On Tue, Apr 2, 2019 at 1:20 PM Richard Fontana <rfontana@xxxxxxxxxx> wrote:
On Tue, Apr 2, 2019 at 1:57 PM J Lovejoy <opensource@xxxxxxxxxxx> wrote:
>
> regarding Tom’s comment on this topic:
>
> So this is the difficulty. We know of an order of magnitude of different variants of BSD and MIT (many of which are unclassified by the OSI and SPDX). They're all functionally identical. Are you volunteering to audit all the Fedora packages to correct the license tags? I'm not. :)
>
>
> It could be possible to come up with a correlation of the Fedora tags and SPDX ids (where Fedora groups licenses under one tag, but SPDX uses different ones) and then automate updating the tags, no?
One of the problems is that in effect Fedora has a different notion of
"matching" from that of SPDX. In general, and especially seen in the
Fedora use of "BSD" and "MIT", there isn't a one-to-one correspondence
between a Fedora license identifier and an SPDX one. That's not a
theoretical problem because it's common (especially with older
codebases) to have a package consisting of source files under various
materially different BSD-like licenses, or vaguely MIT-like licenses.
One scrupulous solution would be to replace a given use of, say, "MIT"
with, in such a case, for example, "MIT-Variant-1 AND MIT-Variant-2 .
. . AND MIT-Variant-N" but no one seems to want to do that (this also
connects with the recent discussion in the SPDX community about the
potential advantages of having SPDX license identifier namespaces). A
nonscrupulous solution which seems similar in spirit to how many
developers are using SPDX identifiers today is to ignore the
complexity and decide arbitrarily, or for convenience, that you'll
describe the package in that case as "MIT", or "BSD-3-Clause", but
that is then pretty unfaithful to the SPDX system (or so it seems to
me).
Seconding this problem (which I came across in the wild last week).
Does SPDX have a notion of indicating confidence level of a scan? Or is that just derived from the reputation of whoever creates the manifest?
Luis