Re: [SPDX] Mass license change GPLv2 to GPL-2.0-only

On 6/19/24 6:07 PM, Richard Fontana wrote:
On Wed, Jun 19, 2024 at 11:58 AM Miro Hrončok <mhroncok@xxxxxxxxxx> wrote:
On 18. 06. 24 18:46, Miroslav Suchý wrote:
Hi.

I am going to do the mass change of the license from GPLv2 to GPL-2.0-only
Hi.

How do you know the License tag is not supposed to be e.g. "GPL-2.0-only AND
MIT" or similar?

Converting "GPLv2" (which could mean any number of "weaker" licenses are hidden
under the "stronger" GPL in the old notation) to "GPL-2.0-only" (which means
all the code is exactly GPL 2.0 only) cannot be done automatically.

Same for the other thread about LGPLv3 to LGPL-3.0-only conversion.
The meaning of something like "GPLv2" or "LGPLv3" in the Callaway™
(old notation) system was not consistently defined, documented or
understood. We've had some discussions about this (see legal list
threads on the so-called "effective license" concept). It is true that
under the Callaway system some package maintainers were applying some
sort of idiosyncratic effective license theory when populating license
tags, but prior to Fedora's migration to SPDX expressions I would have
asserted this was incorrect.

It should be noted btw that much (probably most) of the use of SPDX
identifiers in the open source community seems to be based on
application of various kinds of undocumented effective license
theories. So non-use of effective license theory is not an inherent
property of SPDX, at least in practice. The SPDX spec itself, and the
SPDX project, doesn't really assert an opinion on how SPDX expressions
should be used by projects (i.e., what something like `GPL-2.0-only`
*ought* to mean), at least as far as I understand. 

that is correct and I would say that is not the domain of SPDX generally as it has to do with interpretation.
In any case, I don't see any way that kind of thing could be or ever will be consistently defined across the diverse reality of "the open source community".

I'd argue that
proper use of SPDX expressions should lead to the non-use of effective
license analysis, which I guess implies that much of the use of SPDX
expressions is improper.

not improper per se - if people find a license and choose not to identify it in an SPDX expression, that isn't really something the SPDX spec has guidance about. It cuts to trust in whoever made that call or created an SPDX document.

So anyway what I think you're basically saying is that if you
automatically convert a Callaway-notation package license tag from
`GPLv2` to `GPL-2.0-only`, the resulting license tag will often be
incorrect under the current (post-Callaway/SPDX-based) system. This is
true, but I would say that in such cases the license tag should have
been viewed as incorrect under the Callaway system for at least
partially the same reasons.

Relatedly, I have had some misgivings and mixed feelings about these
mass conversions, because I have worried that the resulting situation
will make people complacent regarding the correctness of the license
tag. That is, they may assume that a converted license tag has some
sort of implied stamp of approval. However, I've mostly gotten
comfortable with the piecemeal mass conversions over time. I accept
that we'll (still) have many
inaccurate license tags, under our current documented standards, and
we'll just have to gradually try to improve them.

+1 I also had a lot of misgivings. In addition to Richard's comments, I think I've come to think that complacency is an issue no matter what and any amount of auto-conversion is not likely to make that worse or better.

I'm not sure it's really better to stick with Callaway license tags
for some longer period of time in the hope that the *first* attempt to
convert a package license tag to SPDX expressions will be relatively
accurate. I do worry that if everyone is complacent about this, Fedora
could become yet another project using SPDX expressions
inappropriately.

really don't want that!

In any case, Miro, I appreciate your observations and concerns. I think in the long run, putting in place more specific advice and better tooling for license review that is maybe even part of the packaging process would be better. Even the packages that were diligently updated to SPDX ids won't stay up-to-date over time as packages change their licenses, etc.

thanks,
Jilayne

Richard
--
_______________________________________________
legal mailing list -- legal@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to legal-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/legal@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
