Re: process for review of licenses

"Blocking on the SPDX-legal team" is the one aspect of this process
that I am somewhat worried about, and I think it might be something
unprecedented for Fedora, so it's important that people can get behind
that as an experiment. Also I went back and looked at Jilayne's
original email in this thread and I'm not sure that this was an
obvious feature of the proposal. So it's important to understand:
under this proposal, Fedora package submitters will have to wait for
an external project to make a decision, for some unspecified amount of
time, and I'm not even sure if we can say what that time period might
be based on past experience because this relationship is going to be
new for SPDX as well as for Fedora.

Probably worth keeping in mind, though, that new licenses in new
packages are *probably* going to be a relatively uncommon event,
assuming that we don't primarily use the new package process as the
means of transitioning existing approved Callaway license symbols to
SPDX-conformant identifiers.

I don't know how much delay Fedora packagers can tolerate or how fast
SPDX-legal can be. I would assume this is something new for SPDX too
-- the first time an external consumer of SPDX identifiers is
dependent on SPDX-legal acting somewhat fast. I believe we talked
(maybe this was on the spdx-legal list) about defining an SPDX-legal
decision as being the merging of a pull request at
github.com/spdx/license-list-XML, not on a formal release of a new
license list by SPDX (which I think we can agree would be unacceptable
for Fedora).

Jilayne, I think we can be confident that SPDX-legal will be efficient
enough as long as you are involved in leading it and also are involved
on the Fedora side, but it would be reasonable for Fedora community
members to wonder what will happen if one or both of those
involvements were to ever change. Maybe we should think about a backup
plan (like, if some version of the SPDX namespace proposal is adopted,
making use of that if SPDX-legal is not responsive by a certain time,
or using LicenseRef- to create SPDX-conformant identifiers that can be
altered later on to SPDX-adopted identifiers as needed).

Richard

On Thu, Jun 9, 2022 at 7:34 PM Neal Gompa <ngompa13@xxxxxxxxx> wrote:
>
> On Thu, Jun 9, 2022 at 7:06 PM Jilayne Lovejoy <jlovejoy@xxxxxxxxxx> wrote:
> >
> >
> >
> > On 6/9/22 4:27 PM, Neal Gompa wrote:
> > > On Thu, Jun 9, 2022 at 6:01 PM Jilayne Lovejoy <jlovejoy@xxxxxxxxxx> wrote:
> > >>
> > >>
> > >> On 6/8/22 12:23 PM, Neal Gompa wrote:
> > >>> On Wed, Jun 8, 2022 at 2:09 PM Richard Fontana <rfontana@xxxxxxxxxx> wrote:
> > >>>> On Wed, Jun 8, 2022 at 1:58 PM Jilayne Lovejoy <jlovejoy@xxxxxxxxxx> wrote:
> > >>>>> If the license is not on the SPDX License List, then submit the license to the SPDX-legal team at https://tools.spdx.org/app/submit_new_license/. In addition to the required information, include a note that it is under review for Fedora and a link to the related Fedora License Data Gitlab issue.
> > >>>> Shouldn't this step depend on the license actually being approved by
> > >>>> Fedora first? I guess that's more of an SPDX question than a Fedora
> > >>>> question. Do you want people to be submitting licenses to SPDX even if
> > >>>> the end result might be that Fedora classifies it as "not allowed"? Of
> > >>>> course the license might still meet SPDX's inclusion guidelines.
> > >>>>
> > >>> It should be approved by Fedora with a provisional identifier, and
> > >>> that identifier should be forwarded to SPDX. We don't want to have
> > >>> Fedora wait on SPDX.
> > >> I already responded to Richard's comment above as to why not wait on
> > >> this step, but to add to that and in light of Neal's comment about the
> > >> identifier - while "waiting on SPDX" is not ideal, we also don't want to
> > >> jump too fast to using a provisional identifier, as it's on the SPDX
> > >> legal team to ensure that identifier is not already used by another
> > >> license - pretty important aspect for all involved.
> > >>
> > > If we're already using SPDX identifiers for the basis of our license
> > > identifier list, this problem isn't going to happen.
> > well, no, this could happen if Fedora reviewed a new license, not on
> > SPDX License List and waited to submit it to SPDX License List, started
> > using a proposed identifier in the package spec file, and then SPDX
> > determined, 'oh, can't use that identifier, as it's already used' - this
> > may be unlikely, but still something I think we want to prevent.
>
> The likelihood would be very low. We can already search if an existing
> identifier is present. If not, we can make our own and submit at the
> same time. We will use the new identifier as if it's approved, since
> SPDX will eventually approve it based on our usage anyway.
>
> > >   It already
> > > doesn't happen today even with our distinctly different identifier
> > > systems. So I consider this optimization worth implementing, because
> > > SPDX legal is inherently not bound to Fedora and I don't want to add
> > > more drag to our already very slow FE-Legal process.
> > I'm not sure what you meant by SPDX legal is inherently not bound to
> > Fedora but let me add some key things for people to understand here who
> > may not be familiar with SPDX License List inclusion principles:
> > - if Fedora or even Debian have already concluded that a license meets
> > their free/open guidelines and that license is used for software
> > included in a major Linux distribution - this is pretty much a shoo-in
> > for inclusion on the SPDX License List. In other words, this makes the
> > decision-making part easy for the SPDX legal team.
> >
> > (for those on this list who are not already aware - I have been a
> > maintainer of the SPDX License List since its inception)
>
> If this is the case, then my proposal on process should be fine.
> SPDX's purpose is to document the world, Fedora's purpose is to create
> that world. My problem with us blocking on SPDX is that it punishes
> packagers for trying to ship new software by forcing them to wait on a
> group that doesn't really need to align to us if they don't want to.
>
> Moreover, we wouldn't submit a request anyway if the license isn't
> good for Fedora anyway. So it doesn't make sense to submit to SPDX
> first, but instead for us to do the process ourselves, give an
> identifier, and then submit to SPDX to let them incorporate it
> eventually.
>
>
> --
> 真実はいつも一つ!/ Always, there's only one truth!
>
_______________________________________________
legal mailing list -- legal@xxxxxxxxxxxxxxxxxxxxxxx