Re: License question on rewrites in different languages

On 29. 06. 23 at 16:42, Richard Fontana wrote:
On Thu, Jun 29, 2023 at 9:37 AM Vít Ondruch <vondruch@xxxxxxxxxx> wrote:

On 29. 06. 23 at 14:54, Richard Fontana wrote:
The upstream project's metadata uses the SPDX expression "MIT" for the
project's license, but includes both the license text for MIT (which
covers the "matchit" project) and the one for BSD-3-Clause (which is
the license of the "httprouter" project, which "matchit" is based on).

Following the logic from points 1 and 3, should the upstream project's
metadata use "MIT AND BSD-3-Clause" for the project license? I assume
similar reasons apply to the tarballs that the upstream project
distributes as would to the RPM packages that Fedora distributes.
Should this discrepancy (i.e. license texts for both licenses
included, but license in metadata does not) be reported / fixed in the
upstream project as well?
I checked crates.io and couldn't find any guidelines on license
metadata. I don't think I personally would bother

This is a surprising position.

Why should it be based on crates.io guidelines? I think that most of us
are struggling with licenses. Fedora is struggling with licenses. I am quite
sure crates.io is struggling with licenses.

So maybe the Fedora position should be at minimum to recommend to fix it
upstream if the time was already spent on the analysis.
I think Jilayne might agree with this. My concern is that different
packaging systems may (legitimately) have different standards for how
to document licenses in metadata, even if superficially they use the
same syntax (increasingly, SPDX). Fedora's current (and historical)
standards at least in theory are based on this binary/source
distinction, but that may not make sense for other systems. There's no
universal standard for what package license metadata should signify.
To a large extent I think the question is about what license
information should/can be *ignored* despite it being detectable
somehow in the source code of a package. SPDX could probably provide
this but I don't think it wants to.


I vaguely remember that the Rust packaging automation was approved based on the condition that there are SPDX licenses listed in metadata. I don't think any Cargo licensing guidelines were evaluated along the way. But if there was a different standard for Cargo licenses in metadata, then in Fedora, Rust packaging automation should be disabled, because we cannot trust the license information.

Being a member of the Ruby community, I don't think there is any suggestion as to what the tag in the metadata really means. It just happens there is the metadata, because it was requested. It is there by evolution, not by design. I believe that Fedora (or SPDX / LF) lead in this area would be useful (BTW there is no difference to license information in general, based on our work, the upstreams are much more knowledgeable about licenses. I have already lost my count how many "missing license" discussions with upstream I had, but there are fewer such cases than there used to be).


Vít
