Hi Miroslav, On Tue, Nov 28, 2023 at 08:08:38AM +0100, Miroslav Suchý wrote: > Dne 28. 11. 23 v 0:19 Mark Wielaard napsal(a): > >SBOMs only decribe the software bill of materials, not the binary > >packages created from them. And they don't just use a license tag, but > > It does. > > https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf > > AFAIK most common ones are Build and Analyzes which describes the > binary packages. I think we are talking past each other here. SBOMs are not really relevant to projects like Fedora which already distributes the complete and corresponding source code for all packages. SBOMs are for people who want to get away with not doing that. Also they don't really help with picking a License tag for our binary packages because as they don't use such a simplistic way of describing a license for a binary. > >I don't have any specific proposal. Lets just hope SPDX will just > >create a new generic Hybrid-BSD variant. I do find it somewhat > >disturbing Fedora contributors are asked to file issues in these > >external third-pary proprietary trackers. > > SPDX is community-driven project. Under Linux Foundation. With all > materials open and all decisions done in public. Even if it is, then it is still problematic to request Fedora contributors to file issues in these external third-pary proprietary trackers. Also we never just relied on third parties even if we closely worked together with the FSF and OSI, Fedora always reviewed more licenses than either of them, and I doubt the SPDX project will either. > I personally find it motivating. That we are collaborating on open > standard that is used by various distributions and communities and > not working on a NIH project. I don't mind the SPDX project trying to create a collection of Free Software licenses with comment identifier names that can be used to refer to them. But some of the other things they seem to promote, like these SBOMs, feel like just setup to promote proprietary software "based on" Free Software (without a commitment to make sure the user will actually get the complete and corresponding source code). I cannot say I can get very excited about that. > >>|This example may look artificial, but I know a lot of companies > >>that want to avoid GPL-3.0-or-later. > >And how does that help Fedora? > > If companies find it easier to use Fedora, it will get wider > recognition and companies in exchange very often contributes back. I don't share your optimisim about companies that go out of their way to avoid the GPL. Is getting recognition for helping companies avoid the GPL a positive thing for Fedora? > >I think it is a pretty standard convention and easy to automate. > >Various source code repositories already do and show you the project's > >license based on scanning those files. > > I disagree with you. E.g. most visible is GitHub, but it does that > for only limited number of licenses https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/licensing-a-repository#disclaimer > and very often fails when COPYING include multiple licenses. Now at least there is something we agree on. github is certainly something to avoid. But I don't understand how showing the actual COPYING file, even if it contains multiple licenses covering the work is a failure. Cheers, Mark -- _______________________________________________ legal mailing list -- legal@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to legal-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/legal@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
