[Fedora-legal-list] Re: Should I mention Build-scripts' licensing terms in a spec's License field?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




Dne 05. 08. 24 v 15:24 Richard Fontana napsal(a):
On Mon, Aug 5, 2024 at 5:40 AM Daniel P. Berrangé <berrange@xxxxxxxxxx> wrote:
On Mon, Aug 05, 2024 at 11:23:08AM +0200, Vít Ondruch wrote:
Dne 02. 08. 24 v 21:37 Miroslav Suchý napsal(a):
Dne 02. 08. 24 v 9:07 odp. Miroslav Suchý napsal(a):

I will love to see more usage of this tag, but I believe the
documentatin has to be updated first. PR for packaging guidelines
and legal doc is welcome.

Here it comes
https://gitlab.com/fedora/legal/fedora-legal-docs/-/merge_requests/306


Thank you for the PR, because this is hard one. I think that in ideal world,
the PR should be worded in a way that:

1) The `SourceLicense` tag is always used and it fully describes the content
of the SRPM, i.e. it should contain all licenses which would be identified
by some (ideal) scanner

2) The `License` tag would be used in cases when the resulting (sub) package
has different license from the `SourceLicense` (e.g. build scripts are not
part of the resulting binary obviously).

The question is if we can get from the current state to the state I proposed
above.
Implementing this requires a (re-)review of everything in the source tarball,
which is an exercise we just went through for SDPX in many cases. The idea of
doing this again in order to add SourceLicense is not going to fly in terms
of the time investment asked of maintainers.
I don't really see the justification. Apart from maybe the
complications of Rust and Go packages that were mentioned (which I
think raise some deeper issues that haven't really been addressed
satisfactorily yet), I see no point in having *both* `License:` and
`SourceLicense:`. If a full license breakdown of what's in the SRPM is
desired then that should be the standard of what goes in `License:`,
instead of the traditional Fedora approach of having `License:` be a
subset (or, as it was formerly described, "the license of the binary
RPM").

If the idea is to record what some particular scanner produced, that
may be something like SPDX's ill-defined "Declared License" concept.
But even the best scanners produce a lot of junk information and you
still have to undertake analysis to exclude things that are spurious
licenses, misidentified licenses, things that purport to be licenses
for which licenses aren't needed, etc.

I feel like the strongest argument for saying something about
`SourceLicense:` is that the RPM project adopted this tag so it
shouldn't be ignored. Which doesn't feel like a strong argument.


My main point is that SRPM is the thing we redistribute. Therefore we should care about License of it. It seems strange that we would care that much about binary RPMs and not care about SRPM at all.


Vít

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

-- 
_______________________________________________
legal mailing list -- legal@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to legal-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/legal@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [Gnome Users]     [KDE Users]

  Powered by Linux