On Thu, Jun 29, 2023 at 9:37 AM Vít Ondruch <vondruch@xxxxxxxxxx> wrote:
>
>
> On 29. 06. 23 at 14:54 Richard Fontana wrote:
> >> The upstream project's metadata uses the SPDX expression "MIT" for the
> >> project's license, but includes both the license text for MIT (which
> >> covers the "matchit" project) and the one for BSD-3-Clause (which is
> >> the license of the "httprouter" project, which "matchit" is based on).
> >>
> >> Following the logic from points 1 and 3, should the upstream project's
> >> metadata use "MIT AND BSD-3-Clause" for the project license? I assume
> >> similar reasons apply to the tarballs that the upstream project
> >> distributes as would to the RPM packages that Fedora distributes.
> >> Should this discrepancy (i.e. license texts for both licenses
> >> included, but license in metadata does not) be reported / fixed in the
> >> upstream project as well?
> > I checked crates.io and couldn't find any guidelines on license
> > metadata. I don't think I personally would bother
>
>
> This is a surprising position.
>
> Why should it be based on crates.io guidelines? I think that most of us
> are struggling with licenses. Fedora is struggling with licenses. I am quite
> sure crates.io is struggling with licenses.
>
> So maybe the Fedora position should be at minimum to recommend to fix it
> upstream if the time was already spent on the analysis.

I think Jilayne might agree with this. My concern is that different
packaging systems may (legitimately) have different standards for how
to document licenses in metadata, even if superficially they use the
same syntax (increasingly, SPDX). Fedora's current (and historical)
standards at least in theory are based on this binary/source
distinction, but that may not make sense for other systems. There's no
universal standard for what package license metadata should signify.

To a large extent I think the question is about what license
information should/can be *ignored* despite it being detectable
somehow in the source code of a package. SPDX could probably provide
this but I don't think it wants to.

Richard