On Sat, Oct 28, 2023 at 6:05 PM Richard Fontana <rfontana@xxxxxxxxxx> wrote: > > On Mon, Aug 21, 2023 at 7:04 AM Florian Weimer <fweimer@xxxxxxxxxx> wrote: > > > Below, I'm collecting a list of observations of what I believe is the > > current approach in this area, as taken by package maintainers carrying > > out the SPDX conversion. To me, it strongly suggest that the SPDX > > identifiers we derive today do not accurately reflect binary RPM package > > licensing, even when lots of package maintainers put in the extra effort > > to determine binary package licenses. > > I recently noticed something that could be added to this list. There's > a package that generates a '-docs' subpackage using Doxygen. > Apparently Doxygen injects various pieces of minified JavaScript > (mostly from the jQuery ecosystem, mostly MIT-licensed) in a way that > is not obvious from analyzing the source code of the package that uses > Doxygen. I assume this must be compliant with Fedora packaging > guidelines -- although I could not verify this from reading Fedora > guidelines on bundling and JavaScript. > > Anyway, I would guess no Fedora package maintainer of a package that > has a Doxygen docs subpackage is taking this issue into account when > thinking about License: tags. Should they? This might have been the case a few years ago, but no longer. New packages often don't bother building documentation (be it with doxygen, sphinx, or rubygems), because the effort to make this work "properly" for the latest guidelines wrt/ bundling and license tags makes it very onerous. You will find many mentions of this, especially for sphinx, in recent Python package reviews, or on the mailing lists. Fabio > I am having trouble seeing > why the licensing of the Doxygen pieces should be deliberately > ignored. But I also am not sure if a Fedora package maintainer should > realistically be expected to know that this situation occurs. I was > moving toward the view that if the package build process results in > the inclusion of some licensed material from another package, this can > be ignored if (a) the inclusion occurs in huge numbers of Fedora > packages and (b) most normal Fedora installs will have the other > package. I was thinking that would take care of Florian's gcc and > glibc statically-linked startup code examples, but surely neither (a) > nor (b) apply to the Doxygen case which seems sort of analogous. _______________________________________________ legal mailing list -- legal@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to legal-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/legal@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
