Re: SPDX Statistics - R.U.R. edition

Hi Miroslav,

On Tue, Nov 28, 2023 at 08:08:38AM +0100, Miroslav Suchý wrote:
> Dne 28. 11. 23 v 0:19 Mark Wielaard napsal(a):
> >SBOMs only describe the software bill of materials, not the binary
> >packages created from them. And they don't just use a license tag, but
> 
> It does.
> 
> https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf
>
> AFAIK most common ones are Build and Analyzes which describes the
> binary packages.

I think we are talking past each other here. SBOMs are not really
relevant to projects like Fedora which already distributes the
complete and corresponding source code for all packages. SBOMs are for
people who want to get away with not doing that. Also they don't
really help with picking a License tag for our binary packages
because they don't use such a simplistic way of describing a license
for a binary.

> >I don't have any specific proposal. Lets just hope SPDX will just
> >create a new generic Hybrid-BSD variant. I do find it somewhat
> >disturbing Fedora contributors are asked to file issues in these
> >external third-party proprietary trackers.
> 
> SPDX is community-driven project. Under Linux Foundation. With all
> materials open and all decisions done in public.

Even if it is, then it is still problematic to request Fedora
contributors to file issues in these external third-party proprietary
trackers. Also we never just relied on third parties even if we
closely worked together with the FSF and OSI, Fedora always reviewed
more licenses than either of them, and I doubt the SPDX project will
either.

> I personally find it motivating. That we are collaborating on open
> standard that is used by various distributions and communities and
> not working on a NIH project.

I don't mind the SPDX project trying to create a collection of Free
Software licenses with common identifier names that can be used to
refer to them. But some of the other things they seem to promote, like
these SBOMs, feel like just setup to promote proprietary software
"based on" Free Software (without a commitment to make sure the user
will actually get the complete and corresponding source code). I
cannot say I can get very excited about that.

> >>|This example may look artificial, but I know a lot of companies
> >>that want to avoid GPL-3.0-or-later.
> >And how does that help Fedora?
> 
> If companies find it easier to use Fedora, it will get wider
> recognition and companies in exchange very often contributes back.

I don't share your optimism about companies that go out of their way
to avoid the GPL. Is getting recognition for helping companies avoid
the GPL a positive thing for Fedora?

> >I think it is a pretty standard convention and easy to automate.
> >Various source code repositories already do and show you the project's
> >license based on scanning those files.
>
> I disagree with you. E.g. most visible is GitHub, but it does that
> for only limited number of licenses https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/licensing-a-repository#disclaimer
> and very often fails when COPYING include multiple licenses.

Now at least there is something we agree on. github is certainly
something to avoid. But I don't understand how showing the actual
COPYING file, even if it contains multiple licenses covering the work
is a failure.

Cheers,

Mark
--
_______________________________________________
legal mailing list -- legal@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to legal-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/legal@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue