include copyright information for locally built dependencies

[kfjahnke]

Recently, I tentatively added OpenImageIO support to my project - an image and panorama viewer. OpenImageIO is quickly evolving, and the package shipping with Ubuntu 20.04 is missing several features I'd like to see in the AppImage. So I built OpenImageIO from source and installed to /usr/local. Then I built the appimage and scanned the AppDir to see if the copyright for OpenImageIO was present - it wasn't. A bit of digging revealed that the copyright information is gathered by using dpkg-query - but that would only produce copyright information for packages which are installed on the system with the package manager. When I looked at the output of the build process, I noticed quite a few more WARNING messages - likely due to the fact that I also built some of OpenImageIO's dependencies from source (stuff like OpenVC and openexr).

Nevertheless, I got an AppImage which works just fine - the libraries and binary are all there - but OpenImageIO, for example, is now licensed under Apache 2 which requires people who distribute it in object format to 'give' a copy of the license to the recipient, and distributing an AppImage is certainly distributing the library in object form.

So I'm a bit at a loss what to do. I imagine I could try and gather all the copyright and licensing information 'manually' and somehow incorporate it into the AppDir, but that kind of defeats the purpose of having a tool which automates the process. Can someone here give me advice on how to get the copyright info into the AppImage?

[TheAssassin]

Right now, the deployment of copyright data is supported only on Debian and makes use of Debian's package management tools. I don't see a generic solution for self-provided libraries. Is there any reason not to just copy those files to the AppDir yourself?

We could brainstorm about a linuxdeploy plugin that handles additional copyright files, but, again, I'm not sure there's a generic solution. I don't even think CMake and its friends could be utilized for this...

[kfjahnke]

Is there any reason not to just copy those files to the AppDir yourself?

The first reason is that I like the structured approach which I see right now from the automatic extraction with a standardized process. I suppose the resulting 'copyright' files might even be machine-readable, and they all look uniform. What I find as copyright information in the libraries I use is in varying formats (e.g. .md files or plain text), and I'm unsure as to how to format them to comply with their diverse license requirements. There is a set of tools - see e.g. this list which can be used for automatic licensing/copyright extraction from entire project folders, but so far I haven't found a solution to my liking.

The second reason is the necessity to do such a thing in the first place: I saw that I could build appimages with linuxdeploy, it made working appimages but it did not initially occur to me that distributing the resulting appimages can be a breach of the license agreement if the appimage does not contain license information for a library it incorporates, which seems to be the case for every library which isn't installed via a debian package. There are the warnings in the output, but they are easy to overlook, considering the large number of libraries which may be involved.

[kfjahnke]

@TheAssassin, are you sure your copyright extraction code is doing the right thing? I dug a bit deeper and followed some of the warnings which told me that copyright information could not be found with dpkg-query, and it looks like the lookup failed, even though the copyright information is actually present. For this test, I worked on a debian12 system. I used this linuxdeploy:
https://github.com/linuxdeploy/linuxdeploy/releases/download/1-alpha-20240109-1/linuxdeploy-x86_64.AppImage
As an example, one of my dependencies is libtirpc.Running dpkg-query, I get

dpkg-query -S libtirpc | grep copyright
libtirpc3:amd64: /usr/share/doc/libtirpc3/copyright
libtirpc-common: /usr/share/doc/libtirpc-common/copyright
libtirpc-dev:amd64: /usr/share/doc/libtirpc-dev/copyright

But when I build an AppImage with linuxdeploy, I get the warning that it can't find copyright information:

...
Deploying shared library /lib/x86_64-linux-gnu/libtirpc.so.3
WARNING: Could not find copyright files for file /lib/x86_64-linux-gnu/libtirpc.so.3 using dpkg-query
...

Maybe there is something amiss with the arguments you pass to dpkg-query? If there are only a few dependencies where copyright information can't be found, I could maybe live with copying them manually into the AppDir, but for the application I am currently working on, I get 57 misses, which is a bit excessive.