First, let's be clear that Debian obviously doesn't distribute binaries built by Ubuntu. At least I would hope they don't. There are, however, tons of source packages in Debian that contain package changelog entries copied verbatimly from the corresponding Ubuntu source packages. Some of them even include Ubuntu release code names rather than the Debian ones. One would need to compare diffs of the package versions in question to be sure but I would think it's reasonable to assume that not only the changelog entries have been copied from Ubuntu but the source changes as well. It doesn't matter much who did the copying. How can you be sure that they had the right to upload to Debian under a different license? Were they even aware of the implications of Ubuntu's copyright policy? Often the Ubuntu uploader wasn't the same person as the Debian uploader. Also, Canonical employees don't own the copyright to their changes. Community packagers working on both Ubuntu and Debian packages simultaneously? Perhaps. But even if they do, will they indemnify you if Canonical thinks otherwise? At the end of the day, if you don't want to lull yourself in a false sense of security, you must assume that code has moved from Ubuntu into Debian and that this happened under Canonical's terms.
The open question is whether Canonical has a case for going after Debian or (and this seems more likely to me) someone basing their stuff on Debian. You can take your pick between copyright or trademark law. To get you into trouble under copyright law I guess it's sufficient if there's any code under a license that's liberal enough to allow Canonical to add the extra restrictions Matthew blogged about on top of it. If changes under that combined license have been imported from Ubuntu into Debian one could argue that Canonical has a case. Irrespective of the copyright policy, under a strict reading of trademark law it may be sufficient for anything in Debian to contain the string "*buntu". Whether either case stands any chance in court is not clear at all, though, but that's the point: There's a non-zero chance of success for Canonical. Thus, unless you have a large legal department and a budget to match, it's now just no longer a sane business decision to have this doubt looming over your product. You'll want to stay clear of this risk.
I believe Debian should take action. Whether that be seeking proper legal counsel as to whether or not Debian users may be affected by this (I'd sure like to be proven wrong!) and if so under what conditions and to what extent. Or whether it be removing code with problematic license status and any Ubuntu trademarks from the Debian archive just to be sure.
Power management, mobile and firmware developer on Linux. Security developer at nvidia. Ex-biologist. Content here should not be interpreted as the opinion of my employer. Also on Mastodon and Bluesky.
![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
Re: Deriving from Debian
Date: 2015-07-22 09:32 pm (UTC)The open question is whether Canonical has a case for going after Debian or (and this seems more likely to me) someone basing their stuff on Debian. You can take your pick between copyright or trademark law. To get you into trouble under copyright law I guess it's sufficient if there's any code under a license that's liberal enough to allow Canonical to add the extra restrictions Matthew blogged about on top of it. If changes under that combined license have been imported from Ubuntu into Debian one could argue that Canonical has a case. Irrespective of the copyright policy, under a strict reading of trademark law it may be sufficient for anything in Debian to contain the string "*buntu". Whether either case stands any chance in court is not clear at all, though, but that's the point: There's a non-zero chance of success for Canonical. Thus, unless you have a large legal department and a budget to match, it's now just no longer a sane business decision to have this doubt looming over your product. You'll want to stay clear of this risk.
I believe Debian should take action. Whether that be seeking proper legal counsel as to whether or not Debian users may be affected by this (I'd sure like to be proven wrong!) and if so under what conditions and to what extent. Or whether it be removing code with problematic license status and any Ubuntu trademarks from the Debian archive just to be sure.