Re: License of an open source license text


Philippe Ombredanne
 

Hi Richard:

On Thu, Jun 18, 2020 at 2:57 PM Richard Purdie wrote:

Just to be really clear, the license ID of a given specific
package *is* correct and definitive. What is unclear is the license of
the license information.

The challenge is that one software project can be split into multiple
binary packages and those binary packages can have finer grained
licenses.

For example, gcc which contains libgcc. gcc is GPL-3.0 and libgcc is
under the runtime license exception. We specifically mark the
binary packages with the correct license.

This isn't enough for some legal departments and some licenses, we have
to have the full license text somewhere. We have options:

a) Include the full license text in every binary package
b) Have a licence package per test and require each binary package to
depend on that license package
c) As per b) but have the package management or tools figure out the
dependencies if requested
d) Have a license package per piece of software containing all the
licensing texts for that piece of software.

There are pros and cons for all of these, some of the issues are very
significant, particularly in a constrained embedded system. Rightly or
wrongly, we have d) implemented today and this is consistent with what
other distros like Debian do (although they merge docs and license
info, we split them).

Also, this assumes the licenses can be split into specific individual
chunks. I suspect in some cases this is not possible.

The question is what license is that package in d) under.

Then in this case you can take the same approach as Debian's
packaging: your package in d) can be under its own license unrelated
to the license of the things it contains.

You could state that the license of the packaging of these license
data is under a CC0-1.0. You are not making any assertion about the
license of the licenses which are under whatever license they may be;
and whatever these may be are self-contained in their own license
texts.

This is the approach I take in scancode.
I bundle thousand license texts and I am not reporting any specific
license for these license texts.
Instead I am only declaring that the license data set is under CC0-1.0.

As an aside, this might make scancode's [1] processing a little more
complicated ... but this could be fixed if we know we are looking at
the license of Yocto packages somehow.
--
Cordially
Philippe Ombredanne

[1] https://github.com/openembedded/meta-openembedded/blob/612128b46d183934bda7d0c7e224a313fc54d227/meta-oe/classes/scancode.bbclass
