> The upstream project's metadata uses the SPDX expression "MIT" for the > project's license, but includes both the license text for MIT (which > covers the "matchit" project) and the one for BSD-3-Clause (which is > the license of the "httprouter" project, which "matchit" is based on). > > Following the logic from points 1 and 3, should the upstream project's > metadata use "MIT AND BSD-3-Clause" for the project license? I assume > similar reasons apply to the tarballs that the upstream project > distributes as would to the RPM packages that Fedora distributes. > Should this discrepancy (i.e. license texts for both licenses > included, but license in metadata does not) be reported / fixed in the > upstream project as well? I checked crates.io and couldn't find any guidelines on license metadata. I don't think I personally would bother if I were the Fedora packager but I think you've previously explained that for Rust packages having the upstream metadata match the Fedora metadata would have some benefits on the Fedora side. So it may be worth a try. The upstream maintainer may be sympathetic to this given how they emphasize the httprouter license. Richard > On Wed, Jun 28, 2023 at 6:18 PM Fabio Valentini <decathorpe@xxxxxxxxx> wrote: > > On Wed, Jun 28, 2023 at 11:13 PM Richard Fontana <rfontana@xxxxxxxxxx> wrote: > > > > On Wed, Jun 28, 2023 at 4:44 PM <h-k-81@xxxxxxxxxxx> wrote: > > > > > > I am in the process of reviewing this package [1]. The author of the pacakge mentions "A lot of the code in this package was based on Julien Schmidt's httprouter." in the documentation and includes the license file of httprouter. > > > The thing is that httprouter is written in Go and the library, that is being packaged, is written in Rust. > > > > > > So the question here is, does the Rust library have to include and mention the license of httprouter? > > > > I think you may be asking one of more of the following questions: > > > > 1. Given that httprouter is written in Go, can we assume that the > > license of httprouter doesn't apply to this Rust crate? > > > > 2. Does the binary package need to install the httprouter license file? > > > > 3. Should the httprouter license be included in the spec file License: field? > > > > As to 1: I don't think we can assume that, no. The upstream project > > says it's based on httprouter and it could be that some of it is a > > close translation from Go to Rust. While the BSD licenses are not > > entirely clear on this issue I think you should assume that the Rust > > crate copies from httprouter in such a way that the httprouter license > > requirements are triggered. > > > > As to 2: We still don't have updated standards around how to deal with > > installation of license files and (in my opinion) the existing > > packaging guidelines on that topic don't entirely make sense. In this > > case I'd take a conservative approach and assume the httprouter > > license needs to be installed along with the rust-matchit project > > license. > > > > As to 3, this follows from 1: you should assume the License: field > > should include `BSD-3-Clause` as appropriate. > > Thanks for the explanations! (I submitted the package in question for review.) > > I only have one remaining question: > > The upstream project's metadata uses the SPDX expression "MIT" for the > project's license, but includes both the license text for MIT (which > covers the "matchit" project) and the one for BSD-3-Clause (which is > the license of the "httprouter" project, which "matchit" is based on). > > Following the logic from points 1 and 3, should the upstream project's > metadata use "MIT AND BSD-3-Clause" for the project license? I assume > similar reasons apply to the tarballs that the upstream project > distributes as would to the RPM packages that Fedora distributes. > > Should this discrepancy (i.e. license texts for both licenses > included, but license in metadata does not) be reported / fixed in the > upstream project as well? > > Fabio > _______________________________________________ legal mailing list -- legal@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to legal-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/legal@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue