Re: SPDX identifiers in old branches?


 



On Thu, May 26, 2022 at 10:14 AM Petr Pisar <ppisar@xxxxxxxxxx> wrote:
>
> On Thu, May 26, 2022 at 08:49:16AM -0500, Richard Shaw wrote:
> > On Thu, May 26, 2022 at 8:46 AM Miroslav Suchý <msuchy@xxxxxxxxxx> wrote:
> >
> > > On 25. 05. 22 at 14:40, Daniel P. Berrangé wrote:
> > > > Ewwww, please no. Apps need to know whether a given RPM is using SPDX
> > > > or not, independently of whether they have Fedora git source history
> > > > available. We just need to record this fact in the specfile explicitly,
> > > > so it is available both to maintainers and to any apps parsing the
> > > > spec and to any apps querying the installed RPMDB.
> > >
> > > We can hardly avoid a transition period. So any application (and I am
> > > aware of just rpminspect and rpmlint) will know
> > > that everything prior to F35 and EPEL-7 uses short names. And everything after
> > > F39 and EPEL 10 will use SPDX.
> > >
> > > In between we just need to somehow track what was migrated and what
> > > was not. That can be bugzilla, a special macro (which
> > > likely should be removed after a few years) or git log.
> > >
> >
> > While functional, I don't like embedded spdx within the license tag. It's
> > just ugly... But could we not have some sort of special tag/statement in
> > the git log / %changelog that can be picked up programmatically?
> >
> Does a marker of the conversion need to be visible in the binary packages? If
> it does not, I would simply mass inject a comment line above each License tag
> in the spec files that old Fedora identifiers are in use and they are
> expected to be migrated to SPDX identifiers:
>
> # Fedora license identifiers in use, please migrate to SPDX and then remove
> # this comment before F39. <https://fedoraproject.org/wiki/Changes/...>
> License: MIT
>
> Later, when Fedora forbids the old identifiers, all spec files can be
> inspected for that line. You will find either:
>
> License: MIT-Modern-Variant
>
> which would mean that the packager did the migration, or:
>
> # Fedora license identifiers in use, please migrate to SPDX and then remove
> # this comment before F39. <https://fedoraproject.org/wiki/Changes/...>
> License: MIT
>
> meaning that the package has not yet been migrated.
>
> Of course there is a class of spec files which do not contain any License tag,
> like font packages. But those also can be identified by nonpresence of the tag
> and handled specially and fixed by correcting the generating srpm-macro before
> a mass rebuild. Finally we can block failed-to-build packages from
> a distribution.
>

At least in the MIT license case, the MIT identifier exists there. One
reason Tom Callaway resisted changing to SPDX in the past was that
they never resolved the problem with the MIT identifier. It's
effectively a family identifier, just like in Fedora. The difference
is that some MIT license variants got separate identifiers, but not
all.

All known BSD license variants have new SPDX variants and the "BSD"
identifier is clearly Fedora-style rather than SPDX-style.

All of this also pre-supposes that a mixture of Fedora and SPDX
identifiers is "bad". I would argue that it is, in fact, not. A
partial conversion is still better than no conversion at all. In fact,
some of our newer Fedora identifiers cribbed from SPDX ones already
(such as the CDDL identifier split when 1.1 was introduced).

The *only* reason SPDX identifiers are considered valuable to use is
because our upstream ecosystems are starting to use them. They don't
have a particularly large foothold in the distro space: only the SUSE
distributions use them today, and that's because they developed
tooling to audit and re-classify every single package automatically
and require license audits on every package update. They did this
because their previous system for identifying licenses was too
incomplete to stand scrutiny. That was not true for Fedora.

Neither Debian nor Fedora use SPDX identifiers. Debian uses DEP-5[1]
(which seems to be where SPDX got its convention from) and Fedora
(along with most RPM-based distributions) uses its own system[2]
(which Richard Fontana now calls the "Callaway system").

So it is my opinion that most people are massively overthinking this problem.

[1]: https://dep-team.pages.debian.net/deps/dep5/#license-specification
[2]: https://fedoraproject.org/wiki/Licensing:Main




--
真実はいつも一つ!/ Always, there's only one truth!
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
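
The later inspection pass described in Petr Pisar's quoted proposal could look like the sketch below. This is an added example, not code from the thread or from any Fedora tool; the sample spec fragments and the status names are constructed for illustration. It reports only the state of the marker comment: as the reply points out, an identifier such as MIT reads the same in both systems, so a removed marker records the packager's claim, not a validated SPDX expression.

```python
import re

# Marker wording comes from the proposal quoted in this thread; only its first
# sentence is matched, so the elided wiki URL does not matter.
MARKER = "Fedora license identifiers in use, please migrate to SPDX"
LICENSE_RE = re.compile(r"^\s*License\s*:\s*(.+?)\s*$", re.IGNORECASE)

def classify_spec(text):
    """Return (status, [(license_value, has_marker), ...]) for one spec file."""
    tags, comments = [], []   # comments: comment lines directly above current line
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.lower().startswith("%changelog"):
            break                      # stop scanning at the changelog section
        if stripped.startswith("#"):
            comments.append(stripped.lstrip("#").strip())
            continue
        m = LICENSE_RE.match(line)
        if m:
            tags.append((m.group(1), MARKER in " ".join(comments)))
        comments = []                  # any non-comment line ends the block
    if not tags:
        return "no-license-tag", tags  # e.g. macro-generated font packages
    marked = [has for _, has in tags]
    if all(marked):
        return "not-migrated", tags
    return ("partially-migrated" if any(marked) else "migrated"), tags

# Constructed sample spec fragments (hypothetical packages, not real Fedora specs).
NOTE = ("# Fedora license identifiers in use, please migrate to SPDX and then remove\n"
        "# this comment before F39. <https://fedoraproject.org/wiki/Changes/...>\n")
SAMPLES = {
    "old.spec": "Name: old\n" + NOTE + "License: MIT\n%description\n",
    "new.spec": "Name: new\nLicense: MIT-Modern-Variant\n%description\n",
    "font.spec": "Name: font\nVersion: 1.0\n%description\n",
    "mixed.spec": ("Name: mixed\nLicense: BSD-3-Clause\n%package libs\n"
                   + NOTE + "License: BSD\n%changelog\n- License: note\n"),
}

def report(samples=SAMPLES):
    """Map each sample file name to its migration status."""
    return {name: classify_spec(text)[0] for name, text in samples.items()}

if __name__ == "__main__":
    for name, status in report().items():
        print(f"{name}: {status}")
```

The `partially-migrated` status covers spec files with several License tags (subpackages) where only some still carry the marker, a case the proposal does not spell out.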



