On Friday, 24 July 2020 14:40:15 CEST Stuart D Gathman wrote:
> On Fri, 24 Jul 2020, Jason Tibbitts wrote:
>
> > > Are any of the following acceptable?
> > >
> > > 1) Trust the packager to do a license review, with no reviewer
> > > verification.
>
> Definitely need a second opinion IMHO (IANAL).
>
> > > 2) Trust the output of an automated tool which attempts to detect
> > > project licenses (such as askalono).
>
> My understanding is that such tools are pretty accurate when a license
> is positively identified, and this can be a reasonable 2nd opinion.
> When the tool fails to find or confirm a license, then manual search may be
> required.
>
> > > 3) Trust the license tag from a project hosting service such as github?
> > > (I understand that the answer may depend on the hosting service.)
>
> Ask a real lawyer. I would be inclined to not trust the service, but
> it might count as "due diligence".

I want to clarify that the tool used (askalono) does not work with the GitHub "license field" but works by analysing all the files and looking for licence texts and SPDX tags.

_______________________________________________
legal mailing list -- legal@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/legal@xxxxxxxxxxxxxxxxxxxxxxx