[Fedora-legal-list] Re: msv (xsdlib) licensing review

Yes, I would like to package only that part. Does license review need to be done before or after submitting a package review in Bugzilla? Regarding opening issues on fedora / spdx: * one part is about adding / not adding Oracle / Sun's variant of BSD-3-Clause * the other is about accepting differently formatted Apache-1.1? Does formatting matter to SPDX? On 8. 8. 2023 20:24, Richard Fontana wrote: > On Tue, Aug 8, 2023 at 9:00 AM Marián Konček <mkoncek(a)redhat.com&gt; wrote: >> As part of the jaxb 4.0.2 -> 4.0.3 update, part of this package is >> needed for its code generation. Therefore, I would like to package >> it in >> Fedora. This package has complex licensing which is why I am asking for >> a review. Note that I only need the "xsdlib" subdirectory. >> >> I only need a stripped-down version of this package as if by >> downloading: >> https://github.com/xmlark/msv/archive/refs/tags/msv-2022.7.tar.gz >> >> and running (inside the msv-msv-2022.7 directory): >> >> find . -mindepth 1 -maxdepth 1 -type d ! -name 'xsdlib' -exec rm -rf >> {} + >> rm -rf xsdlib/src/main/resources >> rm -rf xsdlib/src/test >> grep -l -r --ignore-case 'proprietary' | xargs rm -v >> >> Most problematic license files are: copyright.txt and license.txt in >> https://github.com/xmlark/msv/tree/main/docs/xsdlib. To my knowledge, >> all files that remained use explicit BSD-3-Clause or Apache-1.1. >> Question is whether we could have removed the copyright.txt and >> license.txt files in the first place. >> >> Current upstream: https://github.com/xmlark/msv >> Previous package in Fedora (used different source repository): >> https://koji.fedoraproject.org/koji/packageinfo?packageID=2576 >> Previous bug related to licensing: >> https://bugzilla.redhat.com/show_bug.cgi?id=87684 >> >> Also grep --ignore-case for "proprietary" "confidential", "nuclear". > Can you create  a package just from that subset of the xsdlib > directory as you indicated above? > > In those files, what I saw on a quick review was: > > - pom.xml : there's a Sun BSD license that is probably OK for Fedora > but does not seem to match any known variant. (It's tempting to just > ignore this but since it's probably OK we might as well add it.) > > - Oracle 3-clause BSD licenses: most of these seem to be BSD-3-Clause, > but there was one for which SPDX would need to revise the markup, I > think ( > xsdlib/src/main/java/com/sun/msv/datatype/regexp/InternalImpl.java) > > - The Apache 1.1 license appearing on a number of source files does > not quite match SPDX Apache-1.1, would require SPDX revision to the > Apache-1.1 markup > > So these seem fairly nonproblematic but it would be helpful if you > could create issues for these in fedora-license-data and then at > github.com/spdx/license-list-XML. > > But if you need to package any of the other stuff in this repository > that may complicate things further. > > Richard >