On 9. 8. 2023 13:35, Marián Konček wrote:
Yes, I would like to package only that part.

Does license review need to be done before or after submitting a
package review in Bugzilla?

Regarding opening issues on fedora / spdx:
* one part is about adding / not adding Oracle / Sun's variant of
  BSD-3-Clause
* the other is about accepting differently formatted Apache-1.1?
Does formatting matter to SPDX?

On 8. 8. 2023 20:24, Richard Fontana wrote:
> On Tue, Aug 8, 2023 at 9:00 AM Marián Konček <mkoncek(a)redhat.com> wrote:
>> As part of the jaxb 4.0.2 -> 4.0.3 update, part of this package is
>> needed for its code generation. Therefore, I would like to package it in
>> Fedora. This package has complex licensing which is why I am asking for
>> a review. Note that I only need the "xsdlib" subdirectory.
>>
>> I only need a stripped-down version of this package as if by downloading:
>>
>> https://github.com/xmlark/msv/archive/refs/tags/msv-2022.7.tar.gz
>>
>> and running (inside the msv-msv-2022.7 directory):
>>
>> find . -mindepth 1 -maxdepth 1 -type d ! -name 'xsdlib' -exec rm -rf {} +
>> rm -rf xsdlib/src/main/resources
>> rm -rf xsdlib/src/test
>> grep -l -r --ignore-case 'proprietary' | xargs rm -v
>>
>> Most problematic license files are: copyright.txt and license.txt in
>> https://github.com/xmlark/msv/tree/main/docs/xsdlib. To my knowledge,
>> all files that remained use explicit BSD-3-Clause or Apache-1.1.
>> Question is whether we could have removed the copyright.txt and
>> license.txt files in the first place.
>>
>> Current upstream: https://github.com/xmlark/msv
>> Previous package in Fedora (used different source repository):
>> https://koji.fedoraproject.org/koji/packageinfo?packageID=2576
>> Previous bug related to licensing:
>> https://bugzilla.redhat.com/show_bug.cgi?id=87684
>>
>> Also grep --ignore-case for "proprietary" "confidential", "nuclear".
>
> Can you create a package just from that subset of the xsdlib
> directory as you indicated above?
>
> In those files, what I saw on a quick review was:
>
> - pom.xml : there's a Sun BSD license that is probably OK for Fedora
> but does not seem to match any known variant. (It's tempting to just
> ignore this but since it's probably OK we might as well add it.)
>
> - Oracle 3-clause BSD licenses: most of these seem to be BSD-3-Clause,
> but there was one for which SPDX would need to revise the markup, I
> think (xsdlib/src/main/java/com/sun/msv/datatype/regexp/InternalImpl.java)
>
> - The Apache 1.1 license appearing on a number of source files does
> not quite match SPDX Apache-1.1, would require SPDX revision to the
> Apache-1.1 markup
>
> So these seem fairly nonproblematic but it would be helpful if you
> could create issues for these in fedora-license-data and then at
> github.com/spdx/license-list-XML.
>
> But if you need to package any of the other stuff in this repository
> that may complicate things further.
>
> Richard
>