On Wed, Jun 28, 2023 at 11:13 PM Richard Fontana <rfontana@xxxxxxxxxx> wrote: > > On Wed, Jun 28, 2023 at 4:44 PM <h-k-81@xxxxxxxxxxx> wrote: > > > > I am in the process of reviewing this package [1]. The author of the pacakge mentions "A lot of the code in this package was based on Julien Schmidt's httprouter." in the documentation and includes the license file of httprouter. > > The thing is that httprouter is written in Go and the library, that is being packaged, is written in Rust. > > > > So the question here is, does the Rust library have to include and mention the license of httprouter? > > I think you may be asking one of more of the following questions: > > 1. Given that httprouter is written in Go, can we assume that the > license of httprouter doesn't apply to this Rust crate? > > 2. Does the binary package need to install the httprouter license file? > > 3. Should the httprouter license be included in the spec file License: field? > > As to 1: I don't think we can assume that, no. The upstream project > says it's based on httprouter and it could be that some of it is a > close translation from Go to Rust. While the BSD licenses are not > entirely clear on this issue I think you should assume that the Rust > crate copies from httprouter in such a way that the httprouter license > requirements are triggered. > > As to 2: We still don't have updated standards around how to deal with > installation of license files and (in my opinion) the existing > packaging guidelines on that topic don't entirely make sense. In this > case I'd take a conservative approach and assume the httprouter > license needs to be installed along with the rust-matchit project > license. > > As to 3, this follows from 1: you should assume the License: field > should include `BSD-3-Clause` as appropriate. Thanks for the explanations! (I submitted the package in question for review.) I only have one remaining question: The upstream project's metadata uses the SPDX expression "MIT" for the project's license, but includes both the license text for MIT (which covers the "matchit" project) and the one for BSD-3-Clause (which is the license of the "httprouter" project, which "matchit" is based on). Following the logic from points 1 and 3, should the upstream project's metadata use "MIT AND BSD-3-Clause" for the project license? I assume similar reasons apply to the tarballs that the upstream project distributes as would to the RPM packages that Fedora distributes. Should this discrepancy (i.e. license texts for both licenses included, but license in metadata does not) be reported / fixed in the upstream project as well? Fabio _______________________________________________ legal mailing list -- legal@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to legal-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/legal@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue