On Tue, Apr 4, 2023 at 10:55 AM Miro Hrončok <mhroncok@xxxxxxxxxx> wrote: > > Hello, > > during a package review I came across this License tag (simplified): > > License: ((Apache-2.0 OR MIT) AND BSD-3-Clause) AND (Apache-2.0 OR MIT) > > Where "(Apache-2.0 OR MIT) AND BSD-3-Clause" is a license of one "unit" built > into the RPM and "Apache-2.0 OR MIT" is a license of another "unit". (Both > units are built into a single binary if that makes a difference.) > > Do I change that to: > > License: (Apache-2.0 OR MIT) AND BSD-3-Clause > > Or not? > > I know that we are not supposed to calculate "effective license", but in my > head they both mean the exact same thing. I guess this isn't explicitly addressed here: https://docs.fedoraproject.org/en-US/legal/license-field/ We do say: "The license expression must reflect the disjunctive license choice even if one or both of the license identifiers in the OR expression also appear separately in the composite license expression." and "A single license identifier should only appear once in an "AND" expression regardless of how many distinct source or binary components the corresponding license covers for the relevant binary RPM." and also the example: "Example: bar.rpm contains three executable utility programs. You’ve determined that two of them are each licensed under GPL version 2 only, while the third is licensed under the MIT license. The spec file would have: License: GPL-2.0-only AND MIT It would not be GPL-2.0-only AND GPL-2.0-only AND MIT, even though from an orthodox GPL interpretation standpoint there are two separate GPL-licensed "Programs" in this package." I think the debatable decision not to attempt to reflect sub-RPM "units" is key. So I think it follows from that that complex SPDX expressions should only appear once in a larger AND expression. At any rate, I think that's what the rule should be, so in your case, ((Apache-2.0 OR MIT) AND BSD-3-Clause) AND (Apache-2.0 OR MIT) should just be represented as (Apache-2.0 OR MIT) AND BSD-3-Clause However, I think something like this: (Apache-2.0 OR MIT OR Unlicense) AND BSD-3-Clause AND (Apache-2.0 OR MIT) would not "reduce" to (Apache-2.0 OR MIT OR Unlicense) AND BSD-3-Clause or (Apache-2.0 OR MIT) AND BSD-3-Clause because we are stubbornly adhering to the view that it is useful to reflect all disjunctive license expressions (if only because this was a convention in the Callaway system). Note: we are making these policies up, since the SPDX spec (rightly) does not attempt to address any of it and outside of Fedora, uses of SPDX expressions for project/package license metadata are extremely primitive and unsophisticated at present, so there are no useful practices or conventions for Fedora to draw upon. Richard _______________________________________________ legal mailing list -- legal@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to legal-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/legal@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue