Re: SPDX License List coverage for a full distro


Richard Fontana
 

On Tue, Aug 17, 2021 at 9:10 PM Warner Losh <imp@...> wrote:

So, things went from having the following at the top of all the files

* Copyright (c) 2013 Some Author
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.

to something simpler like at the top.

* Copyright (c) 2021 Jane Author
*
* SPDX-License-Identifier: GPL-2.0-or-later

which simplifies things greatly, but only if everybody involved knows and understands where to
find this "GPL-2.0-or-later". So as it's copied around, everybody knows it's GPL'd code v2 or
later. You can go to the SPDX web site to find this and it's clear.

My concern is that if there starts to be Fedora--FooLicense in this situation, and it's copied
around and time passes, what guarantees are there that Fedora will be as careful about
keeping a historical list of these things as the SPDX folks have been. And I mean no disrespect
to Fedora specifically, mind you, to be clear. It's just thinking ahead to code that's passed
from hand to hand to some project that's not Fedora, how will they know what all they
can do with the code.
Right, this is what I thought you meant. So to rephrase what I said in
an earlier reply, the current interest among some involved in Fedora
is solely to use valid SPDX short identifier expressions in package
license metadata.

For those not familiar with RPM-based distros, packages are associated
with "spec files" that contain a "License:" field, the contents of
which are not standardized across all uses of RPM. In Fedora, since
time immemorial the License: field contents have in theory conformed
to a system developed primarily by Tom Callaway, which is documented
mainly here:
https://fedoraproject.org/wiki/Licensing:Main#Good_Licenses
Somewhat importantly, the meaning of an identifier is sort of defined
in this document:
https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuidelines/

I could get into this in more detail, but the point is that we are not
talking about the use of SPDX identifiers in *source files* (as a
replacement for traditional FOSS source file license notices or
otherwise), which is what I think you are contemplating. Fedora as a
distribution is primarily packaging software developed upstream of
Fedora. There are plenty of Fedora-specific projects, but even if all
these projects decided to adopt the use of SPDX-License-Identifier,
this would not present any interesting problem because 99% of the
source files of such projects are licensed under, I'm guessing, a set
of fewer than five licenses which have well-established SPDX
representations (ignoring possibly-applicable license exceptions).

Something analogous to the problem of "passing from hand to hand"
could occur in the form of derivative RPM-based distributions that
replicate license tags in spec files, to be sure, and moreover I think
some nonderivative distributions have informally adopted the existing
Callaway system so we might expect nonderivative distributions to
similarly copy the specifics of Fedora's possible effort to
incorporate the use of SPDX identifiers. But historically the Callaway
system has been reasonably well documented and I would expect that to
continue.

Richard

Join Spdx-legal@lists.spdx.org to automatically receive all group messages.