On Wed, Jan 17, 2024 at 5:57 PM Mark Wielaard <mark@xxxxxxxxx> wrote: > > > I have no attachment to RPM-style > > > license tags, though Red Hat finds them marginally useful for some > > > purposes. > > > > What are the purposes for which Red Hat finds the spec license tags > > useful? > > I am still interested in this because I think it will help people > understand why they are doing all this work. I think there may be some confusion here. Red Hat originally developed RPMs as a packaging technology and from what I understand, from an early period there was a data field in spec files for licensing information (IIRC it was originally "Copyright:" rather than "License:"). Many other packaging technologies attempt to document licensing information. Some are worse than others. When I say that Red Hat finds spec file License tags useful for some things, this has nothing to do with the adoption of SPDX license expressions in License tags; the usefulness predates that recent development by many years. That said, for those uses, the adoption of SPDX license expressions makes the License tags significantly more useful because it is associated with an improvement in the quality of the data. (This has something to do with the nature of SPDX license expressions but it also has to do with the process bringing about a wave of active review of licensing information in Fedora packages.) Also, to be clear, Fedora's adoption of SPDX identifiers is *not* being done to help Red Hat, except to the extent that Red Hat is a major sponsor of and contributor to Fedora. That said, RPM License tags are sometimes used for these purposes at Red Hat: (1) Naturally, people have always used them as a quick way of assessing the license of a package (for example, as a highly flawed method of answering the question "How many packages in Fedora/RHEL use LGPLv3" and so forth). Of course this sort of use isn't specific to Red Hat. (2) Red Hat historically published so-called package manifests for RHEL that were basically lists of RPMs with the content of the License: field. Nowadays I think the equivalent is provided in SBOM format. (3) Some Red Hat partners and customers are interested in licensing details at the level of the package and for RPM-based products or portions of products the usual way of producing this information is to provide the content of the License: field for each RPM. I think that's it. My view is that by switching to SPDX license expressions, along with changes we've made to Fedora legal documentation, we are making major improvements to the quality and sophistication of this kind of information. But if I thought it was only something that would benefit downstream product derivatives of Fedora I wouldn't support it. This all makes it sound like I'm a fan of SPDX so I hope people understand I'm not. Basically, SPDX is the worst license representation system we have, but I begrudgingly accept that it's better than all the others. I think my colleagues on the Fedora Legal team *are* authentic fans of SPDX. :) > I am slightly surprised Red Hat (and Fedora) finds the SPDX > indetifiers as license tags/expression language useful. I thought that > making sure the company/project always complies with, and makes sure > that all users can easily comply with, the licenses by distributing > the complete, corresponding source code and build scripts (in the > srpm) is way simpler and effective. We don't use the License: tags for purposes of license compliance, so these two things are not in conflict. Red Hat indeed normally approaches license compliance by providing the corresponding source code, and this is also true of Fedora. The usefulness is for non-compliance-related activities. I think some of the confusion may relate to the fact that in the industry, in open source-related contexts, "compliance" somehow came to mean, as a colleague once put it, "making lists of stuff", which is very puzzling. But anyway this has nothing to do with Red Hat, or Fedora. It's very legitimate to ask why we have License tags at all, but few people have asked that. We didn't invent the practice in 2022; it existed in some form for decades (or at least as far back as the early years of Fedora, offhand I don't know if it originates in the Red Hat Linux era). In adopting SPDX license expressions, as I see it, the justification was basically, "if we're going to continue this long-established practice of having License tags, we might as well use the least bad license representation system". But in saying all this I realize I am continuing to conflate the two main uses of SPDX license expressions (or at least SPDX license identifier conventions) in Fedora. We don't just use SPDX identifiers in License tags. Our original 2022 documentation was really confusing about this, probably because *we* were initially confused about it, and I've tried to make a lot of changes to clear this up. We more fundamentally use SPDX identifiers as a classification system in approving and disapproving particular licenses, some of which would never normally be used in a License tag. When we say a given license is allowed, or not allowed, we have to define more or less precisely what we mean by that license, and SPDX (for all its many faults) provides the best system I know of for doing that. Richard -- _______________________________________________ legal mailing list -- legal@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to legal-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/legal@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
