On Mon, Nov 14, 2022 at 3:29 PM Miroslav Suchý <msuchy@xxxxxxxxxx> wrote:
> Until now, what Fedora described as an "MIT" license was, in fact, a whole family of licenses. SPDX identifies them differently. And the differences can be subtle. E.g., compare
>
> https://spdx.org/licenses/MIT.html
> https://spdx.org/licenses/MIT-feh.html
> https://spdx.org/licenses/MIT-open-group.html
>
> If your old Fedora license was MIT, there is a very high chance that the new one will be MIT too. But it is far from being 100 % sure.

BTW this can vary based on the age and language community/ecosystem of the upstream project. Relatively old projects written in C are more likely to have "MIT"-like licenses that are not MIT in the OSI/SPDX sense, while, say, less old PyPI-packaged Python projects are more likely to just have that de-facto-standard MIT license. I'm pretty sympathetic to maintainers of some of the older and more (license-wise) complex packages where this process of license representation migration can be more complicated.

> There are 14 other options. Those that `license-fedora2spdx` listed in the warning above.
>
> Similarly, for BSD. BSD also identified the whole family. You likely end up with "BSD-2-Clause" or "BSD-3-Clause", but there are two different options as well.
>
> There are two common ways to find out what SPDX identifier you should use in such cases.
>
> 1) You can use https://github.com/spdx/spdx-license-diff and use it to identify your license. This is a Chrome and Firefox plugin and allows you to select the text; and in the context menu, you can choose to identify the license. It will print, e.g., that it matches 60% of the MIT-feh license and highlight the difference. Or...
>
> 2) you can navigate to
>
> https://docs.fedoraproject.org/en-US/legal/allowed-licenses/
>
> in the search box above the first table, you enter your license and filter the content. If you enter "MIT", it will find you 26 licenses. Out of them, 15 have "MIT" in the "Fedora abbreviation" column (Hmm, this should be changed to "legacy name"). Now you have to open the link in the "URL" column and find your package's license. This may look painful, but you usually find the correct license within a few clicks.

While that is worth checking, it assumes that you can identify a license based on its name (or what you think it might be), which will not work in all cases. I'm hoping that eventually we can develop tools that could do license text matching against the corpus of allowed and not-allowed Fedora licenses (maybe something like an adaptation of spdx-license-diff, maybe something simpler).

Also, feel free to submit an issue at https://gitlab.com/fedora/legal/fedora-license-data or (less preferable) post a question to legal@xxxxxxxxxxxxxxxxxxxxxxx.

Richard
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue