On Mon, Aug 01, 2022 at 12:44:13PM +0200, Kevin Kofler via devel wrote:
> Daniel P. Berrangé wrote:
> > In order to perform the simplification that Fedora previously used, it
> > was necessary to first know what the full license list was. From that
> > full list some elements could be eliminated if considered to be subsumed
> > by another license in the list.
>
> Uh no, it was sufficient to recognize that copied snippets were under some
> MIT license variant, it was not necessary to determine which one exactly.
>
> > With the new process the need to know the full license list is just
> > as it was before. The simplification step is just eliminated. This
> > should be a net win.
>
> It is not, because now you have to compare every word of the MIT license
> with the very similar templates such as MIT, MIT-CMU, MIT-feh, etc., and
> then figure out which one it actually is. If it is even one of these and not
> some random mix of several variants (one sentence from here, one sentence
> from there, …).
>
> Assuming you even find the MIT-licensed snippet, because many upstreams just
> consider these free to take and do not bother mentioning it in their overall
> license. (The required attribution only appears in the source file where the
> code snippet was copied. Which is probably not fine for binary-only
> distribution, but nobody seems to care.) Only a handful, such as Qt,
> actually go to great lengths to comply with the attribution requirement.
>
> > Either way reviewers need to determine the full license list of the
> > source being packaged, unless the inference was that previously
> > reviewers were taking short cuts, not actually bothering to do
> > a full license review of the code, and just making assumptions about
> > the overall simplified license. That would not have been compliant
> > with our review process though.
>
> But that is how things work in practice. It is just impossible to read
> through every source file and scan for copied snippets. They can even appear
> in the middle of a file, with the license attached right there. So the
> packager and the reviewer will both check the COPYING/LICENSE/LICENCE file
> provided by upstream, then go exemplarily through a handful of source files to
> check that the copyright header and/or SPDX REUSE header matches that
> license, and then declare that as the one License. That is, if there are
> even copyright/REUSE headers on the files at all. In many cases, there are
> none and you have to trust the global license file to tell the truth.

I don't think there's an expectation that you go looking at every
single line of code to find the snippets of copied code. While it
is true that you might find a license note in the middle of the file,
that is pretty exceptionally rare IME.

I do expect Fedora reviewers to do more than just look at a handful
of source files though. For any package review, the header of every
source file should be checked. Random sampling is not sufficient to
identify the exceptions which do occur often, and are not usually
mentioned in the top level LICENSE file.

If there's no header present, then it is implicitly under the global
license, and it is fine to trust that for the purposes of Fedora
license tag.

We're not expecting Fedora reviewers to be perfect, but we do expect
them to make a serious effort to identify the licenses present across
the source files.

With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|