Dne 05. 08. 24 v 16:38 Vít Ondruch napsal(a):
> Dne 05. 08. 24 v 15:24 Richard Fontana napsal(a):
>> On Mon, Aug 5, 2024 at 5:40 AM Daniel P. Berrangé <berrange@xxxxxxxxxx> wrote:
>>> On Mon, Aug 05, 2024 at 11:23:08AM +0200, Vít Ondruch wrote:
>>>> Dne 02. 08. 24 v 21:37 Miroslav Suchý napsal(a):
>>>>>> Dne 02. 08. 24 v 9:07 odp. Miroslav Suchý napsal(a):
>>>>>>> I will love to see more usage of this tag, but I believe the documentation has to be updated first. PR for packaging guidelines and legal doc is welcome.
>>>>>>
>>>>>> Here it comes
>>>>>>
>>>>>> https://gitlab.com/fedora/legal/fedora-legal-docs/-/merge_requests/306
>>>>>
>>>>> Thank you for the PR, because this is a hard one. I think that in an ideal world, the PR should be worded in a way that:
>>>>>
>>>>> 1) The `SourceLicense` tag is always used and it fully describes the content of the SRPM, i.e. it should contain all licenses which would be identified by some (ideal) scanner
>>>>>
>>>>> 2) The `License` tag would be used in cases when the resulting (sub)package has a different license from the `SourceLicense` (e.g. build scripts are not part of the resulting binary obviously).
>>>>
>>>> The question is if we can get from the current state to the state I proposed above.
>>>
>>> Implementing this requires a (re-)review of everything in the source tarball, which is an exercise we just went through for SPDX in many cases. The idea of doing this again in order to add SourceLicense is not going to fly in terms of the time investment asked of maintainers.
>>
>> I don't really see the justification. Apart from maybe the complications of Rust and Go packages that were mentioned (which I think raise some deeper issues that haven't really been addressed satisfactorily yet), I see no point in having *both* `License:` and `SourceLicense:`. If a full license breakdown of what's in the SRPM is desired then that should be the standard of what goes in `License:`, instead of the traditional Fedora approach of having `License:` be a subset (or, as it was formerly described, "the license of the binary RPM").
>>
>> If the idea is to record what some particular scanner produced, that may be something like SPDX's ill-defined "Declared License" concept. But even the best scanners produce a lot of junk information and you still have to undertake analysis to exclude things that are spurious licenses, misidentified licenses, things that purport to be licenses for which licenses aren't needed, etc. I feel like the strongest argument for saying something about `SourceLicense:` is that the RPM project adopted this tag so it shouldn't be ignored. Which doesn't feel like a strong argument.
>
> My main point is that the SRPM is the thing we redistribute. Therefore we should care about the License of it. It seems strange that we would care that much about binary RPMs and not care about the SRPM at all.
>
> And the second point is that we won't ever be able to 100% cover RPMs by license scanners, but we could achieve that for SRPMs.
>
> Vít

Vít
--
legal mailing list -- legal@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/legal@xxxxxxxxxxxxxxxxxxxxxxx