On Fri, Jul 24, 2020 at 08:40:15AM -0400, Stuart D Gathman wrote:
> On Fri, 24 Jul 2020, Jason Tibbitts wrote:
> > Are any of the following acceptable?
> >
> > 1) Trust the packager to do a license review, with no reviewer
> > verification.
>
> Definitely need a second opinion IMHO (IANAL).
>
> > 2) Trust the output of an automated tool which attempts to detect
> > project licenses (such as askalono).
>
> My understanding is that such tools are pretty accurate when a license
> is positively identified, and this can be a reasonable 2nd opinion.

When the tool fails to find or confirm a license, then manual search may be
required.

The package reviewer and the person submitting the new package should be
taking the time to do this part. It's tedious, but the advantage is that we
can then trust our "normalized" license string that goes in the spec file as
capturing the licenses that apply to that particular project.

One that I have used for package reviews is:

https://github.com/nexB/scancode-toolkit

> > 3) Trust the license tag from a project hosting service such as github?
> > (I understand that the answer may depend on the hosting service.)
>
> Ask a real lawyer. I would be inclined to not trust the service, but
> it might count as "due diligence".
--
David Cantrell <dcantrell@xxxxxxxxxx>
Red Hat, Inc. | Boston, MA | EST5EDT
_______________________________________________
legal mailing list -- legal@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to legal-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/legal@xxxxxxxxxxxxxxxxxxxxxxx