Re: rust-regex-syntax package license change: added Unicode-DFS-2016 license

On Tue, Dec 13, 2022 at 1:55 AM Fabio Valentini <decathorpe@xxxxxxxxx> wrote:
>
> Hi all,
>
> With the update to the regex-syntax crate package that I'm building
> right now, the license will change from "MIT OR Apache-2.0" to "(MIT
> OR Apache-2.0) AND Unicode-DFS-2016".
>
> The project includes code that is derived from Unicode data files, and
> it already shipped a license text for the Unicode-DFS-2016 license for
> this reason - but the SPDX license string in upstream crate metadata
> doesn't reflect this fact. It also appears that the inclusion of the
> additional license file was made after the package was initially
> reviewed for Fedora, and as a result, previous versions of this
> package didn't include the Unicode license in its License tag.
>
> I have also opened an upstream discussion about this, since I believe
> that the upstream license specifier is wrong (i.e. missing " ... AND
> Unicode-DFS-2016"), but upstream developers don't appear convinced
> (even though similar changes were already made in equivalent cases for
> other Rust projects):
> https://github.com/rust-lang/regex/discussions/933
>
> This change will probably have at least some "ripple effect" across
> Rust packages in Fedora once they are rebuilt against this new
> version, since basically everything depends on the "regex" crate
> (which depends on regex-syntax), either directly, or indirectly.
>
> I'm pretty sure that this package now has the correct license tag
> (i.e. project has two parts: first part is dual-licensed "MIT OR
> Apache-2.0", second part is derived from Unicode data and is licensed
> "Unicode-DFS-2016", so the license tag should reflect *both* parts),
> but if I am wrong about this, please get my attention, so I can revert
> this change in a timely manner.

Somebody asked the Rust Foundation to clarify the equivalent case as
it applies to the Rust compiler and standard library itself:
https://github.com/rust-lang/rust/issues/98116#issuecomment-1359471815

As far as I understand it, their legal counsel's conclusion is that
crates must include the license *text* for the Unicode license, but
not to include the SPDX license identifier for it in crate metadata.
To me, this seems like "cheating" - why include the license text, but
not include the license in metadata?

As far as I understand, it's also in contradiction with what Red Hat
legal asks Fedora packagers to do for our redistributables (RPM
packages vs. Rust libraries) - which is to list all applicable
licenses in the package metadata.

Applying two separate legal standards to Rust libraries in upstream
projects vs. Fedora packages would be extremely tedious, as we
generally rely on upstream license metadata (SPDX expression) to be
correct, and automatically use upstream SPDX license expressions
verbatim for RPM packages' License tags in Fedora (unless the upstream
license metadata is believed to be "wrong", in which case manual
intervention is required).

Fabio