian package (both src and bin) to be
GPL-3 from 2012-to-2016, and both the Debian source packages and
binaries from this time period might actually be implicitly relicensed
as GPL-3.  If so, that's history that can't be changed.  Also, I'm not
sure what debian-legal and ftpmaster's view of #2 will be in light of
the relicensing (and possible implied relicensing back to GPL-3).

On 2016-04-06 06:55:52
(commit at 124bf3bdccdac9d0eb78ce65b53c9a4ba128e052)
use-system-licenses.patch might have made Debian's implicit
relicensing invalid, not because of the deduplication patch per-se,
but because /usr/share/common-licenses/BSD is a 3-clause and not a
2-clause one like Audacious uses.  It's the same style, but is a
different license altogether...and yeah, I think one can go
BSD-2-clause to BSD-3-clause to GPL-3, but only if the original
BSD-2-clause bits aren't stripped.  I'm also unsure whether the patch
that changes the user-visible bits and the out-of-date
debian/copyright outweigh the 2-clause license that wasn't stripped
from the headers of various files.  eg: not implicitly relicensed, and
just out of date copyright plus non-compliance with 2-clause BSD.

> Regarding the plugins, I don't know the state of debian/copyright in the
> audacious-plugins package, but my main concern here is that the one in
> audacious is correct.
>
> > Conversely, what I found in debian/copyright was a project license of
> > GPL-3, with notable exceptions. eg: are really translations GPL-1+?
> 
> As I said, debian/copyright is out-of-date.  We relicensed the project
> from GPLv3 to BSD 2-clause back in 2012.  Possibly we didn't make an
> obvious enough announcement back then for Debian to take notice.

I haven't looked at audacious-plugins yet either.  Re: "is correct", I
agree, and I'm hoping the fix will be to simply synchronise with
upstream Audacious' BSD 2-clause.

> Translations are under the same license as the rest of Audacious.

Thank you for the confirmation.

> > To my eyes it looks like the upstream project license needs to be
> > clarified and disambiguated, debian/copyright needs work, and finally
> > that deduplication patch can be dropped.
> 
> Let me know if you think there are still clarifications needed upstream
> given the information I've provided here.  I'd be happy to adjust things
> as necessary.

Well, since the main Audacious project is in fact 2-clause-BSD this
is much clearer now!  Thanks again for the help.  I hope to work on
this Sunday, or after we hear back from debian-legal.

Sincerely,
Nicholas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20171207/e791f009/attachment.sig>

More information about the pkg-multimedia-maintainers mailing list