Tl;dr Please start migrating your license tag to SPDX now. The tool `license-fedora2spdx` is your friend. The JSON format changed - but is backwards compatible.


Hi.

I want to update you on where we are with SPDX Change https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_1 :


  1. All parts that are part of this phase are done. We are missing only one optional item, and we want to automate the generation of legal-docs. Right now I have to manually create a PR for legal-docs whenever I release fedora-license-data.

  2. All tooling and documentation are in place.  The documentation is here: https://docs.fedoraproject.org/en-US/legal/allowed-licenses/ The package `fedora-license-data` is in Fedoras and EPELs. The subpackage `rpmlint-fedora-license-data` contains the data for rpmlint.

  3. The latest version of `fedora-license-data` **changed the format** of the JSON file. If you use this file, please see https://gitlab.com/fedora/legal/fedora-license-data/-/merge_requests/119 and update your tool. The JSON file now contains data in both old and new formats.

  4. The JSON is automatically updated after each commit (and merged MR). For details see https://gitlab.com/fedora/legal/fedora-license-data#artifact 

  5. Please, start migrating your spec files **now**. You can use the tool `license-fedora2spdx` from package `license-validate`. Use this opportunity to check if your package license matches the upstream version - especially if you took over the package from the previous maintainer. If you are not sure what SPDX string to use, ask for help on the “legal” mailing list https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org/

  6. When you are changing your license tag, there is no need to notify the devel mailing list.

  7. When your license does not have an SPDX identifier, then please follow this documentation https://docs.fedoraproject.org/en-US/legal/update-existing-packages/

  8. After you migrate your SPEC file, please add the string “SPDX” to the entry of the package’s %changelog. This is the easiest way to detect that the migration has been done. The second best option is to add it to the dist-git commit message.

  9. The list of packages that mention “SPDX” neither in %changelog nor in the dist-git log is here https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-in-distgit-changelog.txt If you see some false positives there, please let me know (privately) and I will adjust my scripts.

  10. As of 2022-10-27:

    1. There are 23302 spec files in Fedora

    2. 264 mention "SPDX" in the spec changelog

    3. out of the remaining, 173 packages mention "SPDX" in the dist-git log

    4. 22865 packages still need to be migrated.

    5. 11371 packages have a straight answer from `license-fedora2spdx` and the migration is trivial.

  11. Right now, we are finalizing the Change proposal for phase 2. https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_2 This is yet to be finished and approved. The main takeaway is that we do not plan to do any mass action before Fedora 38 branching (i.e. 2023-02-07).


Miroslav 

on behalf of other owners of this Change (Jillayne, Neal, David, Richard, Matthew)
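
The detection rule from items 8 to 10, as an added example that is not part of the original message and is not the script that produces the published list: a package counts as migrated if "SPDX" appears in its %changelog section, otherwise if it appears in a dist-git commit message. The function names, the list of section macros, the case-sensitive match and the sample specs are assumptions constructed for illustration.

```python
import re

# Assumption: any of these section macros ends the %changelog section.
_NEXT_SECTION = re.compile(
    r"^%(?:package|description|prep|build|install|check|files|pre|post|preun|postun)\b",
    re.MULTILINE,
)

def changelog_text(spec: str) -> str:
    """Return the body of the %changelog section, or '' if there is none."""
    m = re.search(r"^%changelog[ \t]*$", spec, re.MULTILINE)
    if m is None:
        return ""
    body = spec[m.end():]
    nxt = _NEXT_SECTION.search(body)
    return body[: nxt.start()] if nxt else body

def migration_status(spec: str, commit_messages: list[str]) -> str:
    """Classify one package in the order items 8-10 count them."""
    if "SPDX" in changelog_text(spec):  # literal, case-sensitive (assumption)
        return "changelog"
    if any("SPDX" in msg for msg in commit_messages):
        return "dist-git log"
    return "needs migration"

# Constructed sample: migration recorded in the %changelog entry.
SPEC_MIGRATED = """Name: foo
License: MIT
%description
Foo.
%changelog
* Thu Oct 27 2022 Jane Doe <jane@example.com> - 1.0-2
- Convert license tag to SPDX
"""
# Constructed sample: "SPDX" only in a header comment, which must not count.
SPEC_HEADER_ONLY = """# SPDX-License-Identifier: MIT
Name: bar
License: MIT
%changelog
* Thu Oct 20 2022 Jane Doe <jane@example.com> - 1.0-1
- Initial package
"""
# Constructed sample: %autochangelog keeps no entries in the spec file itself.
SPEC_AUTOCHANGELOG = "Name: baz\nLicense: ASL 2.0\n%changelog\n%autochangelog\n"

if __name__ == "__main__":
    print(migration_status(SPEC_MIGRATED, []))
```

Restricting the search to the %changelog section keeps a spec file's own `SPDX-License-Identifier` header comment from being counted as a migration, and a spec using `%autochangelog` is only recognised through its commit messages.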