Re: Important changes to software license information in Fedora packages (SPDX and more!)

Daniel P. Berrangé wrote:
> In order to perform the simplification that Fedora previously used, it
> was necessary to first know what the full license list was. From that
> full list some elements could be eliminated if considered to be subsumed
> by another license in the list.

Uh no, it was sufficient to recognize that copied snippets were under some 
MIT license variant, it was not necessary to determine which one exactly.

> With the new process the need to know the full license list is just
> as it was before. The simplification step is just eliminated. This
> should be a net win.

It is not, because now you have to compare every word of the MIT license 
with the very similar templates such as MIT, MIT-CMU, MIT-feh, etc., and 
then figure out which one it actually is. If it is even one of these and not 
some random mix of several variants (one sentence from here, one sentence 
from there, …).

Assuming you even find the MIT-licensed snippet, because many upstreams just 
consider these free to take and do not bother mentioning it in their overall 
license. (The required attribution only appears in the source file where the 
code snippet was copied. Which is probably not fine for binary-only 
distribution, but nobody seems to care.) Only a handful, such as Qt, 
actually go to great lengths to comply with the attribution requirement.

> Either way reviewers need to determine the full license list of the
> source being packaged, unless the inference was that previously
> reviewers were taking short cuts, not actually bothering to do
> a full license review of the code, and just making assumptions about
> the overall simplified license. That would not have been compliant
> with our review process though.

But that is how things work in practice. It is just impossible to read 
through every source file and scan for copied snippets. They can even appear 
in the middle of a file, with the license attached right there. So the 
packager and the reviewer will both check the COPYING/LICENSE/LICENCE file 
provided by upstream, then go exemplarily through a handful of source files to 
check that the copyright header and/or SPDX REUSE header matches that 
license, and then declare that as the one License. That is, if there are 
even copyright/REUSE headers on the files at all. In many cases, there are 
none and you have to trust the global license file to tell the truth.

        Kevin Kofler
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
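The review practice described in the message above (check the top-level license file, then sample source files for SPDX headers and hope nothing is hiding mid-file) can be partly automated. The following script is an added example written for this archive page; it is not Fedora tooling and not code from anyone in the thread. It walks a source tree, reads the `SPDX-License-Identifier` from each file header, reports files whose header disagrees with the declared package license, files with no header at all, and files that contain a well-known license sentence (the opening line of the MIT or BSD text) far below the header, which is exactly the "copied snippet in the middle of a file" case. The sample tree it builds under a temporary directory is constructed for the example; `HEADER_LINES`, the phrase table and the file extension list are assumptions you would tune for a real package.

```python
import os
import re
import tempfile

# SPDX short identifier (optionally a simple AND/OR/WITH expression) in a file header.
SPDX_RE = re.compile(
    r"SPDX-License-Identifier:\s*"
    r"([A-Za-z0-9.+\-]+(?:\s+(?:AND|OR|WITH)\s+[A-Za-z0-9.+\-]+)*)"
)

# Opening sentences of license texts that tend to travel with copied snippets.
# Constructed for this example; extend with further families as needed.
EMBEDDED_PHRASES = {
    "MIT-family": re.compile(r"Permission is hereby granted, free of charge", re.I),
    "BSD-family": re.compile(r"Redistribution and use in source and binary forms", re.I),
}

# Assumption: a license notice within the first 20 lines is the file's own
# header; one further down is treated as an embedded (copied) license text.
HEADER_LINES = 20


def scan_file(path):
    """Return the header SPDX id (or None) and every embedded license phrase with its line."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    header = "\n".join(text.splitlines()[:HEADER_LINES])
    m = SPDX_RE.search(header)
    spdx = m.group(1).strip() if m else None
    embedded = []
    for family, rx in EMBEDDED_PHRASES.items():
        for hit in rx.finditer(text):
            line_no = text.count("\n", 0, hit.start()) + 1
            embedded.append((family, line_no))
    return {"spdx": spdx, "embedded": embedded}


def audit_tree(root, declared, exts=(".c", ".h", ".cc", ".cpp", ".py")):
    """Compare every source file under root against the declared package license."""
    report = {"no_header": [], "mismatch": [], "embedded": []}
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if not fn.endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            info = scan_file(path)
            if info["spdx"] is None:
                report["no_header"].append(rel)
            elif info["spdx"] != declared:
                report["mismatch"].append((rel, info["spdx"]))
            for family, line_no in info["embedded"]:
                # A notice inside the header block is the file's own license, not a snippet.
                if line_no > HEADER_LINES:
                    report["embedded"].append((rel, family, line_no))
    return report


# Constructed sample tree: a GPL package with one MIT-CMU file, one file with a
# copied MIT snippet mid-file, and one file with no header at all.
SAMPLE_FILES = {
    "COPYING": "GNU GENERAL PUBLIC LICENSE Version 2, June 1991 (placeholder text)\n",
    "src/main.c": "// SPDX-License-Identifier: GPL-2.0-or-later\nint main(void) { return 0; }\n",
    "src/util.c": "// SPDX-License-Identifier: MIT-CMU\nint util(void) { return 1; }\n",
    "src/hash.c": "// SPDX-License-Identifier: GPL-2.0-or-later\n" + "\n" * 25
                  + "/* Permission is hereby granted, free of charge, ... (copied hash routine) */\n",
    "src/legacy.c": "/* no license header at all */\nint legacy = 0;\n",
}


def build_sample_tree():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="license-audit-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    result = audit_tree(tree, "GPL-2.0-or-later")
    for key, entries in result.items():
        print(f"{key}:")
        for entry in entries:
            print(f"  {entry}")
```

On the sample tree the script flags `src/legacy.c` (no header), `src/util.c` (header says MIT-CMU, not the declared license) and `src/hash.c` (MIT text at line 27, well below the header). Files in the `no_header` list are the ones where, as the message says, you are left trusting the global license file; the `embedded` list is where the exact MIT variant still has to be identified by hand.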