On Mon, 2022-08-01 at 12:13 +0100, Daniel P. Berrangé wrote:
> I do expect Fedora reviewers to do more than just look at a handful of
> source files though. For any package review, the header of every source
> file should be checked. Random sampling is not sufficient to identify the
> exceptions which do occur often, and are not usually mentioned in the
> top level LICENSE file. If there's no header present, then it is
> implicitly under the global license, and it is fine to trust that for
> the purposes of Fedora license tag.
>
> We're not expecting Fedora reviewers to be perfect, but we do expect
> them to make a serious effort to identify the licenses present across
> the source files.

You're talking about different things, though. You're talking about a
review - a one-time operation at which probably more care is taken than
any other time in a package's life cycle. Kevin is talking about
ongoing maintenance - the problem that there's now a sort of
expectation that maintainers check whether every new addition of code
upstream introduces an additional license.

If I trust my upstream to make sure new contributions are compatible
with the 'main' license, but I know it does accept contributions under
different licenses that are compatible with it, this policy change
introduces a burden on me where previously there was none.

To take a broader view, I think Fabio raises an important point. Let's
take a step back and say: what's the *point* of the License field? What
useful information is it imparting to whom?

If we take one of these problematic projects, let's say we successfully
produce the correct license field for it, and it's just a 500 character
string of "foo AND bar AND moo AND baz AND zzz AND lala"... Who is that
for? What use is it to them?

To me, it's more or less pointless.
It contains too much information to be a
not-strictly-correct-but-useful simplification, but it doesn't provide
*enough* information on the true state of affairs, because it doesn't
tell you which parts of the code are under what license. To find that
out, you still have to actually look at the source tree yourself.

I like Smooge's idea of just allowing an "it's complicated" value for
the License field.

We definitely do provide value to Fedora, Red Hat and the wider
community by doing license evaluation at package review time - but the
value there is in the evaluation, which is permanently available in the
review ticket. There's not very much value in the resulting text in the
License: field of the package, which is trivial if simple and
practically quite useless if complicated.
-- 
Adam Williamson
Fedora QA
IRC: adamw | Twitter: adamw_ha
https://www.happyassassin.net