Re: Important changes to software license information in Fedora packages (SPDX and more!)

Kevin Kofler via devel wrote:

> Now you have to compare every word of the MIT license 
> with the very similar templates such as MIT, MIT-CMU, MIT-feh, etc., and 
> then figure out which one it actually is. If it is even one of these and not
> some random mix of several variants (one sentence from here, one sentence
> from there, …).

You're right. MIT/BSD License variants are a pain to deal with. In
practice, they are mostly equivalent, so having to identify them is a
burden without a lot of benefit.

Currently, there are MIT variants such as the HPND that aren't even part
of the new license list, despite being explicitly listed on the old list
and being used by packages like libX11[1]. As that license is deprecated,
it's not likely to cause issues when importing new packages, but it is
still used by older packages. There are other examples of licenses
missing from the new list that are already blocking new packages[2].

[1]: https://gitlab.com/fedora/legal/fedora-license-data/-/issues/1#note_969573331
[2]: https://gitlab.com/fedora/legal/fedora-license-data/-/merge_requests/12#note_1045611169

> But that is how things work in practice. It is just impossible to read
> through every source file and scan for copied snippets. They can even appear
> in the middle of a file, with the license attached right there. So the
> packager and the reviewer will both check the COPYING/LICENSE/LICENCE file
> provided by upstream, then go exemplarily through a handful of source files to
> check that the copyright header and/or SPDX REUSE header matches that
> license, and then declare that as the one License.

This is onerous if you do it manually, but there are tools to make it a
bit easier. You can use scancode-toolkit or licensecheck to scan the
entire codebase. I believe the RH legal folks recommended the former at
some point, but licensecheck is used by fedora-review and actually
packaged in Fedora[^1]. The Legal docs recommend SPDX license-diff[3]
and [4] to see if a certain license text exists in SPDX.

[^1]: I wish luck to anyone who tries to package scancode.
There are quite a few unpackaged dependencies...
[3]: https://addons.mozilla.org/en-US/firefox/addon/spdx-license-diff/
[4]: https://tools.spdx.org/app/check_license/


-- 
Thanks,

Maxwell G (@gotmax23)
Pronouns: He/Him/His
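As an added illustration of the header check discussed above (this is not code from the thread, from fedora-review or from licensecheck), the following Python script walks a source tree, collects the `SPDX-License-Identifier` headers from the first lines of each file, and flags files that disagree with the license declared in COPYING or carry no header at all. The sample tree is constructed inline; the declared license "MIT" and the file contents are assumptions for the demo.

```python
from __future__ import annotations

import re
from collections import Counter
from pathlib import Path
from tempfile import TemporaryDirectory

# Matches the identifier in "// SPDX-License-Identifier: MIT" or
# "/* SPDX-License-Identifier: MIT AND BSD-3-Clause */" (trailing "*/" or "-->" dropped).
SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*(.+?)\s*(?:\*/|-->|$)")
HEADER_LINES = 20  # only the file header is inspected, as a reviewer would do by hand


def spdx_identifier(path: Path) -> str | None:
    """Return the SPDX license expression declared in the file's header, or None."""
    with path.open(encoding="utf-8", errors="replace") as fh:
        for _, line in zip(range(HEADER_LINES), fh):
            match = SPDX_RE.search(line)
            if match:
                return match.group(1).strip()
    return None


def audit_tree(root: Path, declared: str, suffixes=(".c", ".h", ".py")) -> dict:
    """Tally header identifiers under root; list files disagreeing with `declared` or lacking one."""
    tally: Counter[str] = Counter()
    mismatched, missing = [], []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in suffixes:
            continue
        rel = path.relative_to(root).as_posix()
        ident = spdx_identifier(path)
        if ident is None:
            missing.append(rel)  # no header: a human must read the file (copied snippet?)
        else:
            tally[ident] += 1
            if ident != declared:
                mismatched.append((rel, ident))  # e.g. an HPND file inside an MIT project
    return {"tally": tally, "mismatched": mismatched, "missing": missing}


# Constructed sample tree: COPYING says MIT, one file is HPND, one has no header.
SAMPLE_FILES = {
    "src/main.c": "/* SPDX-License-Identifier: MIT */\nint main(void) { return 0; }\n",
    "src/util.h": "// SPDX-License-Identifier: MIT\n",
    "src/compat/hpnd.c": "/* SPDX-License-Identifier: HPND */\n",
    "src/vendored/md5.c": "/* no license header at all */\n",
}


def demo(declared: str = "MIT") -> dict:
    """Write the sample tree to a temp dir and audit it against the declared license."""
    with TemporaryDirectory() as tmp:
        for rel, text in SAMPLE_FILES.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text, encoding="utf-8")
        return audit_tree(Path(tmp), declared)
```

Running `demo()` reports two MIT files, one HPND mismatch and one file without any header, which is exactly the set a reviewer would need to look at by hand.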


_______________________________________________
packaging mailing list -- packaging@xxxxxxxxxxxxxxxxxxxxxxx
