David Cantrell wrote:
> We can't get rid of the License tag, unfortunately. See:
>
> https://www.linuxfoundation.org/blog/blog/spdx-its-already-in-use-for-global-software-bill-of-materials-sbom-and-supply-chain-security
>
> And as part of the US Executive Order on Cybersecurity, we need to start
> using SPDX identifiers in software we package and provide so that our
> downstream users are in compliance:
>
> https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

I do not see anything there requiring RPM packages to contain a License tag. I doubt this can ever be encoded in a law. Software needs to state its license somehow, but that is already the case in various forms (depending on the package) within the SRPM and hopefully the binary RPM. (If the notice does not make it into the binary package, that is an upstream issue and IMHO not our problem.)

Personally, I think it makes sense to state the license in the RPM metadata for the people installing the software, but, like Michael Catanzaro, I doubt the current approach of requiring to explicitly list every permissive license of copied&pasted code is in any way practical. The License tag should have only indicative value; the authoritative license(s) are the ones on the source code itself.

Kevin Kofler