https://bugzilla.redhat.com/show_bug.cgi?id=1448778

Tom "spot" Callaway <tcallawa@xxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tcallawa@xxxxxxxxxx
             Blocks|182235 (FE-Legal)           |

--- Comment #1 from Tom "spot" Callaway <tcallawa@xxxxxxxxxx> ---
I'm not sure why you flagged this against FE-Legal, but I took a quick look at it nevertheless.

License-wise, this has:

*****
* Public Domain (cockatrice/resources/countries/*.svg)
* GPLv2+ (most of the code)
* BSD (cockatrice/src/qt-json/, common/sfmt/,
* GPLv2 (oracle/src/zip/)
* CPL or LGPLv2 (servatrice/src/smtp/)

# Webclient code (not included?)
* ASL 2.0 (webclient/js/protobuf.js, webclient/js/long.js, webclient/js/bytebuffer.js)
* MIT (webclient/js/jquery-*.js)
*****

I feel like I should stop and point out here that these versions of jquery/jquery-ui are VERY VERY OLD. They are vulnerable to at least https://www.cvedetails.com/cve/CVE-2016-7103/. I strongly strongly recommend that you update them to the "final" releases of the v1 code for both, and have upstream make that change as well.

Back to the licensing, CPL is GPLv2 incompatible, so we choose the LGPLv2 option there.

ASL 2.0 is also GPLv2 incompatible, but that code is not being compiled into or linked with GPLv2 code, so it is not a compatibility concern. In fact, it does not look like any of the code in webclient is packaged up or used. Unsure if this is intentional (aka, this code is not useful anymore) or accidental (forgot to make a -webclient subpackage).

If you do end up including the webclient bits, add this to the end of the license tag:

ASL 2.0 and MIT

However, I'm going to assume for now that you do not plan to include the webclient bits.

You can choose to update the license tag in two ways:

* The long and absolutely correct way:
License: GPLv2+ and GPLv2 and BSD and (CPL or LGPLv2) and Public Domain

* The simplified way
License: GPLv2 and Public Domain

The reason you can do this is because:

1) We choose LGPLv2 for the smtp code.
2) GPLv2+ + GPLv2 = GPLv2
3) LGPLv2 + GPLv2 = GPLv2
4) BSD + GPLv2 = GPLv2
5) Need to call out Public Domain because that license applies to distinct and separate works (the SVG files)

Either way, please include the above license analysis (the bits between the *****) as a comment above the License tag in the spec file.

If any of that is unclear, please let me know. Lifting FE-Legal.

Referenced Bugs:

https://bugzilla.redhat.com/show_bug.cgi?id=182235
[Bug 182235] Fedora Legal Tracker