Simplification of package license expressions involving dual licenses
by Richard Fontana
Fedora legal docs currently say:
"If your package is built from files under multiple distinct licenses,
and some files are licensed under a choice of two (or more) licenses,
then the License: field must include the appropriate OR and AND
expressions.... The license expression must reflect the disjunctive
license choice even if one or both of the license identifiers in the
OR expression also appear separately in the composite license
expression."
I am coming around to the view that we can revise the last sentence
there: For an SPDX expression involving licenses foo and bar,
foo AND bar AND (foo OR bar)
can acceptably be "reduced" to
foo AND bar
since both elements of the OR-expression are separately atomic
elements of the larger AND expression.
In insisting on preservation of all dual licenses (involving
Fedora-allowed licenses that is), we were following what I understood
to be the Callaway tradition. However, this is not entirely clear; see
for example: https://web.archive.org/web/20190801152043/https://fedoraproject.org/wiki...
As far as I can tell, the scenario we're talking about wasn't
explicitly addressed in the old guidelines.
The other part of this is that insisting on preservation of dual
licenses was making an important cultural or political point. To
understand this, you need to understand that some companies consuming
open source have a silly practice of taking steps to explicitly select
one of the licenses. As you might expect this usually happens when one
of the licenses is in the *GPL family. A related phenomenon involves
taking GPLv2-or-later code "as" GPLv2-only. Apart from being sort of
ridiculous, this practice conflicts with the usual practice in
upstream open source of passing through all disjunctive licenses. So
by *not* doing this, Fedora was expressing a sort of solidarity with
normal open source development and distancing itself from the
practices of those companies.
Since in the (foo AND bar AND (foo OR bar)) -> (foo AND bar) case the
simplified expression has all of the elements that were in the dual
license, I think the simplification is still in the spirit of the old
rule. We would not be removing any of the license symbols on either
side of the dual license; we are just hiding the fact that there was a
dual license.
If anyone thinks this would be a bad, or good, change to make, let me
know. It probably wouldn't affect too many packages and wouldn't do a
whole lot to make their license tags that much shorter. I don't feel
too strongly about it but I am trying to think of ways we could make
SPDX expressions a little simpler without abandoning all integrity.
Note that adoption of this approach would not be an assertion
that (foo AND bar AND (foo OR bar)) is *equivalent* to (foo AND bar).
Richard
8 months, 1 week
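The reduction proposed in the message above, as an added Python sketch (not code from the message or from any Fedora tooling). It drops an OR-group only when every alternative also appears as a standalone operand of the top-level AND, so unlike plain boolean absorption it leaves `foo AND (foo OR bar)` untouched. The function names are hypothetical, only uppercase AND/OR and parentheses are interpreted, and the sample expressions in the usage are constructed.

```python
import re

# Tokens: a parenthesis, or a word (AND, OR, WITH, or a license identifier).
TOKEN = re.compile(r"[()]|[A-Za-z0-9.+:-]+")

def split_top(tokens, op):
    """Split a token list on operator `op` at parenthesis depth 0."""
    parts, cur, depth = [], [], 0
    for tok in tokens:
        depth += (tok == "(") - (tok == ")")
        if depth == 0 and tok == op:
            parts.append(cur)
            cur = []
        else:
            cur.append(tok)
    parts.append(cur)
    return parts

def render(tokens):
    """Join tokens back into an expression string."""
    return " ".join(tokens).replace("( ", "(").replace(" )", ")")

def reduce_dual(expr):
    """Drop OR-groups whose alternatives are all standalone AND operands."""
    tokens = TOKEN.findall(expr)
    # AND binds tighter than OR, so an OR at depth 0 means the whole
    # expression is a choice, not a conjunction: leave it alone.
    if len(split_top(tokens, "OR")) > 1:
        return render(tokens)
    operands = split_top(tokens, "AND")
    atoms = {op[0] for op in operands if len(op) == 1}
    kept = []
    for op in operands:
        if len(op) > 2 and op[0] == "(" and op[-1] == ")":
            alts = split_top(op[1:-1], "OR")
            # Only single-identifier alternatives count; anything more
            # complex (nested groups, "X WITH Y") keeps the group as is.
            if len(alts) > 1 and all(len(a) == 1 and a[0] in atoms for a in alts):
                continue
        kept.append(op)
    return render([t for i, op in enumerate(kept)
                   for t in (["AND"] if i else []) + op])

if __name__ == "__main__":
    for sample in ("foo AND bar AND (foo OR bar)", "foo AND (foo OR bar)"):
        print(sample, "->", reduce_dual(sample))
```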
Making no-conditions identifiers optional in the License: field
by Richard Fontana
Some of the complaints that have surfaced since the migration from the
Callaway system to SPDX seem to be, at root, an aesthetic distaste for
complex license expressions in RPM license metadata. This may explain
why some favor application of "effective license" analysis. I suspect
there is also a sort of psychological desire to hide the underlying
licensing complexity that characterizes many packages.
I do think that the current approach can be criticized as being overly
pedantic, and perhaps also internally contradictory (some of Florian's
recent comments get at the various ways in which we are being
contradictory). We have a still-undocumented rule that what I call
"true public domain" should not be reflected in the License: field
(unless it would otherwise be empty), yet we have carefully attempted
to collect nonstandard public domain dedication statements and cover
those by `LicenseRef-Fedora-Public-Domain`. We have been using a
similar approach with `LicenseRef-Fedora-UltraPermissive`. These
basically replace Callaway system names "Public domain" (though this
was sometimes used for "true public domain") and "Freely
redistributable without restrictions", respectively.
I think it can reasonably be argued that there is little point in
including `LicenseRef-Fedora-Public-Domain` and
`LicenseRef-Fedora-UltraPermissive` in the License: field since they
are associated with no conditions or obligations. In those special
cases where the License: field would otherwise be empty, we can ask
SPDX to create unique identifiers for the license text in question.
We might want to extend this principle to other things, such as GPL
exceptions that entail no conditions in the use case encountered in
particular packages. (There is already an old issue about this, I
think concerning the Bison exception.)
This wouldn't do *that* much to make License: fields simpler, so maybe
it's not particularly worthwhile. There is also the problem that if we
make it optional, package maintainers may be less likely to scrutinize
things that are assumed to fall into these kinds of categories, when
in some cases they actually wouldn't, although I think it's now clear
that those situations are uncommon. In theory we'd still expect
package maintainers to submit issues to have things that seem to
qualify for LicenseRef-Fedora-Public-Domain reviewed, but it might be
challenging to enforce that expectation and the Fedora Legal team
would have to end up doing all that work themselves, which might be a
justifiable result.
As with abandoning the "license of the binary" rule, this would
seemingly be a major departure from the principles established under
the Callaway system.
Any thoughts on this?
Richard
8 months, 2 weeks