On 7/12/07, Luis Villa <luis@xxxxxxxxxx> wrote:
> > 1) Why do we need to examine code coming from upstream updates? (E.g.
> > only to make sure the license tag spells out the correct version?)
>
> Consider a not very hypothetical hypothetical: (the details of the
> incompatibility are simplified and possibly even incorrect, because I
> have been at the office *a lot* the past three days, but the basic idea
> is there)
>
> * Samba releases a library which is GPLv3. They are upstream for
>   libsmbclient; it is their prerogative to do this.
> * Fedora packages and ships this new, GPL v3 libsmbclient.
> * Fedora rebuilds things which link against libsmbclient, but which are
>   not GPL v3.
> * Fedora distributes.
>
> Voila... a (potential, depending on the details) license violation!
>
> Here, all relevant upstreams have done the right thing, and yet Fedora
> has committed a license violation. So Fedora might wish to put into
> place review procedures which minimize the risk of this occurring.
I think this is a potentially messy enough issue that all Fedora maintainers need to make sure that they have an accurate idea of what their upstreams are doing with regard to GPLv3 and, more importantly, take a look at what the libraries your applications depend on plan to do.

And please, if you are a package maintainer and your upstream is looking at moving to GPLv3 or LGPLv3, try to ping fedora-maintainers with a note concerning the change of licensing status so people with packages that link to that library can get a heads up and talk to their upstreams.

We really need to make sure that we (as well as other distribution packagers) are keeping the lines of communication open with the upstream developers over potential licensing conflicts as individual projects make the licensing version jump.

-jef

_______________________________________________
fedora-advisory-board mailing list
fedora-advisory-board@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-advisory-board