Re: effective license (was: SPDX Statistics - R.U.R. edition)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Daniel P. Berrangé wrote:
> On Tue, Sep 19, 2023 at 08:06:45AM +0200, Björn Persson wrote:
> > Richard Fontana wrote:  
> > > I basically don't recognize "effective license" as a valid concept. I
> > > see people using it, perhaps increasingly, but I never see any
> > > definition of what it means.  
> > 
> > Here's an attempt at a definition of "effective license":
> > 
> > Suppose I have a package with several source files, some of which are
> > licensed as GPL-2.0-or-later and others as GPL-3.0-or-later. All the
> > source files are compiled into a single executable file.
> > 
> > GPL-3.0-or-later does not allow me to convey the executable as
> > GPL-2.0-only. GPL-2.0-or-later allows me to convey it as GPL-3.0-only
> > or a hypothetical later version. Thus the executable is – effectively –
> > covered by the terms of GPL-3.0-or-later. I'd say that the effective
> > license of the executable is GPL-3.0-or-later.
> > 
> > If license x allows replacing itself with license y, then (x AND y)
> > simplifies into y. The effective license of a combined work is y.  
> 
> The problem I have with this kind of "effective" analysis is that
> it can lead to a rather misleading presentation of the license
> of a package.
> 
> Consider that the package has 10,000 source files, of which
> 9999 are GPL-2.0-or-later, and 1 is GPL-3.0-or-later. Lets say
> the 9999 files are compiled into 1 binary, and the single 3.0
> file is compiled into 2nd binary.

Then the effective license of binary 1 is GPL-2.0-or-later, and the
effective license of binary 2 is GPL-3.0-or-later.

> The effective analysis rule
> says we should express the license of the RPM package as
> GPL-3.0-or-later, even though the overwhealming majority of
> the package is GPL-2.0-or-later.

To prevent misunderstandings like that, I included the following
paragraph in my previous message:

> > All of the above applies only when sources under different licenses are
> > combined to form a program or library based on those sources. It does
> > not apply when a package contains multiple separate programs under
> > different licenses. SPDX expressions don't make that distinction.  

Because two separate binaries under different licenses do not simplify
into one binary under one license, the best way that SPDX can express
the licenses in your package is "GPL-2.0-or-later AND GPL-3.0-or-later".

> I view that as intentionally
> misleading on the part of Fedora, so am very happy we dropped
> the effective analysis practice for RPM spec license tags.

Has anyone actually argued in favor of such misrepresentation of
licenses, or are you just knocking down strawmen?

> It also had a result of changing license changes on rebases
> to new versions, even if the existing binaries were not
> changed. eg libfoo.so was GPL-2.0-or-later, and then a new
> release added a libbar.so as GPL-3.0-or-later. The RPM package
> would have to be changed to say 3.0-or-later by effective
> license doctrine, despite the pre-existing libfoo.so (that
> everyone currently uses) remaining 2.0-or-later.

If the new version of libfoo were linked to libbar, and you take the
stance that dynamic linking makes a "covered work" in the GPL sense the
same way as static linking does, then that would make GPL-3.0-or-later
the effective license of libfoo. In that case it would be correct to
change the license field of the RPM package to GPL-3.0-or-later.

If libfoo were not linked to libbar, or if dynamic linking does not make
a "covered work" (which seems to be the Fedora Project's stance), then
the effective license of libfoo would remain GPL-2.0-or-later. In that
case the license field of the RPM package would become
"GPL-2.0-or-later AND GPL-3.0-or-later". To make that clear I included
the following paragraph in my previous message:

> > All of the above applies only when sources under different licenses are
> > combined to form a program or library based on those sources. It does
> > not apply when a package contains multiple separate programs under
> > different licenses. SPDX expressions don't make that distinction.  

> > If licenses x and y contradict each other, so that it's impossible to
> > comply with both, then the effective license is nil. Such a combined
> > work is not allowed.  
> 
> That would be true from the POV of a single binary, but not true
> from the POV of a package RPM spec. We aggregate the license of
> everything in the RPM, so it is valid for the RPM spec to include
> incompatible license sets.

Correct. That's why I included the following paragraph:

> > All of the above applies only when sources under different licenses are
> > combined to form a program or library based on those sources. It does
> > not apply when a package contains multiple separate programs under
> > different licenses. SPDX expressions don't make that distinction.  

Björn Persson

Attachment: pgplAaGnQJrFl.pgp
Description: OpenPGP digital signatur

_______________________________________________
legal mailing list -- legal@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to legal-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/legal@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [Gnome Users]     [KDE Users]

  Powered by Linux