On Thu, Aug 24, 2023 at 02:15:21PM -0400, Richard Fontana wrote:
> On Mon, Aug 21, 2023 at 7:04 AM Florian Weimer <fweimer@xxxxxxxxxx> wrote:
> > Below, I'm collecting a list of observations of what I believe is the
> > current approach in this area, as taken by package maintainers carrying
> > out the SPDX conversion. To me, it strongly suggests that the SPDX
> > identifiers we derive today do not accurately reflect binary RPM package
> > licensing, even when lots of package maintainers put in the extra effort
> > to determine binary package licenses.
> >
> > * Most package maintainers probably assume that License: tags on all
> >   built RPMs (source RPMs and binary RPMs) should reflect binary package
> >   contents, at least when all subpackages are considered in aggregate.
> >   Often, Source RPMs contain the same License: line as binary RPMs.
>
> This is the most important issue I was hoping to raise, if we mean the
> same thing.
>
> When I look randomly at spec files of Fedora packages, I begin to
> suspect that most Fedora package maintainers must have always ignored
> this directive and have continued to ignore it after the rule was
> recast in the post-July-2022 docs. In *most* cases of packages other
> than possibly those coming from ecosystems or historical contexts
> featuring highly uncomplicated licensing structures, there will be
> some differences in the makeup of binary packages from a built source
> code licensing standpoint. I only rarely see attempts to reflect this
> via multiple License: fields. While in the scheme of things I only
> look at a small sample of Fedora packages I suspect they are
> representative.
>
> I can conclude one of two things:
> 1. The license of the binary rule is too hard for most Fedora package
> maintainers to comply with.
> 2. Fedora package maintainers are unaware of the rule and are
> substituting their own intuition, which I think must be something like
> "each RPM should have one License: field that reflects the makeup of
> all the binary RPMs without attempting to distinguish among them".

FWIW, I was not even aware that it was possible to have multiple License
fields, one per sub-RPM. I suspect many people will be in the same boat,
because if it is used, it is very rare.

With regards,
Daniel
-- 
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|