Hi all,

I've been working on updating a few Rust applications that are packaged for Fedora, and one of them (gitui) has added a new dependency on the "notify-debouncer-mini" crate. (GitHub project: https://github.com/notify-rs/notify)

However, I think the license of both the "notify-debouncer-mini" crate (which is not packaged yet) and the "notify" crate as currently packaged are possibly problematic:

The project was initially licensed "CC0-1.0", but was relicensed to "CC0-1.0 OR Artistic-2.0" with recent releases. This is reflected in the project's metadata, which claims "license = CC0-1.0 OR Artistic-2.0". However, reading the project's README, this is not accurate - old code was not relicensed, so it is still "CC0-1.0"-only, and only new code is dual-licensed as "CC0-1.0 OR Artistic-2.0":
https://github.com/notify-rs/notify#license

So if I understand this correctly, the SPDX identifier in the project metadata is wrong (should be "CC0-1.0 AND Artistic-2.0" instead).

It looks like this was not noticed when the "notify" crate in Fedora was updated to this version, and as a result, the license tag of the package is currently inaccurate (i.e. "Artistic-2.0").

Additionally, the file that includes the license text for the Artistic-2.0 license contains this additional amendment from the project's author:

"""
Copyright © 2018 Félix Saparelli

Any action relating to this license may only be brought in New Zealand.
"""

ref. https://github.com/notify-rs/notify/blob/main/LICENSE.ARTISTIC#L1-L2

I have no idea if this is a valid thing to do, but it looks at least potentially problematic.

There have been discussions about this project's license in the past (because "CC0-1.0 OR Artistic-2.0" is a very weird license for the Rust ecosystem, which almost exclusively uses "MIT", "Apache-2.0", or "MIT OR Apache-2.0" for projects).

I'm unsure how to proceed here.
The "notify" crate has already been packaged for a while, so it was not covered by the "no packages must use the 'CC0-1.0' license" rule yet, but the "notify-debouncer-mini" crate was essentially split off from the main "notify" crate, so it shares its license.

If the license terms of this project are indeed problematic, what would be the way to proceed? There is one existing application (alacritty) in Fedora that depends on this library, and the latest version of gitui (not updated yet) also added a dependency on it. It's the only popular cross-platform library for watching filesystem events, with over 700K downloads - no alternative comes close to that, so I'm not sure if recommending upstream projects to migrate to a different library would be possible.

Thanks,
Fabio