On Mon, Aug 5, 2024 at 10:39 AM Vít Ondruch <vondruch@xxxxxxxxxx> wrote:
>
>
> On 05. 08. 24 at 15:24 Richard Fontana wrote:
> > On Mon, Aug 5, 2024 at 5:40 AM Daniel P. Berrangé <berrange@xxxxxxxxxx> wrote:
> >> On Mon, Aug 05, 2024 at 11:23:08AM +0200, Vít Ondruch wrote:
> >>> On 02. 08. 24 at 21:37 Miroslav Suchý wrote:
> >>>> On 02. 08. 24 at 9:07 PM Miroslav Suchý wrote:
> >>>>>
> >>>>> I will love to see more usage of this tag, but I believe the
> >>>>> documentation has to be updated first. PR for packaging guidelines
> >>>>> and legal doc is welcome.
> >>>>>
> >>>> Here it comes
> >>>> https://gitlab.com/fedora/legal/fedora-legal-docs/-/merge_requests/306
> >>>>
> >>>>
> >>> Thank you for the PR, because this is a hard one. I think that in an ideal world,
> >>> the PR should be worded in a way that:
> >>>
> >>> 1) The `SourceLicense` tag is always used and it fully describes the content
> >>> of the SRPM, i.e. it should contain all licenses which would be identified
> >>> by some (ideal) scanner
> >>>
> >>> 2) The `License` tag would be used in cases when the resulting (sub) package
> >>> has a different license from the `SourceLicense` (e.g. build scripts are not
> >>> part of the resulting binary obviously).
> >>>
> >>> The question is if we can get from the current state to the state I proposed
> >>> above.
> >> Implementing this requires a (re-)review of everything in the source tarball,
> >> which is an exercise we just went through for SPDX in many cases. The idea of
> >> doing this again in order to add SourceLicense is not going to fly in terms
> >> of the time investment asked of maintainers.
> > I don't really see the justification. Apart from maybe the
> > complications of Rust and Go packages that were mentioned (which I
> > think raise some deeper issues that haven't really been addressed
> > satisfactorily yet), I see no point in having *both* `License:` and
> > `SourceLicense:`. If a full license breakdown of what's in the SRPM is
> > desired then that should be the standard of what goes in `License:`,
> > instead of the traditional Fedora approach of having `License:` be a
> > subset (or, as it was formerly described, "the license of the binary
> > RPM").
> >
> > If the idea is to record what some particular scanner produced, that
> > may be something like SPDX's ill-defined "Declared License" concept.
> > But even the best scanners produce a lot of junk information and you
> > still have to undertake analysis to exclude things that are spurious
> > licenses, misidentified licenses, things that purport to be licenses
> > for which licenses aren't needed, etc.
> >
> > I feel like the strongest argument for saying something about
> > `SourceLicense:` is that the RPM project adopted this tag so it
> > shouldn't be ignored. Which doesn't feel like a strong argument.
>
>
> My main point is that SRPM is the thing we redistribute. Therefore we
> should care about the license of it. It seems strange that we would care
> that much about binary RPMs and not care about SRPM at all.

We do care about the licensing of SRPMs - Fedora legal docs say:

"Fedora's license approval standards apply to everything that is made available by the Fedora Project, not just installable binary packages in Fedora Linux. For example, everything available at Fedora Pagure, Fedora Source Packages, Fedora Koji, Fedora documentation and Copr repositories is subject to the same licensing rules as Fedora Linux packages."

"If a license that covers something in Fedora, or in a package that has been or is intended to be proposed for inclusion in Fedora Linux, is not listed on the allowed and not-allowed lists, then it must be reviewed."

"The Fedora convention is that License: tags describe a relevant subset of the licenses that apply to the source code of the package. Any license that applies to anything in the source code must be Fedora-acceptable (assuming you actually need a license for that material), even if it is ultimately not included in the License: tag."

The issue is just what gets reflected in license metadata. We could dispense with `License:` altogether and it wouldn't mean we don't care about licenses. (For example, I believe Debian and its derivatives don't have any real concept of package license metadata.)

Now yes it *is* strange that `License:` does not consist of what you want `SourceLicense:` to be used for. But that is explained by Fedora tradition going back nearly two decades at this point. So again I think the issue here is that if people think that we need package license metadata to reflect the full contents of SRPMs then we should change the standard for `License:` rather than normalize the additional use of `SourceLicense:`.

I do worry about the current approach because I have seen from various cases it seems to lead some to believe that "source licenses don't matter" or "source licenses don't matter to Fedora". I have tried to make it very clear in the Fedora legal docs that they do matter. I guess you could argue that mandating `SourceLicense:` would make this even clearer, but I think at that point `License:` and `SourceLicense:` should be the same.

As an aside I think it is odd that the RPM project adopted `SourceLicense:` given that non-Fedora(based) RPM-package-based distributions might very well decide that `License:` should contain a complete enumeration of source code licenses. For example I have no idea what the standard for license tags is in the openSUSE world other than that it must be quite different from Fedora's traditions.
Richard