Hi Richard, On Sun, 2023-12-10 at 12:23 -0500, Richard Fontana wrote: > On Sat, Dec 9, 2023 at 6:48 PM Mark Wielaard <mark@xxxxxxxxx> wrote: > > > > SPDX is community-driven project. Under Linux Foundation. With all > > > materials open and all decisions done in public. > > > > Even if it is, then it is still problematic to request Fedora > > contributors to file issues in these external third-pary proprietary > > trackers. > > I agree that this is problematic though we are already using a > third-party proprietary system (gitlab.com) to host the Fedora License > Data repository, so does the fact that SPDX is hosted on GitHub really > make things materially worse? (Surely the fact that gitlab is open > core shouldn't make much of a difference for use of their hosted > version, though I get the sense that > some people feel this way.) I personally wouldn't be opposed to > hosting Fedora License Data on pagure.io (or finding some other FOSS > solution) but I think some others on the team would. :) > > If anyone objects to direct use of GitHub, we can file issues on their > behalf. Same goes for anyone who objects to gitlab.com. I'll make a > note to put this in the Fedora legal documentation. I do think it is problematic (ironic?) for Fedora legal to use these proprietary platforms. The only reason I even could use the gitlab.com thing was because I happen to have a corporate account created for me. I got the impression the discussion on the mailinglist was stuck so did use the discussion going. But in my normal setup I couldn't even access it because there is some kind of Cloudflare block. > But this is a concern I had too - when we started this I was worried > about SPDX taking too long to review issues coming from Fedora. This > has actually not turned out to be a significant problem in practice. > The delays in the process have had more to do with things on our side. > > > Fedora always reviewed > > more licenses than either of them, and I doubt the SPDX project will > > either. > > Over the past year and a half, I believe SPDX has made an > unprecedented expansion of the SPDX license list and this is mostly > due to SPDX accommodating issues from Fedora. That is good to hear. Sorry for my skepticism. But I still think this double indirection isn't a good thing. It would be so much better if the spdx team just engaged on the fedora legal list. Now we have various outstanding questions which first have to go through gitlab.com and then through github.com causing a lot of noise/confusion imho. > Also, SPDX is a standard that does not lock us in to the SPDX license > list. We can bypass the SPDX license list inclusion process by using > Fedora-defined `LicenseRef-` identifiers, and indeed we have done this > in quite a few cases (including for allowed licenses). The current > policy is to aim for SPDX license list inclusion at least for all > Fedora-allowed FOSS licenses. This is less a benefit for Fedora than > it is for SPDX and the larger community that is likely to make > increasing use of SPDX identifiers. Also, in an extreme scenario (for > example, if the SPDX project dies out or becomes impossible to work > with) we can fork SPDX, or more precisely the limited aspects of SPDX > that are relevant to Fedora. I think there is at least some confusion (at least for myself) how we are matching these license lists, or more specifically how to map licenses to identifiers. We have tooling, but that seems either too strict or too inexact. And different people seem to interpret different kind of notices as part of a license and/or requiring new identifiers (at least the AND/OR/WITH language seems too weak to express some things). It isn't totally clear to me who is expected to make these determinations, the packager, the Fedora legal team or the SPDX team. And if being too nitpicking (which I might be) is actually in the interest of the Fedora project/users. Will reply to your comments in the gitlab issue with specifics for the case of the Hybrid-BSD (variants?) in valgrind. Cheers, Mark -- _______________________________________________ legal mailing list -- legal@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to legal-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/legal@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
